1
2
3
4
5
6
7
8
9
10
11#include <linux/module.h>
12#include <linux/init.h>
13#include <linux/list.h>
14#include <linux/skbuff.h>
15#include <linux/netlink.h>
16#include <linux/netfilter.h>
17#include <linux/netfilter/nfnetlink.h>
18#include <linux/netfilter/nf_tables.h>
19#include <net/netfilter/nf_tables_core.h>
20#include <net/netfilter/nf_tables.h>
21#include <net/net_namespace.h>
22#include <net/sock.h>
23
24static LIST_HEAD(nf_tables_expressions);
25
26
27
28
29
30
31
32
33
34int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
35{
36 INIT_LIST_HEAD(&afi->tables);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES);
38 list_add_tail_rcu(&afi->list, &net->nft.af_info);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
40 return 0;
41}
42EXPORT_SYMBOL_GPL(nft_register_afinfo);
43
44static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi);
45
46
47
48
49
50
51
52
53void nft_unregister_afinfo(struct net *net, struct nft_af_info *afi)
54{
55 nfnl_lock(NFNL_SUBSYS_NFTABLES);
56 __nft_release_afinfo(net, afi);
57 list_del_rcu(&afi->list);
58 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
59}
60EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
61
62static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
63{
64 struct nft_af_info *afi;
65
66 list_for_each_entry(afi, &net->nft.af_info, list) {
67 if (afi->family == family)
68 return afi;
69 }
70 return NULL;
71}
72
73static struct nft_af_info *
74nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
75{
76 struct nft_af_info *afi;
77
78 afi = nft_afinfo_lookup(net, family);
79 if (afi != NULL)
80 return afi;
81#ifdef CONFIG_MODULES
82 if (autoload) {
83 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
84 request_module("nft-afinfo-%u", family);
85 nfnl_lock(NFNL_SUBSYS_NFTABLES);
86 afi = nft_afinfo_lookup(net, family);
87 if (afi != NULL)
88 return ERR_PTR(-EAGAIN);
89 }
90#endif
91 return ERR_PTR(-EAFNOSUPPORT);
92}
93
94static void nft_ctx_init(struct nft_ctx *ctx,
95 struct net *net,
96 const struct sk_buff *skb,
97 const struct nlmsghdr *nlh,
98 struct nft_af_info *afi,
99 struct nft_table *table,
100 struct nft_chain *chain,
101 const struct nlattr * const *nla)
102{
103 ctx->net = net;
104 ctx->afi = afi;
105 ctx->table = table;
106 ctx->chain = chain;
107 ctx->nla = nla;
108 ctx->portid = NETLINK_CB(skb).portid;
109 ctx->report = nlmsg_report(nlh);
110 ctx->seq = nlh->nlmsg_seq;
111}
112
113static struct nft_trans *nft_trans_alloc(struct nft_ctx *ctx, int msg_type,
114 u32 size)
115{
116 struct nft_trans *trans;
117
118 trans = kzalloc(sizeof(struct nft_trans) + size, GFP_KERNEL);
119 if (trans == NULL)
120 return NULL;
121
122 trans->msg_type = msg_type;
123 trans->ctx = *ctx;
124
125 return trans;
126}
127
128static void nft_trans_destroy(struct nft_trans *trans)
129{
130 list_del(&trans->list);
131 kfree(trans);
132}
133
134static int nf_tables_register_hooks(struct net *net,
135 const struct nft_table *table,
136 struct nft_chain *chain,
137 unsigned int hook_nops)
138{
139 if (table->flags & NFT_TABLE_F_DORMANT ||
140 !(chain->flags & NFT_BASE_CHAIN))
141 return 0;
142
143 return nf_register_net_hooks(net, nft_base_chain(chain)->ops,
144 hook_nops);
145}
146
147static void nf_tables_unregister_hooks(struct net *net,
148 const struct nft_table *table,
149 struct nft_chain *chain,
150 unsigned int hook_nops)
151{
152 if (table->flags & NFT_TABLE_F_DORMANT ||
153 !(chain->flags & NFT_BASE_CHAIN))
154 return;
155
156 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops, hook_nops);
157}
158
159static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
160{
161 struct nft_trans *trans;
162
163 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
164 if (trans == NULL)
165 return -ENOMEM;
166
167 if (msg_type == NFT_MSG_NEWTABLE)
168 nft_activate_next(ctx->net, ctx->table);
169
170 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
171 return 0;
172}
173
174static int nft_deltable(struct nft_ctx *ctx)
175{
176 int err;
177
178 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
179 if (err < 0)
180 return err;
181
182 nft_deactivate_next(ctx->net, ctx->table);
183 return err;
184}
185
186static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
187{
188 struct nft_trans *trans;
189
190 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
191 if (trans == NULL)
192 return -ENOMEM;
193
194 if (msg_type == NFT_MSG_NEWCHAIN)
195 nft_activate_next(ctx->net, ctx->chain);
196
197 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
198 return 0;
199}
200
201static int nft_delchain(struct nft_ctx *ctx)
202{
203 int err;
204
205 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
206 if (err < 0)
207 return err;
208
209 ctx->table->use--;
210 nft_deactivate_next(ctx->net, ctx->chain);
211
212 return err;
213}
214
215static int
216nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
217{
218
219 if (nft_is_active_next(ctx->net, rule)) {
220 nft_deactivate_next(ctx->net, rule);
221 ctx->chain->use--;
222 return 0;
223 }
224 return -ENOENT;
225}
226
227static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
228 struct nft_rule *rule)
229{
230 struct nft_trans *trans;
231
232 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
233 if (trans == NULL)
234 return NULL;
235
236 nft_trans_rule(trans) = rule;
237 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
238
239 return trans;
240}
241
242static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
243{
244 struct nft_trans *trans;
245 int err;
246
247 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
248 if (trans == NULL)
249 return -ENOMEM;
250
251 err = nf_tables_delrule_deactivate(ctx, rule);
252 if (err < 0) {
253 nft_trans_destroy(trans);
254 return err;
255 }
256
257 return 0;
258}
259
260static int nft_delrule_by_chain(struct nft_ctx *ctx)
261{
262 struct nft_rule *rule;
263 int err;
264
265 list_for_each_entry(rule, &ctx->chain->rules, list) {
266 err = nft_delrule(ctx, rule);
267 if (err < 0)
268 return err;
269 }
270 return 0;
271}
272
273static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
274 struct nft_set *set)
275{
276 struct nft_trans *trans;
277
278 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
279 if (trans == NULL)
280 return -ENOMEM;
281
282 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
283 nft_trans_set_id(trans) =
284 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
285 nft_activate_next(ctx->net, set);
286 }
287 nft_trans_set(trans) = set;
288 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
289
290 return 0;
291}
292
293static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
294{
295 int err;
296
297 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
298 if (err < 0)
299 return err;
300
301 nft_deactivate_next(ctx->net, set);
302 ctx->table->use--;
303
304 return err;
305}
306
307
308
309
310
311static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
312 const struct nlattr *nla,
313 u8 genmask)
314{
315 struct nft_table *table;
316
317 list_for_each_entry(table, &afi->tables, list) {
318 if (!nla_strcmp(nla, table->name) &&
319 nft_active_genmask(table, genmask))
320 return table;
321 }
322 return NULL;
323}
324
325static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
326 const struct nlattr *nla,
327 u8 genmask)
328{
329 struct nft_table *table;
330
331 if (nla == NULL)
332 return ERR_PTR(-EINVAL);
333
334 table = nft_table_lookup(afi, nla, genmask);
335 if (table != NULL)
336 return table;
337
338 return ERR_PTR(-ENOENT);
339}
340
341static inline u64 nf_tables_alloc_handle(struct nft_table *table)
342{
343 return ++table->hgenerator;
344}
345
346static const struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
347
348static const struct nf_chain_type *
349__nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
350{
351 int i;
352
353 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
354 if (chain_type[family][i] != NULL &&
355 !nla_strcmp(nla, chain_type[family][i]->name))
356 return chain_type[family][i];
357 }
358 return NULL;
359}
360
361static const struct nf_chain_type *
362nf_tables_chain_type_lookup(const struct nft_af_info *afi,
363 const struct nlattr *nla,
364 bool autoload)
365{
366 const struct nf_chain_type *type;
367
368 type = __nf_tables_chain_type_lookup(afi->family, nla);
369 if (type != NULL)
370 return type;
371#ifdef CONFIG_MODULES
372 if (autoload) {
373 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
374 request_module("nft-chain-%u-%.*s", afi->family,
375 nla_len(nla), (const char *)nla_data(nla));
376 nfnl_lock(NFNL_SUBSYS_NFTABLES);
377 type = __nf_tables_chain_type_lookup(afi->family, nla);
378 if (type != NULL)
379 return ERR_PTR(-EAGAIN);
380 }
381#endif
382 return ERR_PTR(-ENOENT);
383}
384
385static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
386 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
387 .len = NFT_TABLE_MAXNAMELEN - 1 },
388 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
389};
390
391static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
392 u32 portid, u32 seq, int event, u32 flags,
393 int family, const struct nft_table *table)
394{
395 struct nlmsghdr *nlh;
396 struct nfgenmsg *nfmsg;
397
398 event |= NFNL_SUBSYS_NFTABLES << 8;
399 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
400 if (nlh == NULL)
401 goto nla_put_failure;
402
403 nfmsg = nlmsg_data(nlh);
404 nfmsg->nfgen_family = family;
405 nfmsg->version = NFNETLINK_V0;
406 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
407
408 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
409 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
410 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
411 goto nla_put_failure;
412
413 nlmsg_end(skb, nlh);
414 return 0;
415
416nla_put_failure:
417 nlmsg_trim(skb, nlh);
418 return -1;
419}
420
421static int nf_tables_table_notify(const struct nft_ctx *ctx, int event)
422{
423 struct sk_buff *skb;
424 int err;
425
426 if (!ctx->report &&
427 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
428 return 0;
429
430 err = -ENOBUFS;
431 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
432 if (skb == NULL)
433 goto err;
434
435 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
436 event, 0, ctx->afi->family, ctx->table);
437 if (err < 0) {
438 kfree_skb(skb);
439 goto err;
440 }
441
442 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
443 ctx->report, GFP_KERNEL);
444err:
445 if (err < 0) {
446 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
447 err);
448 }
449 return err;
450}
451
452static int nf_tables_dump_tables(struct sk_buff *skb,
453 struct netlink_callback *cb)
454{
455 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
456 const struct nft_af_info *afi;
457 const struct nft_table *table;
458 unsigned int idx = 0, s_idx = cb->args[0];
459 struct net *net = sock_net(skb->sk);
460 int family = nfmsg->nfgen_family;
461
462 rcu_read_lock();
463 cb->seq = net->nft.base_seq;
464
465 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
466 if (family != NFPROTO_UNSPEC && family != afi->family)
467 continue;
468
469 list_for_each_entry_rcu(table, &afi->tables, list) {
470 if (idx < s_idx)
471 goto cont;
472 if (idx > s_idx)
473 memset(&cb->args[1], 0,
474 sizeof(cb->args) - sizeof(cb->args[0]));
475 if (!nft_is_active(net, table))
476 continue;
477 if (nf_tables_fill_table_info(skb, net,
478 NETLINK_CB(cb->skb).portid,
479 cb->nlh->nlmsg_seq,
480 NFT_MSG_NEWTABLE,
481 NLM_F_MULTI,
482 afi->family, table) < 0)
483 goto done;
484
485 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
486cont:
487 idx++;
488 }
489 }
490done:
491 rcu_read_unlock();
492 cb->args[0] = idx;
493 return skb->len;
494}
495
496static int nf_tables_gettable(struct net *net, struct sock *nlsk,
497 struct sk_buff *skb, const struct nlmsghdr *nlh,
498 const struct nlattr * const nla[])
499{
500 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
501 u8 genmask = nft_genmask_cur(net);
502 const struct nft_af_info *afi;
503 const struct nft_table *table;
504 struct sk_buff *skb2;
505 int family = nfmsg->nfgen_family;
506 int err;
507
508 if (nlh->nlmsg_flags & NLM_F_DUMP) {
509 struct netlink_dump_control c = {
510 .dump = nf_tables_dump_tables,
511 };
512 return netlink_dump_start(nlsk, skb, nlh, &c);
513 }
514
515 afi = nf_tables_afinfo_lookup(net, family, false);
516 if (IS_ERR(afi))
517 return PTR_ERR(afi);
518
519 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
520 if (IS_ERR(table))
521 return PTR_ERR(table);
522
523 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
524 if (!skb2)
525 return -ENOMEM;
526
527 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
528 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
529 family, table);
530 if (err < 0)
531 goto err;
532
533 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
534
535err:
536 kfree_skb(skb2);
537 return err;
538}
539
540static int nf_tables_table_enable(struct net *net,
541 const struct nft_af_info *afi,
542 struct nft_table *table)
543{
544 struct nft_chain *chain;
545 int err, i = 0;
546
547 list_for_each_entry(chain, &table->chains, list) {
548 if (!nft_is_active_next(net, chain))
549 continue;
550 if (!(chain->flags & NFT_BASE_CHAIN))
551 continue;
552
553 err = nf_register_net_hooks(net, nft_base_chain(chain)->ops,
554 afi->nops);
555 if (err < 0)
556 goto err;
557
558 i++;
559 }
560 return 0;
561err:
562 list_for_each_entry(chain, &table->chains, list) {
563 if (!nft_is_active_next(net, chain))
564 continue;
565 if (!(chain->flags & NFT_BASE_CHAIN))
566 continue;
567
568 if (i-- <= 0)
569 break;
570
571 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops,
572 afi->nops);
573 }
574 return err;
575}
576
577static void nf_tables_table_disable(struct net *net,
578 const struct nft_af_info *afi,
579 struct nft_table *table)
580{
581 struct nft_chain *chain;
582
583 list_for_each_entry(chain, &table->chains, list) {
584 if (!nft_is_active_next(net, chain))
585 continue;
586 if (!(chain->flags & NFT_BASE_CHAIN))
587 continue;
588
589 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops,
590 afi->nops);
591 }
592}
593
594static int nf_tables_updtable(struct nft_ctx *ctx)
595{
596 struct nft_trans *trans;
597 u32 flags;
598 int ret = 0;
599
600 if (!ctx->nla[NFTA_TABLE_FLAGS])
601 return 0;
602
603 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
604 if (flags & ~NFT_TABLE_F_DORMANT)
605 return -EINVAL;
606
607 if (flags == ctx->table->flags)
608 return 0;
609
610 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
611 sizeof(struct nft_trans_table));
612 if (trans == NULL)
613 return -ENOMEM;
614
615 if ((flags & NFT_TABLE_F_DORMANT) &&
616 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
617 nft_trans_table_enable(trans) = false;
618 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
619 ctx->table->flags & NFT_TABLE_F_DORMANT) {
620 ret = nf_tables_table_enable(ctx->net, ctx->afi, ctx->table);
621 if (ret >= 0) {
622 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
623 nft_trans_table_enable(trans) = true;
624 }
625 }
626 if (ret < 0)
627 goto err;
628
629 nft_trans_table_update(trans) = true;
630 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
631 return 0;
632err:
633 nft_trans_destroy(trans);
634 return ret;
635}
636
637static int nf_tables_newtable(struct net *net, struct sock *nlsk,
638 struct sk_buff *skb, const struct nlmsghdr *nlh,
639 const struct nlattr * const nla[])
640{
641 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
642 u8 genmask = nft_genmask_next(net);
643 const struct nlattr *name;
644 struct nft_af_info *afi;
645 struct nft_table *table;
646 int family = nfmsg->nfgen_family;
647 u32 flags = 0;
648 struct nft_ctx ctx;
649 int err;
650
651 afi = nf_tables_afinfo_lookup(net, family, true);
652 if (IS_ERR(afi))
653 return PTR_ERR(afi);
654
655 name = nla[NFTA_TABLE_NAME];
