1
2
3
4
5
6
7
8#include <linux/module.h>
9#include <linux/init.h>
10#include <linux/list.h>
11#include <linux/skbuff.h>
12#include <linux/netlink.h>
13#include <linux/vmalloc.h>
14#include <linux/rhashtable.h>
15#include <linux/audit.h>
16#include <linux/netfilter.h>
17#include <linux/netfilter/nfnetlink.h>
18#include <linux/netfilter/nf_tables.h>
19#include <net/netfilter/nf_flow_table.h>
20#include <net/netfilter/nf_tables_core.h>
21#include <net/netfilter/nf_tables.h>
22#include <net/netfilter/nf_tables_offload.h>
23#include <net/net_namespace.h>
24#include <net/sock.h>
25
26#define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
27
28unsigned int nf_tables_net_id __read_mostly;
29
30static LIST_HEAD(nf_tables_expressions);
31static LIST_HEAD(nf_tables_objects);
32static LIST_HEAD(nf_tables_flowtables);
33static LIST_HEAD(nf_tables_destroy_list);
34static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
35static u64 table_handle;
36
37enum {
38 NFT_VALIDATE_SKIP = 0,
39 NFT_VALIDATE_NEED,
40 NFT_VALIDATE_DO,
41};
42
43static struct rhltable nft_objname_ht;
44
45static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
46static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
47static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
48
49static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
50static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
51static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
52
53static const struct rhashtable_params nft_chain_ht_params = {
54 .head_offset = offsetof(struct nft_chain, rhlhead),
55 .key_offset = offsetof(struct nft_chain, name),
56 .hashfn = nft_chain_hash,
57 .obj_hashfn = nft_chain_hash_obj,
58 .obj_cmpfn = nft_chain_hash_cmp,
59 .automatic_shrinking = true,
60};
61
62static const struct rhashtable_params nft_objname_ht_params = {
63 .head_offset = offsetof(struct nft_object, rhlhead),
64 .key_offset = offsetof(struct nft_object, key),
65 .hashfn = nft_objname_hash,
66 .obj_hashfn = nft_objname_hash_obj,
67 .obj_cmpfn = nft_objname_hash_cmp,
68 .automatic_shrinking = true,
69};
70
71struct nft_audit_data {
72 struct nft_table *table;
73 int entries;
74 int op;
75 struct list_head list;
76};
77
78static const u8 nft2audit_op[NFT_MSG_MAX] = {
79 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER,
80 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID,
81 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER,
82 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER,
83 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID,
84 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER,
85 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER,
86 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID,
87 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER,
88 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER,
89 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID,
90 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER,
91 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER,
92 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID,
93 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER,
94 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER,
95 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID,
96 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID,
97 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER,
98 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID,
99 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER,
100 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET,
101 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER,
102 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID,
103 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
104};
105
106static void nft_validate_state_update(struct net *net, u8 new_validate_state)
107{
108 struct nftables_pernet *nft_net = nft_pernet(net);
109
110 switch (nft_net->validate_state) {
111 case NFT_VALIDATE_SKIP:
112 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
113 break;
114 case NFT_VALIDATE_NEED:
115 break;
116 case NFT_VALIDATE_DO:
117 if (new_validate_state == NFT_VALIDATE_NEED)
118 return;
119 }
120
121 nft_net->validate_state = new_validate_state;
122}
123static void nf_tables_trans_destroy_work(struct work_struct *w);
124static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
125
126static void nft_ctx_init(struct nft_ctx *ctx,
127 struct net *net,
128 const struct sk_buff *skb,
129 const struct nlmsghdr *nlh,
130 u8 family,
131 struct nft_table *table,
132 struct nft_chain *chain,
133 const struct nlattr * const *nla)
134{
135 ctx->net = net;
136 ctx->family = family;
137 ctx->level = 0;
138 ctx->table = table;
139 ctx->chain = chain;
140 ctx->nla = nla;
141 ctx->portid = NETLINK_CB(skb).portid;
142 ctx->report = nlmsg_report(nlh);
143 ctx->flags = nlh->nlmsg_flags;
144 ctx->seq = nlh->nlmsg_seq;
145}
146
147static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
148 int msg_type, u32 size, gfp_t gfp)
149{
150 struct nft_trans *trans;
151
152 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
153 if (trans == NULL)
154 return NULL;
155
156 trans->msg_type = msg_type;
157 trans->ctx = *ctx;
158
159 return trans;
160}
161
162static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
163 int msg_type, u32 size)
164{
165 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
166}
167
168static void nft_trans_destroy(struct nft_trans *trans)
169{
170 list_del(&trans->list);
171 kfree(trans);
172}
173
174static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
175{
176 struct nftables_pernet *nft_net;
177 struct net *net = ctx->net;
178 struct nft_trans *trans;
179
180 if (!nft_set_is_anonymous(set))
181 return;
182
183 nft_net = nft_pernet(net);
184 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
185 switch (trans->msg_type) {
186 case NFT_MSG_NEWSET:
187 if (nft_trans_set(trans) == set)
188 nft_trans_set_bound(trans) = true;
189 break;
190 case NFT_MSG_NEWSETELEM:
191 if (nft_trans_elem_set(trans) == set)
192 nft_trans_elem_set_bound(trans) = true;
193 break;
194 }
195 }
196}
197
198static int nft_netdev_register_hooks(struct net *net,
199 struct list_head *hook_list)
200{
201 struct nft_hook *hook;
202 int err, j;
203
204 j = 0;
205 list_for_each_entry(hook, hook_list, list) {
206 err = nf_register_net_hook(net, &hook->ops);
207 if (err < 0)
208 goto err_register;
209
210 j++;
211 }
212 return 0;
213
214err_register:
215 list_for_each_entry(hook, hook_list, list) {
216 if (j-- <= 0)
217 break;
218
219 nf_unregister_net_hook(net, &hook->ops);
220 }
221 return err;
222}
223
224static void nft_netdev_unregister_hooks(struct net *net,
225 struct list_head *hook_list)
226{
227 struct nft_hook *hook;
228
229 list_for_each_entry(hook, hook_list, list)
230 nf_unregister_net_hook(net, &hook->ops);
231}
232
233static int nf_tables_register_hook(struct net *net,
234 const struct nft_table *table,
235 struct nft_chain *chain)
236{
237 struct nft_base_chain *basechain;
238 const struct nf_hook_ops *ops;
239
240 if (table->flags & NFT_TABLE_F_DORMANT ||
241 !nft_is_base_chain(chain))
242 return 0;
243
244 basechain = nft_base_chain(chain);
245 ops = &basechain->ops;
246
247 if (basechain->type->ops_register)
248 return basechain->type->ops_register(net, ops);
249
250 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
251 return nft_netdev_register_hooks(net, &basechain->hook_list);
252
253 return nf_register_net_hook(net, &basechain->ops);
254}
255
256static void nf_tables_unregister_hook(struct net *net,
257 const struct nft_table *table,
258 struct nft_chain *chain)
259{
260 struct nft_base_chain *basechain;
261 const struct nf_hook_ops *ops;
262
263 if (table->flags & NFT_TABLE_F_DORMANT ||
264 !nft_is_base_chain(chain))
265 return;
266 basechain = nft_base_chain(chain);
267 ops = &basechain->ops;
268
269 if (basechain->type->ops_unregister)
270 return basechain->type->ops_unregister(net, ops);
271
272 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
273 nft_netdev_unregister_hooks(net, &basechain->hook_list);
274 else
275 nf_unregister_net_hook(net, &basechain->ops);
276}
277
278static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans)
279{
280 struct nftables_pernet *nft_net = nft_pernet(net);
281
282 list_add_tail(&trans->list, &nft_net->commit_list);
283}
284
285static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
286{
287 struct nft_trans *trans;
288
289 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
290 if (trans == NULL)
291 return -ENOMEM;
292
293 if (msg_type == NFT_MSG_NEWTABLE)
294 nft_activate_next(ctx->net, ctx->table);
295
296 nft_trans_commit_list_add_tail(ctx->net, trans);
297 return 0;
298}
299
300static int nft_deltable(struct nft_ctx *ctx)
301{
302 int err;
303
304 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
305 if (err < 0)
306 return err;
307
308 nft_deactivate_next(ctx->net, ctx->table);
309 return err;
310}
311
312static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
313{
314 struct nft_trans *trans;
315
316 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
317 if (trans == NULL)
318 return ERR_PTR(-ENOMEM);
319
320 if (msg_type == NFT_MSG_NEWCHAIN) {
321 nft_activate_next(ctx->net, ctx->chain);
322
323 if (ctx->nla[NFTA_CHAIN_ID]) {
324 nft_trans_chain_id(trans) =
325 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
326 }
327 }
328
329 nft_trans_commit_list_add_tail(ctx->net, trans);
330 return trans;
331}
332
333static int nft_delchain(struct nft_ctx *ctx)
334{
335 struct nft_trans *trans;
336
337 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
338 if (IS_ERR(trans))
339 return PTR_ERR(trans);
340
341 ctx->table->use--;
342 nft_deactivate_next(ctx->net, ctx->chain);
343
344 return 0;
345}
346
347static void nft_rule_expr_activate(const struct nft_ctx *ctx,
348 struct nft_rule *rule)
349{
350 struct nft_expr *expr;
351
352 expr = nft_expr_first(rule);
353 while (nft_expr_more(rule, expr)) {
354 if (expr->ops->activate)
355 expr->ops->activate(ctx, expr);
356
357 expr = nft_expr_next(expr);
358 }
359}
360
361static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
362 struct nft_rule *rule,
363 enum nft_trans_phase phase)
364{
365 struct nft_expr *expr;
366
367 expr = nft_expr_first(rule);
368 while (nft_expr_more(rule, expr)) {
369 if (expr->ops->deactivate)
370 expr->ops->deactivate(ctx, expr, phase);
371
372 expr = nft_expr_next(expr);
373 }
374}
375
376static int
377nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
378{
379
380 if (nft_is_active_next(ctx->net, rule)) {
381 nft_deactivate_next(ctx->net, rule);
382 ctx->chain->use--;
383 return 0;
384 }
385 return -ENOENT;
386}
387
388static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
389 struct nft_rule *rule)
390{
391 struct nft_trans *trans;
392
393 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
394 if (trans == NULL)
395 return NULL;
396
397 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
398 nft_trans_rule_id(trans) =
399 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
400 }
401 nft_trans_rule(trans) = rule;
402 nft_trans_commit_list_add_tail(ctx->net, trans);
403
404 return trans;
405}
406
407static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
408{
409 struct nft_flow_rule *flow;
410 struct nft_trans *trans;
411 int err;
412
413 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
414 if (trans == NULL)
415 return -ENOMEM;
416
417 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
418 flow = nft_flow_rule_create(ctx->net, rule);
419 if (IS_ERR(flow)) {
420 nft_trans_destroy(trans);
421 return PTR_ERR(flow);
422 }
423
424 nft_trans_flow_rule(trans) = flow;
425 }
426
427 err = nf_tables_delrule_deactivate(ctx, rule);
428 if (err < 0) {
429 nft_trans_destroy(trans);
430 return err;
431 }
432 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
433
434 return 0;
435}
436
437static int nft_delrule_by_chain(struct nft_ctx *ctx)
438{
439 struct nft_rule *rule;
440 int err;
441
442 list_for_each_entry(rule, &ctx->chain->rules, list) {
443 if (!nft_is_active_next(ctx->net, rule))
444 continue;
445
446 err = nft_delrule(ctx, rule);
447 if (err < 0)
448 return err;
449 }
450 return 0;
451}
452
453static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
454 struct nft_set *set)
455{
456 struct nft_trans *trans;
457
458 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
459 if (trans == NULL)
460 return -ENOMEM;
461
462 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
463 nft_trans_set_id(trans) =
464 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
465 nft_activate_next(ctx->net, set);
466 }
467 nft_trans_set(trans) = set;
468 nft_trans_commit_list_add_tail(ctx->net, trans);
469
470 return 0;
471}
472
473static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
474{
475 int err;
476
477 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
478 if (err < 0)
479 return err;
480
481 nft_deactivate_next(ctx->net, set);
482 ctx->table->use--;
483
484 return err;
485}
486
487static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
488 struct nft_object *obj)
489{
490 struct nft_trans *trans;
491
492 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
493 if (trans == NULL)
494 return -ENOMEM;
495
496 if (msg_type == NFT_MSG_NEWOBJ)
497 nft_activate_next(ctx->net, obj);
498
499 nft_trans_obj(trans) = obj;
500 nft_trans_commit_list_add_tail(ctx->net, trans);
501
502 return 0;
503}
504
505static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
506{
507 int err;
508
509 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
510 if (err < 0)
511 return err;
512
513 nft_deactivate_next(ctx->net, obj);
514 ctx->table->use--;
515
516 return err;
517}
518
519static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
520 struct nft_flowtable *flowtable)
521{
522 struct nft_trans *trans;
523
524 trans = nft_trans_alloc(ctx, msg_type,
525 sizeof(struct nft_trans_flowtable));
526 if (trans == NULL)
527 return -ENOMEM;
528
529 if (msg_type == NFT_MSG_NEWFLOWTABLE)
530 nft_activate_next(ctx->net, flowtable);
531
532 nft_trans_flowtable(trans) = flowtable;
533 nft_trans_commit_list_add_tail(ctx->net, trans);
534
535 return 0;
536}
537
538static int nft_delflowtable(struct nft_ctx *ctx,
539 struct nft_flowtable *flowtable)
540{
541 int err;
542
543 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
544 if (err < 0)
545 return err;
546
547 nft_deactivate_next(ctx->net, flowtable);
548 ctx->table->use--;
549
550 return err;
551}
552
553
554
555
556
557static struct nft_table *nft_table_lookup(const struct net *net,
558 const struct nlattr *nla,
559 u8 family, u8 genmask, u32 nlpid)
560{
561 struct nftables_pernet *nft_net;
562 struct nft_table *table;
563
564 if (nla == NULL)
565 return ERR_PTR(-EINVAL);
566
567 nft_net = nft_pernet(net);
568 list_for_each_entry_rcu(table, &nft_net->tables, list,
569 lockdep_is_held(&nft_net->commit_mutex)) {
570 if (!nla_strcmp(nla, table->name) &&
571 table->family == family &&
572 nft_active_genmask(table, genmask)) {
573 if (nft_table_has_owner(table) &&
574 table->nlpid != nlpid)
575 return ERR_PTR(-EPERM);
576
577 return table;
578 }
579 }
580
581 return ERR_PTR(-ENOENT);
582}
583
584static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
585 const struct nlattr *nla,
586 u8 genmask)
587{
588 struct nftables_pernet *nft_net;
589 struct nft_table *table;
590
591 nft_net = nft_pernet(net);
592 list_for_each_entry(table, &nft_net->tables, list) {
593 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
594 nft_active_genmask(table, genmask))
595 return table;
596 }
597
598 return ERR_PTR(-ENOENT);
599}
600
601static inline u64 nf_tables_alloc_handle(struct nft_table *table)
602{
603 return ++table->hgenerator;
604}
605
606static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
607
608static const struct nft_chain_type *
609__nft_chain_type_get(u8 family, enum nft_chain_types type)
610{
611 if (family >= NFPROTO_NUMPROTO ||
612 type >= NFT_CHAIN_T_MAX)
613 return NULL;
614
615 return chain_type[family][type];
616}
617
618static const struct nft_chain_type *
619__nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
620{
621 const struct nft_chain_type *type;
622 int i;
623
624 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
625 type = __nft_chain_type_get(family, i);
626 if (!type)
627 continue;
628 if (!nla_strcmp(nla, type->name))
629 return type;
630 }
631 return NULL;
632}
633
634struct nft_module_request {
635 struct list_head list;
636 char module[MODULE_NAME_LEN];
637 bool done;
638};
639
640#ifdef CONFIG_MODULES
641__printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
642 ...)
643{
644 char module_name[MODULE_NAME_LEN];
645 struct nftables_pernet *nft_net;
646 struct nft_module_request *req;
647 va_list args;
648 int ret;
649
650 va_start(args, fmt);
651 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
652 va_end(args);
653 if (ret >= MODULE_NAME_LEN)
654 return 0;
655
656 nft_net = nft_pernet(net);
657 list_for_each_entry(req, &nft_net->module_list, list) {
658 if (!strcmp(req->module, module_name)) {
659 if (req->done)
660 return 0;
661
662
663 return -EAGAIN;
664 }
665 }
666
667 req = kmalloc(sizeof(*req), GFP_KERNEL);
668 if (!req)
669 return -ENOMEM;
670
671 req->done = false;
672 strlcpy(req->module, module_name, MODULE_NAME_LEN);
673 list_add_tail(&req->list, &nft_net->module_list);
674
675 return -EAGAIN;
676}
677EXPORT_SYMBOL_GPL(nft_request_module);
678#endif
679
680static void lockdep_nfnl_nft_mutex_not_held(void)
681{
682#ifdef CONFIG_PROVE_LOCKING
683 if (debug_locks)
684 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
685#endif
686}
687
688static const struct nft_chain_type *
689nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
690 u8 family, bool autoload)
691{
692 const struct nft_chain_type *type;
693
694 type = __nf_tables_chain_type_lookup(nla, family);
695 if (type != NULL)
696 return type;
697
698 lockdep_nfnl_nft_mutex_not_held();
699#ifdef CONFIG_MODULES
700 if (autoload) {
701 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
702 nla_len(nla),
703 (const char *)nla_data(nla)) == -EAGAIN)
704 return ERR_PTR(-EAGAIN);
705 }
706#endif
707 return ERR_PTR(-ENOENT);
708}
709
710static __be16 nft_base_seq(const struct net *net)
711{
712 struct nftables_pernet *nft_net = nft_pernet(net);
713
714 return htons(nft_net->base_seq & 0xffff);
715}
716
717static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
718 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
719 .len = NFT_TABLE_MAXNAMELEN - 1 },
720 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
721 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
722 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
723 .len = NFT_USERDATA_MAXLEN }
724};
725
726static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
727 u32 portid, u32 seq, int event, u32 flags,
728 int family, const struct nft_table *table)
729{
730 struct nlmsghdr *nlh;
731
732 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
733 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
734 NFNETLINK_V0, nft_base_seq(net));
735 if (!nlh)
736 goto nla_put_failure;
737
738 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
739 nla_put_be32(skb, NFTA_TABLE_FLAGS,
740 htonl(table->flags & NFT_TABLE_F_MASK)) ||
741 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
742 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
743 NFTA_TABLE_PAD))
744 goto nla_put_failure;
745 if (nft_table_has_owner(table) &&
746 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid)))
747 goto nla_put_failure;
748
749 if (table->udata) {
750 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
751 goto nla_put_failure;
752 }
753
754 nlmsg_end(skb, nlh);
755 return 0;
756
757nla_put_failure:
758 nlmsg_trim(skb, nlh);
759 return -1;
760}
761
762struct nftnl_skb_parms {
763 bool report;
764};
765#define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
766
767static void nft_notify_enqueue(struct sk_buff *skb, bool report,
768 struct list_head *notify_list)
769{
770 NFT_CB(skb).report = report;
771 list_add_tail(&skb->list, notify_list);
772}
773
774static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
775{
776 struct nftables_pernet *nft_net;
777 struct sk_buff *skb;
778 int err;
779
780 if (!ctx->report &&
781 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
782 return;
783
784 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
785 if (skb == NULL)
786 goto err;
787
788 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
789 event, 0, ctx->family, ctx->table);
790 if (err < 0) {
791 kfree_skb(skb);
792 goto err;
793 }
794
795 nft_net = nft_pernet(ctx->net);
796 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
797 return;
798err:
799 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
800}
801
802static int nf_tables_dump_tables(struct sk_buff *skb,
803 struct netlink_callback *cb)
804{
805 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
806 struct nftables_pernet *nft_net;
807 const struct nft_table *table;
808 unsigned int idx = 0, s_idx = cb->args[0];
809 struct net *net = sock_net(skb->sk);
810 int family = nfmsg->nfgen_family;
811
812 rcu_read_lock();
813 nft_net = nft_pernet(net);
814 cb->seq = nft_net->base_seq;
815
816 list_for_each_entry_rcu(table, &nft_net->tables, list) {
817 if (family != NFPROTO_UNSPEC && family != table->family)
818 continue;
819
820 if (idx < s_idx)
821 goto cont;
822 if (idx > s_idx)
823 memset(&cb->args[1], 0,
824 sizeof(cb->args) - sizeof(cb->args[0]));
825 if (!nft_is_active(net, table))
826 continue;
827 if (nf_tables_fill_table_info(skb, net,
828 NETLINK_CB(cb->skb).portid,
829 cb->nlh->nlmsg_seq,
830 NFT_MSG_NEWTABLE, NLM_F_MULTI,
831 table->family, table) < 0)
832 goto done;
833
834 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
835cont:
836 idx++;
837 }
838done:
839 rcu_read_unlock();
840 cb->args[0] = idx;
841 return skb->len;
842}
843
844static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
845 const struct nlmsghdr *nlh,
846 struct netlink_dump_control *c)
847{
848 int err;
849
850 if (!try_module_get(THIS_MODULE))
851 return -EINVAL;
852
853 rcu_read_unlock();
854 err = netlink_dump_start(nlsk, skb, nlh, c);
855 rcu_read_lock();
856 module_put(THIS_MODULE);
857
858 return err;
859}
860
861
862static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info,
863 const struct nlattr * const nla[])
864{
865 const struct nfgenmsg *nfmsg = nlmsg_data(info->nlh);
866 struct netlink_ext_ack *extack = info->extack;
867 u8 genmask = nft_genmask_cur(info->net);
868 int family = nfmsg->nfgen_family;
869 const struct nft_table *table;
870 struct net *net = info->net;
871 struct sk_buff *skb2;
872 int err;
873
874 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
875 struct netlink_dump_control c = {
876 .dump = nf_tables_dump_tables,
877 .module = THIS_MODULE,
878 };
879
880 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
881 }
882
883 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0);
884 if (IS_ERR(table)) {
885 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
886 return PTR_ERR(table);
887 }
888
889 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
890 if (!skb2)
891 return -ENOMEM;
892
893 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
894 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE,
895 0, family, table);
896 if (err < 0)
897 goto err_fill_table_info;
898
899 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
900
901err_fill_table_info:
902 kfree_skb(skb2);
903 return err;
904}
905
906static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
907{
908 struct nft_chain *chain;
909 u32 i = 0;
910
911 list_for_each_entry(chain, &table->chains, list) {
912 if (!nft_is_active_next(net, chain))
913 continue;
914 if (!nft_is_base_chain(chain))
915 continue;
916
917 if (cnt && i++ == cnt)
918 break;
919
920 nf_tables_unregister_hook(net, table, chain);
921 }
922}
923
924static int nf_tables_table_enable(struct net *net, struct nft_table *table)
925{
926 struct nft_chain *chain;
927 int err, i = 0;
928
929 list_for_each_entry(chain, &table->chains, list) {
930 if (!nft_is_active_next(net, chain))
931 continue;
932 if (!nft_is_base_chain(chain))
933 continue;
934
935 err = nf_tables_register_hook(net, table, chain);
936 if (err < 0)
937 goto err_register_hooks;
938
939 i++;
940 }
941 return 0;
942
943err_register_hooks:
944 if (i)
945 nft_table_disable(net, table, i);
946 return err;
947}
948
949static void nf_tables_table_disable(struct net *net, struct nft_table *table)
950{
951 table->flags &= ~NFT_TABLE_F_DORMANT;
952 nft_table_disable(net, table, 0);
953 table->flags |= NFT_TABLE_F_DORMANT;
954}
955
956#define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1)
957#define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0)
958#define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1)
959#define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \
960 __NFT_TABLE_F_WAS_AWAKEN)
961
962static int nf_tables_updtable(struct nft_ctx *ctx)
963{
964 struct nft_trans *trans;
965 u32 flags;
966 int ret;
967
968 if (!ctx->nla[NFTA_TABLE_FLAGS])
969 return 0;
970
971 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
972 if (flags & ~NFT_TABLE_F_MASK)
973 return -EOPNOTSUPP;
974
975 if (flags == ctx->table->flags)
976 return 0;
977
978 if ((nft_table_has_owner(ctx->table) &&
979 !(flags & NFT_TABLE_F_OWNER)) ||
980 (!nft_table_has_owner(ctx->table) &&
981 flags & NFT_TABLE_F_OWNER))
982 return -EOPNOTSUPP;
983
984 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
985 sizeof(struct nft_trans_table));
986 if (trans == NULL)
987 return -ENOMEM;
988
989 if ((flags & NFT_TABLE_F_DORMANT) &&
990 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
991 ctx->table->flags |= NFT_TABLE_F_DORMANT;
992 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE))
993 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN;
994 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
995 ctx->table->flags & NFT_TABLE_F_DORMANT) {
996 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
997 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) {
998 ret = nf_tables_table_enable(ctx->net, ctx->table);
999 if (ret < 0)
1000 goto err_register_hooks;
1001
1002 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT;
1003 }
1004 }
1005
1006 nft_trans_table_update(trans) = true;
1007 nft_trans_commit_list_add_tail(ctx->net, trans);
1008
1009 return 0;
1010
1011err_register_hooks:
1012 nft_trans_destroy(trans);
1013 return ret;
1014}
1015
1016static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
1017{
1018 const char *name = data;
1019
1020 return jhash(name, strlen(name), seed);
1021}
1022
1023static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
1024{
1025 const struct nft_chain *chain = data;
1026
1027 return nft_chain_hash(chain->name, 0, seed);
1028}
1029
1030static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
1031 const void *ptr)
1032{
1033 const struct nft_chain *chain = ptr;
1034 const char *name = arg->key;
1035
1036 return strcmp(chain->name, name);
1037}
1038
1039static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
1040{
1041 const struct nft_object_hash_key *k = data;
1042
1043 seed ^= hash_ptr(k->table, 32);
1044
1045 return jhash(k->name, strlen(k->name), seed);
1046}
1047
1048static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
1049{
1050 const struct nft_object *obj = data;
1051
1052 return nft_objname_hash(&obj->key, 0, seed);
1053}
1054
1055static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
1056 const void *ptr)
1057{
1058 const struct nft_object_hash_key *k = arg->key;
1059 const struct nft_object *obj = ptr;
1060
1061 if (obj->key.table != k->table)
1062 return -1;
1063
1064 return strcmp(obj->key.name, k->name);
1065}
1066
1067static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
1068 const struct nlattr * const nla[])
1069{
1070 struct nftables_pernet *nft_net = nft_pernet(info->net);
1071 const struct nfgenmsg *nfmsg = nlmsg_data(info->nlh);
1072 struct netlink_ext_ack *extack = info->extack;
1073 u8 genmask = nft_genmask_next(info->net);
1074 int family = nfmsg->nfgen_family;
1075 struct net *net = info->net;
1076 const struct nlattr *attr;
1077 struct nft_table *table;
1078 struct nft_ctx ctx;
1079 u32 flags = 0;
1080 int err;
1081
1082 lockdep_assert_held(&nft_net->commit_mutex);
1083 attr = nla[NFTA_TABLE_NAME];
1084 table = nft_table_lookup(net, attr, family, genmask,
1085 NETLINK_CB(skb).portid);
1086 if (IS_ERR(table)) {
1087 if (PTR_ERR(table) != -ENOENT)
1088 return PTR_ERR(table);
1089 } else {
1090 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
1091 NL_SET_BAD_ATTR(extack, attr);
1092 return -EEXIST;
1093 }
1094 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
1095 return -EOPNOTSUPP;
1096
1097 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1098
1099 return nf_tables_updtable(&ctx);
1100 }
1101
1102 if (nla[NFTA_TABLE_FLAGS]) {
1103 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1104 if (flags & ~NFT_TABLE_F_MASK)
1105 return -EOPNOTSUPP;
1106 }
1107
1108 err = -ENOMEM;
1109 table = kzalloc(sizeof(*table), GFP_KERNEL);
1110 if (table == NULL)
1111 goto err_kzalloc;
1112
1113 table->name = nla_strdup(attr, GFP_KERNEL);
1114 if (table->name == NULL)
1115 goto err_strdup;
1116
1117 if (nla[NFTA_TABLE_USERDATA]) {
1118 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL);
1119 if (table->udata == NULL)
1120 goto err_table_udata;
1121
1122 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
1123 }
1124
1125 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1126 if (err)
1127 goto err_chain_ht;
1128
1129 INIT_LIST_HEAD(&table->chains);
1130 INIT_LIST_HEAD(&table->sets);
1131 INIT_LIST_HEAD(&table->objects);
1132 INIT_LIST_HEAD(&table->flowtables);
1133 table->family = family;
1134 table->flags = flags;
1135 table->handle = ++table_handle;
1136 if (table->flags & NFT_TABLE_F_OWNER)
1137 table->nlpid = NETLINK_CB(skb).portid;
1138
1139 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1140 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1141 if (err < 0)
1142 goto err_trans;
1143
1144 list_add_tail_rcu(&table->list, &nft_net->tables);
1145 return 0;
1146err_trans:
1147 rhltable_destroy(&table->chains_ht);
1148err_chain_ht:
1149 kfree(table->udata);
1150err_table_udata:
1151 kfree(table->name);
1152err_strdup:
1153 kfree(table);
1154err_kzalloc:
1155 return err;
1156}
1157
1158static int nft_flush_table(struct nft_ctx *ctx)
1159{
1160 struct nft_flowtable *flowtable, *nft;
1161 struct nft_chain *chain, *nc;
1162 struct nft_object *obj, *ne;
1163 struct nft_set *set, *ns;
1164 int err;
1165
1166 list_for_each_entry(chain, &ctx->table->chains, list) {
1167 if (!nft_is_active_next(ctx->net, chain))
1168 continue;
1169
1170 if (nft_chain_is_bound(chain))
1171 continue;
1172
1173 ctx->chain = chain;
1174
1175 err = nft_delrule_by_chain(ctx);
1176 if (err < 0)
1177 goto out;
1178 }
1179
1180 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1181 if (!nft_is_active_next(ctx->net, set))
1182 continue;
1183
1184 if (nft_set_is_anonymous(set) &&
1185 !list_empty(&set->bindings))
1186 continue;
1187
1188 err = nft_delset(ctx, set);
1189 if (err < 0)
1190 goto out;
1191 }
1192
1193 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1194 if (!nft_is_active_next(ctx->net, flowtable))
1195 continue;
1196
1197 err = nft_delflowtable(ctx, flowtable);
1198 if (err < 0)
1199 goto out;
1200 }
1201
1202 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1203 if (!nft_is_active_next(ctx->net, obj))
1204 continue;
1205
1206 err = nft_delobj(ctx, obj);
1207 if (err < 0)
1208 goto out;
1209 }
1210
1211 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1212 if (!nft_is_active_next(ctx->net, chain))
1213 continue;
1214
1215 if (nft_chain_is_bound(chain))
1216 continue;
1217
1218 ctx->chain = chain;
1219
1220 err = nft_delchain(ctx);
1221 if (err < 0)
1222 goto out;
1223 }
1224
1225 err = nft_deltable(ctx);
1226out:
1227 return err;
1228}
1229
1230static int nft_flush(struct nft_ctx *ctx, int family)
1231{
1232 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
1233 const struct nlattr * const *nla = ctx->nla;
1234 struct nft_table *table, *nt;
1235 int err = 0;
1236
1237 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
1238 if (family != AF_UNSPEC && table->family != family)
1239 continue;
1240
1241 ctx->family = table->family;
1242
1243 if (!nft_is_active_next(ctx->net, table))
1244 continue;
1245
1246 if (nft_table_has_owner(table) && table->nlpid != ctx->portid)
1247 continue;
1248
1249 if (nla[NFTA_TABLE_NAME] &&
1250 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1251 continue;
1252
1253 ctx->table = table;
1254
1255 err = nft_flush_table(ctx);
