1
2
3
4
5
6
7
8#include <linux/module.h>
9#include <linux/init.h>
10#include <linux/list.h>
11#include <linux/skbuff.h>
12#include <linux/netlink.h>
13#include <linux/vmalloc.h>
14#include <linux/rhashtable.h>
15#include <linux/netfilter.h>
16#include <linux/netfilter/nfnetlink.h>
17#include <linux/netfilter/nf_tables.h>
18#include <net/netfilter/nf_flow_table.h>
19#include <net/netfilter/nf_tables_core.h>
20#include <net/netfilter/nf_tables.h>
21#include <net/netfilter/nf_tables_offload.h>
22#include <net/net_namespace.h>
23#include <net/sock.h>
24
25#define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
26
27static LIST_HEAD(nf_tables_expressions);
28static LIST_HEAD(nf_tables_objects);
29static LIST_HEAD(nf_tables_flowtables);
30static LIST_HEAD(nf_tables_destroy_list);
31static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
32static u64 table_handle;
33
34enum {
35 NFT_VALIDATE_SKIP = 0,
36 NFT_VALIDATE_NEED,
37 NFT_VALIDATE_DO,
38};
39
40static struct rhltable nft_objname_ht;
41
42static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
43static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
44static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
45
46static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
47static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
48static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
49
50static const struct rhashtable_params nft_chain_ht_params = {
51 .head_offset = offsetof(struct nft_chain, rhlhead),
52 .key_offset = offsetof(struct nft_chain, name),
53 .hashfn = nft_chain_hash,
54 .obj_hashfn = nft_chain_hash_obj,
55 .obj_cmpfn = nft_chain_hash_cmp,
56 .automatic_shrinking = true,
57};
58
59static const struct rhashtable_params nft_objname_ht_params = {
60 .head_offset = offsetof(struct nft_object, rhlhead),
61 .key_offset = offsetof(struct nft_object, key),
62 .hashfn = nft_objname_hash,
63 .obj_hashfn = nft_objname_hash_obj,
64 .obj_cmpfn = nft_objname_hash_cmp,
65 .automatic_shrinking = true,
66};
67
68static void nft_validate_state_update(struct net *net, u8 new_validate_state)
69{
70 switch (net->nft.validate_state) {
71 case NFT_VALIDATE_SKIP:
72 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
73 break;
74 case NFT_VALIDATE_NEED:
75 break;
76 case NFT_VALIDATE_DO:
77 if (new_validate_state == NFT_VALIDATE_NEED)
78 return;
79 }
80
81 net->nft.validate_state = new_validate_state;
82}
83static void nf_tables_trans_destroy_work(struct work_struct *w);
84static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
85
86static void nft_ctx_init(struct nft_ctx *ctx,
87 struct net *net,
88 const struct sk_buff *skb,
89 const struct nlmsghdr *nlh,
90 u8 family,
91 struct nft_table *table,
92 struct nft_chain *chain,
93 const struct nlattr * const *nla)
94{
95 ctx->net = net;
96 ctx->family = family;
97 ctx->level = 0;
98 ctx->table = table;
99 ctx->chain = chain;
100 ctx->nla = nla;
101 ctx->portid = NETLINK_CB(skb).portid;
102 ctx->report = nlmsg_report(nlh);
103 ctx->flags = nlh->nlmsg_flags;
104 ctx->seq = nlh->nlmsg_seq;
105}
106
107static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
108 int msg_type, u32 size, gfp_t gfp)
109{
110 struct nft_trans *trans;
111
112 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
113 if (trans == NULL)
114 return NULL;
115
116 trans->msg_type = msg_type;
117 trans->ctx = *ctx;
118
119 return trans;
120}
121
122static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
123 int msg_type, u32 size)
124{
125 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
126}
127
128static void nft_trans_destroy(struct nft_trans *trans)
129{
130 list_del(&trans->list);
131 kfree(trans);
132}
133
134static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
135{
136 struct net *net = ctx->net;
137 struct nft_trans *trans;
138
139 if (!nft_set_is_anonymous(set))
140 return;
141
142 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
143 switch (trans->msg_type) {