656 table = nf_tables_table_lookup(afi, name, genmask);
657 if (IS_ERR(table)) {
658 if (PTR_ERR(table) != -ENOENT)
659 return PTR_ERR(table);
660 table = NULL;
661 }
662
663 if (table != NULL) {
664 if (nlh->nlmsg_flags & NLM_F_EXCL)
665 return -EEXIST;
666 if (nlh->nlmsg_flags & NLM_F_REPLACE)
667 return -EOPNOTSUPP;
668
669 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
670 return nf_tables_updtable(&ctx);
671 }
672
673 if (nla[NFTA_TABLE_FLAGS]) {
674 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
675 if (flags & ~NFT_TABLE_F_DORMANT)
676 return -EINVAL;
677 }
678
679 err = -EAFNOSUPPORT;
680 if (!try_module_get(afi->owner))
681 goto err1;
682
683 err = -ENOMEM;
684 table = kzalloc(sizeof(*table), GFP_KERNEL);
685 if (table == NULL)
686 goto err2;
687
688 nla_strlcpy(table->name, name, NFT_TABLE_MAXNAMELEN);
689 INIT_LIST_HEAD(&table->chains);
690 INIT_LIST_HEAD(&table->sets);
691 table->flags = flags;
692
693 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
694 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
695 if (err < 0)
696 goto err3;
697
698 list_add_tail_rcu(&table->list, &afi->tables);
699 return 0;
700err3:
701 kfree(table);
702err2:
703 module_put(afi->owner);
704err1:
705 return err;
706}
707
708static int nft_flush_table(struct nft_ctx *ctx)
709{
710 int err;
711 struct nft_chain *chain, *nc;
712 struct nft_set *set, *ns;
713
714 list_for_each_entry(chain, &ctx->table->chains, list) {
715 if (!nft_is_active_next(ctx->net, chain))
716 continue;
717
718 ctx->chain = chain;
719
720 err = nft_delrule_by_chain(ctx);
721 if (err < 0)
722 goto out;
723 }
724
725 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
726 if (!nft_is_active_next(ctx->net, set))
727 continue;
728
729 if (set->flags & NFT_SET_ANONYMOUS &&
730 !list_empty(&set->bindings))
731 continue;
732
733 err = nft_delset(ctx, set);
734 if (err < 0)
735 goto out;
736 }
737
738 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
739 if (!nft_is_active_next(ctx->net, chain))
740 continue;
741
742 ctx->chain = chain;
743
744 err = nft_delchain(ctx);
745 if (err < 0)
746 goto out;
747 }
748
749 err = nft_deltable(ctx);
750out:
751 return err;
752}
753
754static int nft_flush(struct nft_ctx *ctx, int family)
755{
756 struct nft_af_info *afi;
757 struct nft_table *table, *nt;
758 const struct nlattr * const *nla = ctx->nla;
759 int err = 0;
760
761 list_for_each_entry(afi, &ctx->net->nft.af_info, list) {
762 if (family != AF_UNSPEC && afi->family != family)
763 continue;
764
765 ctx->afi = afi;
766 list_for_each_entry_safe(table, nt, &afi->tables, list) {
767 if (!nft_is_active_next(ctx->net, table))
768 continue;
769
770 if (nla[NFTA_TABLE_NAME] &&
771 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
772 continue;
773
774 ctx->table = table;
775
776 err = nft_flush_table(ctx);
777 if (err < 0)
778 goto out;
779 }
780 }
781out:
782 return err;
783}
784
785static int nf_tables_deltable(struct net *net, struct sock *nlsk,
786 struct sk_buff *skb, const struct nlmsghdr *nlh,
787 const struct nlattr * const nla[])
788{
789 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
790 u8 genmask = nft_genmask_next(net);
791 struct nft_af_info *afi;
792 struct nft_table *table;
793 int family = nfmsg->nfgen_family;
794 struct nft_ctx ctx;
795
796 nft_ctx_init(&ctx, net, skb, nlh, NULL, NULL, NULL, nla);
797 if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
798 return nft_flush(&ctx, family);
799
800 afi = nf_tables_afinfo_lookup(net, family, false);
801 if (IS_ERR(afi))
802 return PTR_ERR(afi);
803
804 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
805 if (IS_ERR(table))
806 return PTR_ERR(table);
807
808 ctx.afi = afi;
809 ctx.table = table;
810
811 return nft_flush_table(&ctx);
812}
813
814static void nf_tables_table_destroy(struct nft_ctx *ctx)
815{
816 BUG_ON(ctx->table->use > 0);
817
818 kfree(ctx->table);
819 module_put(ctx->afi->owner);
820}
821
822int nft_register_chain_type(const struct nf_chain_type *ctype)
823{
824 int err = 0;
825
826 nfnl_lock(NFNL_SUBSYS_NFTABLES);
827 if (chain_type[ctype->family][ctype->type] != NULL) {
828 err = -EBUSY;
829 goto out;
830 }
831 chain_type[ctype->family][ctype->type] = ctype;
832out:
833 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
834 return err;
835}
836EXPORT_SYMBOL_GPL(nft_register_chain_type);
837
838void nft_unregister_chain_type(const struct nf_chain_type *ctype)
839{
840 nfnl_lock(NFNL_SUBSYS_NFTABLES);
841 chain_type[ctype->family][ctype->type] = NULL;
842 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
843}
844EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
845
846
847
848
849
850static struct nft_chain *
851nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle,
852 u8 genmask)
853{
854 struct nft_chain *chain;
855
856 list_for_each_entry(chain, &table->chains, list) {
857 if (chain->handle == handle &&
858 nft_active_genmask(chain, genmask))
859 return chain;
860 }
861
862 return ERR_PTR(-ENOENT);
863}
864
865static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
866 const struct nlattr *nla,
867 u8 genmask)
868{
869 struct nft_chain *chain;
870
871 if (nla == NULL)
872 return ERR_PTR(-EINVAL);
873
874 list_for_each_entry(chain, &table->chains, list) {
875 if (!nla_strcmp(nla, chain->name) &&
876 nft_active_genmask(chain, genmask))
877 return chain;
878 }
879
880 return ERR_PTR(-ENOENT);
881}
882
883static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
884 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
885 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
886 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
887 .len = NFT_CHAIN_MAXNAMELEN - 1 },
888 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
889 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
890 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
891 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
892};
893
894static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
895 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
896 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
897 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
898 .len = IFNAMSIZ - 1 },
899};
900
901static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
902{
903 struct nft_stats *cpu_stats, total;
904 struct nlattr *nest;
905 unsigned int seq;
906 u64 pkts, bytes;
907 int cpu;
908
909 memset(&total, 0, sizeof(total));
910 for_each_possible_cpu(cpu) {
911 cpu_stats = per_cpu_ptr(stats, cpu);
912 do {
913 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
914 pkts = cpu_stats->pkts;
915 bytes = cpu_stats->bytes;
916 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
917 total.pkts += pkts;
918 total.bytes += bytes;
919 }
920 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
921 if (nest == NULL)
922 goto nla_put_failure;
923
924 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
925 NFTA_COUNTER_PAD) ||
926 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
927 NFTA_COUNTER_PAD))
928 goto nla_put_failure;
929
930 nla_nest_end(skb, nest);
931 return 0;
932
933nla_put_failure:
934 return -ENOSPC;
935}
936
937static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
938 u32 portid, u32 seq, int event, u32 flags,
939 int family, const struct nft_table *table,
940 const struct nft_chain *chain)
941{
942 struct nlmsghdr *nlh;
943 struct nfgenmsg *nfmsg;
944
945 event |= NFNL_SUBSYS_NFTABLES << 8;
946 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
947 if (nlh == NULL)
948 goto nla_put_failure;
949
950 nfmsg = nlmsg_data(nlh);
951 nfmsg->nfgen_family = family;
952 nfmsg->version = NFNETLINK_V0;
953 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
954
955 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
956 goto nla_put_failure;
957 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
958 NFTA_CHAIN_PAD))
959 goto nla_put_failure;
960 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
961 goto nla_put_failure;
962
963 if (chain->flags & NFT_BASE_CHAIN) {
964 const struct nft_base_chain *basechain = nft_base_chain(chain);
965 const struct nf_hook_ops *ops = &basechain->ops[0];
966 struct nlattr *nest;
967
968 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
969 if (nest == NULL)
970 goto nla_put_failure;
971 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
972 goto nla_put_failure;
973 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
974 goto nla_put_failure;
975 if (basechain->dev_name[0] &&
976 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
977 goto nla_put_failure;
978 nla_nest_end(skb, nest);
979
980 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
981 htonl(basechain->policy)))
982 goto nla_put_failure;
983
984 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
985 goto nla_put_failure;
986
987 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
988 goto nla_put_failure;
989 }
990
991 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
992 goto nla_put_failure;
993
994 nlmsg_end(skb, nlh);
995 return 0;
996
997nla_put_failure:
998 nlmsg_trim(skb, nlh);
999 return -1;
1000}
1001
1002static int nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1003{
1004 struct sk_buff *skb;
1005 int err;
1006
1007 if (!ctx->report &&
1008 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1009 return 0;
1010
1011 err = -ENOBUFS;
1012 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1013 if (skb == NULL)
1014 goto err;
1015
1016 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1017 event, 0, ctx->afi->family, ctx->table,
1018 ctx->chain);
1019 if (err < 0) {
1020 kfree_skb(skb);
1021 goto err;
1022 }
1023
1024 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1025 ctx->report, GFP_KERNEL);
1026err:
1027 if (err < 0) {
1028 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1029 err);
1030 }
1031 return err;
1032}
1033
1034static int nf_tables_dump_chains(struct sk_buff *skb,
1035 struct netlink_callback *cb)
1036{
1037 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1038 const struct nft_af_info *afi;
1039 const struct nft_table *table;
1040 const struct nft_chain *chain;
1041 unsigned int idx = 0, s_idx = cb->args[0];
1042 struct net *net = sock_net(skb->sk);
1043 int family = nfmsg->nfgen_family;
1044
1045 rcu_read_lock();
1046 cb->seq = net->nft.base_seq;
1047
1048 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1049 if (family != NFPROTO_UNSPEC && family != afi->family)
1050 continue;
1051
1052 list_for_each_entry_rcu(table, &afi->tables, list) {
1053 list_for_each_entry_rcu(chain, &table->chains, list) {
1054 if (idx < s_idx)
1055 goto cont;
1056 if (idx > s_idx)
1057 memset(&cb->args[1], 0,
1058 sizeof(cb->args) - sizeof(cb->args[0]));
1059 if (!nft_is_active(net, chain))
1060 continue;
1061 if (nf_tables_fill_chain_info(skb, net,
1062 NETLINK_CB(cb->skb).portid,
1063 cb->nlh->nlmsg_seq,
1064 NFT_MSG_NEWCHAIN,
1065 NLM_F_MULTI,
1066 afi->family, table, chain) < 0)
1067 goto done;
1068
1069 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1070cont:
1071 idx++;
1072 }
1073 }
1074 }
1075done:
1076 rcu_read_unlock();
1077 cb->args[0] = idx;
1078 return skb->len;
1079}
1080
1081static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1082 struct sk_buff *skb, const struct nlmsghdr *nlh,
1083 const struct nlattr * const nla[])
1084{
1085 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1086 u8 genmask = nft_genmask_cur(net);
1087 const struct nft_af_info *afi;
1088 const struct nft_table *table;
1089 const struct nft_chain *chain;
1090 struct sk_buff *skb2;
1091 int family = nfmsg->nfgen_family;
1092 int err;
1093
1094 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1095 struct netlink_dump_control c = {
1096 .dump = nf_tables_dump_chains,
1097 };
1098 return netlink_dump_start(nlsk, skb, nlh, &c);
1099 }
1100
1101 afi = nf_tables_afinfo_lookup(net, family, false);
1102 if (IS_ERR(afi))
1103 return PTR_ERR(afi);
1104
1105 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1106 if (IS_ERR(table))
1107 return PTR_ERR(table);
1108
1109 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1110 if (IS_ERR(chain))
1111 return PTR_ERR(chain);
1112
1113 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1114 if (!skb2)
1115 return -ENOMEM;
1116
1117 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1118 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1119 family, table, chain);
1120 if (err < 0)
1121 goto err;
1122
1123 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1124
1125err:
1126 kfree_skb(skb2);
1127 return err;
1128}
1129
1130static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1131 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1132 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1133};
1134
1135static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1136{
1137 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1138 struct nft_stats __percpu *newstats;
1139 struct nft_stats *stats;
1140 int err;
1141
1142 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
1143 if (err < 0)
1144 return ERR_PTR(err);
1145
1146 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1147 return ERR_PTR(-EINVAL);
1148
1149 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1150 if (newstats == NULL)
1151 return ERR_PTR(-ENOMEM);
1152
1153
1154
1155
1156 preempt_disable();
1157 stats = this_cpu_ptr(newstats);
1158 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1159 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1160 preempt_enable();
1161
1162 return newstats;
1163}
1164
1165static void nft_chain_stats_replace(struct nft_base_chain *chain,
1166 struct nft_stats __percpu *newstats)
1167{
1168 if (newstats == NULL)
1169 return;
1170
1171 if (chain->stats) {
1172 struct nft_stats __percpu *oldstats =
1173 nft_dereference(chain->stats);
1174
1175 rcu_assign_pointer(chain->stats, newstats);
1176 synchronize_rcu();
1177 free_percpu(oldstats);
1178 } else
1179 rcu_assign_pointer(chain->stats, newstats);
1180}
1181
1182static void nf_tables_chain_destroy(struct nft_chain *chain)
1183{
1184 BUG_ON(chain->use > 0);
1185
1186 if (chain->flags & NFT_BASE_CHAIN) {
1187 struct nft_base_chain *basechain = nft_base_chain(chain);
1188
1189 module_put(basechain->type->owner);
1190 free_percpu(basechain->stats);
1191 if (basechain->ops[0].dev != NULL)
1192 dev_put(basechain->ops[0].dev);
1193 kfree(basechain);
1194 } else {
1195 kfree(chain);
1196 }
1197}
1198
1199struct nft_chain_hook {
1200 u32 num;
1201 u32 priority;
1202 const struct nf_chain_type *type;
1203 struct net_device *dev;
1204};
1205
1206static int nft_chain_parse_hook(struct net *net,
1207 const struct nlattr * const nla[],
1208 struct nft_af_info *afi,
1209 struct nft_chain_hook *hook, bool create)
1210{
1211 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1212 const struct nf_chain_type *type;
1213 struct net_device *dev;
1214 int err;
1215
1216 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1217 nft_hook_policy);
1218 if (err < 0)
1219 return err;
1220
1221 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1222 ha[NFTA_HOOK_PRIORITY] == NULL)
1223 return -EINVAL;
1224
1225 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1226 if (hook->num >= afi->nhooks)
1227 return -EINVAL;
1228
1229 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1230
1231 type = chain_type[afi->family][NFT_CHAIN_T_DEFAULT];
1232 if (nla[NFTA_CHAIN_TYPE]) {
1233 type = nf_tables_chain_type_lookup(afi, nla[NFTA_CHAIN_TYPE],
1234 create);
1235 if (IS_ERR(type))
1236 return PTR_ERR(type);
1237 }
1238 if (!(type->hook_mask & (1 << hook->num)))
1239 return -EOPNOTSUPP;
1240 if (!try_module_get(type->owner))
1241 return -ENOENT;
1242
1243 hook->type = type;
1244
1245 hook->dev = NULL;
1246 if (afi->flags & NFT_AF_NEEDS_DEV) {
1247 char ifname[IFNAMSIZ];
1248
1249 if (!ha[NFTA_HOOK_DEV]) {