1256 if (err < 0)
1257 goto out;
1258 }
1259out:
1260 return err;
1261}
1262
1263static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info,
1264 const struct nlattr * const nla[])
1265{
1266 const struct nfgenmsg *nfmsg = nlmsg_data(info->nlh);
1267 struct netlink_ext_ack *extack = info->extack;
1268 u8 genmask = nft_genmask_next(info->net);
1269 int family = nfmsg->nfgen_family;
1270 struct net *net = info->net;
1271 const struct nlattr *attr;
1272 struct nft_table *table;
1273 struct nft_ctx ctx;
1274
1275 nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla);
1276 if (family == AF_UNSPEC ||
1277 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1278 return nft_flush(&ctx, family);
1279
1280 if (nla[NFTA_TABLE_HANDLE]) {
1281 attr = nla[NFTA_TABLE_HANDLE];
1282 table = nft_table_lookup_byhandle(net, attr, genmask);
1283 } else {
1284 attr = nla[NFTA_TABLE_NAME];
1285 table = nft_table_lookup(net, attr, family, genmask,
1286 NETLINK_CB(skb).portid);
1287 }
1288
1289 if (IS_ERR(table)) {
1290 NL_SET_BAD_ATTR(extack, attr);
1291 return PTR_ERR(table);
1292 }
1293
1294 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
1295 table->use > 0)
1296 return -EBUSY;
1297
1298 ctx.family = family;
1299 ctx.table = table;
1300
1301 return nft_flush_table(&ctx);
1302}
1303
1304static void nf_tables_table_destroy(struct nft_ctx *ctx)
1305{
1306 if (WARN_ON(ctx->table->use > 0))
1307 return;
1308
1309 rhltable_destroy(&ctx->table->chains_ht);
1310 kfree(ctx->table->name);
1311 kfree(ctx->table->udata);
1312 kfree(ctx->table);
1313}
1314
1315void nft_register_chain_type(const struct nft_chain_type *ctype)
1316{
1317 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1318 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1319 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1320 return;
1321 }
1322 chain_type[ctype->family][ctype->type] = ctype;
1323 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1324}
1325EXPORT_SYMBOL_GPL(nft_register_chain_type);
1326
1327void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1328{
1329 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1330 chain_type[ctype->family][ctype->type] = NULL;
1331 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1332}
1333EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1334
1335
1336
1337
1338
1339static struct nft_chain *
1340nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1341{
1342 struct nft_chain *chain;
1343
1344 list_for_each_entry(chain, &table->chains, list) {
1345 if (chain->handle == handle &&
1346 nft_active_genmask(chain, genmask))
1347 return chain;
1348 }
1349
1350 return ERR_PTR(-ENOENT);
1351}
1352
1353static bool lockdep_commit_lock_is_held(const struct net *net)
1354{
1355#ifdef CONFIG_PROVE_LOCKING
1356 struct nftables_pernet *nft_net = nft_pernet(net);
1357
1358 return lockdep_is_held(&nft_net->commit_mutex);
1359#else
1360 return true;
1361#endif
1362}
1363
1364static struct nft_chain *nft_chain_lookup(struct net *net,
1365 struct nft_table *table,
1366 const struct nlattr *nla, u8 genmask)
1367{
1368 char search[NFT_CHAIN_MAXNAMELEN + 1];
1369 struct rhlist_head *tmp, *list;
1370 struct nft_chain *chain;
1371
1372 if (nla == NULL)
1373 return ERR_PTR(-EINVAL);
1374
1375 nla_strscpy(search, nla, sizeof(search));
1376
1377 WARN_ON(!rcu_read_lock_held() &&
1378 !lockdep_commit_lock_is_held(net));
1379
1380 chain = ERR_PTR(-ENOENT);
1381 rcu_read_lock();
1382 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1383 if (!list)
1384 goto out_unlock;
1385
1386 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1387 if (nft_active_genmask(chain, genmask))
1388 goto out_unlock;
1389 }
1390 chain = ERR_PTR(-ENOENT);
1391out_unlock:
1392 rcu_read_unlock();
1393 return chain;
1394}
1395
1396static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1397 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1398 .len = NFT_TABLE_MAXNAMELEN - 1 },
1399 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1400 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1401 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1402 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1403 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1404 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1405 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1406 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1407 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1408 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1409 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
1410 .len = NFT_USERDATA_MAXLEN },
1411};
1412
1413static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1414 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1415 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1416 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1417 .len = IFNAMSIZ - 1 },
1418};
1419
1420static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1421{
1422 struct nft_stats *cpu_stats, total;
1423 struct nlattr *nest;
1424 unsigned int seq;
1425 u64 pkts, bytes;
1426 int cpu;
1427
1428 if (!stats)
1429 return 0;
1430
1431 memset(&total, 0, sizeof(total));
1432 for_each_possible_cpu(cpu) {
1433 cpu_stats = per_cpu_ptr(stats, cpu);
1434 do {
1435 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1436 pkts = cpu_stats->pkts;
1437 bytes = cpu_stats->bytes;
1438 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1439 total.pkts += pkts;
1440 total.bytes += bytes;
1441 }
1442 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1443 if (nest == NULL)
1444 goto nla_put_failure;
1445
1446 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1447 NFTA_COUNTER_PAD) ||
1448 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1449 NFTA_COUNTER_PAD))
1450 goto nla_put_failure;
1451
1452 nla_nest_end(skb, nest);
1453 return 0;
1454
1455nla_put_failure:
1456 return -ENOSPC;
1457}
1458
1459static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1460 const struct nft_base_chain *basechain)
1461{
1462 const struct nf_hook_ops *ops = &basechain->ops;
1463 struct nft_hook *hook, *first = NULL;
1464 struct nlattr *nest, *nest_devs;
1465 int n = 0;
1466
1467 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1468 if (nest == NULL)
1469 goto nla_put_failure;
1470 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1471 goto nla_put_failure;
1472 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1473 goto nla_put_failure;
1474
1475 if (nft_base_chain_netdev(family, ops->hooknum)) {
1476 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1477 list_for_each_entry(hook, &basechain->hook_list, list) {
1478 if (!first)
1479 first = hook;
1480
1481 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1482 hook->ops.dev->name))
1483 goto nla_put_failure;
1484 n++;
1485 }
1486 nla_nest_end(skb, nest_devs);
1487
1488 if (n == 1 &&
1489 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1490 goto nla_put_failure;
1491 }
1492 nla_nest_end(skb, nest);
1493
1494 return 0;
1495nla_put_failure:
1496 return -1;
1497}
1498
1499static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1500 u32 portid, u32 seq, int event, u32 flags,
1501 int family, const struct nft_table *table,
1502 const struct nft_chain *chain)
1503{
1504 struct nlmsghdr *nlh;
1505
1506 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1507 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
1508 NFNETLINK_V0, nft_base_seq(net));
1509 if (!nlh)
1510 goto nla_put_failure;
1511
1512 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1513 goto nla_put_failure;
1514 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1515 NFTA_CHAIN_PAD))
1516 goto nla_put_failure;
1517 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1518 goto nla_put_failure;
1519
1520 if (nft_is_base_chain(chain)) {
1521 const struct nft_base_chain *basechain = nft_base_chain(chain);
1522 struct nft_stats __percpu *stats;
1523
1524 if (nft_dump_basechain_hook(skb, family, basechain))
1525 goto nla_put_failure;
1526
1527 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1528 htonl(basechain->policy)))
1529 goto nla_put_failure;
1530
1531 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1532 goto nla_put_failure;
1533
1534 stats = rcu_dereference_check(basechain->stats,
1535 lockdep_commit_lock_is_held(net));
1536 if (nft_dump_stats(skb, stats))
1537 goto nla_put_failure;
1538 }
1539
1540 if (chain->flags &&
1541 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
1542 goto nla_put_failure;
1543
1544 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1545 goto nla_put_failure;
1546
1547 if (chain->udata &&
1548 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
1549 goto nla_put_failure;
1550
1551 nlmsg_end(skb, nlh);
1552 return 0;
1553
1554nla_put_failure:
1555 nlmsg_trim(skb, nlh);
1556 return -1;
1557}
1558
1559static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1560{
1561 struct nftables_pernet *nft_net;
1562 struct sk_buff *skb;
1563 int err;
1564
1565 if (!ctx->report &&
1566 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1567 return;
1568
1569 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1570 if (skb == NULL)
1571 goto err;
1572
1573 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1574 event, 0, ctx->family, ctx->table,
1575 ctx->chain);
1576 if (err < 0) {
1577 kfree_skb(skb);
1578 goto err;
1579 }
1580
1581 nft_net = nft_pernet(ctx->net);
1582 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
1583 return;
1584err:
1585 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1586}
1587
1588static int nf_tables_dump_chains(struct sk_buff *skb,
1589 struct netlink_callback *cb)
1590{
1591 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1592 unsigned int idx = 0, s_idx = cb->args[0];
1593 struct net *net = sock_net(skb->sk);
1594 int family = nfmsg->nfgen_family;
1595 struct nftables_pernet *nft_net;
1596 const struct nft_table *table;
1597 const struct nft_chain *chain;
1598
1599 rcu_read_lock();
1600 nft_net = nft_pernet(net);
1601 cb->seq = nft_net->base_seq;
1602
1603 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1604 if (family != NFPROTO_UNSPEC && family != table->family)
1605 continue;
1606
1607 list_for_each_entry_rcu(chain, &table->chains, list) {
1608 if (idx < s_idx)
1609 goto cont;
1610 if (idx > s_idx)
1611 memset(&cb->args[1], 0,
1612 sizeof(cb->args) - sizeof(cb->args[0]));
1613 if (!nft_is_active(net, chain))
1614 continue;
1615 if (nf_tables_fill_chain_info(skb, net,
1616 NETLINK_CB(cb->skb).portid,
1617 cb->nlh->nlmsg_seq,
1618 NFT_MSG_NEWCHAIN,
1619 NLM_F_MULTI,
1620 table->family, table,
1621 chain) < 0)
1622 goto done;
1623
1624 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1625cont:
1626 idx++;
1627 }
1628 }
1629done:
1630 rcu_read_unlock();
1631 cb->args[0] = idx;
1632 return skb->len;
1633}
1634
1635
1636static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info,
1637 const struct nlattr * const nla[])
1638{
1639 const struct nfgenmsg *nfmsg = nlmsg_data(info->nlh);
1640 struct netlink_ext_ack *extack = info->extack;
1641 u8 genmask = nft_genmask_cur(info->net);
1642 int family = nfmsg->nfgen_family;
1643 const struct nft_chain *chain;
1644 struct net *net = info->net;
1645 struct nft_table *table;
1646 struct sk_buff *skb2;
1647 int err;
1648
1649 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1650 struct netlink_dump_control c = {
1651 .dump = nf_tables_dump_chains,
1652 .module = THIS_MODULE,
1653 };
1654
1655 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
1656 }
1657
1658 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0);
1659 if (IS_ERR(table)) {
1660 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1661 return PTR_ERR(table);
1662 }
1663
1664 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1665 if (IS_ERR(chain)) {
1666 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1667 return PTR_ERR(chain);
1668 }
1669
1670 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1671 if (!skb2)
1672 return -ENOMEM;
1673
1674 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1675 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN,
1676 0, family, table, chain);
1677 if (err < 0)
1678 goto err_fill_chain_info;
1679
1680 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1681
1682err_fill_chain_info:
1683 kfree_skb(skb2);
1684 return err;
1685}
1686
1687static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1688 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1689 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1690};
1691
1692static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1693{
1694 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1695 struct nft_stats __percpu *newstats;
1696 struct nft_stats *stats;
1697 int err;
1698
1699 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1700 nft_counter_policy, NULL);
1701 if (err < 0)
1702 return ERR_PTR(err);
1703
1704 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1705 return ERR_PTR(-EINVAL);
1706
1707 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1708 if (newstats == NULL)
1709 return ERR_PTR(-ENOMEM);
1710
1711
1712
1713
1714 preempt_disable();
1715 stats = this_cpu_ptr(newstats);
1716 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1717 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1718 preempt_enable();
1719
1720 return newstats;
1721}
1722
1723static void nft_chain_stats_replace(struct nft_trans *trans)
1724{
1725 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1726
1727 if (!nft_trans_chain_stats(trans))
1728 return;
1729
1730 nft_trans_chain_stats(trans) =
1731 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
1732 lockdep_commit_lock_is_held(trans->ctx.net));
1733
1734 if (!nft_trans_chain_stats(trans))
1735 static_branch_inc(&nft_counters_enabled);
1736}
1737
1738static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1739{
1740 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1741 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1742
1743 if (g0 != g1)
1744 kvfree(g1);
1745 kvfree(g0);
1746
1747
1748 WARN_ON_ONCE(chain->rules_next);
1749 kvfree(chain->rules_next);
1750}
1751
1752void nf_tables_chain_destroy(struct nft_ctx *ctx)
1753{
1754 struct nft_chain *chain = ctx->chain;
1755 struct nft_hook *hook, *next;
1756
1757 if (WARN_ON(chain->use > 0))
1758 return;
1759
1760
1761 nf_tables_chain_free_chain_rules(chain);
1762
1763 if (nft_is_base_chain(chain)) {
1764 struct nft_base_chain *basechain = nft_base_chain(chain);
1765
1766 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
1767 list_for_each_entry_safe(hook, next,
1768 &basechain->hook_list, list) {
1769 list_del_rcu(&hook->list);
1770 kfree_rcu(hook, rcu);
1771 }
1772 }
1773 module_put(basechain->type->owner);
1774 if (rcu_access_pointer(basechain->stats)) {
1775 static_branch_dec(&nft_counters_enabled);
1776 free_percpu(rcu_dereference_raw(basechain->stats));
1777 }
1778 kfree(chain->name);
1779 kfree(chain->udata);
1780 kfree(basechain);
1781 } else {
1782 kfree(chain->name);
1783 kfree(chain->udata);
1784 kfree(chain);
1785 }
1786}
1787
1788static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
1789 const struct nlattr *attr)
1790{
1791 struct net_device *dev;
1792 char ifname[IFNAMSIZ];
1793 struct nft_hook *hook;
1794 int err;
1795
1796 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL);
1797 if (!hook) {
1798 err = -ENOMEM;
1799 goto err_hook_alloc;
1800 }
1801
1802 nla_strscpy(ifname, attr, IFNAMSIZ);
1803
1804
1805
1806
1807 dev = __dev_get_by_name(net, ifname);
1808 if (!dev) {
1809 err = -ENOENT;
1810 goto err_hook_dev;
1811 }
1812 hook->ops.dev = dev;
1813 hook->inactive = false;
1814
1815 return hook;
1816
1817err_hook_dev:
1818 kfree(hook);
1819err_hook_alloc:
1820 return ERR_PTR(err);
1821}
1822
1823static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
1824 const struct nft_hook *this)
1825{
1826 struct nft_hook *hook;
1827
1828 list_for_each_entry(hook, hook_list, list) {
1829 if (this->ops.dev == hook->ops.dev)
1830 return hook;
1831 }
1832
1833 return NULL;
1834}
1835
1836static int nf_tables_parse_netdev_hooks(struct net *net,
1837 const struct nlattr *attr,
1838 struct list_head *hook_list)
1839{
1840 struct nft_hook *hook, *next;
1841 const struct nlattr *tmp;
1842 int rem, n = 0, err;
1843
1844 nla_for_each_nested(tmp, attr, rem) {
1845 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
1846 err = -EINVAL;
1847 goto err_hook;
1848 }
1849
1850 hook = nft_netdev_hook_alloc(net, tmp);
1851 if (IS_ERR(hook)) {
1852 err = PTR_ERR(hook);
1853 goto err_hook;
1854 }
1855 if (nft_hook_list_find(hook_list, hook)) {
1856 kfree(hook);
1857 err = -EEXIST;
1858 goto err_hook;
1859 }
1860 list_add_tail(&hook->list, hook_list);
1861 n++;
1862
1863 if (n == NFT_NETDEVICE_MAX) {
1864 err = -EFBIG;
1865 goto err_hook;
1866 }
1867 }
1868
1869 return 0;
1870
1871err_hook:
1872 list_for_each_entry_safe(hook, next, hook_list, list) {
1873 list_del(&hook->list);
1874 kfree(hook);
1875 }
1876 return err;
1877}
1878
1879struct nft_chain_hook {
1880 u32 num;
1881 s32 priority;
1882 const struct nft_chain_type *type;
1883 struct list_head list;
1884};
1885
1886static int nft_chain_parse_netdev(struct net *net,
1887 struct nlattr *tb[],
1888 struct list_head *hook_list)
1889{
1890 struct nft_hook *hook;
1891 int err;
1892
1893 if (tb[NFTA_HOOK_DEV]) {
1894 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
1895 if (IS_ERR(hook))
1896 return PTR_ERR(hook);
1897
1898 list_add_tail(&hook->list, hook_list);
1899 } else if (tb[NFTA_HOOK_DEVS]) {
1900 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
1901 hook_list);
1902 if (err < 0)
1903 return err;
1904
1905 if (list_empty(hook_list))
1906 return -EINVAL;
1907 } else {
1908 return -EINVAL;
1909 }
1910
1911 return 0;
1912}
1913
1914static int nft_chain_parse_hook(struct net *net,
1915 const struct nlattr * const nla[],
1916 struct nft_chain_hook *hook, u8 family,
1917 struct netlink_ext_ack *extack, bool autoload)
1918{
1919 struct nftables_pernet *nft_net = nft_pernet(net);
1920 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1921 const struct nft_chain_type *type;
1922 int err;
1923
1924 lockdep_assert_held(&nft_net->commit_mutex);
1925 lockdep_nfnl_nft_mutex_not_held();
1926
1927 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
1928 nla[NFTA_CHAIN_HOOK],
1929 nft_hook_policy, NULL);
1930 if (err < 0)
1931 return err;
1932
1933 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1934 ha[NFTA_HOOK_PRIORITY] == NULL)
1935 return -EINVAL;
1936
1937 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1938 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1939
1940 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
1941 if (!type)
1942 return -EOPNOTSUPP;
1943
1944 if (nla[NFTA_CHAIN_TYPE]) {
1945 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1946 family, autoload);
1947 if (IS_ERR(type)) {
1948 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
1949 return PTR_ERR(type);
1950 }
1951 }
1952 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1953 return -EOPNOTSUPP;
1954
1955 if (type->type == NFT_CHAIN_T_NAT &&
1956 hook->priority <= NF_IP_PRI_CONNTRACK)
1957 return -EOPNOTSUPP;
1958
1959 if (!try_module_get(type->owner)) {
1960 if (nla[NFTA_CHAIN_TYPE])
1961 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
1962 return -ENOENT;
1963 }
1964
1965 hook->type = type;
1966
1967 INIT_LIST_HEAD(&hook->list);
1968 if (nft_base_chain_netdev(family, hook->num)) {
1969 err = nft_chain_parse_netdev(net, ha, &hook->list);
1970 if (err < 0) {
1971 module_put(type->owner);
1972 return err;
1973 }
1974 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
1975 module_put(type->owner);
1976 return -EOPNOTSUPP;
1977 }
1978
1979 return 0;
1980}
1981
1982static void nft_chain_release_hook(struct nft_chain_hook *hook)
1983{
1984 struct nft_hook *h, *next;
1985
1986 list_for_each_entry_safe(h, next, &hook->list, list) {
1987 list_del(&h->list);
1988 kfree(h);
1989 }
1990 module_put(hook->type->owner);
1991}
1992
1993struct nft_rules_old {
1994 struct rcu_head h;
1995 struct nft_rule **start;
1996};
1997
1998static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1999 unsigned int alloc)
2000{
2001 if (alloc > INT_MAX)
2002 return NULL;
2003
2004 alloc += 1;
2005 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
2006 return NULL;
2007
2008 alloc *= sizeof(struct nft_rule *);
2009 alloc += sizeof(struct nft_rules_old);
2010
2011 return kvmalloc(alloc, GFP_KERNEL);
2012}
2013
2014static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
2015 const struct nft_chain_hook *hook,
2016 struct nft_chain *chain)
2017{
2018 ops->pf = family;
2019 ops->hooknum = hook->num;
2020 ops->priority = hook->priority;
2021 ops->priv = chain;
2022 ops->hook = hook->type->hooks[ops->hooknum];
2023}
2024
2025static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
2026 struct nft_chain_hook *hook, u32 flags)
2027{
2028 struct nft_chain *chain;
2029 struct nft_hook *h;
2030
2031 basechain->type = hook->type;
2032 INIT_LIST_HEAD(&basechain->hook_list);
2033 chain = &basechain->chain;
2034
2035 if (nft_base_chain_netdev(family, hook->num)) {
2036 list_splice_init(&hook->list, &basechain->hook_list);
2037 list_for_each_entry(h, &basechain->hook_list, list)
2038 nft_basechain_hook_init(&h->ops, family, hook, chain);
2039
2040 basechain->ops.hooknum = hook->num;
2041 basechain->ops.priority = hook->priority;
2042 } else {
2043 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
2044 }
2045
2046 chain->flags |= NFT_CHAIN_BASE | flags;
2047 basechain->policy = NF_ACCEPT;
2048 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
2049 nft_chain_offload_priority(basechain) < 0)
2050 return -EOPNOTSUPP;
2051
2052 flow_block_init(&basechain->flow_block);
2053
2054 return 0;
2055}
2056
2057static int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
2058{
2059 int err;
2060
2061 err = rhltable_insert_key(&table->chains_ht, chain->name,
2062 &chain->rhlhead, nft_chain_ht_params);
2063 if (err)
2064 return err;
2065
2066 list_add_tail_rcu(&chain->list, &table->chains);
2067
2068 return 0;
2069}
2070
2071static u64 chain_id;
2072
2073static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
2074 u8 policy, u32 flags,
2075 struct netlink_ext_ack *extack)
2076{
2077 const struct nlattr * const *nla = ctx->nla;
2078 struct nft_table *table = ctx->table;
2079 struct nft_base_chain *basechain;
2080 struct nft_stats __percpu *stats;
2081 struct net *net = ctx->net;
2082 char name[NFT_NAME_MAXLEN];
2083 struct nft_trans *trans;
2084 struct nft_chain *chain;
2085 struct nft_rule **rules;
2086 int err;
2087
2088 if (table->use == UINT_MAX)
2089 return -EOVERFLOW;
2090
2091 if (nla[NFTA_CHAIN_HOOK]) {
2092 struct nft_chain_hook hook;
2093
2094 if (flags & NFT_CHAIN_BINDING)
2095 return -EOPNOTSUPP;
2096
2097 err = nft_chain_parse_hook(net, nla, &hook, family, extack,
2098 true);
2099 if (err < 0)
2100 return err;
2101
2102 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
2103 if (basechain == NULL) {
2104 nft_chain_release_hook(&hook);
2105 return -ENOMEM;
2106 }
2107 chain = &basechain->chain;
2108
2109 if (nla[NFTA_CHAIN_COUNTERS]) {
2110 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2111 if (IS_ERR(stats)) {
2112 nft_chain_release_hook(&hook);
2113 kfree(basechain);
2114 return PTR_ERR(stats);
2115 }
2116 rcu_assign_pointer(basechain->stats, stats);
2117 static_branch_inc(&nft_counters_enabled);
2118 }
2119
2120 err = nft_basechain_init(basechain, family, &hook, flags);
2121 if (err < 0) {
2122 nft_chain_release_hook(&hook);
2123 kfree(basechain);
2124 return err;
2125 }
2126 } else {
2127 if (flags & NFT_CHAIN_BASE)
2128 return -EINVAL;
2129 if (flags & NFT_CHAIN_HW_OFFLOAD)
2130 return -EOPNOTSUPP;
2131
2132 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
2133 if (chain == NULL)
2134 return -ENOMEM;
2135
2136 chain->flags = flags;
2137 }
2138 ctx->chain = chain;
2139
2140 INIT_LIST_HEAD(&chain->rules);
2141 chain->handle = nf_tables_alloc_handle(table);
2142 chain->table = table;
2143
2144 if (nla[NFTA_CHAIN_NAME]) {
2145 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2146 } else {
2147 if (!(flags & NFT_CHAIN_BINDING)) {
2148 err = -EINVAL;
2149 goto err_destroy_chain;
2150 }
2151
2152 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2153 chain->name = kstrdup(name, GFP_KERNEL);
2154 }
2155
2156 if (!chain->name) {
2157 err = -ENOMEM;
2158 goto err_destroy_chain;
2159 }
2160
2161 if (nla[NFTA_CHAIN_USERDATA]) {
2162 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL);
2163 if (chain->udata == NULL) {
2164 err = -ENOMEM;
2165 goto err_destroy_chain;
2166 }
2167 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
2168 }
2169
2170 rules = nf_tables_chain_alloc_rules(chain, 0);
2171 if (!rules) {
2172 err = -ENOMEM;
2173 goto err_destroy_chain;
2174 }
2175
2176 *rules = NULL;
2177 rcu_assign_pointer(chain->rules_gen_0, rules);
2178 rcu_assign_pointer(chain->rules_gen_1, rules);
2179
2180 err = nf_tables_register_hook(net, table, chain);
2181 if (err < 0)
2182 goto err_destroy_chain;
2183
2184 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2185 if (IS_ERR(trans)) {
2186 err = PTR_ERR(trans);
2187 goto err_unregister_hook;
2188 }
2189
2190 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2191 if (nft_is_base_chain(chain))
2192 nft_trans_chain_policy(trans) = policy;
2193
2194 err = nft_chain_add(table, chain);
2195 if (err < 0) {
2196 nft_trans_destroy(trans);
2197 goto err_unregister_hook;
2198 }
2199
2200 table->use++;
2201
2202 return 0;
2203err_unregister_hook:
2204 nf_tables_unregister_hook(net, table, chain);
2205err_destroy_chain:
2206 nf_tables_chain_destroy(ctx);
2207
2208 return err;
2209}
2210
2211static bool nft_hook_list_equal(struct list_head *hook_list1,
2212 struct list_head *hook_list2)
2213{
2214 struct nft_hook *hook;
2215 int n = 0, m = 0;
2216
2217 n = 0;
2218 list_for_each_entry(hook, hook_list2, list) {
2219 if (!nft_hook_list_find(hook_list1, hook))
2220 return false;
2221
2222 n++;
2223 }
2224 list_for_each_entry(hook, hook_list1, list)
2225 m++;
2226
2227 return n == m;
2228}
2229
2230static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2231 u32 flags, const struct nlattr *attr,
2232 struct netlink_ext_ack *extack)
2233{
2234 const struct nlattr * const *nla = ctx->nla;
2235 struct nft_table *table = ctx->table;
2236 struct nft_chain *chain = ctx->chain;
2237 struct nft_base_chain *basechain;
2238 struct nft_stats *stats = NULL;
2239 struct nft_chain_hook hook;
2240 struct nf_hook_ops *ops;
2241 struct nft_trans *trans;
2242 int err;
2243
2244 if (chain->flags ^ flags)
2245 return -EOPNOTSUPP;
2246
2247 if (nla[NFTA_CHAIN_HOOK]) {
2248 if (!nft_is_base_chain(chain)) {
2249 NL_SET_BAD_ATTR(extack, attr);
2250 return -EEXIST;
2251 }
2252 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
2253 extack, false);
2254 if (err < 0)
2255 return err;
2256
2257 basechain = nft_base_chain(chain);
2258 if (basechain->type != hook.type) {
2259 nft_chain_release_hook(&hook);
2260 NL_SET_BAD_ATTR(extack, attr);
2261 return -EEXIST;
2262 }
2263
2264 if (nft_base_chain_netdev(ctx->family, hook.num)) {
2265 if (!nft_hook_list_equal(&basechain->hook_list,
2266 &hook.list)) {
2267 nft_chain_release_hook(&hook);
2268 NL_SET_BAD_ATTR(extack, attr);
2269 return -EEXIST;
2270 }
2271 } else {
2272 ops = &basechain->ops;
2273 if (ops->hooknum != hook.num ||
2274 ops->priority != hook.priority) {
2275 nft_chain_release_hook(&hook);
2276 NL_SET_BAD_ATTR(extack, attr);
2277 return -EEXIST;
2278 }
2279 }
2280 nft_chain_release_hook(&hook);
2281 }
2282
2283 if (nla[NFTA_CHAIN_HANDLE] &&
2284 nla[NFTA_CHAIN_NAME]) {
2285 struct nft_chain *chain2;
2286
2287 chain2 = nft_chain_lookup(ctx->net, table,
2288 nla[NFTA_CHAIN_NAME], genmask);
2289 if (!IS_ERR(chain2)) {
2290 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2291 return -EEXIST;
2292 }
2293 }
2294
2295 if (nla[NFTA_CHAIN_COUNTERS]) {
2296 if (!nft_is_base_chain(chain))
2297 return -EOPNOTSUPP;
2298
2299 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2300 if (IS_ERR(stats))
2301 return PTR_ERR(stats);
2302 }
2303
2304 err = -ENOMEM;
2305 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2306 sizeof(struct nft_trans_chain));
2307 if (trans == NULL)
2308 goto err;
2309
2310 nft_trans_chain_stats(trans) = stats;
2311 nft_trans_chain_update(trans) = true;
2312
2313 if (nla[NFTA_CHAIN_POLICY])
2314 nft_trans_chain_policy(trans) = policy;
2315 else
2316 nft_trans_chain_policy(trans) = -1;
2317
2318 if (nla[NFTA_CHAIN_HANDLE] &&
2319 nla[NFTA_CHAIN_NAME]) {
2320 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
2321 struct nft_trans *tmp;
2322 char *name;
2323
2324 err = -ENOMEM;
2325 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2326 if (!name)
2327 goto err;
2328
2329 err = -EEXIST;
2330 list_for_each_entry(tmp, &nft_net->commit_list, list) {
2331 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2332 tmp->ctx.table == table &&
2333 nft_trans_chain_update(tmp) &&
2334 nft_trans_chain_name(tmp) &&
2335 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2336 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2337 kfree(name);
2338 goto err;
2339 }
2340 }
2341
2342 nft_trans_chain_name(trans) = name;
2343 }
2344 nft_trans_commit_list_add_tail(ctx->net, trans);
2345
2346 return 0;
2347err:
2348 free_percpu(stats);
2349 kfree(trans);
2350 return err;
2351}
2352
2353static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2354 const struct nlattr *nla)
2355{
2356 struct nftables_pernet *nft_net = nft_pernet(net);
2357 u32 id = ntohl(nla_get_be32(nla));
2358 struct nft_trans *trans;
2359
2360 list_for_each_entry(trans, &nft_net->commit_list, list) {
2361 struct nft_chain *chain = trans->ctx.chain;
2362
2363 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2364 id == nft_trans_chain_id(trans))
2365 return chain;
2366 }
2367 return ERR_PTR(-ENOENT);
2368}
2369
2370static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info,
2371 const struct nlattr * const nla[])
2372{
2373 struct nftables_pernet *nft_net = nft_pernet(info->net);
2374 const struct nfgenmsg *nfmsg = nlmsg_data(info->nlh);
2375 struct netlink_ext_ack *extack = info->extack;
2376 u8 genmask = nft_genmask_next(info->net);
2377 int family = nfmsg->nfgen_family;
2378 struct nft_chain *chain = NULL;
2379 struct net *net = info->net;
2380 const struct nlattr *attr;
2381 struct nft_table *table;
2382 u8 policy = NF_ACCEPT;
2383 struct nft_ctx ctx;
2384 u64 handle = 0;
2385 u32 flags = 0;
2386
2387 lockdep_assert_held(&nft_net->commit_mutex);
2388
2389 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2390 NETLINK_CB(skb).portid);
2391 if (IS_ERR(table)) {
2392 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2393 return PTR_ERR(table);
2394 }
2395
2396 chain = NULL;
2397 attr = nla[NFTA_CHAIN_NAME];
2398
2399 if (nla[NFTA_CHAIN_HANDLE]) {
2400 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2401 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2402 if (IS_ERR(chain)) {
2403 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2404 return PTR_ERR(chain);
2405 }
2406 attr = nla[NFTA_CHAIN_HANDLE];
2407 } else if (nla[NFTA_CHAIN_NAME]) {
2408 chain = nft_chain_lookup(net, table, attr, genmask);
2409 if (IS_ERR(chain)) {
2410 if (PTR_ERR(chain) != -ENOENT) {
2411 NL_SET_BAD_ATTR(extack, attr);
2412 return PTR_ERR(chain);
2413 }
2414 chain = NULL;
2415 }
2416 } else if (!nla[NFTA_CHAIN_ID]) {
2417 return -EINVAL;
2418 }
2419
2420 if (nla[NFTA_CHAIN_POLICY]) {
2421 if (chain != NULL &&
2422 !nft_is_base_chain(chain)) {
2423 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2424 return -EOPNOTSUPP;
2425 }
2426
2427 if (chain == NULL &&
2428 nla[NFTA_CHAIN_HOOK] == NULL) {
2429 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2430 return -EOPNOTSUPP;
2431 }
2432
2433 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2434 switch (policy) {
2435 case NF_DROP:
2436 case NF_ACCEPT:
2437 break;
2438 default:
2439 return -EINVAL;
2440 }
2441 }
2442
2443 if (nla[NFTA_CHAIN_FLAGS])
2444 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2445 else if (chain)
2446 flags = chain->flags;
2447
2448 if (flags & ~NFT_CHAIN_FLAGS)
2449 return -EOPNOTSUPP;
2450
2451 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2452
2453 if (chain != NULL) {
2454 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
2455 NL_SET_BAD_ATTR(extack, attr);
2456 return -EEXIST;
2457 }
2458 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
2459 return -EOPNOTSUPP;
2460
2461 flags |= chain->flags & NFT_CHAIN_BASE;
2462 return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
2463 extack);
2464 }
2465
2466 return nf_tables_addchain(&ctx, family, genmask, policy, flags, extack);
2467}