144 case NFT_MSG_NEWSET:
145 if (nft_trans_set(trans) == set)
146 nft_trans_set_bound(trans) = true;
147 break;
148 case NFT_MSG_NEWSETELEM:
149 if (nft_trans_elem_set(trans) == set)
150 nft_trans_elem_set_bound(trans) = true;
151 break;
152 }
153 }
154}
155
156static int nft_netdev_register_hooks(struct net *net,
157 struct list_head *hook_list)
158{
159 struct nft_hook *hook;
160 int err, j;
161
162 j = 0;
163 list_for_each_entry(hook, hook_list, list) {
164 err = nf_register_net_hook(net, &hook->ops);
165 if (err < 0)
166 goto err_register;
167
168 j++;
169 }
170 return 0;
171
172err_register:
173 list_for_each_entry(hook, hook_list, list) {
174 if (j-- <= 0)
175 break;
176
177 nf_unregister_net_hook(net, &hook->ops);
178 }
179 return err;
180}
181
182static void nft_netdev_unregister_hooks(struct net *net,
183 struct list_head *hook_list)
184{
185 struct nft_hook *hook;
186
187 list_for_each_entry(hook, hook_list, list)
188 nf_unregister_net_hook(net, &hook->ops);
189}
190
191static int nft_register_basechain_hooks(struct net *net, int family,
192 struct nft_base_chain *basechain)
193{
194 if (family == NFPROTO_NETDEV)
195 return nft_netdev_register_hooks(net, &basechain->hook_list);
196
197 return nf_register_net_hook(net, &basechain->ops);
198}
199
200static void nft_unregister_basechain_hooks(struct net *net, int family,
201 struct nft_base_chain *basechain)
202{
203 if (family == NFPROTO_NETDEV)
204 nft_netdev_unregister_hooks(net, &basechain->hook_list);
205 else
206 nf_unregister_net_hook(net, &basechain->ops);
207}
208
209static int nf_tables_register_hook(struct net *net,
210 const struct nft_table *table,
211 struct nft_chain *chain)
212{
213 struct nft_base_chain *basechain;
214 const struct nf_hook_ops *ops;
215
216 if (table->flags & NFT_TABLE_F_DORMANT ||
217 !nft_is_base_chain(chain))
218 return 0;
219
220 basechain = nft_base_chain(chain);
221 ops = &basechain->ops;
222
223 if (basechain->type->ops_register)
224 return basechain->type->ops_register(net, ops);
225
226 return nft_register_basechain_hooks(net, table->family, basechain);
227}
228
229static void nf_tables_unregister_hook(struct net *net,
230 const struct nft_table *table,
231 struct nft_chain *chain)
232{
233 struct nft_base_chain *basechain;
234 const struct nf_hook_ops *ops;
235
236 if (table->flags & NFT_TABLE_F_DORMANT ||
237 !nft_is_base_chain(chain))
238 return;
239 basechain = nft_base_chain(chain);
240 ops = &basechain->ops;
241
242 if (basechain->type->ops_unregister)
243 return basechain->type->ops_unregister(net, ops);
244
245 nft_unregister_basechain_hooks(net, table->family, basechain);
246}
247
248static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
249{
250 struct nft_trans *trans;
251
252 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
253 if (trans == NULL)
254 return -ENOMEM;
255
256 if (msg_type == NFT_MSG_NEWTABLE)
257 nft_activate_next(ctx->net, ctx->table);
258
259 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
260 return 0;
261}
262
263static int nft_deltable(struct nft_ctx *ctx)
264{
265 int err;
266
267 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
268 if (err < 0)
269 return err;
270
271 nft_deactivate_next(ctx->net, ctx->table);
272 return err;
273}
274
275static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
276{
277 struct nft_trans *trans;
278
279 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
280 if (trans == NULL)
281 return ERR_PTR(-ENOMEM);
282
283 if (msg_type == NFT_MSG_NEWCHAIN)
284 nft_activate_next(ctx->net, ctx->chain);
285
286 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
287 return trans;
288}
289
290static int nft_delchain(struct nft_ctx *ctx)
291{
292 struct nft_trans *trans;
293
294 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
295 if (IS_ERR(trans))
296 return PTR_ERR(trans);
297
298 ctx->table->use--;
299 nft_deactivate_next(ctx->net, ctx->chain);
300
301 return 0;
302}
303