1250 module_put(type->owner);
1251 return -EOPNOTSUPP;
1252 }
1253
1254 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1255 dev = dev_get_by_name(net, ifname);
1256 if (!dev) {
1257 module_put(type->owner);
1258 return -ENOENT;
1259 }
1260 hook->dev = dev;
1261 } else if (ha[NFTA_HOOK_DEV]) {
1262 module_put(type->owner);
1263 return -EOPNOTSUPP;
1264 }
1265
1266 return 0;
1267}
1268
1269static void nft_chain_release_hook(struct nft_chain_hook *hook)
1270{
1271 module_put(hook->type->owner);
1272 if (hook->dev != NULL)
1273 dev_put(hook->dev);
1274}
1275
1276static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1277 struct sk_buff *skb, const struct nlmsghdr *nlh,
1278 const struct nlattr * const nla[])
1279{
1280 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1281 const struct nlattr * uninitialized_var(name);
1282 struct nft_af_info *afi;
1283 struct nft_table *table;
1284 struct nft_chain *chain;
1285 struct nft_base_chain *basechain = NULL;
1286 u8 genmask = nft_genmask_next(net);
1287 int family = nfmsg->nfgen_family;
1288 u8 policy = NF_ACCEPT;
1289 u64 handle = 0;
1290 unsigned int i;
1291 struct nft_stats __percpu *stats;
1292 int err;
1293 bool create;
1294 struct nft_ctx ctx;
1295
1296 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1297
1298 afi = nf_tables_afinfo_lookup(net, family, true);
1299 if (IS_ERR(afi))
1300 return PTR_ERR(afi);
1301
1302 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1303 if (IS_ERR(table))
1304 return PTR_ERR(table);
1305
1306 chain = NULL;
1307 name = nla[NFTA_CHAIN_NAME];
1308
1309 if (nla[NFTA_CHAIN_HANDLE]) {
1310 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1311 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1312 if (IS_ERR(chain))
1313 return PTR_ERR(chain);
1314 } else {
1315 chain = nf_tables_chain_lookup(table, name, genmask);
1316 if (IS_ERR(chain)) {
1317 if (PTR_ERR(chain) != -ENOENT)
1318 return PTR_ERR(chain);
1319 chain = NULL;
1320 }
1321 }
1322
1323 if (nla[NFTA_CHAIN_POLICY]) {
1324 if ((chain != NULL &&
1325 !(chain->flags & NFT_BASE_CHAIN)))
1326 return -EOPNOTSUPP;
1327
1328 if (chain == NULL &&
1329 nla[NFTA_CHAIN_HOOK] == NULL)
1330 return -EOPNOTSUPP;
1331
1332 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1333 switch (policy) {
1334 case NF_DROP:
1335 case NF_ACCEPT:
1336 break;
1337 default:
1338 return -EINVAL;
1339 }
1340 }
1341
1342 if (chain != NULL) {
1343 struct nft_stats *stats = NULL;
1344 struct nft_trans *trans;
1345
1346 if (nlh->nlmsg_flags & NLM_F_EXCL)
1347 return -EEXIST;
1348 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1349 return -EOPNOTSUPP;
1350
1351 if (nla[NFTA_CHAIN_HOOK]) {
1352 struct nft_base_chain *basechain;
1353 struct nft_chain_hook hook;
1354 struct nf_hook_ops *ops;
1355
1356 if (!(chain->flags & NFT_BASE_CHAIN))
1357 return -EBUSY;
1358
1359 err = nft_chain_parse_hook(net, nla, afi, &hook,
1360 create);
1361 if (err < 0)
1362 return err;
1363
1364 basechain = nft_base_chain(chain);
1365 if (basechain->type != hook.type) {
1366 nft_chain_release_hook(&hook);
1367 return -EBUSY;
1368 }
1369
1370 for (i = 0; i < afi->nops; i++) {
1371 ops = &basechain->ops[i];
1372 if (ops->hooknum != hook.num ||
1373 ops->priority != hook.priority ||
1374 ops->dev != hook.dev) {
1375 nft_chain_release_hook(&hook);
1376 return -EBUSY;
1377 }
1378 }
1379 nft_chain_release_hook(&hook);
1380 }
1381
1382 if (nla[NFTA_CHAIN_HANDLE] && name) {
1383 struct nft_chain *chain2;
1384
1385 chain2 = nf_tables_chain_lookup(table,
1386 nla[NFTA_CHAIN_NAME],
1387 genmask);
1388 if (IS_ERR(chain2))
1389 return PTR_ERR(chain2);
1390 }
1391
1392 if (nla[NFTA_CHAIN_COUNTERS]) {
1393 if (!(chain->flags & NFT_BASE_CHAIN))
1394 return -EOPNOTSUPP;
1395
1396 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1397 if (IS_ERR(stats))
1398 return PTR_ERR(stats);
1399 }
1400
1401 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1402 trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN,
1403 sizeof(struct nft_trans_chain));
1404 if (trans == NULL) {
1405 free_percpu(stats);
1406 return -ENOMEM;
1407 }
1408
1409 nft_trans_chain_stats(trans) = stats;
1410 nft_trans_chain_update(trans) = true;
1411
1412 if (nla[NFTA_CHAIN_POLICY])
1413 nft_trans_chain_policy(trans) = policy;
1414 else
1415 nft_trans_chain_policy(trans) = -1;
1416
1417 if (nla[NFTA_CHAIN_HANDLE] && name) {
1418 nla_strlcpy(nft_trans_chain_name(trans), name,
1419 NFT_CHAIN_MAXNAMELEN);
1420 }
1421 list_add_tail(&trans->list, &net->nft.commit_list);
1422 return 0;
1423 }
1424
1425 if (table->use == UINT_MAX)
1426 return -EOVERFLOW;
1427
1428 if (nla[NFTA_CHAIN_HOOK]) {
1429 struct nft_chain_hook hook;
1430 struct nf_hook_ops *ops;
1431 nf_hookfn *hookfn;
1432
1433 err = nft_chain_parse_hook(net, nla, afi, &hook, create);
1434 if (err < 0)
1435 return err;
1436
1437 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1438 if (basechain == NULL) {
1439 nft_chain_release_hook(&hook);
1440 return -ENOMEM;
1441 }
1442
1443 if (hook.dev != NULL)
1444 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1445
1446 if (nla[NFTA_CHAIN_COUNTERS]) {
1447 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1448 if (IS_ERR(stats)) {
1449 nft_chain_release_hook(&hook);
1450 kfree(basechain);
1451 return PTR_ERR(stats);
1452 }
1453 basechain->stats = stats;
1454 } else {
1455 stats = netdev_alloc_pcpu_stats(struct nft_stats);
1456 if (stats == NULL) {
1457 nft_chain_release_hook(&hook);
1458 kfree(basechain);
1459 return -ENOMEM;
1460 }
1461 rcu_assign_pointer(basechain->stats, stats);
1462 }
1463
1464 hookfn = hook.type->hooks[hook.num];
1465 basechain->type = hook.type;
1466 chain = &basechain->chain;
1467
1468 for (i = 0; i < afi->nops; i++) {
1469 ops = &basechain->ops[i];
1470 ops->pf = family;
1471 ops->hooknum = hook.num;
1472 ops->priority = hook.priority;
1473 ops->priv = chain;
1474 ops->hook = afi->hooks[ops->hooknum];
1475 ops->dev = hook.dev;
1476 if (hookfn)
1477 ops->hook = hookfn;
1478 if (afi->hook_ops_init)
1479 afi->hook_ops_init(ops, i);
1480 }
1481
1482 chain->flags |= NFT_BASE_CHAIN;
1483 basechain->policy = policy;
1484 } else {
1485 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1486 if (chain == NULL)
1487 return -ENOMEM;
1488 }
1489
1490 INIT_LIST_HEAD(&chain->rules);
1491 chain->handle = nf_tables_alloc_handle(table);
1492 chain->table = table;
1493 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
1494
1495 err = nf_tables_register_hooks(net, table, chain, afi->nops);
1496 if (err < 0)
1497 goto err1;
1498
1499 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1500 err = nft_trans_chain_add(&ctx, NFT_MSG_NEWCHAIN);
1501 if (err < 0)
1502 goto err2;
1503
1504 table->use++;
1505 list_add_tail_rcu(&chain->list, &table->chains);
1506 return 0;
1507err2:
1508 nf_tables_unregister_hooks(net, table, chain, afi->nops);
1509err1:
1510 nf_tables_chain_destroy(chain);
1511 return err;
1512}
1513
1514static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1515 struct sk_buff *skb, const struct nlmsghdr *nlh,
1516 const struct nlattr * const nla[])
1517{
1518 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1519 u8 genmask = nft_genmask_next(net);
1520 struct nft_af_info *afi;
1521 struct nft_table *table;
1522 struct nft_chain *chain;
1523 int family = nfmsg->nfgen_family;
1524 struct nft_ctx ctx;
1525
1526 afi = nf_tables_afinfo_lookup(net, family, false);
1527 if (IS_ERR(afi))
1528 return PTR_ERR(afi);
1529
1530 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1531 if (IS_ERR(table))
1532 return PTR_ERR(table);
1533
1534 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1535 if (IS_ERR(chain))
1536 return PTR_ERR(chain);
1537 if (chain->use > 0)
1538 return -EBUSY;
1539
1540 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1541
1542 return nft_delchain(&ctx);
1543}
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556int nft_register_expr(struct nft_expr_type *type)
1557{
1558 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1559 if (type->family == NFPROTO_UNSPEC)
1560 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1561 else
1562 list_add_rcu(&type->list, &nf_tables_expressions);
1563 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1564 return 0;
1565}
1566EXPORT_SYMBOL_GPL(nft_register_expr);
1567
1568
1569
1570
1571
1572
1573
1574void nft_unregister_expr(struct nft_expr_type *type)
1575{
1576 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1577 list_del_rcu(&type->list);
1578 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1579}
1580EXPORT_SYMBOL_GPL(nft_unregister_expr);
1581
1582static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1583 struct nlattr *nla)
1584{
1585 const struct nft_expr_type *type;
1586
1587 list_for_each_entry(type, &nf_tables_expressions, list) {
1588 if (!nla_strcmp(nla, type->name) &&
1589 (!type->family || type->family == family))
1590 return type;
1591 }
1592 return NULL;
1593}
1594
1595static const struct nft_expr_type *nft_expr_type_get(u8 family,
1596 struct nlattr *nla)
1597{
1598 const struct nft_expr_type *type;
1599
1600 if (nla == NULL)
1601 return ERR_PTR(-EINVAL);
1602
1603 type = __nft_expr_type_get(family, nla);
1604 if (type != NULL && try_module_get(type->owner))
1605 return type;
1606
1607#ifdef CONFIG_MODULES
1608 if (type == NULL) {
1609 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1610 request_module("nft-expr-%u-%.*s", family,
1611 nla_len(nla), (char *)nla_data(nla));
1612 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1613 if (__nft_expr_type_get(family, nla))
1614 return ERR_PTR(-EAGAIN);
1615
1616 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1617 request_module("nft-expr-%.*s",
1618 nla_len(nla), (char *)nla_data(nla));
1619 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1620 if (__nft_expr_type_get(family, nla))
1621 return ERR_PTR(-EAGAIN);
1622 }
1623#endif
1624 return ERR_PTR(-ENOENT);
1625}
1626
1627static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1628 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1629 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1630};
1631
1632static int nf_tables_fill_expr_info(struct sk_buff *skb,
1633 const struct nft_expr *expr)
1634{
1635 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1636 goto nla_put_failure;
1637
1638 if (expr->ops->dump) {
1639 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1640 if (data == NULL)
1641 goto nla_put_failure;
1642 if (expr->ops->dump(skb, expr) < 0)
1643 goto nla_put_failure;
1644 nla_nest_end(skb, data);
1645 }
1646
1647 return skb->len;
1648
1649nla_put_failure:
1650 return -1;
1651};
1652
1653int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1654 const struct nft_expr *expr)
1655{
1656 struct nlattr *nest;
1657
1658 nest = nla_nest_start(skb, attr);
1659 if (!nest)
1660 goto nla_put_failure;
1661 if (nf_tables_fill_expr_info(skb, expr) < 0)
1662 goto nla_put_failure;
1663 nla_nest_end(skb, nest);
1664 return 0;
1665
1666nla_put_failure:
1667 return -1;
1668}
1669
1670struct nft_expr_info {
1671 const struct nft_expr_ops *ops;
1672 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1673};
1674
1675static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1676 const struct nlattr *nla,
1677 struct nft_expr_info *info)
1678{
1679 const struct nft_expr_type *type;
1680 const struct nft_expr_ops *ops;
1681 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1682 int err;
1683
1684 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1685 if (err < 0)
1686 return err;
1687
1688 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1689 if (IS_ERR(type))
1690 return PTR_ERR(type);
1691
1692 if (tb[NFTA_EXPR_DATA]) {
1693 err = nla_parse_nested(info->tb, type->maxattr,
1694 tb[NFTA_EXPR_DATA], type->policy);
1695 if (err < 0)
1696 goto err1;
1697 } else
1698 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1699
1700 if (type->select_ops != NULL) {
1701 ops = type->select_ops(ctx,
1702 (const struct nlattr * const *)info->tb);
1703 if (IS_ERR(ops)) {
1704 err = PTR_ERR(ops);
1705 goto err1;
1706 }
1707 } else
1708 ops = type->ops;
1709
1710 info->ops = ops;
1711 return 0;
1712
1713err1:
1714 module_put(type->owner);
1715 return err;
1716}
1717
1718static int nf_tables_newexpr(const struct nft_ctx *ctx,
1719 const struct nft_expr_info *info,
1720 struct nft_expr *expr)
1721{
1722 const struct nft_expr_ops *ops = info->ops;
1723 int err;
1724
1725 expr->ops = ops;
1726 if (ops->init) {
1727 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1728 if (err < 0)
1729 goto err1;
1730 }
1731
1732 return 0;
1733
1734err1:
1735 expr->ops = NULL;
1736 return err;
1737}
1738
1739static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1740 struct nft_expr *expr)
1741{
1742 if (expr->ops->destroy)
1743 expr->ops->destroy(ctx, expr);
1744 module_put(expr->ops->type->owner);
1745}
1746
1747struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1748 const struct nlattr *nla)
1749{
1750 struct nft_expr_info info;
1751 struct nft_expr *expr;
1752 int err;
1753
1754 err = nf_tables_expr_parse(ctx, nla, &info);
1755 if (err < 0)
1756 goto err1;
1757
1758 err = -ENOMEM;
1759 expr = kzalloc(info.ops->size, GFP_KERNEL);
1760 if (expr == NULL)
1761 goto err2;
1762
1763 err = nf_tables_newexpr(ctx, &info, expr);
1764 if (err < 0)
1765 goto err3;
1766
1767 return expr;
1768err3:
1769 kfree(expr);
1770err2:
1771 module_put(info.ops->type->owner);
1772err1:
1773 return ERR_PTR(err);
1774}
1775
1776void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1777{
1778 nf_tables_expr_destroy(ctx, expr);
1779 kfree(expr);
1780}
1781
1782
1783
1784
1785
1786static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1787 u64 handle)
1788{
1789 struct nft_rule *rule;
1790
1791
1792 list_for_each_entry(rule, &chain->rules, list) {
1793 if (handle == rule->handle)
1794 return rule;
1795 }
1796
1797 return ERR_PTR(-ENOENT);
1798}
1799
1800static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1801 const struct nlattr *nla)
1802{
1803 if (nla == NULL)
1804 return ERR_PTR(-EINVAL);
1805
1806 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1807}
1808
1809static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1810 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1811 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1812 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1813 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1814 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1815 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1816 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1817 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1818 .len = NFT_USERDATA_MAXLEN },
1819};
1820
1821static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
1822 u32 portid, u32 seq, int event,
1823 u32 flags, int family,
1824 const struct nft_table *table,
1825 const struct nft_chain *chain,
1826 const struct nft_rule *rule)
1827{
1828 struct nlmsghdr *nlh;
1829 struct nfgenmsg *nfmsg;
1830 const struct nft_expr *expr, *next;
1831 struct nlattr *list;
1832 const struct nft_rule *prule;
1833 int type = event | NFNL_SUBSYS_NFTABLES << 8;
1834
1835 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg),
1836 flags);
1837 if (nlh == NULL)
1838 goto nla_put_failure;
1839
1840 nfmsg = nlmsg_data(nlh);
1841 nfmsg->nfgen_family = family;
1842 nfmsg->version = NFNETLINK_V0;
1843 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1844
1845 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1846 goto nla_put_failure;
1847 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1848 goto nla_put_failure;
1849 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
1850 NFTA_RULE_PAD))
1851 goto nla_put_failure;
1852
1853 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1854 prule = list_entry(rule->list.prev, struct nft_rule, list);