2468
2469static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info,
2470 const struct nlattr * const nla[])
2471{
2472 const struct nfgenmsg *nfmsg = nlmsg_data(info->nlh);
2473 struct netlink_ext_ack *extack = info->extack;
2474 u8 genmask = nft_genmask_next(info->net);
2475 int family = nfmsg->nfgen_family;
2476 struct net *net = info->net;
2477 const struct nlattr *attr;
2478 struct nft_table *table;
2479 struct nft_chain *chain;
2480 struct nft_rule *rule;
2481 struct nft_ctx ctx;
2482 u64 handle;
2483 u32 use;
2484 int err;
2485
2486 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2487 NETLINK_CB(skb).portid);
2488 if (IS_ERR(table)) {
2489 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2490 return PTR_ERR(table);
2491 }
2492
2493 if (nla[NFTA_CHAIN_HANDLE]) {
2494 attr = nla[NFTA_CHAIN_HANDLE];
2495 handle = be64_to_cpu(nla_get_be64(attr));
2496 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2497 } else {
2498 attr = nla[NFTA_CHAIN_NAME];
2499 chain = nft_chain_lookup(net, table, attr, genmask);
2500 }
2501 if (IS_ERR(chain)) {
2502 NL_SET_BAD_ATTR(extack, attr);
2503 return PTR_ERR(chain);
2504 }
2505
2506 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
2507 chain->use > 0)
2508 return -EBUSY;
2509
2510 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2511
2512 use = chain->use;
2513 list_for_each_entry(rule, &chain->rules, list) {
2514 if (!nft_is_active_next(net, rule))
2515 continue;
2516 use--;
2517
2518 err = nft_delrule(&ctx, rule);
2519 if (err < 0)
2520 return err;
2521 }
2522
2523
2524
2525
2526 if (use > 0) {
2527 NL_SET_BAD_ATTR(extack, attr);
2528 return -EBUSY;
2529 }
2530
2531 return nft_delchain(&ctx);
2532}
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545int nft_register_expr(struct nft_expr_type *type)
2546{
2547 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2548 if (type->family == NFPROTO_UNSPEC)
2549 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2550 else
2551 list_add_rcu(&type->list, &nf_tables_expressions);
2552 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2553 return 0;
2554}
2555EXPORT_SYMBOL_GPL(nft_register_expr);
2556
2557
2558
2559
2560
2561
2562
2563void nft_unregister_expr(struct nft_expr_type *type)
2564{
2565 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2566 list_del_rcu(&type->list);
2567 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2568}
2569EXPORT_SYMBOL_GPL(nft_unregister_expr);
2570
2571static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2572 struct nlattr *nla)
2573{
2574 const struct nft_expr_type *type, *candidate = NULL;
2575
2576 list_for_each_entry(type, &nf_tables_expressions, list) {
2577 if (!nla_strcmp(nla, type->name)) {
2578 if (!type->family && !candidate)
2579 candidate = type;
2580 else if (type->family == family)
2581 candidate = type;
2582 }
2583 }
2584 return candidate;
2585}
2586
2587#ifdef CONFIG_MODULES
2588static int nft_expr_type_request_module(struct net *net, u8 family,
2589 struct nlattr *nla)
2590{
2591 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
2592 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
2593 return -EAGAIN;
2594
2595 return 0;
2596}
2597#endif
2598
2599static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2600 u8 family,
2601 struct nlattr *nla)
2602{
2603 const struct nft_expr_type *type;
2604
2605 if (nla == NULL)
2606 return ERR_PTR(-EINVAL);
2607
2608 type = __nft_expr_type_get(family, nla);
2609 if (type != NULL && try_module_get(type->owner))
2610 return type;
2611
2612 lockdep_nfnl_nft_mutex_not_held();
2613#ifdef CONFIG_MODULES
2614 if (type == NULL) {
2615 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2616 return ERR_PTR(-EAGAIN);
2617
2618 if (nft_request_module(net, "nft-expr-%.*s",
2619 nla_len(nla),
2620 (char *)nla_data(nla)) == -EAGAIN)
2621 return ERR_PTR(-EAGAIN);
2622 }
2623#endif
2624 return ERR_PTR(-ENOENT);
2625}
2626
2627static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2628 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
2629 .len = NFT_MODULE_AUTOLOAD_LIMIT },
2630 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2631};
2632
2633static int nf_tables_fill_expr_info(struct sk_buff *skb,
2634 const struct nft_expr *expr)
2635{
2636 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2637 goto nla_put_failure;
2638
2639 if (expr->ops->dump) {
2640 struct nlattr *data = nla_nest_start_noflag(skb,
2641 NFTA_EXPR_DATA);
2642 if (data == NULL)
2643 goto nla_put_failure;
2644 if (expr->ops->dump(skb, expr) < 0)
2645 goto nla_put_failure;
2646 nla_nest_end(skb, data);
2647 }
2648
2649 return skb->len;
2650
2651nla_put_failure:
2652 return -1;
2653};
2654
2655int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2656 const struct nft_expr *expr)
2657{
2658 struct nlattr *nest;
2659
2660 nest = nla_nest_start_noflag(skb, attr);
2661 if (!nest)
2662 goto nla_put_failure;
2663 if (nf_tables_fill_expr_info(skb, expr) < 0)
2664 goto nla_put_failure;
2665 nla_nest_end(skb, nest);
2666 return 0;
2667
2668nla_put_failure:
2669 return -1;
2670}
2671
2672struct nft_expr_info {
2673 const struct nft_expr_ops *ops;
2674 const struct nlattr *attr;
2675 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2676};
2677
2678static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2679 const struct nlattr *nla,
2680 struct nft_expr_info *info)
2681{
2682 const struct nft_expr_type *type;
2683 const struct nft_expr_ops *ops;
2684 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2685 int err;
2686
2687 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2688 nft_expr_policy, NULL);
2689 if (err < 0)
2690 return err;
2691
2692 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2693 if (IS_ERR(type))
2694 return PTR_ERR(type);
2695
2696 if (tb[NFTA_EXPR_DATA]) {
2697 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2698 tb[NFTA_EXPR_DATA],
2699 type->policy, NULL);
2700 if (err < 0)
2701 goto err1;
2702 } else
2703 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2704
2705 if (type->select_ops != NULL) {
2706 ops = type->select_ops(ctx,
2707 (const struct nlattr * const *)info->tb);
2708 if (IS_ERR(ops)) {
2709 err = PTR_ERR(ops);
2710#ifdef CONFIG_MODULES
2711 if (err == -EAGAIN)
2712 if (nft_expr_type_request_module(ctx->net,
2713 ctx->family,
2714 tb[NFTA_EXPR_NAME]) != -EAGAIN)
2715 err = -ENOENT;
2716#endif
2717 goto err1;
2718 }
2719 } else
2720 ops = type->ops;
2721
2722 info->attr = nla;
2723 info->ops = ops;
2724
2725 return 0;
2726
2727err1:
2728 module_put(type->owner);
2729 return err;
2730}
2731
2732static int nf_tables_newexpr(const struct nft_ctx *ctx,
2733 const struct nft_expr_info *expr_info,
2734 struct nft_expr *expr)
2735{
2736 const struct nft_expr_ops *ops = expr_info->ops;
2737 int err;
2738
2739 expr->ops = ops;
2740 if (ops->init) {
2741 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb);
2742 if (err < 0)
2743 goto err1;
2744 }
2745
2746 return 0;
2747err1:
2748 expr->ops = NULL;
2749 return err;
2750}
2751
2752static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2753 struct nft_expr *expr)
2754{
2755 const struct nft_expr_type *type = expr->ops->type;
2756
2757 if (expr->ops->destroy)
2758 expr->ops->destroy(ctx, expr);
2759 module_put(type->owner);
2760}
2761
2762static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2763 const struct nlattr *nla)
2764{
2765 struct nft_expr_info expr_info;
2766 struct nft_expr *expr;
2767 struct module *owner;
2768 int err;
2769
2770 err = nf_tables_expr_parse(ctx, nla, &expr_info);
2771 if (err < 0)
2772 goto err1;
2773
2774 err = -ENOMEM;
2775 expr = kzalloc(expr_info.ops->size, GFP_KERNEL);
2776 if (expr == NULL)
2777 goto err2;
2778
2779 err = nf_tables_newexpr(ctx, &expr_info, expr);
2780 if (err < 0)
2781 goto err3;
2782
2783 return expr;
2784err3:
2785 kfree(expr);
2786err2:
2787 owner = expr_info.ops->type->owner;
2788 if (expr_info.ops->type->release_ops)
2789 expr_info.ops->type->release_ops(expr_info.ops);
2790
2791 module_put(owner);
2792err1:
2793 return ERR_PTR(err);
2794}
2795
2796int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
2797{
2798 int err;
2799
2800 if (src->ops->clone) {
2801 dst->ops = src->ops;
2802 err = src->ops->clone(dst, src);
2803 if (err < 0)
2804 return err;
2805 } else {
2806 memcpy(dst, src, src->ops->size);
2807 }
2808
2809 __module_get(src->ops->type->owner);
2810
2811 return 0;
2812}
2813
2814void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2815{
2816 nf_tables_expr_destroy(ctx, expr);
2817 kfree(expr);
2818}
2819
2820
2821
2822
2823
2824static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2825 u64 handle)
2826{
2827 struct nft_rule *rule;
2828
2829
2830 list_for_each_entry_rcu(rule, &chain->rules, list) {
2831 if (handle == rule->handle)
2832 return rule;
2833 }
2834
2835 return ERR_PTR(-ENOENT);
2836}
2837
2838static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2839 const struct nlattr *nla)
2840{
2841 if (nla == NULL)
2842 return ERR_PTR(-EINVAL);
2843
2844 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2845}
2846
2847static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2848 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2849 .len = NFT_TABLE_MAXNAMELEN - 1 },
2850 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2851 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2852 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2853 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2854 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2855 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2856 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2857 .len = NFT_USERDATA_MAXLEN },
2858 [NFTA_RULE_ID] = { .type = NLA_U32 },
2859 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2860 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
2861};
2862
2863static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2864 u32 portid, u32 seq, int event,
2865 u32 flags, int family,
2866 const struct nft_table *table,
2867 const struct nft_chain *chain,
2868 const struct nft_rule *rule,
2869 const struct nft_rule *prule)
2870{
2871 struct nlmsghdr *nlh;
2872 const struct nft_expr *expr, *next;
2873 struct nlattr *list;
2874 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2875
2876 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0,
2877 nft_base_seq(net));
2878 if (!nlh)
2879 goto nla_put_failure;
2880
2881 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2882 goto nla_put_failure;
2883 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2884 goto nla_put_failure;
2885 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2886 NFTA_RULE_PAD))
2887 goto nla_put_failure;
2888
2889 if (event != NFT_MSG_DELRULE && prule) {
2890 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2891 cpu_to_be64(prule->handle),
2892 NFTA_RULE_PAD))
2893 goto nla_put_failure;
2894 }
2895
2896 if (chain->flags & NFT_CHAIN_HW_OFFLOAD)
2897 nft_flow_rule_stats(chain, rule);
2898
2899 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
2900 if (list == NULL)
2901 goto nla_put_failure;
2902 nft_rule_for_each_expr(expr, next, rule) {
2903 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2904 goto nla_put_failure;
2905 }
2906 nla_nest_end(skb, list);
2907
2908 if (rule->udata) {
2909 struct nft_userdata *udata = nft_userdata(rule);
2910 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2911 udata->data) < 0)
2912 goto nla_put_failure;
2913 }
2914
2915 nlmsg_end(skb, nlh);
2916 return 0;
2917
2918nla_put_failure:
2919 nlmsg_trim(skb, nlh);
2920 return -1;
2921}
2922
2923static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2924 const struct nft_rule *rule, int event)
2925{
2926 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
2927 struct sk_buff *skb;
2928 int err;
2929
2930 if (!ctx->report &&
2931 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2932 return;
2933
2934 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2935 if (skb == NULL)
2936 goto err;
2937
2938 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2939 event, 0, ctx->family, ctx->table,
2940 ctx->chain, rule, NULL);
2941 if (err < 0) {
2942 kfree_skb(skb);
2943 goto err;
2944 }
2945
2946 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
2947 return;
2948err:
2949 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2950}
2951
2952struct nft_rule_dump_ctx {
2953 char *table;
2954 char *chain;
2955};
2956
2957static int __nf_tables_dump_rules(struct sk_buff *skb,
2958 unsigned int *idx,
2959 struct netlink_callback *cb,
2960 const struct nft_table *table,
2961 const struct nft_chain *chain)
2962{
2963 struct net *net = sock_net(skb->sk);
2964 const struct nft_rule *rule, *prule;
2965 unsigned int s_idx = cb->args[0];
2966
2967 prule = NULL;
2968 list_for_each_entry_rcu(rule, &chain->rules, list) {
2969 if (!nft_is_active(net, rule))
2970 goto cont_skip;
2971 if (*idx < s_idx)
2972 goto cont;
2973 if (*idx > s_idx) {
2974 memset(&cb->args[1], 0,
2975 sizeof(cb->args) - sizeof(cb->args[0]));
2976 }
2977 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2978 cb->nlh->nlmsg_seq,
2979 NFT_MSG_NEWRULE,
2980 NLM_F_MULTI | NLM_F_APPEND,
2981 table->family,
2982 table, chain, rule, prule) < 0)
2983 return 1;
2984
2985 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2986cont:
2987 prule = rule;
2988cont_skip:
2989 (*idx)++;
2990 }
2991 return 0;
2992}
2993
2994static int nf_tables_dump_rules(struct sk_buff *skb,
2995 struct netlink_callback *cb)
2996{
2997 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2998 const struct nft_rule_dump_ctx *ctx = cb->data;
2999 struct nft_table *table;
3000 const struct nft_chain *chain;
3001 unsigned int idx = 0;
3002 struct net *net = sock_net(skb->sk);
3003 int family = nfmsg->nfgen_family;
3004 struct nftables_pernet *nft_net;
3005
3006 rcu_read_lock();
3007 nft_net = nft_pernet(net);
3008 cb->seq = nft_net->base_seq;
3009
3010 list_for_each_entry_rcu(table, &nft_net->tables, list) {
3011 if (family != NFPROTO_UNSPEC && family != table->family)
3012 continue;
3013
3014 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
3015 continue;
3016
3017 if (ctx && ctx->table && ctx->chain) {
3018 struct rhlist_head *list, *tmp;
3019
3020 list = rhltable_lookup(&table->chains_ht, ctx->chain,
3021 nft_chain_ht_params);
3022 if (!list)
3023 goto done;
3024
3025 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
3026 if (!nft_is_active(net, chain))
3027 continue;
3028 __nf_tables_dump_rules(skb, &idx,
3029 cb, table, chain);
3030 break;
3031 }
3032 goto done;
3033 }
3034
3035 list_for_each_entry_rcu(chain, &table->chains, list) {
3036 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
3037 goto done;
3038 }
3039
3040 if (ctx && ctx->table)
3041 break;
3042 }
3043done:
3044 rcu_read_unlock();
3045
3046 cb->args[0] = idx;
3047 return skb->len;
3048}
3049
3050static int nf_tables_dump_rules_start(struct netlink_callback *cb)
3051{
3052 const struct nlattr * const *nla = cb->data;
3053 struct nft_rule_dump_ctx *ctx = NULL;
3054
3055 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
3056 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
3057 if (!ctx)
3058 return -ENOMEM;
3059
3060 if (nla[NFTA_RULE_TABLE]) {
3061 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
3062 GFP_ATOMIC);
3063 if (!ctx->table) {
3064 kfree(ctx);
3065 return -ENOMEM;
3066 }
3067 }
3068 if (nla[NFTA_RULE_CHAIN]) {
3069 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
3070 GFP_ATOMIC);
3071 if (!ctx->chain) {
3072 kfree(ctx->table);
3073 kfree(ctx);
3074 return -ENOMEM;
3075 }
3076 }
3077 }
3078
3079 cb->data = ctx;
3080 return 0;
3081}
3082
3083static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3084{
3085 struct nft_rule_dump_ctx *ctx = cb->data;
3086
3087 if (ctx) {
3088 kfree(ctx->table);
3089 kfree(ctx->chain);
3090 kfree(ctx);
3091 }
3092 return 0;
3093}
3094
3095
3096static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info,
3097 const struct nlattr * const nla[])
3098{
3099 const struct nfgenmsg *nfmsg = nlmsg_data(info->nlh);
3100 struct netlink_ext_ack *extack = info->extack;
3101 u8 genmask = nft_genmask_cur(info->net);
3102 int family = nfmsg->nfgen_family;
3103 const struct nft_chain *chain;
3104 const struct nft_rule *rule;
3105 struct net *net = info->net;
3106 struct nft_table *table;
3107 struct sk_buff *skb2;
3108 int err;
3109
3110 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3111 struct netlink_dump_control c = {
3112 .start= nf_tables_dump_rules_start,
3113 .dump = nf_tables_dump_rules,
3114 .done = nf_tables_dump_rules_done,
3115 .module = THIS_MODULE,
3116 .data = (void *)nla,
3117 };
3118
3119 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
3120 }
3121
3122 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0);
3123 if (IS_ERR(table)) {
3124 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3125 return PTR_ERR(table);
3126 }
3127
3128 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3129 if (IS_ERR(chain)) {
3130 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3131 return PTR_ERR(chain);
3132 }
3133
3134 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3135 if (IS_ERR(rule)) {
3136 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3137 return PTR_ERR(rule);
3138 }
3139
3140 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3141 if (!skb2)
3142 return -ENOMEM;
3143
3144 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
3145 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3146 family, table, chain, rule, NULL);
3147 if (err < 0)
3148 goto err_fill_rule_info;
3149
3150 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
3151
3152err_fill_rule_info:
3153 kfree_skb(skb2);
3154 return err;
3155}
3156
3157static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
3158 struct nft_rule *rule)
3159{
3160 struct nft_expr *expr, *next;
3161
3162
3163
3164
3165
3166 expr = nft_expr_first(rule);
3167 while (nft_expr_more(rule, expr)) {
3168 next = nft_expr_next(expr);
3169 nf_tables_expr_destroy(ctx, expr);
3170 expr = next;
3171 }
3172 kfree(rule);
3173}
3174
3175void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3176{
3177 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
3178 nf_tables_rule_destroy(ctx, rule);
3179}
3180
3181int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
3182{
3183 struct nft_expr *expr, *last;
3184 const struct nft_data *data;
3185 struct nft_rule *rule;
3186 int err;
3187
3188 if (ctx->level == NFT_JUMP_STACK_SIZE)
3189 return -EMLINK;
3190
3191 list_for_each_entry(rule, &chain->rules, list) {
3192 if (!nft_is_active_next(ctx->net, rule))
3193 continue;
3194
3195 nft_rule_for_each_expr(expr, last, rule) {
3196 if (!expr->ops->validate)
3197 continue;
3198
3199 err = expr->ops->validate(ctx, expr, &data);
3200 if (err < 0)
3201 return err;
3202 }
3203 }
3204
3205 return 0;
3206}
3207EXPORT_SYMBOL_GPL(nft_chain_validate);
3208
3209static int nft_table_validate(struct net *net, const struct nft_table *table)
3210{
3211 struct nft_chain *chain;
3212 struct nft_ctx ctx = {
3213 .net = net,
3214 .family = table->family,
3215 };
3216 int err;
3217
3218 list_for_each_entry(chain, &table->chains, list) {
3219 if (!nft_is_base_chain(chain))
3220 continue;
3221
3222 ctx.chain = chain;
3223 err = nft_chain_validate(&ctx, chain);
3224 if (err < 0)
3225 return err;
3226 }
3227
3228 return 0;
3229}
3230
3231static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3232 const struct nlattr *nla);
3233
3234#define NFT_RULE_MAXEXPRS 128
3235
3236static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
3237 const struct nlattr * const nla[])
3238{
3239 struct nftables_pernet *nft_net = nft_pernet(info->net);
3240 const struct nfgenmsg *nfmsg = nlmsg_data(info->nlh);
3241 struct netlink_ext_ack *extack = info->extack;
3242 unsigned int size, i, n, ulen = 0, usize = 0;
3243 u8 genmask = nft_genmask_next(info->net);
3244 struct nft_rule *rule, *old_rule = NULL;
3245 struct nft_expr_info *expr_info = NULL;
3246 int family = nfmsg->nfgen_family;
3247 struct net *net = info->net;
3248 struct nft_flow_rule *flow;
3249 struct nft_userdata *udata;
3250 struct nft_table *table;
3251 struct nft_chain *chain;
3252 struct nft_trans *trans;
3253 u64 handle, pos_handle;
3254 struct nft_expr *expr;
3255 struct nft_ctx ctx;
3256 struct nlattr *tmp;
3257 int err, rem;
3258
3259 lockdep_assert_held(&nft_net->commit_mutex);
3260
3261 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3262 NETLINK_CB(skb).portid);
3263 if (IS_ERR(table)) {
3264 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3265 return PTR_ERR(table);
3266 }
3267
3268 if (nla[NFTA_RULE_CHAIN]) {
3269 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3270 genmask);
3271 if (IS_ERR(chain)) {
3272 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3273 return PTR_ERR(chain);
3274 }
3275 if (nft_chain_is_bound(chain))
3276 return -EOPNOTSUPP;
3277
3278 } else if (nla[NFTA_RULE_CHAIN_ID]) {
3279 chain = nft_chain_lookup_byid(net, nla[NFTA_RULE_CHAIN_ID]);
3280 if (IS_ERR(chain)) {
3281 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
3282 return PTR_ERR(chain);
3283 }
3284 } else {
3285 return -EINVAL;
3286 }
3287
3288 if (nla[NFTA_RULE_HANDLE]) {
3289 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3290 rule = __nft_rule_lookup(chain, handle);
3291 if (IS_ERR(rule)) {
3292 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3293 return PTR_ERR(rule);
3294 }
3295
3296 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
3297 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3298 return -EEXIST;
3299 }
3300 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
3301 old_rule = rule;
3302 else
3303 return -EOPNOTSUPP;
3304 } else {
3305 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) ||
3306 info->nlh->nlmsg_flags & NLM_F_REPLACE)
3307 return -EINVAL;
3308 handle = nf_tables_alloc_handle(table);
3309
3310 if (chain->use == UINT_MAX)
3311 return -EOVERFLOW;
3312
3313 if (nla[NFTA_RULE_POSITION]) {
3314 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3315 old_rule = __nft_rule_lookup(chain, pos_handle);
3316 if (IS_ERR(old_rule)) {
3317 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3318 return PTR_ERR(old_rule);
3319 }
3320 } else if (nla[NFTA_RULE_POSITION_ID]) {
3321 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
3322 if (IS_ERR(old_rule)) {
3323 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3324 return PTR_ERR(old_rule);
3325 }
3326 }
3327 }
3328
3329 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
3330
3331 n = 0;
3332 size = 0;
3333 if (nla[NFTA_RULE_EXPRESSIONS]) {
3334 expr_info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3335 sizeof(struct nft_expr_info),
3336 GFP_KERNEL);
3337 if (!expr_info)
3338 return -ENOMEM;
3339
3340 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3341 err = -EINVAL;
3342 if (nla_type(tmp) != NFTA_LIST_ELEM)
3343 goto err1;
3344 if (n == NFT_RULE_MAXEXPRS)
3345 goto err1;
3346 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]);
3347 if (err < 0) {
3348 NL_SET_BAD_ATTR(extack, tmp);
3349 goto err1;
3350 }
3351 size += expr_info[n].ops->size;
3352 n++;
3353 }
3354 }
3355
3356 err = -EFBIG;
3357 if (size >= 1 << 12)
3358 goto err1;
3359
3360 if (nla[NFTA_RULE_USERDATA]) {
3361 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3362 if (ulen > 0)
3363 usize = sizeof(struct nft_userdata) + ulen;
3364 }
3365
3366 err = -ENOMEM;
3367 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
3368 if (rule == NULL)
3369 goto err1;
3370
3371 nft_activate_next(net, rule);
3372
3373 rule->handle = handle;
3374 rule->dlen = size;
3375 rule->udata = ulen ? 1 : 0;
3376
3377 if (ulen) {
3378 udata = nft_userdata(rule);
3379 udata->len = ulen - 1;
3380 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
3381 }
3382
3383 expr = nft_expr_first(rule);
3384 for (i = 0; i < n; i++) {
3385 err = nf_tables_newexpr(&ctx, &expr_info[i], expr);
3386 if (err < 0) {
3387 NL_SET_BAD_ATTR(extack, expr_info[i].attr);
3388 goto err2;
3389 }
3390
3391 if (expr_info[i].ops->validate)
3392 nft_validate_state_update(net, NFT_VALIDATE_NEED);
3393
3394 expr_info[i].ops = NULL;
3395 expr = nft_expr_next(expr);
3396 }
3397
3398 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
3399 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3400 if (trans == NULL) {
3401 err = -ENOMEM;
3402 goto err2;
3403 }
3404 err = nft_delrule(&ctx, old_rule);
3405 if (err < 0) {
3406 nft_trans_destroy(trans);
3407 goto err2;
3408 }
3409
3410 list_add_tail_rcu(&rule->list, &old_rule->list);
3411 } else {
3412 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3413 if (!trans) {
3414 err = -ENOMEM;
3415 goto err2;
3416 }
3417
3418 if (info->nlh->nlmsg_flags & NLM_F_APPEND) {
3419 if (old_rule)
3420 list_add_rcu(&rule->list, &old_rule->list);
3421 else
3422 list_add_tail_rcu(&rule->list, &chain->rules);
3423 } else {
3424 if (old_rule)
3425 list_add_tail_rcu(&rule->list, &old_rule->list);
3426 else
3427 list_add_rcu(&rule->list, &chain->rules);
3428 }
3429 }
3430 kvfree(expr_info);
3431 chain->use++;
3432
3433 if (nft_net->validate_state == NFT_VALIDATE_DO)
3434 return nft_table_validate(net, table);
3435
3436 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
3437 flow = nft_flow_rule_create(net, rule);
3438 if (IS_ERR(flow))
3439 return PTR_ERR(flow);
3440
3441 nft_trans_flow_rule(trans) = flow;
3442 }
3443
3444 return 0;
3445err2:
3446 nf_tables_rule_release(&ctx, rule);
3447err1:
3448 for (i = 0; i < n; i++) {
3449 if (expr_info[i].ops) {
3450 module_put(expr_info[i].ops->type->owner);
3451 if (expr_info[i].ops->type->release_ops)
3452 expr_info[i].ops->type->release_ops(expr_info[i].ops);
3453 }
3454 }
3455 kvfree(expr_info);
3456
3457 return err;
3458}
3459
3460static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3461 const struct nlattr *nla)
3462{
3463 struct nftables_pernet *nft_net = nft_pernet(net);
3464 u32 id = ntohl(nla_get_be32(nla));
3465 struct nft_trans *trans;
3466
3467 list_for_each_entry(trans, &nft_net->commit_list, list) {
3468 struct nft_rule *rule = nft_trans_rule(trans);
3469
3470 if (trans->msg_type == NFT_MSG_NEWRULE &&
3471 id == nft_trans_rule_id(trans))
3472 return rule;
3473 }
3474 return ERR_PTR(-ENOENT);
3475}
3476
3477static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
3478 const struct nlattr * const nla[])
3479{
3480 const struct nfgenmsg *nfmsg = nlmsg_data(info->nlh);
3481 struct netlink_ext_ack *extack = info->extack;
3482 int family = nfmsg->nfgen_family, err = 0;
3483 u8 genmask = nft_genmask_next(info->net);
3484 struct nft_chain *chain = NULL;
3485 struct net *net = info->net;
3486 struct nft_table *table;
3487 struct nft_rule *rule;
3488 struct nft_ctx ctx;
3489
3490 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3491 NETLINK_CB(skb).portid);
3492 if (IS_ERR(table)) {
3493 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3494 return PTR_ERR(table);
3495 }
3496
3497 if (nla[NFTA_RULE_CHAIN]) {
3498 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3499 genmask);
3500 if (IS_ERR(chain)) {
3501 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3502 return PTR_ERR(chain);
3503 }
3504 if (nft_chain_is_bound(chain))
3505 return -EOPNOTSUPP;
3506 }
3507
3508 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
3509
3510 if (chain) {
3511 if (nla[NFTA_RULE_HANDLE]) {
3512 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3513 if (IS_ERR(rule)) {
3514 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3515 return PTR_ERR(rule);
3516 }
3517
3518 err = nft_delrule(&ctx, rule);
3519 } else if (nla[NFTA_RULE_ID]) {
3520 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
3521 if (IS_ERR(rule)) {
3522 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
3523 return PTR_ERR(rule);
3524 }
3525
3526 err = nft_delrule(&ctx, rule);
3527 } else {
3528 err = nft_delrule_by_chain(&ctx);
3529 }
3530 } else {
3531 list_for_each_entry(chain, &table->chains, list) {
3532 if (!nft_is_active_next(net, chain))
3533 continue;
3534
3535 ctx.chain = chain;
3536 err = nft_delrule_by_chain(&ctx);
3537 if (err < 0)
3538 break;
3539 }
3540 }
3541
3542 return err;
3543}
3544
3545
3546
3547
3548static const struct nft_set_type *nft_set_types[] = {
3549 &nft_set_hash_fast_type,
3550 &nft_set_hash_type,
3551 &nft_set_rhash_type,
3552 &nft_set_bitmap_type,
3553 &nft_set_rbtree_type,
3554#if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
3555 &nft_set_pipapo_avx2_type,
3556#endif
3557 &nft_set_pipapo_type,
3558};
3559
3560#define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3561 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3562 NFT_SET_EVAL)
3563
3564static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
3565{
3566 return (flags & type->features) == (flags & NFT_SET_FEATURES);
3567}
3568
3569
3570
3571
3572
3573
3574static const struct nft_set_ops *
3575nft_select_set_ops(const struct nft_ctx *ctx,
3576 const struct nlattr * const nla[],
3577 const struct nft_set_desc *desc,
3578 enum nft_set_policies policy)
3579{
3580 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
3581 const struct nft_set_ops *ops, *bops;
3582 struct nft_set_estimate est, best;
3583 const struct nft_set_type *type;
3584 u32 flags = 0;
3585 int i;
3586
3587 lockdep_assert_held(&nft_net->commit_mutex);
3588 lockdep_nfnl_nft_mutex_not_held();
3589
3590 if (nla[NFTA_SET_FLAGS] != NULL)
3591 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3592
3593 bops = NULL;
3594 best.size = ~0;
3595 best.lookup = ~0;
3596 best.space = ~0;
3597
3598 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
3599 type = nft_set_types[i];
3600 ops = &type->ops;
3601
3602 if (!nft_set_ops_candidate(type, flags))
3603 continue;
3604 if (!ops->estimate(desc, flags, &est))
3605 continue;
3606
3607 switch (policy) {
3608 case NFT_SET_POL_PERFORMANCE:
3609 if (est.lookup < best.lookup)
3610 break;
3611 if (est.lookup == best.lookup &&
3612 est.space < best.space)
3613 break;
3614 continue;
3615 case NFT_SET_POL_MEMORY:
3616 if (!desc->size) {
3617 if (est.space < best.space)
3618 break;
3619 if (est.space == best.space &&
3620 est.lookup < best.lookup)
3621 break;
3622 } else if (est.size < best.size || !bops) {
3623 break;
3624 }
3625 continue;
3626 default:
3627 break;
3628 }
3629
3630 bops = ops;
3631 best = est;
3632 }
3633
3634 if (bops != NULL)
3635 return bops;
3636
3637 return ERR_PTR(-EOPNOTSUPP);
3638}
3639
3640static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3641 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3642 .len = NFT_TABLE_MAXNAMELEN - 1 },
3643 [NFTA_SET_NAME] = { .type = NLA_STRING,
3644 .len = NFT_SET_MAXNAMELEN - 1 },
3645 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3646 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3647 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3648 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3649 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3650 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3651 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3652 [NFTA_SET_ID] = { .type = NLA_U32 },
3653 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3654 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3655 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3656 .len = NFT_USERDATA_MAXLEN },
3657 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3658 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3659 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
3660 [NFTA_SET_EXPRESSIONS] = { .type = NLA_NESTED },
3661};
3662
3663static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3664 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3665 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED },
3666};
3667
3668static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3669 const struct sk_buff *skb,
3670 const struct nlmsghdr *nlh,
3671 const struct nlattr * const nla[],
3672 struct netlink_ext_ack *extack,
3673 u8 genmask, u32 nlpid)
3674{
3675 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3676 int family = nfmsg->nfgen_family;
3677 struct nft_table *table = NULL;
3678
3679 if (nla[NFTA_SET_TABLE] != NULL) {
3680 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3681 genmask, nlpid);
3682 if (IS_ERR(table)) {
3683 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3684 return PTR_ERR(table);
3685 }
3686 }
3687
3688 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3689 return 0;
3690}
3691
3692static struct nft_set *nft_set_lookup(const struct nft_table *table,
3693 const struct nlattr *nla, u8 genmask)
3694{
3695 struct nft_set *set;
3696
3697 if (nla == NULL)
3698 return ERR_PTR(-EINVAL);
3699
3700 list_for_each_entry_rcu(set, &table->sets, list) {
3701 if (!nla_strcmp(nla, set->name) &&
3702 nft_active_genmask(set, genmask))