304static void nft_rule_expr_activate(const struct nft_ctx *ctx,
305 struct nft_rule *rule)
306{
307 struct nft_expr *expr;
308
309 expr = nft_expr_first(rule);
310 while (expr != nft_expr_last(rule) && expr->ops) {
311 if (expr->ops->activate)
312 expr->ops->activate(ctx, expr);
313
314 expr = nft_expr_next(expr);
315 }
316}
317
318static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
319 struct nft_rule *rule,
320 enum nft_trans_phase phase)
321{
322 struct nft_expr *expr;
323
324 expr = nft_expr_first(rule);
325 while (expr != nft_expr_last(rule) && expr->ops) {
326 if (expr->ops->deactivate)
327 expr->ops->deactivate(ctx, expr, phase);
328
329 expr = nft_expr_next(expr);
330 }
331}
332
333static int
334nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
335{
336
337 if (nft_is_active_next(ctx->net, rule)) {
338 nft_deactivate_next(ctx->net, rule);
339 ctx->chain->use--;
340 return 0;
341 }
342 return -ENOENT;
343}
344
345static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
346 struct nft_rule *rule)
347{
348 struct nft_trans *trans;
349
350 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
351 if (trans == NULL)
352 return NULL;
353
354 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
355 nft_trans_rule_id(trans) =
356 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
357 }
358 nft_trans_rule(trans) = rule;
359 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
360
361 return trans;
362}
363
364static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
365{
366 struct nft_flow_rule *flow;
367 struct nft_trans *trans;
368 int err;
369
370 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
371 if (trans == NULL)
372 return -ENOMEM;
373
374 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
375 flow = nft_flow_rule_create(ctx->net, rule);
376 if (IS_ERR(flow)) {
377 nft_trans_destroy(trans);
378 return PTR_ERR(flow);
379 }
380
381 nft_trans_flow_rule(trans) = flow;
382 }
383
384 err = nf_tables_delrule_deactivate(ctx, rule);
385 if (err < 0) {
386 nft_trans_destroy(trans);
387 return err;
388 }
389 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
390
391 return 0;
392}
393
394static int nft_delrule_by_chain(struct nft_ctx *ctx)
395{
396 struct nft_rule *rule;
397 int err;
398
399 list_for_each_entry(rule, &ctx->chain->rules, list) {
400 if (!nft_is_active_next(ctx->net, rule))
401 continue;
402
403 err = nft_delrule(ctx, rule);
404 if (err < 0)
405 return err;
406 }
407 return 0;
408}
409
410static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
411 struct nft_set *set)
412{
413 struct nft_trans *trans;
414
415 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
416 if (trans == NULL)
417 return -ENOMEM;
418
419 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
420 nft_trans_set_id(trans) =
421 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
422 nft_activate_next(ctx->net, set);
423 }
424 nft_trans_set(trans) = set;
425 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
426
427 return 0;
428}
429
430static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
431{
432 int err;
433
434 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
435 if (err < 0)
436 return err;
437
438 nft_deactivate_next(ctx->net, set);
439 ctx->table->use--;
440
441 return err;
442}
443
444static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
445 struct nft_object *obj)
446{
447 struct nft_trans *trans;
448
449 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
450 if (trans == NULL)
451 return -ENOMEM;
452
453 if (msg_type == NFT_MSG_NEWOBJ)
454 nft_activate_next(ctx->net, obj);
455
456 nft_trans_obj(trans) = obj;
457 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
458
459 return 0;
460}
461
462static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
463{
464 int err;
465
466 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
467 if (err < 0)
468 return err;
469
470 nft_deactivate_next(ctx->net, obj);
471 ctx->table->use--;
472
473 return err;
474}
475
