1
2
3
4
5
6
7
8#include <linux/module.h>
9#include <linux/init.h>
10#include <linux/list.h>
11#include <linux/skbuff.h>
12#include <linux/netlink.h>
13#include <linux/vmalloc.h>
14#include <linux/rhashtable.h>
15#include <linux/netfilter.h>
16#include <linux/netfilter/nfnetlink.h>
17#include <linux/netfilter/nf_tables.h>
18#include <net/netfilter/nf_flow_table.h>
19#include <net/netfilter/nf_tables_core.h>
20#include <net/netfilter/nf_tables.h>
21#include <net/net_namespace.h>
22#include <net/sock.h>
23
24static LIST_HEAD(nf_tables_expressions);
25static LIST_HEAD(nf_tables_objects);
26static LIST_HEAD(nf_tables_flowtables);
27static LIST_HEAD(nf_tables_destroy_list);
28static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
29static u64 table_handle;
30
31enum {
32 NFT_VALIDATE_SKIP = 0,
33 NFT_VALIDATE_NEED,
34 NFT_VALIDATE_DO,
35};
36
37static struct rhltable nft_objname_ht;
38
39static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
40static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
41static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
42
43static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
44static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
45static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
46
47static const struct rhashtable_params nft_chain_ht_params = {
48 .head_offset = offsetof(struct nft_chain, rhlhead),
49 .key_offset = offsetof(struct nft_chain, name),
50 .hashfn = nft_chain_hash,
51 .obj_hashfn = nft_chain_hash_obj,
52 .obj_cmpfn = nft_chain_hash_cmp,
53 .automatic_shrinking = true,
54};
55
56static const struct rhashtable_params nft_objname_ht_params = {
57 .head_offset = offsetof(struct nft_object, rhlhead),
58 .key_offset = offsetof(struct nft_object, key),
59 .hashfn = nft_objname_hash,
60 .obj_hashfn = nft_objname_hash_obj,
61 .obj_cmpfn = nft_objname_hash_cmp,
62 .automatic_shrinking = true,
63};
64
65static void nft_validate_state_update(struct net *net, u8 new_validate_state)
66{
67 switch (net->nft.validate_state) {
68 case NFT_VALIDATE_SKIP:
69 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
70 break;
71 case NFT_VALIDATE_NEED:
72 break;
73 case NFT_VALIDATE_DO:
74 if (new_validate_state == NFT_VALIDATE_NEED)
75 return;
76 }
77
78 net->nft.validate_state = new_validate_state;
79}
80static void nf_tables_trans_destroy_work(struct work_struct *w);
81static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
82
83static void nft_ctx_init(struct nft_ctx *ctx,
84 struct net *net,
85 const struct sk_buff *skb,
86 const struct nlmsghdr *nlh,
87 u8 family,
88 struct nft_table *table,
89 struct nft_chain *chain,
90 const struct nlattr * const *nla)
91{
92 ctx->net = net;
93 ctx->family = family;
94 ctx->level = 0;
95 ctx->table = table;
96 ctx->chain = chain;
97 ctx->nla = nla;
98 ctx->portid = NETLINK_CB(skb).portid;
99 ctx->report = nlmsg_report(nlh);
100 ctx->seq = nlh->nlmsg_seq;
101}
102
103static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
104 int msg_type, u32 size, gfp_t gfp)
105{
106 struct nft_trans *trans;
107
108 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
109 if (trans == NULL)
110 return NULL;
111
112 trans->msg_type = msg_type;
113 trans->ctx = *ctx;
114
115 return trans;
116}
117
118static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
119 int msg_type, u32 size)
120{
121 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
122}
123
124static void nft_trans_destroy(struct nft_trans *trans)
125{
126 list_del(&trans->list);
127 kfree(trans);
128}
129
130static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
131{
132 struct net *net = ctx->net;
133 struct nft_trans *trans;
134
135 if (!nft_set_is_anonymous(set))
136 return;
137
138 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
139 if (trans->msg_type == NFT_MSG_NEWSET &&
140 nft_trans_set(trans) == set) {
141 set->bound = true;
142 break;
143 }
144 }
145}
146
147static int nf_tables_register_hook(struct net *net,
148 const struct nft_table *table,
149 struct nft_chain *chain)
150{
151 const struct nft_base_chain *basechain;
152 const struct nf_hook_ops *ops;
153
154 if (table->flags & NFT_TABLE_F_DORMANT ||
155 !nft_is_base_chain(chain))
156 return 0;
157
158 basechain = nft_base_chain(chain);
159 ops = &basechain->ops;
160
161 if (basechain->type->ops_register)
162 return basechain->type->ops_register(net, ops);
163
164 return nf_register_net_hook(net, ops);
165}
166
167static void nf_tables_unregister_hook(struct net *net,
168 const struct nft_table *table,
169 struct nft_chain *chain)
170{
171 const struct nft_base_chain *basechain;
172 const struct nf_hook_ops *ops;
173
174 if (table->flags & NFT_TABLE_F_DORMANT ||
175 !nft_is_base_chain(chain))
176 return;
177 basechain = nft_base_chain(chain);
178 ops = &basechain->ops;
179
180 if (basechain->type->ops_unregister)
181 return basechain->type->ops_unregister(net, ops);
182
183 nf_unregister_net_hook(net, ops);
184}
185
186static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
187{
188 struct nft_trans *trans;
189
190 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
191 if (trans == NULL)
192 return -ENOMEM;
193
194 if (msg_type == NFT_MSG_NEWTABLE)
195 nft_activate_next(ctx->net, ctx->table);
196
197 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
198 return 0;
199}
200
201static int nft_deltable(struct nft_ctx *ctx)
202{
203 int err;
204
205 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
206 if (err < 0)
207 return err;
208
209 nft_deactivate_next(ctx->net, ctx->table);
210 return err;
211}
212
213static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
214{
215 struct nft_trans *trans;
216
217 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
218 if (trans == NULL)
219 return ERR_PTR(-ENOMEM);
220
221 if (msg_type == NFT_MSG_NEWCHAIN)
222 nft_activate_next(ctx->net, ctx->chain);
223
224 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
225 return trans;
226}
227
228static int nft_delchain(struct nft_ctx *ctx)
229{
230 struct nft_trans *trans;
231
232 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
233 if (IS_ERR(trans))
234 return PTR_ERR(trans);
235
236 ctx->table->use--;
237 nft_deactivate_next(ctx->net, ctx->chain);
238
239 return 0;
240}
241
242static void nft_rule_expr_activate(const struct nft_ctx *ctx,
243 struct nft_rule *rule)
244{
245 struct nft_expr *expr;
246
247 expr = nft_expr_first(rule);
248 while (expr != nft_expr_last(rule) && expr->ops) {
249 if (expr->ops->activate)
250 expr->ops->activate(ctx, expr);
251
252 expr = nft_expr_next(expr);
253 }
254}
255
256static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
257 struct nft_rule *rule,
258 enum nft_trans_phase phase)
259{
260 struct nft_expr *expr;
261
262 expr = nft_expr_first(rule);
263 while (expr != nft_expr_last(rule) && expr->ops) {
264 if (expr->ops->deactivate)
265 expr->ops->deactivate(ctx, expr, phase);
266
267 expr = nft_expr_next(expr);
268 }
269}
270
271static int
272nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
273{
274
275 if (nft_is_active_next(ctx->net, rule)) {
276 nft_deactivate_next(ctx->net, rule);
277 ctx->chain->use--;
278 return 0;
279 }
280 return -ENOENT;
281}
282
283static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
284 struct nft_rule *rule)
285{
286 struct nft_trans *trans;
287
288 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
289 if (trans == NULL)
290 return NULL;
291
292 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
293 nft_trans_rule_id(trans) =
294 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
295 }
296 nft_trans_rule(trans) = rule;
297 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
298
299 return trans;
300}
301
302static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
303{
304 struct nft_trans *trans;
305 int err;
306
307 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
308 if (trans == NULL)
309 return -ENOMEM;
310
311 err = nf_tables_delrule_deactivate(ctx, rule);
312 if (err < 0) {
313 nft_trans_destroy(trans);
314 return err;
315 }
316 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
317
318 return 0;
319}
320
321static int nft_delrule_by_chain(struct nft_ctx *ctx)
322{
323 struct nft_rule *rule;
324 int err;
325
326 list_for_each_entry(rule, &ctx->chain->rules, list) {
327 if (!nft_is_active_next(ctx->net, rule))
328 continue;
329
330 err = nft_delrule(ctx, rule);
331 if (err < 0)
332 return err;
333 }
334 return 0;
335}
336
337static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
338 struct nft_set *set)
339{
340 struct nft_trans *trans;
341
342 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
343 if (trans == NULL)
344 return -ENOMEM;
345
346 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
347 nft_trans_set_id(trans) =
348 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
349 nft_activate_next(ctx->net, set);
350 }
351 nft_trans_set(trans) = set;
352 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
353
354 return 0;
355}
356
357static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
358{
359 int err;
360
361 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
362 if (err < 0)
363 return err;
364
365 nft_deactivate_next(ctx->net, set);
366 ctx->table->use--;
367
368 return err;
369}
370
371static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
372 struct nft_object *obj)
373{
374 struct nft_trans *trans;
375
376 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
377 if (trans == NULL)
378 return -ENOMEM;
379
380 if (msg_type == NFT_MSG_NEWOBJ)
381 nft_activate_next(ctx->net, obj);
382
383 nft_trans_obj(trans) = obj;
384 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
385
386 return 0;
387}
388
389static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
390{
391 int err;
392
393 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
394 if (err < 0)
395 return err;
396
397 nft_deactivate_next(ctx->net, obj);
398 ctx->table->use--;
399
400 return err;
401}
402
403static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
404 struct nft_flowtable *flowtable)
405{
406 struct nft_trans *trans;
407
408 trans = nft_trans_alloc(ctx, msg_type,
409 sizeof(struct nft_trans_flowtable));
410 if (trans == NULL)
411 return -ENOMEM;
412
413 if (msg_type == NFT_MSG_NEWFLOWTABLE)
414 nft_activate_next(ctx->net, flowtable);
415
416 nft_trans_flowtable(trans) = flowtable;
417 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
418
419 return 0;
420}
421
422static int nft_delflowtable(struct nft_ctx *ctx,
423 struct nft_flowtable *flowtable)
424{
425 int err;
426
427 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
428 if (err < 0)
429 return err;
430
431 nft_deactivate_next(ctx->net, flowtable);
432 ctx->table->use--;
433
434 return err;
435}
436
437
438
439
440
441static struct nft_table *nft_table_lookup(const struct net *net,
442 const struct nlattr *nla,
443 u8 family, u8 genmask)
444{
445 struct nft_table *table;
446
447 if (nla == NULL)
448 return ERR_PTR(-EINVAL);
449
450 list_for_each_entry_rcu(table, &net->nft.tables, list) {
451 if (!nla_strcmp(nla, table->name) &&
452 table->family == family &&
453 nft_active_genmask(table, genmask))
454 return table;
455 }
456
457 return ERR_PTR(-ENOENT);
458}
459
460static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
461 const struct nlattr *nla,
462 u8 genmask)
463{
464 struct nft_table *table;
465
466 list_for_each_entry(table, &net->nft.tables, list) {
467 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
468 nft_active_genmask(table, genmask))
469 return table;
470 }
471
472 return ERR_PTR(-ENOENT);
473}
474
475static inline u64 nf_tables_alloc_handle(struct nft_table *table)
476{
477 return ++table->hgenerator;
478}
479
480static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
481
482static const struct nft_chain_type *
483__nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
484{
485 int i;
486
487 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
488 if (chain_type[family][i] != NULL &&
489 !nla_strcmp(nla, chain_type[family][i]->name))
490 return chain_type[family][i];
491 }
492 return NULL;
493}
494
495
496
497
498
499
500
501
502
503#ifdef CONFIG_MODULES
504static int __nf_tables_abort(struct net *net);
505
506static void nft_request_module(struct net *net, const char *fmt, ...)
507{
508 char module_name[MODULE_NAME_LEN];
509 va_list args;
510 int ret;
511
512 __nf_tables_abort(net);
513
514 va_start(args, fmt);
515 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
516 va_end(args);
517 if (WARN(ret >= MODULE_NAME_LEN, "truncated: '%s' (len %d)", module_name, ret))
518 return;
519
520 mutex_unlock(&net->nft.commit_mutex);
521 request_module("%s", module_name);
522 mutex_lock(&net->nft.commit_mutex);
523}
524#endif
525
526static void lockdep_nfnl_nft_mutex_not_held(void)
527{
528#ifdef CONFIG_PROVE_LOCKING
529 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
530#endif
531}
532
533static const struct nft_chain_type *
534nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
535 u8 family, bool autoload)
536{
537 const struct nft_chain_type *type;
538
539 type = __nf_tables_chain_type_lookup(nla, family);
540 if (type != NULL)
541 return type;
542
543 lockdep_nfnl_nft_mutex_not_held();
544#ifdef CONFIG_MODULES
545 if (autoload) {
546 nft_request_module(net, "nft-chain-%u-%.*s", family,
547 nla_len(nla), (const char *)nla_data(nla));
548 type = __nf_tables_chain_type_lookup(nla, family);
549 if (type != NULL)
550 return ERR_PTR(-EAGAIN);
551 }
552#endif
553 return ERR_PTR(-ENOENT);
554}
555
556static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
557 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
558 .len = NFT_TABLE_MAXNAMELEN - 1 },
559 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
560 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
561};
562
563static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
564 u32 portid, u32 seq, int event, u32 flags,
565 int family, const struct nft_table *table)
566{
567 struct nlmsghdr *nlh;
568 struct nfgenmsg *nfmsg;
569
570 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
571 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
572 if (nlh == NULL)
573 goto nla_put_failure;
574
575 nfmsg = nlmsg_data(nlh);
576 nfmsg->nfgen_family = family;
577 nfmsg->version = NFNETLINK_V0;
578 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
579
580 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
581 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
582 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
583 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
584 NFTA_TABLE_PAD))
585 goto nla_put_failure;
586
587 nlmsg_end(skb, nlh);
588 return 0;
589
590nla_put_failure:
591 nlmsg_trim(skb, nlh);
592 return -1;
593}
594
595static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
596{
597 struct sk_buff *skb;
598 int err;
599
600 if (!ctx->report &&
601 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
602 return;
603
604 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
605 if (skb == NULL)
606 goto err;
607
608 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
609 event, 0, ctx->family, ctx->table);
610 if (err < 0) {
611 kfree_skb(skb);
612 goto err;
613 }
614
615 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
616 ctx->report, GFP_KERNEL);
617 return;
618err:
619 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
620}
621
622static int nf_tables_dump_tables(struct sk_buff *skb,
623 struct netlink_callback *cb)
624{
625 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
626 const struct nft_table *table;
627 unsigned int idx = 0, s_idx = cb->args[0];
628 struct net *net = sock_net(skb->sk);
629 int family = nfmsg->nfgen_family;
630
631 rcu_read_lock();
632 cb->seq = net->nft.base_seq;
633
634 list_for_each_entry_rcu(table, &net->nft.tables, list) {
635 if (family != NFPROTO_UNSPEC && family != table->family)
636 continue;
637
638 if (idx < s_idx)
639 goto cont;
640 if (idx > s_idx)
641 memset(&cb->args[1], 0,
642 sizeof(cb->args) - sizeof(cb->args[0]));
643 if (!nft_is_active(net, table))
644 continue;
645 if (nf_tables_fill_table_info(skb, net,
646 NETLINK_CB(cb->skb).portid,
647 cb->nlh->nlmsg_seq,
648 NFT_MSG_NEWTABLE, NLM_F_MULTI,
649 table->family, table) < 0)
650 goto done;
651
652 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
653cont:
654 idx++;
655 }
656done:
657 rcu_read_unlock();
658 cb->args[0] = idx;
659 return skb->len;
660}
661
662static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
663 const struct nlmsghdr *nlh,
664 struct netlink_dump_control *c)
665{
666 int err;
667
668 if (!try_module_get(THIS_MODULE))
669 return -EINVAL;
670
671 rcu_read_unlock();
672 err = netlink_dump_start(nlsk, skb, nlh, c);
673 rcu_read_lock();
674 module_put(THIS_MODULE);
675
676 return err;
677}
678
679
680static int nf_tables_gettable(struct net *net, struct sock *nlsk,
681 struct sk_buff *skb, const struct nlmsghdr *nlh,
682 const struct nlattr * const nla[],
683 struct netlink_ext_ack *extack)
684{
685 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
686 u8 genmask = nft_genmask_cur(net);
687 const struct nft_table *table;
688 struct sk_buff *skb2;
689 int family = nfmsg->nfgen_family;
690 int err;
691
692 if (nlh->nlmsg_flags & NLM_F_DUMP) {
693 struct netlink_dump_control c = {
694 .dump = nf_tables_dump_tables,
695 .module = THIS_MODULE,
696 };
697
698 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
699 }
700
701 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
702 if (IS_ERR(table)) {
703 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
704 return PTR_ERR(table);
705 }
706
707 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
708 if (!skb2)
709 return -ENOMEM;
710
711 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
712 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
713 family, table);
714 if (err < 0)
715 goto err;
716
717 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
718
719err:
720 kfree_skb(skb2);
721 return err;
722}
723
724static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
725{
726 struct nft_chain *chain;
727 u32 i = 0;
728
729 list_for_each_entry(chain, &table->chains, list) {
730 if (!nft_is_active_next(net, chain))
731 continue;
732 if (!nft_is_base_chain(chain))
733 continue;
734
735 if (cnt && i++ == cnt)
736 break;
737
738 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
739 }
740}
741
742static int nf_tables_table_enable(struct net *net, struct nft_table *table)
743{
744 struct nft_chain *chain;
745 int err, i = 0;
746
747 list_for_each_entry(chain, &table->chains, list) {
748 if (!nft_is_active_next(net, chain))
749 continue;
750 if (!nft_is_base_chain(chain))
751 continue;
752
753 err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
754 if (err < 0)
755 goto err;
756
757 i++;
758 }
759 return 0;
760err:
761 if (i)
762 nft_table_disable(net, table, i);
763 return err;
764}
765
766static void nf_tables_table_disable(struct net *net, struct nft_table *table)
767{
768 nft_table_disable(net, table, 0);
769}
770
771static int nf_tables_updtable(struct nft_ctx *ctx)
772{
773 struct nft_trans *trans;
774 u32 flags;
775 int ret = 0;
776
777 if (!ctx->nla[NFTA_TABLE_FLAGS])
778 return 0;
779
780 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
781 if (flags & ~NFT_TABLE_F_DORMANT)
782 return -EINVAL;
783
784 if (flags == ctx->table->flags)
785 return 0;
786
787 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
788 sizeof(struct nft_trans_table));
789 if (trans == NULL)
790 return -ENOMEM;
791
792 if ((flags & NFT_TABLE_F_DORMANT) &&
793 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
794 nft_trans_table_enable(trans) = false;
795 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
796 ctx->table->flags & NFT_TABLE_F_DORMANT) {
797 ret = nf_tables_table_enable(ctx->net, ctx->table);
798 if (ret >= 0) {
799 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
800 nft_trans_table_enable(trans) = true;
801 }
802 }
803 if (ret < 0)
804 goto err;
805
806 nft_trans_table_update(trans) = true;
807 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
808 return 0;
809err:
810 nft_trans_destroy(trans);
811 return ret;
812}
813
814static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
815{
816 const char *name = data;
817
818 return jhash(name, strlen(name), seed);
819}
820
821static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
822{
823 const struct nft_chain *chain = data;
824
825 return nft_chain_hash(chain->name, 0, seed);
826}
827
828static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
829 const void *ptr)
830{
831 const struct nft_chain *chain = ptr;
832 const char *name = arg->key;
833
834 return strcmp(chain->name, name);
835}
836
837static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
838{
839 const struct nft_object_hash_key *k = data;
840
841 seed ^= hash_ptr(k->table, 32);
842
843 return jhash(k->name, strlen(k->name), seed);
844}
845
846static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
847{
848 const struct nft_object *obj = data;
849
850 return nft_objname_hash(&obj->key, 0, seed);
851}
852
853static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
854 const void *ptr)
855{
856 const struct nft_object_hash_key *k = arg->key;
857 const struct nft_object *obj = ptr;
858
859 if (obj->key.table != k->table)
860 return -1;
861
862 return strcmp(obj->key.name, k->name);
863}
864
865static int nf_tables_newtable(struct net *net, struct sock *nlsk,
866 struct sk_buff *skb, const struct nlmsghdr *nlh,
867 const struct nlattr * const nla[],
868 struct netlink_ext_ack *extack)
869{
870 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
871 u8 genmask = nft_genmask_next(net);
872 int family = nfmsg->nfgen_family;
873 const struct nlattr *attr;
874 struct nft_table *table;
875 u32 flags = 0;
876 struct nft_ctx ctx;
877 int err;
878
879 lockdep_assert_held(&net->nft.commit_mutex);
880 attr = nla[NFTA_TABLE_NAME];
881 table = nft_table_lookup(net, attr, family, genmask);
882 if (IS_ERR(table)) {
883 if (PTR_ERR(table) != -ENOENT)
884 return PTR_ERR(table);
885 } else {
886 if (nlh->nlmsg_flags & NLM_F_EXCL) {
887 NL_SET_BAD_ATTR(extack, attr);
888 return -EEXIST;
889 }
890 if (nlh->nlmsg_flags & NLM_F_REPLACE)
891 return -EOPNOTSUPP;
892
893 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
894 return nf_tables_updtable(&ctx);
895 }
896
897 if (nla[NFTA_TABLE_FLAGS]) {
898 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
899 if (flags & ~NFT_TABLE_F_DORMANT)
900 return -EINVAL;
901 }
902
903 err = -ENOMEM;
904 table = kzalloc(sizeof(*table), GFP_KERNEL);
905 if (table == NULL)
906 goto err_kzalloc;
907
908 table->name = nla_strdup(attr, GFP_KERNEL);
909 if (table->name == NULL)
910 goto err_strdup;
911
912 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
913 if (err)
914 goto err_chain_ht;
915
916 INIT_LIST_HEAD(&table->chains);
917 INIT_LIST_HEAD(&table->sets);
918 INIT_LIST_HEAD(&table->objects);
919 INIT_LIST_HEAD(&table->flowtables);
920 table->family = family;
921 table->flags = flags;
922 table->handle = ++table_handle;
923
924 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
925 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
926 if (err < 0)
927 goto err_trans;
928
929 list_add_tail_rcu(&table->list, &net->nft.tables);
930 return 0;
931err_trans:
932 rhltable_destroy(&table->chains_ht);
933err_chain_ht:
934 kfree(table->name);
935err_strdup:
936 kfree(table);
937err_kzalloc:
938 return err;
939}
940
941static int nft_flush_table(struct nft_ctx *ctx)
942{
943 struct nft_flowtable *flowtable, *nft;
944 struct nft_chain *chain, *nc;
945 struct nft_object *obj, *ne;
946 struct nft_set *set, *ns;
947 int err;
948
949 list_for_each_entry(chain, &ctx->table->chains, list) {
950 if (!nft_is_active_next(ctx->net, chain))
951 continue;
952
953 ctx->chain = chain;
954
955 err = nft_delrule_by_chain(ctx);
956 if (err < 0)
957 goto out;
958 }
959
960 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
961 if (!nft_is_active_next(ctx->net, set))
962 continue;
963
964 if (nft_set_is_anonymous(set) &&
965 !list_empty(&set->bindings))
966 continue;
967
968 err = nft_delset(ctx, set);
969 if (err < 0)
970 goto out;
971 }
972
973 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
974 err = nft_delflowtable(ctx, flowtable);
975 if (err < 0)
976 goto out;
977 }
978
979 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
980 err = nft_delobj(ctx, obj);
981 if (err < 0)
982 goto out;
983 }
984
985 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
986 if (!nft_is_active_next(ctx->net, chain))
987 continue;
988
