1
2
3
4
5
6
7
8#include <linux/module.h>
9#include <linux/init.h>
10#include <linux/list.h>
11#include <linux/skbuff.h>
12#include <linux/netlink.h>
13#include <linux/vmalloc.h>
14#include <linux/rhashtable.h>
15#include <linux/audit.h>
16#include <linux/netfilter.h>
17#include <linux/netfilter/nfnetlink.h>
18#include <linux/netfilter/nf_tables.h>
19#include <net/netfilter/nf_flow_table.h>
20#include <net/netfilter/nf_tables_core.h>
21#include <net/netfilter/nf_tables.h>
22#include <net/netfilter/nf_tables_offload.h>
23#include <net/net_namespace.h>
24#include <net/sock.h>
25
26#define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
27
28unsigned int nf_tables_net_id __read_mostly;
29
30static LIST_HEAD(nf_tables_expressions);
31static LIST_HEAD(nf_tables_objects);
32static LIST_HEAD(nf_tables_flowtables);
33static LIST_HEAD(nf_tables_destroy_list);
34static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
35static u64 table_handle;
36
37enum {
38 NFT_VALIDATE_SKIP = 0,
39 NFT_VALIDATE_NEED,
40 NFT_VALIDATE_DO,
41};
42
43static struct rhltable nft_objname_ht;
44
45static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
46static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
47static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
48
49static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
50static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
51static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
52
53static const struct rhashtable_params nft_chain_ht_params = {
54 .head_offset = offsetof(struct nft_chain, rhlhead),
55 .key_offset = offsetof(struct nft_chain, name),
56 .hashfn = nft_chain_hash,
57 .obj_hashfn = nft_chain_hash_obj,
58 .obj_cmpfn = nft_chain_hash_cmp,
59 .automatic_shrinking = true,
60};
61
62static const struct rhashtable_params nft_objname_ht_params = {
63 .head_offset = offsetof(struct nft_object, rhlhead),
64 .key_offset = offsetof(struct nft_object, key),
65 .hashfn = nft_objname_hash,
66 .obj_hashfn = nft_objname_hash_obj,
67 .obj_cmpfn = nft_objname_hash_cmp,
68 .automatic_shrinking = true,
69};
70
71struct nft_audit_data {
72 struct nft_table *table;
73 int entries;
74 int op;
75 struct list_head list;
76};
77
78static const u8 nft2audit_op[NFT_MSG_MAX] = {
79 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER,
80 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID,
81 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER,
82 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER,
83 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID,
84 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER,
85 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER,
86 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID,
87 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER,
88 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER,
89 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID,
90 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER,
91 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER,
92 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID,
93 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER,
94 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER,
95 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID,
96 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID,
97 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER,
98 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID,
99 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER,
100 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET,
101 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER,
102 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID,
103 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
104};
105
106static void nft_validate_state_update(struct net *net, u8 new_validate_state)
107{
108 struct nftables_pernet *nft_net = nft_pernet(net);
109
110 switch (nft_net->validate_state) {
111 case NFT_VALIDATE_SKIP:
112 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
113 break;
114 case NFT_VALIDATE_NEED:
115 break;
116 case NFT_VALIDATE_DO:
117 if (new_validate_state == NFT_VALIDATE_NEED)
118 return;
119 }
120
121 nft_net->validate_state = new_validate_state;
122}
123static void nf_tables_trans_destroy_work(struct work_struct *w);
124static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
125
126static void nft_ctx_init(struct nft_ctx *ctx,
127 struct net *net,
128 const struct sk_buff *skb,
129 const struct nlmsghdr *nlh,
130 u8 family,
131 struct nft_table *table,
132 struct nft_chain *chain,
133 const struct nlattr * const *nla)
134{
135 ctx->net = net;
136 ctx->family = family;
137 ctx->level = 0;
138 ctx->table = table;
139 ctx->chain = chain;
140 ctx->nla = nla;
141 ctx->portid = NETLINK_CB(skb).portid;
142 ctx->report = nlmsg_report(nlh);
143 ctx->flags = nlh->nlmsg_flags;
144 ctx->seq = nlh->nlmsg_seq;
145}
146
147static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
148 int msg_type, u32 size, gfp_t gfp)
149{
150 struct nft_trans *trans;
151
152 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
153 if (trans == NULL)
154 return NULL;
155
156 trans->msg_type = msg_type;
157 trans->ctx = *ctx;
158
159 return trans;
160}
161
162static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
163 int msg_type, u32 size)
164{
165 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
166}
167
168static void nft_trans_destroy(struct nft_trans *trans)
169{
170 list_del(&trans->list);
171 kfree(trans);
172}
173
174static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
175{
176 struct nftables_pernet *nft_net;
177 struct net *net = ctx->net;
178 struct nft_trans *trans;
179
180 if (!nft_set_is_anonymous(set))
181 return;
182
183 nft_net = nft_pernet(net);
184 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
185 switch (trans->msg_type) {
186 case NFT_MSG_NEWSET:
187 if (nft_trans_set(trans) == set)
188 nft_trans_set_bound(trans) = true;
189 break;
190 case NFT_MSG_NEWSETELEM:
191 if (nft_trans_elem_set(trans) == set)
192 nft_trans_elem_set_bound(trans) = true;
193 break;
194 }
195 }
196}
197
198static int nft_netdev_register_hooks(struct net *net,
199 struct list_head *hook_list)
200{
201 struct nft_hook *hook;
202 int err, j;
203
204 j = 0;
205 list_for_each_entry(hook, hook_list, list) {
206 err = nf_register_net_hook(net, &hook->ops);
207 if (err < 0)
208 goto err_register;
209
210 j++;
211 }
212 return 0;
213
214err_register:
215 list_for_each_entry(hook, hook_list, list) {
216 if (j-- <= 0)
217 break;
218
219 nf_unregister_net_hook(net, &hook->ops);
220 }
221 return err;
222}
223
224static void nft_netdev_unregister_hooks(struct net *net,
225 struct list_head *hook_list)
226{
227 struct nft_hook *hook;
228
229 list_for_each_entry(hook, hook_list, list)
230 nf_unregister_net_hook(net, &hook->ops);
231}
232
233static int nf_tables_register_hook(struct net *net,
234 const struct nft_table *table,
235 struct nft_chain *chain)
236{
237 struct nft_base_chain *basechain;
238 const struct nf_hook_ops *ops;
239
240 if (table->flags & NFT_TABLE_F_DORMANT ||
241 !nft_is_base_chain(chain))
242 return 0;
243
244 basechain = nft_base_chain(chain);
245 ops = &basechain->ops;
246
247 if (basechain->type->ops_register)
248 return basechain->type->ops_register(net, ops);
249
250 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
251 return nft_netdev_register_hooks(net, &basechain->hook_list);
252
253 return nf_register_net_hook(net, &basechain->ops);
254}
255
256static void nf_tables_unregister_hook(struct net *net,
257 const struct nft_table *table,
258 struct nft_chain *chain)
259{
260 struct nft_base_chain *basechain;
261 const struct nf_hook_ops *ops;
262
263 if (table->flags & NFT_TABLE_F_DORMANT ||
264 !nft_is_base_chain(chain))
265 return;
266 basechain = nft_base_chain(chain);
267 ops = &basechain->ops;
268
269 if (basechain->type->ops_unregister)
270 return basechain->type->ops_unregister(net, ops);
271
272 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
273 nft_netdev_unregister_hooks(net, &basechain->hook_list);
274 else
275 nf_unregister_net_hook(net, &basechain->ops);
276}
277
278static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans)
279{
280 struct nftables_pernet *nft_net = nft_pernet(net);
281
282 list_add_tail(&trans->list, &nft_net->commit_list);
283}
284
285static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
286{
287 struct nft_trans *trans;
288
289 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
290 if (trans == NULL)
291 return -ENOMEM;
292
293 if (msg_type == NFT_MSG_NEWTABLE)
294 nft_activate_next(ctx->net, ctx->table);
295
296 nft_trans_commit_list_add_tail(ctx->net, trans);
297 return 0;
298}
299
300static int nft_deltable(struct nft_ctx *ctx)
301{
302 int err;
303
304 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
305 if (err < 0)
306 return err;
307
308 nft_deactivate_next(ctx->net, ctx->table);
309 return err;
310}
311
312static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
313{
314 struct nft_trans *trans;
315
316 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
317 if (trans == NULL)
318 return ERR_PTR(-ENOMEM);
319
320 if (msg_type == NFT_MSG_NEWCHAIN) {
321 nft_activate_next(ctx->net, ctx->chain);
322
323 if (ctx->nla[NFTA_CHAIN_ID]) {
324 nft_trans_chain_id(trans) =
325 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
326 }
327 }
328
329 nft_trans_commit_list_add_tail(ctx->net, trans);
330 return trans;
331}
332
333static int nft_delchain(struct nft_ctx *ctx)
334{
335 struct nft_trans *trans;
336
337 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
338 if (IS_ERR(trans))
339 return PTR_ERR(trans);
340
341 ctx->table->use--;
342 nft_deactivate_next(ctx->net, ctx->chain);
343
344 return 0;
345}
346
347static void nft_rule_expr_activate(const struct nft_ctx *ctx,
348 struct nft_rule *rule)
349{
350 struct nft_expr *expr;
351
352 expr = nft_expr_first(rule);
353 while (nft_expr_more(rule, expr)) {
354 if (expr->ops->activate)
355 expr->ops->activate(ctx, expr);
356
357 expr = nft_expr_next(expr);
358 }
359}
360
361static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
362 struct nft_rule *rule,
363 enum nft_trans_phase phase)
364{
365 struct nft_expr *expr;
366
367 expr = nft_expr_first(rule);
368 while (nft_expr_more(rule, expr)) {
369 if (expr->ops->deactivate)
370 expr->ops->deactivate(ctx, expr, phase);
371
372 expr = nft_expr_next(expr);
373 }
374}
375
376static int
377nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
378{
379
380 if (nft_is_active_next(ctx->net, rule)) {
381 nft_deactivate_next(ctx->net, rule);
382 ctx->chain->use--;
383 return 0;
384 }
385 return -ENOENT;
386}
387
388static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
389 struct nft_rule *rule)
390{
391 struct nft_trans *trans;
392
393 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
394 if (trans == NULL)
395 return NULL;
396
397 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
398 nft_trans_rule_id(trans) =
399 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
400 }
401 nft_trans_rule(trans) = rule;
402 nft_trans_commit_list_add_tail(ctx->net, trans);
403
404 return trans;
405}
406
407static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
408{
409 struct nft_flow_rule *flow;
410 struct nft_trans *trans;
411 int err;
412
413 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
414 if (trans == NULL)
415 return -ENOMEM;
416
417 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
418 flow = nft_flow_rule_create(ctx->net, rule);
419 if (IS_ERR(flow)) {
420 nft_trans_destroy(trans);
421 return PTR_ERR(flow);
422 }
423
424 nft_trans_flow_rule(trans) = flow;
425 }
426
427 err = nf_tables_delrule_deactivate(ctx, rule);
428 if (err < 0) {
429 nft_trans_destroy(trans);
430 return err;
431 }
432 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
433
434 return 0;
435}
436
437static int nft_delrule_by_chain(struct nft_ctx *ctx)
438{
439 struct nft_rule *rule;
440 int err;
441
442 list_for_each_entry(rule, &ctx->chain->rules, list) {
443 if (!nft_is_active_next(ctx->net, rule))
444 continue;
445
446 err = nft_delrule(ctx, rule);
447 if (err < 0)
448 return err;
449 }
450 return 0;
451}
452
453static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
454 struct nft_set *set)
455{
456 struct nft_trans *trans;
457
458 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
459 if (trans == NULL)
460 return -ENOMEM;
461
462 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
463 nft_trans_set_id(trans) =
464 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
465 nft_activate_next(ctx->net, set);
466 }
467 nft_trans_set(trans) = set;
468 nft_trans_commit_list_add_tail(ctx->net, trans);
469
470 return 0;
471}
472
473static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
474{
475 int err;
476
477 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
478 if (err < 0)
479 return err;
480
481 nft_deactivate_next(ctx->net, set);
482 ctx->table->use--;
483
484 return err;
485}
486
487static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
488 struct nft_object *obj)
489{
490 struct nft_trans *trans;
491
492 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
493 if (trans == NULL)
494 return -ENOMEM;
495
496 if (msg_type == NFT_MSG_NEWOBJ)
497 nft_activate_next(ctx->net, obj);
498
499 nft_trans_obj(trans) = obj;
500 nft_trans_commit_list_add_tail(ctx->net, trans);
501
502 return 0;
503}
504
505static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
506{
507 int err;
508
509 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
510 if (err < 0)
511 return err;
512
513 nft_deactivate_next(ctx->net, obj);
514 ctx->table->use--;
515
516 return err;
517}
518
519static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
520 struct nft_flowtable *flowtable)
521{
522 struct nft_trans *trans;
523
524 trans = nft_trans_alloc(ctx, msg_type,
525 sizeof(struct nft_trans_flowtable));
526 if (trans == NULL)
527 return -ENOMEM;
528
529 if (msg_type == NFT_MSG_NEWFLOWTABLE)
530 nft_activate_next(ctx->net, flowtable);
531
532 nft_trans_flowtable(trans) = flowtable;
533 nft_trans_commit_list_add_tail(ctx->net, trans);
534
535 return 0;
536}
537
538static int nft_delflowtable(struct nft_ctx *ctx,
539 struct nft_flowtable *flowtable)
540{
541 int err;
542
543 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
544 if (err < 0)
545 return err;
546
547 nft_deactivate_next(ctx->net, flowtable);
548 ctx->table->use--;
549
550 return err;
551}
552
553static void __nft_reg_track_clobber(struct nft_regs_track *track, u8 dreg)
554{
555 int i;
556
557 for (i = track->regs[dreg].num_reg; i > 0; i--)
558 __nft_reg_track_cancel(track, dreg - i);
559}
560
561static void __nft_reg_track_update(struct nft_regs_track *track,
562 const struct nft_expr *expr,
563 u8 dreg, u8 num_reg)
564{
565 track->regs[dreg].selector = expr;
566 track->regs[dreg].bitwise = NULL;
567 track->regs[dreg].num_reg = num_reg;
568}
569
570void nft_reg_track_update(struct nft_regs_track *track,
571 const struct nft_expr *expr, u8 dreg, u8 len)
572{
573 unsigned int regcount;
574 int i;
575
576 __nft_reg_track_clobber(track, dreg);
577
578 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
579 for (i = 0; i < regcount; i++, dreg++)
580 __nft_reg_track_update(track, expr, dreg, i);
581}
582EXPORT_SYMBOL_GPL(nft_reg_track_update);
583
584void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len)
585{
586 unsigned int regcount;
587 int i;
588
589 __nft_reg_track_clobber(track, dreg);
590
591 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
592 for (i = 0; i < regcount; i++, dreg++)
593 __nft_reg_track_cancel(track, dreg);
594}
595EXPORT_SYMBOL_GPL(nft_reg_track_cancel);
596
597void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg)
598{
599 track->regs[dreg].selector = NULL;
600 track->regs[dreg].bitwise = NULL;
601 track->regs[dreg].num_reg = 0;
602}
603EXPORT_SYMBOL_GPL(__nft_reg_track_cancel);
604
605
606
607
608
609static struct nft_table *nft_table_lookup(const struct net *net,
610 const struct nlattr *nla,
611 u8 family, u8 genmask, u32 nlpid)
612{
613 struct nftables_pernet *nft_net;
614 struct nft_table *table;
615
616 if (nla == NULL)
617 return ERR_PTR(-EINVAL);
618
619 nft_net = nft_pernet(net);
620 list_for_each_entry_rcu(table, &nft_net->tables, list,
621 lockdep_is_held(&nft_net->commit_mutex)) {
622 if (!nla_strcmp(nla, table->name) &&
623 table->family == family &&
624 nft_active_genmask(table, genmask)) {
625 if (nft_table_has_owner(table) &&
626 nlpid && table->nlpid != nlpid)
627 return ERR_PTR(-EPERM);
628
629 return table;
630 }
631 }
632
633 return ERR_PTR(-ENOENT);
634}
635
636static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
637 const struct nlattr *nla,
638 u8 genmask, u32 nlpid)
639{
640 struct nftables_pernet *nft_net;
641 struct nft_table *table;
642
643 nft_net = nft_pernet(net);
644 list_for_each_entry(table, &nft_net->tables, list) {
645 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
646 nft_active_genmask(table, genmask)) {
647 if (nft_table_has_owner(table) &&
648 nlpid && table->nlpid != nlpid)
649 return ERR_PTR(-EPERM);
650
651 return table;
652 }
653 }
654
655 return ERR_PTR(-ENOENT);
656}
657
658static inline u64 nf_tables_alloc_handle(struct nft_table *table)
659{
660 return ++table->hgenerator;
661}
662
663static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
664
665static const struct nft_chain_type *
666__nft_chain_type_get(u8 family, enum nft_chain_types type)
667{
668 if (family >= NFPROTO_NUMPROTO ||
669 type >= NFT_CHAIN_T_MAX)
670 return NULL;
671
672 return chain_type[family][type];
673}
674
675static const struct nft_chain_type *
676__nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
677{
678 const struct nft_chain_type *type;
679 int i;
680
681 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
682 type = __nft_chain_type_get(family, i);
683 if (!type)
684 continue;
685 if (!nla_strcmp(nla, type->name))
686 return type;
687 }
688 return NULL;
689}
690
691struct nft_module_request {
692 struct list_head list;
693 char module[MODULE_NAME_LEN];
694 bool done;
695};
696
697#ifdef CONFIG_MODULES
698__printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
699 ...)
700{
701 char module_name[MODULE_NAME_LEN];
702 struct nftables_pernet *nft_net;
703 struct nft_module_request *req;
704 va_list args;
705 int ret;
706
707 va_start(args, fmt);
708 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
709 va_end(args);
710 if (ret >= MODULE_NAME_LEN)
711 return 0;
712
713 nft_net = nft_pernet(net);
714 list_for_each_entry(req, &nft_net->module_list, list) {
715 if (!strcmp(req->module, module_name)) {
716 if (req->done)
717 return 0;
718
719
720 return -EAGAIN;
721 }
722 }
723
724 req = kmalloc(sizeof(*req), GFP_KERNEL);
725 if (!req)
726 return -ENOMEM;
727
728 req->done = false;
729 strlcpy(req->module, module_name, MODULE_NAME_LEN);
730 list_add_tail(&req->list, &nft_net->module_list);
731
732 return -EAGAIN;
733}
734EXPORT_SYMBOL_GPL(nft_request_module);
735#endif
736
737static void lockdep_nfnl_nft_mutex_not_held(void)
738{
739#ifdef CONFIG_PROVE_LOCKING
740 if (debug_locks)
741 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
742#endif
743}
744
745static const struct nft_chain_type *
746nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
747 u8 family, bool autoload)
748{
749 const struct nft_chain_type *type;
750
751 type = __nf_tables_chain_type_lookup(nla, family);
752 if (type != NULL)
753 return type;
754
755 lockdep_nfnl_nft_mutex_not_held();
756#ifdef CONFIG_MODULES
757 if (autoload) {
758 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
759 nla_len(nla),
760 (const char *)nla_data(nla)) == -EAGAIN)
761 return ERR_PTR(-EAGAIN);
762 }
763#endif
764 return ERR_PTR(-ENOENT);
765}
766
767static __be16 nft_base_seq(const struct net *net)
768{
769 struct nftables_pernet *nft_net = nft_pernet(net);
770
771 return htons(nft_net->base_seq & 0xffff);
772}
773
774static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
775 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
776 .len = NFT_TABLE_MAXNAMELEN - 1 },
777 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
778 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
779 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
780 .len = NFT_USERDATA_MAXLEN }
781};
782
783static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
784 u32 portid, u32 seq, int event, u32 flags,
785 int family, const struct nft_table *table)
786{
787 struct nlmsghdr *nlh;
788
789 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
790 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
791 NFNETLINK_V0, nft_base_seq(net));
792 if (!nlh)
793 goto nla_put_failure;
794
795 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
796 nla_put_be32(skb, NFTA_TABLE_FLAGS,
797 htonl(table->flags & NFT_TABLE_F_MASK)) ||
798 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
799 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
800 NFTA_TABLE_PAD))
801 goto nla_put_failure;
802 if (nft_table_has_owner(table) &&
803 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid)))
804 goto nla_put_failure;
805
806 if (table->udata) {
807 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
808 goto nla_put_failure;
809 }
810
811 nlmsg_end(skb, nlh);
812 return 0;
813
814nla_put_failure:
815 nlmsg_trim(skb, nlh);
816 return -1;
817}
818
819struct nftnl_skb_parms {
820 bool report;
821};
822#define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
823
824static void nft_notify_enqueue(struct sk_buff *skb, bool report,
825 struct list_head *notify_list)
826{
827 NFT_CB(skb).report = report;
828 list_add_tail(&skb->list, notify_list);
829}
830
831static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
832{
833 struct nftables_pernet *nft_net;
834 struct sk_buff *skb;
835 u16 flags = 0;
836 int err;
837
838 if (!ctx->report &&
839 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
840 return;
841
842 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
843 if (skb == NULL)
844 goto err;
845
846 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
847 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
848
849 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
850 event, flags, ctx->family, ctx->table);
851 if (err < 0) {
852 kfree_skb(skb);
853 goto err;
854 }
855
856 nft_net = nft_pernet(ctx->net);
857 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
858 return;
859err:
860 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
861}
862
863static int nf_tables_dump_tables(struct sk_buff *skb,
864 struct netlink_callback *cb)
865{
866 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
867 struct nftables_pernet *nft_net;
868 const struct nft_table *table;
869 unsigned int idx = 0, s_idx = cb->args[0];
870 struct net *net = sock_net(skb->sk);
871 int family = nfmsg->nfgen_family;
872
873 rcu_read_lock();
874 nft_net = nft_pernet(net);
875 cb->seq = nft_net->base_seq;
876
877 list_for_each_entry_rcu(table, &nft_net->tables, list) {
878 if (family != NFPROTO_UNSPEC && family != table->family)
879 continue;
880
881 if (idx < s_idx)
882 goto cont;
883 if (idx > s_idx)
884 memset(&cb->args[1], 0,
885 sizeof(cb->args) - sizeof(cb->args[0]));
886 if (!nft_is_active(net, table))
887 continue;
888 if (nf_tables_fill_table_info(skb, net,
889 NETLINK_CB(cb->skb).portid,
890 cb->nlh->nlmsg_seq,
891 NFT_MSG_NEWTABLE, NLM_F_MULTI,
892 table->family, table) < 0)
893 goto done;
894
895 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
896cont:
897 idx++;
898 }
899done:
900 rcu_read_unlock();
901 cb->args[0] = idx;
902 return skb->len;
903}
904
905static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
906 const struct nlmsghdr *nlh,
907 struct netlink_dump_control *c)
908{
909 int err;
910
911 if (!try_module_get(THIS_MODULE))
912 return -EINVAL;
913
914 rcu_read_unlock();
915 err = netlink_dump_start(nlsk, skb, nlh, c);
916 rcu_read_lock();
917 module_put(THIS_MODULE);
918
919 return err;
920}
921
922
923static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info,
924 const struct nlattr * const nla[])
925{
926 struct netlink_ext_ack *extack = info->extack;
927 u8 genmask = nft_genmask_cur(info->net);
928 u8 family = info->nfmsg->nfgen_family;
929 const struct nft_table *table;
930 struct net *net = info->net;
931 struct sk_buff *skb2;
932 int err;
933
934 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
935 struct netlink_dump_control c = {
936 .dump = nf_tables_dump_tables,
937 .module = THIS_MODULE,
938 };
939
940 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
941 }
942
943 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0);
944 if (IS_ERR(table)) {
945 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
946 return PTR_ERR(table);
947 }
948
949 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
950 if (!skb2)
951 return -ENOMEM;
952
953 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
954 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE,
955 0, family, table);
956 if (err < 0)
957 goto err_fill_table_info;
958
959 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
960
961err_fill_table_info:
962 kfree_skb(skb2);
963 return err;
964}
965
966static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
967{
968 struct nft_chain *chain;
969 u32 i = 0;
970
971 list_for_each_entry(chain, &table->chains, list) {
972 if (!nft_is_active_next(net, chain))
973 continue;
974 if (!nft_is_base_chain(chain))
975 continue;
976
977 if (cnt && i++ == cnt)
978 break;
979
980 nf_tables_unregister_hook(net, table, chain);
981 }
982}
983
984static int nf_tables_table_enable(struct net *net, struct nft_table *table)
985{
986 struct nft_chain *chain;
987 int err, i = 0;
988
989 list_for_each_entry(chain, &table->chains, list) {
990 if (!nft_is_active_next(net, chain))
991 continue;
992 if (!nft_is_base_chain(chain))
993 continue;
994
995 err = nf_tables_register_hook(net, table, chain);
996 if (err < 0)
997 goto err_register_hooks;
998
999 i++;
1000 }
1001 return 0;
1002
1003err_register_hooks:
1004 if (i)
1005 nft_table_disable(net, table, i);
1006 return err;
1007}
1008
1009static void nf_tables_table_disable(struct net *net, struct nft_table *table)
1010{
1011 table->flags &= ~NFT_TABLE_F_DORMANT;
1012 nft_table_disable(net, table, 0);
1013 table->flags |= NFT_TABLE_F_DORMANT;
1014}
1015
1016#define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1)
1017#define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0)
1018#define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1)
1019#define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \
1020 __NFT_TABLE_F_WAS_AWAKEN)
1021
1022static int nf_tables_updtable(struct nft_ctx *ctx)
1023{
1024 struct nft_trans *trans;
1025 u32 flags;
1026 int ret;
1027
1028 if (!ctx->nla[NFTA_TABLE_FLAGS])
1029 return 0;
1030
1031 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
1032 if (flags & ~NFT_TABLE_F_MASK)
1033 return -EOPNOTSUPP;
1034
1035 if (flags == ctx->table->flags)
1036 return 0;
1037
1038 if ((nft_table_has_owner(ctx->table) &&
1039 !(flags & NFT_TABLE_F_OWNER)) ||
1040 (!nft_table_has_owner(ctx->table) &&
1041 flags & NFT_TABLE_F_OWNER))
1042 return -EOPNOTSUPP;
1043
1044 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
1045 sizeof(struct nft_trans_table));
1046 if (trans == NULL)
1047 return -ENOMEM;
1048
1049 if ((flags & NFT_TABLE_F_DORMANT) &&
1050 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
1051 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1052 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE))
1053 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN;
1054 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
1055 ctx->table->flags & NFT_TABLE_F_DORMANT) {
1056 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
1057 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) {
1058 ret = nf_tables_table_enable(ctx->net, ctx->table);
1059 if (ret < 0)
1060 goto err_register_hooks;
1061
1062 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT;
1063 }
1064 }
1065
1066 nft_trans_table_update(trans) = true;
1067 nft_trans_commit_list_add_tail(ctx->net, trans);
1068
1069 return 0;
1070
1071err_register_hooks:
1072 nft_trans_destroy(trans);
1073 return ret;
1074}
1075
1076static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
1077{
1078 const char *name = data;
1079
1080 return jhash(name, strlen(name), seed);
1081}
1082
1083static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
1084{
1085 const struct nft_chain *chain = data;
1086
1087 return nft_chain_hash(chain->name, 0, seed);
1088}
1089
1090static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
1091 const void *ptr)
1092{
1093 const struct nft_chain *chain = ptr;
1094 const char *name = arg->key;
1095
1096 return strcmp(chain->name, name);
1097}
1098
1099static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
1100{
1101 const struct nft_object_hash_key *k = data;
1102
1103 seed ^= hash_ptr(k->table, 32);
1104
1105 return jhash(k->name, strlen(k->name), seed);
1106}
1107
1108static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
1109{
1110 const struct nft_object *obj = data;
1111
1112 return nft_objname_hash(&obj->key, 0, seed);
1113}
1114
1115static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
1116 const void *ptr)
1117{
1118 const struct nft_object_hash_key *k = arg->key;
1119 const struct nft_object *obj = ptr;
1120
1121 if (obj->key.table != k->table)
1122 return -1;
1123
1124 return strcmp(obj->key.name, k->name);
1125}
1126
1127static bool nft_supported_family(u8 family)
1128{
1129 return false
1130#ifdef CONFIG_NF_TABLES_INET
1131 || family == NFPROTO_INET
1132#endif
1133#ifdef CONFIG_NF_TABLES_IPV4
1134 || family == NFPROTO_IPV4
1135#endif
1136#ifdef CONFIG_NF_TABLES_ARP
1137 || family == NFPROTO_ARP
1138#endif
1139#ifdef CONFIG_NF_TABLES_NETDEV
1140 || family == NFPROTO_NETDEV
1141#endif
1142#if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
1143 || family == NFPROTO_BRIDGE
1144#endif
1145#ifdef CONFIG_NF_TABLES_IPV6
1146 || family == NFPROTO_IPV6
1147#endif
1148 ;
1149}
1150
1151static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
1152 const struct nlattr * const nla[])
1153{
1154 struct nftables_pernet *nft_net = nft_pernet(info->net);
1155 struct netlink_ext_ack *extack = info->extack;
1156 u8 genmask = nft_genmask_next(info->net);
1157 u8 family = info->nfmsg->nfgen_family;
1158 struct net *net = info->net;
1159 const struct nlattr *attr;
1160 struct nft_table *table;
1161 struct nft_ctx ctx;
1162 u32 flags = 0;
1163 int err;
1164
1165 if (!nft_supported_family(family))
1166 return -EOPNOTSUPP;
1167
1168 lockdep_assert_held(&nft_net->commit_mutex);
1169 attr = nla[NFTA_TABLE_NAME];
1170 table = nft_table_lookup(net, attr, family, genmask,
1171 NETLINK_CB(skb).portid);
1172 if (IS_ERR(table)) {
1173 if (PTR_ERR(table) != -ENOENT)
1174 return PTR_ERR(table);
1175 } else {
1176 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
1177 NL_SET_BAD_ATTR(extack, attr);
1178 return -EEXIST;
1179 }
1180 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
1181 return -EOPNOTSUPP;
1182
1183 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1184
1185 return nf_tables_updtable(&ctx);
1186 }
1187
1188 if (nla[NFTA_TABLE_FLAGS]) {
1189 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1190 if (flags & ~NFT_TABLE_F_MASK)
1191 return -EOPNOTSUPP;
1192 }
1193
1194 err = -ENOMEM;
1195 table = kzalloc(sizeof(*table), GFP_KERNEL_ACCOUNT);
1196 if (table == NULL)
1197 goto err_kzalloc;
1198
1199 table->name = nla_strdup(attr, GFP_KERNEL_ACCOUNT);
1200 if (table->name == NULL)
1201 goto err_strdup;
1202
1203 if (nla[NFTA_TABLE_USERDATA]) {
1204 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL_ACCOUNT);
1205 if (table->udata == NULL)
1206 goto err_table_udata;
1207
1208 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
1209 }
1210
1211 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1212 if (err)
1213 goto err_chain_ht;
1214
1215 INIT_LIST_HEAD(&table->chains);
1216 INIT_LIST_HEAD(&table->sets);
1217 INIT_LIST_HEAD(&table->objects);
1218 INIT_LIST_HEAD(&table->flowtables);
1219 table->family = family;
1220 table->flags = flags;
1221 table->handle = ++table_handle;
1222 if (table->flags & NFT_TABLE_F_OWNER)
1223 table->nlpid = NETLINK_CB(skb).portid;
1224
1225 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1226 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1227 if (err < 0)
1228 goto err_trans;
1229
1230 list_add_tail_rcu(&table->list, &nft_net->tables);
1231 return 0;
1232err_trans:
1233 rhltable_destroy(&table->chains_ht);
1234err_chain_ht:
1235 kfree(table->udata);
1236err_table_udata:
1237 kfree(table->name);
1238err_strdup:
1239 kfree(table);
1240err_kzalloc:
1241 return err;
1242}
1243
1244static int nft_flush_table(struct nft_ctx *ctx)
1245{
1246 struct nft_flowtable *flowtable, *nft;
1247 struct nft_chain *chain, *nc;
1248 struct nft_object *obj, *ne;
1249 struct nft_set *set, *ns;
1250 int err;
1251
1252 list_for_each_entry(chain, &ctx->table->chains, list) {
1253 if (!nft_is_active_next(ctx->net, chain))
1254 continue;
1255
1256 if (nft_chain_is_bound(chain))
1257 continue;
1258
1259 ctx->chain = chain;
1260
1261 err = nft_delrule_by_chain(ctx);
1262 if (err < 0)
1263 goto out;
1264 }
1265
1266 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1267 if (!nft_is_active_next(ctx->net, set))
1268 continue;
1269
1270 if (nft_set_is_anonymous(set) &&