1855 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1856 cpu_to_be64(prule->handle),
1857 NFTA_RULE_PAD))
1858 goto nla_put_failure;
1859 }
1860
1861 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1862 if (list == NULL)
1863 goto nla_put_failure;
1864 nft_rule_for_each_expr(expr, next, rule) {
1865 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
1866 goto nla_put_failure;
1867 }
1868 nla_nest_end(skb, list);
1869
1870 if (rule->udata) {
1871 struct nft_userdata *udata = nft_userdata(rule);
1872 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
1873 udata->data) < 0)
1874 goto nla_put_failure;
1875 }
1876
1877 nlmsg_end(skb, nlh);
1878 return 0;
1879
1880nla_put_failure:
1881 nlmsg_trim(skb, nlh);
1882 return -1;
1883}
1884
1885static int nf_tables_rule_notify(const struct nft_ctx *ctx,
1886 const struct nft_rule *rule,
1887 int event)
1888{
1889 struct sk_buff *skb;
1890 int err;
1891
1892 if (!ctx->report &&
1893 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1894 return 0;
1895
1896 err = -ENOBUFS;
1897 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1898 if (skb == NULL)
1899 goto err;
1900
1901 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
1902 event, 0, ctx->afi->family, ctx->table,
1903 ctx->chain, rule);
1904 if (err < 0) {
1905 kfree_skb(skb);
1906 goto err;
1907 }
1908
1909 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1910 ctx->report, GFP_KERNEL);
1911err:
1912 if (err < 0) {
1913 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1914 err);
1915 }
1916 return err;
1917}
1918
1919struct nft_rule_dump_ctx {
1920 char table[NFT_TABLE_MAXNAMELEN];
1921 char chain[NFT_CHAIN_MAXNAMELEN];
1922};
1923
1924static int nf_tables_dump_rules(struct sk_buff *skb,
1925 struct netlink_callback *cb)
1926{
1927 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1928 const struct nft_rule_dump_ctx *ctx = cb->data;
1929 const struct nft_af_info *afi;
1930 const struct nft_table *table;
1931 const struct nft_chain *chain;
1932 const struct nft_rule *rule;
1933 unsigned int idx = 0, s_idx = cb->args[0];
1934 struct net *net = sock_net(skb->sk);
1935 int family = nfmsg->nfgen_family;
1936
1937 rcu_read_lock();
1938 cb->seq = net->nft.base_seq;
1939
1940 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1941 if (family != NFPROTO_UNSPEC && family != afi->family)
1942 continue;
1943
1944 list_for_each_entry_rcu(table, &afi->tables, list) {
1945 if (ctx && ctx->table[0] &&
1946 strcmp(ctx->table, table->name) != 0)
1947 continue;
1948
1949 list_for_each_entry_rcu(chain, &table->chains, list) {
1950 if (ctx && ctx->chain[0] &&
1951 strcmp(ctx->chain, chain->name) != 0)
1952 continue;
1953
1954 list_for_each_entry_rcu(rule, &chain->rules, list) {
1955 if (!nft_is_active(net, rule))
1956 goto cont;
1957 if (idx < s_idx)
1958 goto cont;
1959 if (idx > s_idx)
1960 memset(&cb->args[1], 0,
1961 sizeof(cb->args) - sizeof(cb->args[0]));
1962 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
1963 cb->nlh->nlmsg_seq,
1964 NFT_MSG_NEWRULE,
1965 NLM_F_MULTI | NLM_F_APPEND,
1966 afi->family, table, chain, rule) < 0)
1967 goto done;
1968
1969 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1970cont:
1971 idx++;
1972 }
1973 }
1974 }
1975 }
1976done:
1977 rcu_read_unlock();
1978
1979 cb->args[0] = idx;
1980 return skb->len;
1981}
1982
1983static int nf_tables_dump_rules_done(struct netlink_callback *cb)
1984{
1985 kfree(cb->data);
1986 return 0;
1987}
1988
1989static int nf_tables_getrule(struct net *net, struct sock *nlsk,
1990 struct sk_buff *skb, const struct nlmsghdr *nlh,
1991 const struct nlattr * const nla[])
1992{
1993 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1994 u8 genmask = nft_genmask_cur(net);
1995 const struct nft_af_info *afi;
1996 const struct nft_table *table;
1997 const struct nft_chain *chain;
1998 const struct nft_rule *rule;
1999 struct sk_buff *skb2;
2000 int family = nfmsg->nfgen_family;
2001 int err;
2002
2003 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2004 struct netlink_dump_control c = {
2005 .dump = nf_tables_dump_rules,
2006 .done = nf_tables_dump_rules_done,
2007 };
2008
2009 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2010 struct nft_rule_dump_ctx *ctx;
2011
2012 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2013 if (!ctx)
2014 return -ENOMEM;
2015
2016 if (nla[NFTA_RULE_TABLE])
2017 nla_strlcpy(ctx->table, nla[NFTA_RULE_TABLE],
2018 sizeof(ctx->table));
2019 if (nla[NFTA_RULE_CHAIN])
2020 nla_strlcpy(ctx->chain, nla[NFTA_RULE_CHAIN],
2021 sizeof(ctx->chain));
2022 c.data = ctx;
2023 }
2024
2025 return netlink_dump_start(nlsk, skb, nlh, &c);
2026 }
2027
2028 afi = nf_tables_afinfo_lookup(net, family, false);
2029 if (IS_ERR(afi))
2030 return PTR_ERR(afi);
2031
2032 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2033 if (IS_ERR(table))
2034 return PTR_ERR(table);
2035
2036 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2037 if (IS_ERR(chain))
2038 return PTR_ERR(chain);
2039
2040 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2041 if (IS_ERR(rule))
2042 return PTR_ERR(rule);
2043
2044 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2045 if (!skb2)
2046 return -ENOMEM;
2047
2048 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2049 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2050 family, table, chain, rule);
2051 if (err < 0)
2052 goto err;
2053
2054 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2055
2056err:
2057 kfree_skb(skb2);
2058 return err;
2059}
2060
2061static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2062 struct nft_rule *rule)
2063{
2064 struct nft_expr *expr;
2065
2066
2067
2068
2069
2070 expr = nft_expr_first(rule);
2071 while (expr->ops && expr != nft_expr_last(rule)) {
2072 nf_tables_expr_destroy(ctx, expr);
2073 expr = nft_expr_next(expr);
2074 }
2075 kfree(rule);
2076}
2077
2078#define NFT_RULE_MAXEXPRS 128
2079
2080static struct nft_expr_info *info;
2081
2082static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2083 struct sk_buff *skb, const struct nlmsghdr *nlh,
2084 const struct nlattr * const nla[])
2085{
2086 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2087 u8 genmask = nft_genmask_next(net);
2088 struct nft_af_info *afi;
2089 struct nft_table *table;
2090 struct nft_chain *chain;
2091 struct nft_rule *rule, *old_rule = NULL;
2092 struct nft_userdata *udata;
2093 struct nft_trans *trans = NULL;
2094 struct nft_expr *expr;
2095 struct nft_ctx ctx;
2096 struct nlattr *tmp;
2097 unsigned int size, i, n, ulen = 0, usize = 0;
2098 int err, rem;
2099 bool create;
2100 u64 handle, pos_handle;
2101
2102 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2103
2104 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2105 if (IS_ERR(afi))
2106 return PTR_ERR(afi);
2107
2108 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2109 if (IS_ERR(table))
2110 return PTR_ERR(table);
2111
2112 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2113 if (IS_ERR(chain))
2114 return PTR_ERR(chain);
2115
2116 if (nla[NFTA_RULE_HANDLE]) {
2117 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2118 rule = __nf_tables_rule_lookup(chain, handle);
2119 if (IS_ERR(rule))
2120 return PTR_ERR(rule);
2121
2122 if (nlh->nlmsg_flags & NLM_F_EXCL)
2123 return -EEXIST;
2124 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2125 old_rule = rule;
2126 else
2127 return -EOPNOTSUPP;
2128 } else {
2129 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2130 return -EINVAL;
2131 handle = nf_tables_alloc_handle(table);
2132
2133 if (chain->use == UINT_MAX)
2134 return -EOVERFLOW;
2135 }
2136
2137 if (nla[NFTA_RULE_POSITION]) {
2138 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2139 return -EOPNOTSUPP;
2140
2141 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2142 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
2143 if (IS_ERR(old_rule))
2144 return PTR_ERR(old_rule);
2145 }
2146
2147 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2148
2149 n = 0;
2150 size = 0;
2151 if (nla[NFTA_RULE_EXPRESSIONS]) {
2152 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2153 err = -EINVAL;
2154 if (nla_type(tmp) != NFTA_LIST_ELEM)
2155 goto err1;
2156 if (n == NFT_RULE_MAXEXPRS)
2157 goto err1;
2158 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2159 if (err < 0)
2160 goto err1;
2161 size += info[n].ops->size;
2162 n++;
2163 }
2164 }
2165
2166 err = -EFBIG;
2167 if (size >= 1 << 12)
2168 goto err1;
2169
2170 if (nla[NFTA_RULE_USERDATA]) {
2171 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2172 if (ulen > 0)
2173 usize = sizeof(struct nft_userdata) + ulen;
2174 }
2175
2176 err = -ENOMEM;
2177 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2178 if (rule == NULL)
2179 goto err1;
2180
2181 nft_activate_next(net, rule);
2182
2183 rule->handle = handle;
2184 rule->dlen = size;
2185 rule->udata = ulen ? 1 : 0;
2186
2187 if (ulen) {
2188 udata = nft_userdata(rule);
2189 udata->len = ulen - 1;
2190 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2191 }
2192
2193 expr = nft_expr_first(rule);
2194 for (i = 0; i < n; i++) {
2195 err = nf_tables_newexpr(&ctx, &info[i], expr);
2196 if (err < 0)
2197 goto err2;
2198 info[i].ops = NULL;
2199 expr = nft_expr_next(expr);
2200 }
2201
2202 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2203 if (nft_is_active_next(net, old_rule)) {
2204 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2205 old_rule);
2206 if (trans == NULL) {
2207 err = -ENOMEM;
2208 goto err2;
2209 }
2210 nft_deactivate_next(net, old_rule);
2211 chain->use--;
2212 list_add_tail_rcu(&rule->list, &old_rule->list);
2213 } else {
2214 err = -ENOENT;
2215 goto err2;
2216 }
2217 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
2218 if (old_rule)
2219 list_add_rcu(&rule->list, &old_rule->list);
2220 else
2221 list_add_tail_rcu(&rule->list, &chain->rules);
2222 else {
2223 if (old_rule)
2224 list_add_tail_rcu(&rule->list, &old_rule->list);
2225 else
2226 list_add_rcu(&rule->list, &chain->rules);
2227 }
2228
2229 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2230 err = -ENOMEM;
2231 goto err3;
2232 }
2233 chain->use++;
2234 return 0;
2235
2236err3:
2237 list_del_rcu(&rule->list);
2238err2:
2239 nf_tables_rule_destroy(&ctx, rule);
2240err1:
2241 for (i = 0; i < n; i++) {
2242 if (info[i].ops != NULL)
2243 module_put(info[i].ops->type->owner);
2244 }
2245 return err;
2246}
2247
2248static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2249 struct sk_buff *skb, const struct nlmsghdr *nlh,
2250 const struct nlattr * const nla[])
2251{
2252 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2253 u8 genmask = nft_genmask_next(net);
2254 struct nft_af_info *afi;
2255 struct nft_table *table;
2256 struct nft_chain *chain = NULL;
2257 struct nft_rule *rule;
2258 int family = nfmsg->nfgen_family, err = 0;
2259 struct nft_ctx ctx;
2260
2261 afi = nf_tables_afinfo_lookup(net, family, false);
2262 if (IS_ERR(afi))
2263 return PTR_ERR(afi);
2264
2265 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2266 if (IS_ERR(table))
2267 return PTR_ERR(table);
2268
2269 if (nla[NFTA_RULE_CHAIN]) {
2270 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN],
2271 genmask);
2272 if (IS_ERR(chain))
2273 return PTR_ERR(chain);
2274 }
2275
2276 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2277
2278 if (chain) {
2279 if (nla[NFTA_RULE_HANDLE]) {
2280 rule = nf_tables_rule_lookup(chain,
2281 nla[NFTA_RULE_HANDLE]);
2282 if (IS_ERR(rule))
2283 return PTR_ERR(rule);
2284
2285 err = nft_delrule(&ctx, rule);
2286 } else {
2287 err = nft_delrule_by_chain(&ctx);
2288 }
2289 } else {
2290 list_for_each_entry(chain, &table->chains, list) {
2291 if (!nft_is_active_next(net, chain))
2292 continue;
2293
2294 ctx.chain = chain;
2295 err = nft_delrule_by_chain(&ctx);
2296 if (err < 0)
2297 break;
2298 }
2299 }
2300
2301 return err;
2302}
2303
2304
2305
2306
2307
2308static LIST_HEAD(nf_tables_set_ops);
2309
2310int nft_register_set(struct nft_set_ops *ops)
2311{
2312 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2313 list_add_tail_rcu(&ops->list, &nf_tables_set_ops);
2314 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2315 return 0;
2316}
2317EXPORT_SYMBOL_GPL(nft_register_set);
2318
2319void nft_unregister_set(struct nft_set_ops *ops)
2320{
2321 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2322 list_del_rcu(&ops->list);
2323 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2324}
2325EXPORT_SYMBOL_GPL(nft_unregister_set);
2326
2327
2328
2329
2330
2331
2332static const struct nft_set_ops *
2333nft_select_set_ops(const struct nlattr * const nla[],
2334 const struct nft_set_desc *desc,
2335 enum nft_set_policies policy)
2336{
2337 const struct nft_set_ops *ops, *bops;
2338 struct nft_set_estimate est, best;
2339 u32 features;
2340
2341#ifdef CONFIG_MODULES
2342 if (list_empty(&nf_tables_set_ops)) {
2343 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2344 request_module("nft-set");
2345 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2346 if (!list_empty(&nf_tables_set_ops))
2347 return ERR_PTR(-EAGAIN);
2348 }
2349#endif
2350 features = 0;
2351 if (nla[NFTA_SET_FLAGS] != NULL) {
2352 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2353 features &= NFT_SET_INTERVAL | NFT_SET_MAP | NFT_SET_TIMEOUT;
2354 }
2355
2356 bops = NULL;
2357 best.size = ~0;
2358 best.class = ~0;
2359
2360 list_for_each_entry(ops, &nf_tables_set_ops, list) {
2361 if ((ops->features & features) != features)
2362 continue;
2363 if (!ops->estimate(desc, features, &est))
2364 continue;
2365
2366 switch (policy) {
2367 case NFT_SET_POL_PERFORMANCE:
2368 if (est.class < best.class)
2369 break;
2370 if (est.class == best.class && est.size < best.size)
2371 break;
2372 continue;
2373 case NFT_SET_POL_MEMORY:
2374 if (est.size < best.size)
2375 break;
2376 if (est.size == best.size && est.class < best.class)
2377 break;
2378 continue;
2379 default:
2380 break;
2381 }
2382
2383 if (!try_module_get(ops->owner))
2384 continue;
2385 if (bops != NULL)
2386 module_put(bops->owner);
2387
2388 bops = ops;
2389 best = est;
2390 }
2391
2392 if (bops != NULL)
2393 return bops;
2394
2395 return ERR_PTR(-EOPNOTSUPP);
2396}
2397
2398static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2399 [NFTA_SET_TABLE] = { .type = NLA_STRING },
2400 [NFTA_SET_NAME] = { .type = NLA_STRING,
2401 .len = NFT_SET_MAXNAMELEN - 1 },
2402 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2403 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2404 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2405 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2406 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2407 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2408 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2409 [NFTA_SET_ID] = { .type = NLA_U32 },
2410 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2411 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2412 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2413 .len = NFT_USERDATA_MAXLEN },
2414};
2415
2416static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2417 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2418};
2419
2420static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2421 const struct sk_buff *skb,
2422 const struct nlmsghdr *nlh,
2423 const struct nlattr * const nla[],
2424 u8 genmask)
2425{
2426 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2427 struct nft_af_info *afi = NULL;
2428 struct nft_table *table = NULL;
2429
2430 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
2431 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2432 if (IS_ERR(afi))
2433 return PTR_ERR(afi);
2434 }
2435
2436 if (nla[NFTA_SET_TABLE] != NULL) {
2437 if (afi == NULL)
2438 return -EAFNOSUPPORT;
2439
2440 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE],