3703 return set;
3704 }
3705 return ERR_PTR(-ENOENT);
3706}
3707
3708static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3709 const struct nlattr *nla,
3710 u8 genmask)
3711{
3712 struct nft_set *set;
3713
3714 list_for_each_entry(set, &table->sets, list) {
3715 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3716 nft_active_genmask(set, genmask))
3717 return set;
3718 }
3719 return ERR_PTR(-ENOENT);
3720}
3721
3722static struct nft_set *nft_set_lookup_byid(const struct net *net,
3723 const struct nlattr *nla, u8 genmask)
3724{
3725 struct nftables_pernet *nft_net = nft_pernet(net);
3726 u32 id = ntohl(nla_get_be32(nla));
3727 struct nft_trans *trans;
3728
3729 list_for_each_entry(trans, &nft_net->commit_list, list) {
3730 if (trans->msg_type == NFT_MSG_NEWSET) {
3731 struct nft_set *set = nft_trans_set(trans);
3732
3733 if (id == nft_trans_set_id(trans) &&
3734 nft_active_genmask(set, genmask))
3735 return set;
3736 }
3737 }
3738 return ERR_PTR(-ENOENT);
3739}
3740
3741struct nft_set *nft_set_lookup_global(const struct net *net,
3742 const struct nft_table *table,
3743 const struct nlattr *nla_set_name,
3744 const struct nlattr *nla_set_id,
3745 u8 genmask)
3746{
3747 struct nft_set *set;
3748
3749 set = nft_set_lookup(table, nla_set_name, genmask);
3750 if (IS_ERR(set)) {
3751 if (!nla_set_id)
3752 return set;
3753
3754 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3755 }
3756 return set;
3757}
3758EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3759
3760static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3761 const char *name)
3762{
3763 const struct nft_set *i;
3764 const char *p;
3765 unsigned long *inuse;
3766 unsigned int n = 0, min = 0;
3767
3768 p = strchr(name, '%');
3769 if (p != NULL) {
3770 if (p[1] != 'd' || strchr(p + 2, '%'))
3771 return -EINVAL;
3772
3773 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3774 if (inuse == NULL)
3775 return -ENOMEM;
3776cont:
3777 list_for_each_entry(i, &ctx->table->sets, list) {
3778 int tmp;
3779
3780 if (!nft_is_active_next(ctx->net, set))
3781 continue;
3782 if (!sscanf(i->name, name, &tmp))
3783 continue;
3784 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3785 continue;
3786
3787 set_bit(tmp - min, inuse);
3788 }
3789
3790 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3791 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3792 min += BITS_PER_BYTE * PAGE_SIZE;
3793 memset(inuse, 0, PAGE_SIZE);
3794 goto cont;
3795 }
3796 free_page((unsigned long)inuse);
3797 }
3798
3799 set->name = kasprintf(GFP_KERNEL, name, min + n);
3800 if (!set->name)
3801 return -ENOMEM;
3802
3803 list_for_each_entry(i, &ctx->table->sets, list) {
3804 if (!nft_is_active_next(ctx->net, i))
3805 continue;
3806 if (!strcmp(set->name, i->name)) {
3807 kfree(set->name);
3808 set->name = NULL;
3809 return -ENFILE;
3810 }
3811 }
3812 return 0;
3813}
3814
3815int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3816{
3817 u64 ms = be64_to_cpu(nla_get_be64(nla));
3818 u64 max = (u64)(~((u64)0));
3819
3820 max = div_u64(max, NSEC_PER_MSEC);
3821 if (ms >= max)
3822 return -ERANGE;
3823
3824 ms *= NSEC_PER_MSEC;
3825 *result = nsecs_to_jiffies64(ms);
3826 return 0;
3827}
3828
3829__be64 nf_jiffies64_to_msecs(u64 input)
3830{
3831 return cpu_to_be64(jiffies64_to_msecs(input));
3832}
3833
3834static int nf_tables_fill_set_concat(struct sk_buff *skb,
3835 const struct nft_set *set)
3836{
3837 struct nlattr *concat, *field;
3838 int i;
3839
3840 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
3841 if (!concat)
3842 return -ENOMEM;
3843
3844 for (i = 0; i < set->field_count; i++) {
3845 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
3846 if (!field)
3847 return -ENOMEM;
3848
3849 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
3850 htonl(set->field_len[i])))
3851 return -ENOMEM;
3852
3853 nla_nest_end(skb, field);
3854 }
3855
3856 nla_nest_end(skb, concat);
3857
3858 return 0;
3859}
3860
3861static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3862 const struct nft_set *set, u16 event, u16 flags)
3863{
3864 struct nlmsghdr *nlh;
3865 u32 portid = ctx->portid;
3866 struct nlattr *nest;
3867 u32 seq = ctx->seq;
3868 int i;
3869
3870 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3871 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
3872 NFNETLINK_V0, nft_base_seq(ctx->net));
3873 if (!nlh)
3874 goto nla_put_failure;
3875
3876 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3877 goto nla_put_failure;
3878 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3879 goto nla_put_failure;
3880 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3881 NFTA_SET_PAD))
3882 goto nla_put_failure;
3883 if (set->flags != 0)
3884 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3885 goto nla_put_failure;
3886
3887 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3888 goto nla_put_failure;
3889 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3890 goto nla_put_failure;
3891 if (set->flags & NFT_SET_MAP) {
3892 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3893 goto nla_put_failure;
3894 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3895 goto nla_put_failure;
3896 }
3897 if (set->flags & NFT_SET_OBJECT &&
3898 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3899 goto nla_put_failure;
3900
3901 if (set->timeout &&
3902 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3903 nf_jiffies64_to_msecs(set->timeout),
3904 NFTA_SET_PAD))
3905 goto nla_put_failure;
3906 if (set->gc_int &&
3907 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3908 goto nla_put_failure;
3909
3910 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3911 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3912 goto nla_put_failure;
3913 }
3914
3915 if (set->udata &&
3916 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3917 goto nla_put_failure;
3918
3919 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
3920 if (!nest)
3921 goto nla_put_failure;
3922 if (set->size &&
3923 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3924 goto nla_put_failure;
3925
3926 if (set->field_count > 1 &&
3927 nf_tables_fill_set_concat(skb, set))
3928 goto nla_put_failure;
3929
3930 nla_nest_end(skb, nest);
3931
3932 if (set->num_exprs == 1) {
3933 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
3934 if (nf_tables_fill_expr_info(skb, set->exprs[0]) < 0)
3935 goto nla_put_failure;
3936
3937 nla_nest_end(skb, nest);
3938 } else if (set->num_exprs > 1) {
3939 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS);
3940 if (nest == NULL)
3941 goto nla_put_failure;
3942
3943 for (i = 0; i < set->num_exprs; i++) {
3944 if (nft_expr_dump(skb, NFTA_LIST_ELEM,
3945 set->exprs[i]) < 0)
3946 goto nla_put_failure;
3947 }
3948 nla_nest_end(skb, nest);
3949 }
3950
3951 nlmsg_end(skb, nlh);
3952 return 0;
3953
3954nla_put_failure:
3955 nlmsg_trim(skb, nlh);
3956 return -1;
3957}
3958
3959static void nf_tables_set_notify(const struct nft_ctx *ctx,
3960 const struct nft_set *set, int event,
3961 gfp_t gfp_flags)
3962{
3963 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
3964 struct sk_buff *skb;
3965 u32 portid = ctx->portid;
3966 int err;
3967
3968 if (!ctx->report &&
3969 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3970 return;
3971
3972 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3973 if (skb == NULL)
3974 goto err;
3975
3976 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3977 if (err < 0) {
3978 kfree_skb(skb);
3979 goto err;
3980 }
3981
3982 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
3983 return;
3984err:
3985 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3986}
3987
3988static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3989{
3990 const struct nft_set *set;
3991 unsigned int idx, s_idx = cb->args[0];
3992 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3993 struct net *net = sock_net(skb->sk);
3994 struct nft_ctx *ctx = cb->data, ctx_set;
3995 struct nftables_pernet *nft_net;
3996
3997 if (cb->args[1])
3998 return skb->len;
3999
4000 rcu_read_lock();
4001 nft_net = nft_pernet(net);
4002 cb->seq = nft_net->base_seq;
4003
4004 list_for_each_entry_rcu(table, &nft_net->tables, list) {
4005 if (ctx->family != NFPROTO_UNSPEC &&
4006 ctx->family != table->family)
4007 continue;
4008
4009 if (ctx->table && ctx->table != table)
4010 continue;
4011
4012 if (cur_table) {
4013 if (cur_table != table)
4014 continue;
4015
4016 cur_table = NULL;
4017 }
4018 idx = 0;
4019 list_for_each_entry_rcu(set, &table->sets, list) {
4020 if (idx < s_idx)
4021 goto cont;
4022 if (!nft_is_active(net, set))
4023 goto cont;
4024
4025 ctx_set = *ctx;
4026 ctx_set.table = table;
4027 ctx_set.family = table->family;
4028
4029 if (nf_tables_fill_set(skb, &ctx_set, set,
4030 NFT_MSG_NEWSET,
4031 NLM_F_MULTI) < 0) {
4032 cb->args[0] = idx;
4033 cb->args[2] = (unsigned long) table;
4034 goto done;
4035 }
4036 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4037cont:
4038 idx++;
4039 }
4040 if (s_idx)
4041 s_idx = 0;
4042 }
4043 cb->args[1] = 1;
4044done:
4045 rcu_read_unlock();
4046 return skb->len;
4047}
4048
4049static int nf_tables_dump_sets_start(struct netlink_callback *cb)
4050{
4051 struct nft_ctx *ctx_dump = NULL;
4052
4053 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
4054 if (ctx_dump == NULL)
4055 return -ENOMEM;
4056
4057 cb->data = ctx_dump;
4058 return 0;
4059}
4060
4061static int nf_tables_dump_sets_done(struct netlink_callback *cb)
4062{
4063 kfree(cb->data);
4064 return 0;
4065}
4066
4067
4068static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info,
4069 const struct nlattr * const nla[])
4070{
4071 const struct nfgenmsg *nfmsg = nlmsg_data(info->nlh);
4072 struct netlink_ext_ack *extack = info->extack;
4073 u8 genmask = nft_genmask_cur(info->net);
4074 struct net *net = info->net;
4075 const struct nft_set *set;
4076 struct sk_buff *skb2;
4077 struct nft_ctx ctx;
4078 int err;
4079
4080
4081 err = nft_ctx_init_from_setattr(&ctx, net, skb, info->nlh, nla, extack,
4082 genmask, 0);
4083 if (err < 0)
4084 return err;
4085
4086 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
4087 struct netlink_dump_control c = {
4088 .start = nf_tables_dump_sets_start,
4089 .dump = nf_tables_dump_sets,
4090 .done = nf_tables_dump_sets_done,
4091 .data = &ctx,
4092 .module = THIS_MODULE,
4093 };
4094
4095 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
4096 }
4097
4098
4099 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4100 return -EAFNOSUPPORT;
4101 if (!nla[NFTA_SET_TABLE])
4102 return -EINVAL;
4103
4104 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
4105 if (IS_ERR(set))
4106 return PTR_ERR(set);
4107
4108 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
4109 if (skb2 == NULL)
4110 return -ENOMEM;
4111
4112 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
4113 if (err < 0)
4114 goto err_fill_set_info;
4115
4116 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4117
4118err_fill_set_info:
4119 kfree_skb(skb2);
4120 return err;
4121}
4122
4123static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4124 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
4125};
4126
4127static int nft_set_desc_concat_parse(const struct nlattr *attr,
4128 struct nft_set_desc *desc)
4129{
4130 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
4131 u32 len;
4132 int err;
4133
4134 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
4135 nft_concat_policy, NULL);
4136 if (err < 0)
4137 return err;
4138
4139 if (!tb[NFTA_SET_FIELD_LEN])
4140 return -EINVAL;
4141
4142 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
4143
4144 if (len * BITS_PER_BYTE / 32 > NFT_REG32_COUNT)
4145 return -E2BIG;
4146
4147 desc->field_len[desc->field_count++] = len;
4148
4149 return 0;
4150}
4151
4152static int nft_set_desc_concat(struct nft_set_desc *desc,
4153 const struct nlattr *nla)
4154{
4155 struct nlattr *attr;
4156 int rem, err;
4157
4158 nla_for_each_nested(attr, nla, rem) {
4159 if (nla_type(attr) != NFTA_LIST_ELEM)
4160 return -EINVAL;
4161
4162 err = nft_set_desc_concat_parse(attr, desc);
4163 if (err < 0)
4164 return err;
4165 }
4166
4167 return 0;
4168}
4169
4170static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
4171 const struct nlattr *nla)
4172{
4173 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
4174 int err;
4175
4176 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
4177 nft_set_desc_policy, NULL);
4178 if (err < 0)
4179 return err;
4180
4181 if (da[NFTA_SET_DESC_SIZE] != NULL)
4182 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
4183 if (da[NFTA_SET_DESC_CONCAT])
4184 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
4185
4186 return err;
4187}
4188
4189static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
4190 const struct nlattr * const nla[])
4191{
4192 const struct nfgenmsg *nfmsg = nlmsg_data(info->nlh);
4193 u32 ktype, dtype, flags, policy, gc_int, objtype;
4194 struct netlink_ext_ack *extack = info->extack;
4195 u8 genmask = nft_genmask_next(info->net);
4196 int family = nfmsg->nfgen_family;
4197 const struct nft_set_ops *ops;
4198 struct nft_expr *expr = NULL;
4199 struct net *net = info->net;
4200 struct nft_set_desc desc;
4201 struct nft_table *table;
4202 unsigned char *udata;
4203 struct nft_set *set;
4204 struct nft_ctx ctx;
4205 size_t alloc_size;
4206 u64 timeout;
4207 char *name;
4208 int err, i;
4209 u16 udlen;
4210 u64 size;
4211
4212 if (nla[NFTA_SET_TABLE] == NULL ||
4213 nla[NFTA_SET_NAME] == NULL ||
4214 nla[NFTA_SET_KEY_LEN] == NULL ||
4215 nla[NFTA_SET_ID] == NULL)
4216 return -EINVAL;
4217
4218 memset(&desc, 0, sizeof(desc));
4219
4220 ktype = NFT_DATA_VALUE;
4221 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
4222 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
4223 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
4224 return -EINVAL;
4225 }
4226
4227 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
4228 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
4229 return -EINVAL;
4230
4231 flags = 0;
4232 if (nla[NFTA_SET_FLAGS] != NULL) {
4233 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
4234 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
4235 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
4236 NFT_SET_MAP | NFT_SET_EVAL |
4237 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR))
4238 return -EOPNOTSUPP;
4239
4240 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
4241 (NFT_SET_MAP | NFT_SET_OBJECT))
4242 return -EOPNOTSUPP;
4243 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
4244 (NFT_SET_EVAL | NFT_SET_OBJECT))
4245 return -EOPNOTSUPP;
4246 }
4247
4248 dtype = 0;
4249 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
4250 if (!(flags & NFT_SET_MAP))
4251 return -EINVAL;
4252
4253 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
4254 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
4255 dtype != NFT_DATA_VERDICT)
4256 return -EINVAL;
4257
4258 if (dtype != NFT_DATA_VERDICT) {
4259 if (nla[NFTA_SET_DATA_LEN] == NULL)
4260 return -EINVAL;
4261 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
4262 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
4263 return -EINVAL;
4264 } else
4265 desc.dlen = sizeof(struct nft_verdict);
4266 } else if (flags & NFT_SET_MAP)
4267 return -EINVAL;
4268
4269 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
4270 if (!(flags & NFT_SET_OBJECT))
4271 return -EINVAL;
4272
4273 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
4274 if (objtype == NFT_OBJECT_UNSPEC ||
4275 objtype > NFT_OBJECT_MAX)
4276 return -EOPNOTSUPP;
4277 } else if (flags & NFT_SET_OBJECT)
4278 return -EINVAL;
4279 else
4280 objtype = NFT_OBJECT_UNSPEC;
4281
4282 timeout = 0;
4283 if (nla[NFTA_SET_TIMEOUT] != NULL) {
4284 if (!(flags & NFT_SET_TIMEOUT))
4285 return -EINVAL;
4286
4287 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
4288 if (err)
4289 return err;
4290 }
4291 gc_int = 0;
4292 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
4293 if (!(flags & NFT_SET_TIMEOUT))
4294 return -EINVAL;
4295 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
4296 }
4297
4298 policy = NFT_SET_POL_PERFORMANCE;
4299 if (nla[NFTA_SET_POLICY] != NULL)
4300 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
4301
4302 if (nla[NFTA_SET_DESC] != NULL) {
4303 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
4304 if (err < 0)
4305 return err;
4306 }
4307
4308 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
4309 desc.expr = true;
4310
4311 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask,
4312 NETLINK_CB(skb).portid);
4313 if (IS_ERR(table)) {
4314 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4315 return PTR_ERR(table);
4316 }
4317
4318 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
4319
4320 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4321 if (IS_ERR(set)) {
4322 if (PTR_ERR(set) != -ENOENT) {
4323 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4324 return PTR_ERR(set);
4325 }
4326 } else {
4327 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
4328 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4329 return -EEXIST;
4330 }
4331 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
4332 return -EOPNOTSUPP;
4333
4334 return 0;
4335 }
4336
4337 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
4338 return -ENOENT;
4339
4340 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
4341 if (IS_ERR(ops))
4342 return PTR_ERR(ops);
4343
4344 udlen = 0;
4345 if (nla[NFTA_SET_USERDATA])
4346 udlen = nla_len(nla[NFTA_SET_USERDATA]);
4347
4348 size = 0;
4349 if (ops->privsize != NULL)
4350 size = ops->privsize(nla, &desc);
4351 alloc_size = sizeof(*set) + size + udlen;
4352 if (alloc_size < size)
4353 return -ENOMEM;
4354 set = kvzalloc(alloc_size, GFP_KERNEL);
4355 if (!set)
4356 return -ENOMEM;
4357
4358 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
4359 if (!name) {
4360 err = -ENOMEM;
4361 goto err_set_name;
4362 }
4363
4364 err = nf_tables_set_alloc_name(&ctx, set, name);
4365 kfree(name);
4366 if (err < 0)
4367 goto err_set_name;
4368
4369 udata = NULL;
4370 if (udlen) {
4371 udata = set->data + size;
4372 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
4373 }
4374
4375 INIT_LIST_HEAD(&set->bindings);
4376 INIT_LIST_HEAD(&set->catchall_list);
4377 set->table = table;
4378 write_pnet(&set->net, net);
4379 set->ops = ops;
4380 set->ktype = ktype;
4381 set->klen = desc.klen;
4382 set->dtype = dtype;
4383 set->objtype = objtype;
4384 set->dlen = desc.dlen;
4385 set->flags = flags;
4386 set->size = desc.size;
4387 set->policy = policy;
4388 set->udlen = udlen;
4389 set->udata = udata;
4390 set->timeout = timeout;
4391 set->gc_int = gc_int;
4392
4393 set->field_count = desc.field_count;
4394 for (i = 0; i < desc.field_count; i++)
4395 set->field_len[i] = desc.field_len[i];
4396
4397 err = ops->init(set, &desc, nla);
4398 if (err < 0)
4399 goto err_set_init;
4400
4401 if (nla[NFTA_SET_EXPR]) {
4402 expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]);
4403 if (IS_ERR(expr)) {
4404 err = PTR_ERR(expr);
4405 goto err_set_expr_alloc;
4406 }
4407 set->exprs[0] = expr;
4408 set->num_exprs++;
4409 } else if (nla[NFTA_SET_EXPRESSIONS]) {
4410 struct nft_expr *expr;
4411 struct nlattr *tmp;
4412 int left;
4413
4414 if (!(flags & NFT_SET_EXPR)) {
4415 err = -EINVAL;
4416 goto err_set_expr_alloc;
4417 }
4418 i = 0;
4419 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {
4420 if (i == NFT_SET_EXPR_MAX) {
4421 err = -E2BIG;
4422 goto err_set_expr_alloc;
4423 }
4424 if (nla_type(tmp) != NFTA_LIST_ELEM) {
4425 err = -EINVAL;
4426 goto err_set_expr_alloc;
4427 }
4428 expr = nft_set_elem_expr_alloc(&ctx, set, tmp);
4429 if (IS_ERR(expr)) {
4430 err = PTR_ERR(expr);
4431 goto err_set_expr_alloc;
4432 }
4433 set->exprs[i++] = expr;
4434 set->num_exprs++;
4435 }
4436 }
4437
4438 set->handle = nf_tables_alloc_handle(table);
4439
4440 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
4441 if (err < 0)
4442 goto err_set_expr_alloc;
4443
4444 list_add_tail_rcu(&set->list, &table->sets);
4445 table->use++;
4446 return 0;
4447
4448err_set_expr_alloc:
4449 for (i = 0; i < set->num_exprs; i++)
4450 nft_expr_destroy(&ctx, set->exprs[i]);
4451
4452 ops->destroy(set);
4453err_set_init:
4454 kfree(set->name);
4455err_set_name:
4456 kvfree(set);
4457 return err;
4458}
4459
4460struct nft_set_elem_catchall {
4461 struct list_head list;
4462 struct rcu_head rcu;
4463 void *elem;
4464};
4465
4466static void nft_set_catchall_destroy(const struct nft_ctx *ctx,
4467 struct nft_set *set)
4468{
4469 struct nft_set_elem_catchall *catchall;
4470
4471 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
4472 list_del_rcu(&catchall->list);
4473 nft_set_elem_destroy(set, catchall->elem, true);
4474 kfree_rcu(catchall);
4475 }
4476}
4477
4478static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
4479{
4480 int i;
4481
4482 if (WARN_ON(set->use > 0))
4483 return;
4484
4485 for (i = 0; i < set->num_exprs; i++)
4486 nft_expr_destroy(ctx, set->exprs[i]);
4487
4488 set->ops->destroy(set);
4489 nft_set_catchall_destroy(ctx, set);
4490 kfree(set->name);
4491 kvfree(set);
4492}
4493
4494static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info,
4495 const struct nlattr * const nla[])
4496{
4497 const struct nfgenmsg *nfmsg = nlmsg_data(info->nlh);
4498 struct netlink_ext_ack *extack = info->extack;
4499 u8 genmask = nft_genmask_next(info->net);
4500 struct net *net = info->net;
4501 const struct nlattr *attr;
4502 struct nft_set *set;
4503 struct nft_ctx ctx;
4504 int err;
4505
4506 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4507 return -EAFNOSUPPORT;
4508 if (nla[NFTA_SET_TABLE] == NULL)
4509 return -EINVAL;
4510
4511 err = nft_ctx_init_from_setattr(&ctx, net, skb, info->nlh, nla, extack,
4512 genmask, NETLINK_CB(skb).portid);
4513 if (err < 0)
4514 return err;
4515
4516 if (nla[NFTA_SET_HANDLE]) {
4517 attr = nla[NFTA_SET_HANDLE];
4518 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
4519 } else {
4520 attr = nla[NFTA_SET_NAME];
4521 set = nft_set_lookup(ctx.table, attr, genmask);
4522 }
4523
4524 if (IS_ERR(set)) {
4525 NL_SET_BAD_ATTR(extack, attr);
4526 return PTR_ERR(set);
4527 }
4528 if (set->use ||
4529 (info->nlh->nlmsg_flags & NLM_F_NONREC &&
4530 atomic_read(&set->nelems) > 0)) {
4531 NL_SET_BAD_ATTR(extack, attr);
4532 return -EBUSY;
4533 }
4534
4535 return nft_delset(&ctx, set);
4536}
4537
4538static int nft_validate_register_store(const struct nft_ctx *ctx,
4539 enum nft_registers reg,
4540 const struct nft_data *data,
4541 enum nft_data_types type,
4542 unsigned int len);
4543
4544static int nft_setelem_data_validate(const struct nft_ctx *ctx,
4545 struct nft_set *set,
4546 struct nft_set_elem *elem)
4547{
4548 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4549 enum nft_registers dreg;
4550
4551 dreg = nft_type_to_reg(set->dtype);
4552 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
4553 set->dtype == NFT_DATA_VERDICT ?
4554 NFT_DATA_VERDICT : NFT_DATA_VALUE,
4555 set->dlen);
4556}
4557
4558static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
4559 struct nft_set *set,
4560 const struct nft_set_iter *iter,
4561 struct nft_set_elem *elem)
4562{
4563 return nft_setelem_data_validate(ctx, set, elem);
4564}
4565
4566static int nft_set_catchall_bind_check(const struct nft_ctx *ctx,
4567 struct nft_set *set)
4568{
4569 u8 genmask = nft_genmask_next(ctx->net);
4570 struct nft_set_elem_catchall *catchall;
4571 struct nft_set_elem elem;
4572 struct nft_set_ext *ext;
4573 int ret = 0;
4574
4575 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
4576 ext = nft_set_elem_ext(set, catchall->elem);
4577 if (!nft_set_elem_active(ext, genmask))
4578 continue;
4579
4580 elem.priv = catchall->elem;
4581 ret = nft_setelem_data_validate(ctx, set, &elem);
4582 if (ret < 0)
4583 break;
4584 }
4585
4586 return ret;
4587}
4588
4589int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
4590 struct nft_set_binding *binding)
4591{
4592 struct nft_set_binding *i;
4593 struct nft_set_iter iter;
4594
4595 if (set->use == UINT_MAX)
4596 return -EOVERFLOW;
4597
4598 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
4599 return -EBUSY;
4600
4601 if (binding->flags & NFT_SET_MAP) {
4602
4603
4604
4605 list_for_each_entry(i, &set->bindings, list) {
4606 if (i->flags & NFT_SET_MAP &&
4607 i->chain == binding->chain)
4608 goto bind;
4609 }
4610
4611 iter.genmask = nft_genmask_next(ctx->net);
4612 iter.skip = 0;
4613 iter.count = 0;
4614 iter.err = 0;
4615 iter.fn = nf_tables_bind_check_setelem;
4616
4617 set->ops->walk(ctx, set, &iter);
4618 if (!iter.err)
4619 iter.err = nft_set_catchall_bind_check(ctx, set);
4620
4621 if (iter.err < 0)
4622 return iter.err;
4623 }
4624bind:
4625 binding->chain = ctx->chain;
4626 list_add_tail_rcu(&binding->list, &set->bindings);
4627 nft_set_trans_bind(ctx, set);
4628 set->use++;
4629
4630 return 0;
4631}
4632EXPORT_SYMBOL_GPL(nf_tables_bind_set);
4633
4634static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
4635 struct nft_set_binding *binding, bool event)
4636{
4637 list_del_rcu(&binding->list);
4638
4639 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
4640 list_del_rcu(&set->list);
4641 if (event)
4642 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
4643 GFP_KERNEL);
4644 }
4645}
4646
4647void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
4648 struct nft_set_binding *binding,
4649 enum nft_trans_phase phase)
4650{
4651 switch (phase) {
4652 case NFT_TRANS_PREPARE:
4653 set->use--;
4654 return;
4655 case NFT_TRANS_ABORT:
4656 case NFT_TRANS_RELEASE:
4657 set->use--;
4658 fallthrough;
4659 default:
4660 nf_tables_unbind_set(ctx, set, binding,
4661 phase == NFT_TRANS_COMMIT);
4662 }
4663}
4664EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
4665
4666void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
4667{
4668 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
4669 nft_set_destroy(ctx, set);
4670}
4671EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
4672
4673const struct nft_set_ext_type nft_set_ext_types[] = {
4674 [NFT_SET_EXT_KEY] = {
4675 .align = __alignof__(u32),
4676 },
4677 [NFT_SET_EXT_DATA] = {
4678 .align = __alignof__(u32),
4679 },
4680 [NFT_SET_EXT_EXPRESSIONS] = {
4681 .align = __alignof__(struct nft_set_elem_expr),
4682 },
4683 [NFT_SET_EXT_OBJREF] = {
4684 .len = sizeof(struct nft_object *),
4685 .align = __alignof__(struct nft_object *),
4686 },
4687 [NFT_SET_EXT_FLAGS] = {
4688 .len = sizeof(u8),
4689 .align = __alignof__(u8),
4690 },
4691 [NFT_SET_EXT_TIMEOUT] = {
4692 .len = sizeof(u64),
4693 .align = __alignof__(u64),
4694 },
4695 [NFT_SET_EXT_EXPIRATION] = {
4696 .len = sizeof(u64),
4697 .align = __alignof__(u64),
4698 },
4699 [NFT_SET_EXT_USERDATA] = {
4700 .len = sizeof(struct nft_userdata),
4701 .align = __alignof__(struct nft_userdata),
4702 },
4703 [NFT_SET_EXT_KEY_END] = {
4704 .align = __alignof__(u32),
4705 },
4706};
4707
4708
4709
4710
4711
4712static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
4713 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
4714 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
4715 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
4716 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
4717 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
4718 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
4719 .len = NFT_USERDATA_MAXLEN },
4720 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
4721 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
4722 .len = NFT_OBJ_MAXNAMELEN - 1 },
4723 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
4724 [NFTA_SET_ELEM_EXPRESSIONS] = { .type = NLA_NESTED },
4725};
4726
4727static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
4728 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
4729 .len = NFT_TABLE_MAXNAMELEN - 1 },
4730 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
4731 .len = NFT_SET_MAXNAMELEN - 1 },
4732 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
4733 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
4734};
4735
4736static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
4737 const struct sk_buff *skb,
4738 const struct nlmsghdr *nlh,
4739 const struct nlattr * const nla[],
4740 struct netlink_ext_ack *extack,
4741 u8 genmask, u32 nlpid)
4742{
4743 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4744 int family = nfmsg->nfgen_family;
4745 struct nft_table *table;
4746
4747 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
4748 genmask, nlpid);
4749 if (IS_ERR(table)) {
4750 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
4751 return PTR_ERR(table);
4752 }
4753
4754 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
4755 return 0;
4756}
4757
4758static int nft_set_elem_expr_dump(struct sk_buff *skb,
4759 const struct nft_set *set,
4760 const struct nft_set_ext *ext)
4761{
4762 struct nft_set_elem_expr *elem_expr;
4763 u32 size, num_exprs = 0;
4764 struct nft_expr *expr;
4765 struct nlattr *nest;
4766
4767 elem_expr = nft_set_ext_expr(ext);
4768 nft_setelem_expr_foreach(expr, elem_expr, size)
4769 num_exprs++;
4770
4771 if (num_exprs == 1) {
4772 expr = nft_setelem_expr_at(elem_expr, 0);
4773 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr) < 0)
4774 return -1;
4775
4776 return 0;
4777 } else if (num_exprs > 1) {
4778 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS);
4779 if (nest == NULL)
4780 goto nla_put_failure;
4781
4782 nft_setelem_expr_foreach(expr, elem_expr, size) {
4783 expr = nft_setelem_expr_at(elem_expr, size);
4784 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
4785 goto nla_put_failure;
4786 }
4787 nla_nest_end(skb, nest);
4788 }
4789 return 0;
4790
4791nla_put_failure:
4792 return -1;
4793}
4794
4795static int nf_tables_fill_setelem(struct sk_buff *skb,
4796 const struct nft_set *set,
4797 const struct nft_set_elem *elem)
4798{
4799 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4800 unsigned char *b = skb_tail_pointer(skb);
4801 struct nlattr *nest;
4802
4803 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4804 if (nest == NULL)
4805 goto nla_put_failure;
4806
4807 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
4808 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
4809 NFT_DATA_VALUE, set->klen) < 0)
4810 goto nla_put_failure;
4811
4812 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
4813 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
4814 NFT_DATA_VALUE, set->klen) < 0)
4815 goto nla_put_failure;
4816
4817 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4818 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
4819 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
4820 set->dlen) < 0)
4821 goto nla_put_failure;
4822
4823 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) &&
4824 nft_set_elem_expr_dump(skb, set, ext))
4825 goto nla_put_failure;
4826
4827 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4828 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
4829 (*nft_set_ext_obj(ext))->key.name) < 0)
4830 goto nla_put_failure;
4831
4832 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4833 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
4834 htonl(*nft_set_ext_flags(ext))))
4835 goto nla_put_failure;
4836
4837 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
4838 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
4839 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
4840 NFTA_SET_ELEM_PAD))
4841 goto nla_put_failure;
4842
4843 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4844 u64 expires, now = get_jiffies_64();
4845
4846 expires = *nft_set_ext_expiration(ext);
4847 if (time_before64(now, expires))
4848 expires -= now;
4849 else
4850 expires = 0;
4851
4852 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
4853 nf_jiffies64_to_msecs(expires),
4854 NFTA_SET_ELEM_PAD))
4855 goto nla_put_failure;
4856 }
4857
4858 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
4859 struct nft_userdata *udata;
4860
4861 udata = nft_set_ext_userdata(ext);
4862 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
4863 udata->len + 1, udata->data))
4864 goto nla_put_failure;
4865 }
4866
4867 nla_nest_end(skb, nest);
4868 return 0;
4869
4870nla_put_failure:
4871 nlmsg_trim(skb, b);
4872 return -EMSGSIZE;
4873}
4874
4875struct nft_set_dump_args {
4876 const struct netlink_callback *cb;
4877 struct nft_set_iter iter;
4878 struct sk_buff *skb;
4879};
4880
4881static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
4882 struct nft_set *set,
4883 const struct nft_set_iter *iter,
4884 struct nft_set_elem *elem)
4885{
4886 struct nft_set_dump_args *args;
4887
4888 args = container_of(iter, struct nft_set_dump_args, iter);
4889 return nf_tables_fill_setelem(args->skb, set, elem);
4890}
4891
4892struct nft_set_dump_ctx {