1271 !list_empty(&set->bindings))
1272 continue;
1273
1274 err = nft_delset(ctx, set);
1275 if (err < 0)
1276 goto out;
1277 }
1278
1279 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1280 if (!nft_is_active_next(ctx->net, flowtable))
1281 continue;
1282
1283 err = nft_delflowtable(ctx, flowtable);
1284 if (err < 0)
1285 goto out;
1286 }
1287
1288 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1289 if (!nft_is_active_next(ctx->net, obj))
1290 continue;
1291
1292 err = nft_delobj(ctx, obj);
1293 if (err < 0)
1294 goto out;
1295 }
1296
1297 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1298 if (!nft_is_active_next(ctx->net, chain))
1299 continue;
1300
1301 if (nft_chain_is_bound(chain))
1302 continue;
1303
1304 ctx->chain = chain;
1305
1306 err = nft_delchain(ctx);
1307 if (err < 0)
1308 goto out;
1309 }
1310
1311 err = nft_deltable(ctx);
1312out:
1313 return err;
1314}
1315
1316static int nft_flush(struct nft_ctx *ctx, int family)
1317{
1318 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
1319 const struct nlattr * const *nla = ctx->nla;
1320 struct nft_table *table, *nt;
1321 int err = 0;
1322
1323 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
1324 if (family != AF_UNSPEC && table->family != family)
1325 continue;
1326
1327 ctx->family = table->family;
1328
1329 if (!nft_is_active_next(ctx->net, table))
1330 continue;
1331
1332 if (nft_table_has_owner(table) && table->nlpid != ctx->portid)
1333 continue;
1334
1335 if (nla[NFTA_TABLE_NAME] &&
1336 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1337 continue;
1338
1339 ctx->table = table;
1340
1341 err = nft_flush_table(ctx);
1342 if (err < 0)
1343 goto out;
1344 }
1345out:
1346 return err;
1347}
1348
1349static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info,
1350 const struct nlattr * const nla[])
1351{
1352 struct netlink_ext_ack *extack = info->extack;
1353 u8 genmask = nft_genmask_next(info->net);
1354 u8 family = info->nfmsg->nfgen_family;
1355 struct net *net = info->net;
1356 const struct nlattr *attr;
1357 struct nft_table *table;
1358 struct nft_ctx ctx;
1359
1360 nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla);
1361 if (family == AF_UNSPEC ||
1362 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1363 return nft_flush(&ctx, family);
1364
1365 if (nla[NFTA_TABLE_HANDLE]) {
1366 attr = nla[NFTA_TABLE_HANDLE];
1367 table = nft_table_lookup_byhandle(net, attr, genmask,
1368 NETLINK_CB(skb).portid);
1369 } else {
1370 attr = nla[NFTA_TABLE_NAME];
1371 table = nft_table_lookup(net, attr, family, genmask,
1372 NETLINK_CB(skb).portid);
1373 }
1374
1375 if (IS_ERR(table)) {
1376 NL_SET_BAD_ATTR(extack, attr);
1377 return PTR_ERR(table);
1378 }
1379
1380 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
1381 table->use > 0)
1382 return -EBUSY;
1383
1384 ctx.family = family;
1385 ctx.table = table;
1386
1387 return nft_flush_table(&ctx);
1388}
1389
1390static void nf_tables_table_destroy(struct nft_ctx *ctx)
1391{
1392 if (WARN_ON(ctx->table->use > 0))
1393 return;
1394
1395 rhltable_destroy(&ctx->table->chains_ht);
1396 kfree(ctx->table->name);
1397 kfree(ctx->table->udata);
1398 kfree(ctx->table);
1399}
1400
1401void nft_register_chain_type(const struct nft_chain_type *ctype)
1402{
1403 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1404 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1405 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1406 return;
1407 }
1408 chain_type[ctype->family][ctype->type] = ctype;
1409 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1410}
1411EXPORT_SYMBOL_GPL(nft_register_chain_type);
1412
1413void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1414{
1415 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1416 chain_type[ctype->family][ctype->type] = NULL;
1417 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1418}
1419EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1420
1421
1422
1423
1424
1425static struct nft_chain *
1426nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1427{
1428 struct nft_chain *chain;
1429
1430 list_for_each_entry(chain, &table->chains, list) {
1431 if (chain->handle == handle &&
1432 nft_active_genmask(chain, genmask))
1433 return chain;
1434 }
1435
1436 return ERR_PTR(-ENOENT);
1437}
1438
1439static bool lockdep_commit_lock_is_held(const struct net *net)
1440{
1441#ifdef CONFIG_PROVE_LOCKING
1442 struct nftables_pernet *nft_net = nft_pernet(net);
1443
1444 return lockdep_is_held(&nft_net->commit_mutex);
1445#else
1446 return true;
1447#endif
1448}
1449
1450static struct nft_chain *nft_chain_lookup(struct net *net,
1451 struct nft_table *table,
1452 const struct nlattr *nla, u8 genmask)
1453{
1454 char search[NFT_CHAIN_MAXNAMELEN + 1];
1455 struct rhlist_head *tmp, *list;
1456 struct nft_chain *chain;
1457
1458 if (nla == NULL)
1459 return ERR_PTR(-EINVAL);
1460
1461 nla_strscpy(search, nla, sizeof(search));
1462
1463 WARN_ON(!rcu_read_lock_held() &&
1464 !lockdep_commit_lock_is_held(net));
1465
1466 chain = ERR_PTR(-ENOENT);
1467 rcu_read_lock();
1468 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1469 if (!list)
1470 goto out_unlock;
1471
1472 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1473 if (nft_active_genmask(chain, genmask))
1474 goto out_unlock;
1475 }
1476 chain = ERR_PTR(-ENOENT);
1477out_unlock:
1478 rcu_read_unlock();
1479 return chain;
1480}
1481
1482static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1483 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1484 .len = NFT_TABLE_MAXNAMELEN - 1 },
1485 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1486 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1487 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1488 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1489 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1490 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1491 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1492 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1493 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1494 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1495 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
1496 .len = NFT_USERDATA_MAXLEN },
1497};
1498
1499static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1500 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1501 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1502 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1503 .len = IFNAMSIZ - 1 },
1504};
1505
1506static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1507{
1508 struct nft_stats *cpu_stats, total;
1509 struct nlattr *nest;
1510 unsigned int seq;
1511 u64 pkts, bytes;
1512 int cpu;
1513
1514 if (!stats)
1515 return 0;
1516
1517 memset(&total, 0, sizeof(total));
1518 for_each_possible_cpu(cpu) {
1519 cpu_stats = per_cpu_ptr(stats, cpu);
1520 do {
1521 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1522 pkts = cpu_stats->pkts;
1523 bytes = cpu_stats->bytes;
1524 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1525 total.pkts += pkts;
1526 total.bytes += bytes;
1527 }
1528 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1529 if (nest == NULL)
1530 goto nla_put_failure;
1531
1532 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1533 NFTA_COUNTER_PAD) ||
1534 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1535 NFTA_COUNTER_PAD))
1536 goto nla_put_failure;
1537
1538 nla_nest_end(skb, nest);
1539 return 0;
1540
1541nla_put_failure:
1542 return -ENOSPC;
1543}
1544
1545static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1546 const struct nft_base_chain *basechain)
1547{
1548 const struct nf_hook_ops *ops = &basechain->ops;
1549 struct nft_hook *hook, *first = NULL;
1550 struct nlattr *nest, *nest_devs;
1551 int n = 0;
1552
1553 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1554 if (nest == NULL)
1555 goto nla_put_failure;
1556 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1557 goto nla_put_failure;
1558 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1559 goto nla_put_failure;
1560
1561 if (nft_base_chain_netdev(family, ops->hooknum)) {
1562 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1563 list_for_each_entry(hook, &basechain->hook_list, list) {
1564 if (!first)
1565 first = hook;
1566
1567 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1568 hook->ops.dev->name))
1569 goto nla_put_failure;
1570 n++;
1571 }
1572 nla_nest_end(skb, nest_devs);
1573
1574 if (n == 1 &&
1575 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1576 goto nla_put_failure;
1577 }
1578 nla_nest_end(skb, nest);
1579
1580 return 0;
1581nla_put_failure:
1582 return -1;
1583}
1584
1585static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1586 u32 portid, u32 seq, int event, u32 flags,
1587 int family, const struct nft_table *table,
1588 const struct nft_chain *chain)
1589{
1590 struct nlmsghdr *nlh;
1591
1592 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1593 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
1594 NFNETLINK_V0, nft_base_seq(net));
1595 if (!nlh)
1596 goto nla_put_failure;
1597
1598 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1599 goto nla_put_failure;
1600 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1601 NFTA_CHAIN_PAD))
1602 goto nla_put_failure;
1603 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1604 goto nla_put_failure;
1605
1606 if (nft_is_base_chain(chain)) {
1607 const struct nft_base_chain *basechain = nft_base_chain(chain);
1608 struct nft_stats __percpu *stats;
1609
1610 if (nft_dump_basechain_hook(skb, family, basechain))
1611 goto nla_put_failure;
1612
1613 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1614 htonl(basechain->policy)))
1615 goto nla_put_failure;
1616
1617 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1618 goto nla_put_failure;
1619
1620 stats = rcu_dereference_check(basechain->stats,
1621 lockdep_commit_lock_is_held(net));
1622 if (nft_dump_stats(skb, stats))
1623 goto nla_put_failure;
1624 }
1625
1626 if (chain->flags &&
1627 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
1628 goto nla_put_failure;
1629
1630 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1631 goto nla_put_failure;
1632
1633 if (chain->udata &&
1634 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
1635 goto nla_put_failure;
1636
1637 nlmsg_end(skb, nlh);
1638 return 0;
1639
1640nla_put_failure:
1641 nlmsg_trim(skb, nlh);
1642 return -1;
1643}
1644
1645static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1646{
1647 struct nftables_pernet *nft_net;
1648 struct sk_buff *skb;
1649 u16 flags = 0;
1650 int err;
1651
1652 if (!ctx->report &&
1653 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1654 return;
1655
1656 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1657 if (skb == NULL)
1658 goto err;
1659
1660 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1661 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1662
1663 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1664 event, flags, ctx->family, ctx->table,
1665 ctx->chain);
1666 if (err < 0) {
1667 kfree_skb(skb);
1668 goto err;
1669 }
1670
1671 nft_net = nft_pernet(ctx->net);
1672 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
1673 return;
1674err:
1675 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1676}
1677
1678static int nf_tables_dump_chains(struct sk_buff *skb,
1679 struct netlink_callback *cb)
1680{
1681 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1682 unsigned int idx = 0, s_idx = cb->args[0];
1683 struct net *net = sock_net(skb->sk);
1684 int family = nfmsg->nfgen_family;
1685 struct nftables_pernet *nft_net;
1686 const struct nft_table *table;
1687 const struct nft_chain *chain;
1688
1689 rcu_read_lock();
1690 nft_net = nft_pernet(net);
1691 cb->seq = nft_net->base_seq;
1692
1693 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1694 if (family != NFPROTO_UNSPEC && family != table->family)
1695 continue;
1696
1697 list_for_each_entry_rcu(chain, &table->chains, list) {
1698 if (idx < s_idx)
1699 goto cont;
1700 if (idx > s_idx)
1701 memset(&cb->args[1], 0,
1702 sizeof(cb->args) - sizeof(cb->args[0]));
1703 if (!nft_is_active(net, chain))
1704 continue;
1705 if (nf_tables_fill_chain_info(skb, net,
1706 NETLINK_CB(cb->skb).portid,
1707 cb->nlh->nlmsg_seq,
1708 NFT_MSG_NEWCHAIN,
1709 NLM_F_MULTI,
1710 table->family, table,
1711 chain) < 0)
1712 goto done;
1713
1714 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1715cont:
1716 idx++;
1717 }
1718 }
1719done:
1720 rcu_read_unlock();
1721 cb->args[0] = idx;
1722 return skb->len;
1723}
1724
1725
1726static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info,
1727 const struct nlattr * const nla[])
1728{
1729 struct netlink_ext_ack *extack = info->extack;
1730 u8 genmask = nft_genmask_cur(info->net);
1731 u8 family = info->nfmsg->nfgen_family;
1732 const struct nft_chain *chain;
1733 struct net *net = info->net;
1734 struct nft_table *table;
1735 struct sk_buff *skb2;
1736 int err;
1737
1738 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1739 struct netlink_dump_control c = {
1740 .dump = nf_tables_dump_chains,
1741 .module = THIS_MODULE,
1742 };
1743
1744 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
1745 }
1746
1747 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0);
1748 if (IS_ERR(table)) {
1749 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1750 return PTR_ERR(table);
1751 }
1752
1753 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1754 if (IS_ERR(chain)) {
1755 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1756 return PTR_ERR(chain);
1757 }
1758
1759 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1760 if (!skb2)
1761 return -ENOMEM;
1762
1763 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1764 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN,
1765 0, family, table, chain);
1766 if (err < 0)
1767 goto err_fill_chain_info;
1768
1769 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1770
1771err_fill_chain_info:
1772 kfree_skb(skb2);
1773 return err;
1774}
1775
1776static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1777 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1778 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1779};
1780
1781static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1782{
1783 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1784 struct nft_stats __percpu *newstats;
1785 struct nft_stats *stats;
1786 int err;
1787
1788 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1789 nft_counter_policy, NULL);
1790 if (err < 0)
1791 return ERR_PTR(err);
1792
1793 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1794 return ERR_PTR(-EINVAL);
1795
1796 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1797 if (newstats == NULL)
1798 return ERR_PTR(-ENOMEM);
1799
1800
1801
1802
1803 preempt_disable();
1804 stats = this_cpu_ptr(newstats);
1805 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1806 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1807 preempt_enable();
1808
1809 return newstats;
1810}
1811
1812static void nft_chain_stats_replace(struct nft_trans *trans)
1813{
1814 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1815
1816 if (!nft_trans_chain_stats(trans))
1817 return;
1818
1819 nft_trans_chain_stats(trans) =
1820 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
1821 lockdep_commit_lock_is_held(trans->ctx.net));
1822
1823 if (!nft_trans_chain_stats(trans))
1824 static_branch_inc(&nft_counters_enabled);
1825}
1826
1827static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1828{
1829 struct nft_rule_blob *g0 = rcu_dereference_raw(chain->blob_gen_0);
1830 struct nft_rule_blob *g1 = rcu_dereference_raw(chain->blob_gen_1);
1831
1832 if (g0 != g1)
1833 kvfree(g1);
1834 kvfree(g0);
1835
1836
1837 WARN_ON_ONCE(chain->blob_next);
1838 kvfree(chain->blob_next);
1839}
1840
1841void nf_tables_chain_destroy(struct nft_ctx *ctx)
1842{
1843 struct nft_chain *chain = ctx->chain;
1844 struct nft_hook *hook, *next;
1845
1846 if (WARN_ON(chain->use > 0))
1847 return;
1848
1849
1850 nf_tables_chain_free_chain_rules(chain);
1851
1852 if (nft_is_base_chain(chain)) {
1853 struct nft_base_chain *basechain = nft_base_chain(chain);
1854
1855 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
1856 list_for_each_entry_safe(hook, next,
1857 &basechain->hook_list, list) {
1858 list_del_rcu(&hook->list);
1859 kfree_rcu(hook, rcu);
1860 }
1861 }
1862 module_put(basechain->type->owner);
1863 if (rcu_access_pointer(basechain->stats)) {
1864 static_branch_dec(&nft_counters_enabled);
1865 free_percpu(rcu_dereference_raw(basechain->stats));
1866 }
1867 kfree(chain->name);
1868 kfree(chain->udata);
1869 kfree(basechain);
1870 } else {
1871 kfree(chain->name);
1872 kfree(chain->udata);
1873 kfree(chain);
1874 }
1875}
1876
1877static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
1878 const struct nlattr *attr)
1879{
1880 struct net_device *dev;
1881 char ifname[IFNAMSIZ];
1882 struct nft_hook *hook;
1883 int err;
1884
1885 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT);
1886 if (!hook) {
1887 err = -ENOMEM;
1888 goto err_hook_alloc;
1889 }
1890
1891 nla_strscpy(ifname, attr, IFNAMSIZ);
1892
1893
1894
1895
1896 dev = __dev_get_by_name(net, ifname);
1897 if (!dev) {
1898 err = -ENOENT;
1899 goto err_hook_dev;
1900 }
1901 hook->ops.dev = dev;
1902 hook->inactive = false;
1903
1904 return hook;
1905
1906err_hook_dev:
1907 kfree(hook);
1908err_hook_alloc:
1909 return ERR_PTR(err);
1910}
1911
1912static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
1913 const struct nft_hook *this)
1914{
1915 struct nft_hook *hook;
1916
1917 list_for_each_entry(hook, hook_list, list) {
1918 if (this->ops.dev == hook->ops.dev)
1919 return hook;
1920 }
1921
1922 return NULL;
1923}
1924
1925static int nf_tables_parse_netdev_hooks(struct net *net,
1926 const struct nlattr *attr,
1927 struct list_head *hook_list)
1928{
1929 struct nft_hook *hook, *next;
1930 const struct nlattr *tmp;
1931 int rem, n = 0, err;
1932
1933 nla_for_each_nested(tmp, attr, rem) {
1934 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
1935 err = -EINVAL;
1936 goto err_hook;
1937 }
1938
1939 hook = nft_netdev_hook_alloc(net, tmp);
1940 if (IS_ERR(hook)) {
1941 err = PTR_ERR(hook);
1942 goto err_hook;
1943 }
1944 if (nft_hook_list_find(hook_list, hook)) {
1945 kfree(hook);
1946 err = -EEXIST;
1947 goto err_hook;
1948 }
1949 list_add_tail(&hook->list, hook_list);
1950 n++;
1951
1952 if (n == NFT_NETDEVICE_MAX) {
1953 err = -EFBIG;
1954 goto err_hook;
1955 }
1956 }
1957
1958 return 0;
1959
1960err_hook:
1961 list_for_each_entry_safe(hook, next, hook_list, list) {
1962 list_del(&hook->list);
1963 kfree(hook);
1964 }
1965 return err;
1966}
1967
1968struct nft_chain_hook {
1969 u32 num;
1970 s32 priority;
1971 const struct nft_chain_type *type;
1972 struct list_head list;
1973};
1974
1975static int nft_chain_parse_netdev(struct net *net,
1976 struct nlattr *tb[],
1977 struct list_head *hook_list)
1978{
1979 struct nft_hook *hook;
1980 int err;
1981
1982 if (tb[NFTA_HOOK_DEV]) {
1983 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
1984 if (IS_ERR(hook))
1985 return PTR_ERR(hook);
1986
1987 list_add_tail(&hook->list, hook_list);
1988 } else if (tb[NFTA_HOOK_DEVS]) {
1989 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
1990 hook_list);
1991 if (err < 0)
1992 return err;
1993
1994 if (list_empty(hook_list))
1995 return -EINVAL;
1996 } else {
1997 return -EINVAL;
1998 }
1999
2000 return 0;
2001}
2002
2003static int nft_chain_parse_hook(struct net *net,
2004 const struct nlattr * const nla[],
2005 struct nft_chain_hook *hook, u8 family,
2006 struct netlink_ext_ack *extack, bool autoload)
2007{
2008 struct nftables_pernet *nft_net = nft_pernet(net);
2009 struct nlattr *ha[NFTA_HOOK_MAX + 1];
2010 const struct nft_chain_type *type;
2011 int err;
2012
2013 lockdep_assert_held(&nft_net->commit_mutex);
2014 lockdep_nfnl_nft_mutex_not_held();
2015
2016 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
2017 nla[NFTA_CHAIN_HOOK],
2018 nft_hook_policy, NULL);
2019 if (err < 0)
2020 return err;
2021
2022 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
2023 ha[NFTA_HOOK_PRIORITY] == NULL)
2024 return -EINVAL;
2025
2026 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2027 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2028
2029 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
2030 if (!type)
2031 return -EOPNOTSUPP;
2032
2033 if (nla[NFTA_CHAIN_TYPE]) {
2034 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
2035 family, autoload);
2036 if (IS_ERR(type)) {
2037 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2038 return PTR_ERR(type);
2039 }
2040 }
2041 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
2042 return -EOPNOTSUPP;
2043
2044 if (type->type == NFT_CHAIN_T_NAT &&
2045 hook->priority <= NF_IP_PRI_CONNTRACK)
2046 return -EOPNOTSUPP;
2047
2048 if (!try_module_get(type->owner)) {
2049 if (nla[NFTA_CHAIN_TYPE])
2050 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2051 return -ENOENT;
2052 }
2053
2054 hook->type = type;
2055
2056 INIT_LIST_HEAD(&hook->list);
2057 if (nft_base_chain_netdev(family, hook->num)) {
2058 err = nft_chain_parse_netdev(net, ha, &hook->list);
2059 if (err < 0) {
2060 module_put(type->owner);
2061 return err;
2062 }
2063 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
2064 module_put(type->owner);
2065 return -EOPNOTSUPP;
2066 }
2067
2068 return 0;
2069}
2070
2071static void nft_chain_release_hook(struct nft_chain_hook *hook)
2072{
2073 struct nft_hook *h, *next;
2074
2075 list_for_each_entry_safe(h, next, &hook->list, list) {
2076 list_del(&h->list);
2077 kfree(h);
2078 }
2079 module_put(hook->type->owner);
2080}
2081
2082struct nft_rules_old {
2083 struct rcu_head h;
2084 struct nft_rule_blob *blob;
2085};
2086
2087static void nft_last_rule(struct nft_rule_blob *blob, const void *ptr)
2088{
2089 struct nft_rule_dp *prule;
2090
2091 prule = (struct nft_rule_dp *)ptr;
2092 prule->is_last = 1;
2093
2094}
2095
2096static struct nft_rule_blob *nf_tables_chain_alloc_rules(unsigned int size)
2097{
2098 struct nft_rule_blob *blob;
2099
2100
2101 if (size < offsetof(struct nft_rule_dp, data))
2102 return NULL;
2103
2104 size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rules_old);
2105 if (size > INT_MAX)
2106 return NULL;
2107
2108 blob = kvmalloc(size, GFP_KERNEL_ACCOUNT);
2109 if (!blob)
2110 return NULL;
2111
2112 blob->size = 0;
2113 nft_last_rule(blob, blob->data);
2114
2115 return blob;
2116}
2117
2118static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
2119 const struct nft_chain_hook *hook,
2120 struct nft_chain *chain)
2121{
2122 ops->pf = family;
2123 ops->hooknum = hook->num;
2124 ops->priority = hook->priority;
2125 ops->priv = chain;
2126 ops->hook = hook->type->hooks[ops->hooknum];
2127 ops->hook_ops_type = NF_HOOK_OP_NF_TABLES;
2128}
2129
2130static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
2131 struct nft_chain_hook *hook, u32 flags)
2132{
2133 struct nft_chain *chain;
2134 struct nft_hook *h;
2135
2136 basechain->type = hook->type;
2137 INIT_LIST_HEAD(&basechain->hook_list);
2138 chain = &basechain->chain;
2139
2140 if (nft_base_chain_netdev(family, hook->num)) {
2141 list_splice_init(&hook->list, &basechain->hook_list);
2142 list_for_each_entry(h, &basechain->hook_list, list)
2143 nft_basechain_hook_init(&h->ops, family, hook, chain);
2144
2145 basechain->ops.hooknum = hook->num;
2146 basechain->ops.priority = hook->priority;
2147 } else {
2148 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
2149 }
2150
2151 chain->flags |= NFT_CHAIN_BASE | flags;
2152 basechain->policy = NF_ACCEPT;
2153 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
2154 nft_chain_offload_priority(basechain) < 0)
2155 return -EOPNOTSUPP;
2156
2157 flow_block_init(&basechain->flow_block);
2158
2159 return 0;
2160}
2161
2162static int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
2163{
2164 int err;
2165
2166 err = rhltable_insert_key(&table->chains_ht, chain->name,
2167 &chain->rhlhead, nft_chain_ht_params);
2168 if (err)
2169 return err;
2170
2171 list_add_tail_rcu(&chain->list, &table->chains);
2172
2173 return 0;
2174}
2175
2176static u64 chain_id;
2177
2178static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
2179 u8 policy, u32 flags,
2180 struct netlink_ext_ack *extack)
2181{
2182 const struct nlattr * const *nla = ctx->nla;
2183 struct nft_table *table = ctx->table;
2184 struct nft_base_chain *basechain;
2185 struct nft_stats __percpu *stats;
2186 struct net *net = ctx->net;
2187 char name[NFT_NAME_MAXLEN];
2188 struct nft_rule_blob *blob;
2189 struct nft_trans *trans;
2190 struct nft_chain *chain;
2191 unsigned int data_size;
2192 int err;
2193
2194 if (table->use == UINT_MAX)
2195 return -EOVERFLOW;
2196
2197 if (nla[NFTA_CHAIN_HOOK]) {
2198 struct nft_chain_hook hook;
2199
2200 if (flags & NFT_CHAIN_BINDING)
2201 return -EOPNOTSUPP;
2202
2203 err = nft_chain_parse_hook(net, nla, &hook, family, extack,
2204 true);
2205 if (err < 0)
2206 return err;
2207
2208 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL_ACCOUNT);
2209 if (basechain == NULL) {
2210 nft_chain_release_hook(&hook);
2211 return -ENOMEM;
2212 }
2213 chain = &basechain->chain;
2214
2215 if (nla[NFTA_CHAIN_COUNTERS]) {
2216 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2217 if (IS_ERR(stats)) {
2218 nft_chain_release_hook(&hook);
2219 kfree(basechain);
2220 return PTR_ERR(stats);
2221 }
2222 rcu_assign_pointer(basechain->stats, stats);
2223 static_branch_inc(&nft_counters_enabled);
2224 }
2225
2226 err = nft_basechain_init(basechain, family, &hook, flags);
2227 if (err < 0) {
2228 nft_chain_release_hook(&hook);
2229 kfree(basechain);
2230 return err;
2231 }
2232 } else {
2233 if (flags & NFT_CHAIN_BASE)
2234 return -EINVAL;
2235 if (flags & NFT_CHAIN_HW_OFFLOAD)
2236 return -EOPNOTSUPP;
2237
2238 chain = kzalloc(sizeof(*chain), GFP_KERNEL_ACCOUNT);
2239 if (chain == NULL)
2240 return -ENOMEM;
2241
2242 chain->flags = flags;
2243 }
2244 ctx->chain = chain;
2245
2246 INIT_LIST_HEAD(&chain->rules);
2247 chain->handle = nf_tables_alloc_handle(table);
2248 chain->table = table;
2249
2250 if (nla[NFTA_CHAIN_NAME]) {
2251 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2252 } else {
2253 if (!(flags & NFT_CHAIN_BINDING)) {
2254 err = -EINVAL;
2255 goto err_destroy_chain;
2256 }
2257
2258 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2259 chain->name = kstrdup(name, GFP_KERNEL_ACCOUNT);
2260 }
2261
2262 if (!chain->name) {
2263 err = -ENOMEM;
2264 goto err_destroy_chain;
2265 }
2266
2267 if (nla[NFTA_CHAIN_USERDATA]) {
2268 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT);
2269 if (chain->udata == NULL) {
2270 err = -ENOMEM;
2271 goto err_destroy_chain;
2272 }
2273 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
2274 }
2275
2276 data_size = offsetof(struct nft_rule_dp, data);
2277 blob = nf_tables_chain_alloc_rules(data_size);
2278 if (!blob) {
2279 err = -ENOMEM;
2280 goto err_destroy_chain;
2281 }
2282
2283 RCU_INIT_POINTER(chain->blob_gen_0, blob);
2284 RCU_INIT_POINTER(chain->blob_gen_1, blob);
2285
2286 err = nf_tables_register_hook(net, table, chain);
2287 if (err < 0)
2288 goto err_destroy_chain;
2289
2290 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2291 if (IS_ERR(trans)) {
2292 err = PTR_ERR(trans);
2293 goto err_unregister_hook;
2294 }
2295
2296 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2297 if (nft_is_base_chain(chain))
2298 nft_trans_chain_policy(trans) = policy;
2299
2300 err = nft_chain_add(table, chain);
2301 if (err < 0) {
2302 nft_trans_destroy(trans);
2303 goto err_unregister_hook;
2304 }
2305
2306 table->use++;
2307
2308 return 0;
2309err_unregister_hook:
2310 nf_tables_unregister_hook(net, table, chain);
2311err_destroy_chain:
2312 nf_tables_chain_destroy(ctx);
2313
2314 return err;
2315}
2316
2317static bool nft_hook_list_equal(struct list_head *hook_list1,
2318 struct list_head *hook_list2)
2319{
2320 struct nft_hook *hook;
2321 int n = 0, m = 0;
2322
2323 n = 0;
2324 list_for_each_entry(hook, hook_list2, list) {
2325 if (!nft_hook_list_find(hook_list1, hook))
2326 return false;
2327
2328 n++;
2329 }
2330 list_for_each_entry(hook, hook_list1, list)
2331 m++;
2332
2333 return n == m;
2334}
2335
2336static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2337 u32 flags, const struct nlattr *attr,
2338 struct netlink_ext_ack *extack)
2339{
2340 const struct nlattr * const *nla = ctx->nla;
2341 struct nft_table *table = ctx->table;
2342 struct nft_chain *chain = ctx->chain;
2343 struct nft_base_chain *basechain;
2344 struct nft_stats *stats = NULL;
2345 struct nft_chain_hook hook;
2346 struct nf_hook_ops *ops;
2347 struct nft_trans *trans;
2348 int err;
2349
2350 if (chain->flags ^ flags)
2351 return -EOPNOTSUPP;
2352
2353 if (nla[NFTA_CHAIN_HOOK]) {
2354 if (!nft_is_base_chain(chain)) {
2355 NL_SET_BAD_ATTR(extack, attr);
2356 return -EEXIST;
2357 }
2358 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
2359 extack, false);
2360 if (err < 0)
2361 return err;
2362
2363 basechain = nft_base_chain(chain);
2364 if (basechain->type != hook.type) {
2365 nft_chain_release_hook(&hook);
2366 NL_SET_BAD_ATTR(extack, attr);
2367 return -EEXIST;
2368 }
2369
2370 if (nft_base_chain_netdev(ctx->family, hook.num)) {
2371 if (!nft_hook_list_equal(&basechain->hook_list,
2372 &hook.list)) {
2373 nft_chain_release_hook(&hook);
2374 NL_SET_BAD_ATTR(extack, attr);
2375 return -EEXIST;
2376 }
2377 } else {
2378 ops = &basechain->ops;
2379 if (ops->hooknum != hook.num ||
2380 ops->priority != hook.priority) {
2381 nft_chain_release_hook(&hook);
2382 NL_SET_BAD_ATTR(extack, attr);
2383 return -EEXIST;
2384 }
2385 }
2386 nft_chain_release_hook(&hook);
2387 }
2388
2389 if (nla[NFTA_CHAIN_HANDLE] &&
2390 nla[NFTA_CHAIN_NAME]) {
2391 struct nft_chain *chain2;
2392
2393 chain2 = nft_chain_lookup(ctx->net, table,
2394 nla[NFTA_CHAIN_NAME], genmask);
2395 if (!IS_ERR(chain2)) {
2396 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2397 return -EEXIST;
2398 }
2399 }
2400
2401 if (nla[NFTA_CHAIN_COUNTERS]) {
2402 if (!nft_is_base_chain(chain))
2403 return -EOPNOTSUPP;
2404
2405 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2406 if (IS_ERR(stats))
2407 return PTR_ERR(stats);
2408 }
2409
2410 err = -ENOMEM;
2411 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2412 sizeof(struct nft_trans_chain));
2413 if (trans == NULL)
2414 goto err;
2415
2416 nft_trans_chain_stats(trans) = stats;
2417 nft_trans_chain_update(trans) = true;
2418
2419 if (nla[NFTA_CHAIN_POLICY])
2420 nft_trans_chain_policy(trans) = policy;
2421 else
2422 nft_trans_chain_policy(trans) = -1;
2423
2424 if (nla[NFTA_CHAIN_HANDLE] &&
2425 nla[NFTA_CHAIN_NAME]) {
2426 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
2427 struct nft_trans *tmp;
2428 char *name;
2429
2430 err = -ENOMEM;
2431 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2432 if (!name)
2433 goto err;
2434
2435 err = -EEXIST;
2436 list_for_each_entry(tmp, &nft_net->commit_list, list) {
2437 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2438 tmp->ctx.table == table &&
2439 nft_trans_chain_update(tmp) &&
2440 nft_trans_chain_name(tmp) &&
2441 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2442 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2443 kfree(name);
2444 goto err;
2445 }
2446 }
2447
2448 nft_trans_chain_name(trans) = name;
2449 }
2450 nft_trans_commit_list_add_tail(ctx->net, trans);
2451
2452 return 0;
2453err:
2454 free_percpu(stats);
2455 kfree(trans);
2456 return err;
2457}
2458
2459static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2460 const struct nlattr *nla)
2461{
2462 struct nftables_pernet *nft_net = nft_pernet(net);
2463 u32 id = ntohl(nla_get_be32(nla));
2464 struct nft_trans *trans;
2465
2466 list_for_each_entry(trans, &nft_net->commit_list, list) {
2467 struct nft_chain *chain = trans->ctx.chain;
2468
2469 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2470 id == nft_trans_chain_id(trans))
2471 return chain;
2472 }
2473 return ERR_PTR(-ENOENT);
2474}
2475
2476static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info,
2477 const struct nlattr * const nla[])
2478{
2479 struct nftables_pernet *nft_net = nft_pernet(info->net);
2480 struct netlink_ext_ack *extack = info->extack;
2481 u8 genmask = nft_genmask_next(info->net);
2482 u8 family = info->nfmsg->nfgen_family;
2483 struct nft_chain *chain = NULL;
2484 struct net *net = info->net;
2485 const struct nlattr *attr;
2486 struct nft_table *table;
2487 u8 policy = NF_ACCEPT;
2488 struct nft_ctx ctx;
2489 u64 handle = 0;
2490 u32 flags = 0;
2491
2492 lockdep_assert_held(&nft_net->commit_mutex);
2493
2494 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2495 NETLINK_CB(skb).portid);
2496 if (IS_ERR(table)) {
2497 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2498 return PTR_ERR(table);
2499 }
2500
2501 chain = NULL;
2502 attr = nla[NFTA_CHAIN_NAME];
2503
2504 if (nla[NFTA_CHAIN_HANDLE]) {
2505 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2506 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2507 if (IS_ERR(chain)) {
2508 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2509 return PTR_ERR(chain);
2510 }
2511 attr = nla[NFTA_CHAIN_HANDLE];
2512 } else if (nla[NFTA_CHAIN_NAME]) {
2513 chain = nft_chain_lookup(net, table, attr, genmask);
2514 if (IS_ERR(chain)) {
2515 if (PTR_ERR(chain) != -ENOENT) {
2516 NL_SET_BAD_ATTR(extack, attr);
2517 return PTR_ERR(chain);
2518 }