989 ctx->chain = chain;
990
991 err = nft_delchain(ctx);
992 if (err < 0)
993 goto out;
994 }
995
996 err = nft_deltable(ctx);
997out:
998 return err;
999}
1000
1001static int nft_flush(struct nft_ctx *ctx, int family)
1002{
1003 struct nft_table *table, *nt;
1004 const struct nlattr * const *nla = ctx->nla;
1005 int err = 0;
1006
1007 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1008 if (family != AF_UNSPEC && table->family != family)
1009 continue;
1010
1011 ctx->family = table->family;
1012
1013 if (!nft_is_active_next(ctx->net, table))
1014 continue;
1015
1016 if (nla[NFTA_TABLE_NAME] &&
1017 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1018 continue;
1019
1020 ctx->table = table;
1021
1022 err = nft_flush_table(ctx);
1023 if (err < 0)
1024 goto out;
1025 }
1026out:
1027 return err;
1028}
1029
1030static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1031 struct sk_buff *skb, const struct nlmsghdr *nlh,
1032 const struct nlattr * const nla[],
1033 struct netlink_ext_ack *extack)
1034{
1035 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1036 u8 genmask = nft_genmask_next(net);
1037 int family = nfmsg->nfgen_family;
1038 const struct nlattr *attr;
1039 struct nft_table *table;
1040 struct nft_ctx ctx;
1041
1042 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1043 if (family == AF_UNSPEC ||
1044 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1045 return nft_flush(&ctx, family);
1046
1047 if (nla[NFTA_TABLE_HANDLE]) {
1048 attr = nla[NFTA_TABLE_HANDLE];
1049 table = nft_table_lookup_byhandle(net, attr, genmask);
1050 } else {
1051 attr = nla[NFTA_TABLE_NAME];
1052 table = nft_table_lookup(net, attr, family, genmask);
1053 }
1054
1055 if (IS_ERR(table)) {
1056 NL_SET_BAD_ATTR(extack, attr);
1057 return PTR_ERR(table);
1058 }
1059
1060 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1061 table->use > 0)
1062 return -EBUSY;
1063
1064 ctx.family = family;
1065 ctx.table = table;
1066
1067 return nft_flush_table(&ctx);
1068}
1069
1070static void nf_tables_table_destroy(struct nft_ctx *ctx)
1071{
1072 if (WARN_ON(ctx->table->use > 0))
1073 return;
1074
1075 rhltable_destroy(&ctx->table->chains_ht);
1076 kfree(ctx->table->name);
1077 kfree(ctx->table);
1078}
1079
1080void nft_register_chain_type(const struct nft_chain_type *ctype)
1081{
1082 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
1083 return;
1084
1085 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1086 if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
1087 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1088 return;
1089 }
1090 chain_type[ctype->family][ctype->type] = ctype;
1091 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1092}
1093EXPORT_SYMBOL_GPL(nft_register_chain_type);
1094
1095void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1096{
1097 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1098 chain_type[ctype->family][ctype->type] = NULL;
1099 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1100}
1101EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1102
1103
1104
1105
1106
1107static struct nft_chain *
1108nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1109{
1110 struct nft_chain *chain;
1111
1112 list_for_each_entry(chain, &table->chains, list) {
1113 if (chain->handle == handle &&
1114 nft_active_genmask(chain, genmask))
1115 return chain;
1116 }
1117
1118 return ERR_PTR(-ENOENT);
1119}
1120
1121static bool lockdep_commit_lock_is_held(const struct net *net)
1122{
1123#ifdef CONFIG_PROVE_LOCKING
1124 return lockdep_is_held(&net->nft.commit_mutex);
1125#else
1126 return true;
1127#endif
1128}
1129
1130static struct nft_chain *nft_chain_lookup(struct net *net,
1131 struct nft_table *table,
1132 const struct nlattr *nla, u8 genmask)
1133{
1134 char search[NFT_CHAIN_MAXNAMELEN + 1];
1135 struct rhlist_head *tmp, *list;
1136 struct nft_chain *chain;
1137
1138 if (nla == NULL)
1139 return ERR_PTR(-EINVAL);
1140
1141 nla_strlcpy(search, nla, sizeof(search));
1142
1143 WARN_ON(!rcu_read_lock_held() &&
1144 !lockdep_commit_lock_is_held(net));
1145
1146 chain = ERR_PTR(-ENOENT);
1147 rcu_read_lock();
1148 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1149 if (!list)
1150 goto out_unlock;
1151
1152 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1153 if (nft_active_genmask(chain, genmask))
1154 goto out_unlock;
1155 }
1156 chain = ERR_PTR(-ENOENT);
1157out_unlock:
1158 rcu_read_unlock();
1159 return chain;
1160}
1161
1162static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1163 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1164 .len = NFT_TABLE_MAXNAMELEN - 1 },
1165 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1166 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1167 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1168 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1169 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1170 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
1171 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1172};
1173
1174static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1175 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1176 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1177 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1178 .len = IFNAMSIZ - 1 },
1179};
1180
1181static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1182{
1183 struct nft_stats *cpu_stats, total;
1184 struct nlattr *nest;
1185 unsigned int seq;
1186 u64 pkts, bytes;
1187 int cpu;
1188
1189 if (!stats)
1190 return 0;
1191
1192 memset(&total, 0, sizeof(total));
1193 for_each_possible_cpu(cpu) {
1194 cpu_stats = per_cpu_ptr(stats, cpu);
1195 do {
1196 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1197 pkts = cpu_stats->pkts;
1198 bytes = cpu_stats->bytes;
1199 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1200 total.pkts += pkts;
1201 total.bytes += bytes;
1202 }
1203 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1204 if (nest == NULL)
1205 goto nla_put_failure;
1206
1207 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1208 NFTA_COUNTER_PAD) ||
1209 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1210 NFTA_COUNTER_PAD))
1211 goto nla_put_failure;
1212
1213 nla_nest_end(skb, nest);
1214 return 0;
1215
1216nla_put_failure:
1217 return -ENOSPC;
1218}
1219
1220static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1221 u32 portid, u32 seq, int event, u32 flags,
1222 int family, const struct nft_table *table,
1223 const struct nft_chain *chain)
1224{
1225 struct nlmsghdr *nlh;
1226 struct nfgenmsg *nfmsg;
1227
1228 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1229 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1230 if (nlh == NULL)
1231 goto nla_put_failure;
1232
1233 nfmsg = nlmsg_data(nlh);
1234 nfmsg->nfgen_family = family;
1235 nfmsg->version = NFNETLINK_V0;
1236 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1237
1238 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1239 goto nla_put_failure;
1240 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1241 NFTA_CHAIN_PAD))
1242 goto nla_put_failure;
1243 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1244 goto nla_put_failure;
1245
1246 if (nft_is_base_chain(chain)) {
1247 const struct nft_base_chain *basechain = nft_base_chain(chain);
1248 const struct nf_hook_ops *ops = &basechain->ops;
1249 struct nft_stats __percpu *stats;
1250 struct nlattr *nest;
1251
1252 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1253 if (nest == NULL)
1254 goto nla_put_failure;
1255 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1256 goto nla_put_failure;
1257 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1258 goto nla_put_failure;
1259 if (basechain->dev_name[0] &&
1260 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1261 goto nla_put_failure;
1262 nla_nest_end(skb, nest);
1263
1264 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1265 htonl(basechain->policy)))
1266 goto nla_put_failure;
1267
1268 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1269 goto nla_put_failure;
1270
1271 stats = rcu_dereference_check(basechain->stats,
1272 lockdep_commit_lock_is_held(net));
1273 if (nft_dump_stats(skb, stats))
1274 goto nla_put_failure;
1275 }
1276
1277 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1278 goto nla_put_failure;
1279
1280 nlmsg_end(skb, nlh);
1281 return 0;
1282
1283nla_put_failure:
1284 nlmsg_trim(skb, nlh);
1285 return -1;
1286}
1287
1288static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1289{
1290 struct sk_buff *skb;
1291 int err;
1292
1293 if (!ctx->report &&
1294 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1295 return;
1296
1297 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1298 if (skb == NULL)
1299 goto err;
1300
1301 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1302 event, 0, ctx->family, ctx->table,
1303 ctx->chain);
1304 if (err < 0) {
1305 kfree_skb(skb);
1306 goto err;
1307 }
1308
1309 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1310 ctx->report, GFP_KERNEL);
1311 return;
1312err:
1313 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1314}
1315
1316static int nf_tables_dump_chains(struct sk_buff *skb,
1317 struct netlink_callback *cb)
1318{
1319 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1320 const struct nft_table *table;
1321 const struct nft_chain *chain;
1322 unsigned int idx = 0, s_idx = cb->args[0];
1323 struct net *net = sock_net(skb->sk);
1324 int family = nfmsg->nfgen_family;
1325
1326 rcu_read_lock();
1327 cb->seq = net->nft.base_seq;
1328
1329 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1330 if (family != NFPROTO_UNSPEC && family != table->family)
1331 continue;
1332
1333 list_for_each_entry_rcu(chain, &table->chains, list) {
1334 if (idx < s_idx)
1335 goto cont;
1336 if (idx > s_idx)
1337 memset(&cb->args[1], 0,
1338 sizeof(cb->args) - sizeof(cb->args[0]));
1339 if (!nft_is_active(net, chain))
1340 continue;
1341 if (nf_tables_fill_chain_info(skb, net,
1342 NETLINK_CB(cb->skb).portid,
1343 cb->nlh->nlmsg_seq,
1344 NFT_MSG_NEWCHAIN,
1345 NLM_F_MULTI,
1346 table->family, table,
1347 chain) < 0)
1348 goto done;
1349
1350 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1351cont:
1352 idx++;
1353 }
1354 }
1355done:
1356 rcu_read_unlock();
1357 cb->args[0] = idx;
1358 return skb->len;
1359}
1360
1361
1362static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1363 struct sk_buff *skb, const struct nlmsghdr *nlh,
1364 const struct nlattr * const nla[],
1365 struct netlink_ext_ack *extack)
1366{
1367 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1368 u8 genmask = nft_genmask_cur(net);
1369 const struct nft_chain *chain;
1370 struct nft_table *table;
1371 struct sk_buff *skb2;
1372 int family = nfmsg->nfgen_family;
1373 int err;
1374
1375 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1376 struct netlink_dump_control c = {
1377 .dump = nf_tables_dump_chains,
1378 .module = THIS_MODULE,
1379 };
1380
1381 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1382 }
1383
1384 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1385 if (IS_ERR(table)) {
1386 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1387 return PTR_ERR(table);
1388 }
1389
1390 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1391 if (IS_ERR(chain)) {
1392 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1393 return PTR_ERR(chain);
1394 }
1395
1396 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1397 if (!skb2)
1398 return -ENOMEM;
1399
1400 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1401 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1402 family, table, chain);
1403 if (err < 0)
1404 goto err;
1405
1406 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1407
1408err:
1409 kfree_skb(skb2);
1410 return err;
1411}
1412
1413static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1414 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1415 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1416};
1417
1418static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1419{
1420 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1421 struct nft_stats __percpu *newstats;
1422 struct nft_stats *stats;
1423 int err;
1424
1425 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1426 nft_counter_policy, NULL);
1427 if (err < 0)
1428 return ERR_PTR(err);
1429
1430 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1431 return ERR_PTR(-EINVAL);
1432
1433 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1434 if (newstats == NULL)
1435 return ERR_PTR(-ENOMEM);
1436
1437
1438
1439
1440 preempt_disable();
1441 stats = this_cpu_ptr(newstats);
1442 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1443 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1444 preempt_enable();
1445
1446 return newstats;
1447}
1448
1449static void nft_chain_stats_replace(struct net *net,
1450 struct nft_base_chain *chain,
1451 struct nft_stats __percpu *newstats)
1452{
1453 struct nft_stats __percpu *oldstats;
1454
1455 if (newstats == NULL)
1456 return;
1457
1458 if (rcu_access_pointer(chain->stats)) {
1459 oldstats = rcu_dereference_protected(chain->stats,
1460 lockdep_commit_lock_is_held(net));
1461 rcu_assign_pointer(chain->stats, newstats);
1462 synchronize_rcu();
1463 free_percpu(oldstats);
1464 } else {
1465 rcu_assign_pointer(chain->stats, newstats);
1466 static_branch_inc(&nft_counters_enabled);
1467 }
1468}
1469
1470static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1471{
1472 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1473 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1474
1475 if (g0 != g1)
1476 kvfree(g1);
1477 kvfree(g0);
1478
1479
1480 WARN_ON_ONCE(chain->rules_next);
1481 kvfree(chain->rules_next);
1482}
1483
1484static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1485{
1486 struct nft_chain *chain = ctx->chain;
1487
1488 if (WARN_ON(chain->use > 0))
1489 return;
1490
1491
1492 nf_tables_chain_free_chain_rules(chain);
1493
1494 if (nft_is_base_chain(chain)) {
1495 struct nft_base_chain *basechain = nft_base_chain(chain);
1496
1497 module_put(basechain->type->owner);
1498 if (rcu_access_pointer(basechain->stats)) {
1499 static_branch_dec(&nft_counters_enabled);
1500 free_percpu(rcu_dereference_raw(basechain->stats));
1501 }
1502 kfree(chain->name);
1503 kfree(basechain);
1504 } else {
1505 kfree(chain->name);
1506 kfree(chain);
1507 }
1508}
1509
1510struct nft_chain_hook {
1511 u32 num;
1512 s32 priority;
1513 const struct nft_chain_type *type;
1514 struct net_device *dev;
1515};
1516
1517static int nft_chain_parse_hook(struct net *net,
1518 const struct nlattr * const nla[],
1519 struct nft_chain_hook *hook, u8 family,
1520 bool autoload)
1521{
1522 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1523 const struct nft_chain_type *type;
1524 struct net_device *dev;
1525 int err;
1526
1527 lockdep_assert_held(&net->nft.commit_mutex);
1528 lockdep_nfnl_nft_mutex_not_held();
1529
1530 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
1531 nla[NFTA_CHAIN_HOOK],
1532 nft_hook_policy, NULL);
1533 if (err < 0)
1534 return err;
1535
1536 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1537 ha[NFTA_HOOK_PRIORITY] == NULL)
1538 return -EINVAL;
1539
1540 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1541 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1542
1543 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1544 if (nla[NFTA_CHAIN_TYPE]) {
1545 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1546 family, autoload);
1547 if (IS_ERR(type))
1548 return PTR_ERR(type);
1549 }
1550 if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1551 return -EOPNOTSUPP;
1552
1553 if (type->type == NFT_CHAIN_T_NAT &&
1554 hook->priority <= NF_IP_PRI_CONNTRACK)
1555 return -EOPNOTSUPP;
1556
1557 if (!try_module_get(type->owner))
1558 return -ENOENT;
1559
1560 hook->type = type;
1561
1562 hook->dev = NULL;
1563 if (family == NFPROTO_NETDEV) {
1564 char ifname[IFNAMSIZ];
1565
1566 if (!ha[NFTA_HOOK_DEV]) {
1567 module_put(type->owner);
1568 return -EOPNOTSUPP;
1569 }
1570
1571 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1572 dev = __dev_get_by_name(net, ifname);
1573 if (!dev) {
1574 module_put(type->owner);
1575 return -ENOENT;
1576 }
1577 hook->dev = dev;
1578 } else if (ha[NFTA_HOOK_DEV]) {
1579 module_put(type->owner);
1580 return -EOPNOTSUPP;
1581 }
1582
1583 return 0;
1584}
1585
1586static void nft_chain_release_hook(struct nft_chain_hook *hook)
1587{
1588 module_put(hook->type->owner);
1589}
1590
1591struct nft_rules_old {
1592 struct rcu_head h;
1593 struct nft_rule **start;
1594};
1595
1596static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1597 unsigned int alloc)
1598{
1599 if (alloc > INT_MAX)
1600 return NULL;
1601
1602 alloc += 1;
1603 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1604 return NULL;
1605
1606 alloc *= sizeof(struct nft_rule *);
1607 alloc += sizeof(struct nft_rules_old);
1608
1609 return kvmalloc(alloc, GFP_KERNEL);
1610}
1611
1612static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1613 u8 policy)
1614{
1615 const struct nlattr * const *nla = ctx->nla;
1616 struct nft_table *table = ctx->table;
1617 struct nft_base_chain *basechain;
1618 struct nft_stats __percpu *stats;
1619 struct net *net = ctx->net;
1620 struct nft_trans *trans;
1621 struct nft_chain *chain;
1622 struct nft_rule **rules;
1623 int err;
1624
1625 if (table->use == UINT_MAX)
1626 return -EOVERFLOW;
1627
1628 if (nla[NFTA_CHAIN_HOOK]) {
1629 struct nft_chain_hook hook;
1630 struct nf_hook_ops *ops;
1631
1632 err = nft_chain_parse_hook(net, nla, &hook, family, true);
1633 if (err < 0)
1634 return err;
1635
1636 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1637 if (basechain == NULL) {
1638 nft_chain_release_hook(&hook);
1639 return -ENOMEM;
1640 }
1641
1642 if (hook.dev != NULL)
1643 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1644
1645 if (nla[NFTA_CHAIN_COUNTERS]) {
1646 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1647 if (IS_ERR(stats)) {
1648 nft_chain_release_hook(&hook);
1649 kfree(basechain);
1650 return PTR_ERR(stats);
1651 }
1652 rcu_assign_pointer(basechain->stats, stats);
1653 static_branch_inc(&nft_counters_enabled);
1654 }
1655
1656 basechain->type = hook.type;
1657 chain = &basechain->chain;
1658
1659 ops = &basechain->ops;
1660 ops->pf = family;
1661 ops->hooknum = hook.num;
1662 ops->priority = hook.priority;
1663 ops->priv = chain;
1664 ops->hook = hook.type->hooks[ops->hooknum];
1665 ops->dev = hook.dev;
1666
1667 chain->flags |= NFT_BASE_CHAIN;
1668 basechain->policy = NF_ACCEPT;
1669 } else {
1670 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1671 if (chain == NULL)
1672 return -ENOMEM;
1673 }
1674 ctx->chain = chain;
1675
1676 INIT_LIST_HEAD(&chain->rules);
1677 chain->handle = nf_tables_alloc_handle(table);
1678 chain->table = table;
1679 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1680 if (!chain->name) {
1681 err = -ENOMEM;
1682 goto err1;
1683 }
1684
1685 rules = nf_tables_chain_alloc_rules(chain, 0);
1686 if (!rules) {
1687 err = -ENOMEM;
1688 goto err1;
1689 }
1690
1691 *rules = NULL;
1692 rcu_assign_pointer(chain->rules_gen_0, rules);
1693 rcu_assign_pointer(chain->rules_gen_1, rules);
1694
1695 err = nf_tables_register_hook(net, table, chain);
1696 if (err < 0)
1697 goto err1;
1698
1699 err = rhltable_insert_key(&table->chains_ht, chain->name,
1700 &chain->rhlhead, nft_chain_ht_params);
1701 if (err)
1702 goto err2;
1703
1704 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1705 if (IS_ERR(trans)) {
1706 err = PTR_ERR(trans);
1707 rhltable_remove(&table->chains_ht, &chain->rhlhead,
1708 nft_chain_ht_params);
1709 goto err2;
1710 }
1711
1712 nft_trans_chain_policy(trans) = -1;
1713 if (nft_is_base_chain(chain))
1714 nft_trans_chain_policy(trans) = policy;
1715
1716 table->use++;
1717 list_add_tail_rcu(&chain->list, &table->chains);
1718
1719 return 0;
1720err2:
1721 nf_tables_unregister_hook(net, table, chain);
1722err1:
1723 nf_tables_chain_destroy(ctx);
1724
1725 return err;
1726}
1727
1728static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy)
1729{
1730 const struct nlattr * const *nla = ctx->nla;
1731 struct nft_table *table = ctx->table;
1732 struct nft_chain *chain = ctx->chain;
1733 struct nft_base_chain *basechain;
1734 struct nft_stats *stats = NULL;
1735 struct nft_chain_hook hook;
1736 struct nf_hook_ops *ops;
1737 struct nft_trans *trans;
1738 int err;
1739
1740 if (nla[NFTA_CHAIN_HOOK]) {
1741 if (!nft_is_base_chain(chain))
1742 return -EBUSY;
1743
1744 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
1745 false);
1746 if (err < 0)
1747 return err;
1748
1749 basechain = nft_base_chain(chain);
1750 if (basechain->type != hook.type) {
1751 nft_chain_release_hook(&hook);
1752 return -EBUSY;
1753 }
1754
1755 ops = &basechain->ops;
1756 if (ops->hooknum != hook.num ||
1757 ops->priority != hook.priority ||
1758 ops->dev != hook.dev) {
1759 nft_chain_release_hook(&hook);
1760 return -EBUSY;
1761 }
1762 nft_chain_release_hook(&hook);
1763 }
1764
1765 if (nla[NFTA_CHAIN_HANDLE] &&
1766 nla[NFTA_CHAIN_NAME]) {
1767 struct nft_chain *chain2;
1768
1769 chain2 = nft_chain_lookup(ctx->net, table,
1770 nla[NFTA_CHAIN_NAME], genmask);
1771 if (!IS_ERR(chain2))
1772 return -EEXIST;
1773 }
1774
1775 if (nla[NFTA_CHAIN_COUNTERS]) {
1776 if (!nft_is_base_chain(chain))
1777 return -EOPNOTSUPP;
1778
1779 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1780 if (IS_ERR(stats))
1781 return PTR_ERR(stats);
1782 }
1783
1784 err = -ENOMEM;
1785 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1786 sizeof(struct nft_trans_chain));
1787 if (trans == NULL)
1788 goto err;
1789
1790 nft_trans_chain_stats(trans) = stats;
1791 nft_trans_chain_update(trans) = true;
1792
1793 if (nla[NFTA_CHAIN_POLICY])
1794 nft_trans_chain_policy(trans) = policy;
1795 else
1796 nft_trans_chain_policy(trans) = -1;
1797
1798 if (nla[NFTA_CHAIN_HANDLE] &&
1799 nla[NFTA_CHAIN_NAME]) {
1800 struct nft_trans *tmp;
1801 char *name;
1802
1803 err = -ENOMEM;
1804 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1805 if (!name)
1806 goto err;
1807
1808 err = -EEXIST;
1809 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
1810 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
1811 tmp->ctx.table == table &&
1812 nft_trans_chain_update(tmp) &&
1813 nft_trans_chain_name(tmp) &&
1814 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
1815 kfree(name);
1816 goto err;
1817 }
1818 }
1819
1820 nft_trans_chain_name(trans) = name;
1821 }
1822 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1823
1824 return 0;
1825err:
1826 free_percpu(stats);
1827 kfree(trans);
1828 return err;
1829}
1830
1831static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1832 struct sk_buff *skb, const struct nlmsghdr *nlh,
1833 const struct nlattr * const nla[],
1834 struct netlink_ext_ack *extack)
1835{
1836 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1837 u8 genmask = nft_genmask_next(net);
1838 int family = nfmsg->nfgen_family;
1839 const struct nlattr *attr;
1840 struct nft_table *table;
1841 struct nft_chain *chain;
1842 u8 policy = NF_ACCEPT;
1843 struct nft_ctx ctx;
1844 u64 handle = 0;
1845
1846 lockdep_assert_held(&net->nft.commit_mutex);
1847
1848 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1849 if (IS_ERR(table)) {
1850 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1851 return PTR_ERR(table);
1852 }
1853
1854 chain = NULL;
1855 attr = nla[NFTA_CHAIN_NAME];
1856
1857 if (nla[NFTA_CHAIN_HANDLE]) {
1858 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1859 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1860 if (IS_ERR(chain)) {
1861 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
1862 return PTR_ERR(chain);
1863 }
1864 attr = nla[NFTA_CHAIN_HANDLE];
1865 } else {
1866 chain = nft_chain_lookup(net, table, attr, genmask);
1867 if (IS_ERR(chain)) {
1868 if (PTR_ERR(chain) != -ENOENT) {
1869 NL_SET_BAD_ATTR(extack, attr);
1870 return PTR_ERR(chain);
1871 }
1872 chain = NULL;
1873 }
1874 }
1875
1876 if (nla[NFTA_CHAIN_POLICY]) {
1877 if (chain != NULL &&
1878 !nft_is_base_chain(chain)) {
1879 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1880 return -EOPNOTSUPP;
1881 }
1882
1883 if (chain == NULL &&
1884 nla[NFTA_CHAIN_HOOK] == NULL) {
1885 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1886 return -EOPNOTSUPP;
1887 }
1888
1889 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1890 switch (policy) {
1891 case NF_DROP:
1892 case NF_ACCEPT:
1893 break;
1894 default:
1895 return -EINVAL;
1896 }
1897 }
1898