476static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
477 struct nft_flowtable *flowtable)
478{
479 struct nft_trans *trans;
480
481 trans = nft_trans_alloc(ctx, msg_type,
482 sizeof(struct nft_trans_flowtable));
483 if (trans == NULL)
484 return -ENOMEM;
485
486 if (msg_type == NFT_MSG_NEWFLOWTABLE)
487 nft_activate_next(ctx->net, flowtable);
488
489 nft_trans_flowtable(trans) = flowtable;
490 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
491
492 return 0;
493}
494
495static int nft_delflowtable(struct nft_ctx *ctx,
496 struct nft_flowtable *flowtable)
497{
498 int err;
499
500 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
501 if (err < 0)
502 return err;
503
504 nft_deactivate_next(ctx->net, flowtable);
505 ctx->table->use--;
506
507 return err;
508}
509
510
511
512
513
514static struct nft_table *nft_table_lookup(const struct net *net,
515 const struct nlattr *nla,
516 u8 family, u8 genmask)
517{
518 struct nft_table *table;
519
520 if (nla == NULL)
521 return ERR_PTR(-EINVAL);
522
523 list_for_each_entry_rcu(table, &net->nft.tables, list,
524 lockdep_is_held(&net->nft.commit_mutex)) {
525 if (!nla_strcmp(nla, table->name) &&
526 table->family == family &&
527 nft_active_genmask(table, genmask))
528 return table;
529 }
530
531 return ERR_PTR(-ENOENT);
532}
533
534static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
535 const struct nlattr *nla,
536 u8 genmask)
537{
538 struct nft_table *table;
539
540 list_for_each_entry(table, &net->nft.tables, list) {
541 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
542 nft_active_genmask(table, genmask))
543 return table;
544 }
545
546 return ERR_PTR(-ENOENT);
547}
548
549static inline u64 nf_tables_alloc_handle(struct nft_table *table)
550{
551 return ++table->hgenerator;
552}
553
554static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
555
556static const struct nft_chain_type *
557__nft_chain_type_get(u8 family, enum nft_chain_types type)
558{
559 if (family >= NFPROTO_NUMPROTO ||
560 type >= NFT_CHAIN_T_MAX)
561 return NULL;
562
563 return chain_type[family][type];
564}
565
566static const struct nft_chain_type *
567__nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
568{
569 const struct nft_chain_type *type;
570 int i;
571
572 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
573 type = __nft_chain_type_get(family, i);
574 if (!type)
575 continue;
576 if (!nla_strcmp(nla, type->name))
577 return type;
578 }
579 return NULL;
580}
581
582struct nft_module_request {
583 struct list_head list;
584 char module[MODULE_NAME_LEN];
585 bool done;
586};
587
588#ifdef CONFIG_MODULES
589static int nft_request_module(struct net *net, const char *fmt, ...)
590{
591 char module_name[MODULE_NAME_LEN];
592 struct nft_module_request *req;
593 va_list args;
594 int ret;
595
596 va_start(args, fmt);
597 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
598 va_end(args);
599 if (ret >= MODULE_NAME_LEN)
600 return 0;
601
602 list_for_each_entry(req, &net->nft.module_list, list) {
603 if (!strcmp(req->module, module_name)) {
604 if (req->done)
605 return 0;
606
607
608 return -EAGAIN;
609 }
610 }
611
612 req = kmalloc(sizeof(*req), GFP_KERNEL);
613 if (!req)
614 return -ENOMEM;
615
616 req->done = false;
617 strlcpy(req->module, module_name, MODULE_NAME_LEN);
618 list_add_tail(&req->list, &net->nft.module_list);
619
620 return -EAGAIN;
621}
622#endif
623
624static void lockdep_nfnl_nft_mutex_not_held(void)
625{
626#ifdef CONFIG_PROVE_LOCKING
627 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
628#endif
629}
630
631static const struct nft_chain_type *
632nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
633 u8 family, bool autoload)
634{
635 const struct nft_chain_type *type;
636
637 type = __nf_tables_chain_type_lookup(nla, family);
638 if (type != NULL)
639 return type;
640
641 lockdep_nfnl_nft_mutex_not_held();
642#ifdef CONFIG_MODULES
643 if (autoload) {
644 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