2519 chain = NULL;
2520 }
2521 } else if (!nla[NFTA_CHAIN_ID]) {
2522 return -EINVAL;
2523 }
2524
2525 if (nla[NFTA_CHAIN_POLICY]) {
2526 if (chain != NULL &&
2527 !nft_is_base_chain(chain)) {
2528 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2529 return -EOPNOTSUPP;
2530 }
2531
2532 if (chain == NULL &&
2533 nla[NFTA_CHAIN_HOOK] == NULL) {
2534 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2535 return -EOPNOTSUPP;
2536 }
2537
2538 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2539 switch (policy) {
2540 case NF_DROP:
2541 case NF_ACCEPT:
2542 break;
2543 default:
2544 return -EINVAL;
2545 }
2546 }
2547
2548 if (nla[NFTA_CHAIN_FLAGS])
2549 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2550 else if (chain)
2551 flags = chain->flags;
2552
2553 if (flags & ~NFT_CHAIN_FLAGS)
2554 return -EOPNOTSUPP;
2555
2556 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2557
2558 if (chain != NULL) {
2559 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
2560 NL_SET_BAD_ATTR(extack, attr);
2561 return -EEXIST;
2562 }
2563 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
2564 return -EOPNOTSUPP;
2565
2566 flags |= chain->flags & NFT_CHAIN_BASE;
2567 return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
2568 extack);
2569 }
2570
2571 return nf_tables_addchain(&ctx, family, genmask, policy, flags, extack);
2572}
2573
2574static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info,
2575 const struct nlattr * const nla[])
2576{
2577 struct netlink_ext_ack *extack = info->extack;
2578 u8 genmask = nft_genmask_next(info->net);
2579 u8 family = info->nfmsg->nfgen_family;
2580 struct net *net = info->net;
2581 const struct nlattr *attr;
2582 struct nft_table *table;
2583 struct nft_chain *chain;
2584 struct nft_rule *rule;
2585 struct nft_ctx ctx;
2586 u64 handle;
2587 u32 use;
2588 int err;
2589
2590 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2591 NETLINK_CB(skb).portid);
2592 if (IS_ERR(table)) {
2593 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2594 return PTR_ERR(table);
2595 }
2596
2597 if (nla[NFTA_CHAIN_HANDLE]) {
2598 attr = nla[NFTA_CHAIN_HANDLE];
2599 handle = be64_to_cpu(nla_get_be64(attr));
2600 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2601 } else {
2602 attr = nla[NFTA_CHAIN_NAME];
2603 chain = nft_chain_lookup(net, table, attr, genmask);
2604 }
2605 if (IS_ERR(chain)) {
2606 NL_SET_BAD_ATTR(extack, attr);
2607 return PTR_ERR(chain);
2608 }
2609
2610 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
2611 chain->use > 0)
2612 return -EBUSY;
2613
2614 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2615
2616 use = chain->use;
2617 list_for_each_entry(rule, &chain->rules, list) {
2618 if (!nft_is_active_next(net, rule))
2619 continue;
2620 use--;
2621
2622 err = nft_delrule(&ctx, rule);
2623 if (err < 0)
2624 return err;
2625 }
2626
2627
2628
2629
2630 if (use > 0) {
2631 NL_SET_BAD_ATTR(extack, attr);
2632 return -EBUSY;
2633 }
2634
2635 return nft_delchain(&ctx);
2636}
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649int nft_register_expr(struct nft_expr_type *type)
2650{
2651 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2652 if (type->family == NFPROTO_UNSPEC)
2653 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2654 else
2655 list_add_rcu(&type->list, &nf_tables_expressions);
2656 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2657 return 0;
2658}
2659EXPORT_SYMBOL_GPL(nft_register_expr);
2660
2661
2662
2663
2664
2665
2666
2667void nft_unregister_expr(struct nft_expr_type *type)
2668{
2669 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2670 list_del_rcu(&type->list);
2671 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2672}
2673EXPORT_SYMBOL_GPL(nft_unregister_expr);
2674
2675static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2676 struct nlattr *nla)
2677{
2678 const struct nft_expr_type *type, *candidate = NULL;
2679
2680 list_for_each_entry(type, &nf_tables_expressions, list) {
2681 if (!nla_strcmp(nla, type->name)) {
2682 if (!type->family && !candidate)
2683 candidate = type;
2684 else if (type->family == family)
2685 candidate = type;
2686 }
2687 }
2688 return candidate;
2689}
2690
2691#ifdef CONFIG_MODULES
2692static int nft_expr_type_request_module(struct net *net, u8 family,
2693 struct nlattr *nla)
2694{
2695 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
2696 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
2697 return -EAGAIN;
2698
2699 return 0;
2700}
2701#endif
2702
2703static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2704 u8 family,
2705 struct nlattr *nla)
2706{
2707 const struct nft_expr_type *type;
2708
2709 if (nla == NULL)
2710 return ERR_PTR(-EINVAL);
2711
2712 type = __nft_expr_type_get(family, nla);
2713 if (type != NULL && try_module_get(type->owner))
2714 return type;
2715
2716 lockdep_nfnl_nft_mutex_not_held();
2717#ifdef CONFIG_MODULES
2718 if (type == NULL) {
2719 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2720 return ERR_PTR(-EAGAIN);
2721
2722 if (nft_request_module(net, "nft-expr-%.*s",
2723 nla_len(nla),
2724 (char *)nla_data(nla)) == -EAGAIN)
2725 return ERR_PTR(-EAGAIN);
2726 }
2727#endif
2728 return ERR_PTR(-ENOENT);
2729}
2730
2731static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2732 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
2733 .len = NFT_MODULE_AUTOLOAD_LIMIT },
2734 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2735};
2736
2737static int nf_tables_fill_expr_info(struct sk_buff *skb,
2738 const struct nft_expr *expr)
2739{
2740 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2741 goto nla_put_failure;
2742
2743 if (expr->ops->dump) {
2744 struct nlattr *data = nla_nest_start_noflag(skb,
2745 NFTA_EXPR_DATA);
2746 if (data == NULL)
2747 goto nla_put_failure;
2748 if (expr->ops->dump(skb, expr) < 0)
2749 goto nla_put_failure;
2750 nla_nest_end(skb, data);
2751 }
2752
2753 return skb->len;
2754
2755nla_put_failure:
2756 return -1;
2757};
2758
2759int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2760 const struct nft_expr *expr)
2761{
2762 struct nlattr *nest;
2763
2764 nest = nla_nest_start_noflag(skb, attr);
2765 if (!nest)
2766 goto nla_put_failure;
2767 if (nf_tables_fill_expr_info(skb, expr) < 0)
2768 goto nla_put_failure;
2769 nla_nest_end(skb, nest);
2770 return 0;
2771
2772nla_put_failure:
2773 return -1;
2774}
2775
2776struct nft_expr_info {
2777 const struct nft_expr_ops *ops;
2778 const struct nlattr *attr;
2779 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2780};
2781
2782static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2783 const struct nlattr *nla,
2784 struct nft_expr_info *info)
2785{
2786 const struct nft_expr_type *type;
2787 const struct nft_expr_ops *ops;
2788 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2789 int err;
2790
2791 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2792 nft_expr_policy, NULL);
2793 if (err < 0)
2794 return err;
2795
2796 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2797 if (IS_ERR(type))
2798 return PTR_ERR(type);
2799
2800 if (tb[NFTA_EXPR_DATA]) {
2801 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2802 tb[NFTA_EXPR_DATA],
2803 type->policy, NULL);
2804 if (err < 0)
2805 goto err1;
2806 } else
2807 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2808
2809 if (type->select_ops != NULL) {
2810 ops = type->select_ops(ctx,
2811 (const struct nlattr * const *)info->tb);
2812 if (IS_ERR(ops)) {
2813 err = PTR_ERR(ops);
2814#ifdef CONFIG_MODULES
2815 if (err == -EAGAIN)
2816 if (nft_expr_type_request_module(ctx->net,
2817 ctx->family,
2818 tb[NFTA_EXPR_NAME]) != -EAGAIN)
2819 err = -ENOENT;
2820#endif
2821 goto err1;
2822 }
2823 } else
2824 ops = type->ops;
2825
2826 info->attr = nla;
2827 info->ops = ops;
2828
2829 return 0;
2830
2831err1:
2832 module_put(type->owner);
2833 return err;
2834}
2835
2836static int nf_tables_newexpr(const struct nft_ctx *ctx,
2837 const struct nft_expr_info *expr_info,
2838 struct nft_expr *expr)
2839{
2840 const struct nft_expr_ops *ops = expr_info->ops;
2841 int err;
2842
2843 expr->ops = ops;
2844 if (ops->init) {
2845 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb);
2846 if (err < 0)
2847 goto err1;
2848 }
2849
2850 return 0;
2851err1:
2852 expr->ops = NULL;
2853 return err;
2854}
2855
2856static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2857 struct nft_expr *expr)
2858{
2859 const struct nft_expr_type *type = expr->ops->type;
2860
2861 if (expr->ops->destroy)
2862 expr->ops->destroy(ctx, expr);
2863 module_put(type->owner);
2864}
2865
2866static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2867 const struct nlattr *nla)
2868{
2869 struct nft_expr_info expr_info;
2870 struct nft_expr *expr;
2871 struct module *owner;
2872 int err;
2873
2874 err = nf_tables_expr_parse(ctx, nla, &expr_info);
2875 if (err < 0)
2876 goto err1;
2877
2878 err = -ENOMEM;
2879 expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT);
2880 if (expr == NULL)
2881 goto err2;
2882
2883 err = nf_tables_newexpr(ctx, &expr_info, expr);
2884 if (err < 0)
2885 goto err3;
2886
2887 return expr;
2888err3:
2889 kfree(expr);
2890err2:
2891 owner = expr_info.ops->type->owner;
2892 if (expr_info.ops->type->release_ops)
2893 expr_info.ops->type->release_ops(expr_info.ops);
2894
2895 module_put(owner);
2896err1:
2897 return ERR_PTR(err);
2898}
2899
2900int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
2901{
2902 int err;
2903
2904 if (src->ops->clone) {
2905 dst->ops = src->ops;
2906 err = src->ops->clone(dst, src);
2907 if (err < 0)
2908 return err;
2909 } else {
2910 memcpy(dst, src, src->ops->size);
2911 }
2912
2913 __module_get(src->ops->type->owner);
2914
2915 return 0;
2916}
2917
2918void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2919{
2920 nf_tables_expr_destroy(ctx, expr);
2921 kfree(expr);
2922}
2923
2924
2925
2926
2927
2928static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2929 u64 handle)
2930{
2931 struct nft_rule *rule;
2932
2933
2934 list_for_each_entry_rcu(rule, &chain->rules, list) {
2935 if (handle == rule->handle)
2936 return rule;
2937 }
2938
2939 return ERR_PTR(-ENOENT);
2940}
2941
2942static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2943 const struct nlattr *nla)
2944{
2945 if (nla == NULL)
2946 return ERR_PTR(-EINVAL);
2947
2948 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2949}
2950
2951static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2952 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2953 .len = NFT_TABLE_MAXNAMELEN - 1 },
2954 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2955 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2956 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2957 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2958 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2959 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2960 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2961 .len = NFT_USERDATA_MAXLEN },
2962 [NFTA_RULE_ID] = { .type = NLA_U32 },
2963 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2964 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
2965};
2966
2967static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2968 u32 portid, u32 seq, int event,
2969 u32 flags, int family,
2970 const struct nft_table *table,
2971 const struct nft_chain *chain,
2972 const struct nft_rule *rule, u64 handle)
2973{
2974 struct nlmsghdr *nlh;
2975 const struct nft_expr *expr, *next;
2976 struct nlattr *list;
2977 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2978
2979 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0,
2980 nft_base_seq(net));
2981 if (!nlh)
2982 goto nla_put_failure;
2983
2984 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2985 goto nla_put_failure;
2986 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2987 goto nla_put_failure;
2988 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2989 NFTA_RULE_PAD))
2990 goto nla_put_failure;
2991
2992 if (event != NFT_MSG_DELRULE && handle) {
2993 if (nla_put_be64(skb, NFTA_RULE_POSITION, cpu_to_be64(handle),
2994 NFTA_RULE_PAD))
2995 goto nla_put_failure;
2996 }
2997
2998 if (chain->flags & NFT_CHAIN_HW_OFFLOAD)
2999 nft_flow_rule_stats(chain, rule);
3000
3001 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
3002 if (list == NULL)
3003 goto nla_put_failure;
3004 nft_rule_for_each_expr(expr, next, rule) {
3005 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
3006 goto nla_put_failure;
3007 }
3008 nla_nest_end(skb, list);
3009
3010 if (rule->udata) {
3011 struct nft_userdata *udata = nft_userdata(rule);
3012 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
3013 udata->data) < 0)
3014 goto nla_put_failure;
3015 }
3016
3017 nlmsg_end(skb, nlh);
3018 return 0;
3019
3020nla_put_failure:
3021 nlmsg_trim(skb, nlh);
3022 return -1;
3023}
3024
3025static void nf_tables_rule_notify(const struct nft_ctx *ctx,
3026 const struct nft_rule *rule, int event)
3027{
3028 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
3029 const struct nft_rule *prule;
3030 struct sk_buff *skb;
3031 u64 handle = 0;
3032 u16 flags = 0;
3033 int err;
3034
3035 if (!ctx->report &&
3036 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3037 return;
3038
3039 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3040 if (skb == NULL)
3041 goto err;
3042
3043 if (event == NFT_MSG_NEWRULE &&
3044 !list_is_first(&rule->list, &ctx->chain->rules) &&
3045 !list_is_last(&rule->list, &ctx->chain->rules)) {
3046 prule = list_prev_entry(rule, list);
3047 handle = prule->handle;
3048 }
3049 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE))
3050 flags |= NLM_F_APPEND;
3051 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
3052 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
3053
3054 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
3055 event, flags, ctx->family, ctx->table,
3056 ctx->chain, rule, handle);
3057 if (err < 0) {
3058 kfree_skb(skb);
3059 goto err;
3060 }
3061
3062 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
3063 return;
3064err:
3065 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
3066}
3067
3068struct nft_rule_dump_ctx {
3069 char *table;
3070 char *chain;
3071};
3072
3073static int __nf_tables_dump_rules(struct sk_buff *skb,
3074 unsigned int *idx,
3075 struct netlink_callback *cb,
3076 const struct nft_table *table,
3077 const struct nft_chain *chain)
3078{
3079 struct net *net = sock_net(skb->sk);
3080 const struct nft_rule *rule, *prule;
3081 unsigned int s_idx = cb->args[0];
3082 u64 handle;
3083
3084 prule = NULL;
3085 list_for_each_entry_rcu(rule, &chain->rules, list) {
3086 if (!nft_is_active(net, rule))
3087 goto cont_skip;
3088 if (*idx < s_idx)
3089 goto cont;
3090 if (*idx > s_idx) {
3091 memset(&cb->args[1], 0,
3092 sizeof(cb->args) - sizeof(cb->args[0]));
3093 }
3094 if (prule)
3095 handle = prule->handle;
3096 else
3097 handle = 0;
3098
3099 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
3100 cb->nlh->nlmsg_seq,
3101 NFT_MSG_NEWRULE,
3102 NLM_F_MULTI | NLM_F_APPEND,
3103 table->family,
3104 table, chain, rule, handle) < 0)
3105 return 1;
3106
3107 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3108cont:
3109 prule = rule;
3110cont_skip:
3111 (*idx)++;
3112 }
3113 return 0;
3114}
3115
3116static int nf_tables_dump_rules(struct sk_buff *skb,
3117 struct netlink_callback *cb)
3118{
3119 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
3120 const struct nft_rule_dump_ctx *ctx = cb->data;
3121 struct nft_table *table;
3122 const struct nft_chain *chain;
3123 unsigned int idx = 0;
3124 struct net *net = sock_net(skb->sk);
3125 int family = nfmsg->nfgen_family;
3126 struct nftables_pernet *nft_net;
3127
3128 rcu_read_lock();
3129 nft_net = nft_pernet(net);
3130 cb->seq = nft_net->base_seq;
3131
3132 list_for_each_entry_rcu(table, &nft_net->tables, list) {
3133 if (family != NFPROTO_UNSPEC && family != table->family)
3134 continue;
3135
3136 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
3137 continue;
3138
3139 if (ctx && ctx->table && ctx->chain) {
3140 struct rhlist_head *list, *tmp;
3141
3142 list = rhltable_lookup(&table->chains_ht, ctx->chain,
3143 nft_chain_ht_params);
3144 if (!list)
3145 goto done;
3146
3147 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
3148 if (!nft_is_active(net, chain))
3149 continue;
3150 __nf_tables_dump_rules(skb, &idx,
3151 cb, table, chain);
3152 break;
3153 }
3154 goto done;
3155 }
3156
3157 list_for_each_entry_rcu(chain, &table->chains, list) {
3158 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
3159 goto done;
3160 }
3161
3162 if (ctx && ctx->table)
3163 break;
3164 }
3165done:
3166 rcu_read_unlock();
3167
3168 cb->args[0] = idx;
3169 return skb->len;
3170}
3171
3172static int nf_tables_dump_rules_start(struct netlink_callback *cb)
3173{
3174 const struct nlattr * const *nla = cb->data;
3175 struct nft_rule_dump_ctx *ctx = NULL;
3176
3177 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
3178 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
3179 if (!ctx)
3180 return -ENOMEM;
3181
3182 if (nla[NFTA_RULE_TABLE]) {
3183 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
3184 GFP_ATOMIC);
3185 if (!ctx->table) {
3186 kfree(ctx);
3187 return -ENOMEM;
3188 }
3189 }
3190 if (nla[NFTA_RULE_CHAIN]) {
3191 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
3192 GFP_ATOMIC);
3193 if (!ctx->chain) {
3194 kfree(ctx->table);
3195 kfree(ctx);
3196 return -ENOMEM;
3197 }
3198 }
3199 }
3200
3201 cb->data = ctx;
3202 return 0;
3203}
3204
3205static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3206{
3207 struct nft_rule_dump_ctx *ctx = cb->data;
3208
3209 if (ctx) {
3210 kfree(ctx->table);
3211 kfree(ctx->chain);
3212 kfree(ctx);
3213 }
3214 return 0;
3215}
3216
3217
3218static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info,
3219 const struct nlattr * const nla[])
3220{
3221 struct netlink_ext_ack *extack = info->extack;
3222 u8 genmask = nft_genmask_cur(info->net);
3223 u8 family = info->nfmsg->nfgen_family;
3224 const struct nft_chain *chain;
3225 const struct nft_rule *rule;
3226 struct net *net = info->net;
3227 struct nft_table *table;
3228 struct sk_buff *skb2;
3229 int err;
3230
3231 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3232 struct netlink_dump_control c = {
3233 .start= nf_tables_dump_rules_start,
3234 .dump = nf_tables_dump_rules,
3235 .done = nf_tables_dump_rules_done,
3236 .module = THIS_MODULE,
3237 .data = (void *)nla,
3238 };
3239
3240 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
3241 }
3242
3243 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0);
3244 if (IS_ERR(table)) {
3245 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3246 return PTR_ERR(table);
3247 }
3248
3249 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3250 if (IS_ERR(chain)) {
3251 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3252 return PTR_ERR(chain);
3253 }
3254
3255 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3256 if (IS_ERR(rule)) {
3257 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3258 return PTR_ERR(rule);
3259 }
3260
3261 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3262 if (!skb2)
3263 return -ENOMEM;
3264
3265 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
3266 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3267 family, table, chain, rule, 0);
3268 if (err < 0)
3269 goto err_fill_rule_info;
3270
3271 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
3272
3273err_fill_rule_info:
3274 kfree_skb(skb2);
3275 return err;
3276}
3277
3278static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
3279 struct nft_rule *rule)
3280{
3281 struct nft_expr *expr, *next;
3282
3283
3284
3285
3286
3287 expr = nft_expr_first(rule);
3288 while (nft_expr_more(rule, expr)) {
3289 next = nft_expr_next(expr);
3290 nf_tables_expr_destroy(ctx, expr);
3291 expr = next;
3292 }
3293 kfree(rule);
3294}
3295
3296void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3297{
3298 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
3299 nf_tables_rule_destroy(ctx, rule);
3300}
3301
3302int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
3303{
3304 struct nft_expr *expr, *last;
3305 const struct nft_data *data;
3306 struct nft_rule *rule;
3307 int err;
3308
3309 if (ctx->level == NFT_JUMP_STACK_SIZE)
3310 return -EMLINK;
3311
3312 list_for_each_entry(rule, &chain->rules, list) {
3313 if (!nft_is_active_next(ctx->net, rule))
3314 continue;
3315
3316 nft_rule_for_each_expr(expr, last, rule) {
3317 if (!expr->ops->validate)
3318 continue;
3319
3320 err = expr->ops->validate(ctx, expr, &data);
3321 if (err < 0)
3322 return err;
3323 }
3324 }
3325
3326 return 0;
3327}
3328EXPORT_SYMBOL_GPL(nft_chain_validate);
3329
3330static int nft_table_validate(struct net *net, const struct nft_table *table)
3331{
3332 struct nft_chain *chain;
3333 struct nft_ctx ctx = {
3334 .net = net,
3335 .family = table->family,
3336 };
3337 int err;
3338
3339 list_for_each_entry(chain, &table->chains, list) {
3340 if (!nft_is_base_chain(chain))
3341 continue;
3342
3343 ctx.chain = chain;
3344 err = nft_chain_validate(&ctx, chain);
3345 if (err < 0)
3346 return err;
3347 }
3348
3349 return 0;
3350}
3351
3352static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3353 const struct nlattr *nla);
3354
3355#define NFT_RULE_MAXEXPRS 128
3356
3357static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
3358 const struct nlattr * const nla[])
3359{
3360 struct nftables_pernet *nft_net = nft_pernet(info->net);
3361 struct netlink_ext_ack *extack = info->extack;
3362 unsigned int size, i, n, ulen = 0, usize = 0;
3363 u8 genmask = nft_genmask_next(info->net);
3364 struct nft_rule *rule, *old_rule = NULL;
3365 struct nft_expr_info *expr_info = NULL;
3366 u8 family = info->nfmsg->nfgen_family;
3367 struct nft_flow_rule *flow = NULL;
3368 struct net *net = info->net;
3369 struct nft_userdata *udata;
3370 struct nft_table *table;
3371 struct nft_chain *chain;
3372 struct nft_trans *trans;
3373 u64 handle, pos_handle;
3374 struct nft_expr *expr;
3375 struct nft_ctx ctx;
3376 struct nlattr *tmp;
3377 int err, rem;
3378
3379 lockdep_assert_held(&nft_net->commit_mutex);
3380
3381 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3382 NETLINK_CB(skb).portid);
3383 if (IS_ERR(table)) {
3384 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3385 return PTR_ERR(table);
3386 }
3387
3388 if (nla[NFTA_RULE_CHAIN]) {
3389 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3390 genmask);
3391 if (IS_ERR(chain)) {
3392 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3393 return PTR_ERR(chain);
3394 }
3395 if (nft_chain_is_bound(chain))
3396 return -EOPNOTSUPP;
3397
3398 } else if (nla[NFTA_RULE_CHAIN_ID]) {
3399 chain = nft_chain_lookup_byid(net, nla[NFTA_RULE_CHAIN_ID]);
3400 if (IS_ERR(chain)) {
3401 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
3402 return PTR_ERR(chain);
3403 }
3404 } else {
3405 return -EINVAL;
3406 }
3407
3408 if (nla[NFTA_RULE_HANDLE]) {
3409 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3410 rule = __nft_rule_lookup(chain, handle);
3411 if (IS_ERR(rule)) {
3412 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3413 return PTR_ERR(rule);
3414 }
3415
3416 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
3417 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3418 return -EEXIST;
3419 }
3420 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
3421 old_rule = rule;
3422 else
3423 return -EOPNOTSUPP;
3424 } else {
3425 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) ||
3426 info->nlh->nlmsg_flags & NLM_F_REPLACE)
3427 return -EINVAL;
3428 handle = nf_tables_alloc_handle(table);
3429
3430 if (chain->use == UINT_MAX)
3431 return -EOVERFLOW;
3432
3433 if (nla[NFTA_RULE_POSITION]) {
3434 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3435 old_rule = __nft_rule_lookup(chain, pos_handle);
3436 if (IS_ERR(old_rule)) {
3437 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3438 return PTR_ERR(old_rule);
3439 }
3440 } else if (nla[NFTA_RULE_POSITION_ID]) {
3441 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
3442 if (IS_ERR(old_rule)) {
3443 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3444 return PTR_ERR(old_rule);
3445 }
3446 }
3447 }
3448
3449 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
3450
3451 n = 0;
3452 size = 0;
3453 if (nla[NFTA_RULE_EXPRESSIONS]) {
3454 expr_info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3455 sizeof(struct nft_expr_info),
3456 GFP_KERNEL);
3457 if (!expr_info)
3458 return -ENOMEM;
3459
3460 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3461 err = -EINVAL;
3462 if (nla_type(tmp) != NFTA_LIST_ELEM)
3463 goto err_release_expr;
3464 if (n == NFT_RULE_MAXEXPRS)
3465 goto err_release_expr;
3466 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]);
3467 if (err < 0) {
3468 NL_SET_BAD_ATTR(extack, tmp);
3469 goto err_release_expr;
3470 }
3471 size += expr_info[n].ops->size;
3472 n++;
3473 }
3474 }
3475
3476 err = -EFBIG;
3477 if (size >= 1 << 12)
3478 goto err_release_expr;
3479
3480 if (nla[NFTA_RULE_USERDATA]) {
3481 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3482 if (ulen > 0)
3483 usize = sizeof(struct nft_userdata) + ulen;
3484 }
3485
3486 err = -ENOMEM;
3487 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT);
3488 if (rule == NULL)
3489 goto err_release_expr;
3490
3491 nft_activate_next(net, rule);
3492
3493 rule->handle = handle;
3494 rule->dlen = size;
3495 rule->udata = ulen ? 1 : 0;
3496
3497 if (ulen) {
3498 udata = nft_userdata(rule);
3499 udata->len = ulen - 1;
3500 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
3501 }
3502
3503 expr = nft_expr_first(rule);
3504 for (i = 0; i < n; i++) {
3505 err = nf_tables_newexpr(&ctx, &expr_info[i], expr);
3506 if (err < 0) {
3507 NL_SET_BAD_ATTR(extack, expr_info[i].attr);
3508 goto err_release_rule;
3509 }
3510
3511 if (expr_info[i].ops->validate)
3512 nft_validate_state_update(net, NFT_VALIDATE_NEED);
3513
3514 expr_info[i].ops = NULL;
3515 expr = nft_expr_next(expr);
3516 }
3517
3518 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
3519 flow = nft_flow_rule_create(net, rule);
3520 if (IS_ERR(flow)) {
3521 err = PTR_ERR(flow);
3522 goto err_release_rule;
3523 }
3524 }
3525
3526 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
3527 err = nft_delrule(&ctx, old_rule);
3528 if (err < 0)
3529 goto err_destroy_flow_rule;
3530
3531 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3532 if (trans == NULL) {
3533 err = -ENOMEM;
3534 goto err_destroy_flow_rule;
3535 }
3536 list_add_tail_rcu(&rule->list, &old_rule->list);
3537 } else {
3538 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3539 if (!trans) {
3540 err = -ENOMEM;
3541 goto err_destroy_flow_rule;
3542 }
3543
3544 if (info->nlh->nlmsg_flags & NLM_F_APPEND) {
3545 if (old_rule)
3546 list_add_rcu(&rule->list, &old_rule->list);
3547 else
3548 list_add_tail_rcu(&rule->list, &chain->rules);
3549 } else {
3550 if (old_rule)
3551 list_add_tail_rcu(&rule->list, &old_rule->list);
3552 else
3553 list_add_rcu(&rule->list, &chain->rules);
3554 }
3555 }
3556 kvfree(expr_info);
3557 chain->use++;
3558
3559 if (flow)
3560 nft_trans_flow_rule(trans) = flow;
3561
3562 if (nft_net->validate_state == NFT_VALIDATE_DO)
3563 return nft_table_validate(net, table);
3564
3565 return 0;
3566
3567err_destroy_flow_rule:
3568 if (flow)
3569 nft_flow_rule_destroy(flow);
3570err_release_rule:
3571 nf_tables_rule_release(&ctx, rule);
3572err_release_expr:
3573 for (i = 0; i < n; i++) {
3574 if (expr_info[i].ops) {
3575 module_put(expr_info[i].ops->type->owner);
3576 if (expr_info[i].ops->type->release_ops)
3577 expr_info[i].ops->type->release_ops(expr_info[i].ops);
3578 }
3579 }
3580 kvfree(expr_info);
3581
3582 return err;
3583}
3584
3585static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3586 const struct nlattr *nla)
3587{
3588 struct nftables_pernet *nft_net = nft_pernet(net);
3589 u32 id = ntohl(nla_get_be32(nla));
3590 struct nft_trans *trans;
3591
3592 list_for_each_entry(trans, &nft_net->commit_list, list) {
3593 struct nft_rule *rule = nft_trans_rule(trans);
3594
3595 if (trans->msg_type == NFT_MSG_NEWRULE &&
3596 id == nft_trans_rule_id(trans))
3597 return rule;
3598 }
3599 return ERR_PTR(-ENOENT);
3600}
3601
3602static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
3603 const struct nlattr * const nla[])
3604{
3605 struct netlink_ext_ack *extack = info->extack;
3606 u8 genmask = nft_genmask_next(info->net);
3607 u8 family = info->nfmsg->nfgen_family;
3608 struct nft_chain *chain = NULL;
3609 struct net *net = info->net;
3610 struct nft_table *table;
3611 struct nft_rule *rule;
3612 struct nft_ctx ctx;
3613 int err = 0;
3614
3615 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3616 NETLINK_CB(skb).portid);
3617 if (IS_ERR(table)) {
3618 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3619 return PTR_ERR(table);
3620 }
3621
3622 if (nla[NFTA_RULE_CHAIN]) {
3623 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3624 genmask);
3625 if (IS_ERR(chain)) {
3626 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3627 return PTR_ERR(chain);
3628 }
3629 if (nft_chain_is_bound(chain))
3630 return -EOPNOTSUPP;
3631 }
3632
3633 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
3634
3635 if (chain) {
3636 if (nla[NFTA_RULE_HANDLE]) {
3637 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3638 if (IS_ERR(rule)) {
3639 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3640 return PTR_ERR(rule);
3641 }
3642
3643 err = nft_delrule(&ctx, rule);
3644 } else if (nla[NFTA_RULE_ID]) {
3645 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
3646 if (IS_ERR(rule)) {
3647 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
3648 return PTR_ERR(rule);
3649 }
3650
3651 err = nft_delrule(&ctx, rule);
3652 } else {
3653 err = nft_delrule_by_chain(&ctx);
3654 }
3655 } else {
3656 list_for_each_entry(chain, &table->chains, list) {
3657 if (!nft_is_active_next(net, chain))
3658 continue;
3659
3660 ctx.chain = chain;
3661 err = nft_delrule_by_chain(&ctx);
3662 if (err < 0)
3663 break;
3664 }
3665 }
3666
3667 return err;
3668}
3669
3670
3671
3672
3673static const struct nft_set_type *nft_set_types[] = {
3674 &nft_set_hash_fast_type,
3675 &nft_set_hash_type,
3676 &nft_set_rhash_type,
3677 &nft_set_bitmap_type,
3678 &nft_set_rbtree_type,
3679#if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
3680 &nft_set_pipapo_avx2_type,
3681#endif
3682 &nft_set_pipapo_type,
3683};
3684
3685#define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3686 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3687 NFT_SET_EVAL)
3688
3689static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
3690{
3691 return (flags & type->features) == (flags & NFT_SET_FEATURES);
3692}
3693
3694
3695
3696
3697
3698
3699static const struct nft_set_ops *
3700nft_select_set_ops(const struct nft_ctx *ctx,
3701 const struct nlattr * const nla[],
3702 const struct nft_set_desc *desc,
3703 enum nft_set_policies policy)
3704{
3705 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
3706 const struct nft_set_ops *ops, *bops;
3707 struct nft_set_estimate est, best;
3708 const struct nft_set_type *type;
3709 u32 flags = 0;
3710 int i;
3711
3712 lockdep_assert_held(&nft_net->commit_mutex);
3713 lockdep_nfnl_nft_mutex_not_held();
3714
3715 if (nla[NFTA_SET_FLAGS] != NULL)
3716 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3717
3718 bops = NULL;
3719 best.size = ~0;
3720 best.lookup = ~0;
3721 best.space = ~0;
3722
3723 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
3724 type = nft_set_types[i];
3725 ops = &type->ops;
3726
3727 if (!nft_set_ops_candidate(type, flags))
3728 continue;
3729 if (!ops->estimate(desc, flags, &est))
3730 continue;
3731
3732 switch (policy) {
3733 case NFT_SET_POL_PERFORMANCE:
3734 if (est.lookup < best.lookup)
3735 break;
3736 if (est.lookup == best.lookup &&
3737 est.space < best.space)
3738 break;
3739 continue;
3740 case NFT_SET_POL_MEMORY:
3741 if (!desc->size) {
3742 if (est.space < best.space)
3743 break;
3744 if (est.space == best.space &&
3745 est.lookup < best.lookup)
3746 break;
3747 } else if (est.size < best.size || !bops) {
3748 break;
3749 }
3750 continue;
3751 default:
3752 break;
3753 }
3754
3755 bops = ops;
3756 best = est;
3757 }
3758
3759 if (bops != NULL)
3760 return bops;
3761
3762 return ERR_PTR(-EOPNOTSUPP);
3763}
3764
3765static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3766 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3767 .len = NFT_TABLE_MAXNAMELEN - 1 },
3768 [NFTA_SET_NAME] = { .type = NLA_STRING,
3769 .len = NFT_SET_MAXNAMELEN - 1 },
3770 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3771 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3772 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3773 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3774 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3775 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3776 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3777 [NFTA_SET_ID] = { .type = NLA_U32 },
3778 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3779 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3780 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3781 .len = NFT_USERDATA_MAXLEN },
3782 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3783 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3784 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
3785 [NFTA_SET_EXPRESSIONS] = { .type = NLA_NESTED },
3786};