2441 genmask);
2442 if (IS_ERR(table))
2443 return PTR_ERR(table);
2444 }
2445
2446 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
2447 return 0;
2448}
2449
2450struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2451 const struct nlattr *nla, u8 genmask)
2452{
2453 struct nft_set *set;
2454
2455 if (nla == NULL)
2456 return ERR_PTR(-EINVAL);
2457
2458 list_for_each_entry(set, &table->sets, list) {
2459 if (!nla_strcmp(nla, set->name) &&
2460 nft_active_genmask(set, genmask))
2461 return set;
2462 }
2463 return ERR_PTR(-ENOENT);
2464}
2465
2466struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2467 const struct nlattr *nla,
2468 u8 genmask)
2469{
2470 struct nft_trans *trans;
2471 u32 id = ntohl(nla_get_be32(nla));
2472
2473 list_for_each_entry(trans, &net->nft.commit_list, list) {
2474 struct nft_set *set = nft_trans_set(trans);
2475
2476 if (trans->msg_type == NFT_MSG_NEWSET &&
2477 id == nft_trans_set_id(trans) &&
2478 nft_active_genmask(set, genmask))
2479 return set;
2480 }
2481 return ERR_PTR(-ENOENT);
2482}
2483
2484static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2485 const char *name)
2486{
2487 const struct nft_set *i;
2488 const char *p;
2489 unsigned long *inuse;
2490 unsigned int n = 0, min = 0;
2491
2492 p = strnchr(name, NFT_SET_MAXNAMELEN, '%');
2493 if (p != NULL) {
2494 if (p[1] != 'd' || strchr(p + 2, '%'))
2495 return -EINVAL;
2496
2497 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2498 if (inuse == NULL)
2499 return -ENOMEM;
2500cont:
2501 list_for_each_entry(i, &ctx->table->sets, list) {
2502 int tmp;
2503
2504 if (!nft_is_active_next(ctx->net, set))
2505 continue;
2506 if (!sscanf(i->name, name, &tmp))
2507 continue;
2508 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2509 continue;
2510
2511 set_bit(tmp - min, inuse);
2512 }
2513
2514 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2515 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2516 min += BITS_PER_BYTE * PAGE_SIZE;
2517 memset(inuse, 0, PAGE_SIZE);
2518 goto cont;
2519 }
2520 free_page((unsigned long)inuse);
2521 }
2522
2523 snprintf(set->name, sizeof(set->name), name, min + n);
2524 list_for_each_entry(i, &ctx->table->sets, list) {
2525 if (!nft_is_active_next(ctx->net, i))
2526 continue;
2527 if (!strcmp(set->name, i->name))
2528 return -ENFILE;
2529 }
2530 return 0;
2531}
2532
2533static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2534 const struct nft_set *set, u16 event, u16 flags)
2535{
2536 struct nfgenmsg *nfmsg;
2537 struct nlmsghdr *nlh;
2538 struct nlattr *desc;
2539 u32 portid = ctx->portid;
2540 u32 seq = ctx->seq;
2541
2542 event |= NFNL_SUBSYS_NFTABLES << 8;
2543 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2544 flags);
2545 if (nlh == NULL)
2546 goto nla_put_failure;
2547
2548 nfmsg = nlmsg_data(nlh);
2549 nfmsg->nfgen_family = ctx->afi->family;
2550 nfmsg->version = NFNETLINK_V0;
2551 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2552
2553 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2554 goto nla_put_failure;
2555 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2556 goto nla_put_failure;
2557 if (set->flags != 0)
2558 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2559 goto nla_put_failure;
2560
2561 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2562 goto nla_put_failure;
2563 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2564 goto nla_put_failure;
2565 if (set->flags & NFT_SET_MAP) {
2566 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2567 goto nla_put_failure;
2568 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2569 goto nla_put_failure;
2570 }
2571
2572 if (set->timeout &&
2573 nla_put_be64(skb, NFTA_SET_TIMEOUT,
2574 cpu_to_be64(jiffies_to_msecs(set->timeout)),
2575 NFTA_SET_PAD))
2576 goto nla_put_failure;
2577 if (set->gc_int &&
2578 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2579 goto nla_put_failure;
2580
2581 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2582 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2583 goto nla_put_failure;
2584 }
2585
2586 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2587 goto nla_put_failure;
2588
2589 desc = nla_nest_start(skb, NFTA_SET_DESC);
2590 if (desc == NULL)
2591 goto nla_put_failure;
2592 if (set->size &&
2593 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2594 goto nla_put_failure;
2595 nla_nest_end(skb, desc);
2596
2597 nlmsg_end(skb, nlh);
2598 return 0;
2599
2600nla_put_failure:
2601 nlmsg_trim(skb, nlh);
2602 return -1;
2603}
2604
2605static int nf_tables_set_notify(const struct nft_ctx *ctx,
2606 const struct nft_set *set,
2607 int event, gfp_t gfp_flags)
2608{
2609 struct sk_buff *skb;
2610 u32 portid = ctx->portid;
2611 int err;
2612
2613 if (!ctx->report &&
2614 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2615 return 0;
2616
2617 err = -ENOBUFS;
2618 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2619 if (skb == NULL)
2620 goto err;
2621
2622 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2623 if (err < 0) {
2624 kfree_skb(skb);
2625 goto err;
2626 }
2627
2628 err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES,
2629 ctx->report, gfp_flags);
2630err:
2631 if (err < 0)
2632 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
2633 return err;
2634}
2635
2636static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2637{
2638 const struct nft_set *set;
2639 unsigned int idx, s_idx = cb->args[0];
2640 struct nft_af_info *afi;
2641 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2642 struct net *net = sock_net(skb->sk);
2643 int cur_family = cb->args[3];
2644 struct nft_ctx *ctx = cb->data, ctx_set;
2645
2646 if (cb->args[1])
2647 return skb->len;
2648
2649 rcu_read_lock();
2650 cb->seq = net->nft.base_seq;
2651
2652 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2653 if (ctx->afi && ctx->afi != afi)
2654 continue;
2655
2656 if (cur_family) {
2657 if (afi->family != cur_family)
2658 continue;
2659
2660 cur_family = 0;
2661 }
2662 list_for_each_entry_rcu(table, &afi->tables, list) {
2663 if (ctx->table && ctx->table != table)
2664 continue;
2665
2666 if (cur_table) {
2667 if (cur_table != table)
2668 continue;
2669
2670 cur_table = NULL;
2671 }
2672 idx = 0;
2673 list_for_each_entry_rcu(set, &table->sets, list) {
2674 if (idx < s_idx)
2675 goto cont;
2676 if (!nft_is_active(net, set))
2677 goto cont;
2678
2679 ctx_set = *ctx;
2680 ctx_set.table = table;
2681 ctx_set.afi = afi;
2682 if (nf_tables_fill_set(skb, &ctx_set, set,
2683 NFT_MSG_NEWSET,
2684 NLM_F_MULTI) < 0) {
2685 cb->args[0] = idx;
2686 cb->args[2] = (unsigned long) table;
2687 cb->args[3] = afi->family;
2688 goto done;
2689 }
2690 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2691cont:
2692 idx++;
2693 }
2694 if (s_idx)
2695 s_idx = 0;
2696 }
2697 }
2698 cb->args[1] = 1;
2699done:
2700 rcu_read_unlock();
2701 return skb->len;
2702}
2703
2704static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2705{
2706 kfree(cb->data);
2707 return 0;
2708}
2709
2710static int nf_tables_getset(struct net *net, struct sock *nlsk,
2711 struct sk_buff *skb, const struct nlmsghdr *nlh,
2712 const struct nlattr * const nla[])
2713{
2714 u8 genmask = nft_genmask_cur(net);
2715 const struct nft_set *set;
2716 struct nft_ctx ctx;
2717 struct sk_buff *skb2;
2718 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2719 int err;
2720
2721
2722 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
2723 if (err < 0)
2724 return err;
2725
2726 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2727 struct netlink_dump_control c = {
2728 .dump = nf_tables_dump_sets,
2729 .done = nf_tables_dump_sets_done,
2730 };
2731 struct nft_ctx *ctx_dump;
2732
2733 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
2734 if (ctx_dump == NULL)
2735 return -ENOMEM;
2736
2737 *ctx_dump = ctx;
2738 c.data = ctx_dump;
2739
2740 return netlink_dump_start(nlsk, skb, nlh, &c);
2741 }
2742
2743
2744 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2745 return -EAFNOSUPPORT;
2746 if (!nla[NFTA_SET_TABLE])
2747 return -EINVAL;
2748
2749 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
2750 if (IS_ERR(set))
2751 return PTR_ERR(set);
2752
2753 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2754 if (skb2 == NULL)
2755 return -ENOMEM;
2756
2757 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2758 if (err < 0)
2759 goto err;
2760
2761 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2762
2763err:
2764 kfree_skb(skb2);
2765 return err;
2766}
2767
2768static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
2769 struct nft_set_desc *desc,
2770 const struct nlattr *nla)
2771{
2772 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
2773 int err;
2774
2775 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla, nft_set_desc_policy);
2776 if (err < 0)
2777 return err;
2778
2779 if (da[NFTA_SET_DESC_SIZE] != NULL)
2780 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
2781
2782 return 0;
2783}
2784
2785static int nf_tables_newset(struct net *net, struct sock *nlsk,
2786 struct sk_buff *skb, const struct nlmsghdr *nlh,
2787 const struct nlattr * const nla[])
2788{
2789 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2790 u8 genmask = nft_genmask_next(net);
2791 const struct nft_set_ops *ops;
2792 struct nft_af_info *afi;
2793 struct nft_table *table;
2794 struct nft_set *set;
2795 struct nft_ctx ctx;
2796 char name[NFT_SET_MAXNAMELEN];
2797 unsigned int size;
2798 bool create;
2799 u64 timeout;
2800 u32 ktype, dtype, flags, policy, gc_int;
2801 struct nft_set_desc desc;
2802 unsigned char *udata;
2803 u16 udlen;
2804 int err;
2805
2806 if (nla[NFTA_SET_TABLE] == NULL ||
2807 nla[NFTA_SET_NAME] == NULL ||
2808 nla[NFTA_SET_KEY_LEN] == NULL ||
2809 nla[NFTA_SET_ID] == NULL)
2810 return -EINVAL;
2811
2812 memset(&desc, 0, sizeof(desc));
2813
2814 ktype = NFT_DATA_VALUE;
2815 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2816 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2817 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2818 return -EINVAL;
2819 }
2820
2821 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2822 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
2823 return -EINVAL;
2824
2825 flags = 0;
2826 if (nla[NFTA_SET_FLAGS] != NULL) {
2827 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2828 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2829 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
2830 NFT_SET_MAP | NFT_SET_EVAL))
2831 return -EINVAL;
2832
2833 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL)) ==
2834 (NFT_SET_MAP | NFT_SET_EVAL))
2835 return -EOPNOTSUPP;
2836 }
2837
2838 dtype = 0;
2839 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2840 if (!(flags & NFT_SET_MAP))
2841 return -EINVAL;
2842
2843 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2844 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2845 dtype != NFT_DATA_VERDICT)
2846 return -EINVAL;
2847
2848 if (dtype != NFT_DATA_VERDICT) {
2849 if (nla[NFTA_SET_DATA_LEN] == NULL)
2850 return -EINVAL;
2851 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2852 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
2853 return -EINVAL;
2854 } else
2855 desc.dlen = sizeof(struct nft_verdict);
2856 } else if (flags & NFT_SET_MAP)
2857 return -EINVAL;
2858
2859 timeout = 0;
2860 if (nla[NFTA_SET_TIMEOUT] != NULL) {
2861 if (!(flags & NFT_SET_TIMEOUT))
2862 return -EINVAL;
2863 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
2864 nla[NFTA_SET_TIMEOUT])));
2865 }
2866 gc_int = 0;
2867 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
2868 if (!(flags & NFT_SET_TIMEOUT))
2869 return -EINVAL;
2870 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
2871 }
2872
2873 policy = NFT_SET_POL_PERFORMANCE;
2874 if (nla[NFTA_SET_POLICY] != NULL)
2875 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
2876
2877 if (nla[NFTA_SET_DESC] != NULL) {
2878 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
2879 if (err < 0)
2880 return err;
2881 }
2882
2883 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2884
2885 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2886 if (IS_ERR(afi))
2887 return PTR_ERR(afi);
2888
2889 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE], genmask);
2890 if (IS_ERR(table))
2891 return PTR_ERR(table);
2892
2893 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
2894
2895 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask);
2896 if (IS_ERR(set)) {
2897 if (PTR_ERR(set) != -ENOENT)
2898 return PTR_ERR(set);
2899 set = NULL;
2900 }
2901
2902 if (set != NULL) {
2903 if (nlh->nlmsg_flags & NLM_F_EXCL)
2904 return -EEXIST;
2905 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2906 return -EOPNOTSUPP;
2907 return 0;
2908 }
2909
2910 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2911 return -ENOENT;
2912
2913 ops = nft_select_set_ops(nla, &desc, policy);
2914 if (IS_ERR(ops))
2915 return PTR_ERR(ops);
2916
2917 udlen = 0;
2918 if (nla[NFTA_SET_USERDATA])
2919 udlen = nla_len(nla[NFTA_SET_USERDATA]);
2920
2921 size = 0;
2922 if (ops->privsize != NULL)
2923 size = ops->privsize(nla);
2924
2925 err = -ENOMEM;
2926 set = kzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
2927 if (set == NULL)
2928 goto err1;
2929
2930 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2931 err = nf_tables_set_alloc_name(&ctx, set, name);
2932 if (err < 0)
2933 goto err2;
2934
2935 udata = NULL;
2936 if (udlen) {
2937 udata = set->data + size;
2938 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
2939 }
2940
2941 INIT_LIST_HEAD(&set->bindings);
2942 set->ops = ops;
2943 set->ktype = ktype;
2944 set->klen = desc.klen;
2945 set->dtype = dtype;
2946 set->dlen = desc.dlen;
2947 set->flags = flags;
2948 set->size = desc.size;
2949 set->policy = policy;
2950 set->udlen = udlen;
2951 set->udata = udata;
2952 set->timeout = timeout;
2953 set->gc_int = gc_int;
2954
2955 err = ops->init(set, &desc, nla);
2956 if (err < 0)
2957 goto err2;
2958
2959 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
2960 if (err < 0)
2961 goto err3;
2962
2963 list_add_tail_rcu(&set->list, &table->sets);
2964 table->use++;
2965 return 0;
2966
2967err3:
2968 ops->destroy(set);
2969err2:
2970 kfree(set);
2971err1:
2972 module_put(ops->owner);
2973 return err;
2974}
2975
2976static void nft_set_destroy(struct nft_set *set)
2977{
2978 set->ops->destroy(set);
2979 module_put(set->ops->owner);
2980 kfree(set);
2981}
2982
2983static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
2984{
2985 list_del_rcu(&set->list);
2986 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
2987 nft_set_destroy(set);
2988}
2989
2990static int nf_tables_delset(struct net *net, struct sock *nlsk,
2991 struct sk_buff *skb, const struct nlmsghdr *nlh,
2992 const struct nlattr * const nla[])
2993{
2994 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2995 u8 genmask = nft_genmask_next(net);
2996 struct nft_set *set;
2997 struct nft_ctx ctx;
2998 int err;
2999
3000 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3001 return -EAFNOSUPPORT;
3002 if (nla[NFTA_SET_TABLE] == NULL)
3003 return -EINVAL;
3004
3005 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
3006 if (err < 0)
3007 return err;
3008
3009 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3010 if (IS_ERR(set))
3011 return PTR_ERR(set);
3012 if (!list_empty(&set->bindings))
3013 return -EBUSY;
3014
3015 return nft_delset(&ctx, set);
3016}
3017
3018static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3019 const struct nft_set *set,
3020 const struct nft_set_iter *iter,
3021 const struct nft_set_elem *elem)
3022{
3023 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3024 enum nft_registers dreg;
3025
3026 dreg = nft_type_to_reg(set->dtype);
3027 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3028 set->dtype == NFT_DATA_VERDICT ?