1899 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1900
1901 if (chain != NULL) {
1902 if (nlh->nlmsg_flags & NLM_F_EXCL) {
1903 NL_SET_BAD_ATTR(extack, attr);
1904 return -EEXIST;
1905 }
1906 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1907 return -EOPNOTSUPP;
1908
1909 return nf_tables_updchain(&ctx, genmask, policy);
1910 }
1911
1912 return nf_tables_addchain(&ctx, family, genmask, policy);
1913}
1914
1915static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1916 struct sk_buff *skb, const struct nlmsghdr *nlh,
1917 const struct nlattr * const nla[],
1918 struct netlink_ext_ack *extack)
1919{
1920 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1921 u8 genmask = nft_genmask_next(net);
1922 int family = nfmsg->nfgen_family;
1923 const struct nlattr *attr;
1924 struct nft_table *table;
1925 struct nft_chain *chain;
1926 struct nft_rule *rule;
1927 struct nft_ctx ctx;
1928 u64 handle;
1929 u32 use;
1930 int err;
1931
1932 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1933 if (IS_ERR(table)) {
1934 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1935 return PTR_ERR(table);
1936 }
1937
1938 if (nla[NFTA_CHAIN_HANDLE]) {
1939 attr = nla[NFTA_CHAIN_HANDLE];
1940 handle = be64_to_cpu(nla_get_be64(attr));
1941 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1942 } else {
1943 attr = nla[NFTA_CHAIN_NAME];
1944 chain = nft_chain_lookup(net, table, attr, genmask);
1945 }
1946 if (IS_ERR(chain)) {
1947 NL_SET_BAD_ATTR(extack, attr);
1948 return PTR_ERR(chain);
1949 }
1950
1951 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1952 chain->use > 0)
1953 return -EBUSY;
1954
1955 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1956
1957 use = chain->use;
1958 list_for_each_entry(rule, &chain->rules, list) {
1959 if (!nft_is_active_next(net, rule))
1960 continue;
1961 use--;
1962
1963 err = nft_delrule(&ctx, rule);
1964 if (err < 0)
1965 return err;
1966 }
1967
1968
1969
1970
1971 if (use > 0) {
1972 NL_SET_BAD_ATTR(extack, attr);
1973 return -EBUSY;
1974 }
1975
1976 return nft_delchain(&ctx);
1977}
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990int nft_register_expr(struct nft_expr_type *type)
1991{
1992 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1993 if (type->family == NFPROTO_UNSPEC)
1994 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1995 else
1996 list_add_rcu(&type->list, &nf_tables_expressions);
1997 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1998 return 0;
1999}
2000EXPORT_SYMBOL_GPL(nft_register_expr);
2001
2002
2003
2004
2005
2006
2007
2008void nft_unregister_expr(struct nft_expr_type *type)
2009{
2010 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2011 list_del_rcu(&type->list);
2012 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2013}
2014EXPORT_SYMBOL_GPL(nft_unregister_expr);
2015
2016static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2017 struct nlattr *nla)
2018{
2019 const struct nft_expr_type *type;
2020
2021 list_for_each_entry(type, &nf_tables_expressions, list) {
2022 if (!nla_strcmp(nla, type->name) &&
2023 (!type->family || type->family == family))
2024 return type;
2025 }
2026 return NULL;
2027}
2028
2029static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2030 u8 family,
2031 struct nlattr *nla)
2032{
2033 const struct nft_expr_type *type;
2034
2035 if (nla == NULL)
2036 return ERR_PTR(-EINVAL);
2037
2038 type = __nft_expr_type_get(family, nla);
2039 if (type != NULL && try_module_get(type->owner))
2040 return type;
2041
2042 lockdep_nfnl_nft_mutex_not_held();
2043#ifdef CONFIG_MODULES
2044 if (type == NULL) {
2045 nft_request_module(net, "nft-expr-%u-%.*s", family,
2046 nla_len(nla), (char *)nla_data(nla));
2047 if (__nft_expr_type_get(family, nla))
2048 return ERR_PTR(-EAGAIN);
2049
2050 nft_request_module(net, "nft-expr-%.*s",
2051 nla_len(nla), (char *)nla_data(nla));
2052 if (__nft_expr_type_get(family, nla))
2053 return ERR_PTR(-EAGAIN);
2054 }
2055#endif
2056 return ERR_PTR(-ENOENT);
2057}
2058
2059static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2060 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
2061 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2062};
2063
2064static int nf_tables_fill_expr_info(struct sk_buff *skb,
2065 const struct nft_expr *expr)
2066{
2067 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2068 goto nla_put_failure;
2069
2070 if (expr->ops->dump) {
2071 struct nlattr *data = nla_nest_start_noflag(skb,
2072 NFTA_EXPR_DATA);
2073 if (data == NULL)
2074 goto nla_put_failure;
2075 if (expr->ops->dump(skb, expr) < 0)
2076 goto nla_put_failure;
2077 nla_nest_end(skb, data);
2078 }
2079
2080 return skb->len;
2081
2082nla_put_failure:
2083 return -1;
2084};
2085
2086int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2087 const struct nft_expr *expr)
2088{
2089 struct nlattr *nest;
2090
2091 nest = nla_nest_start_noflag(skb, attr);
2092 if (!nest)
2093 goto nla_put_failure;
2094 if (nf_tables_fill_expr_info(skb, expr) < 0)
2095 goto nla_put_failure;
2096 nla_nest_end(skb, nest);
2097 return 0;
2098
2099nla_put_failure:
2100 return -1;
2101}
2102
2103struct nft_expr_info {
2104 const struct nft_expr_ops *ops;
2105 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2106};
2107
2108static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2109 const struct nlattr *nla,
2110 struct nft_expr_info *info)
2111{
2112 const struct nft_expr_type *type;
2113 const struct nft_expr_ops *ops;
2114 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2115 int err;
2116
2117 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2118 nft_expr_policy, NULL);
2119 if (err < 0)
2120 return err;
2121
2122 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2123 if (IS_ERR(type))
2124 return PTR_ERR(type);
2125
2126 if (tb[NFTA_EXPR_DATA]) {
2127 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2128 tb[NFTA_EXPR_DATA],
2129 type->policy, NULL);
2130 if (err < 0)
2131 goto err1;
2132 } else
2133 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2134
2135 if (type->select_ops != NULL) {
2136 ops = type->select_ops(ctx,
2137 (const struct nlattr * const *)info->tb);
2138 if (IS_ERR(ops)) {
2139 err = PTR_ERR(ops);
2140 goto err1;
2141 }
2142 } else
2143 ops = type->ops;
2144
2145 info->ops = ops;
2146 return 0;
2147
2148err1:
2149 module_put(type->owner);
2150 return err;
2151}
2152
2153static int nf_tables_newexpr(const struct nft_ctx *ctx,
2154 const struct nft_expr_info *info,
2155 struct nft_expr *expr)
2156{
2157 const struct nft_expr_ops *ops = info->ops;
2158 int err;
2159
2160 expr->ops = ops;
2161 if (ops->init) {
2162 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2163 if (err < 0)
2164 goto err1;
2165 }
2166
2167 return 0;
2168err1:
2169 expr->ops = NULL;
2170 return err;
2171}
2172
2173static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2174 struct nft_expr *expr)
2175{
2176 const struct nft_expr_type *type = expr->ops->type;
2177
2178 if (expr->ops->destroy)
2179 expr->ops->destroy(ctx, expr);
2180 module_put(type->owner);
2181}
2182
2183struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2184 const struct nlattr *nla)
2185{
2186 struct nft_expr_info info;
2187 struct nft_expr *expr;
2188 struct module *owner;
2189 int err;
2190
2191 err = nf_tables_expr_parse(ctx, nla, &info);
2192 if (err < 0)
2193 goto err1;
2194
2195 err = -ENOMEM;
2196 expr = kzalloc(info.ops->size, GFP_KERNEL);
2197 if (expr == NULL)
2198 goto err2;
2199
2200 err = nf_tables_newexpr(ctx, &info, expr);
2201 if (err < 0)
2202 goto err3;
2203
2204 return expr;
2205err3:
2206 kfree(expr);
2207err2:
2208 owner = info.ops->type->owner;
2209 if (info.ops->type->release_ops)
2210 info.ops->type->release_ops(info.ops);
2211
2212 module_put(owner);
2213err1:
2214 return ERR_PTR(err);
2215}
2216
2217void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2218{
2219 nf_tables_expr_destroy(ctx, expr);
2220 kfree(expr);
2221}
2222
2223
2224
2225
2226
2227static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2228 u64 handle)
2229{
2230 struct nft_rule *rule;
2231
2232
2233 list_for_each_entry_rcu(rule, &chain->rules, list) {
2234 if (handle == rule->handle)
2235 return rule;
2236 }
2237
2238 return ERR_PTR(-ENOENT);
2239}
2240
2241static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2242 const struct nlattr *nla)
2243{
2244 if (nla == NULL)
2245 return ERR_PTR(-EINVAL);
2246
2247 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2248}
2249
2250static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2251 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2252 .len = NFT_TABLE_MAXNAMELEN - 1 },
2253 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2254 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2255 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2256 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2257 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2258 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2259 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2260 .len = NFT_USERDATA_MAXLEN },
2261 [NFTA_RULE_ID] = { .type = NLA_U32 },
2262 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2263};
2264
2265static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2266 u32 portid, u32 seq, int event,
2267 u32 flags, int family,
2268 const struct nft_table *table,
2269 const struct nft_chain *chain,
2270 const struct nft_rule *rule,
2271 const struct nft_rule *prule)
2272{
2273 struct nlmsghdr *nlh;
2274 struct nfgenmsg *nfmsg;
2275 const struct nft_expr *expr, *next;
2276 struct nlattr *list;
2277 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2278
2279 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2280 if (nlh == NULL)
2281 goto nla_put_failure;
2282
2283 nfmsg = nlmsg_data(nlh);
2284 nfmsg->nfgen_family = family;
2285 nfmsg->version = NFNETLINK_V0;
2286 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2287
2288 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2289 goto nla_put_failure;
2290 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2291 goto nla_put_failure;
2292 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2293 NFTA_RULE_PAD))
2294 goto nla_put_failure;
2295
2296 if (event != NFT_MSG_DELRULE && prule) {
2297 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2298 cpu_to_be64(prule->handle),
2299 NFTA_RULE_PAD))
2300 goto nla_put_failure;
2301 }
2302
2303 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
2304 if (list == NULL)
2305 goto nla_put_failure;
2306 nft_rule_for_each_expr(expr, next, rule) {
2307 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2308 goto nla_put_failure;
2309 }
2310 nla_nest_end(skb, list);
2311
2312 if (rule->udata) {
2313 struct nft_userdata *udata = nft_userdata(rule);
2314 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2315 udata->data) < 0)
2316 goto nla_put_failure;
2317 }
2318
2319 nlmsg_end(skb, nlh);
2320 return 0;
2321
2322nla_put_failure:
2323 nlmsg_trim(skb, nlh);
2324 return -1;
2325}
2326
2327static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2328 const struct nft_rule *rule, int event)
2329{
2330 struct sk_buff *skb;
2331 int err;
2332
2333 if (!ctx->report &&
2334 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2335 return;
2336
2337 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2338 if (skb == NULL)
2339 goto err;
2340
2341 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2342 event, 0, ctx->family, ctx->table,
2343 ctx->chain, rule, NULL);
2344 if (err < 0) {
2345 kfree_skb(skb);
2346 goto err;
2347 }
2348
2349 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2350 ctx->report, GFP_KERNEL);
2351 return;
2352err:
2353 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2354}
2355
2356struct nft_rule_dump_ctx {
2357 char *table;
2358 char *chain;
2359};
2360
2361static int __nf_tables_dump_rules(struct sk_buff *skb,
2362 unsigned int *idx,
2363 struct netlink_callback *cb,
2364 const struct nft_table *table,
2365 const struct nft_chain *chain)
2366{
2367 struct net *net = sock_net(skb->sk);
2368 const struct nft_rule *rule, *prule;
2369 unsigned int s_idx = cb->args[0];
2370
2371 prule = NULL;
2372 list_for_each_entry_rcu(rule, &chain->rules, list) {
2373 if (!nft_is_active(net, rule))
2374 goto cont_skip;
2375 if (*idx < s_idx)
2376 goto cont;
2377 if (*idx > s_idx) {
2378 memset(&cb->args[1], 0,
2379 sizeof(cb->args) - sizeof(cb->args[0]));
2380 }
2381 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2382 cb->nlh->nlmsg_seq,
2383 NFT_MSG_NEWRULE,
2384 NLM_F_MULTI | NLM_F_APPEND,
2385 table->family,
2386 table, chain, rule, prule) < 0)
2387 return 1;
2388
2389 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2390cont:
2391 prule = rule;
2392cont_skip:
2393 (*idx)++;
2394 }
2395 return 0;
2396}
2397
2398static int nf_tables_dump_rules(struct sk_buff *skb,
2399 struct netlink_callback *cb)
2400{
2401 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2402 const struct nft_rule_dump_ctx *ctx = cb->data;
2403 struct nft_table *table;
2404 const struct nft_chain *chain;
2405 unsigned int idx = 0;
2406 struct net *net = sock_net(skb->sk);
2407 int family = nfmsg->nfgen_family;
2408
2409 rcu_read_lock();
2410 cb->seq = net->nft.base_seq;
2411
2412 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2413 if (family != NFPROTO_UNSPEC && family != table->family)
2414 continue;
2415
2416 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2417 continue;
2418
2419 if (ctx && ctx->table && ctx->chain) {
2420 struct rhlist_head *list, *tmp;
2421
2422 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2423 nft_chain_ht_params);
2424 if (!list)
2425 goto done;
2426
2427 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2428 if (!nft_is_active(net, chain))
2429 continue;
2430 __nf_tables_dump_rules(skb, &idx,
2431 cb, table, chain);
2432 break;
2433 }
2434 goto done;
2435 }
2436
2437 list_for_each_entry_rcu(chain, &table->chains, list) {
2438 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2439 goto done;
2440 }
2441
2442 if (ctx && ctx->table)
2443 break;
2444 }
2445done:
2446 rcu_read_unlock();
2447
2448 cb->args[0] = idx;
2449 return skb->len;
2450}
2451
2452static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2453{
2454 const struct nlattr * const *nla = cb->data;
2455 struct nft_rule_dump_ctx *ctx = NULL;
2456
2457 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2458 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2459 if (!ctx)
2460 return -ENOMEM;
2461
2462 if (nla[NFTA_RULE_TABLE]) {
2463 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2464 GFP_ATOMIC);
2465 if (!ctx->table) {
2466 kfree(ctx);
2467 return -ENOMEM;
2468 }
2469 }
2470 if (nla[NFTA_RULE_CHAIN]) {
2471 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2472 GFP_ATOMIC);
2473 if (!ctx->chain) {
2474 kfree(ctx->table);
2475 kfree(ctx);
2476 return -ENOMEM;
2477 }
2478 }
2479 }
2480
2481 cb->data = ctx;
2482 return 0;
2483}
2484
2485static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2486{
2487 struct nft_rule_dump_ctx *ctx = cb->data;
2488
2489 if (ctx) {
2490 kfree(ctx->table);
2491 kfree(ctx->chain);
2492 kfree(ctx);
2493 }
2494 return 0;
2495}
2496
2497
2498static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2499 struct sk_buff *skb, const struct nlmsghdr *nlh,
2500 const struct nlattr * const nla[],
2501 struct netlink_ext_ack *extack)
2502{
2503 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2504 u8 genmask = nft_genmask_cur(net);
2505 const struct nft_chain *chain;
2506 const struct nft_rule *rule;
2507 struct nft_table *table;
2508 struct sk_buff *skb2;
2509 int family = nfmsg->nfgen_family;
2510 int err;
2511
2512 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2513 struct netlink_dump_control c = {
2514 .start= nf_tables_dump_rules_start,
2515 .dump = nf_tables_dump_rules,
2516 .done = nf_tables_dump_rules_done,
2517 .module = THIS_MODULE,
2518 .data = (void *)nla,
2519 };
2520
2521 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
2522 }
2523
2524 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2525 if (IS_ERR(table)) {
2526 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2527 return PTR_ERR(table);
2528 }
2529
2530 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2531 if (IS_ERR(chain)) {
2532 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2533 return PTR_ERR(chain);
2534 }
2535
2536 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2537 if (IS_ERR(rule)) {
2538 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2539 return PTR_ERR(rule);
2540 }
2541
2542 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2543 if (!skb2)
2544 return -ENOMEM;
2545
2546 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2547 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2548 family, table, chain, rule, NULL);
2549 if (err < 0)
2550 goto err;
2551
2552 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2553
2554err:
2555 kfree_skb(skb2);
2556 return err;
2557}
2558
2559static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2560 struct nft_rule *rule)
2561{
2562 struct nft_expr *expr, *next;
2563
2564
2565
2566
2567
2568 expr = nft_expr_first(rule);
2569 while (expr != nft_expr_last(rule) && expr->ops) {
2570 next = nft_expr_next(expr);
2571 nf_tables_expr_destroy(ctx, expr);
2572 expr = next;
2573 }
2574 kfree(rule);
2575}
2576
2577static void nf_tables_rule_release(const struct nft_ctx *ctx,
2578 struct nft_rule *rule)
2579{
2580 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
2581 nf_tables_rule_destroy(ctx, rule);
2582}
2583
2584int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
2585{
2586 struct nft_expr *expr, *last;
2587 const struct nft_data *data;
2588 struct nft_rule *rule;
2589 int err;
2590
2591 if (ctx->level == NFT_JUMP_STACK_SIZE)
2592 return -EMLINK;
2593
2594 list_for_each_entry(rule, &chain->rules, list) {
2595 if (!nft_is_active_next(ctx->net, rule))
2596 continue;
2597
2598 nft_rule_for_each_expr(expr, last, rule) {
2599 if (!expr->ops->validate)
2600 continue;
2601
2602 err = expr->ops->validate(ctx, expr, &data);
2603 if (err < 0)
2604 return err;
2605 }
2606 }
2607
2608 return 0;
2609}
2610EXPORT_SYMBOL_GPL(nft_chain_validate);
2611
2612static int nft_table_validate(struct net *net, const struct nft_table *table)
2613{
2614 struct nft_chain *chain;
2615 struct nft_ctx ctx = {
2616 .net = net,
2617 .family = table->family,
2618 };
2619 int err;
2620
2621 list_for_each_entry(chain, &table->chains, list) {
2622 if (!nft_is_base_chain(chain))
2623 continue;
2624
2625 ctx.chain = chain;
2626 err = nft_chain_validate(&ctx, chain);
2627 if (err < 0)
2628 return err;
2629 }
2630
2631 return 0;
2632}
2633
2634static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2635 const struct nlattr *nla);
2636
2637#define NFT_RULE_MAXEXPRS 128
2638
2639static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2640 struct sk_buff *skb, const struct nlmsghdr *nlh,
2641 const struct nlattr * const nla[],
2642 struct netlink_ext_ack *extack)
2643{
2644 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2645 u8 genmask = nft_genmask_next(net);
2646 struct nft_expr_info *info = NULL;
2647 int family = nfmsg->nfgen_family;
2648 struct nft_table *table;
2649 struct nft_chain *chain;
2650 struct nft_rule *rule, *old_rule = NULL;
2651 struct nft_userdata *udata;
2652 struct nft_trans *trans = NULL;
2653 struct nft_expr *expr;
2654 struct nft_ctx ctx;
2655 struct nlattr *tmp;
2656 unsigned int size, i, n, ulen = 0, usize = 0;
2657 int err, rem;
2658 u64 handle, pos_handle;
2659
2660 lockdep_assert_held(&net->nft.commit_mutex);
2661
2662 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2663 if (IS_ERR(table)) {
2664 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2665 return PTR_ERR(table);
2666 }
2667
2668 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2669 if (IS_ERR(chain)) {
2670 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2671 return PTR_ERR(chain);
2672 }
2673
2674 if (nla[NFTA_RULE_HANDLE]) {
2675 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2676 rule = __nft_rule_lookup(chain, handle);
2677 if (IS_ERR(rule)) {
2678 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2679 return PTR_ERR(rule);
2680 }
2681
2682 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2683 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2684 return -EEXIST;
2685 }
2686 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2687 old_rule = rule;
2688 else
2689 return -EOPNOTSUPP;
2690 } else {
2691 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
2692 nlh->nlmsg_flags & NLM_F_REPLACE)
2693 return -EINVAL;
2694 handle = nf_tables_alloc_handle(table);
2695
2696 if (chain->use == UINT_MAX)
2697 return -EOVERFLOW;
2698
2699 if (nla[NFTA_RULE_POSITION]) {
2700 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2701 old_rule = __nft_rule_lookup(chain, pos_handle);
2702 if (IS_ERR(old_rule)) {
2703 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
2704 return PTR_ERR(old_rule);
2705 }
2706 } else if (nla[NFTA_RULE_POSITION_ID]) {
2707 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
2708 if (IS_ERR(old_rule)) {
2709 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
2710 return PTR_ERR(old_rule);
2711 }
2712 }
2713 }
2714
2715 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2716
2717 n = 0;
2718 size = 0;
2719 if (nla[NFTA_RULE_EXPRESSIONS]) {
2720 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
2721 sizeof(struct nft_expr_info),
2722 GFP_KERNEL);
2723 if (!info)
2724 return -ENOMEM;
2725
2726 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2727 err = -EINVAL;
2728 if (nla_type(tmp) != NFTA_LIST_ELEM)
2729 goto err1;
2730 if (n == NFT_RULE_MAXEXPRS)
2731 goto err1;
2732 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2733 if (err < 0)
2734 goto err1;
2735 size += info[n].ops->size;
2736 n++;
2737 }
2738 }
2739
2740 err = -EFBIG;
2741 if (size >= 1 << 12)
2742 goto err1;
2743
2744 if (nla[NFTA_RULE_USERDATA]) {
2745 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2746 if (ulen > 0)
2747 usize = sizeof(struct nft_userdata) + ulen;
2748 }
2749
2750 err = -ENOMEM;
2751 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2752 if (rule == NULL)
2753 goto err1;
2754
2755 nft_activate_next(net, rule);
2756
2757 rule->handle = handle;
2758 rule->dlen = size;
2759 rule->udata = ulen ? 1 : 0;
2760
2761 if (ulen) {
2762 udata = nft_userdata(rule);
2763 udata->len = ulen - 1;
2764 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2765 }
2766
2767 expr = nft_expr_first(rule);
2768 for (i = 0; i < n; i++) {
2769 err = nf_tables_newexpr(&ctx, &info[i], expr);
2770 if (err < 0)
2771 goto err2;
2772
2773 if (info[i].ops->validate)
2774 nft_validate_state_update(net, NFT_VALIDATE_NEED);
2775
2776 info[i].ops = NULL;
2777 expr = nft_expr_next(expr);
2778 }
2779
2780 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2781 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
2782 if (trans == NULL) {
2783 err = -ENOMEM;
2784 goto err2;
2785 }
2786 err = nft_delrule(&ctx, old_rule);
2787 if (err < 0) {
2788 nft_trans_destroy(trans);
2789 goto err2;
2790 }
2791
2792 list_add_tail_rcu(&rule->list, &old_rule->list);
2793 } else {
2794 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2795 err = -ENOMEM;
2796 goto err2;
2797 }
2798
2799 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2800 if (old_rule)
2801 list_add_rcu(&rule->list, &old_rule->list);
2802 else
2803 list_add_tail_rcu(&rule->list, &chain->rules);
2804 } else {
2805 if (old_rule)
2806 list_add_tail_rcu(&rule->list, &old_rule->list);
2807 else
2808 list_add_rcu(&rule->list, &chain->rules);
2809 }
2810 }
2811 kvfree(info);
2812 chain->use++;
2813
2814 if (net->nft.validate_state == NFT_VALIDATE_DO)
2815 return nft_table_validate(net, table);
2816
2817 return 0;
2818err2:
2819 nf_tables_rule_release(&ctx, rule);
2820err1:
2821 for (i = 0; i < n; i++) {
2822 if (info[i].ops) {
2823 module_put(info[i].ops->type->owner);
2824 if (info[i].ops->type->release_ops)
2825 info[i].ops->type->release_ops(info[i].ops);
2826 }
2827 }
2828 kvfree(info);
2829 return err;
2830}
2831
2832static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2833 const struct nlattr *nla)
2834{
2835 u32 id = ntohl(nla_get_be32(nla));
2836 struct nft_trans *trans;
2837
2838 list_for_each_entry(trans, &net->nft.commit_list, list) {
2839 struct nft_rule *rule = nft_trans_rule(trans);
2840
2841 if (trans->msg_type == NFT_MSG_NEWRULE &&
2842 id == nft_trans_rule_id(trans))
2843 return rule;
2844 }
2845 return ERR_PTR(-ENOENT);
2846}
2847
2848static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2849 struct sk_buff *skb, const struct nlmsghdr *nlh,