3787
3788static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3789 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3790 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED },
3791};
3792
3793static struct nft_set *nft_set_lookup(const struct nft_table *table,
3794 const struct nlattr *nla, u8 genmask)
3795{
3796 struct nft_set *set;
3797
3798 if (nla == NULL)
3799 return ERR_PTR(-EINVAL);
3800
3801 list_for_each_entry_rcu(set, &table->sets, list) {
3802 if (!nla_strcmp(nla, set->name) &&
3803 nft_active_genmask(set, genmask))
3804 return set;
3805 }
3806 return ERR_PTR(-ENOENT);
3807}
3808
3809static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3810 const struct nlattr *nla,
3811 u8 genmask)
3812{
3813 struct nft_set *set;
3814
3815 list_for_each_entry(set, &table->sets, list) {
3816 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3817 nft_active_genmask(set, genmask))
3818 return set;
3819 }
3820 return ERR_PTR(-ENOENT);
3821}
3822
3823static struct nft_set *nft_set_lookup_byid(const struct net *net,
3824 const struct nlattr *nla, u8 genmask)
3825{
3826 struct nftables_pernet *nft_net = nft_pernet(net);
3827 u32 id = ntohl(nla_get_be32(nla));
3828 struct nft_trans *trans;
3829
3830 list_for_each_entry(trans, &nft_net->commit_list, list) {
3831 if (trans->msg_type == NFT_MSG_NEWSET) {
3832 struct nft_set *set = nft_trans_set(trans);
3833
3834 if (id == nft_trans_set_id(trans) &&
3835 nft_active_genmask(set, genmask))
3836 return set;
3837 }
3838 }
3839 return ERR_PTR(-ENOENT);
3840}
3841
3842struct nft_set *nft_set_lookup_global(const struct net *net,
3843 const struct nft_table *table,
3844 const struct nlattr *nla_set_name,
3845 const struct nlattr *nla_set_id,
3846 u8 genmask)
3847{
3848 struct nft_set *set;
3849
3850 set = nft_set_lookup(table, nla_set_name, genmask);
3851 if (IS_ERR(set)) {
3852 if (!nla_set_id)
3853 return set;
3854
3855 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3856 }
3857 return set;
3858}
3859EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3860
3861static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3862 const char *name)
3863{
3864 const struct nft_set *i;
3865 const char *p;
3866 unsigned long *inuse;
3867 unsigned int n = 0, min = 0;
3868
3869 p = strchr(name, '%');
3870 if (p != NULL) {
3871 if (p[1] != 'd' || strchr(p + 2, '%'))
3872 return -EINVAL;
3873
3874 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3875 if (inuse == NULL)
3876 return -ENOMEM;
3877cont:
3878 list_for_each_entry(i, &ctx->table->sets, list) {
3879 int tmp;
3880
3881 if (!nft_is_active_next(ctx->net, set))
3882 continue;
3883 if (!sscanf(i->name, name, &tmp))
3884 continue;
3885 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3886 continue;
3887
3888 set_bit(tmp - min, inuse);
3889 }
3890
3891 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3892 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3893 min += BITS_PER_BYTE * PAGE_SIZE;
3894 memset(inuse, 0, PAGE_SIZE);
3895 goto cont;
3896 }
3897 free_page((unsigned long)inuse);
3898 }
3899
3900 set->name = kasprintf(GFP_KERNEL_ACCOUNT, name, min + n);
3901 if (!set->name)
3902 return -ENOMEM;
3903
3904 list_for_each_entry(i, &ctx->table->sets, list) {
3905 if (!nft_is_active_next(ctx->net, i))
3906 continue;
3907 if (!strcmp(set->name, i->name)) {
3908 kfree(set->name);
3909 set->name = NULL;
3910 return -ENFILE;
3911 }
3912 }
3913 return 0;
3914}
3915
3916int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3917{
3918 u64 ms = be64_to_cpu(nla_get_be64(nla));
3919 u64 max = (u64)(~((u64)0));
3920
3921 max = div_u64(max, NSEC_PER_MSEC);
3922 if (ms >= max)
3923 return -ERANGE;
3924
3925 ms *= NSEC_PER_MSEC;
3926 *result = nsecs_to_jiffies64(ms);
3927 return 0;
3928}
3929
3930__be64 nf_jiffies64_to_msecs(u64 input)
3931{
3932 return cpu_to_be64(jiffies64_to_msecs(input));
3933}
3934
3935static int nf_tables_fill_set_concat(struct sk_buff *skb,
3936 const struct nft_set *set)
3937{
3938 struct nlattr *concat, *field;
3939 int i;
3940
3941 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
3942 if (!concat)
3943 return -ENOMEM;
3944
3945 for (i = 0; i < set->field_count; i++) {
3946 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
3947 if (!field)
3948 return -ENOMEM;
3949
3950 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
3951 htonl(set->field_len[i])))
3952 return -ENOMEM;
3953
3954 nla_nest_end(skb, field);
3955 }
3956
3957 nla_nest_end(skb, concat);
3958
3959 return 0;
3960}
3961
3962static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3963 const struct nft_set *set, u16 event, u16 flags)
3964{
3965 struct nlmsghdr *nlh;
3966 u32 portid = ctx->portid;
3967 struct nlattr *nest;
3968 u32 seq = ctx->seq;
3969 int i;
3970
3971 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3972 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
3973 NFNETLINK_V0, nft_base_seq(ctx->net));
3974 if (!nlh)
3975 goto nla_put_failure;
3976
3977 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3978 goto nla_put_failure;
3979 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3980 goto nla_put_failure;
3981 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3982 NFTA_SET_PAD))
3983 goto nla_put_failure;
3984 if (set->flags != 0)
3985 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3986 goto nla_put_failure;
3987
3988 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3989 goto nla_put_failure;
3990 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3991 goto nla_put_failure;
3992 if (set->flags & NFT_SET_MAP) {
3993 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3994 goto nla_put_failure;
3995 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3996 goto nla_put_failure;
3997 }
3998 if (set->flags & NFT_SET_OBJECT &&
3999 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
4000 goto nla_put_failure;
4001
4002 if (set->timeout &&
4003 nla_put_be64(skb, NFTA_SET_TIMEOUT,
4004 nf_jiffies64_to_msecs(set->timeout),
4005 NFTA_SET_PAD))
4006 goto nla_put_failure;
4007 if (set->gc_int &&
4008 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
4009 goto nla_put_failure;
4010
4011 if (set->policy != NFT_SET_POL_PERFORMANCE) {
4012 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
4013 goto nla_put_failure;
4014 }
4015
4016 if (set->udata &&
4017 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
4018 goto nla_put_failure;
4019
4020 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
4021 if (!nest)
4022 goto nla_put_failure;
4023 if (set->size &&
4024 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
4025 goto nla_put_failure;
4026
4027 if (set->field_count > 1 &&
4028 nf_tables_fill_set_concat(skb, set))
4029 goto nla_put_failure;
4030
4031 nla_nest_end(skb, nest);
4032
4033 if (set->num_exprs == 1) {
4034 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
4035 if (nf_tables_fill_expr_info(skb, set->exprs[0]) < 0)
4036 goto nla_put_failure;
4037
4038 nla_nest_end(skb, nest);
4039 } else if (set->num_exprs > 1) {
4040 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS);
4041 if (nest == NULL)
4042 goto nla_put_failure;
4043
4044 for (i = 0; i < set->num_exprs; i++) {
4045 if (nft_expr_dump(skb, NFTA_LIST_ELEM,
4046 set->exprs[i]) < 0)
4047 goto nla_put_failure;
4048 }
4049 nla_nest_end(skb, nest);
4050 }
4051
4052 nlmsg_end(skb, nlh);
4053 return 0;
4054
4055nla_put_failure:
4056 nlmsg_trim(skb, nlh);
4057 return -1;
4058}
4059
4060static void nf_tables_set_notify(const struct nft_ctx *ctx,
4061 const struct nft_set *set, int event,
4062 gfp_t gfp_flags)
4063{
4064 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
4065 u32 portid = ctx->portid;
4066 struct sk_buff *skb;
4067 u16 flags = 0;
4068 int err;
4069
4070 if (!ctx->report &&
4071 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
4072 return;
4073
4074 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
4075 if (skb == NULL)
4076 goto err;
4077
4078 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
4079 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
4080
4081 err = nf_tables_fill_set(skb, ctx, set, event, flags);
4082 if (err < 0) {
4083 kfree_skb(skb);
4084 goto err;
4085 }
4086
4087 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
4088 return;
4089err:
4090 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4091}
4092
4093static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
4094{
4095 const struct nft_set *set;
4096 unsigned int idx, s_idx = cb->args[0];
4097 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
4098 struct net *net = sock_net(skb->sk);
4099 struct nft_ctx *ctx = cb->data, ctx_set;
4100 struct nftables_pernet *nft_net;
4101
4102 if (cb->args[1])
4103 return skb->len;
4104
4105 rcu_read_lock();
4106 nft_net = nft_pernet(net);
4107 cb->seq = nft_net->base_seq;
4108
4109 list_for_each_entry_rcu(table, &nft_net->tables, list) {
4110 if (ctx->family != NFPROTO_UNSPEC &&
4111 ctx->family != table->family)
4112 continue;
4113
4114 if (ctx->table && ctx->table != table)
4115 continue;
4116
4117 if (cur_table) {
4118 if (cur_table != table)
4119 continue;
4120
4121 cur_table = NULL;
4122 }
4123 idx = 0;
4124 list_for_each_entry_rcu(set, &table->sets, list) {
4125 if (idx < s_idx)
4126 goto cont;
4127 if (!nft_is_active(net, set))
4128 goto cont;
4129
4130 ctx_set = *ctx;
4131 ctx_set.table = table;
4132 ctx_set.family = table->family;
4133
4134 if (nf_tables_fill_set(skb, &ctx_set, set,
4135 NFT_MSG_NEWSET,
4136 NLM_F_MULTI) < 0) {
4137 cb->args[0] = idx;
4138 cb->args[2] = (unsigned long) table;
4139 goto done;
4140 }
4141 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4142cont:
4143 idx++;
4144 }
4145 if (s_idx)
4146 s_idx = 0;
4147 }
4148 cb->args[1] = 1;
4149done:
4150 rcu_read_unlock();
4151 return skb->len;
4152}
4153
4154static int nf_tables_dump_sets_start(struct netlink_callback *cb)
4155{
4156 struct nft_ctx *ctx_dump = NULL;
4157
4158 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
4159 if (ctx_dump == NULL)
4160 return -ENOMEM;
4161
4162 cb->data = ctx_dump;
4163 return 0;
4164}
4165
4166static int nf_tables_dump_sets_done(struct netlink_callback *cb)
4167{
4168 kfree(cb->data);
4169 return 0;
4170}
4171
4172
4173static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info,
4174 const struct nlattr * const nla[])
4175{
4176 struct netlink_ext_ack *extack = info->extack;
4177 u8 genmask = nft_genmask_cur(info->net);
4178 u8 family = info->nfmsg->nfgen_family;
4179 struct nft_table *table = NULL;
4180 struct net *net = info->net;
4181 const struct nft_set *set;
4182 struct sk_buff *skb2;
4183 struct nft_ctx ctx;
4184 int err;
4185
4186 if (nla[NFTA_SET_TABLE]) {
4187 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
4188 genmask, 0);
4189 if (IS_ERR(table)) {
4190 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4191 return PTR_ERR(table);
4192 }
4193 }
4194
4195 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
4196
4197 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
4198 struct netlink_dump_control c = {
4199 .start = nf_tables_dump_sets_start,
4200 .dump = nf_tables_dump_sets,
4201 .done = nf_tables_dump_sets_done,
4202 .data = &ctx,
4203 .module = THIS_MODULE,
4204 };
4205
4206 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
4207 }
4208
4209
4210 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
4211 return -EAFNOSUPPORT;
4212 if (!nla[NFTA_SET_TABLE])
4213 return -EINVAL;
4214
4215 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4216 if (IS_ERR(set))
4217 return PTR_ERR(set);
4218
4219 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
4220 if (skb2 == NULL)
4221 return -ENOMEM;
4222
4223 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
4224 if (err < 0)
4225 goto err_fill_set_info;
4226
4227 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4228
4229err_fill_set_info:
4230 kfree_skb(skb2);
4231 return err;
4232}
4233
4234static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4235 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
4236};
4237
4238static int nft_set_desc_concat_parse(const struct nlattr *attr,
4239 struct nft_set_desc *desc)
4240{
4241 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
4242 u32 len;
4243 int err;
4244
4245 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
4246 nft_concat_policy, NULL);
4247 if (err < 0)
4248 return err;
4249
4250 if (!tb[NFTA_SET_FIELD_LEN])
4251 return -EINVAL;
4252
4253 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
4254
4255 if (len * BITS_PER_BYTE / 32 > NFT_REG32_COUNT)
4256 return -E2BIG;
4257
4258 desc->field_len[desc->field_count++] = len;
4259
4260 return 0;
4261}
4262
4263static int nft_set_desc_concat(struct nft_set_desc *desc,
4264 const struct nlattr *nla)
4265{
4266 struct nlattr *attr;
4267 int rem, err;
4268
4269 nla_for_each_nested(attr, nla, rem) {
4270 if (nla_type(attr) != NFTA_LIST_ELEM)
4271 return -EINVAL;
4272
4273 err = nft_set_desc_concat_parse(attr, desc);
4274 if (err < 0)
4275 return err;
4276 }
4277
4278 return 0;
4279}
4280
4281static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
4282 const struct nlattr *nla)
4283{
4284 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
4285 int err;
4286
4287 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
4288 nft_set_desc_policy, NULL);
4289 if (err < 0)
4290 return err;
4291
4292 if (da[NFTA_SET_DESC_SIZE] != NULL)
4293 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
4294 if (da[NFTA_SET_DESC_CONCAT])
4295 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
4296
4297 return err;
4298}
4299
4300static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
4301 const struct nlattr * const nla[])
4302{
4303 u32 ktype, dtype, flags, policy, gc_int, objtype;
4304 struct netlink_ext_ack *extack = info->extack;
4305 u8 genmask = nft_genmask_next(info->net);
4306 u8 family = info->nfmsg->nfgen_family;
4307 const struct nft_set_ops *ops;
4308 struct nft_expr *expr = NULL;
4309 struct net *net = info->net;
4310 struct nft_set_desc desc;
4311 struct nft_table *table;
4312 unsigned char *udata;
4313 struct nft_set *set;
4314 struct nft_ctx ctx;
4315 size_t alloc_size;
4316 u64 timeout;
4317 char *name;
4318 int err, i;
4319 u16 udlen;
4320 u64 size;
4321
4322 if (nla[NFTA_SET_TABLE] == NULL ||
4323 nla[NFTA_SET_NAME] == NULL ||
4324 nla[NFTA_SET_KEY_LEN] == NULL ||
4325 nla[NFTA_SET_ID] == NULL)
4326 return -EINVAL;
4327
4328 memset(&desc, 0, sizeof(desc));
4329
4330 ktype = NFT_DATA_VALUE;
4331 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
4332 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
4333 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
4334 return -EINVAL;
4335 }
4336
4337 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
4338 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
4339 return -EINVAL;
4340
4341 flags = 0;
4342 if (nla[NFTA_SET_FLAGS] != NULL) {
4343 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
4344 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
4345 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
4346 NFT_SET_MAP | NFT_SET_EVAL |
4347 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR))
4348 return -EOPNOTSUPP;
4349
4350 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
4351 (NFT_SET_MAP | NFT_SET_OBJECT))
4352 return -EOPNOTSUPP;
4353 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
4354 (NFT_SET_EVAL | NFT_SET_OBJECT))
4355 return -EOPNOTSUPP;
4356 }
4357
4358 dtype = 0;
4359 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
4360 if (!(flags & NFT_SET_MAP))
4361 return -EINVAL;
4362
4363 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
4364 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
4365 dtype != NFT_DATA_VERDICT)
4366 return -EINVAL;
4367
4368 if (dtype != NFT_DATA_VERDICT) {
4369 if (nla[NFTA_SET_DATA_LEN] == NULL)
4370 return -EINVAL;
4371 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
4372 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
4373 return -EINVAL;
4374 } else
4375 desc.dlen = sizeof(struct nft_verdict);
4376 } else if (flags & NFT_SET_MAP)
4377 return -EINVAL;
4378
4379 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
4380 if (!(flags & NFT_SET_OBJECT))
4381 return -EINVAL;
4382
4383 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
4384 if (objtype == NFT_OBJECT_UNSPEC ||
4385 objtype > NFT_OBJECT_MAX)
4386 return -EOPNOTSUPP;
4387 } else if (flags & NFT_SET_OBJECT)
4388 return -EINVAL;
4389 else
4390 objtype = NFT_OBJECT_UNSPEC;
4391
4392 timeout = 0;
4393 if (nla[NFTA_SET_TIMEOUT] != NULL) {
4394 if (!(flags & NFT_SET_TIMEOUT))
4395 return -EINVAL;
4396
4397 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
4398 if (err)
4399 return err;
4400 }
4401 gc_int = 0;
4402 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
4403 if (!(flags & NFT_SET_TIMEOUT))
4404 return -EINVAL;
4405 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
4406 }
4407
4408 policy = NFT_SET_POL_PERFORMANCE;
4409 if (nla[NFTA_SET_POLICY] != NULL)
4410 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
4411
4412 if (nla[NFTA_SET_DESC] != NULL) {
4413 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
4414 if (err < 0)
4415 return err;
4416 }
4417
4418 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
4419 desc.expr = true;
4420
4421 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask,
4422 NETLINK_CB(skb).portid);
4423 if (IS_ERR(table)) {
4424 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4425 return PTR_ERR(table);
4426 }
4427
4428 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
4429
4430 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4431 if (IS_ERR(set)) {
4432 if (PTR_ERR(set) != -ENOENT) {
4433 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4434 return PTR_ERR(set);
4435 }
4436 } else {
4437 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
4438 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4439 return -EEXIST;
4440 }
4441 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
4442 return -EOPNOTSUPP;
4443
4444 return 0;
4445 }
4446
4447 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
4448 return -ENOENT;
4449
4450 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
4451 if (IS_ERR(ops))
4452 return PTR_ERR(ops);
4453
4454 udlen = 0;
4455 if (nla[NFTA_SET_USERDATA])
4456 udlen = nla_len(nla[NFTA_SET_USERDATA]);
4457
4458 size = 0;
4459 if (ops->privsize != NULL)
4460 size = ops->privsize(nla, &desc);
4461 alloc_size = sizeof(*set) + size + udlen;
4462 if (alloc_size < size || alloc_size > INT_MAX)
4463 return -ENOMEM;
4464 set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT);
4465 if (!set)
4466 return -ENOMEM;
4467
4468 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT);
4469 if (!name) {
4470 err = -ENOMEM;
4471 goto err_set_name;
4472 }
4473
4474 err = nf_tables_set_alloc_name(&ctx, set, name);
4475 kfree(name);
4476 if (err < 0)
4477 goto err_set_name;
4478
4479 udata = NULL;
4480 if (udlen) {
4481 udata = set->data + size;
4482 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
4483 }
4484
4485 INIT_LIST_HEAD(&set->bindings);
4486 INIT_LIST_HEAD(&set->catchall_list);
4487 set->table = table;
4488 write_pnet(&set->net, net);
4489 set->ops = ops;
4490 set->ktype = ktype;
4491 set->klen = desc.klen;
4492 set->dtype = dtype;
4493 set->objtype = objtype;
4494 set->dlen = desc.dlen;
4495 set->flags = flags;
4496 set->size = desc.size;
4497 set->policy = policy;
4498 set->udlen = udlen;
4499 set->udata = udata;
4500 set->timeout = timeout;
4501 set->gc_int = gc_int;
4502
4503 set->field_count = desc.field_count;
4504 for (i = 0; i < desc.field_count; i++)
4505 set->field_len[i] = desc.field_len[i];
4506
4507 err = ops->init(set, &desc, nla);
4508 if (err < 0)
4509 goto err_set_init;
4510
4511 if (nla[NFTA_SET_EXPR]) {
4512 expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]);
4513 if (IS_ERR(expr)) {
4514 err = PTR_ERR(expr);
4515 goto err_set_expr_alloc;
4516 }
4517 set->exprs[0] = expr;
4518 set->num_exprs++;
4519 } else if (nla[NFTA_SET_EXPRESSIONS]) {
4520 struct nft_expr *expr;
4521 struct nlattr *tmp;
4522 int left;
4523
4524 if (!(flags & NFT_SET_EXPR)) {
4525 err = -EINVAL;
4526 goto err_set_expr_alloc;
4527 }
4528 i = 0;
4529 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {
4530 if (i == NFT_SET_EXPR_MAX) {
4531 err = -E2BIG;
4532 goto err_set_expr_alloc;
4533 }
4534 if (nla_type(tmp) != NFTA_LIST_ELEM) {
4535 err = -EINVAL;
4536 goto err_set_expr_alloc;
4537 }
4538 expr = nft_set_elem_expr_alloc(&ctx, set, tmp);
4539 if (IS_ERR(expr)) {
4540 err = PTR_ERR(expr);
4541 goto err_set_expr_alloc;
4542 }
4543 set->exprs[i++] = expr;
4544 set->num_exprs++;
4545 }
4546 }
4547
4548 set->handle = nf_tables_alloc_handle(table);
4549
4550 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
4551 if (err < 0)
4552 goto err_set_expr_alloc;
4553
4554 list_add_tail_rcu(&set->list, &table->sets);
4555 table->use++;
4556 return 0;
4557
4558err_set_expr_alloc:
4559 for (i = 0; i < set->num_exprs; i++)
4560 nft_expr_destroy(&ctx, set->exprs[i]);
4561
4562 ops->destroy(set);
4563err_set_init:
4564 kfree(set->name);
4565err_set_name:
4566 kvfree(set);
4567 return err;
4568}
4569
4570struct nft_set_elem_catchall {
4571 struct list_head list;
4572 struct rcu_head rcu;
4573 void *elem;
4574};
4575
4576static void nft_set_catchall_destroy(const struct nft_ctx *ctx,
4577 struct nft_set *set)
4578{
4579 struct nft_set_elem_catchall *next, *catchall;
4580
4581 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
4582 list_del_rcu(&catchall->list);
4583 nft_set_elem_destroy(set, catchall->elem, true);
4584 kfree_rcu(catchall, rcu);
4585 }
4586}
4587
4588static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
4589{
4590 int i;
4591
4592 if (WARN_ON(set->use > 0))
4593 return;
4594
4595 for (i = 0; i < set->num_exprs; i++)
4596 nft_expr_destroy(ctx, set->exprs[i]);
4597
4598 set->ops->destroy(set);
4599 nft_set_catchall_destroy(ctx, set);
4600 kfree(set->name);
4601 kvfree(set);
4602}
4603
4604static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info,
4605 const struct nlattr * const nla[])
4606{
4607 struct netlink_ext_ack *extack = info->extack;
4608 u8 genmask = nft_genmask_next(info->net);
4609 u8 family = info->nfmsg->nfgen_family;
4610 struct net *net = info->net;
4611 const struct nlattr *attr;
4612 struct nft_table *table;
4613 struct nft_set *set;
4614 struct nft_ctx ctx;
4615
4616 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
4617 return -EAFNOSUPPORT;
4618
4619 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
4620 genmask, NETLINK_CB(skb).portid);
4621 if (IS_ERR(table)) {
4622 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4623 return PTR_ERR(table);
4624 }
4625
4626 if (nla[NFTA_SET_HANDLE]) {
4627 attr = nla[NFTA_SET_HANDLE];
4628 set = nft_set_lookup_byhandle(table, attr, genmask);
4629 } else {
4630 attr = nla[NFTA_SET_NAME];
4631 set = nft_set_lookup(table, attr, genmask);
4632 }
4633
4634 if (IS_ERR(set)) {
4635 NL_SET_BAD_ATTR(extack, attr);
4636 return PTR_ERR(set);
4637 }
4638 if (set->use ||
4639 (info->nlh->nlmsg_flags & NLM_F_NONREC &&
4640 atomic_read(&set->nelems) > 0)) {
4641 NL_SET_BAD_ATTR(extack, attr);
4642 return -EBUSY;
4643 }
4644
4645 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
4646
4647 return nft_delset(&ctx, set);
4648}
4649
4650static int nft_validate_register_store(const struct nft_ctx *ctx,
4651 enum nft_registers reg,
4652 const struct nft_data *data,
4653 enum nft_data_types type,
4654 unsigned int len);
4655
4656static int nft_setelem_data_validate(const struct nft_ctx *ctx,
4657 struct nft_set *set,
4658 struct nft_set_elem *elem)
4659{
4660 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4661 enum nft_registers dreg;
4662
4663 dreg = nft_type_to_reg(set->dtype);
4664 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
4665 set->dtype == NFT_DATA_VERDICT ?
4666 NFT_DATA_VERDICT : NFT_DATA_VALUE,
4667 set->dlen);
4668}
4669
4670static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
4671 struct nft_set *set,
4672 const struct nft_set_iter *iter,
4673 struct nft_set_elem *elem)
4674{
4675 return nft_setelem_data_validate(ctx, set, elem);
4676}
4677
4678static int nft_set_catchall_bind_check(const struct nft_ctx *ctx,
4679 struct nft_set *set)
4680{
4681 u8 genmask = nft_genmask_next(ctx->net);
4682 struct nft_set_elem_catchall *catchall;
4683 struct nft_set_elem elem;
4684 struct nft_set_ext *ext;
4685 int ret = 0;
4686
4687 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
4688 ext = nft_set_elem_ext(set, catchall->elem);
4689 if (!nft_set_elem_active(ext, genmask))
4690 continue;
4691
4692 elem.priv = catchall->elem;
4693 ret = nft_setelem_data_validate(ctx, set, &elem);
4694 if (ret < 0)
4695 break;
4696 }
4697
4698 return ret;
4699}
4700
4701int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
4702 struct nft_set_binding *binding)
4703{
4704 struct nft_set_binding *i;
4705 struct nft_set_iter iter;
4706
4707 if (set->use == UINT_MAX)
4708 return -EOVERFLOW;
4709
4710 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
4711 return -EBUSY;
4712
4713 if (binding->flags & NFT_SET_MAP) {
4714
4715
4716
4717 list_for_each_entry(i, &set->bindings, list) {
4718 if (i->flags & NFT_SET_MAP &&
4719 i->chain == binding->chain)
4720 goto bind;
4721 }
4722
4723 iter.genmask = nft_genmask_next(ctx->net);
4724 iter.skip = 0;
4725 iter.count = 0;
4726 iter.err = 0;
4727 iter.fn = nf_tables_bind_check_setelem;
4728
4729 set->ops->walk(ctx, set, &iter);
4730 if (!iter.err)
4731 iter.err = nft_set_catchall_bind_check(ctx, set);
4732
4733 if (iter.err < 0)
4734 return iter.err;
4735 }
4736bind:
4737 binding->chain = ctx->chain;
4738 list_add_tail_rcu(&binding->list, &set->bindings);
4739 nft_set_trans_bind(ctx, set);
4740 set->use++;
4741
4742 return 0;
4743}
4744EXPORT_SYMBOL_GPL(nf_tables_bind_set);
4745
4746static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
4747 struct nft_set_binding *binding, bool event)
4748{
4749 list_del_rcu(&binding->list);
4750
4751 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
4752 list_del_rcu(&set->list);
4753 if (event)
4754 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
4755 GFP_KERNEL);
4756 }
4757}
4758
4759void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
4760 struct nft_set_binding *binding,
4761 enum nft_trans_phase phase)
4762{
4763 switch (phase) {
4764 case NFT_TRANS_PREPARE:
4765 set->use--;
4766 return;
4767 case NFT_TRANS_ABORT:
4768 case NFT_TRANS_RELEASE:
4769 set->use--;
4770 fallthrough;
4771 default:
4772 nf_tables_unbind_set(ctx, set, binding,
4773 phase == NFT_TRANS_COMMIT);
4774 }
4775}
4776EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
4777
4778void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
4779{
4780 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
4781 nft_set_destroy(ctx, set);
4782}
4783EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
4784
4785const struct nft_set_ext_type nft_set_ext_types[] = {
4786 [NFT_SET_EXT_KEY] = {
4787 .align = __alignof__(u32),
4788 },
4789 [NFT_SET_EXT_DATA] = {
4790 .align = __alignof__(u32),
4791 },
4792 [NFT_SET_EXT_EXPRESSIONS] = {
4793 .align = __alignof__(struct nft_set_elem_expr),
4794 },
4795 [NFT_SET_EXT_OBJREF] = {
4796 .len = sizeof(struct nft_object *),
4797 .align = __alignof__(struct nft_object *),
4798 },
4799 [NFT_SET_EXT_FLAGS] = {
4800 .len = sizeof(u8),
4801 .align = __alignof__(u8),
4802 },
4803 [NFT_SET_EXT_TIMEOUT] = {
4804 .len = sizeof(u64),
4805 .align = __alignof__(u64),
4806 },
4807 [NFT_SET_EXT_EXPIRATION] = {
4808 .len = sizeof(u64),
4809 .align = __alignof__(u64),
4810 },
4811 [NFT_SET_EXT_USERDATA] = {
4812 .len = sizeof(struct nft_userdata),
4813 .align = __alignof__(struct nft_userdata),
4814 },
4815 [NFT_SET_EXT_KEY_END] = {
4816 .align = __alignof__(u32),
4817 },
4818};
4819
4820
4821
4822
4823
4824static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
4825 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
4826 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
4827 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
4828 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
4829 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
4830 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
4831 .len = NFT_USERDATA_MAXLEN },
4832 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
4833 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
4834 .len = NFT_OBJ_MAXNAMELEN - 1 },
4835 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
4836 [NFTA_SET_ELEM_EXPRESSIONS] = { .type = NLA_NESTED },
4837};
4838
4839static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
4840 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
4841 .len = NFT_TABLE_MAXNAMELEN - 1 },
4842 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
4843 .len = NFT_SET_MAXNAMELEN - 1 },
4844 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
4845 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
4846};
4847
4848static int nft_set_elem_expr_dump(struct sk_buff *skb,
4849 const struct nft_set *set,
4850 const struct nft_set_ext *ext)
4851{
4852 struct nft_set_elem_expr *elem_expr;
4853 u32 size, num_exprs = 0;
4854 struct nft_expr *expr;
4855 struct nlattr *nest;
4856
4857 elem_expr = nft_set_ext_expr(ext);
4858 nft_setelem_expr_foreach(expr, elem_expr, size)
4859 num_exprs++;
4860
4861 if (num_exprs == 1) {
4862 expr = nft_setelem_expr_at(elem_expr, 0);
4863 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr) < 0)
4864 return -1;
4865
4866 return 0;
4867 } else if (num_exprs > 1) {
4868 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS);
4869 if (nest == NULL)
4870 goto nla_put_failure;
4871
4872 nft_setelem_expr_foreach(expr, elem_expr, size) {
4873 expr = nft_setelem_expr_at(elem_expr, size);
4874 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
4875 goto nla_put_failure;
4876 }
4877 nla_nest_end(skb, nest);
4878 }
4879 return 0;
4880
4881nla_put_failure:
4882 return -1;
4883}
4884
4885static int nf_tables_fill_setelem(struct sk_buff *skb,
4886 const struct nft_set *set,
4887 const struct nft_set_elem *elem)
4888{
4889 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4890 unsigned char *b = skb_tail_pointer(skb);
4891 struct nlattr *nest;
4892
4893 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4894 if (nest == NULL)
4895 goto nla_put_failure;
4896
4897 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
4898 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
4899 NFT_DATA_VALUE, set->klen) < 0)
4900 goto nla_put_failure;
4901
4902 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
4903 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
4904 NFT_DATA_VALUE, set->klen) < 0)
4905 goto nla_put_failure;
4906
4907 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4908 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
4909 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
4910 set->dlen) < 0)
4911 goto nla_put_failure;
4912
4913 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) &&
4914 nft_set_elem_expr_dump(skb, set, ext))
4915 goto nla_put_failure;
4916
4917 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4918 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
4919 (*nft_set_ext_obj(ext))->key.name) < 0)
4920 goto nla_put_failure;
4921
4922 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4923 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
4924 htonl(*nft_set_ext_flags(ext))))
4925 goto nla_put_failure;
4926
4927 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
4928 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
4929 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
4930 NFTA_SET_ELEM_PAD))
4931 goto nla_put_failure;
4932
4933 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4934 u64 expires, now = get_jiffies_64();
4935
4936 expires = *nft_set_ext_expiration(ext);
4937 if (time_before64(now, expires))
4938 expires -= now;
4939 else
4940 expires = 0;
4941
4942 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
4943 nf_jiffies64_to_msecs(expires),
4944 NFTA_SET_ELEM_PAD))
4945 goto nla_put_failure;
4946 }
4947
4948 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
4949 struct nft_userdata *udata;
4950
4951 udata = nft_set_ext_userdata(ext);
4952 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
4953 udata->len + 1, udata->data))
4954 goto nla_put_failure;
4955 }
4956
4957 nla_nest_end(skb, nest);
4958 return 0;
4959
4960nla_put_failure:
4961 nlmsg_trim(skb, b);
4962 return -EMSGSIZE;
4963}
4964
4965struct nft_set_dump_args {
4966 const struct netlink_callback *cb;
4967 struct nft_set_iter iter;
4968 struct sk_buff *skb;
4969};
4970
4971static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
4972 struct nft_set *set,
4973 const struct nft_set_iter *iter,
4974 struct nft_set_elem *elem)
4975{
4976 struct nft_set_dump_args *args;
4977
4978 args = container_of(iter, struct nft_set_dump_args, iter);
4979 return nf_tables_fill_setelem(args->skb, set, elem);
4980}
4981
4982struct nft_set_dump_ctx {
4983 const struct nft_set *set;
4984 struct nft_ctx ctx;
4985};
4986
4987static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb,
4988 const struct nft_set *set)
4989{
4990 struct nft_set_elem_catchall *catchall;
4991 u8 genmask = nft_genmask_cur(net);
4992 struct nft_set_elem elem;
4993 struct nft_set_ext *ext;
4994 int ret = 0;
4995
4996 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
4997 ext = nft_set_elem_ext(set, catchall->elem);
4998 if (!nft_set_elem_active(ext, genmask) ||