645 nla_len(nla),
646 (const char *)nla_data(nla)) == -EAGAIN)
647 return ERR_PTR(-EAGAIN);
648 }
649#endif
650 return ERR_PTR(-ENOENT);
651}
652
653static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
654 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
655 .len = NFT_TABLE_MAXNAMELEN - 1 },
656 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
657 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
658};
659
660static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
661 u32 portid, u32 seq, int event, u32 flags,
662 int family, const struct nft_table *table)
663{
664 struct nlmsghdr *nlh;
665 struct nfgenmsg *nfmsg;
666
667 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
668 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
669 if (nlh == NULL)
670 goto nla_put_failure;
671
672 nfmsg = nlmsg_data(nlh);
673 nfmsg->nfgen_family = family;
674 nfmsg->version = NFNETLINK_V0;
675 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
676
677 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
678 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
679 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
680 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
681 NFTA_TABLE_PAD))
682 goto nla_put_failure;
683
684 nlmsg_end(skb, nlh);
685 return 0;
686
687nla_put_failure:
688 nlmsg_trim(skb, nlh);
689 return -1;
690}
691
692static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
693{
694 struct sk_buff *skb;
695 int err;
696
697 if (!ctx->report &&
698 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
699 return;
700
701 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
702 if (skb == NULL)
703 goto err;
704
705 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
706 event, 0, ctx->family, ctx->table);
707 if (err < 0) {
708 kfree_skb(skb);
709 goto err;
710 }
711
712 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
713 ctx->report, GFP_KERNEL);
714 return;
715err:
716 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
717}
718
719static int nf_tables_dump_tables(struct sk_buff *skb,
720 struct netlink_callback *cb)
721{
722 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
723 const struct nft_table *table;
724 unsigned int idx = 0, s_idx = cb->args[0];
725 struct net *net = sock_net(skb->sk);
726 int family = nfmsg->nfgen_family;
727
728 rcu_read_lock();
729 cb->seq = net->nft.base_seq;
730
731 list_for_each_entry_rcu(table, &net->nft.tables, list) {
732 if (family != NFPROTO_UNSPEC && family != table->family)
733 continue;
734
735 if (idx < s_idx)
736 goto cont;
737 if (idx > s_idx)
738 memset(&cb->args[1], 0,
739 sizeof(cb->args) - sizeof(cb->args[0]));
740 if (!nft_is_active(net, table))
741 continue;
742 if (nf_tables_fill_table_info(skb, net,
743 NETLINK_CB(cb->skb).portid,
744 cb->nlh->nlmsg_seq,
745 NFT_MSG_NEWTABLE, NLM_F_MULTI,
746 table->family, table) < 0)
747 goto done;
748
749 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
750cont:
751 idx++;
752 }
753done:
754 rcu_read_unlock();
755 cb->args[0] = idx;
756 return skb->len;
757}
758
759static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
760 const struct nlmsghdr *nlh,
761 struct netlink_dump_control *c)
762{
763 int err;
764
765 if (!try_module_get(THIS_MODULE))
766 return -EINVAL;
767
768 rcu_read_unlock();
769 err = netlink_dump_start(nlsk, skb, nlh, c);
770 rcu_read_lock();
771 module_put(THIS_MODULE);
772
773 return err;
774}
775
776
777static int nf_tables_gettable(struct net *net, struct sock *nlsk,
778 struct sk_buff *skb, const struct nlmsghdr *nlh,
779 const struct nlattr * const nla[],
780 struct netlink_ext_ack *extack)
781{
782 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
783 u8 genmask = nft_genmask_cur(net);
784 const struct nft_table *table;
785 struct sk_buff *skb2;
786 int family = nfmsg->nfgen_family;
787 int err;
788
789 if (nlh->nlmsg_flags & NLM_F_DUMP) {
790 struct netlink_dump_control c = {