4893 const struct nft_set *set;
4894 struct nft_ctx ctx;
4895};
4896
4897static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb,
4898 const struct nft_set *set)
4899{
4900 struct nft_set_elem_catchall *catchall;
4901 u8 genmask = nft_genmask_cur(net);
4902 struct nft_set_elem elem;
4903 struct nft_set_ext *ext;
4904 int ret = 0;
4905
4906 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
4907 ext = nft_set_elem_ext(set, catchall->elem);
4908 if (!nft_set_elem_active(ext, genmask) ||
4909 nft_set_elem_expired(ext))
4910 continue;
4911
4912 elem.priv = catchall->elem;
4913 ret = nf_tables_fill_setelem(skb, set, &elem);
4914 break;
4915 }
4916
4917 return ret;
4918}
4919
4920static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4921{
4922 struct nft_set_dump_ctx *dump_ctx = cb->data;
4923 struct net *net = sock_net(skb->sk);
4924 struct nftables_pernet *nft_net;
4925 struct nft_table *table;
4926 struct nft_set *set;
4927 struct nft_set_dump_args args;
4928 bool set_found = false;
4929 struct nlmsghdr *nlh;
4930 struct nlattr *nest;
4931 u32 portid, seq;
4932 int event;
4933
4934 rcu_read_lock();
4935 nft_net = nft_pernet(net);
4936 list_for_each_entry_rcu(table, &nft_net->tables, list) {
4937 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4938 dump_ctx->ctx.family != table->family)
4939 continue;
4940
4941 if (table != dump_ctx->ctx.table)
4942 continue;
4943
4944 list_for_each_entry_rcu(set, &table->sets, list) {
4945 if (set == dump_ctx->set) {
4946 set_found = true;
4947 break;
4948 }
4949 }
4950 break;
4951 }
4952
4953 if (!set_found) {
4954 rcu_read_unlock();
4955 return -ENOENT;
4956 }
4957
4958 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4959 portid = NETLINK_CB(cb->skb).portid;
4960 seq = cb->nlh->nlmsg_seq;
4961
4962 nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI,
4963 table->family, NFNETLINK_V0, nft_base_seq(net));
4964 if (!nlh)
4965 goto nla_put_failure;
4966
4967 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4968 goto nla_put_failure;
4969 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4970 goto nla_put_failure;
4971
4972 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4973 if (nest == NULL)
4974 goto nla_put_failure;
4975
4976 args.cb = cb;
4977 args.skb = skb;
4978 args.iter.genmask = nft_genmask_cur(net);
4979 args.iter.skip = cb->args[0];
4980 args.iter.count = 0;
4981 args.iter.err = 0;
4982 args.iter.fn = nf_tables_dump_setelem;
4983 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4984
4985 if (!args.iter.err && args.iter.count == cb->args[0])
4986 args.iter.err = nft_set_catchall_dump(net, skb, set);
4987 rcu_read_unlock();
4988
4989 nla_nest_end(skb, nest);
4990 nlmsg_end(skb, nlh);
4991
4992 if (args.iter.err && args.iter.err != -EMSGSIZE)
4993 return args.iter.err;
4994 if (args.iter.count == cb->args[0])
4995 return 0;
4996
4997 cb->args[0] = args.iter.count;
4998 return skb->len;
4999
5000nla_put_failure:
5001 rcu_read_unlock();
5002 return -ENOSPC;
5003}
5004
5005static int nf_tables_dump_set_start(struct netlink_callback *cb)
5006{
5007 struct nft_set_dump_ctx *dump_ctx = cb->data;
5008
5009 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
5010
5011 return cb->data ? 0 : -ENOMEM;
5012}
5013
5014static int nf_tables_dump_set_done(struct netlink_callback *cb)
5015{
5016 kfree(cb->data);
5017 return 0;
5018}
5019
5020static int nf_tables_fill_setelem_info(struct sk_buff *skb,
5021 const struct nft_ctx *ctx, u32 seq,
5022 u32 portid, int event, u16 flags,
5023 const struct nft_set *set,
5024 const struct nft_set_elem *elem)
5025{
5026 struct nlmsghdr *nlh;
5027 struct nlattr *nest;
5028 int err;
5029
5030 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5031 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
5032 NFNETLINK_V0, nft_base_seq(ctx->net));
5033 if (!nlh)
5034 goto nla_put_failure;
5035
5036 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
5037 goto nla_put_failure;
5038 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
5039 goto nla_put_failure;
5040
5041 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
5042 if (nest == NULL)
5043 goto nla_put_failure;
5044
5045 err = nf_tables_fill_setelem(skb, set, elem);
5046 if (err < 0)
5047 goto nla_put_failure;
5048
5049 nla_nest_end(skb, nest);
5050
5051 nlmsg_end(skb, nlh);
5052 return 0;
5053
5054nla_put_failure:
5055 nlmsg_trim(skb, nlh);
5056 return -1;
5057}
5058
5059static int nft_setelem_parse_flags(const struct nft_set *set,
5060 const struct nlattr *attr, u32 *flags)
5061{
5062 if (attr == NULL)
5063 return 0;
5064
5065 *flags = ntohl(nla_get_be32(attr));
5066 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
5067 return -EOPNOTSUPP;
5068 if (!(set->flags & NFT_SET_INTERVAL) &&
5069 *flags & NFT_SET_ELEM_INTERVAL_END)
5070 return -EINVAL;
5071
5072 return 0;
5073}
5074
5075static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
5076 struct nft_data *key, struct nlattr *attr)
5077{
5078 struct nft_data_desc desc;
5079 int err;
5080
5081 err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr);
5082 if (err < 0)
5083 return err;
5084
5085 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
5086 nft_data_release(key, desc.type);
5087 return -EINVAL;
5088 }
5089
5090 return 0;
5091}
5092
5093static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
5094 struct nft_data_desc *desc,
5095 struct nft_data *data,
5096 struct nlattr *attr)
5097{
5098 int err;
5099
5100 err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr);
5101 if (err < 0)
5102 return err;
5103
5104 if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) {
5105 nft_data_release(data, desc->type);
5106 return -EINVAL;
5107 }
5108
5109 return 0;
5110}
5111
5112static void *nft_setelem_catchall_get(const struct net *net,
5113 const struct nft_set *set)
5114{
5115 struct nft_set_elem_catchall *catchall;
5116 u8 genmask = nft_genmask_cur(net);
5117 struct nft_set_ext *ext;
5118 void *priv = NULL;
5119
5120 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5121 ext = nft_set_elem_ext(set, catchall->elem);
5122 if (!nft_set_elem_active(ext, genmask) ||
5123 nft_set_elem_expired(ext))
5124 continue;
5125
5126 priv = catchall->elem;
5127 break;
5128 }
5129
5130 return priv;
5131}
5132
5133static int nft_setelem_get(struct nft_ctx *ctx, struct nft_set *set,
5134 struct nft_set_elem *elem, u32 flags)
5135{
5136 void *priv;
5137
5138 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
5139 priv = set->ops->get(ctx->net, set, elem, flags);
5140 if (IS_ERR(priv))
5141 return PTR_ERR(priv);
5142 } else {
5143 priv = nft_setelem_catchall_get(ctx->net, set);
5144 if (!priv)
5145 return -ENOENT;
5146 }
5147 elem->priv = priv;
5148
5149 return 0;
5150}
5151
5152static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
5153 const struct nlattr *attr)
5154{
5155 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5156 struct nft_set_elem elem;
5157 struct sk_buff *skb;
5158 uint32_t flags = 0;
5159 int err;
5160
5161 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5162 nft_set_elem_policy, NULL);
5163 if (err < 0)
5164 return err;
5165
5166 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5167 if (err < 0)
5168 return err;
5169
5170 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
5171 return -EINVAL;
5172
5173 if (nla[NFTA_SET_ELEM_KEY]) {
5174 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5175 nla[NFTA_SET_ELEM_KEY]);
5176 if (err < 0)
5177 return err;
5178 }
5179
5180 if (nla[NFTA_SET_ELEM_KEY_END]) {
5181 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5182 nla[NFTA_SET_ELEM_KEY_END]);
5183 if (err < 0)
5184 return err;
5185 }
5186
5187 err = nft_setelem_get(ctx, set, &elem, flags);
5188 if (err < 0)
5189 return err;
5190
5191 err = -ENOMEM;
5192 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
5193 if (skb == NULL)
5194 return err;
5195
5196 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
5197 NFT_MSG_NEWSETELEM, 0, set, &elem);
5198 if (err < 0)
5199 goto err_fill_setelem;
5200
5201 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
5202
5203err_fill_setelem:
5204 kfree_skb(skb);
5205 return err;
5206}
5207
5208
5209static int nf_tables_getsetelem(struct sk_buff *skb,
5210 const struct nfnl_info *info,
5211 const struct nlattr * const nla[])
5212{
5213 struct netlink_ext_ack *extack = info->extack;
5214 u8 genmask = nft_genmask_cur(info->net);
5215 struct net *net = info->net;
5216 struct nft_set *set;
5217 struct nlattr *attr;
5218 struct nft_ctx ctx;
5219 int rem, err = 0;
5220
5221 err = nft_ctx_init_from_elemattr(&ctx, net, skb, info->nlh, nla, extack,
5222 genmask, NETLINK_CB(skb).portid);
5223 if (err < 0)
5224 return err;
5225
5226 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5227 if (IS_ERR(set))
5228 return PTR_ERR(set);
5229
5230 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
5231 struct netlink_dump_control c = {
5232 .start = nf_tables_dump_set_start,
5233 .dump = nf_tables_dump_set,
5234 .done = nf_tables_dump_set_done,
5235 .module = THIS_MODULE,
5236 };
5237 struct nft_set_dump_ctx dump_ctx = {
5238 .set = set,
5239 .ctx = ctx,
5240 };
5241
5242 c.data = &dump_ctx;
5243 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
5244 }
5245
5246 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
5247 return -EINVAL;
5248
5249 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5250 err = nft_get_set_elem(&ctx, set, attr);
5251 if (err < 0)
5252 break;
5253 }
5254
5255 return err;
5256}
5257
5258static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
5259 const struct nft_set *set,
5260 const struct nft_set_elem *elem,
5261 int event, u16 flags)
5262{
5263 struct nftables_pernet *nft_net;
5264 struct net *net = ctx->net;
5265 u32 portid = ctx->portid;
5266 struct sk_buff *skb;
5267 int err;
5268
5269 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5270 return;
5271
5272 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5273 if (skb == NULL)
5274 goto err;
5275
5276 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
5277 set, elem);
5278 if (err < 0) {
5279 kfree_skb(skb);
5280 goto err;
5281 }
5282
5283 nft_net = nft_pernet(net);
5284 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
5285 return;
5286err:
5287 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5288}
5289
5290static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
5291 int msg_type,
5292 struct nft_set *set)
5293{
5294 struct nft_trans *trans;
5295
5296 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
5297 if (trans == NULL)
5298 return NULL;
5299
5300 nft_trans_elem_set(trans) = set;
5301 return trans;
5302}
5303
5304struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
5305 const struct nft_set *set,
5306 const struct nlattr *attr)
5307{
5308 struct nft_expr *expr;
5309 int err;
5310
5311 expr = nft_expr_init(ctx, attr);
5312 if (IS_ERR(expr))
5313 return expr;
5314
5315 err = -EOPNOTSUPP;
5316 if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL))
5317 goto err_set_elem_expr;
5318
5319 if (expr->ops->type->flags & NFT_EXPR_GC) {
5320 if (set->flags & NFT_SET_TIMEOUT)
5321 goto err_set_elem_expr;
5322 if (!set->ops->gc_init)
5323 goto err_set_elem_expr;
5324 set->ops->gc_init(set);
5325 }
5326
5327 return expr;
5328
5329err_set_elem_expr:
5330 nft_expr_destroy(ctx, expr);
5331 return ERR_PTR(err);
5332}
5333
5334void *nft_set_elem_init(const struct nft_set *set,
5335 const struct nft_set_ext_tmpl *tmpl,
5336 const u32 *key, const u32 *key_end,
5337 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp)
5338{
5339 struct nft_set_ext *ext;
5340 void *elem;
5341
5342 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
5343 if (elem == NULL)
5344 return NULL;
5345
5346 ext = nft_set_elem_ext(set, elem);
5347 nft_set_ext_init(ext, tmpl);
5348
5349 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY))
5350 memcpy(nft_set_ext_key(ext), key, set->klen);
5351 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
5352 memcpy(nft_set_ext_key_end(ext), key_end, set->klen);
5353 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5354 memcpy(nft_set_ext_data(ext), data, set->dlen);
5355 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
5356 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
5357 if (expiration == 0)
5358 *nft_set_ext_expiration(ext) += timeout;
5359 }
5360 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
5361 *nft_set_ext_timeout(ext) = timeout;
5362
5363 return elem;
5364}
5365
5366static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5367 struct nft_expr *expr)
5368{
5369 if (expr->ops->destroy_clone) {
5370 expr->ops->destroy_clone(ctx, expr);
5371 module_put(expr->ops->type->owner);
5372 } else {
5373 nf_tables_expr_destroy(ctx, expr);
5374 }
5375}
5376
5377static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5378 struct nft_set_elem_expr *elem_expr)
5379{
5380 struct nft_expr *expr;
5381 u32 size;
5382
5383 nft_setelem_expr_foreach(expr, elem_expr, size)
5384 __nft_set_elem_expr_destroy(ctx, expr);
5385}
5386
5387void nft_set_elem_destroy(const struct nft_set *set, void *elem,
5388 bool destroy_expr)
5389{
5390 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5391 struct nft_ctx ctx = {
5392 .net = read_pnet(&set->net),
5393 .family = set->table->family,
5394 };
5395
5396 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
5397 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5398 nft_data_release(nft_set_ext_data(ext), set->dtype);
5399 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
5400 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
5401
5402 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5403 (*nft_set_ext_obj(ext))->use--;
5404 kfree(elem);
5405}
5406EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
5407
5408
5409
5410
5411static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
5412 const struct nft_set *set, void *elem)
5413{
5414 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5415
5416 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
5417 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
5418
5419 kfree(elem);
5420}
5421
5422int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
5423 struct nft_expr *expr_array[])
5424{
5425 struct nft_expr *expr;
5426 int err, i, k;
5427
5428 for (i = 0; i < set->num_exprs; i++) {
5429 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL);
5430 if (!expr)
5431 goto err_expr;
5432
5433 err = nft_expr_clone(expr, set->exprs[i]);
5434 if (err < 0) {
5435 nft_expr_destroy(ctx, expr);
5436 goto err_expr;
5437 }
5438 expr_array[i] = expr;
5439 }
5440
5441 return 0;
5442
5443err_expr:
5444 for (k = i - 1; k >= 0; k--)
5445 nft_expr_destroy(ctx, expr_array[k]);
5446
5447 return -ENOMEM;
5448}
5449
5450static int nft_set_elem_expr_setup(struct nft_ctx *ctx,
5451 const struct nft_set_ext *ext,
5452 struct nft_expr *expr_array[],
5453 u32 num_exprs)
5454{
5455 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
5456 struct nft_expr *expr;
5457 int i, err;
5458
5459 for (i = 0; i < num_exprs; i++) {
5460 expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
5461 err = nft_expr_clone(expr, expr_array[i]);
5462 if (err < 0)
5463 goto err_elem_expr_setup;
5464
5465 elem_expr->size += expr_array[i]->ops->size;
5466 nft_expr_destroy(ctx, expr_array[i]);
5467 expr_array[i] = NULL;
5468 }
5469
5470 return 0;
5471
5472err_elem_expr_setup:
5473 for (; i < num_exprs; i++) {
5474 nft_expr_destroy(ctx, expr_array[i]);
5475 expr_array[i] = NULL;
5476 }
5477
5478 return -ENOMEM;
5479}
5480
5481struct nft_set_ext *nft_set_catchall_lookup(const struct net *net,
5482 const struct nft_set *set)
5483{
5484 struct nft_set_elem_catchall *catchall;
5485 u8 genmask = nft_genmask_cur(net);
5486 struct nft_set_ext *ext;
5487
5488 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5489 ext = nft_set_elem_ext(set, catchall->elem);
5490 if (nft_set_elem_active(ext, genmask) &&
5491 !nft_set_elem_expired(ext))
5492 return ext;
5493 }
5494
5495 return NULL;
5496}
5497EXPORT_SYMBOL_GPL(nft_set_catchall_lookup);
5498
5499void *nft_set_catchall_gc(const struct nft_set *set)
5500{
5501 struct nft_set_elem_catchall *catchall, *next;
5502 struct nft_set_ext *ext;
5503 void *elem = NULL;
5504
5505 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
5506 ext = nft_set_elem_ext(set, catchall->elem);
5507
5508 if (!nft_set_elem_expired(ext) ||
5509 nft_set_elem_mark_busy(ext))
5510 continue;
5511
5512 elem = catchall->elem;
5513 list_del_rcu(&catchall->list);
5514 kfree_rcu(catchall, rcu);
5515 break;
5516 }
5517
5518 return elem;
5519}
5520EXPORT_SYMBOL_GPL(nft_set_catchall_gc);
5521
5522static int nft_setelem_catchall_insert(const struct net *net,
5523 struct nft_set *set,
5524 const struct nft_set_elem *elem,
5525 struct nft_set_ext **pext)
5526{
5527 struct nft_set_elem_catchall *catchall;
5528 u8 genmask = nft_genmask_next(net);
5529 struct nft_set_ext *ext;
5530
5531 list_for_each_entry(catchall, &set->catchall_list, list) {
5532 ext = nft_set_elem_ext(set, catchall->elem);
5533 if (nft_set_elem_active(ext, genmask)) {
5534 *pext = ext;
5535 return -EEXIST;
5536 }
5537 }
5538
5539 catchall = kmalloc(sizeof(*catchall), GFP_KERNEL);
5540 if (!catchall)
5541 return -ENOMEM;
5542
5543 catchall->elem = elem->priv;
5544 list_add_tail_rcu(&catchall->list, &set->catchall_list);
5545
5546 return 0;
5547}
5548
5549static int nft_setelem_insert(const struct net *net,
5550 struct nft_set *set,
5551 const struct nft_set_elem *elem,
5552 struct nft_set_ext **ext, unsigned int flags)
5553{
5554 int ret;
5555
5556 if (flags & NFT_SET_ELEM_CATCHALL)
5557 ret = nft_setelem_catchall_insert(net, set, elem, ext);
5558 else
5559 ret = set->ops->insert(net, set, elem, ext);
5560
5561 return ret;
5562}
5563
5564static bool nft_setelem_is_catchall(const struct nft_set *set,
5565 const struct nft_set_elem *elem)
5566{
5567 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5568
5569 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
5570 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL)
5571 return true;
5572
5573 return false;
5574}
5575
5576static void nft_setelem_activate(struct net *net, struct nft_set *set,
5577 struct nft_set_elem *elem)
5578{
5579 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5580
5581 if (nft_setelem_is_catchall(set, elem)) {
5582 nft_set_elem_change_active(net, set, ext);
5583 nft_set_elem_clear_busy(ext);
5584 } else {
5585 set->ops->activate(net, set, elem);
5586 }
5587}
5588
5589static int nft_setelem_catchall_deactivate(const struct net *net,
5590 struct nft_set *set,
5591 struct nft_set_elem *elem)
5592{
5593 struct nft_set_elem_catchall *catchall;
5594 struct nft_set_ext *ext;
5595
5596 list_for_each_entry(catchall, &set->catchall_list, list) {
5597 ext = nft_set_elem_ext(set, catchall->elem);
5598 if (!nft_is_active(net, ext) ||
5599 nft_set_elem_mark_busy(ext))
5600 continue;
5601
5602 kfree(elem->priv);
5603 elem->priv = catchall->elem;
5604 nft_set_elem_change_active(net, set, ext);
5605 return 0;
5606 }
5607
5608 return -ENOENT;
5609}
5610
5611static int __nft_setelem_deactivate(const struct net *net,
5612 struct nft_set *set,
5613 struct nft_set_elem *elem)
5614{
5615 void *priv;
5616
5617 priv = set->ops->deactivate(net, set, elem);
5618 if (!priv)
5619 return -ENOENT;
5620
5621 kfree(elem->priv);
5622 elem->priv = priv;
5623 set->ndeact++;
5624
5625 return 0;
5626}
5627
5628static int nft_setelem_deactivate(const struct net *net,
5629 struct nft_set *set,
5630 struct nft_set_elem *elem, u32 flags)
5631{
5632 int ret;
5633
5634 if (flags & NFT_SET_ELEM_CATCHALL)
5635 ret = nft_setelem_catchall_deactivate(net, set, elem);
5636 else
5637 ret = __nft_setelem_deactivate(net, set, elem);
5638
5639 return ret;
5640}
5641
5642static void nft_setelem_catchall_remove(const struct net *net,
5643 const struct nft_set *set,
5644 const struct nft_set_elem *elem)
5645{
5646 struct nft_set_elem_catchall *catchall, *next;
5647
5648 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
5649 if (catchall->elem == elem->priv) {
5650 list_del_rcu(&catchall->list);
5651 kfree_rcu(catchall);
5652 break;
5653 }
5654 }
5655}
5656
5657static void nft_setelem_remove(const struct net *net,
5658 const struct nft_set *set,
5659 const struct nft_set_elem *elem)
5660{
5661 if (nft_setelem_is_catchall(set, elem))
5662 nft_setelem_catchall_remove(net, set, elem);
5663 else
5664 set->ops->remove(net, set, elem);
5665}
5666
5667static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
5668 const struct nlattr *attr, u32 nlmsg_flags)
5669{
5670 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {};
5671 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5672 u8 genmask = nft_genmask_next(ctx->net);
5673 u32 flags = 0, size = 0, num_exprs = 0;
5674 struct nft_set_ext_tmpl tmpl;
5675 struct nft_set_ext *ext, *ext2;
5676 struct nft_set_elem elem;
5677 struct nft_set_binding *binding;
5678 struct nft_object *obj = NULL;
5679 struct nft_userdata *udata;
5680 struct nft_data_desc desc;
5681 enum nft_registers dreg;
5682 struct nft_trans *trans;
5683 u64 timeout;
5684 u64 expiration;
5685 int err, i;
5686 u8 ulen;
5687
5688 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5689 nft_set_elem_policy, NULL);
5690 if (err < 0)
5691 return err;
5692
5693 nft_set_ext_prepare(&tmpl);
5694
5695 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5696 if (err < 0)
5697 return err;
5698
5699 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
5700 return -EINVAL;
5701
5702 if (flags != 0)
5703 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5704
5705 if (set->flags & NFT_SET_MAP) {
5706 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
5707 !(flags & NFT_SET_ELEM_INTERVAL_END))
5708 return -EINVAL;
5709 } else {
5710 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5711 return -EINVAL;
5712 }
5713
5714 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
5715 (nla[NFTA_SET_ELEM_DATA] ||
5716 nla[NFTA_SET_ELEM_OBJREF] ||
5717 nla[NFTA_SET_ELEM_TIMEOUT] ||
5718 nla[NFTA_SET_ELEM_EXPIRATION] ||
5719 nla[NFTA_SET_ELEM_USERDATA] ||
5720 nla[NFTA_SET_ELEM_EXPR] ||
5721 nla[NFTA_SET_ELEM_EXPRESSIONS]))
5722 return -EINVAL;
5723
5724 timeout = 0;
5725 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
5726 if (!(set->flags & NFT_SET_TIMEOUT))
5727 return -EINVAL;
5728 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
5729 &timeout);
5730 if (err)
5731 return err;
5732 } else if (set->flags & NFT_SET_TIMEOUT) {
5733 timeout = set->timeout;
5734 }
5735
5736 expiration = 0;
5737 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
5738 if (!(set->flags & NFT_SET_TIMEOUT))
5739 return -EINVAL;
5740 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
5741 &expiration);
5742 if (err)
5743 return err;
5744 }
5745
5746 if (nla[NFTA_SET_ELEM_EXPR]) {
5747 struct nft_expr *expr;
5748
5749 if (set->num_exprs && set->num_exprs != 1)
5750 return -EOPNOTSUPP;
5751
5752 expr = nft_set_elem_expr_alloc(ctx, set,
5753 nla[NFTA_SET_ELEM_EXPR]);
5754 if (IS_ERR(expr))
5755 return PTR_ERR(expr);
5756
5757 expr_array[0] = expr;
5758 num_exprs = 1;
5759
5760 if (set->num_exprs && set->exprs[0]->ops != expr->ops) {
5761 err = -EOPNOTSUPP;
5762 goto err_set_elem_expr;
5763 }
5764 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) {
5765 struct nft_expr *expr;
5766 struct nlattr *tmp;
5767 int left;
5768
5769 i = 0;
5770 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) {
5771 if (i == NFT_SET_EXPR_MAX ||
5772 (set->num_exprs && set->num_exprs == i)) {
5773 err = -E2BIG;
5774 goto err_set_elem_expr;
5775 }
5776 if (nla_type(tmp) != NFTA_LIST_ELEM) {
5777 err = -EINVAL;
5778 goto err_set_elem_expr;
5779 }
5780 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
5781 if (IS_ERR(expr)) {
5782 err = PTR_ERR(expr);
5783 goto err_set_elem_expr;
5784 }
5785 expr_array[i] = expr;
5786 num_exprs++;
5787
5788 if (set->num_exprs && expr->ops != set->exprs[i]->ops) {
5789 err = -EOPNOTSUPP;
5790 goto err_set_elem_expr;
5791 }
5792 i++;
5793 }
5794 if (set->num_exprs && set->num_exprs != i) {
5795 err = -EOPNOTSUPP;
5796 goto err_set_elem_expr;
5797 }
5798 } else if (set->num_exprs > 0) {
5799 err = nft_set_elem_expr_clone(ctx, set, expr_array);
5800 if (err < 0)
5801 goto err_set_elem_expr_clone;
5802
5803 num_exprs = set->num_exprs;
5804 }
5805
5806 if (nla[NFTA_SET_ELEM_KEY]) {
5807 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5808 nla[NFTA_SET_ELEM_KEY]);
5809 if (err < 0)
5810 goto err_set_elem_expr;
5811
5812 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5813 }
5814
5815 if (nla[NFTA_SET_ELEM_KEY_END]) {
5816 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5817 nla[NFTA_SET_ELEM_KEY_END]);
5818 if (err < 0)
5819 goto err_parse_key;
5820
5821 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5822 }
5823
5824 if (timeout > 0) {
5825 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
5826 if (timeout != set->timeout)
5827 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
5828 }
5829
5830 if (num_exprs) {
5831 for (i = 0; i < num_exprs; i++)
5832 size += expr_array[i]->ops->size;
5833
5834 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS,
5835 sizeof(struct nft_set_elem_expr) +
5836 size);
5837 }
5838
5839 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
5840 if (!(set->flags & NFT_SET_OBJECT)) {
5841 err = -EINVAL;
5842 goto err_parse_key_end;
5843 }
5844 obj = nft_obj_lookup(ctx->net, ctx->table,
5845 nla[NFTA_SET_ELEM_OBJREF],
5846 set->objtype, genmask);
5847 if (IS_ERR(obj)) {
5848 err = PTR_ERR(obj);
5849 goto err_parse_key_end;
5850 }
5851 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
5852 }
5853
5854 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
5855 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
5856 nla[NFTA_SET_ELEM_DATA]);
5857 if (err < 0)
5858 goto err_parse_key_end;
5859
5860 dreg = nft_type_to_reg(set->dtype);
5861 list_for_each_entry(binding, &set->bindings, list) {
5862 struct nft_ctx bind_ctx = {
5863 .net = ctx->net,
5864 .family = ctx->family,
5865 .table = ctx->table,
5866 .chain = (struct nft_chain *)binding->chain,
5867 };
5868
5869 if (!(binding->flags & NFT_SET_MAP))
5870 continue;
5871
5872 err = nft_validate_register_store(&bind_ctx, dreg,
5873 &elem.data.val,
5874 desc.type, desc.len);
5875 if (err < 0)
5876 goto err_parse_data;
5877
5878 if (desc.type == NFT_DATA_VERDICT &&
5879 (elem.data.val.verdict.code == NFT_GOTO ||
5880 elem.data.val.verdict.code == NFT_JUMP))
5881 nft_validate_state_update(ctx->net,
5882 NFT_VALIDATE_NEED);
5883 }
5884
5885 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
5886 }
5887
5888
5889
5890
5891
5892 ulen = 0;
5893 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
5894 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
5895 if (ulen > 0)
5896 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
5897 ulen);
5898 }
5899
5900 err = -ENOMEM;
5901 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5902 elem.key_end.val.data, elem.data.val.data,
5903 timeout, expiration, GFP_KERNEL);
5904 if (elem.priv == NULL)
5905 goto err_parse_data;
5906
5907 ext = nft_set_elem_ext(set, elem.priv);
5908 if (flags)
5909 *nft_set_ext_flags(ext) = flags;
5910 if (ulen > 0) {
5911 udata = nft_set_ext_userdata(ext);
5912 udata->len = ulen - 1;
5913 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
5914 }
5915 if (obj) {
5916 *nft_set_ext_obj(ext) = obj;
5917 obj->use++;
5918 }
5919 err = nft_set_elem_expr_setup(ctx, ext, expr_array, num_exprs);
5920 if (err < 0)
5921 goto err_elem_expr;
5922
5923 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
5924 if (trans == NULL) {
5925 err = -ENOMEM;
5926 goto err_elem_expr;
5927 }
5928
5929 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
5930
5931 err = nft_setelem_insert(ctx->net, set, &elem, &ext2, flags);
5932 if (err) {
5933 if (err == -EEXIST) {
5934 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
5935 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
5936 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
5937 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
5938 goto err_element_clash;
5939 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5940 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
5941 memcmp(nft_set_ext_data(ext),
5942 nft_set_ext_data(ext2), set->dlen) != 0) ||
5943 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5944 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
5945 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
5946 goto err_element_clash;
5947 else if (!(nlmsg_flags & NLM_F_EXCL))
5948 err = 0;
5949 } else if (err == -ENOTEMPTY) {
5950
5951
5952
5953 err = -EEXIST;
5954 }
5955 goto err_element_clash;
5956 }
5957
5958 if (!(flags & NFT_SET_ELEM_CATCHALL) && set->size &&
5959 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
5960 err = -ENFILE;
5961 goto err_set_full;
5962 }
5963
5964 nft_trans_elem(trans) = elem;
5965 nft_trans_commit_list_add_tail(ctx->net, trans);
5966 return 0;
5967
5968err_set_full:
5969 nft_setelem_remove(ctx->net, set, &elem);
5970err_element_clash:
5971 kfree(trans);
5972err_elem_expr:
5973 if (obj)
5974 obj->use--;
5975
5976 nf_tables_set_elem_destroy(ctx, set, elem.priv);
5977err_parse_data:
5978 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5979 nft_data_release(&elem.data.val, desc.type);
5980err_parse_key_end:
5981 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
5982err_parse_key:
5983 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5984err_set_elem_expr:
5985 for (i = 0; i < num_exprs && expr_array[i]; i++)
5986 nft_expr_destroy(ctx, expr_array[i]);
5987err_set_elem_expr_clone:
5988 return err;
5989}
5990
5991static int nf_tables_newsetelem(struct sk_buff *skb,
5992 const struct nfnl_info *info,
5993 const struct nlattr * const nla[])
5994{
5995 struct nftables_pernet *nft_net = nft_pernet(info->net);
5996 struct netlink_ext_ack *extack = info->extack;
5997 u8 genmask = nft_genmask_next(info->net);
5998 struct net *net = info->net;
5999 const struct nlattr *attr;
6000 struct nft_set *set;
6001 struct nft_ctx ctx;
6002 int rem, err;
6003
6004 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
6005 return -EINVAL;
6006
6007 err = nft_ctx_init_from_elemattr(&ctx, net, skb, info->nlh, nla, extack,
6008 genmask, NETLINK_CB(skb).portid);
6009 if (err < 0)
6010 return err;
6011
6012 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
6013 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
6014 if (IS_ERR(set))
6015 return PTR_ERR(set);
6016
6017 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
6018 return -EBUSY;
6019
6020 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6021 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags);
6022 if (err < 0)
6023 return err;
6024 }
6025
6026 if (nft_net->validate_state == NFT_VALIDATE_DO)
6027 return nft_table_validate(net, ctx.table);
6028
6029 return 0;
6030}
6031
6032
6033
6034
6035
6036
6037
6038
6039
6040
6041
6042
6043void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
6044{
6045 struct nft_chain *chain;
6046 struct nft_rule *rule;
6047
6048 if (type == NFT_DATA_VERDICT) {
6049 switch (data->verdict.code) {
6050 case NFT_JUMP:
6051 case NFT_GOTO:
6052 chain = data->verdict.chain;
6053 chain->use++;
6054
6055 if (!nft_chain_is_bound(chain))
6056 break;
6057
6058 chain->table->use++;
6059 list_for_each_entry(rule, &chain->rules, list)
6060 chain->use++;
6061
6062 nft_chain_add(chain->table, chain);
6063 break;
6064 }
6065 }
6066}
6067
6068static void nft_setelem_data_activate(const struct net *net,
6069 const struct nft_set *set,
6070 struct nft_set_elem *elem)
6071{
6072 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6073
6074 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
6075 nft_data_hold(nft_set_ext_data(ext), set->dtype);
6076 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
6077 (*nft_set_ext_obj(ext))->use++;
6078}
6079
6080static void nft_setelem_data_deactivate(const struct net *net,
6081 const struct nft_set *set,
6082 struct nft_set_elem *elem)
6083{
6084 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6085
6086 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
6087 nft_data_release(nft_set_ext_data(ext), set->dtype);
6088 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
6089 (*nft_set_ext_obj(ext))->use--;
6090}
6091
6092static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
6093 const struct nlattr *attr)
6094{
6095 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6096 struct nft_set_ext_tmpl tmpl;
6097 struct nft_set_elem elem;
6098 struct nft_set_ext *ext;
6099 struct nft_trans *trans;
6100 u32 flags = 0;
6101 int err;
6102
6103 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6104 nft_set_elem_policy, NULL);
6105 if (err < 0)
6106 return err;
6107