4999 nft_set_elem_expired(ext))
5000 continue;
5001
5002 elem.priv = catchall->elem;
5003 ret = nf_tables_fill_setelem(skb, set, &elem);
5004 break;
5005 }
5006
5007 return ret;
5008}
5009
5010static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
5011{
5012 struct nft_set_dump_ctx *dump_ctx = cb->data;
5013 struct net *net = sock_net(skb->sk);
5014 struct nftables_pernet *nft_net;
5015 struct nft_table *table;
5016 struct nft_set *set;
5017 struct nft_set_dump_args args;
5018 bool set_found = false;
5019 struct nlmsghdr *nlh;
5020 struct nlattr *nest;
5021 u32 portid, seq;
5022 int event;
5023
5024 rcu_read_lock();
5025 nft_net = nft_pernet(net);
5026 list_for_each_entry_rcu(table, &nft_net->tables, list) {
5027 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
5028 dump_ctx->ctx.family != table->family)
5029 continue;
5030
5031 if (table != dump_ctx->ctx.table)
5032 continue;
5033
5034 list_for_each_entry_rcu(set, &table->sets, list) {
5035 if (set == dump_ctx->set) {
5036 set_found = true;
5037 break;
5038 }
5039 }
5040 break;
5041 }
5042
5043 if (!set_found) {
5044 rcu_read_unlock();
5045 return -ENOENT;
5046 }
5047
5048 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
5049 portid = NETLINK_CB(cb->skb).portid;
5050 seq = cb->nlh->nlmsg_seq;
5051
5052 nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI,
5053 table->family, NFNETLINK_V0, nft_base_seq(net));
5054 if (!nlh)
5055 goto nla_put_failure;
5056
5057 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
5058 goto nla_put_failure;
5059 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
5060 goto nla_put_failure;
5061
5062 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
5063 if (nest == NULL)
5064 goto nla_put_failure;
5065
5066 args.cb = cb;
5067 args.skb = skb;
5068 args.iter.genmask = nft_genmask_cur(net);
5069 args.iter.skip = cb->args[0];
5070 args.iter.count = 0;
5071 args.iter.err = 0;
5072 args.iter.fn = nf_tables_dump_setelem;
5073 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
5074
5075 if (!args.iter.err && args.iter.count == cb->args[0])
5076 args.iter.err = nft_set_catchall_dump(net, skb, set);
5077 rcu_read_unlock();
5078
5079 nla_nest_end(skb, nest);
5080 nlmsg_end(skb, nlh);
5081
5082 if (args.iter.err && args.iter.err != -EMSGSIZE)
5083 return args.iter.err;
5084 if (args.iter.count == cb->args[0])
5085 return 0;
5086
5087 cb->args[0] = args.iter.count;
5088 return skb->len;
5089
5090nla_put_failure:
5091 rcu_read_unlock();
5092 return -ENOSPC;
5093}
5094
5095static int nf_tables_dump_set_start(struct netlink_callback *cb)
5096{
5097 struct nft_set_dump_ctx *dump_ctx = cb->data;
5098
5099 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
5100
5101 return cb->data ? 0 : -ENOMEM;
5102}
5103
5104static int nf_tables_dump_set_done(struct netlink_callback *cb)
5105{
5106 kfree(cb->data);
5107 return 0;
5108}
5109
5110static int nf_tables_fill_setelem_info(struct sk_buff *skb,
5111 const struct nft_ctx *ctx, u32 seq,
5112 u32 portid, int event, u16 flags,
5113 const struct nft_set *set,
5114 const struct nft_set_elem *elem)
5115{
5116 struct nlmsghdr *nlh;
5117 struct nlattr *nest;
5118 int err;
5119
5120 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5121 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
5122 NFNETLINK_V0, nft_base_seq(ctx->net));
5123 if (!nlh)
5124 goto nla_put_failure;
5125
5126 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
5127 goto nla_put_failure;
5128 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
5129 goto nla_put_failure;
5130
5131 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
5132 if (nest == NULL)
5133 goto nla_put_failure;
5134
5135 err = nf_tables_fill_setelem(skb, set, elem);
5136 if (err < 0)
5137 goto nla_put_failure;
5138
5139 nla_nest_end(skb, nest);
5140
5141 nlmsg_end(skb, nlh);
5142 return 0;
5143
5144nla_put_failure:
5145 nlmsg_trim(skb, nlh);
5146 return -1;
5147}
5148
5149static int nft_setelem_parse_flags(const struct nft_set *set,
5150 const struct nlattr *attr, u32 *flags)
5151{
5152 if (attr == NULL)
5153 return 0;
5154
5155 *flags = ntohl(nla_get_be32(attr));
5156 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
5157 return -EOPNOTSUPP;
5158 if (!(set->flags & NFT_SET_INTERVAL) &&
5159 *flags & NFT_SET_ELEM_INTERVAL_END)
5160 return -EINVAL;
5161
5162 return 0;
5163}
5164
5165static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
5166 struct nft_data *key, struct nlattr *attr)
5167{
5168 struct nft_data_desc desc;
5169 int err;
5170
5171 err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr);
5172 if (err < 0)
5173 return err;
5174
5175 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
5176 nft_data_release(key, desc.type);
5177 return -EINVAL;
5178 }
5179
5180 return 0;
5181}
5182
5183static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
5184 struct nft_data_desc *desc,
5185 struct nft_data *data,
5186 struct nlattr *attr)
5187{
5188 int err;
5189
5190 err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr);
5191 if (err < 0)
5192 return err;
5193
5194 if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) {
5195 nft_data_release(data, desc->type);
5196 return -EINVAL;
5197 }
5198
5199 return 0;
5200}
5201
5202static void *nft_setelem_catchall_get(const struct net *net,
5203 const struct nft_set *set)
5204{
5205 struct nft_set_elem_catchall *catchall;
5206 u8 genmask = nft_genmask_cur(net);
5207 struct nft_set_ext *ext;
5208 void *priv = NULL;
5209
5210 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5211 ext = nft_set_elem_ext(set, catchall->elem);
5212 if (!nft_set_elem_active(ext, genmask) ||
5213 nft_set_elem_expired(ext))
5214 continue;
5215
5216 priv = catchall->elem;
5217 break;
5218 }
5219
5220 return priv;
5221}
5222
5223static int nft_setelem_get(struct nft_ctx *ctx, struct nft_set *set,
5224 struct nft_set_elem *elem, u32 flags)
5225{
5226 void *priv;
5227
5228 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
5229 priv = set->ops->get(ctx->net, set, elem, flags);
5230 if (IS_ERR(priv))
5231 return PTR_ERR(priv);
5232 } else {
5233 priv = nft_setelem_catchall_get(ctx->net, set);
5234 if (!priv)
5235 return -ENOENT;
5236 }
5237 elem->priv = priv;
5238
5239 return 0;
5240}
5241
5242static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
5243 const struct nlattr *attr)
5244{
5245 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5246 struct nft_set_elem elem;
5247 struct sk_buff *skb;
5248 uint32_t flags = 0;
5249 int err;
5250
5251 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5252 nft_set_elem_policy, NULL);
5253 if (err < 0)
5254 return err;
5255
5256 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5257 if (err < 0)
5258 return err;
5259
5260 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
5261 return -EINVAL;
5262
5263 if (nla[NFTA_SET_ELEM_KEY]) {
5264 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5265 nla[NFTA_SET_ELEM_KEY]);
5266 if (err < 0)
5267 return err;
5268 }
5269
5270 if (nla[NFTA_SET_ELEM_KEY_END]) {
5271 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5272 nla[NFTA_SET_ELEM_KEY_END]);
5273 if (err < 0)
5274 return err;
5275 }
5276
5277 err = nft_setelem_get(ctx, set, &elem, flags);
5278 if (err < 0)
5279 return err;
5280
5281 err = -ENOMEM;
5282 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
5283 if (skb == NULL)
5284 return err;
5285
5286 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
5287 NFT_MSG_NEWSETELEM, 0, set, &elem);
5288 if (err < 0)
5289 goto err_fill_setelem;
5290
5291 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
5292
5293err_fill_setelem:
5294 kfree_skb(skb);
5295 return err;
5296}
5297
5298
5299static int nf_tables_getsetelem(struct sk_buff *skb,
5300 const struct nfnl_info *info,
5301 const struct nlattr * const nla[])
5302{
5303 struct netlink_ext_ack *extack = info->extack;
5304 u8 genmask = nft_genmask_cur(info->net);
5305 u8 family = info->nfmsg->nfgen_family;
5306 struct net *net = info->net;
5307 struct nft_table *table;
5308 struct nft_set *set;
5309 struct nlattr *attr;
5310 struct nft_ctx ctx;
5311 int rem, err = 0;
5312
5313 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
5314 genmask, NETLINK_CB(skb).portid);
5315 if (IS_ERR(table)) {
5316 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
5317 return PTR_ERR(table);
5318 }
5319
5320 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5321 if (IS_ERR(set))
5322 return PTR_ERR(set);
5323
5324 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5325
5326 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
5327 struct netlink_dump_control c = {
5328 .start = nf_tables_dump_set_start,
5329 .dump = nf_tables_dump_set,
5330 .done = nf_tables_dump_set_done,
5331 .module = THIS_MODULE,
5332 };
5333 struct nft_set_dump_ctx dump_ctx = {
5334 .set = set,
5335 .ctx = ctx,
5336 };
5337
5338 c.data = &dump_ctx;
5339 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
5340 }
5341
5342 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
5343 return -EINVAL;
5344
5345 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5346 err = nft_get_set_elem(&ctx, set, attr);
5347 if (err < 0)
5348 break;
5349 }
5350
5351 return err;
5352}
5353
5354static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
5355 const struct nft_set *set,
5356 const struct nft_set_elem *elem,
5357 int event)
5358{
5359 struct nftables_pernet *nft_net;
5360 struct net *net = ctx->net;
5361 u32 portid = ctx->portid;
5362 struct sk_buff *skb;
5363 u16 flags = 0;
5364 int err;
5365
5366 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5367 return;
5368
5369 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5370 if (skb == NULL)
5371 goto err;
5372
5373 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
5374 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
5375
5376 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
5377 set, elem);
5378 if (err < 0) {
5379 kfree_skb(skb);
5380 goto err;
5381 }
5382
5383 nft_net = nft_pernet(net);
5384 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
5385 return;
5386err:
5387 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5388}
5389
5390static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
5391 int msg_type,
5392 struct nft_set *set)
5393{
5394 struct nft_trans *trans;
5395
5396 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
5397 if (trans == NULL)
5398 return NULL;
5399
5400 nft_trans_elem_set(trans) = set;
5401 return trans;
5402}
5403
5404struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
5405 const struct nft_set *set,
5406 const struct nlattr *attr)
5407{
5408 struct nft_expr *expr;
5409 int err;
5410
5411 expr = nft_expr_init(ctx, attr);
5412 if (IS_ERR(expr))
5413 return expr;
5414
5415 err = -EOPNOTSUPP;
5416 if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL))
5417 goto err_set_elem_expr;
5418
5419 if (expr->ops->type->flags & NFT_EXPR_GC) {
5420 if (set->flags & NFT_SET_TIMEOUT)
5421 goto err_set_elem_expr;
5422 if (!set->ops->gc_init)
5423 goto err_set_elem_expr;
5424 set->ops->gc_init(set);
5425 }
5426
5427 return expr;
5428
5429err_set_elem_expr:
5430 nft_expr_destroy(ctx, expr);
5431 return ERR_PTR(err);
5432}
5433
5434void *nft_set_elem_init(const struct nft_set *set,
5435 const struct nft_set_ext_tmpl *tmpl,
5436 const u32 *key, const u32 *key_end,
5437 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp)
5438{
5439 struct nft_set_ext *ext;
5440 void *elem;
5441
5442 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
5443 if (elem == NULL)
5444 return NULL;
5445
5446 ext = nft_set_elem_ext(set, elem);
5447 nft_set_ext_init(ext, tmpl);
5448
5449 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY))
5450 memcpy(nft_set_ext_key(ext), key, set->klen);
5451 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
5452 memcpy(nft_set_ext_key_end(ext), key_end, set->klen);
5453 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5454 memcpy(nft_set_ext_data(ext), data, set->dlen);
5455 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
5456 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
5457 if (expiration == 0)
5458 *nft_set_ext_expiration(ext) += timeout;
5459 }
5460 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
5461 *nft_set_ext_timeout(ext) = timeout;
5462
5463 return elem;
5464}
5465
5466static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5467 struct nft_expr *expr)
5468{
5469 if (expr->ops->destroy_clone) {
5470 expr->ops->destroy_clone(ctx, expr);
5471 module_put(expr->ops->type->owner);
5472 } else {
5473 nf_tables_expr_destroy(ctx, expr);
5474 }
5475}
5476
5477static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5478 struct nft_set_elem_expr *elem_expr)
5479{
5480 struct nft_expr *expr;
5481 u32 size;
5482
5483 nft_setelem_expr_foreach(expr, elem_expr, size)
5484 __nft_set_elem_expr_destroy(ctx, expr);
5485}
5486
5487void nft_set_elem_destroy(const struct nft_set *set, void *elem,
5488 bool destroy_expr)
5489{
5490 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5491 struct nft_ctx ctx = {
5492 .net = read_pnet(&set->net),
5493 .family = set->table->family,
5494 };
5495
5496 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
5497 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5498 nft_data_release(nft_set_ext_data(ext), set->dtype);
5499 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
5500 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
5501
5502 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5503 (*nft_set_ext_obj(ext))->use--;
5504 kfree(elem);
5505}
5506EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
5507
5508
5509
5510
5511static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
5512 const struct nft_set *set, void *elem)
5513{
5514 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5515
5516 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
5517 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
5518
5519 kfree(elem);
5520}
5521
5522int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
5523 struct nft_expr *expr_array[])
5524{
5525 struct nft_expr *expr;
5526 int err, i, k;
5527
5528 for (i = 0; i < set->num_exprs; i++) {
5529 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL_ACCOUNT);
5530 if (!expr)
5531 goto err_expr;
5532
5533 err = nft_expr_clone(expr, set->exprs[i]);
5534 if (err < 0) {
5535 nft_expr_destroy(ctx, expr);
5536 goto err_expr;
5537 }
5538 expr_array[i] = expr;
5539 }
5540
5541 return 0;
5542
5543err_expr:
5544 for (k = i - 1; k >= 0; k--)
5545 nft_expr_destroy(ctx, expr_array[k]);
5546
5547 return -ENOMEM;
5548}
5549
5550static int nft_set_elem_expr_setup(struct nft_ctx *ctx,
5551 const struct nft_set_ext *ext,
5552 struct nft_expr *expr_array[],
5553 u32 num_exprs)
5554{
5555 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
5556 struct nft_expr *expr;
5557 int i, err;
5558
5559 for (i = 0; i < num_exprs; i++) {
5560 expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
5561 err = nft_expr_clone(expr, expr_array[i]);
5562 if (err < 0)
5563 goto err_elem_expr_setup;
5564
5565 elem_expr->size += expr_array[i]->ops->size;
5566 nft_expr_destroy(ctx, expr_array[i]);
5567 expr_array[i] = NULL;
5568 }
5569
5570 return 0;
5571
5572err_elem_expr_setup:
5573 for (; i < num_exprs; i++) {
5574 nft_expr_destroy(ctx, expr_array[i]);
5575 expr_array[i] = NULL;
5576 }
5577
5578 return -ENOMEM;
5579}
5580
5581struct nft_set_ext *nft_set_catchall_lookup(const struct net *net,
5582 const struct nft_set *set)
5583{
5584 struct nft_set_elem_catchall *catchall;
5585 u8 genmask = nft_genmask_cur(net);
5586 struct nft_set_ext *ext;
5587
5588 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5589 ext = nft_set_elem_ext(set, catchall->elem);
5590 if (nft_set_elem_active(ext, genmask) &&
5591 !nft_set_elem_expired(ext))
5592 return ext;
5593 }
5594
5595 return NULL;
5596}
5597EXPORT_SYMBOL_GPL(nft_set_catchall_lookup);
5598
5599void *nft_set_catchall_gc(const struct nft_set *set)
5600{
5601 struct nft_set_elem_catchall *catchall, *next;
5602 struct nft_set_ext *ext;
5603 void *elem = NULL;
5604
5605 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
5606 ext = nft_set_elem_ext(set, catchall->elem);
5607
5608 if (!nft_set_elem_expired(ext) ||
5609 nft_set_elem_mark_busy(ext))
5610 continue;
5611
5612 elem = catchall->elem;
5613 list_del_rcu(&catchall->list);
5614 kfree_rcu(catchall, rcu);
5615 break;
5616 }
5617
5618 return elem;
5619}
5620EXPORT_SYMBOL_GPL(nft_set_catchall_gc);
5621
5622static int nft_setelem_catchall_insert(const struct net *net,
5623 struct nft_set *set,
5624 const struct nft_set_elem *elem,
5625 struct nft_set_ext **pext)
5626{
5627 struct nft_set_elem_catchall *catchall;
5628 u8 genmask = nft_genmask_next(net);
5629 struct nft_set_ext *ext;
5630
5631 list_for_each_entry(catchall, &set->catchall_list, list) {
5632 ext = nft_set_elem_ext(set, catchall->elem);
5633 if (nft_set_elem_active(ext, genmask)) {
5634 *pext = ext;
5635 return -EEXIST;
5636 }
5637 }
5638
5639 catchall = kmalloc(sizeof(*catchall), GFP_KERNEL);
5640 if (!catchall)
5641 return -ENOMEM;
5642
5643 catchall->elem = elem->priv;
5644 list_add_tail_rcu(&catchall->list, &set->catchall_list);
5645
5646 return 0;
5647}
5648
5649static int nft_setelem_insert(const struct net *net,
5650 struct nft_set *set,
5651 const struct nft_set_elem *elem,
5652 struct nft_set_ext **ext, unsigned int flags)
5653{
5654 int ret;
5655
5656 if (flags & NFT_SET_ELEM_CATCHALL)
5657 ret = nft_setelem_catchall_insert(net, set, elem, ext);
5658 else
5659 ret = set->ops->insert(net, set, elem, ext);
5660
5661 return ret;
5662}
5663
5664static bool nft_setelem_is_catchall(const struct nft_set *set,
5665 const struct nft_set_elem *elem)
5666{
5667 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5668
5669 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
5670 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL)
5671 return true;
5672
5673 return false;
5674}
5675
5676static void nft_setelem_activate(struct net *net, struct nft_set *set,
5677 struct nft_set_elem *elem)
5678{
5679 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5680
5681 if (nft_setelem_is_catchall(set, elem)) {
5682 nft_set_elem_change_active(net, set, ext);
5683 nft_set_elem_clear_busy(ext);
5684 } else {
5685 set->ops->activate(net, set, elem);
5686 }
5687}
5688
5689static int nft_setelem_catchall_deactivate(const struct net *net,
5690 struct nft_set *set,
5691 struct nft_set_elem *elem)
5692{
5693 struct nft_set_elem_catchall *catchall;
5694 struct nft_set_ext *ext;
5695
5696 list_for_each_entry(catchall, &set->catchall_list, list) {
5697 ext = nft_set_elem_ext(set, catchall->elem);
5698 if (!nft_is_active(net, ext) ||
5699 nft_set_elem_mark_busy(ext))
5700 continue;
5701
5702 kfree(elem->priv);
5703 elem->priv = catchall->elem;
5704 nft_set_elem_change_active(net, set, ext);
5705 return 0;
5706 }
5707
5708 return -ENOENT;
5709}
5710
5711static int __nft_setelem_deactivate(const struct net *net,
5712 struct nft_set *set,
5713 struct nft_set_elem *elem)
5714{
5715 void *priv;
5716
5717 priv = set->ops->deactivate(net, set, elem);
5718 if (!priv)
5719 return -ENOENT;
5720
5721 kfree(elem->priv);
5722 elem->priv = priv;
5723 set->ndeact++;
5724
5725 return 0;
5726}
5727
5728static int nft_setelem_deactivate(const struct net *net,
5729 struct nft_set *set,
5730 struct nft_set_elem *elem, u32 flags)
5731{
5732 int ret;
5733
5734 if (flags & NFT_SET_ELEM_CATCHALL)
5735 ret = nft_setelem_catchall_deactivate(net, set, elem);
5736 else
5737 ret = __nft_setelem_deactivate(net, set, elem);
5738
5739 return ret;
5740}
5741
5742static void nft_setelem_catchall_remove(const struct net *net,
5743 const struct nft_set *set,
5744 const struct nft_set_elem *elem)
5745{
5746 struct nft_set_elem_catchall *catchall, *next;
5747
5748 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
5749 if (catchall->elem == elem->priv) {
5750 list_del_rcu(&catchall->list);
5751 kfree_rcu(catchall, rcu);
5752 break;
5753 }
5754 }
5755}
5756
5757static void nft_setelem_remove(const struct net *net,
5758 const struct nft_set *set,
5759 const struct nft_set_elem *elem)
5760{
5761 if (nft_setelem_is_catchall(set, elem))
5762 nft_setelem_catchall_remove(net, set, elem);
5763 else
5764 set->ops->remove(net, set, elem);
5765}
5766
5767static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
5768 const struct nlattr *attr, u32 nlmsg_flags)
5769{
5770 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {};
5771 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5772 u8 genmask = nft_genmask_next(ctx->net);
5773 u32 flags = 0, size = 0, num_exprs = 0;
5774 struct nft_set_ext_tmpl tmpl;
5775 struct nft_set_ext *ext, *ext2;
5776 struct nft_set_elem elem;
5777 struct nft_set_binding *binding;
5778 struct nft_object *obj = NULL;
5779 struct nft_userdata *udata;
5780 struct nft_data_desc desc;
5781 enum nft_registers dreg;
5782 struct nft_trans *trans;
5783 u64 timeout;
5784 u64 expiration;
5785 int err, i;
5786 u8 ulen;
5787
5788 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5789 nft_set_elem_policy, NULL);
5790 if (err < 0)
5791 return err;
5792
5793 nft_set_ext_prepare(&tmpl);
5794
5795 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5796 if (err < 0)
5797 return err;
5798
5799 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
5800 return -EINVAL;
5801
5802 if (flags != 0)
5803 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5804
5805 if (set->flags & NFT_SET_MAP) {
5806 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
5807 !(flags & NFT_SET_ELEM_INTERVAL_END))
5808 return -EINVAL;
5809 } else {
5810 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5811 return -EINVAL;
5812 }
5813
5814 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
5815 (nla[NFTA_SET_ELEM_DATA] ||
5816 nla[NFTA_SET_ELEM_OBJREF] ||
5817 nla[NFTA_SET_ELEM_TIMEOUT] ||
5818 nla[NFTA_SET_ELEM_EXPIRATION] ||
5819 nla[NFTA_SET_ELEM_USERDATA] ||
5820 nla[NFTA_SET_ELEM_EXPR] ||
5821 nla[NFTA_SET_ELEM_EXPRESSIONS]))
5822 return -EINVAL;
5823
5824 timeout = 0;
5825 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
5826 if (!(set->flags & NFT_SET_TIMEOUT))
5827 return -EINVAL;
5828 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
5829 &timeout);
5830 if (err)
5831 return err;
5832 } else if (set->flags & NFT_SET_TIMEOUT) {
5833 timeout = set->timeout;
5834 }
5835
5836 expiration = 0;
5837 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
5838 if (!(set->flags & NFT_SET_TIMEOUT))
5839 return -EINVAL;
5840 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
5841 &expiration);
5842 if (err)
5843 return err;
5844 }
5845
5846 if (nla[NFTA_SET_ELEM_EXPR]) {
5847 struct nft_expr *expr;
5848
5849 if (set->num_exprs && set->num_exprs != 1)
5850 return -EOPNOTSUPP;
5851
5852 expr = nft_set_elem_expr_alloc(ctx, set,
5853 nla[NFTA_SET_ELEM_EXPR]);
5854 if (IS_ERR(expr))
5855 return PTR_ERR(expr);
5856
5857 expr_array[0] = expr;
5858 num_exprs = 1;
5859
5860 if (set->num_exprs && set->exprs[0]->ops != expr->ops) {
5861 err = -EOPNOTSUPP;
5862 goto err_set_elem_expr;
5863 }
5864 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) {
5865 struct nft_expr *expr;
5866 struct nlattr *tmp;
5867 int left;
5868
5869 i = 0;
5870 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) {
5871 if (i == NFT_SET_EXPR_MAX ||
5872 (set->num_exprs && set->num_exprs == i)) {
5873 err = -E2BIG;
5874 goto err_set_elem_expr;
5875 }
5876 if (nla_type(tmp) != NFTA_LIST_ELEM) {
5877 err = -EINVAL;
5878 goto err_set_elem_expr;
5879 }
5880 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
5881 if (IS_ERR(expr)) {
5882 err = PTR_ERR(expr);
5883 goto err_set_elem_expr;
5884 }
5885 expr_array[i] = expr;
5886 num_exprs++;
5887
5888 if (set->num_exprs && expr->ops != set->exprs[i]->ops) {
5889 err = -EOPNOTSUPP;
5890 goto err_set_elem_expr;
5891 }
5892 i++;
5893 }
5894 if (set->num_exprs && set->num_exprs != i) {
5895 err = -EOPNOTSUPP;
5896 goto err_set_elem_expr;
5897 }
5898 } else if (set->num_exprs > 0) {
5899 err = nft_set_elem_expr_clone(ctx, set, expr_array);
5900 if (err < 0)
5901 goto err_set_elem_expr_clone;
5902
5903 num_exprs = set->num_exprs;
5904 }
5905
5906 if (nla[NFTA_SET_ELEM_KEY]) {
5907 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5908 nla[NFTA_SET_ELEM_KEY]);
5909 if (err < 0)
5910 goto err_set_elem_expr;
5911
5912 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5913 }
5914
5915 if (nla[NFTA_SET_ELEM_KEY_END]) {
5916 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5917 nla[NFTA_SET_ELEM_KEY_END]);
5918 if (err < 0)
5919 goto err_parse_key;
5920
5921 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5922 }
5923
5924 if (timeout > 0) {
5925 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
5926 if (timeout != set->timeout)
5927 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
5928 }
5929
5930 if (num_exprs) {
5931 for (i = 0; i < num_exprs; i++)
5932 size += expr_array[i]->ops->size;
5933
5934 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS,
5935 sizeof(struct nft_set_elem_expr) +
5936 size);
5937 }
5938
5939 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
5940 if (!(set->flags & NFT_SET_OBJECT)) {
5941 err = -EINVAL;
5942 goto err_parse_key_end;
5943 }
5944 obj = nft_obj_lookup(ctx->net, ctx->table,
5945 nla[NFTA_SET_ELEM_OBJREF],
5946 set->objtype, genmask);
5947 if (IS_ERR(obj)) {
5948 err = PTR_ERR(obj);
5949 goto err_parse_key_end;
5950 }
5951 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
5952 }
5953
5954 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
5955 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
5956 nla[NFTA_SET_ELEM_DATA]);
5957 if (err < 0)
5958 goto err_parse_key_end;
5959
5960 dreg = nft_type_to_reg(set->dtype);
5961 list_for_each_entry(binding, &set->bindings, list) {
5962 struct nft_ctx bind_ctx = {
5963 .net = ctx->net,
5964 .family = ctx->family,
5965 .table = ctx->table,
5966 .chain = (struct nft_chain *)binding->chain,
5967 };
5968
5969 if (!(binding->flags & NFT_SET_MAP))
5970 continue;
5971
5972 err = nft_validate_register_store(&bind_ctx, dreg,
5973 &elem.data.val,
5974 desc.type, desc.len);
5975 if (err < 0)
5976 goto err_parse_data;
5977
5978 if (desc.type == NFT_DATA_VERDICT &&
5979 (elem.data.val.verdict.code == NFT_GOTO ||
5980 elem.data.val.verdict.code == NFT_JUMP))
5981 nft_validate_state_update(ctx->net,
5982 NFT_VALIDATE_NEED);
5983 }
5984
5985 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
5986 }
5987
5988
5989
5990
5991
5992 ulen = 0;
5993 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
5994 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
5995 if (ulen > 0)
5996 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
5997 ulen);
5998 }
5999
6000 err = -ENOMEM;
6001 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
6002 elem.key_end.val.data, elem.data.val.data,
6003 timeout, expiration, GFP_KERNEL_ACCOUNT);
6004 if (elem.priv == NULL)
6005 goto err_parse_data;
6006
6007 ext = nft_set_elem_ext(set, elem.priv);
6008 if (flags)
6009 *nft_set_ext_flags(ext) = flags;
6010 if (ulen > 0) {
6011 udata = nft_set_ext_userdata(ext);
6012 udata->len = ulen - 1;
6013 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
6014 }
6015 if (obj) {
6016 *nft_set_ext_obj(ext) = obj;
6017 obj->use++;
6018 }
6019 err = nft_set_elem_expr_setup(ctx, ext, expr_array, num_exprs);
6020 if (err < 0)
6021 goto err_elem_expr;
6022
6023 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
6024 if (trans == NULL) {
6025 err = -ENOMEM;
6026 goto err_elem_expr;
6027 }
6028
6029 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
6030
6031 err = nft_setelem_insert(ctx->net, set, &elem, &ext2, flags);
6032 if (err) {
6033 if (err == -EEXIST) {
6034 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
6035 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
6036 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
6037 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
6038 goto err_element_clash;
6039 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
6040 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
6041 memcmp(nft_set_ext_data(ext),
6042 nft_set_ext_data(ext2), set->dlen) != 0) ||
6043 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
6044 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
6045 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
6046 goto err_element_clash;
6047 else if (!(nlmsg_flags & NLM_F_EXCL))
6048 err = 0;
6049 } else if (err == -ENOTEMPTY) {
6050
6051
6052
6053 err = -EEXIST;
6054 }
6055 goto err_element_clash;
6056 }
6057
6058 if (!(flags & NFT_SET_ELEM_CATCHALL) && set->size &&
6059 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
6060 err = -ENFILE;
6061 goto err_set_full;
6062 }
6063
6064 nft_trans_elem(trans) = elem;
6065 nft_trans_commit_list_add_tail(ctx->net, trans);
6066 return 0;
6067
6068err_set_full:
6069 nft_setelem_remove(ctx->net, set, &elem);
6070err_element_clash:
6071 kfree(trans);
6072err_elem_expr:
6073 if (obj)
6074 obj->use--;
6075
6076 nf_tables_set_elem_destroy(ctx, set, elem.priv);
6077err_parse_data:
6078 if (nla[NFTA_SET_ELEM_DATA] != NULL)
6079 nft_data_release(&elem.data.val, desc.type);
6080err_parse_key_end:
6081 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
6082err_parse_key:
6083 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
6084err_set_elem_expr:
6085 for (i = 0; i < num_exprs && expr_array[i]; i++)
6086 nft_expr_destroy(ctx, expr_array[i]);
6087err_set_elem_expr_clone:
6088 return err;
6089}
6090
6091static int nf_tables_newsetelem(struct sk_buff *skb,
6092 const struct nfnl_info *info,
6093 const struct nlattr * const nla[])
6094{
6095 struct nftables_pernet *nft_net = nft_pernet(info->net);
6096 struct netlink_ext_ack *extack = info->extack;
6097 u8 genmask = nft_genmask_next(info->net);
6098 u8 family = info->nfmsg->nfgen_family;
6099 struct net *net = info->net;
6100 const struct nlattr *attr;
6101 struct nft_table *table;
6102 struct nft_set *set;
6103 struct nft_ctx ctx;
6104 int rem, err;
6105
6106 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
6107 return -EINVAL;
6108
6109 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
6110 genmask, NETLINK_CB(skb).portid);
6111 if (IS_ERR(table)) {
6112 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
6113 return PTR_ERR(table);
6114 }
6115
6116 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET],
6117 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
6118 if (IS_ERR(set))
6119 return PTR_ERR(set);
6120
6121 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
6122 return -EBUSY;
6123
6124 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
6125
6126 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6127 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags);
6128 if (err < 0)
6129 return err;
6130 }
6131
6132 if (nft_net->validate_state == NFT_VALIDATE_DO)
6133 return nft_table_validate(net, table);
6134
6135 return 0;
6136}
6137
6138
6139
6140
6141
6142
6143
6144
6145
6146
6147
6148
6149void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
6150{
6151 struct nft_chain *chain;
6152 struct nft_rule *rule;
6153
6154 if (type == NFT_DATA_VERDICT) {
6155 switch (data->verdict.code) {
6156 case NFT_JUMP:
6157 case NFT_GOTO:
6158 chain = data->verdict.chain;
6159 chain->use++;
6160
6161 if (!nft_chain_is_bound(chain))
6162 break;
6163
6164 chain->table->use++;
6165 list_for_each_entry(rule, &chain->rules, list)
6166 chain->use++;
6167
6168 nft_chain_add(chain->table, chain);
6169 break;
6170 }
6171 }
6172}
6173
6174static void nft_setelem_data_activate(const struct net *net,
6175 const struct nft_set *set,
6176 struct nft_set_elem *elem)
6177{
6178 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6179
6180 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
6181 nft_data_hold(nft_set_ext_data(ext), set->dtype);
6182 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
6183 (*nft_set_ext_obj(ext))->use++;
6184}
6185
6186static void nft_setelem_data_deactivate(const struct net *net,
6187 const struct nft_set *set,
6188 struct nft_set_elem *elem)
6189{
6190 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6191
6192 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
6193 nft_data_release(nft_set_ext_data(ext), set->dtype);
6194 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
6195 (*nft_set_ext_obj(ext))->use--;
6196}
6197
6198static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
6199 const struct nlattr *attr)
6200{
6201 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6202 struct nft_set_ext_tmpl tmpl;
6203 struct nft_set_elem elem;
6204 struct nft_set_ext *ext;
6205 struct nft_trans *trans;
6206 u32 flags = 0;
6207 int err;
6208
6209 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6210 nft_set_elem_policy, NULL);
6211 if (err < 0)
6212 return err;
6213
6214 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6215 if (err < 0)
6216 return err;
6217
6218 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
6219 return -EINVAL;
6220
6221 nft_set_ext_prepare(&tmpl);
6222
6223 if (flags != 0)
6224 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
6225
6226 if (nla[NFTA_SET_ELEM_KEY]) {
6227 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6228 nla[NFTA_SET_ELEM_KEY]);
6229 if (err < 0)
6230 return err;
6231
6232 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
6233 }
6234
6235 if (nla[NFTA_SET_ELEM_KEY_END]) {
6236 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6237 nla[NFTA_SET_ELEM_KEY_END]);