791 .dump = nf_tables_dump_tables,
792 .module = THIS_MODULE,
793 };
794
795 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
796 }
797
798 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
799 if (IS_ERR(table)) {
800 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
801 return PTR_ERR(table);
802 }
803
804 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
805 if (!skb2)
806 return -ENOMEM;
807
808 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
809 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
810 family, table);
811 if (err < 0)
812 goto err;
813
814 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
815
816err:
817 kfree_skb(skb2);
818 return err;
819}
820
821static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
822{
823 struct nft_chain *chain;
824 u32 i = 0;
825
826 list_for_each_entry(chain, &table->chains, list) {
827 if (!nft_is_active_next(net, chain))
828 continue;
829 if (!nft_is_base_chain(chain))
830 continue;
831
832 if (cnt && i++ == cnt)
833 break;
834
835 nft_unregister_basechain_hooks(net, table->family,
836 nft_base_chain(chain));
837 }
838}
839
840static int nf_tables_table_enable(struct net *net, struct nft_table *table)
841{
842 struct nft_chain *chain;
843 int err, i = 0;
844
845 list_for_each_entry(chain, &table->chains, list) {
846 if (!nft_is_active_next(net, chain))
847 continue;
848 if (!nft_is_base_chain(chain))
849 continue;
850
851 err = nft_register_basechain_hooks(net, table->family,
852 nft_base_chain(chain));
853 if (err < 0)
854 goto err_register_hooks;
855
856 i++;
857 }
858 return 0;
859
860err_register_hooks:
861 if (i)
862 nft_table_disable(net, table, i);
863 return err;
864}
865
866static void nf_tables_table_disable(struct net *net, struct nft_table *table)
867{
868 nft_table_disable(net, table, 0);
869}
870
871static int nf_tables_updtable(struct nft_ctx *ctx)
872{
873 struct nft_trans *trans;
874 u32 flags;
875 int ret = 0;
876
877 if (!ctx->nla[NFTA_TABLE_FLAGS])
878 return 0;
879
880 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
881 if (flags & ~NFT_TABLE_F_DORMANT)
882 return -EINVAL;
883
884 if (flags == ctx->table->flags)
885 return 0;
886
887 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
888 sizeof(struct nft_trans_table));
889 if (trans == NULL)
890 return -ENOMEM;
891
892 if ((flags & NFT_TABLE_F_DORMANT) &&
893 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
894 nft_trans_table_enable(trans) = false;
895 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
896 ctx->table->flags & NFT_TABLE_F_DORMANT) {
897 ret = nf_tables_table_enable(ctx->net, ctx->table);
898 if (ret >= 0) {
899 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
900 nft_trans_table_enable(trans) = true;
901 }
902 }
903 if (ret < 0)
904 goto err;
905
906 nft_trans_table_update(trans) = true;
907 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
908 return 0;
909err:
910 nft_trans_destroy(trans);
911 return ret;
912}
913
914static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
915{
916 const char *name = data;
917
918 return jhash(name, strlen(name), seed);
919}
920
921static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
922{
923 const struct nft_chain *chain = data;
924
925 return nft_chain_hash(chain->name, 0, seed);
926}
927
928static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
929 const void *ptr)
930{
931 const struct nft_chain *chain = ptr;
932 const char *name = arg->key;
933
934 return strcmp(chain->name, name);
935}
936
937static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
938{
939 const struct nft_object_hash_key *k = data;
940
941 seed ^= hash_ptr(k->table, 32);
942
943 return jhash(k->name, strlen(k->name), seed);
944}
945
946static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
947{
948 const struct nft_object *obj = data;
949
950 return nft_objname_hash(&obj->key, 0, seed);
951}
952
953static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