3029 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3030 set->dlen);
3031}
3032
3033int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3034 struct nft_set_binding *binding)
3035{
3036 struct nft_set_binding *i;
3037 struct nft_set_iter iter;
3038
3039 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
3040 return -EBUSY;
3041
3042 if (binding->flags & NFT_SET_MAP) {
3043
3044
3045
3046 list_for_each_entry(i, &set->bindings, list) {
3047 if (i->flags & NFT_SET_MAP &&
3048 i->chain == binding->chain)
3049 goto bind;
3050 }
3051
3052 iter.genmask = nft_genmask_next(ctx->net);
3053 iter.skip = 0;
3054 iter.count = 0;
3055 iter.err = 0;
3056 iter.fn = nf_tables_bind_check_setelem;
3057
3058 set->ops->walk(ctx, set, &iter);
3059 if (iter.err < 0)
3060 return iter.err;
3061 }
3062bind:
3063 binding->chain = ctx->chain;
3064 list_add_tail_rcu(&binding->list, &set->bindings);
3065 return 0;
3066}
3067
3068void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3069 struct nft_set_binding *binding)
3070{
3071 list_del_rcu(&binding->list);
3072
3073 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS &&
3074 nft_is_active(ctx->net, set))
3075 nf_tables_set_destroy(ctx, set);
3076}
3077
3078const struct nft_set_ext_type nft_set_ext_types[] = {
3079 [NFT_SET_EXT_KEY] = {
3080 .align = __alignof__(u32),
3081 },
3082 [NFT_SET_EXT_DATA] = {
3083 .align = __alignof__(u32),
3084 },
3085 [NFT_SET_EXT_EXPR] = {
3086 .align = __alignof__(struct nft_expr),
3087 },
3088 [NFT_SET_EXT_FLAGS] = {
3089 .len = sizeof(u8),
3090 .align = __alignof__(u8),
3091 },
3092 [NFT_SET_EXT_TIMEOUT] = {
3093 .len = sizeof(u64),
3094 .align = __alignof__(u64),
3095 },
3096 [NFT_SET_EXT_EXPIRATION] = {
3097 .len = sizeof(unsigned long),
3098 .align = __alignof__(unsigned long),
3099 },
3100 [NFT_SET_EXT_USERDATA] = {
3101 .len = sizeof(struct nft_userdata),
3102 .align = __alignof__(struct nft_userdata),
3103 },
3104};
3105EXPORT_SYMBOL_GPL(nft_set_ext_types);
3106
3107
3108
3109
3110
3111static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3112 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3113 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3114 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3115 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3116 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3117 .len = NFT_USERDATA_MAXLEN },
3118};
3119
3120static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3121 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
3122 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
3123 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3124 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3125};
3126
3127static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3128 const struct sk_buff *skb,
3129 const struct nlmsghdr *nlh,
3130 const struct nlattr * const nla[],
3131 u8 genmask)
3132{
3133 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3134 struct nft_af_info *afi;
3135 struct nft_table *table;
3136
3137 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
3138 if (IS_ERR(afi))
3139 return PTR_ERR(afi);
3140
3141 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE],
3142 genmask);
3143 if (IS_ERR(table))
3144 return PTR_ERR(table);
3145
3146 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
3147 return 0;
3148}
3149
3150static int nf_tables_fill_setelem(struct sk_buff *skb,
3151 const struct nft_set *set,
3152 const struct nft_set_elem *elem)
3153{
3154 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3155 unsigned char *b = skb_tail_pointer(skb);
3156 struct nlattr *nest;
3157
3158 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3159 if (nest == NULL)
3160 goto nla_put_failure;
3161
3162 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3163 NFT_DATA_VALUE, set->klen) < 0)
3164 goto nla_put_failure;
3165
3166 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3167 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3168 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3169 set->dlen) < 0)
3170 goto nla_put_failure;
3171
3172 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3173 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3174 goto nla_put_failure;
3175
3176 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3177 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3178 htonl(*nft_set_ext_flags(ext))))
3179 goto nla_put_failure;
3180
3181 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3182 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3183 cpu_to_be64(jiffies_to_msecs(
3184 *nft_set_ext_timeout(ext))),
3185 NFTA_SET_ELEM_PAD))
3186 goto nla_put_failure;
3187
3188 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3189 unsigned long expires, now = jiffies;
3190
3191 expires = *nft_set_ext_expiration(ext);
3192 if (time_before(now, expires))
3193 expires -= now;
3194 else
3195 expires = 0;
3196
3197 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3198 cpu_to_be64(jiffies_to_msecs(expires)),
3199 NFTA_SET_ELEM_PAD))
3200 goto nla_put_failure;
3201 }
3202
3203 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3204 struct nft_userdata *udata;
3205
3206 udata = nft_set_ext_userdata(ext);
3207 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3208 udata->len + 1, udata->data))
3209 goto nla_put_failure;
3210 }
3211
3212 nla_nest_end(skb, nest);
3213 return 0;
3214
3215nla_put_failure:
3216 nlmsg_trim(skb, b);
3217 return -EMSGSIZE;
3218}
3219
3220struct nft_set_dump_args {
3221 const struct netlink_callback *cb;
3222 struct nft_set_iter iter;
3223 struct sk_buff *skb;
3224};
3225
3226static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3227 const struct nft_set *set,
3228 const struct nft_set_iter *iter,
3229 const struct nft_set_elem *elem)
3230{
3231 struct nft_set_dump_args *args;
3232
3233 args = container_of(iter, struct nft_set_dump_args, iter);
3234 return nf_tables_fill_setelem(args->skb, set, elem);
3235}
3236
3237static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3238{
3239 struct net *net = sock_net(skb->sk);
3240 u8 genmask = nft_genmask_cur(net);
3241 const struct nft_set *set;
3242 struct nft_set_dump_args args;
3243 struct nft_ctx ctx;
3244 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
3245 struct nfgenmsg *nfmsg;
3246 struct nlmsghdr *nlh;
3247 struct nlattr *nest;
3248 u32 portid, seq;
3249 int event, err;
3250
3251 err = nlmsg_parse(cb->nlh, sizeof(struct nfgenmsg), nla,
3252 NFTA_SET_ELEM_LIST_MAX, nft_set_elem_list_policy);
3253 if (err < 0)
3254 return err;
3255
3256 err = nft_ctx_init_from_elemattr(&ctx, net, cb->skb, cb->nlh,
3257 (void *)nla, genmask);
3258 if (err < 0)
3259 return err;
3260
3261 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3262 genmask);
3263 if (IS_ERR(set))
3264 return PTR_ERR(set);
3265
3266 event = NFT_MSG_NEWSETELEM;
3267 event |= NFNL_SUBSYS_NFTABLES << 8;
3268 portid = NETLINK_CB(cb->skb).portid;
3269 seq = cb->nlh->nlmsg_seq;
3270
3271 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3272 NLM_F_MULTI);
3273 if (nlh == NULL)
3274 goto nla_put_failure;
3275
3276 nfmsg = nlmsg_data(nlh);
3277 nfmsg->nfgen_family = ctx.afi->family;
3278 nfmsg->version = NFNETLINK_V0;
3279 nfmsg->res_id = htons(ctx.net->nft.base_seq & 0xffff);
3280
3281 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
3282 goto nla_put_failure;
3283 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3284 goto nla_put_failure;
3285
3286 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3287 if (nest == NULL)
3288 goto nla_put_failure;
3289
3290 args.cb = cb;
3291 args.skb = skb;
3292 args.iter.genmask = nft_genmask_cur(ctx.net);
3293 args.iter.skip = cb->args[0];
3294 args.iter.count = 0;
3295 args.iter.err = 0;
3296 args.iter.fn = nf_tables_dump_setelem;
3297 set->ops->walk(&ctx, set, &args.iter);
3298
3299 nla_nest_end(skb, nest);
3300 nlmsg_end(skb, nlh);
3301
3302 if (args.iter.err && args.iter.err != -EMSGSIZE)
3303 return args.iter.err;
3304 if (args.iter.count == cb->args[0])
3305 return 0;
3306
3307 cb->args[0] = args.iter.count;
3308 return skb->len;
3309
3310nla_put_failure:
3311 return -ENOSPC;
3312}
3313
3314static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3315 struct sk_buff *skb, const struct nlmsghdr *nlh,
3316 const struct nlattr * const nla[])
3317{
3318 u8 genmask = nft_genmask_cur(net);
3319 const struct nft_set *set;
3320 struct nft_ctx ctx;
3321 int err;
3322
3323 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3324 if (err < 0)
3325 return err;
3326
3327 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3328 genmask);
3329 if (IS_ERR(set))
3330 return PTR_ERR(set);
3331
3332 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3333 struct netlink_dump_control c = {
3334 .dump = nf_tables_dump_set,
3335 };
3336 return netlink_dump_start(nlsk, skb, nlh, &c);
3337 }
3338 return -EOPNOTSUPP;
3339}
3340
3341static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3342 const struct nft_ctx *ctx, u32 seq,
3343 u32 portid, int event, u16 flags,
3344 const struct nft_set *set,
3345 const struct nft_set_elem *elem)
3346{
3347 struct nfgenmsg *nfmsg;
3348 struct nlmsghdr *nlh;
3349 struct nlattr *nest;
3350 int err;
3351
3352 event |= NFNL_SUBSYS_NFTABLES << 8;
3353 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3354 flags);
3355 if (nlh == NULL)
3356 goto nla_put_failure;
3357
3358 nfmsg = nlmsg_data(nlh);
3359 nfmsg->nfgen_family = ctx->afi->family;
3360 nfmsg->version = NFNETLINK_V0;
3361 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3362
3363 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3364 goto nla_put_failure;
3365 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3366 goto nla_put_failure;
3367
3368 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3369 if (nest == NULL)
3370 goto nla_put_failure;
3371
3372 err = nf_tables_fill_setelem(skb, set, elem);
3373 if (err < 0)
3374 goto nla_put_failure;
3375
3376 nla_nest_end(skb, nest);
3377
3378 nlmsg_end(skb, nlh);
3379 return 0;
3380
3381nla_put_failure:
3382 nlmsg_trim(skb, nlh);
3383 return -1;
3384}
3385
3386static int nf_tables_setelem_notify(const struct nft_ctx *ctx,
3387 const struct nft_set *set,
3388 const struct nft_set_elem *elem,
3389 int event, u16 flags)
3390{
3391 struct net *net = ctx->net;
3392 u32 portid = ctx->portid;
3393 struct sk_buff *skb;
3394 int err;
3395
3396 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3397 return 0;
3398
3399 err = -ENOBUFS;
3400 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3401 if (skb == NULL)
3402 goto err;
3403
3404 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3405 set, elem);
3406 if (err < 0) {
3407 kfree_skb(skb);
3408 goto err;
3409 }
3410
3411 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3412 GFP_KERNEL);
3413err:
3414 if (err < 0)
3415 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
3416 return err;
3417}
3418
3419static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3420 int msg_type,
3421 struct nft_set *set)
3422{
3423 struct nft_trans *trans;
3424
3425 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3426 if (trans == NULL)
3427 return NULL;
3428
3429 nft_trans_elem_set(trans) = set;
3430 return trans;
3431}
3432
3433void *nft_set_elem_init(const struct nft_set *set,
3434 const struct nft_set_ext_tmpl *tmpl,
3435 const u32 *key, const u32 *data,
3436 u64 timeout, gfp_t gfp)
3437{
3438 struct nft_set_ext *ext;
3439 void *elem;
3440
3441 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3442 if (elem == NULL)
3443 return NULL;
3444
3445 ext = nft_set_elem_ext(set, elem);
3446 nft_set_ext_init(ext, tmpl);
3447
3448 memcpy(nft_set_ext_key(ext), key, set->klen);
3449 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3450 memcpy(nft_set_ext_data(ext), data, set->dlen);
3451 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3452 *nft_set_ext_expiration(ext) =
3453 jiffies + timeout;
3454 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3455 *nft_set_ext_timeout(ext) = timeout;
3456
3457 return elem;
3458}
3459
3460void nft_set_elem_destroy(const struct nft_set *set, void *elem,
3461 bool destroy_expr)
3462{
3463 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3464
3465 nft_data_uninit(nft_set_ext_key(ext), NFT_DATA_VALUE);
3466 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3467 nft_data_uninit(nft_set_ext_data(ext), set->dtype);
3468 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3469 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3470
3471 kfree(elem);
3472}
3473EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3474
3475static int nft_setelem_parse_flags(const struct nft_set *set,
3476 const struct nlattr *attr, u32 *flags)
3477{
3478 if (attr == NULL)
3479 return 0;
3480
3481 *flags = ntohl(nla_get_be32(attr));
3482 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3483 return -EINVAL;
3484 if (!(set->flags & NFT_SET_INTERVAL) &&
3485 *flags & NFT_SET_ELEM_INTERVAL_END)
3486 return -EINVAL;
3487
3488 return 0;
3489}
3490
3491static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3492 const struct nlattr *attr, u32 nlmsg_flags)
3493{
3494 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3495 struct nft_data_desc d1, d2;
3496 struct nft_set_ext_tmpl tmpl;
3497 struct nft_set_ext *ext, *ext2;
3498 struct nft_set_elem elem;
3499 struct nft_set_binding *binding;
3500 struct nft_userdata *udata;
3501 struct nft_data data;
3502 enum nft_registers dreg;
3503 struct nft_trans *trans;
3504 u32 flags = 0;
3505 u64 timeout;
3506 u8 ulen;
3507 int err;
3508
3509 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3510 nft_set_elem_policy);
3511 if (err < 0)
3512 return err;
3513
3514 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3515 return -EINVAL;
3516
3517 nft_set_ext_prepare(&tmpl);
3518
3519 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3520 if (err < 0)
3521 return err;
3522 if (flags != 0)
3523 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3524
3525 if (set->flags & NFT_SET_MAP) {
3526 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3527 !(flags & NFT_SET_ELEM_INTERVAL_END))
3528 return -EINVAL;
3529 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3530 flags & NFT_SET_ELEM_INTERVAL_END)
3531 return -EINVAL;
3532 } else {
3533 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3534 return -EINVAL;
3535 }
3536
3537 timeout = 0;
3538 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
3539 if (!(set->flags & NFT_SET_TIMEOUT))
3540 return -EINVAL;
3541 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3542 nla[NFTA_SET_ELEM_TIMEOUT])));
3543 } else if (set->flags & NFT_SET_TIMEOUT) {
3544 timeout = set->timeout;
3545 }
3546
3547 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
3548 nla[NFTA_SET_ELEM_KEY]);
3549 if (err < 0)
3550 goto err1;
3551 err = -EINVAL;
3552 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3553 goto err2;
3554
3555 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
3556 if (timeout > 0) {
3557 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
3558 if (timeout != set->timeout)
3559 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
3560 }
3561
3562 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
3563 err = nft_data_init(ctx, &data, sizeof(data), &d2,
3564 nla[NFTA_SET_ELEM_DATA]);
3565 if (err < 0)
3566 goto err2;
3567
3568 err = -EINVAL;
3569 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
3570 goto err3;
3571
3572 dreg = nft_type_to_reg(set->dtype);
3573 list_for_each_entry(binding, &set->bindings, list) {
3574 struct nft_ctx bind_ctx = {
3575 .net = ctx->net,
3576 .afi = ctx->afi,
3577 .table = ctx->table,
3578 .chain = (struct nft_chain *)binding->chain,
3579 };
3580
3581 if (!(binding->flags & NFT_SET_MAP))
3582 continue;
3583
3584 err = nft_validate_register_store(&bind_ctx, dreg,
3585 &data,
3586 d2.type, d2.len);
3587 if (err < 0)
3588 goto err3;
3589 }
3590
3591 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
3592 }
3593
3594
3595
3596
3597
3598 ulen = 0;
3599 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
3600 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