6238 if (err < 0)
6239 return err;
6240
6241 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
6242 }
6243
6244 err = -ENOMEM;
6245 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
6246 elem.key_end.val.data, NULL, 0, 0,
6247 GFP_KERNEL_ACCOUNT);
6248 if (elem.priv == NULL)
6249 goto fail_elem;
6250
6251 ext = nft_set_elem_ext(set, elem.priv);
6252 if (flags)
6253 *nft_set_ext_flags(ext) = flags;
6254
6255 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
6256 if (trans == NULL)
6257 goto fail_trans;
6258
6259 err = nft_setelem_deactivate(ctx->net, set, &elem, flags);
6260 if (err < 0)
6261 goto fail_ops;
6262
6263 nft_setelem_data_deactivate(ctx->net, set, &elem);
6264
6265 nft_trans_elem(trans) = elem;
6266 nft_trans_commit_list_add_tail(ctx->net, trans);
6267 return 0;
6268
6269fail_ops:
6270 kfree(trans);
6271fail_trans:
6272 kfree(elem.priv);
6273fail_elem:
6274 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
6275 return err;
6276}
6277
6278static int nft_setelem_flush(const struct nft_ctx *ctx,
6279 struct nft_set *set,
6280 const struct nft_set_iter *iter,
6281 struct nft_set_elem *elem)
6282{
6283 struct nft_trans *trans;
6284 int err;
6285
6286 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
6287 sizeof(struct nft_trans_elem), GFP_ATOMIC);
6288 if (!trans)
6289 return -ENOMEM;
6290
6291 if (!set->ops->flush(ctx->net, set, elem->priv)) {
6292 err = -ENOENT;
6293 goto err1;
6294 }
6295 set->ndeact++;
6296
6297 nft_setelem_data_deactivate(ctx->net, set, elem);
6298 nft_trans_elem_set(trans) = set;
6299 nft_trans_elem(trans) = *elem;
6300 nft_trans_commit_list_add_tail(ctx->net, trans);
6301
6302 return 0;
6303err1:
6304 kfree(trans);
6305 return err;
6306}
6307
6308static int __nft_set_catchall_flush(const struct nft_ctx *ctx,
6309 struct nft_set *set,
6310 struct nft_set_elem *elem)
6311{
6312 struct nft_trans *trans;
6313
6314 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
6315 sizeof(struct nft_trans_elem), GFP_KERNEL);
6316 if (!trans)
6317 return -ENOMEM;
6318
6319 nft_setelem_data_deactivate(ctx->net, set, elem);
6320 nft_trans_elem_set(trans) = set;
6321 nft_trans_elem(trans) = *elem;
6322 nft_trans_commit_list_add_tail(ctx->net, trans);
6323
6324 return 0;
6325}
6326
6327static int nft_set_catchall_flush(const struct nft_ctx *ctx,
6328 struct nft_set *set)
6329{
6330 u8 genmask = nft_genmask_next(ctx->net);
6331 struct nft_set_elem_catchall *catchall;
6332 struct nft_set_elem elem;
6333 struct nft_set_ext *ext;
6334 int ret = 0;
6335
6336 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6337 ext = nft_set_elem_ext(set, catchall->elem);
6338 if (!nft_set_elem_active(ext, genmask) ||
6339 nft_set_elem_mark_busy(ext))
6340 continue;
6341
6342 elem.priv = catchall->elem;
6343 ret = __nft_set_catchall_flush(ctx, set, &elem);
6344 if (ret < 0)
6345 break;
6346 }
6347
6348 return ret;
6349}
6350
6351static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask)
6352{
6353 struct nft_set_iter iter = {
6354 .genmask = genmask,
6355 .fn = nft_setelem_flush,
6356 };
6357
6358 set->ops->walk(ctx, set, &iter);
6359 if (!iter.err)
6360 iter.err = nft_set_catchall_flush(ctx, set);
6361
6362 return iter.err;
6363}
6364
6365static int nf_tables_delsetelem(struct sk_buff *skb,
6366 const struct nfnl_info *info,
6367 const struct nlattr * const nla[])
6368{
6369 struct netlink_ext_ack *extack = info->extack;
6370 u8 genmask = nft_genmask_next(info->net);
6371 u8 family = info->nfmsg->nfgen_family;
6372 struct net *net = info->net;
6373 const struct nlattr *attr;
6374 struct nft_table *table;
6375 struct nft_set *set;
6376 struct nft_ctx ctx;
6377 int rem, err = 0;
6378
6379 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
6380 genmask, NETLINK_CB(skb).portid);
6381 if (IS_ERR(table)) {
6382 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
6383 return PTR_ERR(table);
6384 }
6385
6386 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
6387 if (IS_ERR(set))
6388 return PTR_ERR(set);
6389 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
6390 return -EBUSY;
6391
6392 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
6393
6394 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6395 return nft_set_flush(&ctx, set, genmask);
6396
6397 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6398 err = nft_del_setelem(&ctx, set, attr);
6399 if (err < 0)
6400 break;
6401 }
6402 return err;
6403}
6404
6405void nft_set_gc_batch_release(struct rcu_head *rcu)
6406{
6407 struct nft_set_gc_batch *gcb;
6408 unsigned int i;
6409
6410 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
6411 for (i = 0; i < gcb->head.cnt; i++)
6412 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
6413 kfree(gcb);
6414}
6415
6416struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
6417 gfp_t gfp)
6418{
6419 struct nft_set_gc_batch *gcb;
6420
6421 gcb = kzalloc(sizeof(*gcb), gfp);
6422 if (gcb == NULL)
6423 return gcb;
6424 gcb->head.set = set;
6425 return gcb;
6426}
6427
6428
6429
6430
6431
6432
6433
6434
6435
6436
6437
6438
6439int nft_register_obj(struct nft_object_type *obj_type)
6440{
6441 if (obj_type->type == NFT_OBJECT_UNSPEC)
6442 return -EINVAL;
6443
6444 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6445 list_add_rcu(&obj_type->list, &nf_tables_objects);
6446 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6447 return 0;
6448}
6449EXPORT_SYMBOL_GPL(nft_register_obj);
6450
6451
6452
6453
6454
6455
6456
6457void nft_unregister_obj(struct nft_object_type *obj_type)
6458{
6459 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6460 list_del_rcu(&obj_type->list);
6461 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6462}
6463EXPORT_SYMBOL_GPL(nft_unregister_obj);
6464
6465struct nft_object *nft_obj_lookup(const struct net *net,
6466 const struct nft_table *table,
6467 const struct nlattr *nla, u32 objtype,
6468 u8 genmask)
6469{
6470 struct nft_object_hash_key k = { .table = table };
6471 char search[NFT_OBJ_MAXNAMELEN];
6472 struct rhlist_head *tmp, *list;
6473 struct nft_object *obj;
6474
6475 nla_strscpy(search, nla, sizeof(search));
6476 k.name = search;
6477
6478 WARN_ON_ONCE(!rcu_read_lock_held() &&
6479 !lockdep_commit_lock_is_held(net));
6480
6481 rcu_read_lock();
6482 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
6483 if (!list)
6484 goto out;
6485
6486 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
6487 if (objtype == obj->ops->type->type &&
6488 nft_active_genmask(obj, genmask)) {
6489 rcu_read_unlock();
6490 return obj;
6491 }
6492 }
6493out:
6494 rcu_read_unlock();
6495 return ERR_PTR(-ENOENT);
6496}
6497EXPORT_SYMBOL_GPL(nft_obj_lookup);
6498
6499static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
6500 const struct nlattr *nla,
6501 u32 objtype, u8 genmask)
6502{
6503 struct nft_object *obj;
6504
6505 list_for_each_entry(obj, &table->objects, list) {
6506 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
6507 objtype == obj->ops->type->type &&
6508 nft_active_genmask(obj, genmask))
6509 return obj;
6510 }
6511 return ERR_PTR(-ENOENT);
6512}
6513
6514static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
6515 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
6516 .len = NFT_TABLE_MAXNAMELEN - 1 },
6517 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
6518 .len = NFT_OBJ_MAXNAMELEN - 1 },
6519 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
6520 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
6521 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
6522 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY,
6523 .len = NFT_USERDATA_MAXLEN },
6524};
6525
6526static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
6527 const struct nft_object_type *type,
6528 const struct nlattr *attr)
6529{
6530 struct nlattr **tb;
6531 const struct nft_object_ops *ops;
6532 struct nft_object *obj;
6533 int err = -ENOMEM;
6534
6535 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
6536 if (!tb)
6537 goto err1;
6538
6539 if (attr) {
6540 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
6541 type->policy, NULL);
6542 if (err < 0)
6543 goto err2;
6544 } else {
6545 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
6546 }
6547
6548 if (type->select_ops) {
6549 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
6550 if (IS_ERR(ops)) {
6551 err = PTR_ERR(ops);
6552 goto err2;
6553 }
6554 } else {
6555 ops = type->ops;
6556 }
6557
6558 err = -ENOMEM;
6559 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT);
6560 if (!obj)
6561 goto err2;
6562
6563 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
6564 if (err < 0)
6565 goto err3;
6566
6567 obj->ops = ops;
6568
6569 kfree(tb);
6570 return obj;
6571err3:
6572 kfree(obj);
6573err2:
6574 kfree(tb);
6575err1:
6576 return ERR_PTR(err);
6577}
6578
6579static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
6580 struct nft_object *obj, bool reset)
6581{
6582 struct nlattr *nest;
6583
6584 nest = nla_nest_start_noflag(skb, attr);
6585 if (!nest)
6586 goto nla_put_failure;
6587 if (obj->ops->dump(skb, obj, reset) < 0)
6588 goto nla_put_failure;
6589 nla_nest_end(skb, nest);
6590 return 0;
6591
6592nla_put_failure:
6593 return -1;
6594}
6595
6596static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
6597{
6598 const struct nft_object_type *type;
6599
6600 list_for_each_entry(type, &nf_tables_objects, list) {
6601 if (objtype == type->type)
6602 return type;
6603 }
6604 return NULL;
6605}
6606
6607static const struct nft_object_type *
6608nft_obj_type_get(struct net *net, u32 objtype)
6609{
6610 const struct nft_object_type *type;
6611
6612 type = __nft_obj_type_get(objtype);
6613 if (type != NULL && try_module_get(type->owner))
6614 return type;
6615
6616 lockdep_nfnl_nft_mutex_not_held();
6617#ifdef CONFIG_MODULES
6618 if (type == NULL) {
6619 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
6620 return ERR_PTR(-EAGAIN);
6621 }
6622#endif
6623 return ERR_PTR(-ENOENT);
6624}
6625
6626static int nf_tables_updobj(const struct nft_ctx *ctx,
6627 const struct nft_object_type *type,
6628 const struct nlattr *attr,
6629 struct nft_object *obj)
6630{
6631 struct nft_object *newobj;
6632 struct nft_trans *trans;
6633 int err = -ENOMEM;
6634
6635 if (!try_module_get(type->owner))
6636 return -ENOENT;
6637
6638 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
6639 sizeof(struct nft_trans_obj));
6640 if (!trans)
6641 goto err_trans;
6642
6643 newobj = nft_obj_init(ctx, type, attr);
6644 if (IS_ERR(newobj)) {
6645 err = PTR_ERR(newobj);
6646 goto err_free_trans;
6647 }
6648
6649 nft_trans_obj(trans) = obj;
6650 nft_trans_obj_update(trans) = true;
6651 nft_trans_obj_newobj(trans) = newobj;
6652 nft_trans_commit_list_add_tail(ctx->net, trans);
6653
6654 return 0;
6655
6656err_free_trans:
6657 kfree(trans);
6658err_trans:
6659 module_put(type->owner);
6660 return err;
6661}
6662
6663static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
6664 const struct nlattr * const nla[])
6665{
6666 struct netlink_ext_ack *extack = info->extack;
6667 u8 genmask = nft_genmask_next(info->net);
6668 u8 family = info->nfmsg->nfgen_family;
6669 const struct nft_object_type *type;
6670 struct net *net = info->net;
6671 struct nft_table *table;
6672 struct nft_object *obj;
6673 struct nft_ctx ctx;
6674 u32 objtype;
6675 int err;
6676
6677 if (!nla[NFTA_OBJ_TYPE] ||
6678 !nla[NFTA_OBJ_NAME] ||
6679 !nla[NFTA_OBJ_DATA])
6680 return -EINVAL;
6681
6682 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
6683 NETLINK_CB(skb).portid);
6684 if (IS_ERR(table)) {
6685 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6686 return PTR_ERR(table);
6687 }
6688
6689 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6690 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
6691 if (IS_ERR(obj)) {
6692 err = PTR_ERR(obj);
6693 if (err != -ENOENT) {
6694 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6695 return err;
6696 }
6697 } else {
6698 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
6699 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6700 return -EEXIST;
6701 }
6702 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
6703 return -EOPNOTSUPP;
6704
6705 type = __nft_obj_type_get(objtype);
6706 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
6707
6708 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
6709 }
6710
6711 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
6712
6713 type = nft_obj_type_get(net, objtype);
6714 if (IS_ERR(type))
6715 return PTR_ERR(type);
6716
6717 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
6718 if (IS_ERR(obj)) {
6719 err = PTR_ERR(obj);
6720 goto err_init;
6721 }
6722 obj->key.table = table;
6723 obj->handle = nf_tables_alloc_handle(table);
6724
6725 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT);
6726 if (!obj->key.name) {
6727 err = -ENOMEM;
6728 goto err_strdup;
6729 }
6730
6731 if (nla[NFTA_OBJ_USERDATA]) {
6732 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL);
6733 if (obj->udata == NULL)
6734 goto err_userdata;
6735
6736 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
6737 }
6738
6739 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
6740 if (err < 0)
6741 goto err_trans;
6742
6743 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
6744 nft_objname_ht_params);
6745 if (err < 0)
6746 goto err_obj_ht;
6747
6748 list_add_tail_rcu(&obj->list, &table->objects);
6749 table->use++;
6750 return 0;
6751err_obj_ht:
6752
6753 INIT_LIST_HEAD(&obj->list);
6754 return err;
6755err_trans:
6756 kfree(obj->udata);
6757err_userdata:
6758 kfree(obj->key.name);
6759err_strdup:
6760 if (obj->ops->destroy)
6761 obj->ops->destroy(&ctx, obj);
6762 kfree(obj);
6763err_init:
6764 module_put(type->owner);
6765 return err;
6766}
6767
6768static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
6769 u32 portid, u32 seq, int event, u32 flags,
6770 int family, const struct nft_table *table,
6771 struct nft_object *obj, bool reset)
6772{
6773 struct nlmsghdr *nlh;
6774
6775 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6776 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
6777 NFNETLINK_V0, nft_base_seq(net));
6778 if (!nlh)
6779 goto nla_put_failure;
6780
6781 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
6782 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
6783 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
6784 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
6785 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
6786 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
6787 NFTA_OBJ_PAD))
6788 goto nla_put_failure;
6789
6790 if (obj->udata &&
6791 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
6792 goto nla_put_failure;
6793
6794 nlmsg_end(skb, nlh);
6795 return 0;
6796
6797nla_put_failure:
6798 nlmsg_trim(skb, nlh);
6799 return -1;
6800}
6801
6802struct nft_obj_filter {
6803 char *table;
6804 u32 type;
6805};
6806
6807static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
6808{
6809 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6810 const struct nft_table *table;
6811 unsigned int idx = 0, s_idx = cb->args[0];
6812 struct nft_obj_filter *filter = cb->data;
6813 struct net *net = sock_net(skb->sk);
6814 int family = nfmsg->nfgen_family;
6815 struct nftables_pernet *nft_net;
6816 struct nft_object *obj;
6817 bool reset = false;
6818
6819 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
6820 reset = true;
6821
6822 rcu_read_lock();
6823 nft_net = nft_pernet(net);
6824 cb->seq = nft_net->base_seq;
6825
6826 list_for_each_entry_rcu(table, &nft_net->tables, list) {
6827 if (family != NFPROTO_UNSPEC && family != table->family)
6828 continue;
6829
6830 list_for_each_entry_rcu(obj, &table->objects, list) {
6831 if (!nft_is_active(net, obj))
6832 goto cont;
6833 if (idx < s_idx)
6834 goto cont;
6835 if (idx > s_idx)
6836 memset(&cb->args[1], 0,
6837 sizeof(cb->args) - sizeof(cb->args[0]));
6838 if (filter && filter->table &&
6839 strcmp(filter->table, table->name))
6840 goto cont;
6841 if (filter &&
6842 filter->type != NFT_OBJECT_UNSPEC &&
6843 obj->ops->type->type != filter->type)
6844 goto cont;
6845 if (reset) {
6846 char *buf = kasprintf(GFP_ATOMIC,
6847 "%s:%u",
6848 table->name,
6849 nft_net->base_seq);
6850
6851 audit_log_nfcfg(buf,
6852 family,
6853 obj->handle,
6854 AUDIT_NFT_OP_OBJ_RESET,
6855 GFP_ATOMIC);
6856 kfree(buf);
6857 }
6858
6859 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
6860 cb->nlh->nlmsg_seq,
6861 NFT_MSG_NEWOBJ,
6862 NLM_F_MULTI | NLM_F_APPEND,
6863 table->family, table,
6864 obj, reset) < 0)
6865 goto done;
6866
6867 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6868cont:
6869 idx++;
6870 }
6871 }
6872done:
6873 rcu_read_unlock();
6874
6875 cb->args[0] = idx;
6876 return skb->len;
6877}
6878
6879static int nf_tables_dump_obj_start(struct netlink_callback *cb)
6880{
6881 const struct nlattr * const *nla = cb->data;
6882 struct nft_obj_filter *filter = NULL;
6883
6884 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
6885 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6886 if (!filter)
6887 return -ENOMEM;
6888
6889 if (nla[NFTA_OBJ_TABLE]) {
6890 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
6891 if (!filter->table) {
6892 kfree(filter);
6893 return -ENOMEM;
6894 }
6895 }
6896
6897 if (nla[NFTA_OBJ_TYPE])
6898 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6899 }
6900
6901 cb->data = filter;
6902 return 0;
6903}
6904
6905static int nf_tables_dump_obj_done(struct netlink_callback *cb)
6906{
6907 struct nft_obj_filter *filter = cb->data;
6908
6909 if (filter) {
6910 kfree(filter->table);
6911 kfree(filter);
6912 }
6913
6914 return 0;
6915}
6916
6917
6918static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
6919 const struct nlattr * const nla[])
6920{
6921 struct netlink_ext_ack *extack = info->extack;
6922 u8 genmask = nft_genmask_cur(info->net);
6923 u8 family = info->nfmsg->nfgen_family;
6924 const struct nft_table *table;
6925 struct net *net = info->net;
6926 struct nft_object *obj;
6927 struct sk_buff *skb2;
6928 bool reset = false;
6929 u32 objtype;
6930 int err;
6931
6932 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
6933 struct netlink_dump_control c = {
6934 .start = nf_tables_dump_obj_start,
6935 .dump = nf_tables_dump_obj,
6936 .done = nf_tables_dump_obj_done,
6937 .module = THIS_MODULE,
6938 .data = (void *)nla,
6939 };
6940
6941 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
6942 }
6943
6944 if (!nla[NFTA_OBJ_NAME] ||
6945 !nla[NFTA_OBJ_TYPE])
6946 return -EINVAL;
6947
6948 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0);
6949 if (IS_ERR(table)) {
6950 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6951 return PTR_ERR(table);
6952 }
6953
6954 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6955 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
6956 if (IS_ERR(obj)) {
6957 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6958 return PTR_ERR(obj);
6959 }
6960
6961 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6962 if (!skb2)
6963 return -ENOMEM;
6964
6965 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
6966 reset = true;
6967
6968 if (reset) {
6969 const struct nftables_pernet *nft_net;
6970 char *buf;
6971
6972 nft_net = nft_pernet(net);
6973 buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, nft_net->base_seq);
6974
6975 audit_log_nfcfg(buf,
6976 family,
6977 obj->handle,
6978 AUDIT_NFT_OP_OBJ_RESET,
6979 GFP_ATOMIC);
6980 kfree(buf);
6981 }
6982
6983 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
6984 info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
6985 family, table, obj, reset);
6986 if (err < 0)
6987 goto err_fill_obj_info;
6988
6989 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
6990
6991err_fill_obj_info:
6992 kfree_skb(skb2);
6993 return err;
6994}
6995
6996static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
6997{
6998 if (obj->ops->destroy)
6999 obj->ops->destroy(ctx, obj);
7000
7001 module_put(obj->ops->type->owner);
7002 kfree(obj->key.name);
7003 kfree(obj->udata);
7004 kfree(obj);
7005}
7006
7007static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info,
7008 const struct nlattr * const nla[])
7009{
7010 struct netlink_ext_ack *extack = info->extack;
7011 u8 genmask = nft_genmask_next(info->net);
7012 u8 family = info->nfmsg->nfgen_family;
7013 struct net *net = info->net;
7014 const struct nlattr *attr;
7015 struct nft_table *table;
7016 struct nft_object *obj;
7017 struct nft_ctx ctx;
7018 u32 objtype;
7019
7020 if (!nla[NFTA_OBJ_TYPE] ||
7021 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
7022 return -EINVAL;
7023
7024 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
7025 NETLINK_CB(skb).portid);
7026 if (IS_ERR(table)) {
7027 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
7028 return PTR_ERR(table);
7029 }
7030
7031 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7032 if (nla[NFTA_OBJ_HANDLE]) {
7033 attr = nla[NFTA_OBJ_HANDLE];
7034 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
7035 } else {
7036 attr = nla[NFTA_OBJ_NAME];
7037 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
7038 }
7039
7040 if (IS_ERR(obj)) {
7041 NL_SET_BAD_ATTR(extack, attr);
7042 return PTR_ERR(obj);
7043 }
7044 if (obj->use > 0) {
7045 NL_SET_BAD_ATTR(extack, attr);
7046 return -EBUSY;
7047 }
7048
7049 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7050
7051 return nft_delobj(&ctx, obj);
7052}
7053
7054void nft_obj_notify(struct net *net, const struct nft_table *table,
7055 struct nft_object *obj, u32 portid, u32 seq, int event,
7056 u16 flags, int family, int report, gfp_t gfp)
7057{
7058 struct nftables_pernet *nft_net = nft_pernet(net);
7059 struct sk_buff *skb;
7060 int err;
7061 char *buf = kasprintf(gfp, "%s:%u",
7062 table->name, nft_net->base_seq);
7063
7064 audit_log_nfcfg(buf,
7065 family,
7066 obj->handle,
7067 event == NFT_MSG_NEWOBJ ?
7068 AUDIT_NFT_OP_OBJ_REGISTER :
7069 AUDIT_NFT_OP_OBJ_UNREGISTER,
7070 gfp);
7071 kfree(buf);
7072
7073 if (!report &&
7074 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
7075 return;
7076
7077 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
7078 if (skb == NULL)
7079 goto err;
7080
7081 err = nf_tables_fill_obj_info(skb, net, portid, seq, event,
7082 flags & (NLM_F_CREATE | NLM_F_EXCL),
7083 family, table, obj, false);
7084 if (err < 0) {
7085 kfree_skb(skb);
7086 goto err;
7087 }
7088
7089 nft_notify_enqueue(skb, report, &nft_net->notify_list);
7090 return;
7091err:
7092 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
7093}
7094EXPORT_SYMBOL_GPL(nft_obj_notify);
7095
7096static void nf_tables_obj_notify(const struct nft_ctx *ctx,
7097 struct nft_object *obj, int event)
7098{
7099 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
7100 ctx->flags, ctx->family, ctx->report, GFP_KERNEL);
7101}
7102
7103
7104
7105
7106void nft_register_flowtable_type(struct nf_flowtable_type *type)
7107{
7108 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7109 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
7110 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7111}
7112EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
7113
7114void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
7115{
7116 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7117 list_del_rcu(&type->list);
7118 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7119}
7120EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
7121
7122static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
7123 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
7124 .len = NFT_NAME_MAXLEN - 1 },
7125 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
7126 .len = NFT_NAME_MAXLEN - 1 },
7127 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
7128 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
7129 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
7130};
7131
7132struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
7133 const struct nlattr *nla, u8 genmask)
7134{
7135 struct nft_flowtable *flowtable;
7136
7137 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
7138 if (!nla_strcmp(nla, flowtable->name) &&
7139 nft_active_genmask(flowtable, genmask))
7140 return flowtable;
7141 }
7142 return ERR_PTR(-ENOENT);
7143}
7144EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
7145
7146void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
7147 struct nft_flowtable *flowtable,
7148 enum nft_trans_phase phase)
7149{
7150 switch (phase) {
7151 case NFT_TRANS_PREPARE:
7152 case NFT_TRANS_ABORT:
7153 case NFT_TRANS_RELEASE:
7154 flowtable->use--;
7155 fallthrough;
7156 default:
7157 return;
7158 }
7159}
7160EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
7161
7162static struct nft_flowtable *
7163nft_flowtable_lookup_byhandle(const struct nft_table *table,
7164 const struct nlattr *nla, u8 genmask)
7165{
7166 struct nft_flowtable *flowtable;
7167
7168 list_for_each_entry(flowtable, &table->flowtables, list) {
7169 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
7170 nft_active_genmask(flowtable, genmask))
7171 return flowtable;
7172 }
7173 return ERR_PTR(-ENOENT);
7174}
7175
7176struct nft_flowtable_hook {
7177 u32 num;
7178 int priority;
7179 struct list_head list;
7180};
7181
7182static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
7183 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
7184 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
7185 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
7186};
7187
7188static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
7189 const struct nlattr *attr,
7190 struct nft_flowtable_hook *flowtable_hook,
7191 struct nft_flowtable *flowtable, bool add)
7192{
7193 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
7194 struct nft_hook *hook;
7195 int hooknum, priority;
7196 int err;
7197
7198 INIT_LIST_HEAD(&flowtable_hook->list);
7199
7200 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
7201 nft_flowtable_hook_policy, NULL);
7202 if (err < 0)
7203 return err;
7204
7205 if (add) {
7206 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
7207 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY])
7208 return -EINVAL;
7209
7210 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
7211 if (hooknum != NF_NETDEV_INGRESS)
7212 return -EOPNOTSUPP;
7213
7214 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
7215
7216 flowtable_hook->priority = priority;
7217 flowtable_hook->num = hooknum;
7218 } else {
7219 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
7220 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
7221 if (hooknum != flowtable->hooknum)
7222 return -EOPNOTSUPP;
7223 }
7224
7225 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
7226 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
7227 if (priority != flowtable->data.priority)
7228 return -EOPNOTSUPP;
7229 }
7230
7231 flowtable_hook->priority = flowtable->data.priority;
7232 flowtable_hook->num = flowtable->hooknum;
7233 }
7234
7235 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
7236 err = nf_tables_parse_netdev_hooks(ctx->net,
7237 tb[NFTA_FLOWTABLE_HOOK_DEVS],
7238 &flowtable_hook->list);
7239 if (err < 0)
7240 return err;
7241 }
7242
7243 list_for_each_entry(hook, &flowtable_hook->list, list) {
7244 hook->ops.pf = NFPROTO_NETDEV;
7245 hook->ops.hooknum = flowtable_hook->num;
7246 hook->ops.priority = flowtable_hook->priority;
7247 hook->ops.priv = &flowtable->data;
7248 hook->ops.hook = flowtable->data.type->hook;
7249 }
7250
7251 return err;
7252}
7253
7254static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
7255{
7256 const struct nf_flowtable_type *type;
7257
7258 list_for_each_entry(type, &nf_tables_flowtables, list) {
7259 if (family == type->family)
7260 return type;
7261 }
7262 return NULL;
7263}
7264
7265static const struct nf_flowtable_type *
7266nft_flowtable_type_get(struct net *net, u8 family)
7267{
7268 const struct nf_flowtable_type *type;
7269
7270 type = __nft_flowtable_type_get(family);
7271 if (type != NULL && try_module_get(type->owner))
7272 return type;
7273
7274 lockdep_nfnl_nft_mutex_not_held();
7275#ifdef CONFIG_MODULES
7276 if (type == NULL) {
7277 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
7278 return ERR_PTR(-EAGAIN);
7279 }
7280#endif
7281 return ERR_PTR(-ENOENT);
7282}
7283
7284
7285static void nft_unregister_flowtable_hook(struct net *net,
7286 struct nft_flowtable *flowtable,
7287 struct nft_hook *hook)
7288{
7289 nf_unregister_net_hook(net, &hook->ops);
7290 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
7291 FLOW_BLOCK_UNBIND);
7292}
7293
7294static void nft_unregister_flowtable_net_hooks(struct net *net,
7295 struct list_head *hook_list)
7296{
7297 struct nft_hook *hook;
7298
7299 list_for_each_entry(hook, hook_list, list)
7300 nf_unregister_net_hook(net, &hook->ops);
7301}
7302
7303static int nft_register_flowtable_net_hooks(struct net *net,
7304 struct nft_table *table,
7305 struct list_head *hook_list,
7306 struct nft_flowtable *flowtable)
7307{
7308 struct nft_hook *hook, *hook2, *next;
7309 struct nft_flowtable *ft;
7310 int err, i = 0;
7311
7312 list_for_each_entry(hook, hook_list, list) {
7313 list_for_each_entry(ft, &table->flowtables, list) {
7314 if (!nft_is_active_next(net, ft))
7315 continue;
7316
7317 list_for_each_entry(hook2, &ft->hook_list, list) {
7318 if (hook->ops.dev == hook2->ops.dev &&
7319 hook->ops.pf == hook2->ops.pf) {
7320 err = -EEXIST;
7321 goto err_unregister_net_hooks;
7322 }
7323 }
7324 }
7325
7326 err = flowtable->data.type->setup(&flowtable->data,
7327 hook->ops.dev,
7328 FLOW_BLOCK_BIND);
7329 if (err < 0)
7330 goto err_unregister_net_hooks;
7331
7332 err = nf_register_net_hook(net, &hook->ops);
7333 if (err < 0) {
7334 flowtable->data.type->setup(&flowtable->data,
7335 hook->ops.dev,
7336 FLOW_BLOCK_UNBIND);
7337 goto err_unregister_net_hooks;
7338 }
7339
7340 i++;
7341 }
7342
7343 return 0;
7344
7345err_unregister_net_hooks:
7346 list_for_each_entry_safe(hook, next, hook_list, list) {
7347 if (i-- <= 0)
7348 break;
7349
7350 nft_unregister_flowtable_hook(net, flowtable, hook);
7351 list_del_rcu(&hook->list);
7352 kfree_rcu(hook, rcu);
7353 }
7354
7355 return err;
7356}
7357
7358static void nft_flowtable_hooks_destroy(struct list_head *hook_list)
7359{
7360 struct nft_hook *hook, *next;
7361
7362 list_for_each_entry_safe(hook, next, hook_list, list) {
7363 list_del_rcu(&hook->list);
7364 kfree_rcu(hook, rcu);
7365 }
7366}
7367
7368static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
7369 struct nft_flowtable *flowtable)
7370{
7371 const struct nlattr * const *nla = ctx->nla;
7372 struct nft_flowtable_hook flowtable_hook;
7373 struct nft_hook *hook, *next;
7374 struct nft_trans *trans;
7375 bool unregister = false;
7376 u32 flags;
7377 int err;
7378
7379 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
7380 &flowtable_hook, flowtable, false);
7381 if (err < 0)
7382 return err;
7383
7384 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
7385 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
7386 list_del(&hook->list);
7387 kfree(hook);
7388 }
7389 }
7390
7391 if (nla[NFTA_FLOWTABLE_FLAGS]) {
7392 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
7393 if (flags & ~NFT_FLOWTABLE_MASK)
7394 return -EOPNOTSUPP;
7395 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^
7396 (flags & NFT_FLOWTABLE_HW_OFFLOAD))
7397 return -EOPNOTSUPP;
7398 } else {
7399 flags = flowtable->data.flags;
7400 }
7401
7402 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
7403 &flowtable_hook.list, flowtable);
7404 if (err < 0)
7405 goto err_flowtable_update_hook;
7406
7407 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
7408 sizeof(struct nft_trans_flowtable));
7409 if (!trans) {
7410 unregister = true;
7411 err = -ENOMEM;
7412 goto err_flowtable_update_hook;
7413 }
7414
7415 nft_trans_flowtable_flags(trans) = flags;
7416 nft_trans_flowtable(trans) = flowtable;
7417 nft_trans_flowtable_update(trans) = true;
7418 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
7419 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
7420
7421 nft_trans_commit_list_add_tail(ctx->net, trans);
7422
7423 return 0;
7424
7425err_flowtable_update_hook:
7426 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
7427 if (unregister)
7428 nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
7429 list_del_rcu(&hook->list);
7430 kfree_rcu(hook, rcu);
7431 }
7432
7433 return err;
7434
7435}
7436
7437static int nf_tables_newflowtable(struct sk_buff *skb,
7438 const struct nfnl_info *info,
7439 const struct nlattr * const nla[])
7440{
7441 struct netlink_ext_ack *extack = info->extack;
7442 struct nft_flowtable_hook flowtable_hook;
7443 u8 genmask = nft_genmask_next(info->net);
7444 u8 family = info->nfmsg->nfgen_family;
7445 const struct nf_flowtable_type *type;
7446 struct nft_flowtable *flowtable;
7447 struct nft_hook *hook, *next;
7448 struct net *net = info->net;
7449 struct nft_table *table;
7450 struct nft_ctx ctx;
7451 int err;
7452
7453 if (!nla[NFTA_FLOWTABLE_TABLE] ||
7454 !nla[NFTA_FLOWTABLE_NAME] ||
7455 !nla[NFTA_FLOWTABLE_HOOK])
7456 return -EINVAL;
7457
7458 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
7459 genmask, NETLINK_CB(skb).portid);
7460 if (IS_ERR(table)) {
7461 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
7462 return PTR_ERR(table);
7463 }
7464
7465 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
7466 genmask);
7467 if (IS_ERR(flowtable)) {
7468 err = PTR_ERR(flowtable);
7469 if (err != -ENOENT) {
7470 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