954 const void *ptr)
955{
956 const struct nft_object_hash_key *k = arg->key;
957 const struct nft_object *obj = ptr;
958
959 if (obj->key.table != k->table)
960 return -1;
961
962 return strcmp(obj->key.name, k->name);
963}
964
965static int nf_tables_newtable(struct net *net, struct sock *nlsk,
966 struct sk_buff *skb, const struct nlmsghdr *nlh,
967 const struct nlattr * const nla[],
968 struct netlink_ext_ack *extack)
969{
970 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
971 u8 genmask = nft_genmask_next(net);
972 int family = nfmsg->nfgen_family;
973 const struct nlattr *attr;
974 struct nft_table *table;
975 u32 flags = 0;
976 struct nft_ctx ctx;
977 int err;
978
979 lockdep_assert_held(&net->nft.commit_mutex);
980 attr = nla[NFTA_TABLE_NAME];
981 table = nft_table_lookup(net, attr, family, genmask);
982 if (IS_ERR(table)) {
983 if (PTR_ERR(table) != -ENOENT)
984 return PTR_ERR(table);
985 } else {
986 if (nlh->nlmsg_flags & NLM_F_EXCL) {
987 NL_SET_BAD_ATTR(extack, attr);
988 return -EEXIST;
989 }
990 if (nlh->nlmsg_flags & NLM_F_REPLACE)
991 return -EOPNOTSUPP;
992
993 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
994 return nf_tables_updtable(&ctx);
995 }
996
997 if (nla[NFTA_TABLE_FLAGS]) {
998 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
999 if (flags & ~NFT_TABLE_F_DORMANT)
1000 return -EINVAL;
1001 }
1002
1003 err = -ENOMEM;
1004 table = kzalloc(sizeof(*table), GFP_KERNEL);
1005 if (table == NULL)
1006 goto err_kzalloc;
1007
1008 table->name = nla_strdup(attr, GFP_KERNEL);
1009 if (table->name == NULL)
1010 goto err_strdup;
1011
1012 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1013 if (err)
1014 goto err_chain_ht;
1015
1016 INIT_LIST_HEAD(&table->chains);
1017 INIT_LIST_HEAD(&table->sets);
1018 INIT_LIST_HEAD(&table->objects);
1019 INIT_LIST_HEAD(&table->flowtables);
1020 table->family = family;
1021 table->flags = flags;
1022 table->handle = ++table_handle;
1023
1024 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
1025 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1026 if (err < 0)
1027 goto err_trans;
1028
1029 list_add_tail_rcu(&table->list, &net->nft.tables);
1030 return 0;
1031err_trans:
1032 rhltable_destroy(&table->chains_ht);
1033err_chain_ht:
1034 kfree(table->name);
1035err_strdup:
1036 kfree(table);
1037err_kzalloc:
1038 return err;
1039}
1040
1041static int nft_flush_table(struct nft_ctx *ctx)
1042{
1043 struct nft_flowtable *flowtable, *nft;
1044 struct nft_chain *chain, *nc;
1045 struct nft_object *obj, *ne;
1046 struct nft_set *set, *ns;
1047 int err;
1048
1049 list_for_each_entry(chain, &ctx->table->chains, list) {
1050 if (!nft_is_active_next(ctx->net, chain))
1051 continue;
1052
1053 ctx->chain = chain;
1054
1055 err = nft_delrule_by_chain(ctx);
1056 if (err < 0)
1057 goto out;
1058 }
1059
1060 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1061 if (!nft_is_active_next(ctx->net, set))
1062 continue;
1063
1064 if (nft_set_is_anonymous(set) &&
1065 !list_empty(&set->bindings))
1066 continue;
1067
1068 err = nft_delset(ctx, set);
1069 if (err < 0)
1070 goto out;
1071 }
1072
1073 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1074 if (!nft_is_active_next(ctx->net, flowtable))
1075 continue;
1076
1077 err = nft_delflowtable(ctx, flowtable);
1078 if (err < 0)
1079 goto out;
1080 }
1081
1082 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1083 if (!nft_is_active_next(ctx->net, obj))
1084 continue;
1085
1086 err = nft_delobj(ctx, obj);
1087 if (err < 0)
1088 goto out;
1089 }
1090
1091 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1092 if (!nft_is_active_next(ctx->net, chain))
1093 continue;
1094
1095 ctx->chain = chain;
1096
1097 err = nft_delchain(ctx);
1098 if (err < 0)
1099 goto out;
1100 }
1101
1102 err = nft_deltable(ctx);
1103out:
1104 return err;
1105}
1106
1107static int nft_flush(struct nft_ctx *ctx, int family)
1108{
1109 struct nft_table *table, *nt;
1110 const struct nlattr * const *nla = ctx->nla;