2850 const struct nlattr * const nla[],
2851 struct netlink_ext_ack *extack)
2852{
2853 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2854 u8 genmask = nft_genmask_next(net);
2855 struct nft_table *table;
2856 struct nft_chain *chain = NULL;
2857 struct nft_rule *rule;
2858 int family = nfmsg->nfgen_family, err = 0;
2859 struct nft_ctx ctx;
2860
2861 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2862 if (IS_ERR(table)) {
2863 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2864 return PTR_ERR(table);
2865 }
2866
2867 if (nla[NFTA_RULE_CHAIN]) {
2868 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
2869 genmask);
2870 if (IS_ERR(chain)) {
2871 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2872 return PTR_ERR(chain);
2873 }
2874 }
2875
2876 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2877
2878 if (chain) {
2879 if (nla[NFTA_RULE_HANDLE]) {
2880 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2881 if (IS_ERR(rule)) {
2882 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2883 return PTR_ERR(rule);
2884 }
2885
2886 err = nft_delrule(&ctx, rule);
2887 } else if (nla[NFTA_RULE_ID]) {
2888 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2889 if (IS_ERR(rule)) {
2890 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
2891 return PTR_ERR(rule);
2892 }
2893
2894 err = nft_delrule(&ctx, rule);
2895 } else {
2896 err = nft_delrule_by_chain(&ctx);
2897 }
2898 } else {
2899 list_for_each_entry(chain, &table->chains, list) {
2900 if (!nft_is_active_next(net, chain))
2901 continue;
2902
2903 ctx.chain = chain;
2904 err = nft_delrule_by_chain(&ctx);
2905 if (err < 0)
2906 break;
2907 }
2908 }
2909
2910 return err;
2911}
2912
2913
2914
2915
2916
2917static LIST_HEAD(nf_tables_set_types);
2918
2919int nft_register_set(struct nft_set_type *type)
2920{
2921 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2922 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2923 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2924 return 0;
2925}
2926EXPORT_SYMBOL_GPL(nft_register_set);
2927
2928void nft_unregister_set(struct nft_set_type *type)
2929{
2930 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2931 list_del_rcu(&type->list);
2932 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2933}
2934EXPORT_SYMBOL_GPL(nft_unregister_set);
2935
2936#define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2937 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
2938 NFT_SET_EVAL)
2939
2940static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
2941{
2942 return (flags & type->features) == (flags & NFT_SET_FEATURES);
2943}
2944
2945
2946
2947
2948
2949
2950static const struct nft_set_ops *
2951nft_select_set_ops(const struct nft_ctx *ctx,
2952 const struct nlattr * const nla[],
2953 const struct nft_set_desc *desc,
2954 enum nft_set_policies policy)
2955{
2956 const struct nft_set_ops *ops, *bops;
2957 struct nft_set_estimate est, best;
2958 const struct nft_set_type *type;
2959 u32 flags = 0;
2960
2961 lockdep_assert_held(&ctx->net->nft.commit_mutex);
2962 lockdep_nfnl_nft_mutex_not_held();
2963#ifdef CONFIG_MODULES
2964 if (list_empty(&nf_tables_set_types)) {
2965 nft_request_module(ctx->net, "nft-set");
2966 if (!list_empty(&nf_tables_set_types))
2967 return ERR_PTR(-EAGAIN);
2968 }
2969#endif
2970 if (nla[NFTA_SET_FLAGS] != NULL)
2971 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2972
2973 bops = NULL;
2974 best.size = ~0;
2975 best.lookup = ~0;
2976 best.space = ~0;
2977
2978 list_for_each_entry(type, &nf_tables_set_types, list) {
2979 ops = &type->ops;
2980
2981 if (!nft_set_ops_candidate(type, flags))
2982 continue;
2983 if (!ops->estimate(desc, flags, &est))
2984 continue;
2985
2986 switch (policy) {
2987 case NFT_SET_POL_PERFORMANCE:
2988 if (est.lookup < best.lookup)
2989 break;
2990 if (est.lookup == best.lookup &&
2991 est.space < best.space)
2992 break;
2993 continue;
2994 case NFT_SET_POL_MEMORY:
2995 if (!desc->size) {
2996 if (est.space < best.space)
2997 break;
2998 if (est.space == best.space &&
2999 est.lookup < best.lookup)
3000 break;
3001 } else if (est.size < best.size || !bops) {
3002 break;
3003 }
3004 continue;
3005 default:
3006 break;
3007 }
3008
3009 if (!try_module_get(type->owner))
3010 continue;
3011 if (bops != NULL)
3012 module_put(to_set_type(bops)->owner);
3013
3014 bops = ops;
3015 best = est;
3016 }
3017
3018 if (bops != NULL)
3019 return bops;
3020
3021 return ERR_PTR(-EOPNOTSUPP);
3022}
3023
3024static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3025 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3026 .len = NFT_TABLE_MAXNAMELEN - 1 },
3027 [NFTA_SET_NAME] = { .type = NLA_STRING,
3028 .len = NFT_SET_MAXNAMELEN - 1 },
3029 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3030 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3031 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3032 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3033 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3034 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3035 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3036 [NFTA_SET_ID] = { .type = NLA_U32 },
3037 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3038 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3039 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3040 .len = NFT_USERDATA_MAXLEN },
3041 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3042 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3043};
3044
3045static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3046 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3047};
3048
3049static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3050 const struct sk_buff *skb,
3051 const struct nlmsghdr *nlh,
3052 const struct nlattr * const nla[],
3053 struct netlink_ext_ack *extack,
3054 u8 genmask)
3055{
3056 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3057 int family = nfmsg->nfgen_family;
3058 struct nft_table *table = NULL;
3059
3060 if (nla[NFTA_SET_TABLE] != NULL) {
3061 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3062 genmask);
3063 if (IS_ERR(table)) {
3064 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3065 return PTR_ERR(table);
3066 }
3067 }
3068
3069 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3070 return 0;
3071}
3072
3073static struct nft_set *nft_set_lookup(const struct nft_table *table,
3074 const struct nlattr *nla, u8 genmask)
3075{
3076 struct nft_set *set;
3077
3078 if (nla == NULL)
3079 return ERR_PTR(-EINVAL);
3080
3081 list_for_each_entry_rcu(set, &table->sets, list) {
3082 if (!nla_strcmp(nla, set->name) &&
3083 nft_active_genmask(set, genmask))
3084 return set;
3085 }
3086 return ERR_PTR(-ENOENT);
3087}
3088
3089static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3090 const struct nlattr *nla,
3091 u8 genmask)
3092{
3093 struct nft_set *set;
3094
3095 list_for_each_entry(set, &table->sets, list) {
3096 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3097 nft_active_genmask(set, genmask))
3098 return set;
3099 }
3100 return ERR_PTR(-ENOENT);
3101}
3102
3103static struct nft_set *nft_set_lookup_byid(const struct net *net,
3104 const struct nlattr *nla, u8 genmask)
3105{
3106 struct nft_trans *trans;
3107 u32 id = ntohl(nla_get_be32(nla));
3108
3109 list_for_each_entry(trans, &net->nft.commit_list, list) {
3110 if (trans->msg_type == NFT_MSG_NEWSET) {
3111 struct nft_set *set = nft_trans_set(trans);
3112
3113 if (id == nft_trans_set_id(trans) &&
3114 nft_active_genmask(set, genmask))
3115 return set;
3116 }
3117 }
3118 return ERR_PTR(-ENOENT);
3119}
3120
3121struct nft_set *nft_set_lookup_global(const struct net *net,
3122 const struct nft_table *table,
3123 const struct nlattr *nla_set_name,
3124 const struct nlattr *nla_set_id,
3125 u8 genmask)
3126{
3127 struct nft_set *set;
3128
3129 set = nft_set_lookup(table, nla_set_name, genmask);
3130 if (IS_ERR(set)) {
3131 if (!nla_set_id)
3132 return set;
3133
3134 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3135 }
3136 return set;
3137}
3138EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3139
3140static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3141 const char *name)
3142{
3143 const struct nft_set *i;
3144 const char *p;
3145 unsigned long *inuse;
3146 unsigned int n = 0, min = 0;
3147
3148 p = strchr(name, '%');
3149 if (p != NULL) {
3150 if (p[1] != 'd' || strchr(p + 2, '%'))
3151 return -EINVAL;
3152
3153 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3154 if (inuse == NULL)
3155 return -ENOMEM;
3156cont:
3157 list_for_each_entry(i, &ctx->table->sets, list) {
3158 int tmp;
3159
3160 if (!nft_is_active_next(ctx->net, set))
3161 continue;
3162 if (!sscanf(i->name, name, &tmp))
3163 continue;
3164 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3165 continue;
3166
3167 set_bit(tmp - min, inuse);
3168 }
3169
3170 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3171 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3172 min += BITS_PER_BYTE * PAGE_SIZE;
3173 memset(inuse, 0, PAGE_SIZE);
3174 goto cont;
3175 }
3176 free_page((unsigned long)inuse);
3177 }
3178
3179 set->name = kasprintf(GFP_KERNEL, name, min + n);
3180 if (!set->name)
3181 return -ENOMEM;
3182
3183 list_for_each_entry(i, &ctx->table->sets, list) {
3184 if (!nft_is_active_next(ctx->net, i))
3185 continue;
3186 if (!strcmp(set->name, i->name)) {
3187 kfree(set->name);
3188 return -ENFILE;
3189 }
3190 }
3191 return 0;
3192}
3193
3194static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3195{
3196 u64 ms = be64_to_cpu(nla_get_be64(nla));
3197 u64 max = (u64)(~((u64)0));
3198
3199 max = div_u64(max, NSEC_PER_MSEC);
3200 if (ms >= max)
3201 return -ERANGE;
3202
3203 ms *= NSEC_PER_MSEC;
3204 *result = nsecs_to_jiffies64(ms);
3205 return 0;
3206}
3207
3208static __be64 nf_jiffies64_to_msecs(u64 input)
3209{
3210 return cpu_to_be64(jiffies64_to_msecs(input));
3211}
3212
3213static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3214 const struct nft_set *set, u16 event, u16 flags)
3215{
3216 struct nfgenmsg *nfmsg;
3217 struct nlmsghdr *nlh;
3218 struct nlattr *desc;
3219 u32 portid = ctx->portid;
3220 u32 seq = ctx->seq;
3221
3222 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3223 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3224 flags);
3225 if (nlh == NULL)
3226 goto nla_put_failure;
3227
3228 nfmsg = nlmsg_data(nlh);
3229 nfmsg->nfgen_family = ctx->family;
3230 nfmsg->version = NFNETLINK_V0;
3231 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3232
3233 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3234 goto nla_put_failure;
3235 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3236 goto nla_put_failure;
3237 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3238 NFTA_SET_PAD))
3239 goto nla_put_failure;
3240 if (set->flags != 0)
3241 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3242 goto nla_put_failure;
3243
3244 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3245 goto nla_put_failure;
3246 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3247 goto nla_put_failure;
3248 if (set->flags & NFT_SET_MAP) {
3249 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3250 goto nla_put_failure;
3251 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3252 goto nla_put_failure;
3253 }
3254 if (set->flags & NFT_SET_OBJECT &&
3255 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3256 goto nla_put_failure;
3257
3258 if (set->timeout &&
3259 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3260 nf_jiffies64_to_msecs(set->timeout),
3261 NFTA_SET_PAD))
3262 goto nla_put_failure;
3263 if (set->gc_int &&
3264 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3265 goto nla_put_failure;
3266
3267 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3268 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3269 goto nla_put_failure;
3270 }
3271
3272 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3273 goto nla_put_failure;
3274
3275 desc = nla_nest_start_noflag(skb, NFTA_SET_DESC);
3276 if (desc == NULL)
3277 goto nla_put_failure;
3278 if (set->size &&
3279 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3280 goto nla_put_failure;
3281 nla_nest_end(skb, desc);
3282
3283 nlmsg_end(skb, nlh);
3284 return 0;
3285
3286nla_put_failure:
3287 nlmsg_trim(skb, nlh);
3288 return -1;
3289}
3290
3291static void nf_tables_set_notify(const struct nft_ctx *ctx,
3292 const struct nft_set *set, int event,
3293 gfp_t gfp_flags)
3294{
3295 struct sk_buff *skb;
3296 u32 portid = ctx->portid;
3297 int err;
3298
3299 if (!ctx->report &&
3300 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3301 return;
3302
3303 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3304 if (skb == NULL)
3305 goto err;
3306
3307 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3308 if (err < 0) {
3309 kfree_skb(skb);
3310 goto err;
3311 }
3312
3313 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
3314 gfp_flags);
3315 return;
3316err:
3317 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3318}
3319
3320static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3321{
3322 const struct nft_set *set;
3323 unsigned int idx, s_idx = cb->args[0];
3324 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3325 struct net *net = sock_net(skb->sk);
3326 struct nft_ctx *ctx = cb->data, ctx_set;
3327
3328 if (cb->args[1])
3329 return skb->len;
3330
3331 rcu_read_lock();
3332 cb->seq = net->nft.base_seq;
3333
3334 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3335 if (ctx->family != NFPROTO_UNSPEC &&
3336 ctx->family != table->family)
3337 continue;
3338
3339 if (ctx->table && ctx->table != table)
3340 continue;
3341
3342 if (cur_table) {
3343 if (cur_table != table)
3344 continue;
3345
3346 cur_table = NULL;
3347 }
3348 idx = 0;
3349 list_for_each_entry_rcu(set, &table->sets, list) {
3350 if (idx < s_idx)
3351 goto cont;
3352 if (!nft_is_active(net, set))
3353 goto cont;
3354
3355 ctx_set = *ctx;
3356 ctx_set.table = table;
3357 ctx_set.family = table->family;
3358
3359 if (nf_tables_fill_set(skb, &ctx_set, set,
3360 NFT_MSG_NEWSET,
3361 NLM_F_MULTI) < 0) {
3362 cb->args[0] = idx;
3363 cb->args[2] = (unsigned long) table;
3364 goto done;
3365 }
3366 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3367cont:
3368 idx++;
3369 }
3370 if (s_idx)
3371 s_idx = 0;
3372 }
3373 cb->args[1] = 1;
3374done:
3375 rcu_read_unlock();
3376 return skb->len;
3377}
3378
3379static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3380{
3381 struct nft_ctx *ctx_dump = NULL;
3382
3383 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
3384 if (ctx_dump == NULL)
3385 return -ENOMEM;
3386
3387 cb->data = ctx_dump;
3388 return 0;
3389}
3390
3391static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3392{
3393 kfree(cb->data);
3394 return 0;
3395}
3396
3397
3398static int nf_tables_getset(struct net *net, struct sock *nlsk,
3399 struct sk_buff *skb, const struct nlmsghdr *nlh,
3400 const struct nlattr * const nla[],
3401 struct netlink_ext_ack *extack)
3402{
3403 u8 genmask = nft_genmask_cur(net);
3404 const struct nft_set *set;
3405 struct nft_ctx ctx;
3406 struct sk_buff *skb2;
3407 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3408 int err;
3409
3410
3411 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3412 genmask);
3413 if (err < 0)
3414 return err;
3415
3416 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3417 struct netlink_dump_control c = {
3418 .start = nf_tables_dump_sets_start,
3419 .dump = nf_tables_dump_sets,
3420 .done = nf_tables_dump_sets_done,
3421 .data = &ctx,
3422 .module = THIS_MODULE,
3423 };
3424
3425 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3426 }
3427
3428
3429 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3430 return -EAFNOSUPPORT;
3431 if (!nla[NFTA_SET_TABLE])
3432 return -EINVAL;
3433
3434 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3435 if (IS_ERR(set))
3436 return PTR_ERR(set);
3437
3438 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3439 if (skb2 == NULL)
3440 return -ENOMEM;
3441
3442 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3443 if (err < 0)
3444 goto err;
3445
3446 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3447
3448err:
3449 kfree_skb(skb2);
3450 return err;
3451}
3452
3453static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
3454 const struct nlattr *nla)
3455{
3456 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3457 int err;
3458
3459 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
3460 nft_set_desc_policy, NULL);
3461 if (err < 0)
3462 return err;
3463
3464 if (da[NFTA_SET_DESC_SIZE] != NULL)
3465 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3466
3467 return 0;
3468}
3469
3470static int nf_tables_newset(struct net *net, struct sock *nlsk,
3471 struct sk_buff *skb, const struct nlmsghdr *nlh,
3472 const struct nlattr * const nla[],
3473 struct netlink_ext_ack *extack)
3474{
3475 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3476 u8 genmask = nft_genmask_next(net);
3477 int family = nfmsg->nfgen_family;
3478 const struct nft_set_ops *ops;
3479 struct nft_table *table;
3480 struct nft_set *set;
3481 struct nft_ctx ctx;
3482 char *name;
3483 u64 size;
3484 u64 timeout;
3485 u32 ktype, dtype, flags, policy, gc_int, objtype;
3486 struct nft_set_desc desc;
3487 unsigned char *udata;
3488 u16 udlen;
3489 int err;
3490
3491 if (nla[NFTA_SET_TABLE] == NULL ||
3492 nla[NFTA_SET_NAME] == NULL ||
3493 nla[NFTA_SET_KEY_LEN] == NULL ||
3494 nla[NFTA_SET_ID] == NULL)
3495 return -EINVAL;
3496
3497 memset(&desc, 0, sizeof(desc));
3498
3499 ktype = NFT_DATA_VALUE;
3500 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3501 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3502 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3503 return -EINVAL;
3504 }
3505
3506 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3507 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3508 return -EINVAL;
3509
3510 flags = 0;
3511 if (nla[NFTA_SET_FLAGS] != NULL) {
3512 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3513 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3514 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3515 NFT_SET_MAP | NFT_SET_EVAL |
3516 NFT_SET_OBJECT))
3517 return -EINVAL;
3518
3519 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3520 (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
3521 return -EOPNOTSUPP;
3522 }
3523
3524 dtype = 0;
3525 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3526 if (!(flags & NFT_SET_MAP))
3527 return -EINVAL;
3528
3529 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3530 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3531 dtype != NFT_DATA_VERDICT)
3532 return -EINVAL;
3533
3534 if (dtype != NFT_DATA_VERDICT) {
3535 if (nla[NFTA_SET_DATA_LEN] == NULL)
3536 return -EINVAL;
3537 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3538 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3539 return -EINVAL;
3540 } else
3541 desc.dlen = sizeof(struct nft_verdict);
3542 } else if (flags & NFT_SET_MAP)
3543 return -EINVAL;
3544
3545 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3546 if (!(flags & NFT_SET_OBJECT))
3547 return -EINVAL;
3548
3549 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3550 if (objtype == NFT_OBJECT_UNSPEC ||
3551 objtype > NFT_OBJECT_MAX)
3552 return -EINVAL;
3553 } else if (flags & NFT_SET_OBJECT)
3554 return -EINVAL;
3555 else
3556 objtype = NFT_OBJECT_UNSPEC;
3557
3558 timeout = 0;
3559 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3560 if (!(flags & NFT_SET_TIMEOUT))
3561 return -EINVAL;
3562
3563 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
3564 if (err)
3565 return err;
3566 }
3567 gc_int = 0;
3568 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3569 if (!(flags & NFT_SET_TIMEOUT))
3570 return -EINVAL;
3571 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3572 }
3573
3574 policy = NFT_SET_POL_PERFORMANCE;
3575 if (nla[NFTA_SET_POLICY] != NULL)
3576 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3577
3578 if (nla[NFTA_SET_DESC] != NULL) {
3579 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
3580 if (err < 0)
3581 return err;
3582 }
3583
3584 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
3585 if (IS_ERR(table)) {
3586 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3587 return PTR_ERR(table);
3588 }
3589
3590 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3591
3592 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3593 if (IS_ERR(set)) {
3594 if (PTR_ERR(set) != -ENOENT) {
3595 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3596 return PTR_ERR(set);
3597 }
3598 } else {
3599 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3600 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3601 return -EEXIST;
3602 }
3603 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3604 return -EOPNOTSUPP;
3605
3606 return 0;
3607 }
3608
3609 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3610 return -ENOENT;
3611
3612 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3613 if (IS_ERR(ops))
3614 return PTR_ERR(ops);
3615
3616 udlen = 0;
3617 if (nla[NFTA_SET_USERDATA])
3618 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3619
3620 size = 0;
3621 if (ops->privsize != NULL)
3622 size = ops->privsize(nla, &desc);
3623
3624 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3625 if (!set) {
3626 err = -ENOMEM;
3627 goto err1;
3628 }
3629
3630 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3631 if (!name) {
3632 err = -ENOMEM;
3633 goto err2;
3634 }
3635
3636 err = nf_tables_set_alloc_name(&ctx, set, name);
3637 kfree(name);
3638 if (err < 0)
3639 goto err2;
3640
3641 udata = NULL;
3642 if (udlen) {
3643 udata = set->data + size;
3644 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3645 }
3646
3647 INIT_LIST_HEAD(&set->bindings);
3648 set->table = table;
3649 write_pnet(&set->net, net);
3650 set->ops = ops;
3651 set->ktype = ktype;
3652 set->klen = desc.klen;
3653 set->dtype = dtype;
3654 set->objtype = objtype;
3655 set->dlen = desc.dlen;
3656 set->flags = flags;
3657 set->size = desc.size;
3658 set->policy = policy;
3659 set->udlen = udlen;
3660 set->udata = udata;
3661 set->timeout = timeout;
3662 set->gc_int = gc_int;
3663 set->handle = nf_tables_alloc_handle(table);
3664
3665 err = ops->init(set, &desc, nla);
3666 if (err < 0)
3667 goto err3;
3668
3669 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3670 if (err < 0)
3671 goto err4;
3672
3673 list_add_tail_rcu(&set->list, &table->sets);
3674 table->use++;
3675 return 0;
3676
3677err4:
3678 ops->destroy(set);
3679err3:
3680 kfree(set->name);
3681err2:
3682 kvfree(set);
3683err1:
3684 module_put(to_set_type(ops)->owner);
3685 return err;
3686}
3687
3688static void nft_set_destroy(struct nft_set *set)
3689{
3690 if (WARN_ON(set->use > 0))
3691 return;
3692
3693 set->ops->destroy(set);
3694 module_put(to_set_type(set->ops)->owner);
3695 kfree(set->name);
3696 kvfree(set);
3697}
3698
3699static int nf_tables_delset(struct net *net, struct sock *nlsk,
3700 struct sk_buff *skb, const struct nlmsghdr *nlh,
3701 const struct nlattr * const nla[],
3702 struct netlink_ext_ack *extack)
3703{
3704 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3705 u8 genmask = nft_genmask_next(net);
3706 const struct nlattr *attr;
3707 struct nft_set *set;
3708 struct nft_ctx ctx;
3709 int err;
3710
3711 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3712 return -EAFNOSUPPORT;
3713 if (nla[NFTA_SET_TABLE] == NULL)
3714 return -EINVAL;
3715
3716 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3717 genmask);
3718 if (err < 0)
3719 return err;
3720
3721 if (nla[NFTA_SET_HANDLE]) {
3722 attr = nla[NFTA_SET_HANDLE];
3723 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
3724 } else {
3725 attr = nla[NFTA_SET_NAME];
3726 set = nft_set_lookup(ctx.table, attr, genmask);
3727 }
3728
3729 if (IS_ERR(set)) {
3730 NL_SET_BAD_ATTR(extack, attr);
3731 return PTR_ERR(set);
3732 }
3733 if (set->use ||
3734 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
3735 NL_SET_BAD_ATTR(extack, attr);
3736 return -EBUSY;
3737 }
3738
3739 return nft_delset(&ctx, set);
3740}
3741
3742static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3743 struct nft_set *set,
3744 const struct nft_set_iter *iter,
3745 struct nft_set_elem *elem)
3746{
3747 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3748 enum nft_registers dreg;
3749
3750 dreg = nft_type_to_reg(set->dtype);
3751 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3752 set->dtype == NFT_DATA_VERDICT ?