7471 return err;
7472 }
7473 } else {
7474 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
7475 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
7476 return -EEXIST;
7477 }
7478
7479 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7480
7481 return nft_flowtable_update(&ctx, info->nlh, flowtable);
7482 }
7483
7484 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7485
7486 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL_ACCOUNT);
7487 if (!flowtable)
7488 return -ENOMEM;
7489
7490 flowtable->table = table;
7491 flowtable->handle = nf_tables_alloc_handle(table);
7492 INIT_LIST_HEAD(&flowtable->hook_list);
7493
7494 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL_ACCOUNT);
7495 if (!flowtable->name) {
7496 err = -ENOMEM;
7497 goto err1;
7498 }
7499
7500 type = nft_flowtable_type_get(net, family);
7501 if (IS_ERR(type)) {
7502 err = PTR_ERR(type);
7503 goto err2;
7504 }
7505
7506 if (nla[NFTA_FLOWTABLE_FLAGS]) {
7507 flowtable->data.flags =
7508 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
7509 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) {
7510 err = -EOPNOTSUPP;
7511 goto err3;
7512 }
7513 }
7514
7515 write_pnet(&flowtable->data.net, net);
7516 flowtable->data.type = type;
7517 err = type->init(&flowtable->data);
7518 if (err < 0)
7519 goto err3;
7520
7521 err = nft_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
7522 &flowtable_hook, flowtable, true);
7523 if (err < 0)
7524 goto err4;
7525
7526 list_splice(&flowtable_hook.list, &flowtable->hook_list);
7527 flowtable->data.priority = flowtable_hook.priority;
7528 flowtable->hooknum = flowtable_hook.num;
7529
7530 err = nft_register_flowtable_net_hooks(ctx.net, table,
7531 &flowtable->hook_list,
7532 flowtable);
7533 if (err < 0) {
7534 nft_flowtable_hooks_destroy(&flowtable->hook_list);
7535 goto err4;
7536 }
7537
7538 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
7539 if (err < 0)
7540 goto err5;
7541
7542 list_add_tail_rcu(&flowtable->list, &table->flowtables);
7543 table->use++;
7544
7545 return 0;
7546err5:
7547 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7548 nft_unregister_flowtable_hook(net, flowtable, hook);
7549 list_del_rcu(&hook->list);
7550 kfree_rcu(hook, rcu);
7551 }
7552err4:
7553 flowtable->data.type->free(&flowtable->data);
7554err3:
7555 module_put(type->owner);
7556err2:
7557 kfree(flowtable->name);
7558err1:
7559 kfree(flowtable);
7560 return err;
7561}
7562
7563static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
7564{
7565 struct nft_hook *this, *next;
7566
7567 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
7568 list_del(&this->list);
7569 kfree(this);
7570 }
7571}
7572
7573static int nft_delflowtable_hook(struct nft_ctx *ctx,
7574 struct nft_flowtable *flowtable)
7575{
7576 const struct nlattr * const *nla = ctx->nla;
7577 struct nft_flowtable_hook flowtable_hook;
7578 struct nft_hook *this, *hook;
7579 struct nft_trans *trans;
7580 int err;
7581
7582 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
7583 &flowtable_hook, flowtable, false);
7584 if (err < 0)
7585 return err;
7586
7587 list_for_each_entry(this, &flowtable_hook.list, list) {
7588 hook = nft_hook_list_find(&flowtable->hook_list, this);
7589 if (!hook) {
7590 err = -ENOENT;
7591 goto err_flowtable_del_hook;
7592 }
7593 hook->inactive = true;
7594 }
7595
7596 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
7597 sizeof(struct nft_trans_flowtable));
7598 if (!trans) {
7599 err = -ENOMEM;
7600 goto err_flowtable_del_hook;
7601 }
7602
7603 nft_trans_flowtable(trans) = flowtable;
7604 nft_trans_flowtable_update(trans) = true;
7605 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
7606 nft_flowtable_hook_release(&flowtable_hook);
7607
7608 nft_trans_commit_list_add_tail(ctx->net, trans);
7609
7610 return 0;
7611
7612err_flowtable_del_hook:
7613 list_for_each_entry(this, &flowtable_hook.list, list) {
7614 hook = nft_hook_list_find(&flowtable->hook_list, this);
7615 if (!hook)
7616 break;
7617
7618 hook->inactive = false;
7619 }
7620 nft_flowtable_hook_release(&flowtable_hook);
7621
7622 return err;
7623}
7624
7625static int nf_tables_delflowtable(struct sk_buff *skb,
7626 const struct nfnl_info *info,
7627 const struct nlattr * const nla[])
7628{
7629 struct netlink_ext_ack *extack = info->extack;
7630 u8 genmask = nft_genmask_next(info->net);
7631 u8 family = info->nfmsg->nfgen_family;
7632 struct nft_flowtable *flowtable;
7633 struct net *net = info->net;
7634 const struct nlattr *attr;
7635 struct nft_table *table;
7636 struct nft_ctx ctx;
7637
7638 if (!nla[NFTA_FLOWTABLE_TABLE] ||
7639 (!nla[NFTA_FLOWTABLE_NAME] &&
7640 !nla[NFTA_FLOWTABLE_HANDLE]))
7641 return -EINVAL;
7642
7643 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
7644 genmask, NETLINK_CB(skb).portid);
7645 if (IS_ERR(table)) {
7646 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
7647 return PTR_ERR(table);
7648 }
7649
7650 if (nla[NFTA_FLOWTABLE_HANDLE]) {
7651 attr = nla[NFTA_FLOWTABLE_HANDLE];
7652 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
7653 } else {
7654 attr = nla[NFTA_FLOWTABLE_NAME];
7655 flowtable = nft_flowtable_lookup(table, attr, genmask);
7656 }
7657
7658 if (IS_ERR(flowtable)) {
7659 NL_SET_BAD_ATTR(extack, attr);
7660 return PTR_ERR(flowtable);
7661 }
7662
7663 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7664
7665 if (nla[NFTA_FLOWTABLE_HOOK])
7666 return nft_delflowtable_hook(&ctx, flowtable);
7667
7668 if (flowtable->use > 0) {
7669 NL_SET_BAD_ATTR(extack, attr);
7670 return -EBUSY;
7671 }
7672
7673 return nft_delflowtable(&ctx, flowtable);
7674}
7675
7676static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
7677 u32 portid, u32 seq, int event,
7678 u32 flags, int family,
7679 struct nft_flowtable *flowtable,
7680 struct list_head *hook_list)
7681{
7682 struct nlattr *nest, *nest_devs;
7683 struct nft_hook *hook;
7684 struct nlmsghdr *nlh;
7685
7686 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
7687 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
7688 NFNETLINK_V0, nft_base_seq(net));
7689 if (!nlh)
7690 goto nla_put_failure;
7691
7692 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
7693 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
7694 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
7695 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
7696 NFTA_FLOWTABLE_PAD) ||
7697 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
7698 goto nla_put_failure;
7699
7700 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
7701 if (!nest)
7702 goto nla_put_failure;
7703 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
7704 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
7705 goto nla_put_failure;
7706
7707 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
7708 if (!nest_devs)
7709 goto nla_put_failure;
7710
7711 list_for_each_entry_rcu(hook, hook_list, list) {
7712 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
7713 goto nla_put_failure;
7714 }
7715 nla_nest_end(skb, nest_devs);
7716 nla_nest_end(skb, nest);
7717
7718 nlmsg_end(skb, nlh);
7719 return 0;
7720
7721nla_put_failure:
7722 nlmsg_trim(skb, nlh);
7723 return -1;
7724}
7725
7726struct nft_flowtable_filter {
7727 char *table;
7728};
7729
7730static int nf_tables_dump_flowtable(struct sk_buff *skb,
7731 struct netlink_callback *cb)
7732{
7733 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
7734 struct nft_flowtable_filter *filter = cb->data;
7735 unsigned int idx = 0, s_idx = cb->args[0];
7736 struct net *net = sock_net(skb->sk);
7737 int family = nfmsg->nfgen_family;
7738 struct nft_flowtable *flowtable;
7739 struct nftables_pernet *nft_net;
7740 const struct nft_table *table;
7741
7742 rcu_read_lock();
7743 nft_net = nft_pernet(net);
7744 cb->seq = nft_net->base_seq;
7745
7746 list_for_each_entry_rcu(table, &nft_net->tables, list) {
7747 if (family != NFPROTO_UNSPEC && family != table->family)
7748 continue;
7749
7750 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
7751 if (!nft_is_active(net, flowtable))
7752 goto cont;
7753 if (idx < s_idx)
7754 goto cont;
7755 if (idx > s_idx)
7756 memset(&cb->args[1], 0,
7757 sizeof(cb->args) - sizeof(cb->args[0]));
7758 if (filter && filter->table &&
7759 strcmp(filter->table, table->name))
7760 goto cont;
7761
7762 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
7763 cb->nlh->nlmsg_seq,
7764 NFT_MSG_NEWFLOWTABLE,
7765 NLM_F_MULTI | NLM_F_APPEND,
7766 table->family,
7767 flowtable,
7768 &flowtable->hook_list) < 0)
7769 goto done;
7770
7771 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
7772cont:
7773 idx++;
7774 }
7775 }
7776done:
7777 rcu_read_unlock();
7778
7779 cb->args[0] = idx;
7780 return skb->len;
7781}
7782
7783static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
7784{
7785 const struct nlattr * const *nla = cb->data;
7786 struct nft_flowtable_filter *filter = NULL;
7787
7788 if (nla[NFTA_FLOWTABLE_TABLE]) {
7789 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
7790 if (!filter)
7791 return -ENOMEM;
7792
7793 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
7794 GFP_ATOMIC);
7795 if (!filter->table) {
7796 kfree(filter);
7797 return -ENOMEM;
7798 }
7799 }
7800
7801 cb->data = filter;
7802 return 0;
7803}
7804
7805static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
7806{
7807 struct nft_flowtable_filter *filter = cb->data;
7808
7809 if (!filter)
7810 return 0;
7811
7812 kfree(filter->table);
7813 kfree(filter);
7814
7815 return 0;
7816}
7817
7818
7819static int nf_tables_getflowtable(struct sk_buff *skb,
7820 const struct nfnl_info *info,
7821 const struct nlattr * const nla[])
7822{
7823 u8 genmask = nft_genmask_cur(info->net);
7824 u8 family = info->nfmsg->nfgen_family;
7825 struct nft_flowtable *flowtable;
7826 const struct nft_table *table;
7827 struct net *net = info->net;
7828 struct sk_buff *skb2;
7829 int err;
7830
7831 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
7832 struct netlink_dump_control c = {
7833 .start = nf_tables_dump_flowtable_start,
7834 .dump = nf_tables_dump_flowtable,
7835 .done = nf_tables_dump_flowtable_done,
7836 .module = THIS_MODULE,
7837 .data = (void *)nla,
7838 };
7839
7840 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
7841 }
7842
7843 if (!nla[NFTA_FLOWTABLE_NAME])
7844 return -EINVAL;
7845
7846 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
7847 genmask, 0);
7848 if (IS_ERR(table))
7849 return PTR_ERR(table);
7850
7851 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
7852 genmask);
7853 if (IS_ERR(flowtable))
7854 return PTR_ERR(flowtable);
7855
7856 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7857 if (!skb2)
7858 return -ENOMEM;
7859
7860 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
7861 info->nlh->nlmsg_seq,
7862 NFT_MSG_NEWFLOWTABLE, 0, family,
7863 flowtable, &flowtable->hook_list);
7864 if (err < 0)
7865 goto err_fill_flowtable_info;
7866
7867 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7868
7869err_fill_flowtable_info:
7870 kfree_skb(skb2);
7871 return err;
7872}
7873
7874static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
7875 struct nft_flowtable *flowtable,
7876 struct list_head *hook_list,
7877 int event)
7878{
7879 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
7880 struct sk_buff *skb;
7881 u16 flags = 0;
7882 int err;
7883
7884 if (!ctx->report &&
7885 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
7886 return;
7887
7888 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
7889 if (skb == NULL)
7890 goto err;
7891
7892 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
7893 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
7894
7895 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
7896 ctx->seq, event, flags,
7897 ctx->family, flowtable, hook_list);
7898 if (err < 0) {
7899 kfree_skb(skb);
7900 goto err;
7901 }
7902
7903 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
7904 return;
7905err:
7906 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
7907}
7908
7909static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
7910{
7911 struct nft_hook *hook, *next;
7912
7913 flowtable->data.type->free(&flowtable->data);
7914 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7915 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
7916 FLOW_BLOCK_UNBIND);
7917 list_del_rcu(&hook->list);
7918 kfree(hook);
7919 }
7920 kfree(flowtable->name);
7921 module_put(flowtable->data.type->owner);
7922 kfree(flowtable);
7923}
7924
7925static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
7926 u32 portid, u32 seq)
7927{
7928 struct nftables_pernet *nft_net = nft_pernet(net);
7929 struct nlmsghdr *nlh;
7930 char buf[TASK_COMM_LEN];
7931 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
7932
7933 nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC,
7934 NFNETLINK_V0, nft_base_seq(net));
7935 if (!nlh)
7936 goto nla_put_failure;
7937
7938 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) ||
7939 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
7940 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
7941 goto nla_put_failure;
7942
7943 nlmsg_end(skb, nlh);
7944 return 0;
7945
7946nla_put_failure:
7947 nlmsg_trim(skb, nlh);
7948 return -EMSGSIZE;
7949}
7950
7951static void nft_flowtable_event(unsigned long event, struct net_device *dev,
7952 struct nft_flowtable *flowtable)
7953{
7954 struct nft_hook *hook;
7955
7956 list_for_each_entry(hook, &flowtable->hook_list, list) {
7957 if (hook->ops.dev != dev)
7958 continue;
7959
7960
7961 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
7962 list_del_rcu(&hook->list);
7963 kfree_rcu(hook, rcu);
7964 break;
7965 }
7966}
7967
7968static int nf_tables_flowtable_event(struct notifier_block *this,
7969 unsigned long event, void *ptr)
7970{
7971 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
7972 struct nft_flowtable *flowtable;
7973 struct nftables_pernet *nft_net;
7974 struct nft_table *table;
7975 struct net *net;
7976
7977 if (event != NETDEV_UNREGISTER)
7978 return 0;
7979
7980 net = dev_net(dev);
7981 nft_net = nft_pernet(net);
7982 mutex_lock(&nft_net->commit_mutex);
7983 list_for_each_entry(table, &nft_net->tables, list) {
7984 list_for_each_entry(flowtable, &table->flowtables, list) {
7985 nft_flowtable_event(event, dev, flowtable);
7986 }
7987 }
7988 mutex_unlock(&nft_net->commit_mutex);
7989
7990 return NOTIFY_DONE;
7991}
7992
7993static struct notifier_block nf_tables_flowtable_notifier = {
7994 .notifier_call = nf_tables_flowtable_event,
7995};
7996
7997static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
7998 int event)
7999{
8000 struct nlmsghdr *nlh = nlmsg_hdr(skb);
8001 struct sk_buff *skb2;
8002 int err;
8003
8004 if (!nlmsg_report(nlh) &&
8005 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
8006 return;
8007
8008 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
8009 if (skb2 == NULL)
8010 goto err;
8011
8012 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
8013 nlh->nlmsg_seq);
8014 if (err < 0) {
8015 kfree_skb(skb2);
8016 goto err;
8017 }
8018
8019 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
8020 nlmsg_report(nlh), GFP_KERNEL);
8021 return;
8022err:
8023 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
8024 -ENOBUFS);
8025}
8026
8027static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info,
8028 const struct nlattr * const nla[])
8029{
8030 struct sk_buff *skb2;
8031 int err;
8032
8033 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
8034 if (skb2 == NULL)
8035 return -ENOMEM;
8036
8037 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid,
8038 info->nlh->nlmsg_seq);
8039 if (err < 0)
8040 goto err_fill_gen_info;
8041
8042 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
8043
8044err_fill_gen_info:
8045 kfree_skb(skb2);
8046 return err;
8047}
8048
8049static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
8050 [NFT_MSG_NEWTABLE] = {
8051 .call = nf_tables_newtable,
8052 .type = NFNL_CB_BATCH,
8053 .attr_count = NFTA_TABLE_MAX,
8054 .policy = nft_table_policy,
8055 },
8056 [NFT_MSG_GETTABLE] = {
8057 .call = nf_tables_gettable,
8058 .type = NFNL_CB_RCU,
8059 .attr_count = NFTA_TABLE_MAX,
8060 .policy = nft_table_policy,
8061 },
8062 [NFT_MSG_DELTABLE] = {
8063 .call = nf_tables_deltable,
8064 .type = NFNL_CB_BATCH,
8065 .attr_count = NFTA_TABLE_MAX,
8066 .policy = nft_table_policy,
8067 },
8068 [NFT_MSG_NEWCHAIN] = {
8069 .call = nf_tables_newchain,
8070 .type = NFNL_CB_BATCH,
8071 .attr_count = NFTA_CHAIN_MAX,
8072 .policy = nft_chain_policy,
8073 },
8074 [NFT_MSG_GETCHAIN] = {
8075 .call = nf_tables_getchain,
8076 .type = NFNL_CB_RCU,
8077 .attr_count = NFTA_CHAIN_MAX,
8078 .policy = nft_chain_policy,
8079 },
8080 [NFT_MSG_DELCHAIN] = {
8081 .call = nf_tables_delchain,
8082 .type = NFNL_CB_BATCH,
8083 .attr_count = NFTA_CHAIN_MAX,
8084 .policy = nft_chain_policy,
8085 },
8086 [NFT_MSG_NEWRULE] = {
8087 .call = nf_tables_newrule,
8088 .type = NFNL_CB_BATCH,
8089 .attr_count = NFTA_RULE_MAX,
8090 .policy = nft_rule_policy,
8091 },
8092 [NFT_MSG_GETRULE] = {
8093 .call = nf_tables_getrule,
8094 .type = NFNL_CB_RCU,
8095 .attr_count = NFTA_RULE_MAX,
8096 .policy = nft_rule_policy,
8097 },
8098 [NFT_MSG_DELRULE] = {
8099 .call = nf_tables_delrule,
8100 .type = NFNL_CB_BATCH,
8101 .attr_count = NFTA_RULE_MAX,
8102 .policy = nft_rule_policy,
8103 },
8104 [NFT_MSG_NEWSET] = {
8105 .call = nf_tables_newset,
8106 .type = NFNL_CB_BATCH,
8107 .attr_count = NFTA_SET_MAX,
8108 .policy = nft_set_policy,
8109 },
8110 [NFT_MSG_GETSET] = {
8111 .call = nf_tables_getset,
8112 .type = NFNL_CB_RCU,
8113 .attr_count = NFTA_SET_MAX,
8114 .policy = nft_set_policy,
8115 },
8116 [NFT_MSG_DELSET] = {
8117 .call = nf_tables_delset,
8118 .type = NFNL_CB_BATCH,
8119 .attr_count = NFTA_SET_MAX,
8120 .policy = nft_set_policy,
8121 },
8122 [NFT_MSG_NEWSETELEM] = {
8123 .call = nf_tables_newsetelem,
8124 .type = NFNL_CB_BATCH,
8125 .attr_count = NFTA_SET_ELEM_LIST_MAX,
8126 .policy = nft_set_elem_list_policy,
8127 },
8128 [NFT_MSG_GETSETELEM] = {
8129 .call = nf_tables_getsetelem,
8130 .type = NFNL_CB_RCU,
8131 .attr_count = NFTA_SET_ELEM_LIST_MAX,
8132 .policy = nft_set_elem_list_policy,
8133 },
8134 [NFT_MSG_DELSETELEM] = {
8135 .call = nf_tables_delsetelem,
8136 .type = NFNL_CB_BATCH,
8137 .attr_count = NFTA_SET_ELEM_LIST_MAX,
8138 .policy = nft_set_elem_list_policy,
8139 },
8140 [NFT_MSG_GETGEN] = {
8141 .call = nf_tables_getgen,
8142 .type = NFNL_CB_RCU,
8143 },
8144 [NFT_MSG_NEWOBJ] = {
8145 .call = nf_tables_newobj,
8146 .type = NFNL_CB_BATCH,
8147 .attr_count = NFTA_OBJ_MAX,
8148 .policy = nft_obj_policy,
8149 },
8150 [NFT_MSG_GETOBJ] = {
8151 .call = nf_tables_getobj,
8152 .type = NFNL_CB_RCU,
8153 .attr_count = NFTA_OBJ_MAX,
8154 .policy = nft_obj_policy,
8155 },
8156 [NFT_MSG_DELOBJ] = {
8157 .call = nf_tables_delobj,
8158 .type = NFNL_CB_BATCH,
8159 .attr_count = NFTA_OBJ_MAX,
8160 .policy = nft_obj_policy,
8161 },
8162 [NFT_MSG_GETOBJ_RESET] = {
8163 .call = nf_tables_getobj,
8164 .type = NFNL_CB_RCU,
8165 .attr_count = NFTA_OBJ_MAX,
8166 .policy = nft_obj_policy,
8167 },
8168 [NFT_MSG_NEWFLOWTABLE] = {
8169 .call = nf_tables_newflowtable,
8170 .type = NFNL_CB_BATCH,
8171 .attr_count = NFTA_FLOWTABLE_MAX,
8172 .policy = nft_flowtable_policy,
8173 },
8174 [NFT_MSG_GETFLOWTABLE] = {
8175 .call = nf_tables_getflowtable,
8176 .type = NFNL_CB_RCU,
8177 .attr_count = NFTA_FLOWTABLE_MAX,
8178 .policy = nft_flowtable_policy,
8179 },
8180 [NFT_MSG_DELFLOWTABLE] = {
8181 .call = nf_tables_delflowtable,
8182 .type = NFNL_CB_BATCH,
8183 .attr_count = NFTA_FLOWTABLE_MAX,
8184 .policy = nft_flowtable_policy,
8185 },
8186};
8187
8188static int nf_tables_validate(struct net *net)
8189{
8190 struct nftables_pernet *nft_net = nft_pernet(net);
8191 struct nft_table *table;
8192
8193 switch (nft_net->validate_state) {
8194 case NFT_VALIDATE_SKIP:
8195 break;
8196 case NFT_VALIDATE_NEED:
8197 nft_validate_state_update(net, NFT_VALIDATE_DO);
8198 fallthrough;
8199 case NFT_VALIDATE_DO:
8200 list_for_each_entry(table, &nft_net->tables, list) {
8201 if (nft_table_validate(net, table) < 0)
8202 return -EAGAIN;
8203 }
8204 break;
8205 }
8206
8207 return 0;
8208}
8209
8210
8211
8212
8213
8214
8215
8216
8217static void nft_chain_commit_drop_policy(struct nft_trans *trans)
8218{
8219 struct nft_base_chain *basechain;
8220
8221 if (nft_trans_chain_policy(trans) != NF_DROP)
8222 return;
8223
8224 if (!nft_is_base_chain(trans->ctx.chain))
8225 return;
8226
8227 basechain = nft_base_chain(trans->ctx.chain);
8228 basechain->policy = NF_DROP;
8229}
8230
8231static void nft_chain_commit_update(struct nft_trans *trans)
8232{
8233 struct nft_base_chain *basechain;
8234
8235 if (nft_trans_chain_name(trans)) {
8236 rhltable_remove(&trans->ctx.table->chains_ht,
8237 &trans->ctx.chain->rhlhead,
8238 nft_chain_ht_params);
8239 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
8240 rhltable_insert_key(&trans->ctx.table->chains_ht,
8241 trans->ctx.chain->name,
8242 &trans->ctx.chain->rhlhead,
8243 nft_chain_ht_params);
8244 }
8245
8246 if (!nft_is_base_chain(trans->ctx.chain))
8247 return;
8248
8249 nft_chain_stats_replace(trans);
8250
8251 basechain = nft_base_chain(trans->ctx.chain);
8252
8253 switch (nft_trans_chain_policy(trans)) {
8254 case NF_DROP:
8255 case NF_ACCEPT:
8256 basechain->policy = nft_trans_chain_policy(trans);
8257 break;
8258 }
8259}
8260
8261static void nft_obj_commit_update(struct nft_trans *trans)
8262{
8263 struct nft_object *newobj;
8264 struct nft_object *obj;
8265
8266 obj = nft_trans_obj(trans);
8267 newobj = nft_trans_obj_newobj(trans);
8268
8269 if (obj->ops->update)
8270 obj->ops->update(obj, newobj);
8271
8272 nft_obj_destroy(&trans->ctx, newobj);
8273}
8274
8275static void nft_commit_release(struct nft_trans *trans)
8276{
8277 switch (trans->msg_type) {
8278 case NFT_MSG_DELTABLE:
8279 nf_tables_table_destroy(&trans->ctx);
8280 break;
8281 case NFT_MSG_NEWCHAIN:
8282 free_percpu(nft_trans_chain_stats(trans));
8283 kfree(nft_trans_chain_name(trans));
8284 break;
8285 case NFT_MSG_DELCHAIN:
8286 nf_tables_chain_destroy(&trans->ctx);
8287 break;
8288 case NFT_MSG_DELRULE:
8289 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
8290 break;
8291 case NFT_MSG_DELSET:
8292 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
8293 break;
8294 case NFT_MSG_DELSETELEM:
8295 nf_tables_set_elem_destroy(&trans->ctx,
8296 nft_trans_elem_set(trans),
8297 nft_trans_elem(trans).priv);
8298 break;
8299 case NFT_MSG_DELOBJ:
8300 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
8301 break;
8302 case NFT_MSG_DELFLOWTABLE:
8303 if (nft_trans_flowtable_update(trans))
8304 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
8305 else
8306 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
8307 break;
8308 }
8309
8310 if (trans->put_net)
8311 put_net(trans->ctx.net);
8312
8313 kfree(trans);
8314}
8315
8316static void nf_tables_trans_destroy_work(struct work_struct *w)
8317{
8318 struct nft_trans *trans, *next;
8319 LIST_HEAD(head);
8320
8321 spin_lock(&nf_tables_destroy_list_lock);
8322 list_splice_init(&nf_tables_destroy_list, &head);
8323 spin_unlock(&nf_tables_destroy_list_lock);
8324
8325 if (list_empty(&head))
8326 return;
8327
8328 synchronize_rcu();
8329
8330 list_for_each_entry_safe(trans, next, &head, list) {
8331 list_del(&trans->list);
8332 nft_commit_release(trans);
8333 }
8334}
8335
8336void nf_tables_trans_destroy_flush_work(void)
8337{
8338 flush_work(&trans_destroy_work);
8339}
8340EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
8341
8342static bool nft_expr_reduce(struct nft_regs_track *track,
8343 const struct nft_expr *expr)
8344{
8345 return false;
8346}
8347
8348static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
8349{
8350 const struct nft_expr *expr, *last;
8351 struct nft_regs_track track = {};
8352 unsigned int size, data_size;
8353 void *data, *data_boundary;
8354 struct nft_rule_dp *prule;
8355 struct nft_rule *rule;
8356
8357
8358 if (chain->blob_next || !nft_is_active_next(net, chain))
8359 return 0;
8360
8361 rule = list_entry(&chain->rules, struct nft_rule, list);
8362
8363 data_size = 0;
8364 list_for_each_entry_continue(rule, &chain->rules, list) {
8365 if (nft_is_active_next(net, rule)) {
8366 data_size += sizeof(*prule) + rule->dlen;
8367 if (data_size > INT_MAX)
8368 return -ENOMEM;
8369 }
8370 }
8371 data_size += offsetof(struct nft_rule_dp, data);
8372
8373 chain->blob_next = nf_tables_chain_alloc_rules(data_size);
8374 if (!chain->blob_next)
8375 return -ENOMEM;
8376
8377 data = (void *)chain->blob_next->data;
8378 data_boundary = data + data_size;
8379 size = 0;
8380
8381 list_for_each_entry_continue(rule, &chain->rules, list) {
8382 if (!nft_is_active_next(net, rule))
8383 continue;
8384
8385 prule = (struct nft_rule_dp *)data;
8386 data += offsetof(struct nft_rule_dp, data);
8387 if (WARN_ON_ONCE(data > data_boundary))
8388 return -ENOMEM;
8389
8390 size = 0;
8391 track.last = nft_expr_last(rule);
8392 nft_rule_for_each_expr(expr, last, rule) {
8393 track.cur = expr;
8394
8395 if (nft_expr_reduce(&track, expr)) {
8396 expr = track.cur;
8397 continue;
8398 }
8399
8400 if (WARN_ON_ONCE(data + expr->ops->size > data_boundary))
8401 return -ENOMEM;
8402
8403 memcpy(data + size, expr, expr->ops->size);
8404 size += expr->ops->size;
8405 }
8406 if (WARN_ON_ONCE(size >= 1 << 12))
8407 return -ENOMEM;
8408
8409 prule->handle = rule->handle;
8410 prule->dlen = size;
8411 prule->is_last = 0;
8412
8413 data += size;
8414 size = 0;
8415 chain->blob_next->size += (unsigned long)(data - (void *)prule);
8416 }
8417
8418 prule = (struct nft_rule_dp *)data;
8419 data += offsetof(struct nft_rule_dp, data);
8420 if (WARN_ON_ONCE(data > data_boundary))
8421 return -ENOMEM;
8422
8423 nft_last_rule(chain->blob_next, prule);
8424
8425 return 0;
8426}
8427
8428static void nf_tables_commit_chain_prepare_cancel(struct net *net)
8429{
8430 struct nftables_pernet *nft_net = nft_pernet(net);
8431 struct nft_trans *trans, *next;
8432
8433 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
8434 struct nft_chain *chain = trans->ctx.chain;
8435
8436 if (trans->msg_type == NFT_MSG_NEWRULE ||
8437 trans->msg_type == NFT_MSG_DELRULE) {
8438 kvfree(chain->blob_next);
8439 chain->blob_next = NULL;
8440 }
8441 }
8442}
8443
8444static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
8445{
8446 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
8447
8448 kvfree(o->blob);
8449}
8450
8451static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob)
8452{
8453 struct nft_rules_old *old;
8454
8455
8456 old = (void *)blob + sizeof(*blob) + blob->size;
8457 old->blob = blob;
8458
8459 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
8460}
8461
8462static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
8463{
8464 struct nft_rule_blob *g0, *g1;
8465 bool next_genbit;
8466
8467 next_genbit = nft_gencursor_next(net);
8468
8469 g0 = rcu_dereference_protected(chain->blob_gen_0,
8470 lockdep_commit_lock_is_held(net));
8471 g1 = rcu_dereference_protected(chain->blob_gen_1,
8472 lockdep_commit_lock_is_held(net));
8473
8474
8475 if (chain->blob_next == NULL) {
8476
8477 if (g0 == g1)
8478 return;
8479
8480
8481
8482
8483 if (next_genbit) {
8484 rcu_assign_pointer(chain->blob_gen_1, g0);
8485 nf_tables_commit_chain_free_rules_old(g1);
8486 } else {
8487 rcu_assign_pointer(chain->blob_gen_0, g1);
8488 nf_tables_commit_chain_free_rules_old(g0);
8489 }
8490
8491 return;
8492 }
8493
8494 if (next_genbit)
8495 rcu_assign_pointer(chain->blob_gen_1, chain->blob_next);
8496 else
8497 rcu_assign_pointer(chain->blob_gen_0, chain->blob_next);
8498
8499 chain->blob_next = NULL;
8500
8501 if (g0 == g1)
8502 return;
8503
8504 if (next_genbit)
8505 nf_tables_commit_chain_free_rules_old(g1);
8506 else
8507 nf_tables_commit_chain_free_rules_old(g0);
8508}
8509
8510static void nft_obj_del(struct nft_object *obj)
8511{
8512 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
8513 list_del_rcu(&obj->list);
8514}
8515
8516void nft_chain_del(struct nft_chain *chain)
8517{
8518 struct nft_table *table = chain->table;
8519
8520 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
8521 nft_chain_ht_params));
8522 list_del_rcu(&chain->list);
8523}
8524
8525static void nft_flowtable_hooks_del(struct nft_flowtable *flowtable,
8526 struct list_head *hook_list)
8527{
8528 struct nft_hook *hook, *next;
8529
8530 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
8531 if (hook->inactive)
8532 list_move(&hook->list, hook_list);
8533 }
8534}
8535
8536static void nf_tables_module_autoload_cleanup(struct net *net)
8537{
8538 struct nftables_pernet *nft_net = nft_pernet(net);
8539 struct nft_module_request *req, *next;
8540
8541 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
8542 list_for_each_entry_safe(req, next, &nft_net->module_list, list) {
8543 WARN_ON_ONCE(!req->done);
8544 list_del(&req->list);
8545 kfree(req);
8546 }
8547}
8548
8549static void nf_tables_commit_release(struct net *net)
8550{
8551 struct nftables_pernet *nft_net = nft_pernet(net);
8552 struct nft_trans *trans;
8553
8554
8555
8556
8557
8558
8559
8560
8561 if (list_empty(&nft_net->commit_list)) {
8562 nf_tables_module_autoload_cleanup(net);
8563 mutex_unlock(&nft_net->commit_mutex);
8564 return;
8565 }
8566
8567 trans = list_last_entry(&nft_net->commit_list,
8568 struct nft_trans, list);
8569 get_net(trans->ctx.net);
8570 WARN_ON_ONCE(trans->put_net);
8571
8572 trans->put_net = true;
8573 spin_lock(&nf_tables_destroy_list_lock);
8574 list_splice_tail_init(&nft_net->commit_list, &nf_tables_destroy_list);
8575 spin_unlock(&nf_tables_destroy_list_lock);
8576
8577 nf_tables_module_autoload_cleanup(net);
8578 schedule_work(&trans_destroy_work);
8579
8580 mutex_unlock(&nft_net->commit_mutex);
8581}
8582
8583static void nft_commit_notify(struct net *net, u32 portid)
8584{
8585 struct nftables_pernet *nft_net = nft_pernet(net);
8586 struct sk_buff *batch_skb = NULL, *nskb, *skb;
8587 unsigned char *data;
8588 int len;
8589
8590 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) {
8591 if (!batch_skb) {
8592new_batch:
8593 batch_skb = skb;
8594 len = NLMSG_GOODSIZE - skb->len;
8595 list_del(&skb->list);
8596 continue;
8597 }
8598 len -= skb->len;
8599 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
8600 data = skb_put(batch_skb, skb->len);
8601 memcpy(data, skb->data, skb->len);
8602 list_del(&skb->list);
8603 kfree_skb(skb);
8604 continue;
8605 }
8606 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
8607 NFT_CB(batch_skb).report, GFP_KERNEL);
8608 goto new_batch;
8609 }
8610
8611 if (batch_skb) {
8612 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
8613 NFT_CB(batch_skb).report, GFP_KERNEL);
8614 }
8615
8616 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
8617}
8618
8619static int nf_tables_commit_audit_alloc(struct list_head *adl,
8620 struct nft_table *table)
8621{
8622 struct nft_audit_data *adp;
8623
8624 list_for_each_entry(adp, adl, list) {
8625 if (adp->table == table)
8626 return 0;
8627 }
8628 adp = kzalloc(sizeof(*adp), GFP_KERNEL);
8629 if (!adp)
8630 return -ENOMEM;
8631 adp->table = table;
8632 list_add(&adp->list, adl);
8633 return 0;
8634}
8635
8636static void nf_tables_commit_audit_free(struct list_head *adl)
8637{
8638 struct nft_audit_data *adp, *adn;
8639
8640 list_for_each_entry_safe(adp, adn, adl, list) {
8641 list_del(&adp->list);
8642 kfree(adp);
8643 }
8644}
8645
8646static void nf_tables_commit_audit_collect(struct list_head *adl,
8647 struct nft_table *table, u32 op)
8648{
8649 struct nft_audit_data *adp;
8650
8651 list_for_each_entry(adp, adl, list) {
8652 if (adp->table == table)
8653 goto found;
8654 }
8655 WARN_ONCE(1, "table=%s not expected in commit list", table->name);
8656 return;
8657found:
8658 adp->entries++;
8659 if (!adp->op || adp->op > op)
8660 adp->op = op;
8661}
8662
8663#define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22)
8664
8665static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation)
8666{
8667 struct nft_audit_data *adp, *adn;
8668 char aubuf[AUNFTABLENAMELEN];
8669
8670 list_for_each_entry_safe(adp, adn, adl, list) {
8671 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name,
8672 generation);
8673 audit_log_nfcfg(aubuf, adp->table->family, adp->entries,
8674 nft2audit_op[adp->op], GFP_KERNEL);
8675 list_del(&adp->list);
8676 kfree(adp);
8677 }
8678}
8679
8680static int nf_tables_commit(struct net *net, struct sk_buff *skb)
8681{
8682 struct nftables_pernet *nft_net = nft_pernet(net);
8683 struct nft_trans *trans, *next;
8684 struct nft_trans_elem *te;
8685 struct nft_chain *chain;
8686 struct nft_table *table;
8687 LIST_HEAD(adl);
8688 int err;
8689
8690 if (list_empty(&nft_net->commit_list)) {
8691 mutex_unlock(&nft_net->commit_mutex);
8692 return 0;
8693 }
8694
8695
8696 if (nf_tables_validate(net) < 0)
8697 return -EAGAIN;
8698
8699 err = nft_flow_rule_offload_commit(net);
8700 if (err < 0)
8701 return err;
8702
8703
8704 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
8705 int ret;
8706
8707 ret = nf_tables_commit_audit_alloc(&adl, trans->ctx.table);
8708 if (ret) {
8709 nf_tables_commit_chain_prepare_cancel(net);
8710 nf_tables_commit_audit_free(&adl);
8711 return ret;
8712 }
8713 if (trans->msg_type == NFT_MSG_NEWRULE ||
8714 trans->msg_type == NFT_MSG_DELRULE) {
8715 chain = trans->ctx.chain;
8716
8717 ret = nf_tables_commit_chain_prepare(net, chain);
8718 if (ret < 0) {
8719 nf_tables_commit_chain_prepare_cancel(net);
8720 nf_tables_commit_audit_free(&adl);
8721 return ret;
8722 }
8723 }
8724 }
8725
8726