6108 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6109 if (err < 0)
6110 return err;
6111
6112 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
6113 return -EINVAL;
6114
6115 nft_set_ext_prepare(&tmpl);
6116
6117 if (flags != 0)
6118 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
6119
6120 if (nla[NFTA_SET_ELEM_KEY]) {
6121 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6122 nla[NFTA_SET_ELEM_KEY]);
6123 if (err < 0)
6124 return err;
6125
6126 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
6127 }
6128
6129 if (nla[NFTA_SET_ELEM_KEY_END]) {
6130 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6131 nla[NFTA_SET_ELEM_KEY_END]);
6132 if (err < 0)
6133 return err;
6134
6135 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
6136 }
6137
6138 err = -ENOMEM;
6139 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
6140 elem.key_end.val.data, NULL, 0, 0,
6141 GFP_KERNEL);
6142 if (elem.priv == NULL)
6143 goto fail_elem;
6144
6145 ext = nft_set_elem_ext(set, elem.priv);
6146 if (flags)
6147 *nft_set_ext_flags(ext) = flags;
6148
6149 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
6150 if (trans == NULL)
6151 goto fail_trans;
6152
6153 err = nft_setelem_deactivate(ctx->net, set, &elem, flags);
6154 if (err < 0)
6155 goto fail_ops;
6156
6157 nft_setelem_data_deactivate(ctx->net, set, &elem);
6158
6159 nft_trans_elem(trans) = elem;
6160 nft_trans_commit_list_add_tail(ctx->net, trans);
6161 return 0;
6162
6163fail_ops:
6164 kfree(trans);
6165fail_trans:
6166 kfree(elem.priv);
6167fail_elem:
6168 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
6169 return err;
6170}
6171
6172static int nft_setelem_flush(const struct nft_ctx *ctx,
6173 struct nft_set *set,
6174 const struct nft_set_iter *iter,
6175 struct nft_set_elem *elem)
6176{
6177 struct nft_trans *trans;
6178 int err;
6179
6180 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
6181 sizeof(struct nft_trans_elem), GFP_ATOMIC);
6182 if (!trans)
6183 return -ENOMEM;
6184
6185 if (!set->ops->flush(ctx->net, set, elem->priv)) {
6186 err = -ENOENT;
6187 goto err1;
6188 }
6189 set->ndeact++;
6190
6191 nft_setelem_data_deactivate(ctx->net, set, elem);
6192 nft_trans_elem_set(trans) = set;
6193 nft_trans_elem(trans) = *elem;
6194 nft_trans_commit_list_add_tail(ctx->net, trans);
6195
6196 return 0;
6197err1:
6198 kfree(trans);
6199 return err;
6200}
6201
6202static int __nft_set_catchall_flush(const struct nft_ctx *ctx,
6203 struct nft_set *set,
6204 struct nft_set_elem *elem)
6205{
6206 struct nft_trans *trans;
6207
6208 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
6209 sizeof(struct nft_trans_elem), GFP_KERNEL);
6210 if (!trans)
6211 return -ENOMEM;
6212
6213 nft_setelem_data_deactivate(ctx->net, set, elem);
6214 nft_trans_elem_set(trans) = set;
6215 nft_trans_elem(trans) = *elem;
6216 nft_trans_commit_list_add_tail(ctx->net, trans);
6217
6218 return 0;
6219}
6220
6221static int nft_set_catchall_flush(const struct nft_ctx *ctx,
6222 struct nft_set *set)
6223{
6224 u8 genmask = nft_genmask_next(ctx->net);
6225 struct nft_set_elem_catchall *catchall;
6226 struct nft_set_elem elem;
6227 struct nft_set_ext *ext;
6228 int ret = 0;
6229
6230 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6231 ext = nft_set_elem_ext(set, catchall->elem);
6232 if (!nft_set_elem_active(ext, genmask) ||
6233 nft_set_elem_mark_busy(ext))
6234 continue;
6235
6236 elem.priv = catchall->elem;
6237 ret = __nft_set_catchall_flush(ctx, set, &elem);
6238 if (ret < 0)
6239 break;
6240 }
6241
6242 return ret;
6243}
6244
6245static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask)
6246{
6247 struct nft_set_iter iter = {
6248 .genmask = genmask,
6249 .fn = nft_setelem_flush,
6250 };
6251
6252 set->ops->walk(ctx, set, &iter);
6253 if (!iter.err)
6254 iter.err = nft_set_catchall_flush(ctx, set);
6255
6256 return iter.err;
6257}
6258
6259static int nf_tables_delsetelem(struct sk_buff *skb,
6260 const struct nfnl_info *info,
6261 const struct nlattr * const nla[])
6262{
6263 struct netlink_ext_ack *extack = info->extack;
6264 u8 genmask = nft_genmask_next(info->net);
6265 struct net *net = info->net;
6266 const struct nlattr *attr;
6267 struct nft_set *set;
6268 struct nft_ctx ctx;
6269 int rem, err = 0;
6270
6271 err = nft_ctx_init_from_elemattr(&ctx, net, skb, info->nlh, nla, extack,
6272 genmask, NETLINK_CB(skb).portid);
6273 if (err < 0)
6274 return err;
6275
6276 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
6277 if (IS_ERR(set))
6278 return PTR_ERR(set);
6279 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
6280 return -EBUSY;
6281
6282 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6283 return nft_set_flush(&ctx, set, genmask);
6284
6285 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6286 err = nft_del_setelem(&ctx, set, attr);
6287 if (err < 0)
6288 break;
6289 }
6290 return err;
6291}
6292
6293void nft_set_gc_batch_release(struct rcu_head *rcu)
6294{
6295 struct nft_set_gc_batch *gcb;
6296 unsigned int i;
6297
6298 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
6299 for (i = 0; i < gcb->head.cnt; i++)
6300 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
6301 kfree(gcb);
6302}
6303
6304struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
6305 gfp_t gfp)
6306{
6307 struct nft_set_gc_batch *gcb;
6308
6309 gcb = kzalloc(sizeof(*gcb), gfp);
6310 if (gcb == NULL)
6311 return gcb;
6312 gcb->head.set = set;
6313 return gcb;
6314}
6315
6316
6317
6318
6319
6320
6321
6322
6323
6324
6325
6326
6327int nft_register_obj(struct nft_object_type *obj_type)
6328{
6329 if (obj_type->type == NFT_OBJECT_UNSPEC)
6330 return -EINVAL;
6331
6332 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6333 list_add_rcu(&obj_type->list, &nf_tables_objects);
6334 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6335 return 0;
6336}
6337EXPORT_SYMBOL_GPL(nft_register_obj);
6338
6339
6340
6341
6342
6343
6344
6345void nft_unregister_obj(struct nft_object_type *obj_type)
6346{
6347 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6348 list_del_rcu(&obj_type->list);
6349 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6350}
6351EXPORT_SYMBOL_GPL(nft_unregister_obj);
6352
6353struct nft_object *nft_obj_lookup(const struct net *net,
6354 const struct nft_table *table,
6355 const struct nlattr *nla, u32 objtype,
6356 u8 genmask)
6357{
6358 struct nft_object_hash_key k = { .table = table };
6359 char search[NFT_OBJ_MAXNAMELEN];
6360 struct rhlist_head *tmp, *list;
6361 struct nft_object *obj;
6362
6363 nla_strscpy(search, nla, sizeof(search));
6364 k.name = search;
6365
6366 WARN_ON_ONCE(!rcu_read_lock_held() &&
6367 !lockdep_commit_lock_is_held(net));
6368
6369 rcu_read_lock();
6370 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
6371 if (!list)
6372 goto out;
6373
6374 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
6375 if (objtype == obj->ops->type->type &&
6376 nft_active_genmask(obj, genmask)) {
6377 rcu_read_unlock();
6378 return obj;
6379 }
6380 }
6381out:
6382 rcu_read_unlock();
6383 return ERR_PTR(-ENOENT);
6384}
6385EXPORT_SYMBOL_GPL(nft_obj_lookup);
6386
6387static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
6388 const struct nlattr *nla,
6389 u32 objtype, u8 genmask)
6390{
6391 struct nft_object *obj;
6392
6393 list_for_each_entry(obj, &table->objects, list) {
6394 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
6395 objtype == obj->ops->type->type &&
6396 nft_active_genmask(obj, genmask))
6397 return obj;
6398 }
6399 return ERR_PTR(-ENOENT);
6400}
6401
6402static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
6403 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
6404 .len = NFT_TABLE_MAXNAMELEN - 1 },
6405 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
6406 .len = NFT_OBJ_MAXNAMELEN - 1 },
6407 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
6408 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
6409 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
6410 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY,
6411 .len = NFT_USERDATA_MAXLEN },
6412};
6413
6414static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
6415 const struct nft_object_type *type,
6416 const struct nlattr *attr)
6417{
6418 struct nlattr **tb;
6419 const struct nft_object_ops *ops;
6420 struct nft_object *obj;
6421 int err = -ENOMEM;
6422
6423 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
6424 if (!tb)
6425 goto err1;
6426
6427 if (attr) {
6428 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
6429 type->policy, NULL);
6430 if (err < 0)
6431 goto err2;
6432 } else {
6433 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
6434 }
6435
6436 if (type->select_ops) {
6437 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
6438 if (IS_ERR(ops)) {
6439 err = PTR_ERR(ops);
6440 goto err2;
6441 }
6442 } else {
6443 ops = type->ops;
6444 }
6445
6446 err = -ENOMEM;
6447 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
6448 if (!obj)
6449 goto err2;
6450
6451 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
6452 if (err < 0)
6453 goto err3;
6454
6455 obj->ops = ops;
6456
6457 kfree(tb);
6458 return obj;
6459err3:
6460 kfree(obj);
6461err2:
6462 kfree(tb);
6463err1:
6464 return ERR_PTR(err);
6465}
6466
6467static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
6468 struct nft_object *obj, bool reset)
6469{
6470 struct nlattr *nest;
6471
6472 nest = nla_nest_start_noflag(skb, attr);
6473 if (!nest)
6474 goto nla_put_failure;
6475 if (obj->ops->dump(skb, obj, reset) < 0)
6476 goto nla_put_failure;
6477 nla_nest_end(skb, nest);
6478 return 0;
6479
6480nla_put_failure:
6481 return -1;
6482}
6483
6484static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
6485{
6486 const struct nft_object_type *type;
6487
6488 list_for_each_entry(type, &nf_tables_objects, list) {
6489 if (objtype == type->type)
6490 return type;
6491 }
6492 return NULL;
6493}
6494
6495static const struct nft_object_type *
6496nft_obj_type_get(struct net *net, u32 objtype)
6497{
6498 const struct nft_object_type *type;
6499
6500 type = __nft_obj_type_get(objtype);
6501 if (type != NULL && try_module_get(type->owner))
6502 return type;
6503
6504 lockdep_nfnl_nft_mutex_not_held();
6505#ifdef CONFIG_MODULES
6506 if (type == NULL) {
6507 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
6508 return ERR_PTR(-EAGAIN);
6509 }
6510#endif
6511 return ERR_PTR(-ENOENT);
6512}
6513
6514static int nf_tables_updobj(const struct nft_ctx *ctx,
6515 const struct nft_object_type *type,
6516 const struct nlattr *attr,
6517 struct nft_object *obj)
6518{
6519 struct nft_object *newobj;
6520 struct nft_trans *trans;
6521 int err;
6522
6523 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
6524 sizeof(struct nft_trans_obj));
6525 if (!trans)
6526 return -ENOMEM;
6527
6528 newobj = nft_obj_init(ctx, type, attr);
6529 if (IS_ERR(newobj)) {
6530 err = PTR_ERR(newobj);
6531 goto err_free_trans;
6532 }
6533
6534 nft_trans_obj(trans) = obj;
6535 nft_trans_obj_update(trans) = true;
6536 nft_trans_obj_newobj(trans) = newobj;
6537 nft_trans_commit_list_add_tail(ctx->net, trans);
6538
6539 return 0;
6540
6541err_free_trans:
6542 kfree(trans);
6543 return err;
6544}
6545
6546static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
6547 const struct nlattr * const nla[])
6548{
6549 const struct nfgenmsg *nfmsg = nlmsg_data(info->nlh);
6550 struct netlink_ext_ack *extack = info->extack;
6551 u8 genmask = nft_genmask_next(info->net);
6552 const struct nft_object_type *type;
6553 int family = nfmsg->nfgen_family;
6554 struct net *net = info->net;
6555 struct nft_table *table;
6556 struct nft_object *obj;
6557 struct nft_ctx ctx;
6558 u32 objtype;
6559 int err;
6560
6561 if (!nla[NFTA_OBJ_TYPE] ||
6562 !nla[NFTA_OBJ_NAME] ||
6563 !nla[NFTA_OBJ_DATA])
6564 return -EINVAL;
6565
6566 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
6567 NETLINK_CB(skb).portid);
6568 if (IS_ERR(table)) {
6569 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6570 return PTR_ERR(table);
6571 }
6572
6573 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6574 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
6575 if (IS_ERR(obj)) {
6576 err = PTR_ERR(obj);
6577 if (err != -ENOENT) {
6578 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6579 return err;
6580 }
6581 } else {
6582 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
6583 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6584 return -EEXIST;
6585 }
6586 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
6587 return -EOPNOTSUPP;
6588
6589 type = __nft_obj_type_get(objtype);
6590 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
6591
6592 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
6593 }
6594
6595 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
6596
6597 type = nft_obj_type_get(net, objtype);
6598 if (IS_ERR(type))
6599 return PTR_ERR(type);
6600
6601 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
6602 if (IS_ERR(obj)) {
6603 err = PTR_ERR(obj);
6604 goto err_init;
6605 }
6606 obj->key.table = table;
6607 obj->handle = nf_tables_alloc_handle(table);
6608
6609 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
6610 if (!obj->key.name) {
6611 err = -ENOMEM;
6612 goto err_strdup;
6613 }
6614
6615 if (nla[NFTA_OBJ_USERDATA]) {
6616 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL);
6617 if (obj->udata == NULL)
6618 goto err_userdata;
6619
6620 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
6621 }
6622
6623 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
6624 if (err < 0)
6625 goto err_trans;
6626
6627 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
6628 nft_objname_ht_params);
6629 if (err < 0)
6630 goto err_obj_ht;
6631
6632 list_add_tail_rcu(&obj->list, &table->objects);
6633 table->use++;
6634 return 0;
6635err_obj_ht:
6636
6637 INIT_LIST_HEAD(&obj->list);
6638 return err;
6639err_trans:
6640 kfree(obj->udata);
6641err_userdata:
6642 kfree(obj->key.name);
6643err_strdup:
6644 if (obj->ops->destroy)
6645 obj->ops->destroy(&ctx, obj);
6646 kfree(obj);
6647err_init:
6648 module_put(type->owner);
6649 return err;
6650}
6651
6652static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
6653 u32 portid, u32 seq, int event, u32 flags,
6654 int family, const struct nft_table *table,
6655 struct nft_object *obj, bool reset)
6656{
6657 struct nlmsghdr *nlh;
6658
6659 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6660 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
6661 NFNETLINK_V0, nft_base_seq(net));
6662 if (!nlh)
6663 goto nla_put_failure;
6664
6665 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
6666 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
6667 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
6668 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
6669 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
6670 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
6671 NFTA_OBJ_PAD))
6672 goto nla_put_failure;
6673
6674 if (obj->udata &&
6675 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
6676 goto nla_put_failure;
6677
6678 nlmsg_end(skb, nlh);
6679 return 0;
6680
6681nla_put_failure:
6682 nlmsg_trim(skb, nlh);
6683 return -1;
6684}
6685
6686struct nft_obj_filter {
6687 char *table;
6688 u32 type;
6689};
6690
6691static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
6692{
6693 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6694 const struct nft_table *table;
6695 unsigned int idx = 0, s_idx = cb->args[0];
6696 struct nft_obj_filter *filter = cb->data;
6697 struct net *net = sock_net(skb->sk);
6698 int family = nfmsg->nfgen_family;
6699 struct nftables_pernet *nft_net;
6700 struct nft_object *obj;
6701 bool reset = false;
6702
6703 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
6704 reset = true;
6705
6706 rcu_read_lock();
6707 nft_net = nft_pernet(net);
6708 cb->seq = nft_net->base_seq;
6709
6710 list_for_each_entry_rcu(table, &nft_net->tables, list) {
6711 if (family != NFPROTO_UNSPEC && family != table->family)
6712 continue;
6713
6714 list_for_each_entry_rcu(obj, &table->objects, list) {
6715 if (!nft_is_active(net, obj))
6716 goto cont;
6717 if (idx < s_idx)
6718 goto cont;
6719 if (idx > s_idx)
6720 memset(&cb->args[1], 0,
6721 sizeof(cb->args) - sizeof(cb->args[0]));
6722 if (filter && filter->table &&
6723 strcmp(filter->table, table->name))
6724 goto cont;
6725 if (filter &&
6726 filter->type != NFT_OBJECT_UNSPEC &&
6727 obj->ops->type->type != filter->type)
6728 goto cont;
6729 if (reset) {
6730 char *buf = kasprintf(GFP_ATOMIC,
6731 "%s:%u",
6732 table->name,
6733 nft_net->base_seq);
6734
6735 audit_log_nfcfg(buf,
6736 family,
6737 obj->handle,
6738 AUDIT_NFT_OP_OBJ_RESET,
6739 GFP_ATOMIC);
6740 kfree(buf);
6741 }
6742
6743 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
6744 cb->nlh->nlmsg_seq,
6745 NFT_MSG_NEWOBJ,
6746 NLM_F_MULTI | NLM_F_APPEND,
6747 table->family, table,
6748 obj, reset) < 0)
6749 goto done;
6750
6751 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6752cont:
6753 idx++;
6754 }
6755 }
6756done:
6757 rcu_read_unlock();
6758
6759 cb->args[0] = idx;
6760 return skb->len;
6761}
6762
6763static int nf_tables_dump_obj_start(struct netlink_callback *cb)
6764{
6765 const struct nlattr * const *nla = cb->data;
6766 struct nft_obj_filter *filter = NULL;
6767
6768 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
6769 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6770 if (!filter)
6771 return -ENOMEM;
6772
6773 if (nla[NFTA_OBJ_TABLE]) {
6774 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
6775 if (!filter->table) {
6776 kfree(filter);
6777 return -ENOMEM;
6778 }
6779 }
6780
6781 if (nla[NFTA_OBJ_TYPE])
6782 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6783 }
6784
6785 cb->data = filter;
6786 return 0;
6787}
6788
6789static int nf_tables_dump_obj_done(struct netlink_callback *cb)
6790{
6791 struct nft_obj_filter *filter = cb->data;
6792
6793 if (filter) {
6794 kfree(filter->table);
6795 kfree(filter);
6796 }
6797
6798 return 0;
6799}
6800
6801
6802static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
6803 const struct nlattr * const nla[])
6804{
6805 const struct nfgenmsg *nfmsg = nlmsg_data(info->nlh);
6806 struct netlink_ext_ack *extack = info->extack;
6807 u8 genmask = nft_genmask_cur(info->net);
6808 int family = nfmsg->nfgen_family;
6809 const struct nft_table *table;
6810 struct net *net = info->net;
6811 struct nft_object *obj;
6812 struct sk_buff *skb2;
6813 bool reset = false;
6814 u32 objtype;
6815 int err;
6816
6817 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
6818 struct netlink_dump_control c = {
6819 .start = nf_tables_dump_obj_start,
6820 .dump = nf_tables_dump_obj,
6821 .done = nf_tables_dump_obj_done,
6822 .module = THIS_MODULE,
6823 .data = (void *)nla,
6824 };
6825
6826 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
6827 }
6828
6829 if (!nla[NFTA_OBJ_NAME] ||
6830 !nla[NFTA_OBJ_TYPE])
6831 return -EINVAL;
6832
6833 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0);
6834 if (IS_ERR(table)) {
6835 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6836 return PTR_ERR(table);
6837 }
6838
6839 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6840 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
6841 if (IS_ERR(obj)) {
6842 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6843 return PTR_ERR(obj);
6844 }
6845
6846 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6847 if (!skb2)
6848 return -ENOMEM;
6849
6850 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
6851 reset = true;
6852
6853 if (reset) {
6854 const struct nftables_pernet *nft_net;
6855 char *buf;
6856
6857 nft_net = nft_pernet(net);
6858 buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, nft_net->base_seq);
6859
6860 audit_log_nfcfg(buf,
6861 family,
6862 obj->handle,
6863 AUDIT_NFT_OP_OBJ_RESET,
6864 GFP_ATOMIC);
6865 kfree(buf);
6866 }
6867
6868 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
6869 info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
6870 family, table, obj, reset);
6871 if (err < 0)
6872 goto err_fill_obj_info;
6873
6874 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
6875
6876err_fill_obj_info:
6877 kfree_skb(skb2);
6878 return err;
6879}
6880
6881static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
6882{
6883 if (obj->ops->destroy)
6884 obj->ops->destroy(ctx, obj);
6885
6886 module_put(obj->ops->type->owner);
6887 kfree(obj->key.name);
6888 kfree(obj->udata);
6889 kfree(obj);
6890}
6891
6892static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info,
6893 const struct nlattr * const nla[])
6894{
6895 const struct nfgenmsg *nfmsg = nlmsg_data(info->nlh);
6896 struct netlink_ext_ack *extack = info->extack;
6897 u8 genmask = nft_genmask_next(info->net);
6898 int family = nfmsg->nfgen_family;
6899 struct net *net = info->net;
6900 const struct nlattr *attr;
6901 struct nft_table *table;
6902 struct nft_object *obj;
6903 struct nft_ctx ctx;
6904 u32 objtype;
6905
6906 if (!nla[NFTA_OBJ_TYPE] ||
6907 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
6908 return -EINVAL;
6909
6910 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
6911 NETLINK_CB(skb).portid);
6912 if (IS_ERR(table)) {
6913 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6914 return PTR_ERR(table);
6915 }
6916
6917 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6918 if (nla[NFTA_OBJ_HANDLE]) {
6919 attr = nla[NFTA_OBJ_HANDLE];
6920 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
6921 } else {
6922 attr = nla[NFTA_OBJ_NAME];
6923 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
6924 }
6925
6926 if (IS_ERR(obj)) {
6927 NL_SET_BAD_ATTR(extack, attr);
6928 return PTR_ERR(obj);
6929 }
6930 if (obj->use > 0) {
6931 NL_SET_BAD_ATTR(extack, attr);
6932 return -EBUSY;
6933 }
6934
6935 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
6936
6937 return nft_delobj(&ctx, obj);
6938}
6939
6940void nft_obj_notify(struct net *net, const struct nft_table *table,
6941 struct nft_object *obj, u32 portid, u32 seq, int event,
6942 int family, int report, gfp_t gfp)
6943{
6944 struct nftables_pernet *nft_net = nft_pernet(net);
6945 struct sk_buff *skb;
6946 int err;
6947 char *buf = kasprintf(gfp, "%s:%u",
6948 table->name, nft_net->base_seq);
6949
6950 audit_log_nfcfg(buf,
6951 family,
6952 obj->handle,
6953 event == NFT_MSG_NEWOBJ ?
6954 AUDIT_NFT_OP_OBJ_REGISTER :
6955 AUDIT_NFT_OP_OBJ_UNREGISTER,
6956 gfp);
6957 kfree(buf);
6958
6959 if (!report &&
6960 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6961 return;
6962
6963 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
6964 if (skb == NULL)
6965 goto err;
6966
6967 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
6968 table, obj, false);
6969 if (err < 0) {
6970 kfree_skb(skb);
6971 goto err;
6972 }
6973
6974 nft_notify_enqueue(skb, report, &nft_net->notify_list);
6975 return;
6976err:
6977 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
6978}
6979EXPORT_SYMBOL_GPL(nft_obj_notify);
6980
6981static void nf_tables_obj_notify(const struct nft_ctx *ctx,
6982 struct nft_object *obj, int event)
6983{
6984 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
6985 ctx->family, ctx->report, GFP_KERNEL);
6986}
6987
6988
6989
6990
6991void nft_register_flowtable_type(struct nf_flowtable_type *type)
6992{
6993 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6994 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
6995 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6996}
6997EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
6998
6999void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
7000{
7001 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7002 list_del_rcu(&type->list);
7003 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7004}
7005EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
7006
7007static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
7008 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
7009 .len = NFT_NAME_MAXLEN - 1 },
7010 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
7011 .len = NFT_NAME_MAXLEN - 1 },
7012 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
7013 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
7014 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
7015};
7016
7017struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
7018 const struct nlattr *nla, u8 genmask)
7019{
7020 struct nft_flowtable *flowtable;
7021
7022 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
7023 if (!nla_strcmp(nla, flowtable->name) &&
7024 nft_active_genmask(flowtable, genmask))
7025 return flowtable;
7026 }
7027 return ERR_PTR(-ENOENT);
7028}
7029EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
7030
7031void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
7032 struct nft_flowtable *flowtable,
7033 enum nft_trans_phase phase)
7034{
7035 switch (phase) {
7036 case NFT_TRANS_PREPARE:
7037 case NFT_TRANS_ABORT:
7038 case NFT_TRANS_RELEASE:
7039 flowtable->use--;
7040 fallthrough;
7041 default:
7042 return;
7043 }
7044}
7045EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
7046
7047static struct nft_flowtable *
7048nft_flowtable_lookup_byhandle(const struct nft_table *table,
7049 const struct nlattr *nla, u8 genmask)
7050{
7051 struct nft_flowtable *flowtable;
7052
7053 list_for_each_entry(flowtable, &table->flowtables, list) {
7054 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
7055 nft_active_genmask(flowtable, genmask))
7056 return flowtable;
7057 }
7058 return ERR_PTR(-ENOENT);
7059}
7060
7061struct nft_flowtable_hook {
7062 u32 num;
7063 int priority;
7064 struct list_head list;
7065};
7066
7067static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
7068 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
7069 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
7070 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
7071};
7072
7073static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
7074 const struct nlattr *attr,
7075 struct nft_flowtable_hook *flowtable_hook,
7076 struct nft_flowtable *flowtable, bool add)
7077{
7078 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
7079 struct nft_hook *hook;
7080 int hooknum, priority;
7081 int err;
7082
7083 INIT_LIST_HEAD(&flowtable_hook->list);
7084
7085 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
7086 nft_flowtable_hook_policy, NULL);
7087 if (err < 0)
7088 return err;
7089
7090 if (add) {
7091 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
7092 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY])
7093 return -EINVAL;
7094
7095 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
7096 if (hooknum != NF_NETDEV_INGRESS)
7097 return -EOPNOTSUPP;
7098
7099 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
7100
7101 flowtable_hook->priority = priority;
7102 flowtable_hook->num = hooknum;
7103 } else {
7104 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
7105 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
7106 if (hooknum != flowtable->hooknum)
7107 return -EOPNOTSUPP;
7108 }
7109
7110 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
7111 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
7112 if (priority != flowtable->data.priority)
7113 return -EOPNOTSUPP;
7114 }
7115
7116 flowtable_hook->priority = flowtable->data.priority;
7117 flowtable_hook->num = flowtable->hooknum;
7118 }
7119
7120 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
7121 err = nf_tables_parse_netdev_hooks(ctx->net,
7122 tb[NFTA_FLOWTABLE_HOOK_DEVS],
7123 &flowtable_hook->list);
7124 if (err < 0)
7125 return err;
7126 }
7127
7128 list_for_each_entry(hook, &flowtable_hook->list, list) {
7129 hook->ops.pf = NFPROTO_NETDEV;
7130 hook->ops.hooknum = flowtable_hook->num;
7131 hook->ops.priority = flowtable_hook->priority;
7132 hook->ops.priv = &flowtable->data;
7133 hook->ops.hook = flowtable->data.type->hook;
7134 }
7135
7136 return err;
7137}
7138
7139static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
7140{
7141 const struct nf_flowtable_type *type;
7142
7143 list_for_each_entry(type, &nf_tables_flowtables, list) {
7144 if (family == type->family)
7145 return type;
7146 }
7147 return NULL;
7148}
7149
7150static const struct nf_flowtable_type *
7151nft_flowtable_type_get(struct net *net, u8 family)
7152{
7153 const struct nf_flowtable_type *type;
7154
7155 type = __nft_flowtable_type_get(family);
7156 if (type != NULL && try_module_get(type->owner))
7157 return type;
7158
7159 lockdep_nfnl_nft_mutex_not_held();
7160#ifdef CONFIG_MODULES
7161 if (type == NULL) {
7162 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
7163 return ERR_PTR(-EAGAIN);
7164 }
7165#endif
7166 return ERR_PTR(-ENOENT);
7167}
7168
7169
7170static void nft_unregister_flowtable_hook(struct net *net,
7171 struct nft_flowtable *flowtable,
7172 struct nft_hook *hook)
7173{
7174 nf_unregister_net_hook(net, &hook->ops);
7175 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
7176 FLOW_BLOCK_UNBIND);
7177}
7178
7179static void nft_unregister_flowtable_net_hooks(struct net *net,
7180 struct list_head *hook_list)
7181{
7182 struct nft_hook *hook;
7183
7184 list_for_each_entry(hook, hook_list, list)
7185 nf_unregister_net_hook(net, &hook->ops);
7186}
7187
7188static int nft_register_flowtable_net_hooks(struct net *net,
7189 struct nft_table *table,
7190 struct list_head *hook_list,
7191 struct nft_flowtable *flowtable)
7192{
7193 struct nft_hook *hook, *hook2, *next;
7194 struct nft_flowtable *ft;
7195 int err, i = 0;
7196
7197 list_for_each_entry(hook, hook_list, list) {
7198 list_for_each_entry(ft, &table->flowtables, list) {
7199 if (!nft_is_active_next(net, ft))
7200 continue;
7201
7202 list_for_each_entry(hook2, &ft->hook_list, list) {
7203 if (hook->ops.dev == hook2->ops.dev &&
7204 hook->ops.pf == hook2->ops.pf) {
7205 err = -EEXIST;
7206 goto err_unregister_net_hooks;
7207 }
7208 }
7209 }
7210
7211 err = flowtable->data.type->setup(&flowtable->data,
7212 hook->ops.dev,
7213 FLOW_BLOCK_BIND);
7214 if (err < 0)
7215 goto err_unregister_net_hooks;
7216
7217 err = nf_register_net_hook(net, &hook->ops);
7218 if (err < 0) {
7219 flowtable->data.type->setup(&flowtable->data,
7220 hook->ops.dev,
7221 FLOW_BLOCK_UNBIND);
7222 goto err_unregister_net_hooks;
7223 }
7224
7225 i++;
7226 }
7227
7228 return 0;
7229
7230err_unregister_net_hooks:
7231 list_for_each_entry_safe(hook, next, hook_list, list) {
7232 if (i-- <= 0)
7233 break;
7234
7235 nft_unregister_flowtable_hook(net, flowtable, hook);
7236 list_del_rcu(&hook->list);
7237 kfree_rcu(hook, rcu);
7238 }
7239
7240 return err;
7241}
7242
7243static void nft_flowtable_hooks_destroy(struct list_head *hook_list)
7244{
7245 struct nft_hook *hook, *next;
7246
7247 list_for_each_entry_safe(hook, next, hook_list, list) {
7248 list_del_rcu(&hook->list);
7249 kfree_rcu(hook, rcu);
7250 }
7251}
7252
7253static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
7254 struct nft_flowtable *flowtable)
7255{
7256 const struct nlattr * const *nla = ctx->nla;
7257 struct nft_flowtable_hook flowtable_hook;
7258 struct nft_hook *hook, *next;
7259 struct nft_trans *trans;
7260 bool unregister = false;
7261 u32 flags;
7262 int err;
7263
7264 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
7265 &flowtable_hook, flowtable, false);
7266 if (err < 0)
7267 return err;
7268
7269 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
7270 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
7271 list_del(&hook->list);
7272 kfree(hook);
7273 }
7274 }
7275
7276 if (nla[NFTA_FLOWTABLE_FLAGS]) {
7277 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
7278 if (flags & ~NFT_FLOWTABLE_MASK)
7279 return -EOPNOTSUPP;
7280 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^
7281 (flags & NFT_FLOWTABLE_HW_OFFLOAD))
7282 return -EOPNOTSUPP;
7283 } else {
7284 flags = flowtable->data.flags;
7285 }
7286
7287 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
7288 &flowtable_hook.list, flowtable);
7289 if (err < 0)
7290 goto err_flowtable_update_hook;
7291
7292 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
7293 sizeof(struct nft_trans_flowtable));
7294 if (!trans) {
7295 unregister = true;
7296 err = -ENOMEM;
7297 goto err_flowtable_update_hook;
7298 }
7299
7300 nft_trans_flowtable_flags(trans) = flags;
7301 nft_trans_flowtable(trans) = flowtable;
7302 nft_trans_flowtable_update(trans) = true;
7303 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
7304 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
7305
7306 nft_trans_commit_list_add_tail(ctx->net, trans);
7307
7308 return 0;
7309
7310err_flowtable_update_hook:
7311 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
7312 if (unregister)
7313 nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
7314 list_del_rcu(&hook->list);
7315 kfree_rcu(hook, rcu);
7316 }
7317
7318 return err;
7319
7320}
7321