3753 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3754 set->dlen);
3755}
3756
3757int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3758 struct nft_set_binding *binding)
3759{
3760 struct nft_set_binding *i;
3761 struct nft_set_iter iter;
3762
3763 if (set->use == UINT_MAX)
3764 return -EOVERFLOW;
3765
3766 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
3767 return -EBUSY;
3768
3769 if (binding->flags & NFT_SET_MAP) {
3770
3771
3772
3773 list_for_each_entry(i, &set->bindings, list) {
3774 if (i->flags & NFT_SET_MAP &&
3775 i->chain == binding->chain)
3776 goto bind;
3777 }
3778
3779 iter.genmask = nft_genmask_next(ctx->net);
3780 iter.skip = 0;
3781 iter.count = 0;
3782 iter.err = 0;
3783 iter.fn = nf_tables_bind_check_setelem;
3784
3785 set->ops->walk(ctx, set, &iter);
3786 if (iter.err < 0)
3787 return iter.err;
3788 }
3789bind:
3790 binding->chain = ctx->chain;
3791 list_add_tail_rcu(&binding->list, &set->bindings);
3792 nft_set_trans_bind(ctx, set);
3793 set->use++;
3794
3795 return 0;
3796}
3797EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3798
3799static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3800 struct nft_set_binding *binding, bool event)
3801{
3802 list_del_rcu(&binding->list);
3803
3804 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
3805 list_del_rcu(&set->list);
3806 if (event)
3807 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
3808 GFP_KERNEL);
3809 }
3810}
3811
3812void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
3813 struct nft_set_binding *binding,
3814 enum nft_trans_phase phase)
3815{
3816 switch (phase) {
3817 case NFT_TRANS_PREPARE:
3818 set->use--;
3819 return;
3820 case NFT_TRANS_ABORT:
3821 case NFT_TRANS_RELEASE:
3822 set->use--;
3823
3824 default:
3825 nf_tables_unbind_set(ctx, set, binding,
3826 phase == NFT_TRANS_COMMIT);
3827 }
3828}
3829EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
3830
3831void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
3832{
3833 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
3834 nft_set_destroy(set);
3835}
3836EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
3837
3838const struct nft_set_ext_type nft_set_ext_types[] = {
3839 [NFT_SET_EXT_KEY] = {
3840 .align = __alignof__(u32),
3841 },
3842 [NFT_SET_EXT_DATA] = {
3843 .align = __alignof__(u32),
3844 },
3845 [NFT_SET_EXT_EXPR] = {
3846 .align = __alignof__(struct nft_expr),
3847 },
3848 [NFT_SET_EXT_OBJREF] = {
3849 .len = sizeof(struct nft_object *),
3850 .align = __alignof__(struct nft_object *),
3851 },
3852 [NFT_SET_EXT_FLAGS] = {
3853 .len = sizeof(u8),
3854 .align = __alignof__(u8),
3855 },
3856 [NFT_SET_EXT_TIMEOUT] = {
3857 .len = sizeof(u64),
3858 .align = __alignof__(u64),
3859 },
3860 [NFT_SET_EXT_EXPIRATION] = {
3861 .len = sizeof(u64),
3862 .align = __alignof__(u64),
3863 },
3864 [NFT_SET_EXT_USERDATA] = {
3865 .len = sizeof(struct nft_userdata),
3866 .align = __alignof__(struct nft_userdata),
3867 },
3868};
3869EXPORT_SYMBOL_GPL(nft_set_ext_types);
3870
3871
3872
3873
3874
3875static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3876 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3877 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3878 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3879 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3880 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3881 .len = NFT_USERDATA_MAXLEN },
3882 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3883 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
3884};
3885
3886static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3887 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3888 .len = NFT_TABLE_MAXNAMELEN - 1 },
3889 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3890 .len = NFT_SET_MAXNAMELEN - 1 },
3891 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3892 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3893};
3894
3895static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3896 const struct sk_buff *skb,
3897 const struct nlmsghdr *nlh,
3898 const struct nlattr * const nla[],
3899 struct netlink_ext_ack *extack,
3900 u8 genmask)
3901{
3902 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3903 int family = nfmsg->nfgen_family;
3904 struct nft_table *table;
3905
3906 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
3907 genmask);
3908 if (IS_ERR(table)) {
3909 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
3910 return PTR_ERR(table);
3911 }
3912
3913 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3914 return 0;
3915}
3916
3917static int nf_tables_fill_setelem(struct sk_buff *skb,
3918 const struct nft_set *set,
3919 const struct nft_set_elem *elem)
3920{
3921 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3922 unsigned char *b = skb_tail_pointer(skb);
3923 struct nlattr *nest;
3924
3925 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
3926 if (nest == NULL)
3927 goto nla_put_failure;
3928
3929 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3930 NFT_DATA_VALUE, set->klen) < 0)
3931 goto nla_put_failure;
3932
3933 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3934 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3935 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3936 set->dlen) < 0)
3937 goto nla_put_failure;
3938
3939 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3940 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3941 goto nla_put_failure;
3942
3943 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3944 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3945 (*nft_set_ext_obj(ext))->key.name) < 0)
3946 goto nla_put_failure;
3947
3948 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3949 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3950 htonl(*nft_set_ext_flags(ext))))
3951 goto nla_put_failure;
3952
3953 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3954 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3955 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
3956 NFTA_SET_ELEM_PAD))
3957 goto nla_put_failure;
3958
3959 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3960 u64 expires, now = get_jiffies_64();
3961
3962 expires = *nft_set_ext_expiration(ext);
3963 if (time_before64(now, expires))
3964 expires -= now;
3965 else
3966 expires = 0;
3967
3968 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3969 nf_jiffies64_to_msecs(expires),
3970 NFTA_SET_ELEM_PAD))
3971 goto nla_put_failure;
3972 }
3973
3974 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3975 struct nft_userdata *udata;
3976
3977 udata = nft_set_ext_userdata(ext);
3978 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3979 udata->len + 1, udata->data))
3980 goto nla_put_failure;
3981 }
3982
3983 nla_nest_end(skb, nest);
3984 return 0;
3985
3986nla_put_failure:
3987 nlmsg_trim(skb, b);
3988 return -EMSGSIZE;
3989}
3990
3991struct nft_set_dump_args {
3992 const struct netlink_callback *cb;
3993 struct nft_set_iter iter;
3994 struct sk_buff *skb;
3995};
3996
3997static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3998 struct nft_set *set,
3999 const struct nft_set_iter *iter,
4000 struct nft_set_elem *elem)
4001{
4002 struct nft_set_dump_args *args;
4003
4004 args = container_of(iter, struct nft_set_dump_args, iter);
4005 return nf_tables_fill_setelem(args->skb, set, elem);
4006}
4007
4008struct nft_set_dump_ctx {
4009 const struct nft_set *set;
4010 struct nft_ctx ctx;
4011};
4012
4013static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4014{
4015 struct nft_set_dump_ctx *dump_ctx = cb->data;
4016 struct net *net = sock_net(skb->sk);
4017 struct nft_table *table;
4018 struct nft_set *set;
4019 struct nft_set_dump_args args;
4020 bool set_found = false;
4021 struct nfgenmsg *nfmsg;
4022 struct nlmsghdr *nlh;
4023 struct nlattr *nest;
4024 u32 portid, seq;
4025 int event;
4026
4027 rcu_read_lock();
4028 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4029 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4030 dump_ctx->ctx.family != table->family)
4031 continue;
4032
4033 if (table != dump_ctx->ctx.table)
4034 continue;
4035
4036 list_for_each_entry_rcu(set, &table->sets, list) {
4037 if (set == dump_ctx->set) {
4038 set_found = true;
4039 break;
4040 }
4041 }
4042 break;
4043 }
4044
4045 if (!set_found) {
4046 rcu_read_unlock();
4047 return -ENOENT;
4048 }
4049
4050 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4051 portid = NETLINK_CB(cb->skb).portid;
4052 seq = cb->nlh->nlmsg_seq;
4053
4054 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4055 NLM_F_MULTI);
4056 if (nlh == NULL)
4057 goto nla_put_failure;
4058
4059 nfmsg = nlmsg_data(nlh);
4060 nfmsg->nfgen_family = table->family;
4061 nfmsg->version = NFNETLINK_V0;
4062 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4063
4064 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4065 goto nla_put_failure;
4066 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4067 goto nla_put_failure;
4068
4069 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4070 if (nest == NULL)
4071 goto nla_put_failure;
4072
4073 args.cb = cb;
4074 args.skb = skb;
4075 args.iter.genmask = nft_genmask_cur(net);
4076 args.iter.skip = cb->args[0];
4077 args.iter.count = 0;
4078 args.iter.err = 0;
4079 args.iter.fn = nf_tables_dump_setelem;
4080 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4081 rcu_read_unlock();
4082
4083 nla_nest_end(skb, nest);
4084 nlmsg_end(skb, nlh);
4085
4086 if (args.iter.err && args.iter.err != -EMSGSIZE)
4087 return args.iter.err;
4088 if (args.iter.count == cb->args[0])
4089 return 0;
4090
4091 cb->args[0] = args.iter.count;
4092 return skb->len;
4093
4094nla_put_failure:
4095 rcu_read_unlock();
4096 return -ENOSPC;
4097}
4098
4099static int nf_tables_dump_set_start(struct netlink_callback *cb)
4100{
4101 struct nft_set_dump_ctx *dump_ctx = cb->data;
4102
4103 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4104
4105 return cb->data ? 0 : -ENOMEM;
4106}
4107
4108static int nf_tables_dump_set_done(struct netlink_callback *cb)
4109{
4110 kfree(cb->data);
4111 return 0;
4112}
4113
4114static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4115 const struct nft_ctx *ctx, u32 seq,
4116 u32 portid, int event, u16 flags,
4117 const struct nft_set *set,
4118 const struct nft_set_elem *elem)
4119{
4120 struct nfgenmsg *nfmsg;
4121 struct nlmsghdr *nlh;
4122 struct nlattr *nest;
4123 int err;
4124
4125 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4126 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4127 flags);
4128 if (nlh == NULL)
4129 goto nla_put_failure;
4130
4131 nfmsg = nlmsg_data(nlh);
4132 nfmsg->nfgen_family = ctx->family;
4133 nfmsg->version = NFNETLINK_V0;
4134 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
4135
4136 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4137 goto nla_put_failure;
4138 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4139 goto nla_put_failure;
4140
4141 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4142 if (nest == NULL)
4143 goto nla_put_failure;
4144
4145 err = nf_tables_fill_setelem(skb, set, elem);
4146 if (err < 0)
4147 goto nla_put_failure;
4148
4149 nla_nest_end(skb, nest);
4150
4151 nlmsg_end(skb, nlh);
4152 return 0;
4153
4154nla_put_failure:
4155 nlmsg_trim(skb, nlh);
4156 return -1;
4157}
4158
4159static int nft_setelem_parse_flags(const struct nft_set *set,
4160 const struct nlattr *attr, u32 *flags)
4161{
4162 if (attr == NULL)
4163 return 0;
4164
4165 *flags = ntohl(nla_get_be32(attr));
4166 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4167 return -EINVAL;
4168 if (!(set->flags & NFT_SET_INTERVAL) &&
4169 *flags & NFT_SET_ELEM_INTERVAL_END)
4170 return -EINVAL;
4171
4172 return 0;
4173}
4174
4175static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4176 const struct nlattr *attr)
4177{
4178 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4179 struct nft_data_desc desc;
4180 struct nft_set_elem elem;
4181 struct sk_buff *skb;
4182 uint32_t flags = 0;
4183 void *priv;
4184 int err;
4185
4186 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4187 nft_set_elem_policy, NULL);
4188 if (err < 0)
4189 return err;
4190
4191 if (!nla[NFTA_SET_ELEM_KEY])
4192 return -EINVAL;
4193
4194 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4195 if (err < 0)
4196 return err;
4197
4198 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4199 nla[NFTA_SET_ELEM_KEY]);
4200 if (err < 0)
4201 return err;
4202
4203 err = -EINVAL;
4204 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4205 return err;
4206
4207 priv = set->ops->get(ctx->net, set, &elem, flags);
4208 if (IS_ERR(priv))
4209 return PTR_ERR(priv);
4210
4211 elem.priv = priv;
4212
4213 err = -ENOMEM;
4214 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4215 if (skb == NULL)
4216 goto err1;
4217
4218 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4219 NFT_MSG_NEWSETELEM, 0, set, &elem);
4220 if (err < 0)
4221 goto err2;
4222
4223 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
4224
4225 if (err < 0)
4226 goto err1;
4227
4228 return 0;
4229err2:
4230 kfree_skb(skb);
4231err1:
4232
4233 return err == -EAGAIN ? -ENOBUFS : err;
4234}
4235
4236
4237static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
4238 struct sk_buff *skb, const struct nlmsghdr *nlh,
4239 const struct nlattr * const nla[],
4240 struct netlink_ext_ack *extack)
4241{
4242 u8 genmask = nft_genmask_cur(net);
4243 struct nft_set *set;
4244 struct nlattr *attr;
4245 struct nft_ctx ctx;
4246 int rem, err = 0;
4247
4248 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4249 genmask);
4250 if (err < 0)
4251 return err;
4252
4253 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4254 if (IS_ERR(set))
4255 return PTR_ERR(set);
4256
4257 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4258 struct netlink_dump_control c = {
4259 .start = nf_tables_dump_set_start,
4260 .dump = nf_tables_dump_set,
4261 .done = nf_tables_dump_set_done,
4262 .module = THIS_MODULE,
4263 };
4264 struct nft_set_dump_ctx dump_ctx = {
4265 .set = set,
4266 .ctx = ctx,
4267 };
4268
4269 c.data = &dump_ctx;
4270 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4271 }
4272
4273 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
4274 return -EINVAL;
4275
4276 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4277 err = nft_get_set_elem(&ctx, set, attr);
4278 if (err < 0)
4279 break;
4280 }
4281
4282 return err;
4283}
4284
4285static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
4286 const struct nft_set *set,
4287 const struct nft_set_elem *elem,
4288 int event, u16 flags)
4289{
4290 struct net *net = ctx->net;
4291 u32 portid = ctx->portid;
4292 struct sk_buff *skb;
4293 int err;
4294
4295 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4296 return;
4297
4298 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4299 if (skb == NULL)
4300 goto err;
4301
4302 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
4303 set, elem);
4304 if (err < 0) {
4305 kfree_skb(skb);
4306 goto err;
4307 }
4308
4309 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
4310 GFP_KERNEL);
4311 return;
4312err:
4313 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4314}
4315
4316static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
4317 int msg_type,
4318 struct nft_set *set)
4319{
4320 struct nft_trans *trans;
4321
4322 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
4323 if (trans == NULL)
4324 return NULL;
4325
4326 nft_trans_elem_set(trans) = set;
4327 return trans;
4328}
4329
4330void *nft_set_elem_init(const struct nft_set *set,
4331 const struct nft_set_ext_tmpl *tmpl,
4332 const u32 *key, const u32 *data,
4333 u64 timeout, gfp_t gfp)
4334{
4335 struct nft_set_ext *ext;
4336 void *elem;
4337
4338 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
4339 if (elem == NULL)
4340 return NULL;
4341
4342 ext = nft_set_elem_ext(set, elem);
4343 nft_set_ext_init(ext, tmpl);
4344
4345 memcpy(nft_set_ext_key(ext), key, set->klen);
4346 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4347 memcpy(nft_set_ext_data(ext), data, set->dlen);
4348 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
4349 *nft_set_ext_expiration(ext) =
4350 get_jiffies_64() + timeout;
4351 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
4352 *nft_set_ext_timeout(ext) = timeout;
4353
4354 return elem;
4355}
4356
4357void nft_set_elem_destroy(const struct nft_set *set, void *elem,
4358 bool destroy_expr)
4359{
4360 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4361 struct nft_ctx ctx = {
4362 .net = read_pnet(&set->net),
4363 .family = set->table->family,
4364 };
4365
4366 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
4367 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4368 nft_data_release(nft_set_ext_data(ext), set->dtype);
4369 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {
4370 struct nft_expr *expr = nft_set_ext_expr(ext);
4371
4372 if (expr->ops->destroy_clone) {
4373 expr->ops->destroy_clone(&ctx, expr);
4374 module_put(expr->ops->type->owner);
4375 } else {
4376 nf_tables_expr_destroy(&ctx, expr);
4377 }
4378 }
4379 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4380 (*nft_set_ext_obj(ext))->use--;
4381 kfree(elem);
4382}
4383EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
4384
4385
4386
4387
4388static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
4389 const struct nft_set *set, void *elem)
4390{
4391 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4392
4393 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
4394 nf_tables_expr_destroy(ctx, nft_set_ext_expr(ext));
4395 kfree(elem);
4396}
4397
4398static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4399 const struct nlattr *attr, u32 nlmsg_flags)
4400{
4401 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4402 u8 genmask = nft_genmask_next(ctx->net);
4403 struct nft_data_desc d1, d2;
4404 struct nft_set_ext_tmpl tmpl;
4405 struct nft_set_ext *ext, *ext2;
4406 struct nft_set_elem elem;
4407 struct nft_set_binding *binding;
4408 struct nft_object *obj = NULL;
4409 struct nft_userdata *udata;
4410 struct nft_data data;
4411 enum nft_registers dreg;
4412 struct nft_trans *trans;
4413 u32 flags = 0;
4414 u64 timeout;
4415 u8 ulen;
4416 int err;
4417
4418 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4419 nft_set_elem_policy, NULL);
4420 if (err < 0)
4421 return err;
4422
4423 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4424 return -EINVAL;
4425
4426 nft_set_ext_prepare(&tmpl);
4427
4428 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4429 if (err < 0)
4430 return err;
4431 if (flags != 0)
4432 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4433
4434 if (set->flags & NFT_SET_MAP) {
4435 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
4436 !(flags & NFT_SET_ELEM_INTERVAL_END))
4437 return -EINVAL;
4438 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
4439 flags & NFT_SET_ELEM_INTERVAL_END)
4440 return -EINVAL;
4441 } else {
4442 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4443 return -EINVAL;
4444 }
4445
4446 timeout = 0;
4447 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
4448 if (!(set->flags & NFT_SET_TIMEOUT))
4449 return -EINVAL;
4450 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
4451 &timeout);
4452 if (err)
4453 return err;
4454 } else if (set->flags & NFT_SET_TIMEOUT) {
4455 timeout = set->timeout;
4456 }
4457
4458 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
4459 nla[NFTA_SET_ELEM_KEY]);
4460 if (err < 0)
4461 goto err1;
4462 err = -EINVAL;
4463 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
4464 goto err2;
4465
4466 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
4467 if (timeout > 0) {
4468 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
4469 if (timeout != set->timeout)
4470 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
4471 }
4472
4473 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
4474 if (!(set->flags & NFT_SET_OBJECT)) {
4475 err = -EINVAL;
4476 goto err2;
4477 }
4478 obj = nft_obj_lookup(ctx->net, ctx->table,
4479 nla[NFTA_SET_ELEM_OBJREF],
4480 set->objtype, genmask);
4481 if (IS_ERR(obj)) {
4482 err = PTR_ERR(obj);
4483 goto err2;
4484 }
4485 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
4486 }
4487
4488 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4489 err = nft_data_init(ctx, &data, sizeof(data), &d2,
4490 nla[NFTA_SET_ELEM_DATA]);
4491 if (err < 0)
4492 goto err2;
4493
4494 err = -EINVAL;
4495 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
4496 goto err3;
4497
4498 dreg = nft_type_to_reg(set->dtype);
4499 list_for_each_entry(binding, &set->bindings, list) {
4500 struct nft_ctx bind_ctx = {
4501 .net = ctx->net,
4502 .family = ctx->family,
4503 .table = ctx->table,
4504 .chain = (struct nft_chain *)binding->chain,
4505 };
4506
4507 if (!(binding->flags & NFT_SET_MAP))
4508 continue;
4509
4510 err = nft_validate_register_store(&bind_ctx, dreg,
4511 &data,
4512 d2.type, d2.len);
4513 if (err < 0)
4514 goto err3;
4515
4516 if (d2.type == NFT_DATA_VERDICT &&
4517 (data.verdict.code == NFT_GOTO ||
4518 data.verdict.code == NFT_JUMP))
4519 nft_validate_state_update(ctx->net,
4520 NFT_VALIDATE_NEED);
4521 }
4522
4523 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4524 }
4525
4526
4527
4528
4529
4530 ulen = 0;
4531 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4532 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4533 if (ulen > 0)
4534 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4535 ulen);
4536 }
4537
4538 err = -ENOMEM;
4539 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4540 timeout, GFP_KERNEL);
4541 if (elem.priv == NULL)
4542 goto err3;
4543
4544 ext = nft_set_elem_ext(set, elem.priv);
4545 if (flags)
4546 *nft_set_ext_flags(ext) = flags;
4547 if (ulen > 0) {
4548 udata = nft_set_ext_userdata(ext);
4549 udata->len = ulen - 1;
4550 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4551 }
4552 if (obj) {
4553 *nft_set_ext_obj(ext) = obj;
4554 obj->use++;
4555 }
4556
4557 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4558 if (trans == NULL)
4559 goto err4;
4560
4561 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4562 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4563 if (err) {
4564 if (err == -EEXIST) {
4565 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4566 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4567 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4568 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4569 err = -EBUSY;
4570 goto err5;
4571 }
4572 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4573 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4574 memcmp(nft_set_ext_data(ext),
4575 nft_set_ext_data(ext2), set->dlen) != 0) ||
4576 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4577 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4578 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4579 err = -EBUSY;
4580 else if (!(nlmsg_flags & NLM_F_EXCL))
4581 err = 0;
4582 }
4583 goto err5;
4584 }
4585
4586 if (set->size &&
4587 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4588 err = -ENFILE;
4589 goto err6;
4590 }
4591
4592 nft_trans_elem(trans) = elem;
4593 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4594 return 0;
4595
4596err6:
4597 set->ops->remove(ctx->net, set, &elem);
4598err5:
4599 kfree(trans);
4600err4:
4601 if (obj)
4602 obj->use--;
4603 kfree(elem.priv);
4604err3:
4605 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4606 nft_data_release(&data, d2.type);
4607err2:
4608 nft_data_release(&elem.key.val, d1.type);
4609err1:
4610 return err;
4611}
4612
4613static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4614 struct sk_buff *skb, const struct nlmsghdr *nlh,
4615 const struct nlattr * const nla[],
4616 struct netlink_ext_ack *extack)
4617{
4618 u8 genmask = nft_genmask_next(net);
4619 const struct nlattr *attr;
4620 struct nft_set *set;
4621 struct nft_ctx ctx;
4622 int rem, err;
4623
4624 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4625 return -EINVAL;
4626
4627 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4628 genmask);
4629 if (err < 0)
4630 return err;
4631
4632 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4633 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
4634 if (IS_ERR(set))
4635 return PTR_ERR(set);
4636
4637 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4638 return -EBUSY;
4639
4640 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4641 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4642 if (err < 0)
4643 return err;
4644 }
4645
4646 if (net->nft.validate_state == NFT_VALIDATE_DO)
4647 return nft_table_validate(net, ctx.table);
4648
4649 return 0;
4650}
4651
4652
4653
4654
4655
4656
4657
4658
4659
4660
4661
4662
4663void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4664{
4665 if (type == NFT_DATA_VERDICT) {
4666 switch (data->verdict.code) {
4667 case NFT_JUMP:
4668 case NFT_GOTO:
4669 data->verdict.chain->use++;
4670 break;
4671 }
4672 }
4673}
4674
4675static void nft_set_elem_activate(const struct net *net,
4676 const struct nft_set *set,
4677 struct nft_set_elem *elem)
4678{
4679 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4680