3601 if (ulen > 0)
3602 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
3603 ulen);
3604 }
3605
3606 err = -ENOMEM;
3607 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
3608 timeout, GFP_KERNEL);
3609 if (elem.priv == NULL)
3610 goto err3;
3611
3612 ext = nft_set_elem_ext(set, elem.priv);
3613 if (flags)
3614 *nft_set_ext_flags(ext) = flags;
3615 if (ulen > 0) {
3616 udata = nft_set_ext_userdata(ext);
3617 udata->len = ulen - 1;
3618 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
3619 }
3620
3621 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
3622 if (trans == NULL)
3623 goto err4;
3624
3625 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
3626 err = set->ops->insert(ctx->net, set, &elem, &ext2);
3627 if (err) {
3628 if (err == -EEXIST) {
3629 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3630 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
3631 memcmp(nft_set_ext_data(ext),
3632 nft_set_ext_data(ext2), set->dlen) != 0)
3633 err = -EBUSY;
3634 else if (!(nlmsg_flags & NLM_F_EXCL))
3635 err = 0;
3636 }
3637 goto err5;
3638 }
3639
3640 nft_trans_elem(trans) = elem;
3641 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3642 return 0;
3643
3644err5:
3645 kfree(trans);
3646err4:
3647 kfree(elem.priv);
3648err3:
3649 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3650 nft_data_uninit(&data, d2.type);
3651err2:
3652 nft_data_uninit(&elem.key.val, d1.type);
3653err1:
3654 return err;
3655}
3656
3657static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
3658 struct sk_buff *skb, const struct nlmsghdr *nlh,
3659 const struct nlattr * const nla[])
3660{
3661 u8 genmask = nft_genmask_next(net);
3662 const struct nlattr *attr;
3663 struct nft_set *set;
3664 struct nft_ctx ctx;
3665 int rem, err = 0;
3666
3667 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3668 return -EINVAL;
3669
3670 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3671 if (err < 0)
3672 return err;
3673
3674 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3675 genmask);
3676 if (IS_ERR(set)) {
3677 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
3678 set = nf_tables_set_lookup_byid(net,
3679 nla[NFTA_SET_ELEM_LIST_SET_ID],
3680 genmask);
3681 }
3682 if (IS_ERR(set))
3683 return PTR_ERR(set);
3684 }
3685
3686 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3687 return -EBUSY;
3688
3689 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3690 if (set->size &&
3691 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact))
3692 return -ENFILE;
3693
3694 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
3695 if (err < 0) {
3696 atomic_dec(&set->nelems);
3697 break;
3698 }
3699 }
3700 return err;
3701}
3702
3703static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
3704 const struct nlattr *attr)
3705{
3706 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3707 struct nft_set_ext_tmpl tmpl;
3708 struct nft_data_desc desc;
3709 struct nft_set_elem elem;
3710 struct nft_set_ext *ext;
3711 struct nft_trans *trans;
3712 u32 flags = 0;
3713 void *priv;
3714 int err;
3715
3716 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3717 nft_set_elem_policy);
3718 if (err < 0)
3719 goto err1;
3720
3721 err = -EINVAL;
3722 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3723 goto err1;
3724
3725 nft_set_ext_prepare(&tmpl);
3726
3727 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3728 if (err < 0)
3729 return err;
3730 if (flags != 0)
3731 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3732
3733 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3734 nla[NFTA_SET_ELEM_KEY]);
3735 if (err < 0)
3736 goto err1;
3737
3738 err = -EINVAL;
3739 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3740 goto err2;
3741
3742 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
3743
3744 err = -ENOMEM;
3745 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
3746 GFP_KERNEL);
3747 if (elem.priv == NULL)
3748 goto err2;
3749
3750 ext = nft_set_elem_ext(set, elem.priv);
3751 if (flags)
3752 *nft_set_ext_flags(ext) = flags;
3753
3754 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
3755 if (trans == NULL) {
3756 err = -ENOMEM;
3757 goto err3;
3758 }
3759
3760 priv = set->ops->deactivate(ctx->net, set, &elem);
3761 if (priv == NULL) {
3762 err = -ENOENT;
3763 goto err4;
3764 }
3765 kfree(elem.priv);
3766 elem.priv = priv;
3767
3768 nft_trans_elem(trans) = elem;
3769 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3770 return 0;
3771
3772err4:
3773 kfree(trans);
3774err3:
3775 kfree(elem.priv);
3776err2:
3777 nft_data_uninit(&elem.key.val, desc.type);
3778err1:
3779 return err;
3780}
3781
3782static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
3783 struct sk_buff *skb, const struct nlmsghdr *nlh,
3784 const struct nlattr * const nla[])
3785{
3786 u8 genmask = nft_genmask_next(net);
3787 const struct nlattr *attr;
3788 struct nft_set *set;
3789 struct nft_ctx ctx;
3790 int rem, err = 0;
3791
3792 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3793 return -EINVAL;
3794
3795 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3796 if (err < 0)
3797 return err;
3798
3799 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3800 genmask);
3801 if (IS_ERR(set))
3802 return PTR_ERR(set);
3803 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3804 return -EBUSY;
3805
3806 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3807 err = nft_del_setelem(&ctx, set, attr);
3808 if (err < 0)
3809 break;
3810
3811 set->ndeact++;
3812 }
3813 return err;
3814}
3815
3816void nft_set_gc_batch_release(struct rcu_head *rcu)
3817{
3818 struct nft_set_gc_batch *gcb;
3819 unsigned int i;
3820
3821 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
3822 for (i = 0; i < gcb->head.cnt; i++)
3823 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
3824 kfree(gcb);
3825}
3826EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
3827
3828struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
3829 gfp_t gfp)
3830{
3831 struct nft_set_gc_batch *gcb;
3832
3833 gcb = kzalloc(sizeof(*gcb), gfp);
3834 if (gcb == NULL)
3835 return gcb;
3836 gcb->head.set = set;
3837 return gcb;
3838}
3839EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
3840
3841static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
3842 u32 portid, u32 seq)
3843{
3844 struct nlmsghdr *nlh;
3845 struct nfgenmsg *nfmsg;
3846 int event = (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_NEWGEN;
3847
3848 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
3849 if (nlh == NULL)
3850 goto nla_put_failure;
3851
3852 nfmsg = nlmsg_data(nlh);
3853 nfmsg->nfgen_family = AF_UNSPEC;
3854 nfmsg->version = NFNETLINK_V0;
3855 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3856
3857 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)))
3858 goto nla_put_failure;
3859
3860 nlmsg_end(skb, nlh);
3861 return 0;
3862
3863nla_put_failure:
3864 nlmsg_trim(skb, nlh);
3865 return -EMSGSIZE;
3866}
3867
3868static int nf_tables_gen_notify(struct net *net, struct sk_buff *skb, int event)
3869{
3870 struct nlmsghdr *nlh = nlmsg_hdr(skb);
3871 struct sk_buff *skb2;
3872 int err;
3873
3874 if (nlmsg_report(nlh) &&
3875 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3876 return 0;
3877
3878 err = -ENOBUFS;
3879 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3880 if (skb2 == NULL)
3881 goto err;
3882
3883 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
3884 nlh->nlmsg_seq);
3885 if (err < 0) {
3886 kfree_skb(skb2);
3887 goto err;
3888 }
3889
3890 err = nfnetlink_send(skb2, net, NETLINK_CB(skb).portid,
3891 NFNLGRP_NFTABLES, nlmsg_report(nlh), GFP_KERNEL);
3892err:
3893 if (err < 0) {
3894 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
3895 err);
3896 }
3897 return err;
3898}
3899
3900static int nf_tables_getgen(struct net *net, struct sock *nlsk,
3901 struct sk_buff *skb, const struct nlmsghdr *nlh,
3902 const struct nlattr * const nla[])
3903{
3904 struct sk_buff *skb2;
3905 int err;
3906
3907 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
3908 if (skb2 == NULL)
3909 return -ENOMEM;
3910
3911 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
3912 nlh->nlmsg_seq);
3913 if (err < 0)
3914 goto err;
3915
3916 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3917err:
3918 kfree_skb(skb2);
3919 return err;
3920}
3921
3922static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
3923 [NFT_MSG_NEWTABLE] = {
3924 .call_batch = nf_tables_newtable,
3925 .attr_count = NFTA_TABLE_MAX,
3926 .policy = nft_table_policy,
3927 },
3928 [NFT_MSG_GETTABLE] = {
3929 .call = nf_tables_gettable,
3930 .attr_count = NFTA_TABLE_MAX,
3931 .policy = nft_table_policy,
3932 },
3933 [NFT_MSG_DELTABLE] = {
3934 .call_batch = nf_tables_deltable,
3935 .attr_count = NFTA_TABLE_MAX,
3936 .policy = nft_table_policy,
3937 },
3938 [NFT_MSG_NEWCHAIN] = {
3939 .call_batch = nf_tables_newchain,
3940 .attr_count = NFTA_CHAIN_MAX,
3941 .policy = nft_chain_policy,
3942 },
3943 [NFT_MSG_GETCHAIN] = {
3944 .call = nf_tables_getchain,
3945 .attr_count = NFTA_CHAIN_MAX,
3946 .policy = nft_chain_policy,
3947 },
3948 [NFT_MSG_DELCHAIN] = {
3949 .call_batch = nf_tables_delchain,
3950 .attr_count = NFTA_CHAIN_MAX,
3951 .policy = nft_chain_policy,
3952 },
3953 [NFT_MSG_NEWRULE] = {
3954 .call_batch = nf_tables_newrule,
3955 .attr_count = NFTA_RULE_MAX,
3956 .policy = nft_rule_policy,
3957 },
3958 [NFT_MSG_GETRULE] = {
3959 .call = nf_tables_getrule,
3960 .attr_count = NFTA_RULE_MAX,
3961 .policy = nft_rule_policy,
3962 },
3963 [NFT_MSG_DELRULE] = {
3964 .call_batch = nf_tables_delrule,
3965 .attr_count = NFTA_RULE_MAX,
3966 .policy = nft_rule_policy,
3967 },
3968 [NFT_MSG_NEWSET] = {
3969 .call_batch = nf_tables_newset,
3970 .attr_count = NFTA_SET_MAX,
3971 .policy = nft_set_policy,
3972 },
3973 [NFT_MSG_GETSET] = {
3974 .call = nf_tables_getset,
3975 .attr_count = NFTA_SET_MAX,
3976 .policy = nft_set_policy,
3977 },
3978 [NFT_MSG_DELSET] = {
3979 .call_batch = nf_tables_delset,
3980 .attr_count = NFTA_SET_MAX,
3981 .policy = nft_set_policy,
3982 },
3983 [NFT_MSG_NEWSETELEM] = {
3984 .call_batch = nf_tables_newsetelem,
3985 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3986 .policy = nft_set_elem_list_policy,
3987 },
3988 [NFT_MSG_GETSETELEM] = {
3989 .call = nf_tables_getsetelem,
3990 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3991 .policy = nft_set_elem_list_policy,
3992 },
3993 [NFT_MSG_DELSETELEM] = {
3994 .call_batch = nf_tables_delsetelem,
3995 .attr_count = NFTA_SET_ELEM_LIST_MAX,
3996 .policy = nft_set_elem_list_policy,
3997 },
3998 [NFT_MSG_GETGEN] = {
3999 .call = nf_tables_getgen,
4000 },
4001};
4002
4003static void nft_chain_commit_update(struct nft_trans *trans)
4004{
4005 struct nft_base_chain *basechain;
4006
4007 if (nft_trans_chain_name(trans)[0])
4008 strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
4009
4010 if (!(trans->ctx.chain->flags & NFT_BASE_CHAIN))
4011 return;
4012
4013 basechain = nft_base_chain(trans->ctx.chain);
4014 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
4015
4016 switch (nft_trans_chain_policy(trans)) {
4017 case NF_DROP:
4018 case NF_ACCEPT:
4019 basechain->policy = nft_trans_chain_policy(trans);
4020 break;
4021 }
4022}
4023
4024static void nf_tables_commit_release(struct nft_trans *trans)
4025{
4026 switch (trans->msg_type) {
4027 case NFT_MSG_DELTABLE:
4028 nf_tables_table_destroy(&trans->ctx);
4029 break;
4030 case NFT_MSG_DELCHAIN:
4031 nf_tables_chain_destroy(trans->ctx.chain);
4032 break;
4033 case NFT_MSG_DELRULE:
4034 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
4035 break;
4036 case NFT_MSG_DELSET:
4037 nft_set_destroy(nft_trans_set(trans));
4038 break;
4039 case NFT_MSG_DELSETELEM:
4040 nft_set_elem_destroy(nft_trans_elem_set(trans),
4041 nft_trans_elem(trans).priv, true);
4042 break;
4043 }
4044 kfree(trans);
4045}
4046
4047static int nf_tables_commit(struct net *net, struct sk_buff *skb)
4048{
4049 struct nft_trans *trans, *next;
4050 struct nft_trans_elem *te;
4051
4052
4053 while (++net->nft.base_seq == 0);
4054
4055
4056 net->nft.gencursor = nft_gencursor_next(net);
4057
4058
4059
4060
4061 synchronize_rcu();
4062
4063 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
4064 switch (trans->msg_type) {
4065 case NFT_MSG_NEWTABLE:
4066 if (nft_trans_table_update(trans)) {
4067 if (!nft_trans_table_enable(trans)) {
4068 nf_tables_table_disable(net,
4069 trans->ctx.afi,
4070 trans->ctx.table);
4071 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
4072 }
4073 } else {
4074 nft_clear(net, trans->ctx.table);
4075 }
4076 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
4077 nft_trans_destroy(trans);
4078 break;
4079 case NFT_MSG_DELTABLE:
4080 list_del_rcu(&trans->ctx.table->list);
4081 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
4082 break;
4083 case NFT_MSG_NEWCHAIN:
4084 if (nft_trans_chain_update(trans))
4085 nft_chain_commit_update(trans);
4086 else
4087 nft_clear(net, trans->ctx.chain);
4088
4089 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
4090 nft_trans_destroy(trans);
4091 break;
4092 case NFT_MSG_DELCHAIN:
4093 list_del_rcu(&trans->ctx.chain->list);
4094 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
4095 nf_tables_unregister_hooks(trans->ctx.net,
4096 trans->ctx.table,
4097 trans->ctx.chain,
4098 trans->ctx.afi->nops);
4099 break;
4100 case NFT_MSG_NEWRULE:
4101 nft_clear(trans->ctx.net, nft_trans_rule(trans));
4102 nf_tables_rule_notify(&trans->ctx,
4103 nft_trans_rule(trans),
4104 NFT_MSG_NEWRULE);
4105 nft_trans_destroy(trans);
4106 break;
4107 case NFT_MSG_DELRULE:
4108 list_del_rcu(&nft_trans_rule(trans)->list);
4109 nf_tables_rule_notify(&trans->ctx,
4110 nft_trans_rule(trans),
4111 NFT_MSG_DELRULE);
4112 break;
4113 case NFT_MSG_NEWSET:
4114 nft_clear(net, nft_trans_set(trans));
4115
4116
4117
4118 if (nft_trans_set(trans)->flags & NFT_SET_ANONYMOUS &&
4119 !list_empty(&nft_trans_set(trans)->bindings))
4120 trans->ctx.table->use--;
4121
4122 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
4123 NFT_MSG_NEWSET, GFP_KERNEL);
4124 nft_trans_destroy(trans);
4125 break;
4126 case NFT_MSG_DELSET:
4127 list_del_rcu(&nft_trans_set(trans)->list);
4128 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
4129 NFT_MSG_DELSET, GFP_KERNEL);
4130 break;
4131 case NFT_MSG_NEWSETELEM:
4132 te = (struct nft_trans_elem *)trans->data;
4133
4134 te->set->ops->activate(net, te->set, &te->elem);
4135 nf_tables_setelem_notify(&trans->ctx, te->set,
4136 &te->elem,
4137 NFT_MSG_NEWSETELEM, 0);
4138 nft_trans_destroy(trans);
4139 break;
4140 case NFT_MSG_DELSETELEM:
4141 te = (struct nft_trans_elem *)trans->data;
4142
4143 nf_tables_setelem_notify(&trans->ctx, te->set,
4144 &te->elem,
4145 NFT_MSG_DELSETELEM, 0);
4146 te->set->ops->remove(te->set, &te->elem);
4147 atomic_dec(&te->set->nelems);
4148 te->set->ndeact--;
4149 break;
4150 }
4151 }
4152
4153 synchronize_rcu();
4154
4155 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
4156 list_del(&trans->list);
4157 nf_tables_commit_release(trans);
4158 }
4159
4160 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
4161
4162 return 0;
4163}
4164
4165static void nf_tables_abort_release(struct nft_trans *trans)
4166{
4167 switch (trans->msg_type) {
4168 case NFT_MSG_NEWTABLE:
4169 nf_tables_table_destroy(&trans->ctx);
4170 break;
4171 case NFT_MSG_NEWCHAIN:
4172 nf_tables_chain_destroy(trans->ctx.chain);
4173 break;
4174 case NFT_MSG_NEWRULE:
4175 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
4176 break;
4177 case NFT_MSG_NEWSET:
4178 nft_set_destroy(nft_trans_set(trans));
4179 break;
4180 case NFT_MSG_NEWSETELEM:
4181 nft_set_elem_destroy(nft_trans_elem_set(trans),
4182 nft_trans_elem(trans).priv, true);
4183 break;
4184 }
4185 kfree(trans);
4186}
4187
4188static int nf_tables_abort(struct net *net, struct sk_buff *skb)
4189{
4190 struct nft_trans *trans, *next;
4191 struct nft_trans_elem *te;
4192
4193 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
4194 list) {
4195 switch (trans->msg_type) {
4196 case NFT_MSG_NEWTABLE:
4197 if (nft_trans_table_update(trans)) {
4198 if (nft_trans_table_enable(trans)) {