7322static int nf_tables_newflowtable(struct sk_buff *skb,
7323 const struct nfnl_info *info,
7324 const struct nlattr * const nla[])
7325{
7326 const struct nfgenmsg *nfmsg = nlmsg_data(info->nlh);
7327 struct netlink_ext_ack *extack = info->extack;
7328 struct nft_flowtable_hook flowtable_hook;
7329 u8 genmask = nft_genmask_next(info->net);
7330 const struct nf_flowtable_type *type;
7331 int family = nfmsg->nfgen_family;
7332 struct nft_flowtable *flowtable;
7333 struct nft_hook *hook, *next;
7334 struct net *net = info->net;
7335 struct nft_table *table;
7336 struct nft_ctx ctx;
7337 int err;
7338
7339 if (!nla[NFTA_FLOWTABLE_TABLE] ||
7340 !nla[NFTA_FLOWTABLE_NAME] ||
7341 !nla[NFTA_FLOWTABLE_HOOK])
7342 return -EINVAL;
7343
7344 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
7345 genmask, NETLINK_CB(skb).portid);
7346 if (IS_ERR(table)) {
7347 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
7348 return PTR_ERR(table);
7349 }
7350
7351 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
7352 genmask);
7353 if (IS_ERR(flowtable)) {
7354 err = PTR_ERR(flowtable);
7355 if (err != -ENOENT) {
7356 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
7357 return err;
7358 }
7359 } else {
7360 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
7361 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
7362 return -EEXIST;
7363 }
7364
7365 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7366
7367 return nft_flowtable_update(&ctx, info->nlh, flowtable);
7368 }
7369
7370 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7371
7372 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
7373 if (!flowtable)
7374 return -ENOMEM;
7375
7376 flowtable->table = table;
7377 flowtable->handle = nf_tables_alloc_handle(table);
7378 INIT_LIST_HEAD(&flowtable->hook_list);
7379
7380 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
7381 if (!flowtable->name) {
7382 err = -ENOMEM;
7383 goto err1;
7384 }
7385
7386 type = nft_flowtable_type_get(net, family);
7387 if (IS_ERR(type)) {
7388 err = PTR_ERR(type);
7389 goto err2;
7390 }
7391
7392 if (nla[NFTA_FLOWTABLE_FLAGS]) {
7393 flowtable->data.flags =
7394 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
7395 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) {
7396 err = -EOPNOTSUPP;
7397 goto err3;
7398 }
7399 }
7400
7401 write_pnet(&flowtable->data.net, net);
7402 flowtable->data.type = type;
7403 err = type->init(&flowtable->data);
7404 if (err < 0)
7405 goto err3;
7406
7407 err = nft_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
7408 &flowtable_hook, flowtable, true);
7409 if (err < 0)
7410 goto err4;
7411
7412 list_splice(&flowtable_hook.list, &flowtable->hook_list);
7413 flowtable->data.priority = flowtable_hook.priority;
7414 flowtable->hooknum = flowtable_hook.num;
7415
7416 err = nft_register_flowtable_net_hooks(ctx.net, table,
7417 &flowtable->hook_list,
7418 flowtable);
7419 if (err < 0) {
7420 nft_flowtable_hooks_destroy(&flowtable->hook_list);
7421 goto err4;
7422 }
7423
7424 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
7425 if (err < 0)
7426 goto err5;
7427
7428 list_add_tail_rcu(&flowtable->list, &table->flowtables);
7429 table->use++;
7430
7431 return 0;
7432err5:
7433 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7434 nft_unregister_flowtable_hook(net, flowtable, hook);
7435 list_del_rcu(&hook->list);
7436 kfree_rcu(hook, rcu);
7437 }
7438err4:
7439 flowtable->data.type->free(&flowtable->data);
7440err3:
7441 module_put(type->owner);
7442err2:
7443 kfree(flowtable->name);
7444err1:
7445 kfree(flowtable);
7446 return err;
7447}
7448
7449static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
7450{
7451 struct nft_hook *this, *next;
7452
7453 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
7454 list_del(&this->list);
7455 kfree(this);
7456 }
7457}
7458
7459static int nft_delflowtable_hook(struct nft_ctx *ctx,
7460 struct nft_flowtable *flowtable)
7461{
7462 const struct nlattr * const *nla = ctx->nla;
7463 struct nft_flowtable_hook flowtable_hook;
7464 struct nft_hook *this, *hook;
7465 struct nft_trans *trans;
7466 int err;
7467
7468 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
7469 &flowtable_hook, flowtable, false);
7470 if (err < 0)
7471 return err;
7472
7473 list_for_each_entry(this, &flowtable_hook.list, list) {
7474 hook = nft_hook_list_find(&flowtable->hook_list, this);
7475 if (!hook) {
7476 err = -ENOENT;
7477 goto err_flowtable_del_hook;
7478 }
7479 hook->inactive = true;
7480 }
7481
7482 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
7483 sizeof(struct nft_trans_flowtable));
7484 if (!trans) {
7485 err = -ENOMEM;
7486 goto err_flowtable_del_hook;
7487 }
7488
7489 nft_trans_flowtable(trans) = flowtable;
7490 nft_trans_flowtable_update(trans) = true;
7491 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
7492 nft_flowtable_hook_release(&flowtable_hook);
7493
7494 nft_trans_commit_list_add_tail(ctx->net, trans);
7495
7496 return 0;
7497
7498err_flowtable_del_hook:
7499 list_for_each_entry(this, &flowtable_hook.list, list) {
7500 hook = nft_hook_list_find(&flowtable->hook_list, this);
7501 if (!hook)
7502 break;
7503
7504 hook->inactive = false;
7505 }
7506 nft_flowtable_hook_release(&flowtable_hook);
7507
7508 return err;
7509}
7510
7511static int nf_tables_delflowtable(struct sk_buff *skb,
7512 const struct nfnl_info *info,
7513 const struct nlattr * const nla[])
7514{
7515 const struct nfgenmsg *nfmsg = nlmsg_data(info->nlh);
7516 struct netlink_ext_ack *extack = info->extack;
7517 u8 genmask = nft_genmask_next(info->net);
7518 int family = nfmsg->nfgen_family;
7519 struct nft_flowtable *flowtable;
7520 struct net *net = info->net;
7521 const struct nlattr *attr;
7522 struct nft_table *table;
7523 struct nft_ctx ctx;
7524
7525 if (!nla[NFTA_FLOWTABLE_TABLE] ||
7526 (!nla[NFTA_FLOWTABLE_NAME] &&
7527 !nla[NFTA_FLOWTABLE_HANDLE]))
7528 return -EINVAL;
7529
7530 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
7531 genmask, NETLINK_CB(skb).portid);
7532 if (IS_ERR(table)) {
7533 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
7534 return PTR_ERR(table);
7535 }
7536
7537 if (nla[NFTA_FLOWTABLE_HANDLE]) {
7538 attr = nla[NFTA_FLOWTABLE_HANDLE];
7539 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
7540 } else {
7541 attr = nla[NFTA_FLOWTABLE_NAME];
7542 flowtable = nft_flowtable_lookup(table, attr, genmask);
7543 }
7544
7545 if (IS_ERR(flowtable)) {
7546 NL_SET_BAD_ATTR(extack, attr);
7547 return PTR_ERR(flowtable);
7548 }
7549
7550 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7551
7552 if (nla[NFTA_FLOWTABLE_HOOK])
7553 return nft_delflowtable_hook(&ctx, flowtable);
7554
7555 if (flowtable->use > 0) {
7556 NL_SET_BAD_ATTR(extack, attr);
7557 return -EBUSY;
7558 }
7559
7560 return nft_delflowtable(&ctx, flowtable);
7561}
7562
7563static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
7564 u32 portid, u32 seq, int event,
7565 u32 flags, int family,
7566 struct nft_flowtable *flowtable,
7567 struct list_head *hook_list)
7568{
7569 struct nlattr *nest, *nest_devs;
7570 struct nft_hook *hook;
7571 struct nlmsghdr *nlh;
7572
7573 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
7574 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
7575 NFNETLINK_V0, nft_base_seq(net));
7576 if (!nlh)
7577 goto nla_put_failure;
7578
7579 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
7580 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
7581 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
7582 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
7583 NFTA_FLOWTABLE_PAD) ||
7584 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
7585 goto nla_put_failure;
7586
7587 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
7588 if (!nest)
7589 goto nla_put_failure;
7590 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
7591 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
7592 goto nla_put_failure;
7593
7594 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
7595 if (!nest_devs)
7596 goto nla_put_failure;
7597
7598 list_for_each_entry_rcu(hook, hook_list, list) {
7599 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
7600 goto nla_put_failure;
7601 }
7602 nla_nest_end(skb, nest_devs);
7603 nla_nest_end(skb, nest);
7604
7605 nlmsg_end(skb, nlh);
7606 return 0;
7607
7608nla_put_failure:
7609 nlmsg_trim(skb, nlh);
7610 return -1;
7611}
7612
7613struct nft_flowtable_filter {
7614 char *table;
7615};
7616
7617static int nf_tables_dump_flowtable(struct sk_buff *skb,
7618 struct netlink_callback *cb)
7619{
7620 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
7621 struct nft_flowtable_filter *filter = cb->data;
7622 unsigned int idx = 0, s_idx = cb->args[0];
7623 struct net *net = sock_net(skb->sk);
7624 int family = nfmsg->nfgen_family;
7625 struct nft_flowtable *flowtable;
7626 struct nftables_pernet *nft_net;
7627 const struct nft_table *table;
7628
7629 rcu_read_lock();
7630 nft_net = nft_pernet(net);
7631 cb->seq = nft_net->base_seq;
7632
7633 list_for_each_entry_rcu(table, &nft_net->tables, list) {
7634 if (family != NFPROTO_UNSPEC && family != table->family)
7635 continue;
7636
7637 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
7638 if (!nft_is_active(net, flowtable))
7639 goto cont;
7640 if (idx < s_idx)
7641 goto cont;
7642 if (idx > s_idx)
7643 memset(&cb->args[1], 0,
7644 sizeof(cb->args) - sizeof(cb->args[0]));
7645 if (filter && filter->table &&
7646 strcmp(filter->table, table->name))
7647 goto cont;
7648
7649 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
7650 cb->nlh->nlmsg_seq,
7651 NFT_MSG_NEWFLOWTABLE,
7652 NLM_F_MULTI | NLM_F_APPEND,
7653 table->family,
7654 flowtable,
7655 &flowtable->hook_list) < 0)
7656 goto done;
7657
7658 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
7659cont:
7660 idx++;
7661 }
7662 }
7663done:
7664 rcu_read_unlock();
7665
7666 cb->args[0] = idx;
7667 return skb->len;
7668}
7669
7670static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
7671{
7672 const struct nlattr * const *nla = cb->data;
7673 struct nft_flowtable_filter *filter = NULL;
7674
7675 if (nla[NFTA_FLOWTABLE_TABLE]) {
7676 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
7677 if (!filter)
7678 return -ENOMEM;
7679
7680 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
7681 GFP_ATOMIC);
7682 if (!filter->table) {
7683 kfree(filter);
7684 return -ENOMEM;
7685 }
7686 }
7687
7688 cb->data = filter;
7689 return 0;
7690}
7691
7692static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
7693{
7694 struct nft_flowtable_filter *filter = cb->data;
7695
7696 if (!filter)
7697 return 0;
7698
7699 kfree(filter->table);
7700 kfree(filter);
7701
7702 return 0;
7703}
7704
7705
7706static int nf_tables_getflowtable(struct sk_buff *skb,
7707 const struct nfnl_info *info,
7708 const struct nlattr * const nla[])
7709{
7710 const struct nfgenmsg *nfmsg = nlmsg_data(info->nlh);
7711 u8 genmask = nft_genmask_cur(info->net);
7712 int family = nfmsg->nfgen_family;
7713 struct nft_flowtable *flowtable;
7714 const struct nft_table *table;
7715 struct net *net = info->net;
7716 struct sk_buff *skb2;
7717 int err;
7718
7719 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
7720 struct netlink_dump_control c = {
7721 .start = nf_tables_dump_flowtable_start,
7722 .dump = nf_tables_dump_flowtable,
7723 .done = nf_tables_dump_flowtable_done,
7724 .module = THIS_MODULE,
7725 .data = (void *)nla,
7726 };
7727
7728 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
7729 }
7730
7731 if (!nla[NFTA_FLOWTABLE_NAME])
7732 return -EINVAL;
7733
7734 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
7735 genmask, 0);
7736 if (IS_ERR(table))
7737 return PTR_ERR(table);
7738
7739 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
7740 genmask);
7741 if (IS_ERR(flowtable))
7742 return PTR_ERR(flowtable);
7743
7744 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7745 if (!skb2)
7746 return -ENOMEM;
7747
7748 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
7749 info->nlh->nlmsg_seq,
7750 NFT_MSG_NEWFLOWTABLE, 0, family,
7751 flowtable, &flowtable->hook_list);
7752 if (err < 0)
7753 goto err_fill_flowtable_info;
7754
7755 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7756
7757err_fill_flowtable_info:
7758 kfree_skb(skb2);
7759 return err;
7760}
7761
7762static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
7763 struct nft_flowtable *flowtable,
7764 struct list_head *hook_list,
7765 int event)
7766{
7767 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
7768 struct sk_buff *skb;
7769 int err;
7770
7771 if (!ctx->report &&
7772 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
7773 return;
7774
7775 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
7776 if (skb == NULL)
7777 goto err;
7778
7779 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
7780 ctx->seq, event, 0,
7781 ctx->family, flowtable, hook_list);
7782 if (err < 0) {
7783 kfree_skb(skb);
7784 goto err;
7785 }
7786
7787 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
7788 return;
7789err:
7790 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
7791}
7792
7793static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
7794{
7795 struct nft_hook *hook, *next;
7796
7797 flowtable->data.type->free(&flowtable->data);
7798 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7799 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
7800 FLOW_BLOCK_UNBIND);
7801 list_del_rcu(&hook->list);
7802 kfree(hook);
7803 }
7804 kfree(flowtable->name);
7805 module_put(flowtable->data.type->owner);
7806 kfree(flowtable);
7807}
7808
7809static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
7810 u32 portid, u32 seq)
7811{
7812 struct nftables_pernet *nft_net = nft_pernet(net);
7813 struct nlmsghdr *nlh;
7814 char buf[TASK_COMM_LEN];
7815 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
7816
7817 nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC,
7818 NFNETLINK_V0, nft_base_seq(net));
7819 if (!nlh)
7820 goto nla_put_failure;
7821
7822 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) ||
7823 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
7824 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
7825 goto nla_put_failure;
7826
7827 nlmsg_end(skb, nlh);
7828 return 0;
7829
7830nla_put_failure:
7831 nlmsg_trim(skb, nlh);
7832 return -EMSGSIZE;
7833}
7834
7835static void nft_flowtable_event(unsigned long event, struct net_device *dev,
7836 struct nft_flowtable *flowtable)
7837{
7838 struct nft_hook *hook;
7839
7840 list_for_each_entry(hook, &flowtable->hook_list, list) {
7841 if (hook->ops.dev != dev)
7842 continue;
7843
7844
7845 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
7846 list_del_rcu(&hook->list);
7847 kfree_rcu(hook, rcu);
7848 break;
7849 }
7850}
7851
7852static int nf_tables_flowtable_event(struct notifier_block *this,
7853 unsigned long event, void *ptr)
7854{
7855 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
7856 struct nft_flowtable *flowtable;
7857 struct nftables_pernet *nft_net;
7858 struct nft_table *table;
7859 struct net *net;
7860
7861 if (event != NETDEV_UNREGISTER)
7862 return 0;
7863
7864 net = dev_net(dev);
7865 nft_net = nft_pernet(net);
7866 mutex_lock(&nft_net->commit_mutex);
7867 list_for_each_entry(table, &nft_net->tables, list) {
7868 list_for_each_entry(flowtable, &table->flowtables, list) {
7869 nft_flowtable_event(event, dev, flowtable);
7870 }
7871 }
7872 mutex_unlock(&nft_net->commit_mutex);
7873
7874 return NOTIFY_DONE;
7875}
7876
7877static struct notifier_block nf_tables_flowtable_notifier = {
7878 .notifier_call = nf_tables_flowtable_event,
7879};
7880
7881static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
7882 int event)
7883{
7884 struct nlmsghdr *nlh = nlmsg_hdr(skb);
7885 struct sk_buff *skb2;
7886 int err;
7887
7888 if (!nlmsg_report(nlh) &&
7889 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
7890 return;
7891
7892 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
7893 if (skb2 == NULL)
7894 goto err;
7895
7896 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
7897 nlh->nlmsg_seq);
7898 if (err < 0) {
7899 kfree_skb(skb2);
7900 goto err;
7901 }
7902
7903 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
7904 nlmsg_report(nlh), GFP_KERNEL);
7905 return;
7906err:
7907 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
7908 -ENOBUFS);
7909}
7910
7911static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info,
7912 const struct nlattr * const nla[])
7913{
7914 struct sk_buff *skb2;
7915 int err;
7916
7917 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7918 if (skb2 == NULL)
7919 return -ENOMEM;
7920
7921 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid,
7922 info->nlh->nlmsg_seq);
7923 if (err < 0)
7924 goto err_fill_gen_info;
7925
7926 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
7927
7928err_fill_gen_info:
7929 kfree_skb(skb2);
7930 return err;
7931}
7932
7933static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
7934 [NFT_MSG_NEWTABLE] = {
7935 .call = nf_tables_newtable,
7936 .type = NFNL_CB_BATCH,
7937 .attr_count = NFTA_TABLE_MAX,
7938 .policy = nft_table_policy,
7939 },
7940 [NFT_MSG_GETTABLE] = {
7941 .call = nf_tables_gettable,
7942 .type = NFNL_CB_RCU,
7943 .attr_count = NFTA_TABLE_MAX,
7944 .policy = nft_table_policy,
7945 },
7946 [NFT_MSG_DELTABLE] = {
7947 .call = nf_tables_deltable,
7948 .type = NFNL_CB_BATCH,
7949 .attr_count = NFTA_TABLE_MAX,
7950 .policy = nft_table_policy,
7951 },
7952 [NFT_MSG_NEWCHAIN] = {
7953 .call = nf_tables_newchain,
7954 .type = NFNL_CB_BATCH,
7955 .attr_count = NFTA_CHAIN_MAX,
7956 .policy = nft_chain_policy,
7957 },
7958 [NFT_MSG_GETCHAIN] = {
7959 .call = nf_tables_getchain,
7960 .type = NFNL_CB_RCU,
7961 .attr_count = NFTA_CHAIN_MAX,
7962 .policy = nft_chain_policy,
7963 },
7964 [NFT_MSG_DELCHAIN] = {
7965 .call = nf_tables_delchain,
7966 .type = NFNL_CB_BATCH,
7967 .attr_count = NFTA_CHAIN_MAX,
7968 .policy = nft_chain_policy,
7969 },
7970 [NFT_MSG_NEWRULE] = {
7971 .call = nf_tables_newrule,
7972 .type = NFNL_CB_BATCH,
7973 .attr_count = NFTA_RULE_MAX,
7974 .policy = nft_rule_policy,
7975 },
7976 [NFT_MSG_GETRULE] = {
7977 .call = nf_tables_getrule,
7978 .type = NFNL_CB_RCU,
7979 .attr_count = NFTA_RULE_MAX,
7980 .policy = nft_rule_policy,
7981 },
7982 [NFT_MSG_DELRULE] = {
7983 .call = nf_tables_delrule,
7984 .type = NFNL_CB_BATCH,
7985 .attr_count = NFTA_RULE_MAX,
7986 .policy = nft_rule_policy,
7987 },
7988 [NFT_MSG_NEWSET] = {
7989 .call = nf_tables_newset,
7990 .type = NFNL_CB_BATCH,
7991 .attr_count = NFTA_SET_MAX,
7992 .policy = nft_set_policy,
7993 },
7994 [NFT_MSG_GETSET] = {
7995 .call = nf_tables_getset,
7996 .type = NFNL_CB_RCU,
7997 .attr_count = NFTA_SET_MAX,
7998 .policy = nft_set_policy,
7999 },
8000 [NFT_MSG_DELSET] = {
8001 .call = nf_tables_delset,
8002 .type = NFNL_CB_BATCH,
8003 .attr_count = NFTA_SET_MAX,
8004 .policy = nft_set_policy,
8005 },
8006 [NFT_MSG_NEWSETELEM] = {
8007 .call = nf_tables_newsetelem,
8008 .type = NFNL_CB_BATCH,
8009 .attr_count = NFTA_SET_ELEM_LIST_MAX,
8010 .policy = nft_set_elem_list_policy,
8011 },
8012 [NFT_MSG_GETSETELEM] = {
8013 .call = nf_tables_getsetelem,
8014 .type = NFNL_CB_RCU,
8015 .attr_count = NFTA_SET_ELEM_LIST_MAX,
8016 .policy = nft_set_elem_list_policy,
8017 },
8018 [NFT_MSG_DELSETELEM] = {
8019 .call = nf_tables_delsetelem,
8020 .type = NFNL_CB_BATCH,
8021 .attr_count = NFTA_SET_ELEM_LIST_MAX,
8022 .policy = nft_set_elem_list_policy,
8023 },
8024 [NFT_MSG_GETGEN] = {
8025 .call = nf_tables_getgen,
8026 .type = NFNL_CB_RCU,
8027 },
8028 [NFT_MSG_NEWOBJ] = {
8029 .call = nf_tables_newobj,
8030 .type = NFNL_CB_BATCH,
8031 .attr_count = NFTA_OBJ_MAX,
8032 .policy = nft_obj_policy,
8033 },
8034 [NFT_MSG_GETOBJ] = {
8035 .call = nf_tables_getobj,
8036 .type = NFNL_CB_RCU,
8037 .attr_count = NFTA_OBJ_MAX,
8038 .policy = nft_obj_policy,
8039 },
8040 [NFT_MSG_DELOBJ] = {
8041 .call = nf_tables_delobj,
8042 .type = NFNL_CB_BATCH,
8043 .attr_count = NFTA_OBJ_MAX,
8044 .policy = nft_obj_policy,
8045 },
8046 [NFT_MSG_GETOBJ_RESET] = {
8047 .call = nf_tables_getobj,
8048 .type = NFNL_CB_RCU,
8049 .attr_count = NFTA_OBJ_MAX,
8050 .policy = nft_obj_policy,
8051 },
8052 [NFT_MSG_NEWFLOWTABLE] = {
8053 .call = nf_tables_newflowtable,
8054 .type = NFNL_CB_BATCH,
8055 .attr_count = NFTA_FLOWTABLE_MAX,
8056 .policy = nft_flowtable_policy,
8057 },
8058 [NFT_MSG_GETFLOWTABLE] = {
8059 .call = nf_tables_getflowtable,
8060 .type = NFNL_CB_RCU,
8061 .attr_count = NFTA_FLOWTABLE_MAX,
8062 .policy = nft_flowtable_policy,
8063 },
8064 [NFT_MSG_DELFLOWTABLE] = {
8065 .call = nf_tables_delflowtable,
8066 .type = NFNL_CB_BATCH,
8067 .attr_count = NFTA_FLOWTABLE_MAX,
8068 .policy = nft_flowtable_policy,
8069 },
8070};
8071
8072static int nf_tables_validate(struct net *net)
8073{
8074 struct nftables_pernet *nft_net = nft_pernet(net);
8075 struct nft_table *table;
8076
8077 switch (nft_net->validate_state) {
8078 case NFT_VALIDATE_SKIP:
8079 break;
8080 case NFT_VALIDATE_NEED:
8081 nft_validate_state_update(net, NFT_VALIDATE_DO);
8082 fallthrough;
8083 case NFT_VALIDATE_DO:
8084 list_for_each_entry(table, &nft_net->tables, list) {
8085 if (nft_table_validate(net, table) < 0)
8086 return -EAGAIN;
8087 }
8088 break;
8089 }
8090
8091 return 0;
8092}
8093
8094
8095
8096
8097
8098
8099
8100
8101static void nft_chain_commit_drop_policy(struct nft_trans *trans)
8102{
8103 struct nft_base_chain *basechain;
8104
8105 if (nft_trans_chain_policy(trans) != NF_DROP)
8106 return;
8107
8108 if (!nft_is_base_chain(trans->ctx.chain))
8109 return;
8110
8111 basechain = nft_base_chain(trans->ctx.chain);
8112 basechain->policy = NF_DROP;
8113}
8114
8115static void nft_chain_commit_update(struct nft_trans *trans)
8116{
8117 struct nft_base_chain *basechain;
8118
8119 if (nft_trans_chain_name(trans)) {
8120 rhltable_remove(&trans->ctx.table->chains_ht,
8121 &trans->ctx.chain->rhlhead,
8122 nft_chain_ht_params);
8123 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
8124 rhltable_insert_key(&trans->ctx.table->chains_ht,
8125 trans->ctx.chain->name,
8126 &trans->ctx.chain->rhlhead,
8127 nft_chain_ht_params);
8128 }
8129
8130 if (!nft_is_base_chain(trans->ctx.chain))
8131 return;
8132
8133 nft_chain_stats_replace(trans);
8134
8135 basechain = nft_base_chain(trans->ctx.chain);
8136
8137 switch (nft_trans_chain_policy(trans)) {
8138 case NF_DROP:
8139 case NF_ACCEPT:
8140 basechain->policy = nft_trans_chain_policy(trans);
8141 break;
8142 }
8143}
8144
8145static void nft_obj_commit_update(struct nft_trans *trans)
8146{
8147 struct nft_object *newobj;
8148 struct nft_object *obj;
8149
8150 obj = nft_trans_obj(trans);
8151 newobj = nft_trans_obj_newobj(trans);
8152
8153 if (obj->ops->update)
8154 obj->ops->update(obj, newobj);
8155
8156 kfree(newobj);
8157}
8158
8159static void nft_commit_release(struct nft_trans *trans)
8160{
8161 switch (trans->msg_type) {
8162 case NFT_MSG_DELTABLE:
8163 nf_tables_table_destroy(&trans->ctx);
8164 break;
8165 case NFT_MSG_NEWCHAIN:
8166 free_percpu(nft_trans_chain_stats(trans));
8167 kfree(nft_trans_chain_name(trans));
8168 break;
8169 case NFT_MSG_DELCHAIN:
8170 nf_tables_chain_destroy(&trans->ctx);
8171 break;
8172 case NFT_MSG_DELRULE:
8173 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
8174 break;
8175 case NFT_MSG_DELSET:
8176 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
8177 break;
8178 case NFT_MSG_DELSETELEM:
8179 nf_tables_set_elem_destroy(&trans->ctx,
8180 nft_trans_elem_set(trans),
8181 nft_trans_elem(trans).priv);
8182 break;
8183 case NFT_MSG_DELOBJ:
8184 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
8185 break;
8186 case NFT_MSG_DELFLOWTABLE:
8187 if (nft_trans_flowtable_update(trans))
8188 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
8189 else
8190 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
8191 break;
8192 }
8193
8194 if (trans->put_net)
8195 put_net(trans->ctx.net);
8196
8197 kfree(trans);
8198}
8199
8200static void nf_tables_trans_destroy_work(struct work_struct *w)
8201{
8202 struct nft_trans *trans, *next;
8203 LIST_HEAD(head);
8204
8205 spin_lock(&nf_tables_destroy_list_lock);
8206 list_splice_init(&nf_tables_destroy_list, &head);
8207 spin_unlock(&nf_tables_destroy_list_lock);
8208
8209 if (list_empty(&head))
8210 return;
8211
8212 synchronize_rcu();
8213
8214 list_for_each_entry_safe(trans, next, &head, list) {
8215 list_del(&trans->list);
8216 nft_commit_release(trans);
8217 }
8218}
8219
8220void nf_tables_trans_destroy_flush_work(void)
8221{
8222 flush_work(&trans_destroy_work);
8223}
8224EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
8225
8226static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
8227{
8228 struct nft_rule *rule;
8229 unsigned int alloc = 0;
8230 int i;
8231
8232
8233 if (chain->rules_next || !nft_is_active_next(net, chain))
8234 return 0;
8235
8236 rule = list_entry(&chain->rules, struct nft_rule, list);
8237 i = 0;
8238
8239 list_for_each_entry_continue(rule, &chain->rules, list) {
8240 if (nft_is_active_next(net, rule))
8241 alloc++;
8242 }
8243
8244 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
8245 if (!chain->rules_next)
8246 return -ENOMEM;
8247
8248 list_for_each_entry_continue(rule, &chain->rules, list) {
8249 if (nft_is_active_next(net, rule))
8250 chain->rules_next[i++] = rule;
8251 }
8252
8253 chain->rules_next[i] = NULL;
8254 return 0;
8255}
8256
8257static void nf_tables_commit_chain_prepare_cancel(struct net *net)
8258{
8259 struct nftables_pernet *nft_net = nft_pernet(net);
8260 struct nft_trans *trans, *next;
8261
8262 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
8263 struct nft_chain *chain = trans->ctx.chain;
8264
8265 if (trans->msg_type == NFT_MSG_NEWRULE ||
8266 trans->msg_type == NFT_MSG_DELRULE) {
8267 kvfree(chain->rules_next);
8268 chain->rules_next = NULL;
8269 }
8270 }
8271}
8272
8273static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
8274{
8275 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
8276
8277 kvfree(o->start);
8278}
8279
8280static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
8281{
8282 struct nft_rule **r = rules;
8283 struct nft_rules_old *old;
8284
8285 while (*r)
8286 r++;
8287
8288 r++;
8289 old = (void *) r;
8290 old->start = rules;
8291
8292 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
8293}
8294
8295static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
8296{
8297 struct nft_rule **g0, **g1;
8298 bool next_genbit;
8299
8300 next_genbit = nft_gencursor_next(net);
8301
8302 g0 = rcu_dereference_protected(chain->rules_gen_0,
8303 lockdep_commit_lock_is_held(net));
8304 g1 = rcu_dereference_protected(chain->rules_gen_1,
8305 lockdep_commit_lock_is_held(net));
8306
8307
8308 if (chain->rules_next == NULL) {
8309
8310 if (g0 == g1)
8311 return;
8312
8313
8314
8315
8316 if (next_genbit) {
8317 rcu_assign_pointer(chain->rules_gen_1, g0);
8318 nf_tables_commit_chain_free_rules_old(g1);
8319 } else {
8320 rcu_assign_pointer(chain->rules_gen_0, g1);
8321 nf_tables_commit_chain_free_rules_old(g0);
8322 }
8323
8324 return;
8325 }
8326
8327 if (next_genbit)
8328 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
8329 else
8330 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
8331
8332 chain->rules_next = NULL;
8333
8334 if (g0 == g1)
8335 return;
8336
8337 if (next_genbit)
8338 nf_tables_commit_chain_free_rules_old(g1);
8339 else
8340 nf_tables_commit_chain_free_rules_old(g0);
8341}
8342
8343static void nft_obj_del(struct nft_object *obj)
8344{
8345 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
8346 list_del_rcu(&obj->list);
8347}
8348
8349void nft_chain_del(struct nft_chain *chain)
8350{
8351 struct nft_table *table = chain->table;
8352
8353 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
8354 nft_chain_ht_params));
8355 list_del_rcu(&chain->list);
8356}
8357
8358static void nft_flowtable_hooks_del(struct nft_flowtable *flowtable,
8359 struct list_head *hook_list)
8360{
8361 struct nft_hook *hook, *next;
8362
8363 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
8364 if (hook->inactive)
8365 list_move(&hook->list, hook_list);
8366 }
8367}
8368
8369static void nf_tables_module_autoload_cleanup(struct net *net)
8370{
8371 struct nftables_pernet *nft_net = nft_pernet(net);
8372 struct nft_module_request *req, *next;
8373
8374 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
8375 list_for_each_entry_safe(req, next, &nft_net->module_list, list) {
8376 WARN_ON_ONCE(!req->done);
8377 list_del(&req->list);
8378 kfree(req);
8379 }
8380}
8381
8382static void nf_tables_commit_release(struct net *net)
8383{
8384 struct nftables_pernet *nft_net = nft_pernet(net);
8385 struct nft_trans *trans;
8386
8387
8388
8389
8390
8391
8392
8393
8394 if (list_empty(&nft_net->commit_list)) {
8395 nf_tables_module_autoload_cleanup(net);
8396 mutex_unlock(&nft_net->commit_mutex);
8397 return;
8398 }
8399
8400 trans = list_last_entry(&nft_net->commit_list,
8401 struct nft_trans, list);
8402 get_net(trans->ctx.net);
8403 WARN_ON_ONCE(trans->put_net);
8404
8405 trans->put_net = true;
8406 spin_lock(&nf_tables_destroy_list_lock);
8407 list_splice_tail_init(&nft_net->commit_list, &nf_tables_destroy_list);
8408 spin_unlock(&nf_tables_destroy_list_lock);
8409
8410 nf_tables_module_autoload_cleanup(net);
8411 schedule_work(&trans_destroy_work);
8412
8413 mutex_unlock(&nft_net->commit_mutex);
8414}
8415
8416static void nft_commit_notify(struct net *net, u32 portid)
8417{
8418 struct nftables_pernet *nft_net = nft_pernet(net);
8419 struct sk_buff *batch_skb = NULL, *nskb, *skb;
8420 unsigned char *data;
8421 int len;
8422
8423 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) {
8424 if (!batch_skb) {
8425new_batch:
8426 batch_skb = skb;
8427 len = NLMSG_GOODSIZE - skb->len;
8428 list_del(&skb->list);
8429 continue;
8430 }
8431 len -= skb->len;
8432 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
8433 data = skb_put(batch_skb, skb->len);
8434 memcpy(data, skb->data, skb->len);
8435 list_del(&skb->list);
8436 kfree_skb(skb);
8437 continue;
8438 }
8439 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
8440 NFT_CB(batch_skb).report, GFP_KERNEL);
8441 goto new_batch;
8442 }
8443
8444 if (batch_skb) {
8445 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
8446 NFT_CB(batch_skb).report, GFP_KERNEL);
8447 }
8448
8449 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
8450}
8451
8452static int nf_tables_commit_audit_alloc(struct list_head *adl,
8453 struct nft_table *table)
8454{
8455 struct nft_audit_data *adp;
8456
8457 list_for_each_entry(adp, adl, list) {
8458 if (adp->table == table)
8459 return 0;
8460 }
8461 adp = kzalloc(sizeof(*adp), GFP_KERNEL);
8462 if (!adp)
8463 return -ENOMEM;
8464 adp->table = table;
8465 list_add(&adp->list, adl);
8466 return 0;
8467}
8468
8469static void nf_tables_commit_audit_collect(struct list_head *adl,
8470 struct nft_table *table, u32 op)
8471{
8472 struct nft_audit_data *adp;
8473
8474 list_for_each_entry(adp, adl, list) {
8475 if (adp->table == table)
8476 goto found;
8477 }
8478 WARN_ONCE(1, "table=%s not expected in commit list", table->name);
8479 return;
8480found:
8481 adp->entries++;
8482 if (!adp->op || adp->op > op)
8483 adp->op = op;
8484}
8485
8486#define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22)
8487
8488static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation)
8489{
8490 struct nft_audit_data *adp, *adn;
8491 char aubuf[AUNFTABLENAMELEN];
8492
8493 list_for_each_entry_safe(adp, adn, adl, list) {
8494 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name,
8495 generation);
8496 audit_log_nfcfg(aubuf, adp->table->family, adp->entries,
8497 nft2audit_op[adp->op], GFP_KERNEL);
8498 list_del(&adp->list);
8499 kfree(adp);
8500 }
8501}
8502
8503static int nf_tables_commit(struct net *net, struct sk_buff *skb)
8504{
8505 struct nftables_pernet *nft_net = nft_pernet(net);
8506 struct nft_trans *trans, *next;
8507 struct nft_trans_elem *te;
8508 struct nft_chain *chain;
8509 struct nft_table *table;
8510 LIST_HEAD(adl);
8511 int err;
8512
8513 if (list_empty(&nft_net->commit_list)) {
8514 mutex_unlock(&nft_net->commit_mutex);
8515 return 0;
8516 }
8517
8518
8519 if (nf_tables_validate(net) < 0)
8520 return -EAGAIN;
8521
8522 err = nft_flow_rule_offload_commit(net);
8523 if (err < 0)
8524 return err;
8525
8526
8527 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
8528 int ret;
8529
8530 ret = nf_tables_commit_audit_alloc(&adl, trans->ctx.table);
8531 if (ret) {
8532 nf_tables_commit_chain_prepare_cancel(net);
8533 return ret;
8534 }
8535 if (trans->msg_type == NFT_MSG_NEWRULE ||
8536 trans->msg_type == NFT_MSG_DELRULE) {
8537 chain = trans->ctx.chain;
8538
8539 ret = nf_tables_commit_chain_prepare(net, chain);
8540 if (ret < 0) {
8541 nf_tables_commit_chain_prepare_cancel(net);