4681 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4682 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4683 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4684 (*nft_set_ext_obj(ext))->use++;
4685}
4686
4687static void nft_set_elem_deactivate(const struct net *net,
4688 const struct nft_set *set,
4689 struct nft_set_elem *elem)
4690{
4691 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4692
4693 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4694 nft_data_release(nft_set_ext_data(ext), set->dtype);
4695 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4696 (*nft_set_ext_obj(ext))->use--;
4697}
4698
4699static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4700 const struct nlattr *attr)
4701{
4702 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4703 struct nft_set_ext_tmpl tmpl;
4704 struct nft_data_desc desc;
4705 struct nft_set_elem elem;
4706 struct nft_set_ext *ext;
4707 struct nft_trans *trans;
4708 u32 flags = 0;
4709 void *priv;
4710 int err;
4711
4712 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4713 nft_set_elem_policy, NULL);
4714 if (err < 0)
4715 goto err1;
4716
4717 err = -EINVAL;
4718 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4719 goto err1;
4720
4721 nft_set_ext_prepare(&tmpl);
4722
4723 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4724 if (err < 0)
4725 return err;
4726 if (flags != 0)
4727 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4728
4729 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4730 nla[NFTA_SET_ELEM_KEY]);
4731 if (err < 0)
4732 goto err1;
4733
4734 err = -EINVAL;
4735 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4736 goto err2;
4737
4738 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4739
4740 err = -ENOMEM;
4741 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4742 GFP_KERNEL);
4743 if (elem.priv == NULL)
4744 goto err2;
4745
4746 ext = nft_set_elem_ext(set, elem.priv);
4747 if (flags)
4748 *nft_set_ext_flags(ext) = flags;
4749
4750 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4751 if (trans == NULL) {
4752 err = -ENOMEM;
4753 goto err3;
4754 }
4755
4756 priv = set->ops->deactivate(ctx->net, set, &elem);
4757 if (priv == NULL) {
4758 err = -ENOENT;
4759 goto err4;
4760 }
4761 kfree(elem.priv);
4762 elem.priv = priv;
4763
4764 nft_set_elem_deactivate(ctx->net, set, &elem);
4765
4766 nft_trans_elem(trans) = elem;
4767 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4768 return 0;
4769
4770err4:
4771 kfree(trans);
4772err3:
4773 kfree(elem.priv);
4774err2:
4775 nft_data_release(&elem.key.val, desc.type);
4776err1:
4777 return err;
4778}
4779
4780static int nft_flush_set(const struct nft_ctx *ctx,
4781 struct nft_set *set,
4782 const struct nft_set_iter *iter,
4783 struct nft_set_elem *elem)
4784{
4785 struct nft_trans *trans;
4786 int err;
4787
4788 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4789 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4790 if (!trans)
4791 return -ENOMEM;
4792
4793 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4794 err = -ENOENT;
4795 goto err1;
4796 }
4797 set->ndeact++;
4798
4799 nft_set_elem_deactivate(ctx->net, set, elem);
4800 nft_trans_elem_set(trans) = set;
4801 nft_trans_elem(trans) = *elem;
4802 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4803
4804 return 0;
4805err1:
4806 kfree(trans);
4807 return err;
4808}
4809
4810static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4811 struct sk_buff *skb, const struct nlmsghdr *nlh,
4812 const struct nlattr * const nla[],
4813 struct netlink_ext_ack *extack)
4814{
4815 u8 genmask = nft_genmask_next(net);
4816 const struct nlattr *attr;
4817 struct nft_set *set;
4818 struct nft_ctx ctx;
4819 int rem, err = 0;
4820
4821 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4822 genmask);
4823 if (err < 0)
4824 return err;
4825
4826 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4827 if (IS_ERR(set))
4828 return PTR_ERR(set);
4829 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4830 return -EBUSY;
4831
4832 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4833 struct nft_set_iter iter = {
4834 .genmask = genmask,
4835 .fn = nft_flush_set,
4836 };
4837 set->ops->walk(&ctx, set, &iter);
4838
4839 return iter.err;
4840 }
4841
4842 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4843 err = nft_del_setelem(&ctx, set, attr);
4844 if (err < 0)
4845 break;
4846
4847 set->ndeact++;
4848 }
4849 return err;
4850}
4851
4852void nft_set_gc_batch_release(struct rcu_head *rcu)
4853{
4854 struct nft_set_gc_batch *gcb;
4855 unsigned int i;
4856
4857 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4858 for (i = 0; i < gcb->head.cnt; i++)
4859 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4860 kfree(gcb);
4861}
4862EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4863
4864struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4865 gfp_t gfp)
4866{
4867 struct nft_set_gc_batch *gcb;
4868
4869 gcb = kzalloc(sizeof(*gcb), gfp);
4870 if (gcb == NULL)
4871 return gcb;
4872 gcb->head.set = set;
4873 return gcb;
4874}
4875EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4876
4877
4878
4879
4880
4881
4882
4883
4884
4885
4886
4887
4888int nft_register_obj(struct nft_object_type *obj_type)
4889{
4890 if (obj_type->type == NFT_OBJECT_UNSPEC)
4891 return -EINVAL;
4892
4893 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4894 list_add_rcu(&obj_type->list, &nf_tables_objects);
4895 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4896 return 0;
4897}
4898EXPORT_SYMBOL_GPL(nft_register_obj);
4899
4900
4901
4902
4903
4904
4905
4906void nft_unregister_obj(struct nft_object_type *obj_type)
4907{
4908 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4909 list_del_rcu(&obj_type->list);
4910 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4911}
4912EXPORT_SYMBOL_GPL(nft_unregister_obj);
4913
4914struct nft_object *nft_obj_lookup(const struct net *net,
4915 const struct nft_table *table,
4916 const struct nlattr *nla, u32 objtype,
4917 u8 genmask)
4918{
4919 struct nft_object_hash_key k = { .table = table };
4920 char search[NFT_OBJ_MAXNAMELEN];
4921 struct rhlist_head *tmp, *list;
4922 struct nft_object *obj;
4923
4924 nla_strlcpy(search, nla, sizeof(search));
4925 k.name = search;
4926
4927 WARN_ON_ONCE(!rcu_read_lock_held() &&
4928 !lockdep_commit_lock_is_held(net));
4929
4930 rcu_read_lock();
4931 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
4932 if (!list)
4933 goto out;
4934
4935 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
4936 if (objtype == obj->ops->type->type &&
4937 nft_active_genmask(obj, genmask)) {
4938 rcu_read_unlock();
4939 return obj;
4940 }
4941 }
4942out:
4943 rcu_read_unlock();
4944 return ERR_PTR(-ENOENT);
4945}
4946EXPORT_SYMBOL_GPL(nft_obj_lookup);
4947
4948static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
4949 const struct nlattr *nla,
4950 u32 objtype, u8 genmask)
4951{
4952 struct nft_object *obj;
4953
4954 list_for_each_entry(obj, &table->objects, list) {
4955 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
4956 objtype == obj->ops->type->type &&
4957 nft_active_genmask(obj, genmask))
4958 return obj;
4959 }
4960 return ERR_PTR(-ENOENT);
4961}
4962
4963static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4964 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4965 .len = NFT_TABLE_MAXNAMELEN - 1 },
4966 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4967 .len = NFT_OBJ_MAXNAMELEN - 1 },
4968 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4969 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4970 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
4971};
4972
4973static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4974 const struct nft_object_type *type,
4975 const struct nlattr *attr)
4976{
4977 struct nlattr **tb;
4978 const struct nft_object_ops *ops;
4979 struct nft_object *obj;
4980 int err = -ENOMEM;
4981
4982 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
4983 if (!tb)
4984 goto err1;
4985
4986 if (attr) {
4987 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
4988 type->policy, NULL);
4989 if (err < 0)
4990 goto err2;
4991 } else {
4992 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4993 }
4994
4995 if (type->select_ops) {
4996 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
4997 if (IS_ERR(ops)) {
4998 err = PTR_ERR(ops);
4999 goto err2;
5000 }
5001 } else {
5002 ops = type->ops;
5003 }
5004
5005 err = -ENOMEM;
5006 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
5007 if (!obj)
5008 goto err2;
5009
5010 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
5011 if (err < 0)
5012 goto err3;
5013
5014 obj->ops = ops;
5015
5016 kfree(tb);
5017 return obj;
5018err3:
5019 kfree(obj);
5020err2:
5021 kfree(tb);
5022err1:
5023 return ERR_PTR(err);
5024}
5025
5026static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
5027 struct nft_object *obj, bool reset)
5028{
5029 struct nlattr *nest;
5030
5031 nest = nla_nest_start_noflag(skb, attr);
5032 if (!nest)
5033 goto nla_put_failure;
5034 if (obj->ops->dump(skb, obj, reset) < 0)
5035 goto nla_put_failure;
5036 nla_nest_end(skb, nest);
5037 return 0;
5038
5039nla_put_failure:
5040 return -1;
5041}
5042
5043static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
5044{
5045 const struct nft_object_type *type;
5046
5047 list_for_each_entry(type, &nf_tables_objects, list) {
5048 if (objtype == type->type)
5049 return type;
5050 }
5051 return NULL;
5052}
5053
5054static const struct nft_object_type *
5055nft_obj_type_get(struct net *net, u32 objtype)
5056{
5057 const struct nft_object_type *type;
5058
5059 type = __nft_obj_type_get(objtype);
5060 if (type != NULL && try_module_get(type->owner))
5061 return type;
5062
5063 lockdep_nfnl_nft_mutex_not_held();
5064#ifdef CONFIG_MODULES
5065 if (type == NULL) {
5066 nft_request_module(net, "nft-obj-%u", objtype);
5067 if (__nft_obj_type_get(objtype))
5068 return ERR_PTR(-EAGAIN);
5069 }
5070#endif
5071 return ERR_PTR(-ENOENT);
5072}
5073
5074static int nf_tables_newobj(struct net *net, struct sock *nlsk,
5075 struct sk_buff *skb, const struct nlmsghdr *nlh,
5076 const struct nlattr * const nla[],
5077 struct netlink_ext_ack *extack)
5078{
5079 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5080 const struct nft_object_type *type;
5081 u8 genmask = nft_genmask_next(net);
5082 int family = nfmsg->nfgen_family;
5083 struct nft_table *table;
5084 struct nft_object *obj;
5085 struct nft_ctx ctx;
5086 u32 objtype;
5087 int err;
5088
5089 if (!nla[NFTA_OBJ_TYPE] ||
5090 !nla[NFTA_OBJ_NAME] ||
5091 !nla[NFTA_OBJ_DATA])
5092 return -EINVAL;
5093
5094 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5095 if (IS_ERR(table)) {
5096 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5097 return PTR_ERR(table);
5098 }
5099
5100 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5101 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5102 if (IS_ERR(obj)) {
5103 err = PTR_ERR(obj);
5104 if (err != -ENOENT) {
5105 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5106 return err;
5107 }
5108 } else {
5109 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5110 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5111 return -EEXIST;
5112 }
5113 return 0;
5114 }
5115
5116 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5117
5118 type = nft_obj_type_get(net, objtype);
5119 if (IS_ERR(type))
5120 return PTR_ERR(type);
5121
5122 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
5123 if (IS_ERR(obj)) {
5124 err = PTR_ERR(obj);
5125 goto err1;
5126 }
5127 obj->key.table = table;
5128 obj->handle = nf_tables_alloc_handle(table);
5129
5130 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
5131 if (!obj->key.name) {
5132 err = -ENOMEM;
5133 goto err2;
5134 }
5135
5136 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
5137 if (err < 0)
5138 goto err3;
5139
5140 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
5141 nft_objname_ht_params);
5142 if (err < 0)
5143 goto err4;
5144
5145 list_add_tail_rcu(&obj->list, &table->objects);
5146 table->use++;
5147 return 0;
5148err4:
5149
5150 INIT_LIST_HEAD(&obj->list);
5151 return err;
5152err3:
5153 kfree(obj->key.name);
5154err2:
5155 if (obj->ops->destroy)
5156 obj->ops->destroy(&ctx, obj);
5157 kfree(obj);
5158err1:
5159 module_put(type->owner);
5160 return err;
5161}
5162
5163static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
5164 u32 portid, u32 seq, int event, u32 flags,
5165 int family, const struct nft_table *table,
5166 struct nft_object *obj, bool reset)
5167{
5168 struct nfgenmsg *nfmsg;
5169 struct nlmsghdr *nlh;
5170
5171 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5172 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5173 if (nlh == NULL)
5174 goto nla_put_failure;
5175
5176 nfmsg = nlmsg_data(nlh);
5177 nfmsg->nfgen_family = family;
5178 nfmsg->version = NFNETLINK_V0;
5179 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5180
5181 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
5182 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
5183 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
5184 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
5185 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
5186 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
5187 NFTA_OBJ_PAD))
5188 goto nla_put_failure;
5189
5190 nlmsg_end(skb, nlh);
5191 return 0;
5192
5193nla_put_failure:
5194 nlmsg_trim(skb, nlh);
5195 return -1;
5196}
5197
5198struct nft_obj_filter {
5199 char *table;
5200 u32 type;
5201};
5202
5203static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
5204{
5205 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5206 const struct nft_table *table;
5207 unsigned int idx = 0, s_idx = cb->args[0];
5208 struct nft_obj_filter *filter = cb->data;
5209 struct net *net = sock_net(skb->sk);
5210 int family = nfmsg->nfgen_family;
5211 struct nft_object *obj;
5212 bool reset = false;
5213
5214 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5215 reset = true;
5216
5217 rcu_read_lock();
5218 cb->seq = net->nft.base_seq;
5219
5220 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5221 if (family != NFPROTO_UNSPEC && family != table->family)
5222 continue;
5223
5224 list_for_each_entry_rcu(obj, &table->objects, list) {
5225 if (!nft_is_active(net, obj))
5226 goto cont;
5227 if (idx < s_idx)
5228 goto cont;
5229 if (idx > s_idx)
5230 memset(&cb->args[1], 0,
5231 sizeof(cb->args) - sizeof(cb->args[0]));
5232 if (filter && filter->table &&
5233 strcmp(filter->table, table->name))
5234 goto cont;
5235 if (filter &&
5236 filter->type != NFT_OBJECT_UNSPEC &&
5237 obj->ops->type->type != filter->type)
5238 goto cont;
5239
5240 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
5241 cb->nlh->nlmsg_seq,
5242 NFT_MSG_NEWOBJ,
5243 NLM_F_MULTI | NLM_F_APPEND,
5244 table->family, table,
5245 obj, reset) < 0)
5246 goto done;
5247
5248 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5249cont:
5250 idx++;
5251 }
5252 }
5253done:
5254 rcu_read_unlock();
5255
5256 cb->args[0] = idx;
5257 return skb->len;
5258}
5259
5260static int nf_tables_dump_obj_start(struct netlink_callback *cb)
5261{
5262 const struct nlattr * const *nla = cb->data;
5263 struct nft_obj_filter *filter = NULL;
5264
5265 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
5266 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5267 if (!filter)
5268 return -ENOMEM;
5269
5270 if (nla[NFTA_OBJ_TABLE]) {
5271 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
5272 if (!filter->table) {
5273 kfree(filter);
5274 return -ENOMEM;
5275 }
5276 }
5277
5278 if (nla[NFTA_OBJ_TYPE])
5279 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5280 }
5281
5282 cb->data = filter;
5283 return 0;
5284}
5285
5286static int nf_tables_dump_obj_done(struct netlink_callback *cb)
5287{
5288 struct nft_obj_filter *filter = cb->data;
5289
5290 if (filter) {
5291 kfree(filter->table);
5292 kfree(filter);
5293 }
5294
5295 return 0;
5296}
5297
5298
5299static int nf_tables_getobj(struct net *net, struct sock *nlsk,
5300 struct sk_buff *skb, const struct nlmsghdr *nlh,
5301 const struct nlattr * const nla[],
5302 struct netlink_ext_ack *extack)
5303{
5304 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5305 u8 genmask = nft_genmask_cur(net);
5306 int family = nfmsg->nfgen_family;
5307 const struct nft_table *table;
5308 struct nft_object *obj;
5309 struct sk_buff *skb2;
5310 bool reset = false;
5311 u32 objtype;
5312 int err;
5313
5314 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5315 struct netlink_dump_control c = {
5316 .start = nf_tables_dump_obj_start,
5317 .dump = nf_tables_dump_obj,
5318 .done = nf_tables_dump_obj_done,
5319 .module = THIS_MODULE,
5320 .data = (void *)nla,
5321 };
5322
5323 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5324 }
5325
5326 if (!nla[NFTA_OBJ_NAME] ||
5327 !nla[NFTA_OBJ_TYPE])
5328 return -EINVAL;
5329
5330 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5331 if (IS_ERR(table)) {
5332 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5333 return PTR_ERR(table);
5334 }
5335
5336 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5337 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5338 if (IS_ERR(obj)) {
5339 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5340 return PTR_ERR(obj);
5341 }
5342
5343 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5344 if (!skb2)
5345 return -ENOMEM;
5346
5347 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5348 reset = true;
5349
5350 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
5351 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
5352 family, table, obj, reset);
5353 if (err < 0)
5354 goto err;
5355
5356 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5357err:
5358 kfree_skb(skb2);
5359 return err;
5360}
5361
5362static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
5363{
5364 if (obj->ops->destroy)
5365 obj->ops->destroy(ctx, obj);
5366
5367 module_put(obj->ops->type->owner);
5368 kfree(obj->key.name);
5369 kfree(obj);
5370}
5371
5372static int nf_tables_delobj(struct net *net, struct sock *nlsk,
5373 struct sk_buff *skb, const struct nlmsghdr *nlh,
5374 const struct nlattr * const nla[],
5375 struct netlink_ext_ack *extack)
5376{
5377 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5378 u8 genmask = nft_genmask_next(net);
5379 int family = nfmsg->nfgen_family;
5380 const struct nlattr *attr;
5381 struct nft_table *table;
5382 struct nft_object *obj;
5383 struct nft_ctx ctx;
5384 u32 objtype;
5385
5386 if (!nla[NFTA_OBJ_TYPE] ||
5387 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
5388 return -EINVAL;
5389
5390 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5391 if (IS_ERR(table)) {
5392 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5393 return PTR_ERR(table);
5394 }
5395
5396 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5397 if (nla[NFTA_OBJ_HANDLE]) {
5398 attr = nla[NFTA_OBJ_HANDLE];
5399 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
5400 } else {
5401 attr = nla[NFTA_OBJ_NAME];
5402 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
5403 }
5404
5405 if (IS_ERR(obj)) {
5406 NL_SET_BAD_ATTR(extack, attr);
5407 return PTR_ERR(obj);
5408 }
5409 if (obj->use > 0) {
5410 NL_SET_BAD_ATTR(extack, attr);
5411 return -EBUSY;
5412 }
5413
5414 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5415
5416 return nft_delobj(&ctx, obj);
5417}
5418
5419void nft_obj_notify(struct net *net, const struct nft_table *table,
5420 struct nft_object *obj, u32 portid, u32 seq, int event,
5421 int family, int report, gfp_t gfp)
5422{
5423 struct sk_buff *skb;
5424 int err;
5425
5426 if (!report &&
5427 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5428 return;
5429
5430 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
5431 if (skb == NULL)
5432 goto err;
5433
5434 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
5435 table, obj, false);
5436 if (err < 0) {
5437 kfree_skb(skb);
5438 goto err;
5439 }
5440
5441 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
5442 return;
5443err:
5444 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5445}
5446EXPORT_SYMBOL_GPL(nft_obj_notify);
5447
5448static void nf_tables_obj_notify(const struct nft_ctx *ctx,
5449 struct nft_object *obj, int event)
5450{
5451 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
5452 ctx->family, ctx->report, GFP_KERNEL);
5453}
5454
5455
5456
5457
5458void nft_register_flowtable_type(struct nf_flowtable_type *type)
5459{
5460 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5461 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
5462 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5463}
5464EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
5465
5466void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
5467{
5468 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5469 list_del_rcu(&type->list);
5470 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5471}
5472EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
5473
5474static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
5475 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
5476 .len = NFT_NAME_MAXLEN - 1 },
5477 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
5478 .len = NFT_NAME_MAXLEN - 1 },
5479 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
5480 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
5481};
5482
5483struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
5484 const struct nlattr *nla, u8 genmask)
5485{
5486 struct nft_flowtable *flowtable;
5487
5488 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5489 if (!nla_strcmp(nla, flowtable->name) &&
5490 nft_active_genmask(flowtable, genmask))
5491 return flowtable;
5492 }
5493 return ERR_PTR(-ENOENT);
5494}
5495EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
5496
5497static struct nft_flowtable *
5498nft_flowtable_lookup_byhandle(const struct nft_table *table,
5499 const struct nlattr *nla, u8 genmask)
5500{
5501 struct nft_flowtable *flowtable;
5502
5503 list_for_each_entry(flowtable, &table->flowtables, list) {
5504 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
5505 nft_active_genmask(flowtable, genmask))
5506 return flowtable;
5507 }
5508 return ERR_PTR(-ENOENT);
5509}
5510
5511static int nf_tables_parse_devices(const struct nft_ctx *ctx,
5512 const struct nlattr *attr,
5513 struct net_device *dev_array[], int *len)
5514{
5515 const struct nlattr *tmp;
5516 struct net_device *dev;
5517 char ifname[IFNAMSIZ];
5518 int rem, n = 0, err;
5519
5520 nla_for_each_nested(tmp, attr, rem) {
5521 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
5522 err = -EINVAL;
5523 goto err1;
5524 }
5525
5526 nla_strlcpy(ifname, tmp, IFNAMSIZ);
5527 dev = __dev_get_by_name(ctx->net, ifname);
5528 if (!dev) {
5529 err = -ENOENT;
5530 goto err1;
5531 }
5532
5533 dev_array[n++] = dev;
5534 if (n == NFT_FLOWTABLE_DEVICE_MAX) {
5535 err = -EFBIG;
5536 goto err1;
5537 }
5538 }
5539 if (!len)
5540 return -EINVAL;
5541
5542 err = 0;
5543err1:
5544 *len = n;
5545 return err;
5546}
5547
5548static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
5549 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
5550 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
5551 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
5552};
5553
5554static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
5555 const struct nlattr *attr,
5556 struct nft_flowtable *flowtable)
5557{
5558 struct net_device *dev_array[NFT_FLOWTABLE_DEVICE_MAX];
5559 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
5560 struct nf_hook_ops *ops;
5561 int hooknum, priority;
5562 int err, n = 0, i;
5563
5564 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
5565 nft_flowtable_hook_policy, NULL);
5566 if (err < 0)
5567 return err;
5568
5569 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
5570 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
5571 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
5572 return -EINVAL;
5573
5574 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
5575 if (hooknum != NF_NETDEV_INGRESS)
5576 return -EINVAL;
5577
5578 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
5579
5580 err = nf_tables_parse_devices(ctx, tb[NFTA_FLOWTABLE_HOOK_DEVS],
5581 dev_array, &n);
5582 if (err < 0)
5583 return err;
5584
5585 ops = kcalloc(n, sizeof(struct nf_hook_ops), GFP_KERNEL);
5586 if (!ops)
5587 return -ENOMEM;
5588
5589 flowtable->hooknum = hooknum;
5590 flowtable->priority = priority;
5591 flowtable->ops = ops;
5592 flowtable->ops_len = n;
5593
5594 for (i = 0; i < n; i++) {
5595 flowtable->ops[i].pf = NFPROTO_NETDEV;
5596 flowtable->ops[i].hooknum = hooknum;
5597 flowtable->ops[i].priority = priority;
5598 flowtable->ops[i].priv = &flowtable->data;
5599 flowtable->ops[i].hook = flowtable->data.type->hook;
5600 flowtable->ops[i].dev = dev_array[i];
5601 }
5602
5603 return err;
5604}
5605
5606static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
5607{
5608 const struct nf_flowtable_type *type;
5609
5610 list_for_each_entry(type, &nf_tables_flowtables, list) {
5611 if (family == type->family)
5612 return type;
5613 }
5614 return NULL;
5615}
5616
5617static const struct nf_flowtable_type *
5618nft_flowtable_type_get(struct net *net, u8 family)
5619{
5620 const struct nf_flowtable_type *type;
5621
5622 type = __nft_flowtable_type_get(family);