4199 nf_tables_table_disable(net,
4200 trans->ctx.afi,
4201 trans->ctx.table);
4202 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
4203 }
4204 nft_trans_destroy(trans);
4205 } else {
4206 list_del_rcu(&trans->ctx.table->list);
4207 }
4208 break;
4209 case NFT_MSG_DELTABLE:
4210 nft_clear(trans->ctx.net, trans->ctx.table);
4211 nft_trans_destroy(trans);
4212 break;
4213 case NFT_MSG_NEWCHAIN:
4214 if (nft_trans_chain_update(trans)) {
4215 free_percpu(nft_trans_chain_stats(trans));
4216
4217 nft_trans_destroy(trans);
4218 } else {
4219 trans->ctx.table->use--;
4220 list_del_rcu(&trans->ctx.chain->list);
4221 nf_tables_unregister_hooks(trans->ctx.net,
4222 trans->ctx.table,
4223 trans->ctx.chain,
4224 trans->ctx.afi->nops);
4225 }
4226 break;
4227 case NFT_MSG_DELCHAIN:
4228 trans->ctx.table->use++;
4229 nft_clear(trans->ctx.net, trans->ctx.chain);
4230 nft_trans_destroy(trans);
4231 break;
4232 case NFT_MSG_NEWRULE:
4233 trans->ctx.chain->use--;
4234 list_del_rcu(&nft_trans_rule(trans)->list);
4235 break;
4236 case NFT_MSG_DELRULE:
4237 trans->ctx.chain->use++;
4238 nft_clear(trans->ctx.net, nft_trans_rule(trans));
4239 nft_trans_destroy(trans);
4240 break;
4241 case NFT_MSG_NEWSET:
4242 trans->ctx.table->use--;
4243 list_del_rcu(&nft_trans_set(trans)->list);
4244 break;
4245 case NFT_MSG_DELSET:
4246 trans->ctx.table->use++;
4247 nft_clear(trans->ctx.net, nft_trans_set(trans));
4248 nft_trans_destroy(trans);
4249 break;
4250 case NFT_MSG_NEWSETELEM:
4251 te = (struct nft_trans_elem *)trans->data;
4252
4253 te->set->ops->remove(te->set, &te->elem);
4254 atomic_dec(&te->set->nelems);
4255 break;
4256 case NFT_MSG_DELSETELEM:
4257 te = (struct nft_trans_elem *)trans->data;
4258
4259 te->set->ops->activate(net, te->set, &te->elem);
4260 te->set->ndeact--;
4261
4262 nft_trans_destroy(trans);
4263 break;
4264 }
4265 }
4266
4267 synchronize_rcu();
4268
4269 list_for_each_entry_safe_reverse(trans, next,
4270 &net->nft.commit_list, list) {
4271 list_del(&trans->list);
4272 nf_tables_abort_release(trans);
4273 }
4274
4275 return 0;
4276}
4277
4278static const struct nfnetlink_subsystem nf_tables_subsys = {
4279 .name = "nf_tables",
4280 .subsys_id = NFNL_SUBSYS_NFTABLES,
4281 .cb_count = NFT_MSG_MAX,
4282 .cb = nf_tables_cb,
4283 .commit = nf_tables_commit,
4284 .abort = nf_tables_abort,
4285};
4286
4287int nft_chain_validate_dependency(const struct nft_chain *chain,
4288 enum nft_chain_type type)
4289{
4290 const struct nft_base_chain *basechain;
4291
4292 if (chain->flags & NFT_BASE_CHAIN) {
4293 basechain = nft_base_chain(chain);
4294 if (basechain->type->type != type)
4295 return -EOPNOTSUPP;
4296 }
4297 return 0;
4298}
4299EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
4300
4301int nft_chain_validate_hooks(const struct nft_chain *chain,
4302 unsigned int hook_flags)
4303{
4304 struct nft_base_chain *basechain;
4305
4306 if (chain->flags & NFT_BASE_CHAIN) {
4307 basechain = nft_base_chain(chain);
4308
4309 if ((1 << basechain->ops[0].hooknum) & hook_flags)
4310 return 0;
4311
4312 return -EOPNOTSUPP;
4313 }
4314
4315 return 0;
4316}
4317EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
4318
4319
4320
4321
4322
4323
4324
4325
4326
4327
4328static int nf_tables_check_loops(const struct nft_ctx *ctx,
4329 const struct nft_chain *chain);
4330
4331static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
4332 const struct nft_set *set,
4333 const struct nft_set_iter *iter,
4334 const struct nft_set_elem *elem)
4335{
4336 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4337 const struct nft_data *data;
4338
4339 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4340 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
4341 return 0;
4342
4343 data = nft_set_ext_data(ext);
4344 switch (data->verdict.code) {
4345 case NFT_JUMP:
4346 case NFT_GOTO:
4347 return nf_tables_check_loops(ctx, data->verdict.chain);
4348 default:
4349 return 0;
4350 }
4351}
4352
4353static int nf_tables_check_loops(const struct nft_ctx *ctx,
4354 const struct nft_chain *chain)
4355{
4356 const struct nft_rule *rule;
4357 const struct nft_expr *expr, *last;
4358 const struct nft_set *set;
4359 struct nft_set_binding *binding;
4360 struct nft_set_iter iter;
4361
4362 if (ctx->chain == chain)
4363 return -ELOOP;
4364
4365 list_for_each_entry(rule, &chain->rules, list) {
4366 nft_rule_for_each_expr(expr, last, rule) {
4367 const struct nft_data *data = NULL;
4368 int err;
4369
4370 if (!expr->ops->validate)
4371 continue;
4372
4373 err = expr->ops->validate(ctx, expr, &data);
4374 if (err < 0)
4375 return err;
4376
4377 if (data == NULL)
4378 continue;
4379
4380 switch (data->verdict.code) {
4381 case NFT_JUMP:
4382 case NFT_GOTO:
4383 err = nf_tables_check_loops(ctx,
4384 data->verdict.chain);
4385 if (err < 0)
4386 return err;
4387 default:
4388 break;
4389 }
4390 }
4391 }
4392
4393 list_for_each_entry(set, &ctx->table->sets, list) {
4394 if (!nft_is_active_next(ctx->net, set))
4395 continue;
4396 if (!(set->flags & NFT_SET_MAP) ||
4397 set->dtype != NFT_DATA_VERDICT)
4398 continue;
4399
4400 list_for_each_entry(binding, &set->bindings, list) {
4401 if (!(binding->flags & NFT_SET_MAP) ||
4402 binding->chain != chain)
4403 continue;
4404
4405 iter.genmask = nft_genmask_next(ctx->net);
4406 iter.skip = 0;
4407 iter.count = 0;
4408 iter.err = 0;
4409 iter.fn = nf_tables_loop_check_setelem;
4410
4411 set->ops->walk(ctx, set, &iter);
4412 if (iter.err < 0)
4413 return iter.err;
4414 }
4415 }
4416
4417 return 0;
4418}
4419
4420
4421
4422
4423
4424
4425
4426
4427
4428
4429
4430
4431
4432int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
4433{
4434 u32 val;
4435
4436 val = ntohl(nla_get_be32(attr));
4437 if (val > max)
4438 return -ERANGE;
4439
4440 *dest = val;
4441 return 0;
4442}
4443EXPORT_SYMBOL_GPL(nft_parse_u32_check);
4444
4445
4446
4447
4448
4449
4450
4451
4452
4453
4454unsigned int nft_parse_register(const struct nlattr *attr)
4455{
4456 unsigned int reg;
4457
4458 reg = ntohl(nla_get_be32(attr));
4459 switch (reg) {
4460 case NFT_REG_VERDICT...NFT_REG_4:
4461 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
4462 default:
4463 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
4464 }
4465}
4466EXPORT_SYMBOL_GPL(nft_parse_register);
4467
4468
4469
4470
4471
4472
4473
4474
4475
4476
4477
4478
4479int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
4480{
4481 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
4482 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
4483 else
4484 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
4485
4486 return nla_put_be32(skb, attr, htonl(reg));
4487}
4488EXPORT_SYMBOL_GPL(nft_dump_register);
4489
4490
4491
4492
4493
4494
4495
4496
4497
4498
4499int nft_validate_register_load(enum nft_registers reg, unsigned int len)
4500{
4501 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
4502 return -EINVAL;
4503 if (len == 0)
4504 return -EINVAL;
4505 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
4506 return -ERANGE;
4507
4508 return 0;
4509}
4510EXPORT_SYMBOL_GPL(nft_validate_register_load);
4511
4512
4513
4514
4515
4516
4517
4518
4519
4520
4521
4522
4523
4524
4525
4526int nft_validate_register_store(const struct nft_ctx *ctx,
4527 enum nft_registers reg,
4528 const struct nft_data *data,
4529 enum nft_data_types type, unsigned int len)
4530{
4531 int err;
4532
4533 switch (reg) {
4534 case NFT_REG_VERDICT:
4535 if (type != NFT_DATA_VERDICT)
4536 return -EINVAL;
4537
4538 if (data != NULL &&
4539 (data->verdict.code == NFT_GOTO ||
4540 data->verdict.code == NFT_JUMP)) {
4541 err = nf_tables_check_loops(ctx, data->verdict.chain);
4542 if (err < 0)
4543 return err;
4544
4545 if (ctx->chain->level + 1 >
4546 data->verdict.chain->level) {
4547 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
4548 return -EMLINK;
4549 data->verdict.chain->level = ctx->chain->level + 1;
4550 }
4551 }
4552
4553 return 0;
4554 default:
4555 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
4556 return -EINVAL;
4557 if (len == 0)
4558 return -EINVAL;
4559 if (reg * NFT_REG32_SIZE + len >
4560 FIELD_SIZEOF(struct nft_regs, data))
4561 return -ERANGE;
4562
4563 if (data != NULL && type != NFT_DATA_VALUE)
4564 return -EINVAL;
4565 return 0;
4566 }
4567}
4568EXPORT_SYMBOL_GPL(nft_validate_register_store);
4569
4570static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
4571 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
4572 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
4573 .len = NFT_CHAIN_MAXNAMELEN - 1 },
4574};
4575
4576static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
4577 struct nft_data_desc *desc, const struct nlattr *nla)
4578{
4579 u8 genmask = nft_genmask_next(ctx->net);
4580 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
4581 struct nft_chain *chain;
4582 int err;
4583
4584 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
4585 if (err < 0)
4586 return err;
4587
4588 if (!tb[NFTA_VERDICT_CODE])
4589 return -EINVAL;
4590 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
4591
4592 switch (data->verdict.code) {
4593 default:
4594 switch (data->verdict.code & NF_VERDICT_MASK) {
4595 case NF_ACCEPT:
4596 case NF_DROP:
4597 case NF_QUEUE:
4598 break;
4599 default:
4600 return -EINVAL;
4601 }
4602
4603 case NFT_CONTINUE:
4604 case NFT_BREAK:
4605 case NFT_RETURN:
4606 break;
4607 case NFT_JUMP:
4608 case NFT_GOTO:
4609 if (!tb[NFTA_VERDICT_CHAIN])
4610 return -EINVAL;
4611 chain = nf_tables_chain_lookup(ctx->table,
4612 tb[NFTA_VERDICT_CHAIN], genmask);
4613 if (IS_ERR(chain))
4614 return PTR_ERR(chain);
4615 if (chain->flags & NFT_BASE_CHAIN)
4616 return -EOPNOTSUPP;
4617
4618 chain->use++;
4619 data->verdict.chain = chain;
4620 break;
4621 }
4622
4623 desc->len = sizeof(data->verdict);
4624 desc->type = NFT_DATA_VERDICT;
4625 return 0;
4626}
4627
4628static void nft_verdict_uninit(const struct nft_data *data)
4629{
4630 switch (data->verdict.code) {
4631 case NFT_JUMP:
4632 case NFT_GOTO:
4633 data->verdict.chain->use--;
4634 break;
4635 }
4636}
4637
4638int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
4639{
4640 struct nlattr *nest;
4641
4642 nest = nla_nest_start(skb, type);
4643 if (!nest)
4644 goto nla_put_failure;
4645
4646 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
4647 goto nla_put_failure;
4648
4649 switch (v->code) {
4650 case NFT_JUMP:
4651 case NFT_GOTO:
4652 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
4653 v->chain->name))
4654 goto nla_put_failure;
4655 }
4656 nla_nest_end(skb, nest);
4657 return 0;
4658
4659nla_put_failure:
4660 return -1;
4661}
4662
4663static int nft_value_init(const struct nft_ctx *ctx,
4664 struct nft_data *data, unsigned int size,
4665 struct nft_data_desc *desc, const struct nlattr *nla)
4666{
4667 unsigned int len;
4668
4669 len = nla_len(nla);
4670 if (len == 0)
4671 return -EINVAL;
4672 if (len > size)
4673 return -EOVERFLOW;
4674
4675 nla_memcpy(data->data, nla, len);
4676 desc->type = NFT_DATA_VALUE;
4677 desc->len = len;
4678 return 0;
4679}
4680
4681static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
4682 unsigned int len)
4683{
4684 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
4685}
4686
4687static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
4688 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
4689 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
4690};
4691
4692
4693
4694
4695
4696
4697
4698
4699
4700
4701
4702
4703
4704
4705
4706
4707int nft_data_init(const struct nft_ctx *ctx,
4708 struct nft_data *data, unsigned int size,
4709 struct nft_data_desc *desc, const struct nlattr *nla)
4710{
4711 struct nlattr *tb[NFTA_DATA_MAX + 1];
4712 int err;
4713
4714 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
4715 if (err < 0)
4716 return err;
4717
4718 if (tb[NFTA_DATA_VALUE])
4719 return nft_value_init(ctx, data, size, desc,
4720 tb[NFTA_DATA_VALUE]);
4721 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
4722 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
4723 return -EINVAL;
4724}
4725EXPORT_SYMBOL_GPL(nft_data_init);
4726
4727
4728
4729
4730
4731
4732
4733
4734
4735
4736void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
4737{
4738 if (type < NFT_DATA_VERDICT)
4739 return;
4740 switch (type) {
4741 case NFT_DATA_VERDICT:
4742 return nft_verdict_uninit(data);
4743 default:
4744 WARN_ON(1);
4745 }
4746}
4747EXPORT_SYMBOL_GPL(nft_data_uninit);
4748
4749int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
4750 enum nft_data_types type, unsigned int len)
4751{
4752 struct nlattr *nest;
4753 int err;
4754
4755 nest = nla_nest_start(skb, attr);
4756 if (nest == NULL)
4757 return -1;
4758
4759 switch (type) {
4760 case NFT_DATA_VALUE:
4761 err = nft_value_dump(skb, data, len);
4762 break;
4763 case NFT_DATA_VERDICT:
4764 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
4765 break;
4766 default:
4767 err = -EINVAL;
4768 WARN_ON(1);
4769 }
4770
4771 nla_nest_end(skb, nest);
4772 return err;
4773}
4774EXPORT_SYMBOL_GPL(nft_data_dump);
4775
4776static int __net_init nf_tables_init_net(struct net *net)
4777{
4778 INIT_LIST_HEAD(&net->nft.af_info);
4779 INIT_LIST_HEAD(&net->nft.commit_list);
4780 net->nft.base_seq = 1;
4781 return 0;
4782}
4783
4784int __nft_release_basechain(struct nft_ctx *ctx)
4785{
4786 struct nft_rule *rule, *nr;
4787
4788 BUG_ON(!(ctx->chain->flags & NFT_BASE_CHAIN));
4789
4790 nf_tables_unregister_hooks(ctx->net, ctx->chain->table, ctx->chain,
4791 ctx->afi->nops);
4792 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
4793 list_del(&rule->list);
4794 ctx->chain->use--;
4795 nf_tables_rule_destroy(ctx, rule);
4796 }
4797 list_del(&ctx->chain->list);
4798 ctx->table->use--;
4799 nf_tables_chain_destroy(ctx->chain);
4800
4801 return 0;
4802}
4803EXPORT_SYMBOL_GPL(__nft_release_basechain);
4804
4805
4806static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi)
4807{
4808 struct nft_table *table, *nt;
4809 struct nft_chain *chain, *nc;
4810 struct nft_rule *rule, *nr;
4811 struct nft_set *set, *ns;
4812 struct nft_ctx ctx = {
4813 .net = net,
4814 .afi = afi,
4815 };
4816
4817 list_for_each_entry_safe(table, nt, &afi->tables, list) {
4818 list_for_each_entry(chain, &table->chains, list)
4819 nf_tables_unregister_hooks(net, table, chain,
4820 afi->nops);
4821
4822 ctx.table = table;
4823 list_for_each_entry(chain, &table->chains, list) {
4824 ctx.chain = chain;
4825 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
4826 list_del(&rule->list);
4827 chain->use--;
4828 nf_tables_rule_destroy(&ctx, rule);
4829 }
4830 }
4831 list_for_each_entry_safe(set, ns, &table->sets, list) {
4832 list_del(&set->list);
4833 table->use--;
4834 nft_set_destroy(set);
4835 }
4836 list_for_each_entry_safe(chain, nc, &table->chains, list) {
4837 list_del(&chain->list);
4838 table->use--;
4839 nf_tables_chain_destroy(chain);
4840 }
4841 list_del(&table->list);
4842 nf_tables_table_destroy(&ctx);
4843 }
4844}
4845
4846static struct pernet_operations nf_tables_net_ops = {
4847 .init = nf_tables_init_net,
4848};
4849
4850static int __init nf_tables_module_init(void)
4851{
4852 int err;
4853
4854 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
4855 GFP_KERNEL);
4856 if (info == NULL) {
4857 err = -ENOMEM;
4858 goto err1;
4859 }
4860
4861 err = nf_tables_core_module_init();
4862 if (err < 0)
4863 goto err2;
4864
4865 err = nfnetlink_subsys_register(&nf_tables_subsys);
4866 if (err < 0)
4867 goto err3;
4868
4869 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
4870 return register_pernet_subsys(&nf_tables_net_ops);
4871err3:
4872 nf_tables_core_module_exit();
4873err2:
4874 kfree(info);
4875err1:
4876 return err;
4877}
4878
4879static void __exit nf_tables_module_exit(void)
4880{
4881 unregister_pernet_subsys(&nf_tables_net_ops);
4882 nfnetlink_subsys_unregister(&nf_tables_subsys);
4883 rcu_barrier();
4884 nf_tables_core_module_exit();
4885 kfree(info);
4886}
4887
4888module_init(nf_tables_module_init);
4889module_exit(nf_tables_module_exit);
4890
4891MODULE_LICENSE("GPL");
4892MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
4893MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
4894