8727 list_for_each_entry(table, &nft_net->tables, list) {
8728 list_for_each_entry(chain, &table->chains, list)
8729 nf_tables_commit_chain(net, chain);
8730 }
8731
8732
8733
8734
8735
8736 while (++nft_net->base_seq == 0)
8737 ;
8738
8739
8740 net->nft.gencursor = nft_gencursor_next(net);
8741
8742 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
8743 nf_tables_commit_audit_collect(&adl, trans->ctx.table,
8744 trans->msg_type);
8745 switch (trans->msg_type) {
8746 case NFT_MSG_NEWTABLE:
8747 if (nft_trans_table_update(trans)) {
8748 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {
8749 nft_trans_destroy(trans);
8750 break;
8751 }
8752 if (trans->ctx.table->flags & NFT_TABLE_F_DORMANT)
8753 nf_tables_table_disable(net, trans->ctx.table);
8754
8755 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
8756 } else {
8757 nft_clear(net, trans->ctx.table);
8758 }
8759 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
8760 nft_trans_destroy(trans);
8761 break;
8762 case NFT_MSG_DELTABLE:
8763 list_del_rcu(&trans->ctx.table->list);
8764 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
8765 break;
8766 case NFT_MSG_NEWCHAIN:
8767 if (nft_trans_chain_update(trans)) {
8768 nft_chain_commit_update(trans);
8769 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
8770
8771 } else {
8772 nft_chain_commit_drop_policy(trans);
8773 nft_clear(net, trans->ctx.chain);
8774 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
8775 nft_trans_destroy(trans);
8776 }
8777 break;
8778 case NFT_MSG_DELCHAIN:
8779 nft_chain_del(trans->ctx.chain);
8780 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
8781 nf_tables_unregister_hook(trans->ctx.net,
8782 trans->ctx.table,
8783 trans->ctx.chain);
8784 break;
8785 case NFT_MSG_NEWRULE:
8786 nft_clear(trans->ctx.net, nft_trans_rule(trans));
8787 nf_tables_rule_notify(&trans->ctx,
8788 nft_trans_rule(trans),
8789 NFT_MSG_NEWRULE);
8790 nft_trans_destroy(trans);
8791 break;
8792 case NFT_MSG_DELRULE:
8793 list_del_rcu(&nft_trans_rule(trans)->list);
8794 nf_tables_rule_notify(&trans->ctx,
8795 nft_trans_rule(trans),
8796 NFT_MSG_DELRULE);
8797 nft_rule_expr_deactivate(&trans->ctx,
8798 nft_trans_rule(trans),
8799 NFT_TRANS_COMMIT);
8800 break;
8801 case NFT_MSG_NEWSET:
8802 nft_clear(net, nft_trans_set(trans));
8803
8804
8805
8806 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
8807 !list_empty(&nft_trans_set(trans)->bindings))
8808 trans->ctx.table->use--;
8809
8810 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
8811 NFT_MSG_NEWSET, GFP_KERNEL);
8812 nft_trans_destroy(trans);
8813 break;
8814 case NFT_MSG_DELSET:
8815 list_del_rcu(&nft_trans_set(trans)->list);
8816 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
8817 NFT_MSG_DELSET, GFP_KERNEL);
8818 break;
8819 case NFT_MSG_NEWSETELEM:
8820 te = (struct nft_trans_elem *)trans->data;
8821
8822 nft_setelem_activate(net, te->set, &te->elem);
8823 nf_tables_setelem_notify(&trans->ctx, te->set,
8824 &te->elem,
8825 NFT_MSG_NEWSETELEM);
8826 nft_trans_destroy(trans);
8827 break;
8828 case NFT_MSG_DELSETELEM:
8829 te = (struct nft_trans_elem *)trans->data;
8830
8831 nf_tables_setelem_notify(&trans->ctx, te->set,
8832 &te->elem,
8833 NFT_MSG_DELSETELEM);
8834 nft_setelem_remove(net, te->set, &te->elem);
8835 if (!nft_setelem_is_catchall(te->set, &te->elem)) {
8836 atomic_dec(&te->set->nelems);
8837 te->set->ndeact--;
8838 }
8839 break;
8840 case NFT_MSG_NEWOBJ:
8841 if (nft_trans_obj_update(trans)) {
8842 nft_obj_commit_update(trans);
8843 nf_tables_obj_notify(&trans->ctx,
8844 nft_trans_obj(trans),
8845 NFT_MSG_NEWOBJ);
8846 } else {
8847 nft_clear(net, nft_trans_obj(trans));
8848 nf_tables_obj_notify(&trans->ctx,
8849 nft_trans_obj(trans),
8850 NFT_MSG_NEWOBJ);
8851 nft_trans_destroy(trans);
8852 }
8853 break;
8854 case NFT_MSG_DELOBJ:
8855 nft_obj_del(nft_trans_obj(trans));
8856 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
8857 NFT_MSG_DELOBJ);
8858 break;
8859 case NFT_MSG_NEWFLOWTABLE:
8860 if (nft_trans_flowtable_update(trans)) {
8861 nft_trans_flowtable(trans)->data.flags =
8862 nft_trans_flowtable_flags(trans);
8863 nf_tables_flowtable_notify(&trans->ctx,
8864 nft_trans_flowtable(trans),
8865 &nft_trans_flowtable_hooks(trans),
8866 NFT_MSG_NEWFLOWTABLE);
8867 list_splice(&nft_trans_flowtable_hooks(trans),
8868 &nft_trans_flowtable(trans)->hook_list);
8869 } else {
8870 nft_clear(net, nft_trans_flowtable(trans));
8871 nf_tables_flowtable_notify(&trans->ctx,
8872 nft_trans_flowtable(trans),
8873 &nft_trans_flowtable(trans)->hook_list,
8874 NFT_MSG_NEWFLOWTABLE);
8875 }
8876 nft_trans_destroy(trans);
8877 break;
8878 case NFT_MSG_DELFLOWTABLE:
8879 if (nft_trans_flowtable_update(trans)) {
8880 nft_flowtable_hooks_del(nft_trans_flowtable(trans),
8881 &nft_trans_flowtable_hooks(trans));
8882 nf_tables_flowtable_notify(&trans->ctx,
8883 nft_trans_flowtable(trans),
8884 &nft_trans_flowtable_hooks(trans),
8885 NFT_MSG_DELFLOWTABLE);
8886 nft_unregister_flowtable_net_hooks(net,
8887 &nft_trans_flowtable_hooks(trans));
8888 } else {
8889 list_del_rcu(&nft_trans_flowtable(trans)->list);
8890 nf_tables_flowtable_notify(&trans->ctx,
8891 nft_trans_flowtable(trans),
8892 &nft_trans_flowtable(trans)->hook_list,
8893 NFT_MSG_DELFLOWTABLE);
8894 nft_unregister_flowtable_net_hooks(net,
8895 &nft_trans_flowtable(trans)->hook_list);
8896 }
8897 break;
8898 }
8899 }
8900
8901 nft_commit_notify(net, NETLINK_CB(skb).portid);
8902 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
8903 nf_tables_commit_audit_log(&adl, nft_net->base_seq);
8904 nf_tables_commit_release(net);
8905
8906 return 0;
8907}
8908
8909static void nf_tables_module_autoload(struct net *net)
8910{
8911 struct nftables_pernet *nft_net = nft_pernet(net);
8912 struct nft_module_request *req, *next;
8913 LIST_HEAD(module_list);
8914
8915 list_splice_init(&nft_net->module_list, &module_list);
8916 mutex_unlock(&nft_net->commit_mutex);
8917 list_for_each_entry_safe(req, next, &module_list, list) {
8918 request_module("%s", req->module);
8919 req->done = true;
8920 }
8921 mutex_lock(&nft_net->commit_mutex);
8922 list_splice(&module_list, &nft_net->module_list);
8923}
8924
8925static void nf_tables_abort_release(struct nft_trans *trans)
8926{
8927 switch (trans->msg_type) {
8928 case NFT_MSG_NEWTABLE:
8929 nf_tables_table_destroy(&trans->ctx);
8930 break;
8931 case NFT_MSG_NEWCHAIN:
8932 nf_tables_chain_destroy(&trans->ctx);
8933 break;
8934 case NFT_MSG_NEWRULE:
8935 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
8936 break;
8937 case NFT_MSG_NEWSET:
8938 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
8939 break;
8940 case NFT_MSG_NEWSETELEM:
8941 nft_set_elem_destroy(nft_trans_elem_set(trans),
8942 nft_trans_elem(trans).priv, true);
8943 break;
8944 case NFT_MSG_NEWOBJ:
8945 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
8946 break;
8947 case NFT_MSG_NEWFLOWTABLE:
8948 if (nft_trans_flowtable_update(trans))
8949 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
8950 else
8951 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
8952 break;
8953 }
8954 kfree(trans);
8955}
8956
8957static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
8958{
8959 struct nftables_pernet *nft_net = nft_pernet(net);
8960 struct nft_trans *trans, *next;
8961 struct nft_trans_elem *te;
8962 struct nft_hook *hook;
8963
8964 if (action == NFNL_ABORT_VALIDATE &&
8965 nf_tables_validate(net) < 0)
8966 return -EAGAIN;
8967
8968 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list,
8969 list) {
8970 switch (trans->msg_type) {
8971 case NFT_MSG_NEWTABLE:
8972 if (nft_trans_table_update(trans)) {
8973 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {
8974 nft_trans_destroy(trans);
8975 break;
8976 }
8977 if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_DORMANT) {
8978 nf_tables_table_disable(net, trans->ctx.table);
8979 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
8980 } else if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_AWAKEN) {
8981 trans->ctx.table->flags &= ~NFT_TABLE_F_DORMANT;
8982 }
8983 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
8984 nft_trans_destroy(trans);
8985 } else {
8986 list_del_rcu(&trans->ctx.table->list);
8987 }
8988 break;
8989 case NFT_MSG_DELTABLE:
8990 nft_clear(trans->ctx.net, trans->ctx.table);
8991 nft_trans_destroy(trans);
8992 break;
8993 case NFT_MSG_NEWCHAIN:
8994 if (nft_trans_chain_update(trans)) {
8995 free_percpu(nft_trans_chain_stats(trans));
8996 kfree(nft_trans_chain_name(trans));
8997 nft_trans_destroy(trans);
8998 } else {
8999 if (nft_chain_is_bound(trans->ctx.chain)) {
9000 nft_trans_destroy(trans);
9001 break;
9002 }
9003 trans->ctx.table->use--;
9004 nft_chain_del(trans->ctx.chain);
9005 nf_tables_unregister_hook(trans->ctx.net,
9006 trans->ctx.table,
9007 trans->ctx.chain);
9008 }
9009 break;
9010 case NFT_MSG_DELCHAIN:
9011 trans->ctx.table->use++;
9012 nft_clear(trans->ctx.net, trans->ctx.chain);
9013 nft_trans_destroy(trans);
9014 break;
9015 case NFT_MSG_NEWRULE:
9016 trans->ctx.chain->use--;
9017 list_del_rcu(&nft_trans_rule(trans)->list);
9018 nft_rule_expr_deactivate(&trans->ctx,
9019 nft_trans_rule(trans),
9020 NFT_TRANS_ABORT);
9021 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
9022 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
9023 break;
9024 case NFT_MSG_DELRULE:
9025 trans->ctx.chain->use++;
9026 nft_clear(trans->ctx.net, nft_trans_rule(trans));
9027 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
9028 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
9029 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
9030
9031 nft_trans_destroy(trans);
9032 break;
9033 case NFT_MSG_NEWSET:
9034 trans->ctx.table->use--;
9035 if (nft_trans_set_bound(trans)) {
9036 nft_trans_destroy(trans);
9037 break;
9038 }
9039 list_del_rcu(&nft_trans_set(trans)->list);
9040 break;
9041 case NFT_MSG_DELSET:
9042 trans->ctx.table->use++;
9043 nft_clear(trans->ctx.net, nft_trans_set(trans));
9044 nft_trans_destroy(trans);
9045 break;
9046 case NFT_MSG_NEWSETELEM:
9047 if (nft_trans_elem_set_bound(trans)) {
9048 nft_trans_destroy(trans);
9049 break;
9050 }
9051 te = (struct nft_trans_elem *)trans->data;
9052 nft_setelem_remove(net, te->set, &te->elem);
9053 if (!nft_setelem_is_catchall(te->set, &te->elem))
9054 atomic_dec(&te->set->nelems);
9055 break;
9056 case NFT_MSG_DELSETELEM:
9057 te = (struct nft_trans_elem *)trans->data;
9058
9059 nft_setelem_data_activate(net, te->set, &te->elem);
9060 nft_setelem_activate(net, te->set, &te->elem);
9061 if (!nft_setelem_is_catchall(te->set, &te->elem))
9062 te->set->ndeact--;
9063
9064 nft_trans_destroy(trans);
9065 break;
9066 case NFT_MSG_NEWOBJ:
9067 if (nft_trans_obj_update(trans)) {
9068 nft_obj_destroy(&trans->ctx, nft_trans_obj_newobj(trans));
9069 nft_trans_destroy(trans);
9070 } else {
9071 trans->ctx.table->use--;
9072 nft_obj_del(nft_trans_obj(trans));
9073 }
9074 break;
9075 case NFT_MSG_DELOBJ:
9076 trans->ctx.table->use++;
9077 nft_clear(trans->ctx.net, nft_trans_obj(trans));
9078 nft_trans_destroy(trans);
9079 break;
9080 case NFT_MSG_NEWFLOWTABLE:
9081 if (nft_trans_flowtable_update(trans)) {
9082 nft_unregister_flowtable_net_hooks(net,
9083 &nft_trans_flowtable_hooks(trans));
9084 } else {
9085 trans->ctx.table->use--;
9086 list_del_rcu(&nft_trans_flowtable(trans)->list);
9087 nft_unregister_flowtable_net_hooks(net,
9088 &nft_trans_flowtable(trans)->hook_list);
9089 }
9090 break;
9091 case NFT_MSG_DELFLOWTABLE:
9092 if (nft_trans_flowtable_update(trans)) {
9093 list_for_each_entry(hook, &nft_trans_flowtable(trans)->hook_list, list)
9094 hook->inactive = false;
9095 } else {
9096 trans->ctx.table->use++;
9097 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
9098 }
9099 nft_trans_destroy(trans);
9100 break;
9101 }
9102 }
9103
9104 synchronize_rcu();
9105
9106 list_for_each_entry_safe_reverse(trans, next,
9107 &nft_net->commit_list, list) {
9108 list_del(&trans->list);
9109 nf_tables_abort_release(trans);
9110 }
9111
9112 if (action == NFNL_ABORT_AUTOLOAD)
9113 nf_tables_module_autoload(net);
9114 else
9115 nf_tables_module_autoload_cleanup(net);
9116
9117 return 0;
9118}
9119
9120static void nf_tables_cleanup(struct net *net)
9121{
9122 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
9123}
9124
9125static int nf_tables_abort(struct net *net, struct sk_buff *skb,
9126 enum nfnl_abort_action action)
9127{
9128 struct nftables_pernet *nft_net = nft_pernet(net);
9129 int ret = __nf_tables_abort(net, action);
9130
9131 mutex_unlock(&nft_net->commit_mutex);
9132
9133 return ret;
9134}
9135
9136static bool nf_tables_valid_genid(struct net *net, u32 genid)
9137{
9138 struct nftables_pernet *nft_net = nft_pernet(net);
9139 bool genid_ok;
9140
9141 mutex_lock(&nft_net->commit_mutex);
9142
9143 genid_ok = genid == 0 || nft_net->base_seq == genid;
9144 if (!genid_ok)
9145 mutex_unlock(&nft_net->commit_mutex);
9146
9147
9148 return genid_ok;
9149}
9150
9151static const struct nfnetlink_subsystem nf_tables_subsys = {
9152 .name = "nf_tables",
9153 .subsys_id = NFNL_SUBSYS_NFTABLES,
9154 .cb_count = NFT_MSG_MAX,
9155 .cb = nf_tables_cb,
9156 .commit = nf_tables_commit,
9157 .abort = nf_tables_abort,
9158 .cleanup = nf_tables_cleanup,
9159 .valid_genid = nf_tables_valid_genid,
9160 .owner = THIS_MODULE,
9161};
9162
9163int nft_chain_validate_dependency(const struct nft_chain *chain,
9164 enum nft_chain_types type)
9165{
9166 const struct nft_base_chain *basechain;
9167
9168 if (nft_is_base_chain(chain)) {
9169 basechain = nft_base_chain(chain);
9170 if (basechain->type->type != type)
9171 return -EOPNOTSUPP;
9172 }
9173 return 0;
9174}
9175EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
9176
9177int nft_chain_validate_hooks(const struct nft_chain *chain,
9178 unsigned int hook_flags)
9179{
9180 struct nft_base_chain *basechain;
9181
9182 if (nft_is_base_chain(chain)) {
9183 basechain = nft_base_chain(chain);
9184
9185 if ((1 << basechain->ops.hooknum) & hook_flags)
9186 return 0;
9187
9188 return -EOPNOTSUPP;
9189 }
9190
9191 return 0;
9192}
9193EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
9194
9195
9196
9197
9198
9199
9200
9201
9202
9203
9204static int nf_tables_check_loops(const struct nft_ctx *ctx,
9205 const struct nft_chain *chain);
9206
9207static int nft_check_loops(const struct nft_ctx *ctx,
9208 const struct nft_set_ext *ext)
9209{
9210 const struct nft_data *data;
9211 int ret;
9212
9213 data = nft_set_ext_data(ext);
9214 switch (data->verdict.code) {
9215 case NFT_JUMP:
9216 case NFT_GOTO:
9217 ret = nf_tables_check_loops(ctx, data->verdict.chain);
9218 break;
9219 default:
9220 ret = 0;
9221 break;
9222 }
9223
9224 return ret;
9225}
9226
9227static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
9228 struct nft_set *set,
9229 const struct nft_set_iter *iter,
9230 struct nft_set_elem *elem)
9231{
9232 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
9233
9234 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
9235 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
9236 return 0;
9237
9238 return nft_check_loops(ctx, ext);
9239}
9240
9241static int nft_set_catchall_loops(const struct nft_ctx *ctx,
9242 struct nft_set *set)
9243{
9244 u8 genmask = nft_genmask_next(ctx->net);
9245 struct nft_set_elem_catchall *catchall;
9246 struct nft_set_ext *ext;
9247 int ret = 0;
9248
9249 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
9250 ext = nft_set_elem_ext(set, catchall->elem);
9251 if (!nft_set_elem_active(ext, genmask))
9252 continue;
9253
9254 ret = nft_check_loops(ctx, ext);
9255 if (ret < 0)
9256 return ret;
9257 }
9258
9259 return ret;
9260}
9261
9262static int nf_tables_check_loops(const struct nft_ctx *ctx,
9263 const struct nft_chain *chain)
9264{
9265 const struct nft_rule *rule;
9266 const struct nft_expr *expr, *last;
9267 struct nft_set *set;
9268 struct nft_set_binding *binding;
9269 struct nft_set_iter iter;
9270
9271 if (ctx->chain == chain)
9272 return -ELOOP;
9273
9274 list_for_each_entry(rule, &chain->rules, list) {
9275 nft_rule_for_each_expr(expr, last, rule) {
9276 struct nft_immediate_expr *priv;
9277 const struct nft_data *data;
9278 int err;
9279
9280 if (strcmp(expr->ops->type->name, "immediate"))
9281 continue;
9282
9283 priv = nft_expr_priv(expr);
9284 if (priv->dreg != NFT_REG_VERDICT)
9285 continue;
9286
9287 data = &priv->data;
9288 switch (data->verdict.code) {
9289 case NFT_JUMP:
9290 case NFT_GOTO:
9291 err = nf_tables_check_loops(ctx,
9292 data->verdict.chain);
9293 if (err < 0)
9294 return err;
9295 break;
9296 default:
9297 break;
9298 }
9299 }
9300 }
9301
9302 list_for_each_entry(set, &ctx->table->sets, list) {
9303 if (!nft_is_active_next(ctx->net, set))
9304 continue;
9305 if (!(set->flags & NFT_SET_MAP) ||
9306 set->dtype != NFT_DATA_VERDICT)
9307 continue;
9308
9309 list_for_each_entry(binding, &set->bindings, list) {
9310 if (!(binding->flags & NFT_SET_MAP) ||
9311 binding->chain != chain)
9312 continue;
9313
9314 iter.genmask = nft_genmask_next(ctx->net);
9315 iter.skip = 0;
9316 iter.count = 0;
9317 iter.err = 0;
9318 iter.fn = nf_tables_loop_check_setelem;
9319
9320 set->ops->walk(ctx, set, &iter);
9321 if (!iter.err)
9322 iter.err = nft_set_catchall_loops(ctx, set);
9323
9324 if (iter.err < 0)
9325 return iter.err;
9326 }
9327 }
9328
9329 return 0;
9330}
9331
9332
9333
9334
9335
9336
9337
9338
9339
9340
9341
9342
9343
9344int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
9345{
9346 u32 val;
9347
9348 val = ntohl(nla_get_be32(attr));
9349 if (val > max)
9350 return -ERANGE;
9351
9352 *dest = val;
9353 return 0;
9354}
9355EXPORT_SYMBOL_GPL(nft_parse_u32_check);
9356
9357static int nft_parse_register(const struct nlattr *attr, u32 *preg)
9358{
9359 unsigned int reg;
9360
9361 reg = ntohl(nla_get_be32(attr));
9362 switch (reg) {
9363 case NFT_REG_VERDICT...NFT_REG_4:
9364 *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
9365 break;
9366 case NFT_REG32_00...NFT_REG32_15:
9367 *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
9368 break;
9369 default:
9370 return -ERANGE;
9371 }
9372
9373 return 0;
9374}
9375
9376
9377
9378
9379
9380
9381
9382
9383
9384
9385
9386
9387int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
9388{
9389 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
9390 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
9391 else
9392 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
9393
9394 return nla_put_be32(skb, attr, htonl(reg));
9395}
9396EXPORT_SYMBOL_GPL(nft_dump_register);
9397
9398static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
9399{
9400 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
9401 return -EINVAL;
9402 if (len == 0)
9403 return -EINVAL;
9404 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
9405 return -ERANGE;
9406
9407 return 0;
9408}
9409
9410int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
9411{
9412 u32 reg;
9413 int err;
9414
9415 err = nft_parse_register(attr, ®);
9416 if (err < 0)
9417 return err;
9418
9419 err = nft_validate_register_load(reg, len);
9420 if (err < 0)
9421 return err;
9422
9423 *sreg = reg;
9424 return 0;
9425}
9426EXPORT_SYMBOL_GPL(nft_parse_register_load);
9427
9428static int nft_validate_register_store(const struct nft_ctx *ctx,
9429 enum nft_registers reg,
9430 const struct nft_data *data,
9431 enum nft_data_types type,
9432 unsigned int len)
9433{
9434 int err;
9435
9436 switch (reg) {
9437 case NFT_REG_VERDICT:
9438 if (type != NFT_DATA_VERDICT)
9439 return -EINVAL;
9440
9441 if (data != NULL &&
9442 (data->verdict.code == NFT_GOTO ||
9443 data->verdict.code == NFT_JUMP)) {
9444 err = nf_tables_check_loops(ctx, data->verdict.chain);
9445 if (err < 0)
9446 return err;
9447 }
9448
9449 return 0;
9450 default:
9451 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
9452 return -EINVAL;
9453 if (len == 0)
9454 return -EINVAL;
9455 if (reg * NFT_REG32_SIZE + len >
9456 sizeof_field(struct nft_regs, data))
9457 return -ERANGE;
9458
9459 if (data != NULL && type != NFT_DATA_VALUE)
9460 return -EINVAL;
9461 return 0;
9462 }
9463}
9464
9465int nft_parse_register_store(const struct nft_ctx *ctx,
9466 const struct nlattr *attr, u8 *dreg,
9467 const struct nft_data *data,
9468 enum nft_data_types type, unsigned int len)
9469{
9470 int err;
9471 u32 reg;
9472
9473 err = nft_parse_register(attr, ®);
9474 if (err < 0)
9475 return err;
9476
9477 err = nft_validate_register_store(ctx, reg, data, type, len);
9478 if (err < 0)
9479 return err;
9480
9481 *dreg = reg;
9482 return 0;
9483}
9484EXPORT_SYMBOL_GPL(nft_parse_register_store);
9485
9486static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
9487 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
9488 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
9489 .len = NFT_CHAIN_MAXNAMELEN - 1 },
9490 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
9491};
9492
9493static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
9494 struct nft_data_desc *desc, const struct nlattr *nla)
9495{
9496 u8 genmask = nft_genmask_next(ctx->net);
9497 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
9498 struct nft_chain *chain;
9499 int err;
9500
9501 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
9502 nft_verdict_policy, NULL);
9503 if (err < 0)
9504 return err;
9505
9506 if (!tb[NFTA_VERDICT_CODE])
9507 return -EINVAL;
9508 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
9509
9510 switch (data->verdict.code) {
9511 default:
9512 switch (data->verdict.code & NF_VERDICT_MASK) {
9513 case NF_ACCEPT:
9514 case NF_DROP:
9515 case NF_QUEUE:
9516 break;
9517 default:
9518 return -EINVAL;
9519 }
9520 fallthrough;
9521 case NFT_CONTINUE:
9522 case NFT_BREAK:
9523 case NFT_RETURN:
9524 break;
9525 case NFT_JUMP:
9526 case NFT_GOTO:
9527 if (tb[NFTA_VERDICT_CHAIN]) {
9528 chain = nft_chain_lookup(ctx->net, ctx->table,
9529 tb[NFTA_VERDICT_CHAIN],
9530 genmask);
9531 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
9532 chain = nft_chain_lookup_byid(ctx->net,
9533 tb[NFTA_VERDICT_CHAIN_ID]);
9534 if (IS_ERR(chain))
9535 return PTR_ERR(chain);
9536 } else {
9537 return -EINVAL;
9538 }
9539
9540 if (IS_ERR(chain))
9541 return PTR_ERR(chain);
9542 if (nft_is_base_chain(chain))
9543 return -EOPNOTSUPP;
9544
9545 chain->use++;
9546 data->verdict.chain = chain;
9547 break;
9548 }
9549
9550 desc->len = sizeof(data->verdict);
9551 desc->type = NFT_DATA_VERDICT;
9552 return 0;
9553}
9554
9555static void nft_verdict_uninit(const struct nft_data *data)
9556{
9557 struct nft_chain *chain;
9558 struct nft_rule *rule;
9559
9560 switch (data->verdict.code) {
9561 case NFT_JUMP:
9562 case NFT_GOTO:
9563 chain = data->verdict.chain;
9564 chain->use--;
9565
9566 if (!nft_chain_is_bound(chain))
9567 break;
9568
9569 chain->table->use--;
9570 list_for_each_entry(rule, &chain->rules, list)
9571 chain->use--;
9572
9573 nft_chain_del(chain);
9574 break;
9575 }
9576}
9577
9578int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
9579{
9580 struct nlattr *nest;
9581
9582 nest = nla_nest_start_noflag(skb, type);
9583 if (!nest)
9584 goto nla_put_failure;
9585
9586 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
9587 goto nla_put_failure;
9588
9589 switch (v->code) {
9590 case NFT_JUMP:
9591 case NFT_GOTO:
9592 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
9593 v->chain->name))
9594 goto nla_put_failure;
9595 }
9596 nla_nest_end(skb, nest);
9597 return 0;
9598
9599nla_put_failure:
9600 return -1;
9601}
9602
9603static int nft_value_init(const struct nft_ctx *ctx,
9604 struct nft_data *data, unsigned int size,
9605 struct nft_data_desc *desc, const struct nlattr *nla)
9606{
9607 unsigned int len;
9608
9609 len = nla_len(nla);
9610 if (len == 0)
9611 return -EINVAL;
9612 if (len > size)
9613 return -EOVERFLOW;
9614
9615 nla_memcpy(data->data, nla, len);
9616 desc->type = NFT_DATA_VALUE;
9617 desc->len = len;
9618 return 0;
9619}
9620
9621static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
9622 unsigned int len)
9623{
9624 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
9625}
9626
9627static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
9628 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
9629 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
9630};
9631
9632
9633
9634
9635
9636
9637
9638
9639
9640
9641
9642
9643
9644
9645
9646
9647int nft_data_init(const struct nft_ctx *ctx,
9648 struct nft_data *data, unsigned int size,
9649 struct nft_data_desc *desc, const struct nlattr *nla)
9650{
9651 struct nlattr *tb[NFTA_DATA_MAX + 1];
9652 int err;
9653
9654 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
9655 nft_data_policy, NULL);
9656 if (err < 0)
9657 return err;
9658
9659 if (tb[NFTA_DATA_VALUE])
9660 return nft_value_init(ctx, data, size, desc,
9661 tb[NFTA_DATA_VALUE]);
9662 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
9663 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
9664 return -EINVAL;
9665}
9666EXPORT_SYMBOL_GPL(nft_data_init);
9667
9668
9669
9670
9671
9672
9673
9674
9675
9676
9677void nft_data_release(const struct nft_data *data, enum nft_data_types type)
9678{
9679 if (type < NFT_DATA_VERDICT)
9680 return;
9681 switch (type) {
9682 case NFT_DATA_VERDICT:
9683 return nft_verdict_uninit(data);
9684 default:
9685 WARN_ON(1);
9686 }
9687}
9688EXPORT_SYMBOL_GPL(nft_data_release);
9689
9690int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
9691 enum nft_data_types type, unsigned int len)
9692{
9693 struct nlattr *nest;
9694 int err;
9695
9696 nest = nla_nest_start_noflag(skb, attr);
9697 if (nest == NULL)
9698 return -1;
9699
9700 switch (type) {
9701 case NFT_DATA_VALUE:
9702 err = nft_value_dump(skb, data, len);
9703 break;
9704 case NFT_DATA_VERDICT:
9705 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
9706 break;
9707 default:
9708 err = -EINVAL;
9709 WARN_ON(1);
9710 }
9711
9712 nla_nest_end(skb, nest);
9713 return err;
9714}
9715EXPORT_SYMBOL_GPL(nft_data_dump);
9716
9717int __nft_release_basechain(struct nft_ctx *ctx)
9718{
9719 struct nft_rule *rule, *nr;
9720
9721 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
9722 return 0;
9723
9724 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
9725 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
9726 list_del(&rule->list);
9727 ctx->chain->use--;
9728 nf_tables_rule_release(ctx, rule);
9729 }
9730 nft_chain_del(ctx->chain);
9731 ctx->table->use--;
9732 nf_tables_chain_destroy(ctx);
9733
9734 return 0;
9735}
9736EXPORT_SYMBOL_GPL(__nft_release_basechain);
9737
9738static void __nft_release_hook(struct net *net, struct nft_table *table)
9739{
9740 struct nft_flowtable *flowtable;
9741 struct nft_chain *chain;
9742
9743 list_for_each_entry(chain, &table->chains, list)
9744 nf_tables_unregister_hook(net, table, chain);
9745 list_for_each_entry(flowtable, &table->flowtables, list)
9746 nft_unregister_flowtable_net_hooks(net, &flowtable->hook_list);
9747}
9748
9749static void __nft_release_hooks(struct net *net)
9750{
9751 struct nftables_pernet *nft_net = nft_pernet(net);
9752 struct nft_table *table;
9753
9754 list_for_each_entry(table, &nft_net->tables, list) {
9755 if (nft_table_has_owner(table))
9756 continue;
9757
9758 __nft_release_hook(net, table);
9759 }
9760}
9761
9762static void __nft_release_table(struct net *net, struct nft_table *table)
9763{
9764 struct nft_flowtable *flowtable, *nf;
9765 struct nft_chain *chain, *nc;
9766 struct nft_object *obj, *ne;
9767 struct nft_rule *rule, *nr;
9768 struct nft_set *set, *ns;
9769 struct nft_ctx ctx = {
9770 .net = net,
9771 .family = NFPROTO_NETDEV,
9772 };
9773
9774 ctx.family = table->family;
9775 ctx.table = table;
9776 list_for_each_entry(chain, &table->chains, list) {
9777 ctx.chain = chain;
9778 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
9779 list_del(&rule->list);
9780 chain->use--;
9781 nf_tables_rule_release(&ctx, rule);
9782 }
9783 }
9784 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
9785 list_del(&flowtable->list);
9786 table->use--;
9787 nf_tables_flowtable_destroy(flowtable);
9788 }
9789 list_for_each_entry_safe(set, ns, &table->sets, list) {
9790 list_del(&set->list);
9791 table->use--;
9792 nft_set_destroy(&ctx, set);
9793 }
9794 list_for_each_entry_safe(obj, ne, &table->objects, list) {
9795 nft_obj_del(obj);
9796 table->use--;
9797 nft_obj_destroy(&ctx, obj);
9798 }
9799 list_for_each_entry_safe(chain, nc, &table->chains, list) {
9800 ctx.chain = chain;
9801 nft_chain_del(chain);
9802 table->use--;
9803 nf_tables_chain_destroy(&ctx);
9804 }
9805 nf_tables_table_destroy(&ctx);
9806}
9807
9808static void __nft_release_tables(struct net *net)
9809{
9810 struct nftables_pernet *nft_net = nft_pernet(net);
9811 struct nft_table *table, *nt;
9812
9813 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
9814 if (nft_table_has_owner(table))
9815 continue;
9816
9817 list_del(&table->list);
9818
9819 __nft_release_table(net, table);
9820 }
9821}
9822
9823static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
9824 void *ptr)
9825{
9826 struct nft_table *table, *to_delete[8];
9827 struct nftables_pernet *nft_net;
9828 struct netlink_notify *n = ptr;
9829 struct net *net = n->net;
9830 unsigned int deleted;
9831 bool restart = false;
9832
9833 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
9834 return NOTIFY_DONE;
9835
9836 nft_net = nft_pernet(net);
9837 deleted = 0;
9838 mutex_lock(&nft_net->commit_mutex);
9839again:
9840 list_for_each_entry(table, &nft_net->tables, list) {
9841 if (nft_table_has_owner(table) &&
9842 n->portid == table->nlpid) {
9843 __nft_release_hook(net, table);
9844 list_del_rcu(&table->list);
9845 to_delete[deleted++] = table;
9846 if (deleted >= ARRAY_SIZE(to_delete))
9847 break;
9848 }
9849 }
9850 if (deleted) {
9851 restart = deleted >= ARRAY_SIZE(to_delete);
9852 synchronize_rcu();
9853 while (deleted)
9854 __nft_release_table(net, to_delete[--deleted]);
9855
9856 if (restart)
9857 goto again;
9858 }
9859 mutex_unlock(&nft_net->commit_mutex);
9860
9861 return NOTIFY_DONE;
9862}
9863
9864static struct notifier_block nft_nl_notifier = {
9865 .notifier_call = nft_rcv_nl_event,
9866};
9867
9868static int __net_init nf_tables_init_net(struct net *net)
9869{
9870 struct nftables_pernet *nft_net = nft_pernet(net);
9871
9872 INIT_LIST_HEAD(&nft_net->tables);
9873 INIT_LIST_HEAD(&nft_net->commit_list);
9874 INIT_LIST_HEAD(&nft_net->module_list);
9875 INIT_LIST_HEAD(&nft_net->notify_list);
9876 mutex_init(&nft_net->commit_mutex);
9877 nft_net->base_seq = 1;
9878 nft_net->validate_state = NFT_VALIDATE_SKIP;
9879
9880 return 0;
9881}
9882
9883static void __net_exit nf_tables_pre_exit_net(struct net *net)
9884{
9885 __nft_release_hooks(net);
9886}
9887
9888static void __net_exit nf_tables_exit_net(struct net *net)
9889{
9890 struct nftables_pernet *nft_net = nft_pernet(net);
9891
9892 mutex_lock(&nft_net->commit_mutex);
9893 if (!list_empty(&nft_net->commit_list))
9894 __nf_tables_abort(net, NFNL_ABORT_NONE);
9895 __nft_release_tables(net);
9896 mutex_unlock(&nft_net->commit_mutex);
9897 WARN_ON_ONCE(!list_empty(&nft_net->tables));
9898 WARN_ON_ONCE(!list_empty(&nft_net->module_list));
9899 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
9900}
9901
9902static struct pernet_operations nf_tables_net_ops = {
9903 .init = nf_tables_init_net,
9904 .pre_exit = nf_tables_pre_exit_net,
9905 .exit = nf_tables_exit_net,
9906 .id = &nf_tables_net_id,
9907 .size = sizeof(struct nftables_pernet),
9908};
9909
9910static int __init nf_tables_module_init(void)
9911{
9912 int err;
9913
9914 err = register_pernet_subsys(&nf_tables_net_ops);
9915 if (err < 0)
9916 return err;
9917
9918 err = nft_chain_filter_init();
9919 if (err < 0)
9920 goto err_chain_filter;
9921
9922 err = nf_tables_core_module_init();
9923 if (err < 0)
9924 goto err_core_module;
9925
9926 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
9927 if (err < 0)
9928 goto err_netdev_notifier;
9929
9930 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
9931 if (err < 0)
9932 goto err_rht_objname;
9933
9934 err = nft_offload_init();
9935 if (err < 0)
9936 goto err_offload;
9937
9938 err = netlink_register_notifier(&nft_nl_notifier);
9939 if (err < 0)
9940 goto err_netlink_notifier;
9941
9942
9943 err = nfnetlink_subsys_register(&nf_tables_subsys);
9944 if (err < 0)
9945 goto err_nfnl_subsys;
9946
9947 nft_chain_route_init();
9948
9949 return err;
9950
9951err_nfnl_subsys:
9952 netlink_unregister_notifier(&nft_nl_notifier);
9953err_netlink_notifier:
9954 nft_offload_exit();
9955err_offload:
9956 rhltable_destroy(&nft_objname_ht);
9957err_rht_objname:
9958 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
9959err_netdev_notifier:
9960 nf_tables_core_module_exit();
9961err_core_module:
9962 nft_chain_filter_fini();
9963err_chain_filter:
9964 unregister_pernet_subsys(&nf_tables_net_ops);
9965 return err;
9966}
9967
9968static void __exit nf_tables_module_exit(void)
9969{
9970 nfnetlink_subsys_unregister(&nf_tables_subsys);
9971 netlink_unregister_notifier(&nft_nl_notifier);
9972 nft_offload_exit();
9973 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
9974 nft_chain_filter_fini();
9975 nft_chain_route_fini();
9976 unregister_pernet_subsys(&nf_tables_net_ops);
9977 cancel_work_sync(&trans_destroy_work);
9978 rcu_barrier();
9979 rhltable_destroy(&nft_objname_ht);
9980 nf_tables_core_module_exit();
9981}
9982
9983module_init(nf_tables_module_init);
9984module_exit(nf_tables_module_exit);
9985
9986MODULE_LICENSE("GPL");
9987MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
9988MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
9989