5623 if (type != NULL && try_module_get(type->owner))
5624 return type;
5625
5626 lockdep_nfnl_nft_mutex_not_held();
5627#ifdef CONFIG_MODULES
5628 if (type == NULL) {
5629 nft_request_module(net, "nf-flowtable-%u", family);
5630 if (__nft_flowtable_type_get(family))
5631 return ERR_PTR(-EAGAIN);
5632 }
5633#endif
5634 return ERR_PTR(-ENOENT);
5635}
5636
5637static void nft_unregister_flowtable_net_hooks(struct net *net,
5638 struct nft_flowtable *flowtable)
5639{
5640 int i;
5641
5642 for (i = 0; i < flowtable->ops_len; i++) {
5643 if (!flowtable->ops[i].dev)
5644 continue;
5645
5646 nf_unregister_net_hook(net, &flowtable->ops[i]);
5647 }
5648}
5649
5650static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
5651 struct sk_buff *skb,
5652 const struct nlmsghdr *nlh,
5653 const struct nlattr * const nla[],
5654 struct netlink_ext_ack *extack)
5655{
5656 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5657 const struct nf_flowtable_type *type;
5658 struct nft_flowtable *flowtable, *ft;
5659 u8 genmask = nft_genmask_next(net);
5660 int family = nfmsg->nfgen_family;
5661 struct nft_table *table;
5662 struct nft_ctx ctx;
5663 int err, i, k;
5664
5665 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5666 !nla[NFTA_FLOWTABLE_NAME] ||
5667 !nla[NFTA_FLOWTABLE_HOOK])
5668 return -EINVAL;
5669
5670 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5671 genmask);
5672 if (IS_ERR(table)) {
5673 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5674 return PTR_ERR(table);
5675 }
5676
5677 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5678 genmask);
5679 if (IS_ERR(flowtable)) {
5680 err = PTR_ERR(flowtable);
5681 if (err != -ENOENT) {
5682 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5683 return err;
5684 }
5685 } else {
5686 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5687 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5688 return -EEXIST;
5689 }
5690
5691 return 0;
5692 }
5693
5694 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5695
5696 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
5697 if (!flowtable)
5698 return -ENOMEM;
5699
5700 flowtable->table = table;
5701 flowtable->handle = nf_tables_alloc_handle(table);
5702
5703 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
5704 if (!flowtable->name) {
5705 err = -ENOMEM;
5706 goto err1;
5707 }
5708
5709 type = nft_flowtable_type_get(net, family);
5710 if (IS_ERR(type)) {
5711 err = PTR_ERR(type);
5712 goto err2;
5713 }
5714
5715 flowtable->data.type = type;
5716 err = type->init(&flowtable->data);
5717 if (err < 0)
5718 goto err3;
5719
5720 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
5721 flowtable);
5722 if (err < 0)
5723 goto err4;
5724
5725 for (i = 0; i < flowtable->ops_len; i++) {
5726 if (!flowtable->ops[i].dev)
5727 continue;
5728
5729 list_for_each_entry(ft, &table->flowtables, list) {
5730 for (k = 0; k < ft->ops_len; k++) {
5731 if (!ft->ops[k].dev)
5732 continue;
5733
5734 if (flowtable->ops[i].dev == ft->ops[k].dev &&
5735 flowtable->ops[i].pf == ft->ops[k].pf) {
5736 err = -EBUSY;
5737 goto err5;
5738 }
5739 }
5740 }
5741
5742 err = nf_register_net_hook(net, &flowtable->ops[i]);
5743 if (err < 0)
5744 goto err5;
5745 }
5746
5747 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
5748 if (err < 0)
5749 goto err6;
5750
5751 list_add_tail_rcu(&flowtable->list, &table->flowtables);
5752 table->use++;
5753
5754 return 0;
5755err6:
5756 i = flowtable->ops_len;
5757err5:
5758 for (k = i - 1; k >= 0; k--)
5759 nf_unregister_net_hook(net, &flowtable->ops[k]);
5760
5761 kfree(flowtable->ops);
5762err4:
5763 flowtable->data.type->free(&flowtable->data);
5764err3:
5765 module_put(type->owner);
5766err2:
5767 kfree(flowtable->name);
5768err1:
5769 kfree(flowtable);
5770 return err;
5771}
5772
5773static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
5774 struct sk_buff *skb,
5775 const struct nlmsghdr *nlh,
5776 const struct nlattr * const nla[],
5777 struct netlink_ext_ack *extack)
5778{
5779 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5780 u8 genmask = nft_genmask_next(net);
5781 int family = nfmsg->nfgen_family;
5782 struct nft_flowtable *flowtable;
5783 const struct nlattr *attr;
5784 struct nft_table *table;
5785 struct nft_ctx ctx;
5786
5787 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5788 (!nla[NFTA_FLOWTABLE_NAME] &&
5789 !nla[NFTA_FLOWTABLE_HANDLE]))
5790 return -EINVAL;
5791
5792 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5793 genmask);
5794 if (IS_ERR(table)) {
5795 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5796 return PTR_ERR(table);
5797 }
5798
5799 if (nla[NFTA_FLOWTABLE_HANDLE]) {
5800 attr = nla[NFTA_FLOWTABLE_HANDLE];
5801 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
5802 } else {
5803 attr = nla[NFTA_FLOWTABLE_NAME];
5804 flowtable = nft_flowtable_lookup(table, attr, genmask);
5805 }
5806
5807 if (IS_ERR(flowtable)) {
5808 NL_SET_BAD_ATTR(extack, attr);
5809 return PTR_ERR(flowtable);
5810 }
5811 if (flowtable->use > 0) {
5812 NL_SET_BAD_ATTR(extack, attr);
5813 return -EBUSY;
5814 }
5815
5816 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5817
5818 return nft_delflowtable(&ctx, flowtable);
5819}
5820
5821static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
5822 u32 portid, u32 seq, int event,
5823 u32 flags, int family,
5824 struct nft_flowtable *flowtable)
5825{
5826 struct nlattr *nest, *nest_devs;
5827 struct nfgenmsg *nfmsg;
5828 struct nlmsghdr *nlh;
5829 int i;
5830
5831 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5832 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5833 if (nlh == NULL)
5834 goto nla_put_failure;
5835
5836 nfmsg = nlmsg_data(nlh);
5837 nfmsg->nfgen_family = family;
5838 nfmsg->version = NFNETLINK_V0;
5839 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5840
5841 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
5842 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
5843 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
5844 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
5845 NFTA_FLOWTABLE_PAD))
5846 goto nla_put_failure;
5847
5848 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
5849 if (!nest)
5850 goto nla_put_failure;
5851 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
5852 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
5853 goto nla_put_failure;
5854
5855 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
5856 if (!nest_devs)
5857 goto nla_put_failure;
5858
5859 for (i = 0; i < flowtable->ops_len; i++) {
5860 const struct net_device *dev = READ_ONCE(flowtable->ops[i].dev);
5861
5862 if (dev &&
5863 nla_put_string(skb, NFTA_DEVICE_NAME, dev->name))
5864 goto nla_put_failure;
5865 }
5866 nla_nest_end(skb, nest_devs);
5867 nla_nest_end(skb, nest);
5868
5869 nlmsg_end(skb, nlh);
5870 return 0;
5871
5872nla_put_failure:
5873 nlmsg_trim(skb, nlh);
5874 return -1;
5875}
5876
5877struct nft_flowtable_filter {
5878 char *table;
5879};
5880
5881static int nf_tables_dump_flowtable(struct sk_buff *skb,
5882 struct netlink_callback *cb)
5883{
5884 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5885 struct nft_flowtable_filter *filter = cb->data;
5886 unsigned int idx = 0, s_idx = cb->args[0];
5887 struct net *net = sock_net(skb->sk);
5888 int family = nfmsg->nfgen_family;
5889 struct nft_flowtable *flowtable;
5890 const struct nft_table *table;
5891
5892 rcu_read_lock();
5893 cb->seq = net->nft.base_seq;
5894
5895 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5896 if (family != NFPROTO_UNSPEC && family != table->family)
5897 continue;
5898
5899 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5900 if (!nft_is_active(net, flowtable))
5901 goto cont;
5902 if (idx < s_idx)
5903 goto cont;
5904 if (idx > s_idx)
5905 memset(&cb->args[1], 0,
5906 sizeof(cb->args) - sizeof(cb->args[0]));
5907 if (filter && filter->table &&
5908 strcmp(filter->table, table->name))
5909 goto cont;
5910
5911 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
5912 cb->nlh->nlmsg_seq,
5913 NFT_MSG_NEWFLOWTABLE,
5914 NLM_F_MULTI | NLM_F_APPEND,
5915 table->family, flowtable) < 0)
5916 goto done;
5917
5918 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5919cont:
5920 idx++;
5921 }
5922 }
5923done:
5924 rcu_read_unlock();
5925
5926 cb->args[0] = idx;
5927 return skb->len;
5928}
5929
5930static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
5931{
5932 const struct nlattr * const *nla = cb->data;
5933 struct nft_flowtable_filter *filter = NULL;
5934
5935 if (nla[NFTA_FLOWTABLE_TABLE]) {
5936 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5937 if (!filter)
5938 return -ENOMEM;
5939
5940 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
5941 GFP_ATOMIC);
5942 if (!filter->table) {
5943 kfree(filter);
5944 return -ENOMEM;
5945 }
5946 }
5947
5948 cb->data = filter;
5949 return 0;
5950}
5951
5952static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
5953{
5954 struct nft_flowtable_filter *filter = cb->data;
5955
5956 if (!filter)
5957 return 0;
5958
5959 kfree(filter->table);
5960 kfree(filter);
5961
5962 return 0;
5963}
5964
5965
5966static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
5967 struct sk_buff *skb,
5968 const struct nlmsghdr *nlh,
5969 const struct nlattr * const nla[],
5970 struct netlink_ext_ack *extack)
5971{
5972 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5973 u8 genmask = nft_genmask_cur(net);
5974 int family = nfmsg->nfgen_family;
5975 struct nft_flowtable *flowtable;
5976 const struct nft_table *table;
5977 struct sk_buff *skb2;
5978 int err;
5979
5980 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5981 struct netlink_dump_control c = {
5982 .start = nf_tables_dump_flowtable_start,
5983 .dump = nf_tables_dump_flowtable,
5984 .done = nf_tables_dump_flowtable_done,
5985 .module = THIS_MODULE,
5986 .data = (void *)nla,
5987 };
5988
5989 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5990 }
5991
5992 if (!nla[NFTA_FLOWTABLE_NAME])
5993 return -EINVAL;
5994
5995 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5996 genmask);
5997 if (IS_ERR(table))
5998 return PTR_ERR(table);
5999
6000 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6001 genmask);
6002 if (IS_ERR(flowtable))
6003 return PTR_ERR(flowtable);
6004
6005 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6006 if (!skb2)
6007 return -ENOMEM;
6008
6009 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
6010 nlh->nlmsg_seq,
6011 NFT_MSG_NEWFLOWTABLE, 0, family,
6012 flowtable);
6013 if (err < 0)
6014 goto err;
6015
6016 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6017err:
6018 kfree_skb(skb2);
6019 return err;
6020}
6021
6022static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
6023 struct nft_flowtable *flowtable,
6024 int event)
6025{
6026 struct sk_buff *skb;
6027 int err;
6028
6029 if (ctx->report &&
6030 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
6031 return;
6032
6033 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6034 if (skb == NULL)
6035 goto err;
6036
6037 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
6038 ctx->seq, event, 0,
6039 ctx->family, flowtable);
6040 if (err < 0) {
6041 kfree_skb(skb);
6042 goto err;
6043 }
6044
6045 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
6046 ctx->report, GFP_KERNEL);
6047 return;
6048err:
6049 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
6050}
6051
6052static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
6053{
6054 kfree(flowtable->ops);
6055 kfree(flowtable->name);
6056 flowtable->data.type->free(&flowtable->data);
6057 module_put(flowtable->data.type->owner);
6058 kfree(flowtable);
6059}
6060
6061static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
6062 u32 portid, u32 seq)
6063{
6064 struct nlmsghdr *nlh;
6065 struct nfgenmsg *nfmsg;
6066 char buf[TASK_COMM_LEN];
6067 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
6068
6069 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
6070 if (nlh == NULL)
6071 goto nla_put_failure;
6072
6073 nfmsg = nlmsg_data(nlh);
6074 nfmsg->nfgen_family = AF_UNSPEC;
6075 nfmsg->version = NFNETLINK_V0;
6076 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6077
6078 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
6079 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
6080 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
6081 goto nla_put_failure;
6082
6083 nlmsg_end(skb, nlh);
6084 return 0;
6085
6086nla_put_failure:
6087 nlmsg_trim(skb, nlh);
6088 return -EMSGSIZE;
6089}
6090
6091static void nft_flowtable_event(unsigned long event, struct net_device *dev,
6092 struct nft_flowtable *flowtable)
6093{
6094 int i;
6095
6096 for (i = 0; i < flowtable->ops_len; i++) {
6097 if (flowtable->ops[i].dev != dev)
6098 continue;
6099
6100 nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
6101 flowtable->ops[i].dev = NULL;
6102 break;
6103 }
6104}
6105
6106static int nf_tables_flowtable_event(struct notifier_block *this,
6107 unsigned long event, void *ptr)
6108{
6109 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
6110 struct nft_flowtable *flowtable;
6111 struct nft_table *table;
6112 struct net *net;
6113
6114 if (event != NETDEV_UNREGISTER)
6115 return 0;
6116
6117 net = dev_net(dev);
6118 mutex_lock(&net->nft.commit_mutex);
6119 list_for_each_entry(table, &net->nft.tables, list) {
6120 list_for_each_entry(flowtable, &table->flowtables, list) {
6121 nft_flowtable_event(event, dev, flowtable);
6122 }
6123 }
6124 mutex_unlock(&net->nft.commit_mutex);
6125
6126 return NOTIFY_DONE;
6127}
6128
6129static struct notifier_block nf_tables_flowtable_notifier = {
6130 .notifier_call = nf_tables_flowtable_event,
6131};
6132
6133static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
6134 int event)
6135{
6136 struct nlmsghdr *nlh = nlmsg_hdr(skb);
6137 struct sk_buff *skb2;
6138 int err;
6139
6140 if (nlmsg_report(nlh) &&
6141 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6142 return;
6143
6144 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6145 if (skb2 == NULL)
6146 goto err;
6147
6148 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6149 nlh->nlmsg_seq);
6150 if (err < 0) {
6151 kfree_skb(skb2);
6152 goto err;
6153 }
6154
6155 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6156 nlmsg_report(nlh), GFP_KERNEL);
6157 return;
6158err:
6159 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6160 -ENOBUFS);
6161}
6162
6163static int nf_tables_getgen(struct net *net, struct sock *nlsk,
6164 struct sk_buff *skb, const struct nlmsghdr *nlh,
6165 const struct nlattr * const nla[],
6166 struct netlink_ext_ack *extack)
6167{
6168 struct sk_buff *skb2;
6169 int err;
6170
6171 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6172 if (skb2 == NULL)
6173 return -ENOMEM;
6174
6175 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6176 nlh->nlmsg_seq);
6177 if (err < 0)
6178 goto err;
6179
6180 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6181err:
6182 kfree_skb(skb2);
6183 return err;
6184}
6185
6186static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
6187 [NFT_MSG_NEWTABLE] = {
6188 .call_batch = nf_tables_newtable,
6189 .attr_count = NFTA_TABLE_MAX,
6190 .policy = nft_table_policy,
6191 },
6192 [NFT_MSG_GETTABLE] = {
6193 .call_rcu = nf_tables_gettable,
6194 .attr_count = NFTA_TABLE_MAX,
6195 .policy = nft_table_policy,
6196 },
6197 [NFT_MSG_DELTABLE] = {
6198 .call_batch = nf_tables_deltable,
6199 .attr_count = NFTA_TABLE_MAX,
6200 .policy = nft_table_policy,
6201 },
6202 [NFT_MSG_NEWCHAIN] = {
6203 .call_batch = nf_tables_newchain,
6204 .attr_count = NFTA_CHAIN_MAX,
6205 .policy = nft_chain_policy,
6206 },
6207 [NFT_MSG_GETCHAIN] = {
6208 .call_rcu = nf_tables_getchain,
6209 .attr_count = NFTA_CHAIN_MAX,
6210 .policy = nft_chain_policy,
6211 },
6212 [NFT_MSG_DELCHAIN] = {
6213 .call_batch = nf_tables_delchain,
6214 .attr_count = NFTA_CHAIN_MAX,
6215 .policy = nft_chain_policy,
6216 },
6217 [NFT_MSG_NEWRULE] = {
6218 .call_batch = nf_tables_newrule,
6219 .attr_count = NFTA_RULE_MAX,
6220 .policy = nft_rule_policy,
6221 },
6222 [NFT_MSG_GETRULE] = {
6223 .call_rcu = nf_tables_getrule,
6224 .attr_count = NFTA_RULE_MAX,
6225 .policy = nft_rule_policy,
6226 },
6227 [NFT_MSG_DELRULE] = {
6228 .call_batch = nf_tables_delrule,
6229 .attr_count = NFTA_RULE_MAX,
6230 .policy = nft_rule_policy,
6231 },
6232 [NFT_MSG_NEWSET] = {
6233 .call_batch = nf_tables_newset,
6234 .attr_count = NFTA_SET_MAX,
6235 .policy = nft_set_policy,
6236 },
6237 [NFT_MSG_GETSET] = {
6238 .call_rcu = nf_tables_getset,
6239 .attr_count = NFTA_SET_MAX,
6240 .policy = nft_set_policy,
6241 },
6242 [NFT_MSG_DELSET] = {
6243 .call_batch = nf_tables_delset,
6244 .attr_count = NFTA_SET_MAX,
6245 .policy = nft_set_policy,
6246 },
6247 [NFT_MSG_NEWSETELEM] = {
6248 .call_batch = nf_tables_newsetelem,
6249 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6250 .policy = nft_set_elem_list_policy,
6251 },
6252 [NFT_MSG_GETSETELEM] = {
6253 .call_rcu = nf_tables_getsetelem,
6254 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6255 .policy = nft_set_elem_list_policy,
6256 },
6257 [NFT_MSG_DELSETELEM] = {
6258 .call_batch = nf_tables_delsetelem,
6259 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6260 .policy = nft_set_elem_list_policy,
6261 },
6262 [NFT_MSG_GETGEN] = {
6263 .call_rcu = nf_tables_getgen,
6264 },
6265 [NFT_MSG_NEWOBJ] = {
6266 .call_batch = nf_tables_newobj,
6267 .attr_count = NFTA_OBJ_MAX,
6268 .policy = nft_obj_policy,
6269 },
6270 [NFT_MSG_GETOBJ] = {
6271 .call_rcu = nf_tables_getobj,
6272 .attr_count = NFTA_OBJ_MAX,
6273 .policy = nft_obj_policy,
6274 },
6275 [NFT_MSG_DELOBJ] = {
6276 .call_batch = nf_tables_delobj,
6277 .attr_count = NFTA_OBJ_MAX,
6278 .policy = nft_obj_policy,
6279 },
6280 [NFT_MSG_GETOBJ_RESET] = {
6281 .call_rcu = nf_tables_getobj,
6282 .attr_count = NFTA_OBJ_MAX,
6283 .policy = nft_obj_policy,
6284 },
6285 [NFT_MSG_NEWFLOWTABLE] = {
6286 .call_batch = nf_tables_newflowtable,
6287 .attr_count = NFTA_FLOWTABLE_MAX,
6288 .policy = nft_flowtable_policy,
6289 },
6290 [NFT_MSG_GETFLOWTABLE] = {
6291 .call_rcu = nf_tables_getflowtable,
6292 .attr_count = NFTA_FLOWTABLE_MAX,
6293 .policy = nft_flowtable_policy,
6294 },
6295 [NFT_MSG_DELFLOWTABLE] = {
6296 .call_batch = nf_tables_delflowtable,
6297 .attr_count = NFTA_FLOWTABLE_MAX,
6298 .policy = nft_flowtable_policy,
6299 },
6300};
6301
6302static int nf_tables_validate(struct net *net)
6303{
6304 struct nft_table *table;
6305
6306 switch (net->nft.validate_state) {
6307 case NFT_VALIDATE_SKIP:
6308 break;
6309 case NFT_VALIDATE_NEED:
6310 nft_validate_state_update(net, NFT_VALIDATE_DO);
6311
6312 case NFT_VALIDATE_DO:
6313 list_for_each_entry(table, &net->nft.tables, list) {
6314 if (nft_table_validate(net, table) < 0)
6315 return -EAGAIN;
6316 }
6317 break;
6318 }
6319
6320 return 0;
6321}
6322
6323
6324
6325
6326
6327
6328
6329
6330static void nft_chain_commit_drop_policy(struct nft_trans *trans)
6331{
6332 struct nft_base_chain *basechain;
6333
6334 if (nft_trans_chain_policy(trans) != NF_DROP)
6335 return;
6336
6337 if (!nft_is_base_chain(trans->ctx.chain))
6338 return;
6339
6340 basechain = nft_base_chain(trans->ctx.chain);
6341 basechain->policy = NF_DROP;
6342}
6343
6344static void nft_chain_commit_update(struct nft_trans *trans)
6345{
6346 struct nft_base_chain *basechain;
6347
6348 if (nft_trans_chain_name(trans)) {
6349 rhltable_remove(&trans->ctx.table->chains_ht,
6350 &trans->ctx.chain->rhlhead,
6351 nft_chain_ht_params);
6352 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
6353 rhltable_insert_key(&trans->ctx.table->chains_ht,
6354 trans->ctx.chain->name,
6355 &trans->ctx.chain->rhlhead,
6356 nft_chain_ht_params);
6357 }
6358
6359 if (!nft_is_base_chain(trans->ctx.chain))
6360 return;
6361
6362 basechain = nft_base_chain(trans->ctx.chain);
6363 nft_chain_stats_replace(trans->ctx.net, basechain,
6364 nft_trans_chain_stats(trans));
6365
6366 switch (nft_trans_chain_policy(trans)) {
6367 case NF_DROP:
6368 case NF_ACCEPT:
6369 basechain->policy = nft_trans_chain_policy(trans);
6370 break;
6371 }
6372}
6373
6374static void nft_commit_release(struct nft_trans *trans)
6375{
6376 switch (trans->msg_type) {
6377 case NFT_MSG_DELTABLE:
6378 nf_tables_table_destroy(&trans->ctx);
6379 break;
6380 case NFT_MSG_NEWCHAIN:
6381 kfree(nft_trans_chain_name(trans));
6382 break;
6383 case NFT_MSG_DELCHAIN:
6384 nf_tables_chain_destroy(&trans->ctx);
6385 break;
6386 case NFT_MSG_DELRULE:
6387 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6388 break;
6389 case NFT_MSG_DELSET:
6390 nft_set_destroy(nft_trans_set(trans));
6391 break;
6392 case NFT_MSG_DELSETELEM:
6393 nf_tables_set_elem_destroy(&trans->ctx,
6394 nft_trans_elem_set(trans),
6395 nft_trans_elem(trans).priv);
6396 break;
6397 case NFT_MSG_DELOBJ:
6398 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6399 break;
6400 case NFT_MSG_DELFLOWTABLE:
6401 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6402 break;
6403 }
6404
6405 if (trans->put_net)
6406 put_net(trans->ctx.net);
6407
6408 kfree(trans);
6409}
6410
6411static void nf_tables_trans_destroy_work(struct work_struct *w)
6412{
6413 struct nft_trans *trans, *next;
6414 LIST_HEAD(head);
6415
6416 spin_lock(&nf_tables_destroy_list_lock);
6417 list_splice_init(&nf_tables_destroy_list, &head);
6418 spin_unlock(&nf_tables_destroy_list_lock);
6419
6420 if (list_empty(&head))
6421 return;
6422
6423 synchronize_rcu();
6424
6425 list_for_each_entry_safe(trans, next, &head, list) {
6426 list_del(&trans->list);
6427 nft_commit_release(trans);
6428 }
6429}
6430
6431static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
6432{
6433 struct nft_rule *rule;
6434 unsigned int alloc = 0;
6435 int i;
6436
6437
6438 if (chain->rules_next || !nft_is_active_next(net, chain))
6439 return 0;
6440
6441 rule = list_entry(&chain->rules, struct nft_rule, list);
6442 i = 0;
6443
6444 list_for_each_entry_continue(rule, &chain->rules, list) {
6445 if (nft_is_active_next(net, rule))
6446 alloc++;
6447 }
6448
6449 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
6450 if (!chain->rules_next)
6451 return -ENOMEM;
6452
6453 list_for_each_entry_continue(rule, &chain->rules, list) {
6454 if (nft_is_active_next(net, rule))
6455 chain->rules_next[i++] = rule;
6456 }
6457
6458 chain->rules_next[i] = NULL;
6459 return 0;
6460}
6461
6462static void nf_tables_commit_chain_prepare_cancel(struct net *net)
6463{
6464 struct nft_trans *trans, *next;
6465
6466 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6467 struct nft_chain *chain = trans->ctx.chain;
6468
6469 if (trans->msg_type == NFT_MSG_NEWRULE ||
6470 trans->msg_type == NFT_MSG_DELRULE) {
6471 kvfree(chain->rules_next);
6472 chain->rules_next = NULL;
6473 }
6474 }
6475}
6476
6477static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
6478{
6479 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
6480
6481 kvfree(o->start);
6482}
6483
6484static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
6485{
6486 struct nft_rule **r = rules;
6487 struct nft_rules_old *old;
6488
6489 while (*r)
6490 r++;
6491
6492 r++;
6493 old = (void *) r;
6494 old->start = rules;
6495
6496 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
6497}
6498
6499static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
6500{
6501 struct nft_rule **g0, **g1;
6502 bool next_genbit;
6503
6504 next_genbit = nft_gencursor_next(net);
6505
6506 g0 = rcu_dereference_protected(chain->rules_gen_0,
6507 lockdep_commit_lock_is_held(net));
6508 g1 = rcu_dereference_protected(chain->rules_gen_1,
6509 lockdep_commit_lock_is_held(net));
6510
6511
6512 if (chain->rules_next == NULL) {
6513
6514 if (g0 == g1)
6515 return;
6516
6517
6518
6519
6520 if (next_genbit) {
6521 rcu_assign_pointer(chain->rules_gen_1, g0);
6522 nf_tables_commit_chain_free_rules_old(g1);
6523 } else {
6524 rcu_assign_pointer(chain->rules_gen_0, g1);
6525 nf_tables_commit_chain_free_rules_old(g0);
6526 }
6527
6528 return;
6529 }
6530
6531 if (next_genbit)
6532 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
6533 else
6534 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
6535
6536 chain->rules_next = NULL;
6537
6538 if (g0 == g1)
6539 return;
6540
6541 if (next_genbit)
6542 nf_tables_commit_chain_free_rules_old(g1);
6543 else
6544 nf_tables_commit_chain_free_rules_old(g0);
6545}
6546
6547static void nft_obj_del(struct nft_object *obj)
6548{
6549 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
6550 list_del_rcu(&obj->list);
6551}
6552
6553static void nft_chain_del(struct nft_chain *chain)
6554{
6555 struct nft_table *table = chain->table;
6556
6557 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
6558 nft_chain_ht_params));
6559 list_del_rcu(&chain->list);
6560}
6561
6562static void nf_tables_commit_release(struct net *net)
6563{
6564 struct nft_trans *trans;
6565
6566
6567
6568
6569
6570
6571
6572
6573 if (list_empty(&net->nft.commit_list)) {
6574 mutex_unlock(&net->nft.commit_mutex);
6575 return;
6576 }
6577
6578 trans = list_last_entry(&net->nft.commit_list,
6579 struct nft_trans, list);
6580 get_net(trans->ctx.net);
6581 WARN_ON_ONCE(trans->put_net);
6582
6583 trans->put_net = true;
6584 spin_lock(&nf_tables_destroy_list_lock);
6585 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
6586 spin_unlock(&nf_tables_destroy_list_lock);
6587
6588 mutex_unlock(&net->nft.commit_mutex);