8542 return ret;
8543 }
8544 }
8545 }
8546
8547
8548 list_for_each_entry(table, &nft_net->tables, list) {
8549 list_for_each_entry(chain, &table->chains, list)
8550 nf_tables_commit_chain(net, chain);
8551 }
8552
8553
8554
8555
8556
8557 while (++nft_net->base_seq == 0)
8558 ;
8559
8560
8561 net->nft.gencursor = nft_gencursor_next(net);
8562
8563 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
8564 nf_tables_commit_audit_collect(&adl, trans->ctx.table,
8565 trans->msg_type);
8566 switch (trans->msg_type) {
8567 case NFT_MSG_NEWTABLE:
8568 if (nft_trans_table_update(trans)) {
8569 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {
8570 nft_trans_destroy(trans);
8571 break;
8572 }
8573 if (trans->ctx.table->flags & NFT_TABLE_F_DORMANT)
8574 nf_tables_table_disable(net, trans->ctx.table);
8575
8576 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
8577 } else {
8578 nft_clear(net, trans->ctx.table);
8579 }
8580 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
8581 nft_trans_destroy(trans);
8582 break;
8583 case NFT_MSG_DELTABLE:
8584 list_del_rcu(&trans->ctx.table->list);
8585 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
8586 break;
8587 case NFT_MSG_NEWCHAIN:
8588 if (nft_trans_chain_update(trans)) {
8589 nft_chain_commit_update(trans);
8590 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
8591
8592 } else {
8593 nft_chain_commit_drop_policy(trans);
8594 nft_clear(net, trans->ctx.chain);
8595 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
8596 nft_trans_destroy(trans);
8597 }
8598 break;
8599 case NFT_MSG_DELCHAIN:
8600 nft_chain_del(trans->ctx.chain);
8601 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
8602 nf_tables_unregister_hook(trans->ctx.net,
8603 trans->ctx.table,
8604 trans->ctx.chain);
8605 break;
8606 case NFT_MSG_NEWRULE:
8607 nft_clear(trans->ctx.net, nft_trans_rule(trans));
8608 nf_tables_rule_notify(&trans->ctx,
8609 nft_trans_rule(trans),
8610 NFT_MSG_NEWRULE);
8611 nft_trans_destroy(trans);
8612 break;
8613 case NFT_MSG_DELRULE:
8614 list_del_rcu(&nft_trans_rule(trans)->list);
8615 nf_tables_rule_notify(&trans->ctx,
8616 nft_trans_rule(trans),
8617 NFT_MSG_DELRULE);
8618 nft_rule_expr_deactivate(&trans->ctx,
8619 nft_trans_rule(trans),
8620 NFT_TRANS_COMMIT);
8621 break;
8622 case NFT_MSG_NEWSET:
8623 nft_clear(net, nft_trans_set(trans));
8624
8625
8626
8627 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
8628 !list_empty(&nft_trans_set(trans)->bindings))
8629 trans->ctx.table->use--;
8630
8631 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
8632 NFT_MSG_NEWSET, GFP_KERNEL);
8633 nft_trans_destroy(trans);
8634 break;
8635 case NFT_MSG_DELSET:
8636 list_del_rcu(&nft_trans_set(trans)->list);
8637 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
8638 NFT_MSG_DELSET, GFP_KERNEL);
8639 break;
8640 case NFT_MSG_NEWSETELEM:
8641 te = (struct nft_trans_elem *)trans->data;
8642
8643 nft_setelem_activate(net, te->set, &te->elem);
8644 nf_tables_setelem_notify(&trans->ctx, te->set,
8645 &te->elem,
8646 NFT_MSG_NEWSETELEM, 0);
8647 nft_trans_destroy(trans);
8648 break;
8649 case NFT_MSG_DELSETELEM:
8650 te = (struct nft_trans_elem *)trans->data;
8651
8652 nf_tables_setelem_notify(&trans->ctx, te->set,
8653 &te->elem,
8654 NFT_MSG_DELSETELEM, 0);
8655 nft_setelem_remove(net, te->set, &te->elem);
8656 if (!nft_setelem_is_catchall(te->set, &te->elem)) {
8657 atomic_dec(&te->set->nelems);
8658 te->set->ndeact--;
8659 }
8660 break;
8661 case NFT_MSG_NEWOBJ:
8662 if (nft_trans_obj_update(trans)) {
8663 nft_obj_commit_update(trans);
8664 nf_tables_obj_notify(&trans->ctx,
8665 nft_trans_obj(trans),
8666 NFT_MSG_NEWOBJ);
8667 } else {
8668 nft_clear(net, nft_trans_obj(trans));
8669 nf_tables_obj_notify(&trans->ctx,
8670 nft_trans_obj(trans),
8671 NFT_MSG_NEWOBJ);
8672 nft_trans_destroy(trans);
8673 }
8674 break;
8675 case NFT_MSG_DELOBJ:
8676 nft_obj_del(nft_trans_obj(trans));
8677 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
8678 NFT_MSG_DELOBJ);
8679 break;
8680 case NFT_MSG_NEWFLOWTABLE:
8681 if (nft_trans_flowtable_update(trans)) {
8682 nft_trans_flowtable(trans)->data.flags =
8683 nft_trans_flowtable_flags(trans);
8684 nf_tables_flowtable_notify(&trans->ctx,
8685 nft_trans_flowtable(trans),
8686 &nft_trans_flowtable_hooks(trans),
8687 NFT_MSG_NEWFLOWTABLE);
8688 list_splice(&nft_trans_flowtable_hooks(trans),
8689 &nft_trans_flowtable(trans)->hook_list);
8690 } else {
8691 nft_clear(net, nft_trans_flowtable(trans));
8692 nf_tables_flowtable_notify(&trans->ctx,
8693 nft_trans_flowtable(trans),
8694 &nft_trans_flowtable(trans)->hook_list,
8695 NFT_MSG_NEWFLOWTABLE);
8696 }
8697 nft_trans_destroy(trans);
8698 break;
8699 case NFT_MSG_DELFLOWTABLE:
8700 if (nft_trans_flowtable_update(trans)) {
8701 nft_flowtable_hooks_del(nft_trans_flowtable(trans),
8702 &nft_trans_flowtable_hooks(trans));
8703 nf_tables_flowtable_notify(&trans->ctx,
8704 nft_trans_flowtable(trans),
8705 &nft_trans_flowtable_hooks(trans),
8706 NFT_MSG_DELFLOWTABLE);
8707 nft_unregister_flowtable_net_hooks(net,
8708 &nft_trans_flowtable_hooks(trans));
8709 } else {
8710 list_del_rcu(&nft_trans_flowtable(trans)->list);
8711 nf_tables_flowtable_notify(&trans->ctx,
8712 nft_trans_flowtable(trans),
8713 &nft_trans_flowtable(trans)->hook_list,
8714 NFT_MSG_DELFLOWTABLE);
8715 nft_unregister_flowtable_net_hooks(net,
8716 &nft_trans_flowtable(trans)->hook_list);
8717 }
8718 break;
8719 }
8720 }
8721
8722 nft_commit_notify(net, NETLINK_CB(skb).portid);
8723 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
8724 nf_tables_commit_audit_log(&adl, nft_net->base_seq);
8725 nf_tables_commit_release(net);
8726
8727 return 0;
8728}
8729
8730static void nf_tables_module_autoload(struct net *net)
8731{
8732 struct nftables_pernet *nft_net = nft_pernet(net);
8733 struct nft_module_request *req, *next;
8734 LIST_HEAD(module_list);
8735
8736 list_splice_init(&nft_net->module_list, &module_list);
8737 mutex_unlock(&nft_net->commit_mutex);
8738 list_for_each_entry_safe(req, next, &module_list, list) {
8739 request_module("%s", req->module);
8740 req->done = true;
8741 }
8742 mutex_lock(&nft_net->commit_mutex);
8743 list_splice(&module_list, &nft_net->module_list);
8744}
8745
8746static void nf_tables_abort_release(struct nft_trans *trans)
8747{
8748 switch (trans->msg_type) {
8749 case NFT_MSG_NEWTABLE:
8750 nf_tables_table_destroy(&trans->ctx);
8751 break;
8752 case NFT_MSG_NEWCHAIN:
8753 nf_tables_chain_destroy(&trans->ctx);
8754 break;
8755 case NFT_MSG_NEWRULE:
8756 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
8757 break;
8758 case NFT_MSG_NEWSET:
8759 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
8760 break;
8761 case NFT_MSG_NEWSETELEM:
8762 nft_set_elem_destroy(nft_trans_elem_set(trans),
8763 nft_trans_elem(trans).priv, true);
8764 break;
8765 case NFT_MSG_NEWOBJ:
8766 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
8767 break;
8768 case NFT_MSG_NEWFLOWTABLE:
8769 if (nft_trans_flowtable_update(trans))
8770 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
8771 else
8772 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
8773 break;
8774 }
8775 kfree(trans);
8776}
8777
8778static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
8779{
8780 struct nftables_pernet *nft_net = nft_pernet(net);
8781 struct nft_trans *trans, *next;
8782 struct nft_trans_elem *te;
8783 struct nft_hook *hook;
8784
8785 if (action == NFNL_ABORT_VALIDATE &&
8786 nf_tables_validate(net) < 0)
8787 return -EAGAIN;
8788
8789 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list,
8790 list) {
8791 switch (trans->msg_type) {
8792 case NFT_MSG_NEWTABLE:
8793 if (nft_trans_table_update(trans)) {
8794 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {
8795 nft_trans_destroy(trans);
8796 break;
8797 }
8798 if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_DORMANT) {
8799 nf_tables_table_disable(net, trans->ctx.table);
8800 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
8801 } else if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_AWAKEN) {
8802 trans->ctx.table->flags &= ~NFT_TABLE_F_DORMANT;
8803 }
8804 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
8805 nft_trans_destroy(trans);
8806 } else {
8807 list_del_rcu(&trans->ctx.table->list);
8808 }
8809 break;
8810 case NFT_MSG_DELTABLE:
8811 nft_clear(trans->ctx.net, trans->ctx.table);
8812 nft_trans_destroy(trans);
8813 break;
8814 case NFT_MSG_NEWCHAIN:
8815 if (nft_trans_chain_update(trans)) {
8816 free_percpu(nft_trans_chain_stats(trans));
8817 kfree(nft_trans_chain_name(trans));
8818 nft_trans_destroy(trans);
8819 } else {
8820 if (nft_chain_is_bound(trans->ctx.chain)) {
8821 nft_trans_destroy(trans);
8822 break;
8823 }
8824 trans->ctx.table->use--;
8825 nft_chain_del(trans->ctx.chain);
8826 nf_tables_unregister_hook(trans->ctx.net,
8827 trans->ctx.table,
8828 trans->ctx.chain);
8829 }
8830 break;
8831 case NFT_MSG_DELCHAIN:
8832 trans->ctx.table->use++;
8833 nft_clear(trans->ctx.net, trans->ctx.chain);
8834 nft_trans_destroy(trans);
8835 break;
8836 case NFT_MSG_NEWRULE:
8837 trans->ctx.chain->use--;
8838 list_del_rcu(&nft_trans_rule(trans)->list);
8839 nft_rule_expr_deactivate(&trans->ctx,
8840 nft_trans_rule(trans),
8841 NFT_TRANS_ABORT);
8842 break;
8843 case NFT_MSG_DELRULE:
8844 trans->ctx.chain->use++;
8845 nft_clear(trans->ctx.net, nft_trans_rule(trans));
8846 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
8847 nft_trans_destroy(trans);
8848 break;
8849 case NFT_MSG_NEWSET:
8850 trans->ctx.table->use--;
8851 if (nft_trans_set_bound(trans)) {
8852 nft_trans_destroy(trans);
8853 break;
8854 }
8855 list_del_rcu(&nft_trans_set(trans)->list);
8856 break;
8857 case NFT_MSG_DELSET:
8858 trans->ctx.table->use++;
8859 nft_clear(trans->ctx.net, nft_trans_set(trans));
8860 nft_trans_destroy(trans);
8861 break;
8862 case NFT_MSG_NEWSETELEM:
8863 if (nft_trans_elem_set_bound(trans)) {
8864 nft_trans_destroy(trans);
8865 break;
8866 }
8867 te = (struct nft_trans_elem *)trans->data;
8868 nft_setelem_remove(net, te->set, &te->elem);
8869 if (!nft_setelem_is_catchall(te->set, &te->elem))
8870 atomic_dec(&te->set->nelems);
8871 break;
8872 case NFT_MSG_DELSETELEM:
8873 te = (struct nft_trans_elem *)trans->data;
8874
8875 nft_setelem_data_activate(net, te->set, &te->elem);
8876 nft_setelem_activate(net, te->set, &te->elem);
8877 if (!nft_setelem_is_catchall(te->set, &te->elem))
8878 te->set->ndeact--;
8879
8880 nft_trans_destroy(trans);
8881 break;
8882 case NFT_MSG_NEWOBJ:
8883 if (nft_trans_obj_update(trans)) {
8884 kfree(nft_trans_obj_newobj(trans));
8885 nft_trans_destroy(trans);
8886 } else {
8887 trans->ctx.table->use--;
8888 nft_obj_del(nft_trans_obj(trans));
8889 }
8890 break;
8891 case NFT_MSG_DELOBJ:
8892 trans->ctx.table->use++;
8893 nft_clear(trans->ctx.net, nft_trans_obj(trans));
8894 nft_trans_destroy(trans);
8895 break;
8896 case NFT_MSG_NEWFLOWTABLE:
8897 if (nft_trans_flowtable_update(trans)) {
8898 nft_unregister_flowtable_net_hooks(net,
8899 &nft_trans_flowtable_hooks(trans));
8900 } else {
8901 trans->ctx.table->use--;
8902 list_del_rcu(&nft_trans_flowtable(trans)->list);
8903 nft_unregister_flowtable_net_hooks(net,
8904 &nft_trans_flowtable(trans)->hook_list);
8905 }
8906 break;
8907 case NFT_MSG_DELFLOWTABLE:
8908 if (nft_trans_flowtable_update(trans)) {
8909 list_for_each_entry(hook, &nft_trans_flowtable(trans)->hook_list, list)
8910 hook->inactive = false;
8911 } else {
8912 trans->ctx.table->use++;
8913 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
8914 }
8915 nft_trans_destroy(trans);
8916 break;
8917 }
8918 }
8919
8920 synchronize_rcu();
8921
8922 list_for_each_entry_safe_reverse(trans, next,
8923 &nft_net->commit_list, list) {
8924 list_del(&trans->list);
8925 nf_tables_abort_release(trans);
8926 }
8927
8928 if (action == NFNL_ABORT_AUTOLOAD)
8929 nf_tables_module_autoload(net);
8930 else
8931 nf_tables_module_autoload_cleanup(net);
8932
8933 return 0;
8934}
8935
8936static void nf_tables_cleanup(struct net *net)
8937{
8938 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
8939}
8940
8941static int nf_tables_abort(struct net *net, struct sk_buff *skb,
8942 enum nfnl_abort_action action)
8943{
8944 struct nftables_pernet *nft_net = nft_pernet(net);
8945 int ret = __nf_tables_abort(net, action);
8946
8947 mutex_unlock(&nft_net->commit_mutex);
8948
8949 return ret;
8950}
8951
8952static bool nf_tables_valid_genid(struct net *net, u32 genid)
8953{
8954 struct nftables_pernet *nft_net = nft_pernet(net);
8955 bool genid_ok;
8956
8957 mutex_lock(&nft_net->commit_mutex);
8958
8959 genid_ok = genid == 0 || nft_net->base_seq == genid;
8960 if (!genid_ok)
8961 mutex_unlock(&nft_net->commit_mutex);
8962
8963
8964 return genid_ok;
8965}
8966
8967static const struct nfnetlink_subsystem nf_tables_subsys = {
8968 .name = "nf_tables",
8969 .subsys_id = NFNL_SUBSYS_NFTABLES,
8970 .cb_count = NFT_MSG_MAX,
8971 .cb = nf_tables_cb,
8972 .commit = nf_tables_commit,
8973 .abort = nf_tables_abort,
8974 .cleanup = nf_tables_cleanup,
8975 .valid_genid = nf_tables_valid_genid,
8976 .owner = THIS_MODULE,
8977};
8978
8979int nft_chain_validate_dependency(const struct nft_chain *chain,
8980 enum nft_chain_types type)
8981{
8982 const struct nft_base_chain *basechain;
8983
8984 if (nft_is_base_chain(chain)) {
8985 basechain = nft_base_chain(chain);
8986 if (basechain->type->type != type)
8987 return -EOPNOTSUPP;
8988 }
8989 return 0;
8990}
8991EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
8992
8993int nft_chain_validate_hooks(const struct nft_chain *chain,
8994 unsigned int hook_flags)
8995{
8996 struct nft_base_chain *basechain;
8997
8998 if (nft_is_base_chain(chain)) {
8999 basechain = nft_base_chain(chain);
9000
9001 if ((1 << basechain->ops.hooknum) & hook_flags)
9002 return 0;
9003
9004 return -EOPNOTSUPP;
9005 }
9006
9007 return 0;
9008}
9009EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
9010
9011
9012
9013
9014
9015
9016
9017
9018
9019
9020static int nf_tables_check_loops(const struct nft_ctx *ctx,
9021 const struct nft_chain *chain);
9022
9023static int nft_check_loops(const struct nft_ctx *ctx,
9024 const struct nft_set_ext *ext)
9025{
9026 const struct nft_data *data;
9027 int ret;
9028
9029 data = nft_set_ext_data(ext);
9030 switch (data->verdict.code) {
9031 case NFT_JUMP:
9032 case NFT_GOTO:
9033 ret = nf_tables_check_loops(ctx, data->verdict.chain);
9034 break;
9035 default:
9036 ret = 0;
9037 break;
9038 }
9039
9040 return ret;
9041}
9042
9043static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
9044 struct nft_set *set,
9045 const struct nft_set_iter *iter,
9046 struct nft_set_elem *elem)
9047{
9048 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
9049
9050 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
9051 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
9052 return 0;
9053
9054 return nft_check_loops(ctx, ext);
9055}
9056
9057static int nft_set_catchall_loops(const struct nft_ctx *ctx,
9058 struct nft_set *set)
9059{
9060 u8 genmask = nft_genmask_next(ctx->net);
9061 struct nft_set_elem_catchall *catchall;
9062 struct nft_set_ext *ext;
9063 int ret = 0;
9064
9065 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
9066 ext = nft_set_elem_ext(set, catchall->elem);
9067 if (!nft_set_elem_active(ext, genmask))
9068 continue;
9069
9070 ret = nft_check_loops(ctx, ext);
9071 if (ret < 0)
9072 return ret;
9073 }
9074
9075 return ret;
9076}
9077
9078static int nf_tables_check_loops(const struct nft_ctx *ctx,
9079 const struct nft_chain *chain)
9080{
9081 const struct nft_rule *rule;
9082 const struct nft_expr *expr, *last;
9083 struct nft_set *set;
9084 struct nft_set_binding *binding;
9085 struct nft_set_iter iter;
9086
9087 if (ctx->chain == chain)
9088 return -ELOOP;
9089
9090 list_for_each_entry(rule, &chain->rules, list) {
9091 nft_rule_for_each_expr(expr, last, rule) {
9092 struct nft_immediate_expr *priv;
9093 const struct nft_data *data;
9094 int err;
9095
9096 if (strcmp(expr->ops->type->name, "immediate"))
9097 continue;
9098
9099 priv = nft_expr_priv(expr);
9100 if (priv->dreg != NFT_REG_VERDICT)
9101 continue;
9102
9103 data = &priv->data;
9104 switch (data->verdict.code) {
9105 case NFT_JUMP:
9106 case NFT_GOTO:
9107 err = nf_tables_check_loops(ctx,
9108 data->verdict.chain);
9109 if (err < 0)
9110 return err;
9111 break;
9112 default:
9113 break;
9114 }
9115 }
9116 }
9117
9118 list_for_each_entry(set, &ctx->table->sets, list) {
9119 if (!nft_is_active_next(ctx->net, set))
9120 continue;
9121 if (!(set->flags & NFT_SET_MAP) ||
9122 set->dtype != NFT_DATA_VERDICT)
9123 continue;
9124
9125 list_for_each_entry(binding, &set->bindings, list) {
9126 if (!(binding->flags & NFT_SET_MAP) ||
9127 binding->chain != chain)
9128 continue;
9129
9130 iter.genmask = nft_genmask_next(ctx->net);
9131 iter.skip = 0;
9132 iter.count = 0;
9133 iter.err = 0;
9134 iter.fn = nf_tables_loop_check_setelem;
9135
9136 set->ops->walk(ctx, set, &iter);
9137 if (!iter.err)
9138 iter.err = nft_set_catchall_loops(ctx, set);
9139
9140 if (iter.err < 0)
9141 return iter.err;
9142 }
9143 }
9144
9145 return 0;
9146}
9147
9148
9149
9150
9151
9152
9153
9154
9155
9156
9157
9158
9159
9160int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
9161{
9162 u32 val;
9163
9164 val = ntohl(nla_get_be32(attr));
9165 if (val > max)
9166 return -ERANGE;
9167
9168 *dest = val;
9169 return 0;
9170}
9171EXPORT_SYMBOL_GPL(nft_parse_u32_check);
9172
9173static unsigned int nft_parse_register(const struct nlattr *attr)
9174{
9175 unsigned int reg;
9176
9177 reg = ntohl(nla_get_be32(attr));
9178 switch (reg) {
9179 case NFT_REG_VERDICT...NFT_REG_4:
9180 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
9181 default:
9182 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
9183 }
9184}
9185
9186
9187
9188
9189
9190
9191
9192
9193
9194
9195
9196
9197int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
9198{
9199 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
9200 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
9201 else
9202 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
9203
9204 return nla_put_be32(skb, attr, htonl(reg));
9205}
9206EXPORT_SYMBOL_GPL(nft_dump_register);
9207
9208static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
9209{
9210 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
9211 return -EINVAL;
9212 if (len == 0)
9213 return -EINVAL;
9214 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
9215 return -ERANGE;
9216
9217 return 0;
9218}
9219
9220int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
9221{
9222 u32 reg;
9223 int err;
9224
9225 reg = nft_parse_register(attr);
9226 err = nft_validate_register_load(reg, len);
9227 if (err < 0)
9228 return err;
9229
9230 *sreg = reg;
9231 return 0;
9232}
9233EXPORT_SYMBOL_GPL(nft_parse_register_load);
9234
9235static int nft_validate_register_store(const struct nft_ctx *ctx,
9236 enum nft_registers reg,
9237 const struct nft_data *data,
9238 enum nft_data_types type,
9239 unsigned int len)
9240{
9241 int err;
9242
9243 switch (reg) {
9244 case NFT_REG_VERDICT:
9245 if (type != NFT_DATA_VERDICT)
9246 return -EINVAL;
9247
9248 if (data != NULL &&
9249 (data->verdict.code == NFT_GOTO ||
9250 data->verdict.code == NFT_JUMP)) {
9251 err = nf_tables_check_loops(ctx, data->verdict.chain);
9252 if (err < 0)
9253 return err;
9254 }
9255
9256 return 0;
9257 default:
9258 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
9259 return -EINVAL;
9260 if (len == 0)
9261 return -EINVAL;
9262 if (reg * NFT_REG32_SIZE + len >
9263 sizeof_field(struct nft_regs, data))
9264 return -ERANGE;
9265
9266 if (data != NULL && type != NFT_DATA_VALUE)
9267 return -EINVAL;
9268 return 0;
9269 }
9270}
9271
9272int nft_parse_register_store(const struct nft_ctx *ctx,
9273 const struct nlattr *attr, u8 *dreg,
9274 const struct nft_data *data,
9275 enum nft_data_types type, unsigned int len)
9276{
9277 int err;
9278 u32 reg;
9279
9280 reg = nft_parse_register(attr);
9281 err = nft_validate_register_store(ctx, reg, data, type, len);
9282 if (err < 0)
9283 return err;
9284
9285 *dreg = reg;
9286 return 0;
9287}
9288EXPORT_SYMBOL_GPL(nft_parse_register_store);
9289
9290static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
9291 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
9292 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
9293 .len = NFT_CHAIN_MAXNAMELEN - 1 },
9294 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
9295};
9296
9297static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
9298 struct nft_data_desc *desc, const struct nlattr *nla)
9299{
9300 u8 genmask = nft_genmask_next(ctx->net);
9301 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
9302 struct nft_chain *chain;
9303 int err;
9304
9305 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
9306 nft_verdict_policy, NULL);
9307 if (err < 0)
9308 return err;
9309
9310 if (!tb[NFTA_VERDICT_CODE])
9311 return -EINVAL;
9312 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
9313
9314 switch (data->verdict.code) {
9315 default:
9316 switch (data->verdict.code & NF_VERDICT_MASK) {
9317 case NF_ACCEPT:
9318 case NF_DROP:
9319 case NF_QUEUE:
9320 break;
9321 default:
9322 return -EINVAL;
9323 }
9324 fallthrough;
9325 case NFT_CONTINUE:
9326 case NFT_BREAK:
9327 case NFT_RETURN:
9328 break;
9329 case NFT_JUMP:
9330 case NFT_GOTO:
9331 if (tb[NFTA_VERDICT_CHAIN]) {
9332 chain = nft_chain_lookup(ctx->net, ctx->table,
9333 tb[NFTA_VERDICT_CHAIN],
9334 genmask);
9335 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
9336 chain = nft_chain_lookup_byid(ctx->net,
9337 tb[NFTA_VERDICT_CHAIN_ID]);
9338 if (IS_ERR(chain))
9339 return PTR_ERR(chain);
9340 } else {
9341 return -EINVAL;
9342 }
9343
9344 if (IS_ERR(chain))
9345 return PTR_ERR(chain);
9346 if (nft_is_base_chain(chain))
9347 return -EOPNOTSUPP;
9348
9349 chain->use++;
9350 data->verdict.chain = chain;
9351 break;
9352 }
9353
9354 desc->len = sizeof(data->verdict);
9355 desc->type = NFT_DATA_VERDICT;
9356 return 0;
9357}
9358
9359static void nft_verdict_uninit(const struct nft_data *data)
9360{
9361 struct nft_chain *chain;
9362 struct nft_rule *rule;
9363
9364 switch (data->verdict.code) {
9365 case NFT_JUMP:
9366 case NFT_GOTO:
9367 chain = data->verdict.chain;
9368 chain->use--;
9369
9370 if (!nft_chain_is_bound(chain))
9371 break;
9372
9373 chain->table->use--;
9374 list_for_each_entry(rule, &chain->rules, list)
9375 chain->use--;
9376
9377 nft_chain_del(chain);
9378 break;
9379 }
9380}
9381
9382int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
9383{
9384 struct nlattr *nest;
9385
9386 nest = nla_nest_start_noflag(skb, type);
9387 if (!nest)
9388 goto nla_put_failure;
9389
9390 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
9391 goto nla_put_failure;
9392
9393 switch (v->code) {
9394 case NFT_JUMP:
9395 case NFT_GOTO:
9396 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
9397 v->chain->name))
9398 goto nla_put_failure;
9399 }
9400 nla_nest_end(skb, nest);
9401 return 0;
9402
9403nla_put_failure:
9404 return -1;
9405}
9406
9407static int nft_value_init(const struct nft_ctx *ctx,
9408 struct nft_data *data, unsigned int size,
9409 struct nft_data_desc *desc, const struct nlattr *nla)
9410{
9411 unsigned int len;
9412
9413 len = nla_len(nla);
9414 if (len == 0)
9415 return -EINVAL;
9416 if (len > size)
9417 return -EOVERFLOW;
9418
9419 nla_memcpy(data->data, nla, len);
9420 desc->type = NFT_DATA_VALUE;
9421 desc->len = len;
9422 return 0;
9423}
9424
9425static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
9426 unsigned int len)
9427{
9428 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
9429}
9430
9431static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
9432 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
9433 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
9434};
9435
9436
9437
9438
9439
9440
9441
9442
9443
9444
9445
9446
9447
9448
9449
9450
9451int nft_data_init(const struct nft_ctx *ctx,
9452 struct nft_data *data, unsigned int size,
9453 struct nft_data_desc *desc, const struct nlattr *nla)
9454{
9455 struct nlattr *tb[NFTA_DATA_MAX + 1];
9456 int err;
9457
9458 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
9459 nft_data_policy, NULL);
9460 if (err < 0)
9461 return err;
9462
9463 if (tb[NFTA_DATA_VALUE])
9464 return nft_value_init(ctx, data, size, desc,
9465 tb[NFTA_DATA_VALUE]);
9466 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
9467 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
9468 return -EINVAL;
9469}
9470EXPORT_SYMBOL_GPL(nft_data_init);
9471
9472
9473
9474
9475
9476
9477
9478
9479
9480
9481void nft_data_release(const struct nft_data *data, enum nft_data_types type)
9482{
9483 if (type < NFT_DATA_VERDICT)
9484 return;
9485 switch (type) {
9486 case NFT_DATA_VERDICT:
9487 return nft_verdict_uninit(data);
9488 default:
9489 WARN_ON(1);
9490 }
9491}
9492EXPORT_SYMBOL_GPL(nft_data_release);
9493
9494int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
9495 enum nft_data_types type, unsigned int len)
9496{
9497 struct nlattr *nest;
9498 int err;
9499
9500 nest = nla_nest_start_noflag(skb, attr);
9501 if (nest == NULL)
9502 return -1;
9503
9504 switch (type) {
9505 case NFT_DATA_VALUE:
9506 err = nft_value_dump(skb, data, len);
9507 break;
9508 case NFT_DATA_VERDICT:
9509 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
9510 break;
9511 default:
9512 err = -EINVAL;
9513 WARN_ON(1);
9514 }
9515
9516 nla_nest_end(skb, nest);
9517 return err;
9518}
9519EXPORT_SYMBOL_GPL(nft_data_dump);
9520
9521int __nft_release_basechain(struct nft_ctx *ctx)
9522{
9523 struct nft_rule *rule, *nr;
9524
9525 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
9526 return 0;
9527
9528 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
9529 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
9530 list_del(&rule->list);
9531 ctx->chain->use--;
9532 nf_tables_rule_release(ctx, rule);
9533 }
9534 nft_chain_del(ctx->chain);
9535 ctx->table->use--;
9536 nf_tables_chain_destroy(ctx);
9537
9538 return 0;
9539}
9540EXPORT_SYMBOL_GPL(__nft_release_basechain);
9541
9542static void __nft_release_hook(struct net *net, struct nft_table *table)
9543{
9544 struct nft_chain *chain;
9545
9546 list_for_each_entry(chain, &table->chains, list)
9547 nf_tables_unregister_hook(net, table, chain);
9548}
9549
9550static void __nft_release_hooks(struct net *net)
9551{
9552 struct nftables_pernet *nft_net = nft_pernet(net);
9553 struct nft_table *table;
9554
9555 list_for_each_entry(table, &nft_net->tables, list) {
9556 if (nft_table_has_owner(table))
9557 continue;
9558
9559 __nft_release_hook(net, table);
9560 }
9561}
9562
9563static void __nft_release_table(struct net *net, struct nft_table *table)
9564{
9565 struct nft_flowtable *flowtable, *nf;
9566 struct nft_chain *chain, *nc;
9567 struct nft_object *obj, *ne;
9568 struct nft_rule *rule, *nr;
9569 struct nft_set *set, *ns;
9570 struct nft_ctx ctx = {
9571 .net = net,
9572 .family = NFPROTO_NETDEV,
9573 };
9574
9575 ctx.family = table->family;
9576 ctx.table = table;
9577 list_for_each_entry(chain, &table->chains, list) {
9578 ctx.chain = chain;
9579 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
9580 list_del(&rule->list);
9581 chain->use--;
9582 nf_tables_rule_release(&ctx, rule);
9583 }
9584 }
9585 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
9586 list_del(&flowtable->list);
9587 table->use--;
9588 nf_tables_flowtable_destroy(flowtable);
9589 }
9590 list_for_each_entry_safe(set, ns, &table->sets, list) {
9591 list_del(&set->list);
9592 table->use--;
9593 nft_set_destroy(&ctx, set);
9594 }
9595 list_for_each_entry_safe(obj, ne, &table->objects, list) {
9596 nft_obj_del(obj);
9597 table->use--;
9598 nft_obj_destroy(&ctx, obj);
9599 }
9600 list_for_each_entry_safe(chain, nc, &table->chains, list) {
9601 ctx.chain = chain;
9602 nft_chain_del(chain);
9603 table->use--;
9604 nf_tables_chain_destroy(&ctx);
9605 }
9606 list_del(&table->list);
9607 nf_tables_table_destroy(&ctx);
9608}
9609
9610static void __nft_release_tables(struct net *net)
9611{
9612 struct nftables_pernet *nft_net = nft_pernet(net);
9613 struct nft_table *table, *nt;
9614
9615 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
9616 if (nft_table_has_owner(table))
9617 continue;
9618
9619 __nft_release_table(net, table);
9620 }
9621}
9622
9623static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
9624 void *ptr)
9625{
9626 struct nftables_pernet *nft_net;
9627 struct netlink_notify *n = ptr;
9628 struct nft_table *table, *nt;
9629 struct net *net = n->net;
9630 bool release = false;
9631
9632 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
9633 return NOTIFY_DONE;
9634
9635 nft_net = nft_pernet(net);
9636 mutex_lock(&nft_net->commit_mutex);
9637 list_for_each_entry(table, &nft_net->tables, list) {
9638 if (nft_table_has_owner(table) &&
9639 n->portid == table->nlpid) {
9640 __nft_release_hook(net, table);
9641 release = true;
9642 }
9643 }
9644 if (release) {
9645 synchronize_rcu();
9646 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
9647 if (nft_table_has_owner(table) &&
9648 n->portid == table->nlpid)
9649 __nft_release_table(net, table);
9650 }
9651 }
9652 mutex_unlock(&nft_net->commit_mutex);
9653
9654 return NOTIFY_DONE;
9655}
9656
9657static struct notifier_block nft_nl_notifier = {
9658 .notifier_call = nft_rcv_nl_event,
9659};
9660
9661static int __net_init nf_tables_init_net(struct net *net)
9662{
9663 struct nftables_pernet *nft_net = nft_pernet(net);
9664
9665 INIT_LIST_HEAD(&nft_net->tables);
9666 INIT_LIST_HEAD(&nft_net->commit_list);
9667 INIT_LIST_HEAD(&nft_net->module_list);
9668 INIT_LIST_HEAD(&nft_net->notify_list);
9669 mutex_init(&nft_net->commit_mutex);
9670 nft_net->base_seq = 1;
9671 nft_net->validate_state = NFT_VALIDATE_SKIP;
9672
9673 return 0;
9674}
9675
9676static void __net_exit nf_tables_pre_exit_net(struct net *net)
9677{
9678 __nft_release_hooks(net);
9679}
9680
9681static void __net_exit nf_tables_exit_net(struct net *net)
9682{
9683 struct nftables_pernet *nft_net = nft_pernet(net);
9684
9685 mutex_lock(&nft_net->commit_mutex);
9686 if (!list_empty(&nft_net->commit_list))
9687 __nf_tables_abort(net, NFNL_ABORT_NONE);
9688 __nft_release_tables(net);
9689 mutex_unlock(&nft_net->commit_mutex);
9690 WARN_ON_ONCE(!list_empty(&nft_net->tables));
9691 WARN_ON_ONCE(!list_empty(&nft_net->module_list));
9692 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
9693}
9694
9695static struct pernet_operations nf_tables_net_ops = {
9696 .init = nf_tables_init_net,
9697 .pre_exit = nf_tables_pre_exit_net,
9698 .exit = nf_tables_exit_net,
9699 .id = &nf_tables_net_id,
9700 .size = sizeof(struct nftables_pernet),
9701};
9702
9703static int __init nf_tables_module_init(void)
9704{
9705 int err;
9706
9707 err = register_pernet_subsys(&nf_tables_net_ops);
9708 if (err < 0)
9709 return err;
9710
9711 err = nft_chain_filter_init();
9712 if (err < 0)
9713 goto err_chain_filter;
9714
9715 err = nf_tables_core_module_init();
9716 if (err < 0)
9717 goto err_core_module;
9718
9719 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
9720 if (err < 0)
9721 goto err_netdev_notifier;
9722
9723 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
9724 if (err < 0)
9725 goto err_rht_objname;
9726
9727 err = nft_offload_init();
9728 if (err < 0)
9729 goto err_offload;
9730
9731 err = netlink_register_notifier(&nft_nl_notifier);
9732 if (err < 0)
9733 goto err_netlink_notifier;
9734
9735
9736 err = nfnetlink_subsys_register(&nf_tables_subsys);
9737 if (err < 0)
9738 goto err_nfnl_subsys;
9739
9740 nft_chain_route_init();
9741
9742 return err;
9743
9744err_nfnl_subsys:
9745 netlink_unregister_notifier(&nft_nl_notifier);
9746err_netlink_notifier:
9747 nft_offload_exit();
9748err_offload:
9749 rhltable_destroy(&nft_objname_ht);
9750err_rht_objname:
9751 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
9752err_netdev_notifier:
9753 nf_tables_core_module_exit();
9754err_core_module:
9755 nft_chain_filter_fini();
9756err_chain_filter:
9757 unregister_pernet_subsys(&nf_tables_net_ops);
9758 return err;
9759}
9760
9761static void __exit nf_tables_module_exit(void)
9762{
9763 nfnetlink_subsys_unregister(&nf_tables_subsys);
9764 netlink_unregister_notifier(&nft_nl_notifier);
9765 nft_offload_exit();
9766 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
9767 nft_chain_filter_fini();
9768 nft_chain_route_fini();
9769 unregister_pernet_subsys(&nf_tables_net_ops);
9770 cancel_work_sync(&trans_destroy_work);
9771 rcu_barrier();
9772 rhltable_destroy(&nft_objname_ht);
9773 nf_tables_core_module_exit();
9774}
9775
9776module_init(nf_tables_module_init);
9777module_exit(nf_tables_module_exit);
9778
9779MODULE_LICENSE("GPL");
9780MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
9781MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
9782