6589
6590 schedule_work(&trans_destroy_work);
6591}
6592
6593static int nf_tables_commit(struct net *net, struct sk_buff *skb)
6594{
6595 struct nft_trans *trans, *next;
6596 struct nft_trans_elem *te;
6597 struct nft_chain *chain;
6598 struct nft_table *table;
6599
6600 if (list_empty(&net->nft.commit_list)) {
6601 mutex_unlock(&net->nft.commit_mutex);
6602 return 0;
6603 }
6604
6605
6606 if (nf_tables_validate(net) < 0)
6607 return -EAGAIN;
6608
6609
6610 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6611 int ret;
6612
6613 if (trans->msg_type == NFT_MSG_NEWRULE ||
6614 trans->msg_type == NFT_MSG_DELRULE) {
6615 chain = trans->ctx.chain;
6616
6617 ret = nf_tables_commit_chain_prepare(net, chain);
6618 if (ret < 0) {
6619 nf_tables_commit_chain_prepare_cancel(net);
6620 return ret;
6621 }
6622 }
6623 }
6624
6625
6626 list_for_each_entry(table, &net->nft.tables, list) {
6627 list_for_each_entry(chain, &table->chains, list)
6628 nf_tables_commit_chain(net, chain);
6629 }
6630
6631
6632
6633
6634
6635 while (++net->nft.base_seq == 0);
6636
6637
6638 net->nft.gencursor = nft_gencursor_next(net);
6639
6640 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6641 switch (trans->msg_type) {
6642 case NFT_MSG_NEWTABLE:
6643 if (nft_trans_table_update(trans)) {
6644 if (!nft_trans_table_enable(trans)) {
6645 nf_tables_table_disable(net,
6646 trans->ctx.table);
6647 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6648 }
6649 } else {
6650 nft_clear(net, trans->ctx.table);
6651 }
6652 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
6653 nft_trans_destroy(trans);
6654 break;
6655 case NFT_MSG_DELTABLE:
6656 list_del_rcu(&trans->ctx.table->list);
6657 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
6658 break;
6659 case NFT_MSG_NEWCHAIN:
6660 if (nft_trans_chain_update(trans)) {
6661 nft_chain_commit_update(trans);
6662 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6663
6664 } else {
6665 nft_chain_commit_drop_policy(trans);
6666 nft_clear(net, trans->ctx.chain);
6667 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6668 nft_trans_destroy(trans);
6669 }
6670 break;
6671 case NFT_MSG_DELCHAIN:
6672 nft_chain_del(trans->ctx.chain);
6673 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
6674 nf_tables_unregister_hook(trans->ctx.net,
6675 trans->ctx.table,
6676 trans->ctx.chain);
6677 break;
6678 case NFT_MSG_NEWRULE:
6679 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6680 nf_tables_rule_notify(&trans->ctx,
6681 nft_trans_rule(trans),
6682 NFT_MSG_NEWRULE);
6683 nft_trans_destroy(trans);
6684 break;
6685 case NFT_MSG_DELRULE:
6686 list_del_rcu(&nft_trans_rule(trans)->list);
6687 nf_tables_rule_notify(&trans->ctx,
6688 nft_trans_rule(trans),
6689 NFT_MSG_DELRULE);
6690 nft_rule_expr_deactivate(&trans->ctx,
6691 nft_trans_rule(trans),
6692 NFT_TRANS_COMMIT);
6693 break;
6694 case NFT_MSG_NEWSET:
6695 nft_clear(net, nft_trans_set(trans));
6696
6697
6698
6699 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
6700 !list_empty(&nft_trans_set(trans)->bindings))
6701 trans->ctx.table->use--;
6702
6703 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6704 NFT_MSG_NEWSET, GFP_KERNEL);
6705 nft_trans_destroy(trans);
6706 break;
6707 case NFT_MSG_DELSET:
6708 list_del_rcu(&nft_trans_set(trans)->list);
6709 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6710 NFT_MSG_DELSET, GFP_KERNEL);
6711 break;
6712 case NFT_MSG_NEWSETELEM:
6713 te = (struct nft_trans_elem *)trans->data;
6714
6715 te->set->ops->activate(net, te->set, &te->elem);
6716 nf_tables_setelem_notify(&trans->ctx, te->set,
6717 &te->elem,
6718 NFT_MSG_NEWSETELEM, 0);
6719 nft_trans_destroy(trans);
6720 break;
6721 case NFT_MSG_DELSETELEM:
6722 te = (struct nft_trans_elem *)trans->data;
6723
6724 nf_tables_setelem_notify(&trans->ctx, te->set,
6725 &te->elem,
6726 NFT_MSG_DELSETELEM, 0);
6727 te->set->ops->remove(net, te->set, &te->elem);
6728 atomic_dec(&te->set->nelems);
6729 te->set->ndeact--;
6730 break;
6731 case NFT_MSG_NEWOBJ:
6732 nft_clear(net, nft_trans_obj(trans));
6733 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
6734 NFT_MSG_NEWOBJ);
6735 nft_trans_destroy(trans);
6736 break;
6737 case NFT_MSG_DELOBJ:
6738 nft_obj_del(nft_trans_obj(trans));
6739 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
6740 NFT_MSG_DELOBJ);
6741 break;
6742 case NFT_MSG_NEWFLOWTABLE:
6743 nft_clear(net, nft_trans_flowtable(trans));
6744 nf_tables_flowtable_notify(&trans->ctx,
6745 nft_trans_flowtable(trans),
6746 NFT_MSG_NEWFLOWTABLE);
6747 nft_trans_destroy(trans);
6748 break;
6749 case NFT_MSG_DELFLOWTABLE:
6750 list_del_rcu(&nft_trans_flowtable(trans)->list);
6751 nf_tables_flowtable_notify(&trans->ctx,
6752 nft_trans_flowtable(trans),
6753 NFT_MSG_DELFLOWTABLE);
6754 nft_unregister_flowtable_net_hooks(net,
6755 nft_trans_flowtable(trans));
6756 break;
6757 }
6758 }
6759
6760 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
6761 nf_tables_commit_release(net);
6762
6763 return 0;
6764}
6765
6766static void nf_tables_abort_release(struct nft_trans *trans)
6767{
6768 switch (trans->msg_type) {
6769 case NFT_MSG_NEWTABLE:
6770 nf_tables_table_destroy(&trans->ctx);
6771 break;
6772 case NFT_MSG_NEWCHAIN:
6773 nf_tables_chain_destroy(&trans->ctx);
6774 break;
6775 case NFT_MSG_NEWRULE:
6776 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6777 break;
6778 case NFT_MSG_NEWSET:
6779 nft_set_destroy(nft_trans_set(trans));
6780 break;
6781 case NFT_MSG_NEWSETELEM:
6782 nft_set_elem_destroy(nft_trans_elem_set(trans),
6783 nft_trans_elem(trans).priv, true);
6784 break;
6785 case NFT_MSG_NEWOBJ:
6786 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6787 break;
6788 case NFT_MSG_NEWFLOWTABLE:
6789 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6790 break;
6791 }
6792 kfree(trans);
6793}
6794
6795static int __nf_tables_abort(struct net *net)
6796{
6797 struct nft_trans *trans, *next;
6798 struct nft_trans_elem *te;
6799
6800 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
6801 list) {
6802 switch (trans->msg_type) {
6803 case NFT_MSG_NEWTABLE:
6804 if (nft_trans_table_update(trans)) {
6805 if (nft_trans_table_enable(trans)) {
6806 nf_tables_table_disable(net,
6807 trans->ctx.table);
6808 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6809 }
6810 nft_trans_destroy(trans);
6811 } else {
6812 list_del_rcu(&trans->ctx.table->list);
6813 }
6814 break;
6815 case NFT_MSG_DELTABLE:
6816 nft_clear(trans->ctx.net, trans->ctx.table);
6817 nft_trans_destroy(trans);
6818 break;
6819 case NFT_MSG_NEWCHAIN:
6820 if (nft_trans_chain_update(trans)) {
6821 free_percpu(nft_trans_chain_stats(trans));
6822 kfree(nft_trans_chain_name(trans));
6823 nft_trans_destroy(trans);
6824 } else {
6825 trans->ctx.table->use--;
6826 nft_chain_del(trans->ctx.chain);
6827 nf_tables_unregister_hook(trans->ctx.net,
6828 trans->ctx.table,
6829 trans->ctx.chain);
6830 }
6831 break;
6832 case NFT_MSG_DELCHAIN:
6833 trans->ctx.table->use++;
6834 nft_clear(trans->ctx.net, trans->ctx.chain);
6835 nft_trans_destroy(trans);
6836 break;
6837 case NFT_MSG_NEWRULE:
6838 trans->ctx.chain->use--;
6839 list_del_rcu(&nft_trans_rule(trans)->list);
6840 nft_rule_expr_deactivate(&trans->ctx,
6841 nft_trans_rule(trans),
6842 NFT_TRANS_ABORT);
6843 break;
6844 case NFT_MSG_DELRULE:
6845 trans->ctx.chain->use++;
6846 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6847 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
6848 nft_trans_destroy(trans);
6849 break;
6850 case NFT_MSG_NEWSET:
6851 trans->ctx.table->use--;
6852 if (nft_trans_set(trans)->bound) {
6853 nft_trans_destroy(trans);
6854 break;
6855 }
6856 list_del_rcu(&nft_trans_set(trans)->list);
6857 break;
6858 case NFT_MSG_DELSET:
6859 trans->ctx.table->use++;
6860 nft_clear(trans->ctx.net, nft_trans_set(trans));
6861 nft_trans_destroy(trans);
6862 break;
6863 case NFT_MSG_NEWSETELEM:
6864 if (nft_trans_elem_set(trans)->bound) {
6865 nft_trans_destroy(trans);
6866 break;
6867 }
6868 te = (struct nft_trans_elem *)trans->data;
6869 te->set->ops->remove(net, te->set, &te->elem);
6870 atomic_dec(&te->set->nelems);
6871 break;
6872 case NFT_MSG_DELSETELEM:
6873 te = (struct nft_trans_elem *)trans->data;
6874
6875 nft_set_elem_activate(net, te->set, &te->elem);
6876 te->set->ops->activate(net, te->set, &te->elem);
6877 te->set->ndeact--;
6878
6879 nft_trans_destroy(trans);
6880 break;
6881 case NFT_MSG_NEWOBJ:
6882 trans->ctx.table->use--;
6883 nft_obj_del(nft_trans_obj(trans));
6884 break;
6885 case NFT_MSG_DELOBJ:
6886 trans->ctx.table->use++;
6887 nft_clear(trans->ctx.net, nft_trans_obj(trans));
6888 nft_trans_destroy(trans);
6889 break;
6890 case NFT_MSG_NEWFLOWTABLE:
6891 trans->ctx.table->use--;
6892 list_del_rcu(&nft_trans_flowtable(trans)->list);
6893 nft_unregister_flowtable_net_hooks(net,
6894 nft_trans_flowtable(trans));
6895 break;
6896 case NFT_MSG_DELFLOWTABLE:
6897 trans->ctx.table->use++;
6898 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
6899 nft_trans_destroy(trans);
6900 break;
6901 }
6902 }
6903
6904 synchronize_rcu();
6905
6906 list_for_each_entry_safe_reverse(trans, next,
6907 &net->nft.commit_list, list) {
6908 list_del(&trans->list);
6909 nf_tables_abort_release(trans);
6910 }
6911
6912 return 0;
6913}
6914
6915static void nf_tables_cleanup(struct net *net)
6916{
6917 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
6918}
6919
6920static int nf_tables_abort(struct net *net, struct sk_buff *skb)
6921{
6922 int ret = __nf_tables_abort(net);
6923
6924 mutex_unlock(&net->nft.commit_mutex);
6925
6926 return ret;
6927}
6928
6929static bool nf_tables_valid_genid(struct net *net, u32 genid)
6930{
6931 bool genid_ok;
6932
6933 mutex_lock(&net->nft.commit_mutex);
6934
6935 genid_ok = genid == 0 || net->nft.base_seq == genid;
6936 if (!genid_ok)
6937 mutex_unlock(&net->nft.commit_mutex);
6938
6939
6940 return genid_ok;
6941}
6942
6943static const struct nfnetlink_subsystem nf_tables_subsys = {
6944 .name = "nf_tables",
6945 .subsys_id = NFNL_SUBSYS_NFTABLES,
6946 .cb_count = NFT_MSG_MAX,
6947 .cb = nf_tables_cb,
6948 .commit = nf_tables_commit,
6949 .abort = nf_tables_abort,
6950 .cleanup = nf_tables_cleanup,
6951 .valid_genid = nf_tables_valid_genid,
6952 .owner = THIS_MODULE,
6953};
6954
6955int nft_chain_validate_dependency(const struct nft_chain *chain,
6956 enum nft_chain_types type)
6957{
6958 const struct nft_base_chain *basechain;
6959
6960 if (nft_is_base_chain(chain)) {
6961 basechain = nft_base_chain(chain);
6962 if (basechain->type->type != type)
6963 return -EOPNOTSUPP;
6964 }
6965 return 0;
6966}
6967EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
6968
6969int nft_chain_validate_hooks(const struct nft_chain *chain,
6970 unsigned int hook_flags)
6971{
6972 struct nft_base_chain *basechain;
6973
6974 if (nft_is_base_chain(chain)) {
6975 basechain = nft_base_chain(chain);
6976
6977 if ((1 << basechain->ops.hooknum) & hook_flags)
6978 return 0;
6979
6980 return -EOPNOTSUPP;
6981 }
6982
6983 return 0;
6984}
6985EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
6986
6987
6988
6989
6990
6991
6992
6993
6994
6995
6996static int nf_tables_check_loops(const struct nft_ctx *ctx,
6997 const struct nft_chain *chain);
6998
6999static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
7000 struct nft_set *set,
7001 const struct nft_set_iter *iter,
7002 struct nft_set_elem *elem)
7003{
7004 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
7005 const struct nft_data *data;
7006
7007 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
7008 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
7009 return 0;
7010
7011 data = nft_set_ext_data(ext);
7012 switch (data->verdict.code) {
7013 case NFT_JUMP:
7014 case NFT_GOTO:
7015 return nf_tables_check_loops(ctx, data->verdict.chain);
7016 default:
7017 return 0;
7018 }
7019}
7020
7021static int nf_tables_check_loops(const struct nft_ctx *ctx,
7022 const struct nft_chain *chain)
7023{
7024 const struct nft_rule *rule;
7025 const struct nft_expr *expr, *last;
7026 struct nft_set *set;
7027 struct nft_set_binding *binding;
7028 struct nft_set_iter iter;
7029
7030 if (ctx->chain == chain)
7031 return -ELOOP;
7032
7033 list_for_each_entry(rule, &chain->rules, list) {
7034 nft_rule_for_each_expr(expr, last, rule) {
7035 struct nft_immediate_expr *priv;
7036 const struct nft_data *data;
7037 int err;
7038
7039 if (strcmp(expr->ops->type->name, "immediate"))
7040 continue;
7041
7042 priv = nft_expr_priv(expr);
7043 if (priv->dreg != NFT_REG_VERDICT)
7044 continue;
7045
7046 data = &priv->data;
7047 switch (data->verdict.code) {
7048 case NFT_JUMP:
7049 case NFT_GOTO:
7050 err = nf_tables_check_loops(ctx,
7051 data->verdict.chain);
7052 if (err < 0)
7053 return err;
7054 default:
7055 break;
7056 }
7057 }
7058 }
7059
7060 list_for_each_entry(set, &ctx->table->sets, list) {
7061 if (!nft_is_active_next(ctx->net, set))
7062 continue;
7063 if (!(set->flags & NFT_SET_MAP) ||
7064 set->dtype != NFT_DATA_VERDICT)
7065 continue;
7066
7067 list_for_each_entry(binding, &set->bindings, list) {
7068 if (!(binding->flags & NFT_SET_MAP) ||
7069 binding->chain != chain)
7070 continue;
7071
7072 iter.genmask = nft_genmask_next(ctx->net);
7073 iter.skip = 0;
7074 iter.count = 0;
7075 iter.err = 0;
7076 iter.fn = nf_tables_loop_check_setelem;
7077
7078 set->ops->walk(ctx, set, &iter);
7079 if (iter.err < 0)
7080 return iter.err;
7081 }
7082 }
7083
7084 return 0;
7085}
7086
7087
7088
7089
7090
7091
7092
7093
7094
7095
7096
7097
7098
7099int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
7100{
7101 u32 val;
7102
7103 val = ntohl(nla_get_be32(attr));
7104 if (val > max)
7105 return -ERANGE;
7106
7107 *dest = val;
7108 return 0;
7109}
7110EXPORT_SYMBOL_GPL(nft_parse_u32_check);
7111
7112
7113
7114
7115
7116
7117
7118
7119
7120
7121unsigned int nft_parse_register(const struct nlattr *attr)
7122{
7123 unsigned int reg;
7124
7125 reg = ntohl(nla_get_be32(attr));
7126 switch (reg) {
7127 case NFT_REG_VERDICT...NFT_REG_4:
7128 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
7129 default:
7130 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
7131 }
7132}
7133EXPORT_SYMBOL_GPL(nft_parse_register);
7134
7135
7136
7137
7138
7139
7140
7141
7142
7143
7144
7145
7146int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
7147{
7148 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
7149 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
7150 else
7151 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
7152
7153 return nla_put_be32(skb, attr, htonl(reg));
7154}
7155EXPORT_SYMBOL_GPL(nft_dump_register);
7156
7157
7158
7159
7160
7161
7162
7163
7164
7165
7166int nft_validate_register_load(enum nft_registers reg, unsigned int len)
7167{
7168 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7169 return -EINVAL;
7170 if (len == 0)
7171 return -EINVAL;
7172 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
7173 return -ERANGE;
7174
7175 return 0;
7176}
7177EXPORT_SYMBOL_GPL(nft_validate_register_load);
7178
7179
7180
7181
7182
7183
7184
7185
7186
7187
7188
7189
7190
7191
7192
7193int nft_validate_register_store(const struct nft_ctx *ctx,
7194 enum nft_registers reg,
7195 const struct nft_data *data,
7196 enum nft_data_types type, unsigned int len)
7197{
7198 int err;
7199
7200 switch (reg) {
7201 case NFT_REG_VERDICT:
7202 if (type != NFT_DATA_VERDICT)
7203 return -EINVAL;
7204
7205 if (data != NULL &&
7206 (data->verdict.code == NFT_GOTO ||
7207 data->verdict.code == NFT_JUMP)) {
7208 err = nf_tables_check_loops(ctx, data->verdict.chain);
7209 if (err < 0)
7210 return err;
7211 }
7212
7213 return 0;
7214 default:
7215 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7216 return -EINVAL;
7217 if (len == 0)
7218 return -EINVAL;
7219 if (reg * NFT_REG32_SIZE + len >
7220 FIELD_SIZEOF(struct nft_regs, data))
7221 return -ERANGE;
7222
7223 if (data != NULL && type != NFT_DATA_VALUE)
7224 return -EINVAL;
7225 return 0;
7226 }
7227}
7228EXPORT_SYMBOL_GPL(nft_validate_register_store);
7229
7230static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
7231 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
7232 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
7233 .len = NFT_CHAIN_MAXNAMELEN - 1 },
7234};
7235
7236static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
7237 struct nft_data_desc *desc, const struct nlattr *nla)
7238{
7239 u8 genmask = nft_genmask_next(ctx->net);
7240 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
7241 struct nft_chain *chain;
7242 int err;
7243
7244 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
7245 nft_verdict_policy, NULL);
7246 if (err < 0)
7247 return err;
7248
7249 if (!tb[NFTA_VERDICT_CODE])
7250 return -EINVAL;
7251 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
7252
7253 switch (data->verdict.code) {
7254 default:
7255 switch (data->verdict.code & NF_VERDICT_MASK) {
7256 case NF_ACCEPT:
7257 case NF_DROP:
7258 case NF_QUEUE:
7259 break;
7260 default:
7261 return -EINVAL;
7262 }
7263
7264 case NFT_CONTINUE:
7265 case NFT_BREAK:
7266 case NFT_RETURN:
7267 break;
7268 case NFT_JUMP:
7269 case NFT_GOTO:
7270 if (!tb[NFTA_VERDICT_CHAIN])
7271 return -EINVAL;
7272 chain = nft_chain_lookup(ctx->net, ctx->table,
7273 tb[NFTA_VERDICT_CHAIN], genmask);
7274 if (IS_ERR(chain))
7275 return PTR_ERR(chain);
7276 if (nft_is_base_chain(chain))
7277 return -EOPNOTSUPP;
7278
7279 chain->use++;
7280 data->verdict.chain = chain;
7281 break;
7282 }
7283
7284 desc->len = sizeof(data->verdict);
7285 desc->type = NFT_DATA_VERDICT;
7286 return 0;
7287}
7288
7289static void nft_verdict_uninit(const struct nft_data *data)
7290{
7291 switch (data->verdict.code) {
7292 case NFT_JUMP:
7293 case NFT_GOTO:
7294 data->verdict.chain->use--;
7295 break;
7296 }
7297}
7298
7299int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
7300{
7301 struct nlattr *nest;
7302
7303 nest = nla_nest_start_noflag(skb, type);
7304 if (!nest)
7305 goto nla_put_failure;
7306
7307 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
7308 goto nla_put_failure;
7309
7310 switch (v->code) {
7311 case NFT_JUMP:
7312 case NFT_GOTO:
7313 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
7314 v->chain->name))
7315 goto nla_put_failure;
7316 }
7317 nla_nest_end(skb, nest);
7318 return 0;
7319
7320nla_put_failure:
7321 return -1;
7322}
7323
7324static int nft_value_init(const struct nft_ctx *ctx,
7325 struct nft_data *data, unsigned int size,
7326 struct nft_data_desc *desc, const struct nlattr *nla)
7327{
7328 unsigned int len;
7329
7330 len = nla_len(nla);
7331 if (len == 0)
7332 return -EINVAL;
7333 if (len > size)
7334 return -EOVERFLOW;
7335
7336 nla_memcpy(data->data, nla, len);
7337 desc->type = NFT_DATA_VALUE;
7338 desc->len = len;
7339 return 0;
7340}
7341
7342static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
7343 unsigned int len)
7344{
7345 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
7346}
7347
7348static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
7349 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
7350 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
7351};
7352
7353
7354
7355
7356
7357
7358
7359
7360
7361
7362
7363
7364
7365
7366
7367
7368int nft_data_init(const struct nft_ctx *ctx,
7369 struct nft_data *data, unsigned int size,
7370 struct nft_data_desc *desc, const struct nlattr *nla)
7371{
7372 struct nlattr *tb[NFTA_DATA_MAX + 1];
7373 int err;
7374
7375 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
7376 nft_data_policy, NULL);
7377 if (err < 0)
7378 return err;
7379
7380 if (tb[NFTA_DATA_VALUE])
7381 return nft_value_init(ctx, data, size, desc,
7382 tb[NFTA_DATA_VALUE]);
7383 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
7384 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
7385 return -EINVAL;
7386}
7387EXPORT_SYMBOL_GPL(nft_data_init);
7388
7389
7390
7391
7392
7393
7394
7395
7396
7397
7398void nft_data_release(const struct nft_data *data, enum nft_data_types type)
7399{
7400 if (type < NFT_DATA_VERDICT)
7401 return;
7402 switch (type) {
7403 case NFT_DATA_VERDICT:
7404 return nft_verdict_uninit(data);
7405 default:
7406 WARN_ON(1);
7407 }
7408}
7409EXPORT_SYMBOL_GPL(nft_data_release);
7410
7411int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
7412 enum nft_data_types type, unsigned int len)
7413{
7414 struct nlattr *nest;
7415 int err;
7416
7417 nest = nla_nest_start_noflag(skb, attr);
7418 if (nest == NULL)
7419 return -1;
7420
7421 switch (type) {
7422 case NFT_DATA_VALUE:
7423 err = nft_value_dump(skb, data, len);
7424 break;
7425 case NFT_DATA_VERDICT:
7426 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
7427 break;
7428 default:
7429 err = -EINVAL;
7430 WARN_ON(1);
7431 }
7432
7433 nla_nest_end(skb, nest);
7434 return err;
7435}
7436EXPORT_SYMBOL_GPL(nft_data_dump);
7437
7438int __nft_release_basechain(struct nft_ctx *ctx)
7439{
7440 struct nft_rule *rule, *nr;
7441
7442 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
7443 return 0;
7444
7445 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
7446 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
7447 list_del(&rule->list);
7448 ctx->chain->use--;
7449 nf_tables_rule_release(ctx, rule);
7450 }
7451 nft_chain_del(ctx->chain);
7452 ctx->table->use--;
7453 nf_tables_chain_destroy(ctx);
7454
7455 return 0;
7456}
7457EXPORT_SYMBOL_GPL(__nft_release_basechain);
7458
7459static void __nft_release_tables(struct net *net)
7460{
7461 struct nft_flowtable *flowtable, *nf;
7462 struct nft_table *table, *nt;
7463 struct nft_chain *chain, *nc;
7464 struct nft_object *obj, *ne;
7465 struct nft_rule *rule, *nr;
7466 struct nft_set *set, *ns;
7467 struct nft_ctx ctx = {
7468 .net = net,
7469 .family = NFPROTO_NETDEV,
7470 };
7471
7472 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
7473 ctx.family = table->family;
7474
7475 list_for_each_entry(chain, &table->chains, list)
7476 nf_tables_unregister_hook(net, table, chain);
7477
7478 ctx.table = table;
7479 list_for_each_entry(chain, &table->chains, list) {
7480 ctx.chain = chain;
7481 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
7482 list_del(&rule->list);
7483 chain->use--;
7484 nf_tables_rule_release(&ctx, rule);
7485 }
7486 }
7487 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
7488 list_del(&flowtable->list);
7489 table->use--;
7490 nf_tables_flowtable_destroy(flowtable);
7491 }
7492 list_for_each_entry_safe(set, ns, &table->sets, list) {
7493 list_del(&set->list);
7494 table->use--;
7495 nft_set_destroy(set);
7496 }
7497 list_for_each_entry_safe(obj, ne, &table->objects, list) {
7498 nft_obj_del(obj);
7499 table->use--;
7500 nft_obj_destroy(&ctx, obj);
7501 }
7502 list_for_each_entry_safe(chain, nc, &table->chains, list) {
7503 ctx.chain = chain;
7504 nft_chain_del(chain);
7505 table->use--;
7506 nf_tables_chain_destroy(&ctx);
7507 }
7508 list_del(&table->list);
7509 nf_tables_table_destroy(&ctx);
7510 }
7511}
7512
7513static int __net_init nf_tables_init_net(struct net *net)
7514{
7515 INIT_LIST_HEAD(&net->nft.tables);
7516 INIT_LIST_HEAD(&net->nft.commit_list);
7517 mutex_init(&net->nft.commit_mutex);
7518 net->nft.base_seq = 1;
7519 net->nft.validate_state = NFT_VALIDATE_SKIP;
7520
7521 return 0;
7522}
7523
7524static void __net_exit nf_tables_exit_net(struct net *net)
7525{
7526 mutex_lock(&net->nft.commit_mutex);
7527 if (!list_empty(&net->nft.commit_list))
7528 __nf_tables_abort(net);
7529 __nft_release_tables(net);
7530 mutex_unlock(&net->nft.commit_mutex);
7531 WARN_ON_ONCE(!list_empty(&net->nft.tables));
7532}
7533
7534static struct pernet_operations nf_tables_net_ops = {
7535 .init = nf_tables_init_net,
7536 .exit = nf_tables_exit_net,
7537};
7538
7539static int __init nf_tables_module_init(void)
7540{
7541 int err;
7542
7543 spin_lock_init(&nf_tables_destroy_list_lock);
7544 err = register_pernet_subsys(&nf_tables_net_ops);
7545 if (err < 0)
7546 return err;
7547
7548 err = nft_chain_filter_init();
7549 if (err < 0)
7550 goto err1;
7551
7552 err = nf_tables_core_module_init();
7553 if (err < 0)
7554 goto err2;
7555
7556 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
7557 if (err < 0)
7558 goto err3;
7559
7560 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
7561 if (err < 0)
7562 goto err4;
7563
7564
7565 err = nfnetlink_subsys_register(&nf_tables_subsys);
7566 if (err < 0)
7567 goto err5;
7568
7569 nft_chain_route_init();
7570 return err;
7571err5:
7572 rhltable_destroy(&nft_objname_ht);
7573err4:
7574 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7575err3:
7576 nf_tables_core_module_exit();
7577err2:
7578 nft_chain_filter_fini();
7579err1:
7580 unregister_pernet_subsys(&nf_tables_net_ops);
7581 return err;
7582}
7583
7584static void __exit nf_tables_module_exit(void)
7585{
7586 nfnetlink_subsys_unregister(&nf_tables_subsys);
7587 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7588 nft_chain_filter_fini();
7589 nft_chain_route_fini();
7590 unregister_pernet_subsys(&nf_tables_net_ops);
7591 cancel_work_sync(&trans_destroy_work);
7592 rcu_barrier();
7593 rhltable_destroy(&nft_objname_ht);
7594 nf_tables_core_module_exit();
7595}
7596
7597module_init(nf_tables_module_init);
7598module_exit(nf_tables_module_exit);
7599
7600MODULE_LICENSE("GPL");
7601MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
7602MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
7603