1111 int err = 0;
1112
1113 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1114 if (family != AF_UNSPEC && table->family != family)
1115 continue;
1116
1117 ctx->family = table->family;
1118
1119 if (!nft_is_active_next(ctx->net, table))
1120 continue;
1121
1122 if (nla[NFTA_TABLE_NAME] &&
1123 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1124 continue;
1125
1126 ctx->table = table;
1127
1128 err = nft_flush_table(ctx);
1129 if (err < 0)
1130 goto out;
1131 }
1132out:
1133 return err;
1134}
1135
1136static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1137 struct sk_buff *skb, const struct nlmsghdr *nlh,
1138 const struct nlattr * const nla[],
1139 struct netlink_ext_ack *extack)
1140{
1141 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1142 u8 genmask = nft_genmask_next(net);
1143 int family = nfmsg->nfgen_family;
1144 const struct nlattr *attr;
1145 struct nft_table *table;
1146 struct nft_ctx ctx;
1147
1148 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1149 if (family == AF_UNSPEC ||
1150 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1151 return nft_flush(&ctx, family);
1152
1153 if (nla[NFTA_TABLE_HANDLE]) {
1154 attr = nla[NFTA_TABLE_HANDLE];
1155 table = nft_table_lookup_byhandle(net, attr, genmask);
1156 } else {
1157 attr = nla[NFTA_TABLE_NAME];
1158 table = nft_table_lookup(net, attr, family, genmask);
1159 }
1160
1161 if (IS_ERR(table)) {
1162 NL_SET_BAD_ATTR(extack, attr);
1163 return PTR_ERR(table);
1164 }
1165
1166 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1167 table->use > 0)
1168 return -EBUSY;
1169
1170 ctx.family = family;
1171 ctx.table = table;
1172
1173 return nft_flush_table(&ctx);
1174}
1175
1176static void nf_tables_table_destroy(struct nft_ctx *ctx)
1177{
1178 if (WARN_ON(ctx->table->use > 0))
1179 return;
1180
1181 rhltable_destroy(&ctx->table->chains_ht);
1182 kfree(ctx->table->name);
1183 kfree(ctx->table);
1184}
1185
1186void nft_register_chain_type(const struct nft_chain_type *ctype)
1187{
1188 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1189 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1190 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1191 return;
1192 }
1193 chain_type[ctype->family][ctype->type] = ctype;
1194 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1195}
1196EXPORT_SYMBOL_GPL(nft_register_chain_type);
1197
1198void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1199{
1200 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1201 chain_type[ctype->family][ctype->type] = NULL;
1202 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1203}
1204EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1205
1206
1207
1208
1209
1210static struct nft_chain *
1211nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1212{
1213 struct nft_chain *chain;
1214
1215 list_for_each_entry(chain, &table->chains, list) {
1216 if (chain->handle == handle &&
1217 nft_active_genmask(chain, genmask))
1218 return chain;
1219 }
1220
1221 return ERR_PTR(-ENOENT);
1222}
1223
1224static bool lockdep_commit_lock_is_held(const struct net *net)
1225{
1226#ifdef CONFIG_PROVE_LOCKING
1227 return lockdep_is_held(&net->nft.commit_mutex);
1228#else
1229 return true;
1230#endif
1231}
1232
1233static struct nft_chain *nft_chain_lookup(struct net *net,
1234 struct nft_table *table,
1235 const struct nlattr *nla, u8 genmask)
1236{
1237 char search[NFT_CHAIN_MAXNAMELEN + 1];
1238 struct rhlist_head *tmp, *list;
1239 struct nft_chain *chain;
1240
1241 if (nla == NULL)
1242 return ERR_PTR(-EINVAL);
1243
1244 nla_strlcpy(search, nla, sizeof(search));
1245
1246 WARN_ON(!rcu_read_lock_held() &&
1247 !lockdep_commit_lock_is_held(net));
1248
1249 chain = ERR_PTR(-ENOENT);
1250 rcu_read_lock();
1251 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1252 if (!list)
1253 goto out_unlock;
1254
1255 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1256 if (nft_active_genmask(chain, genmask))
1257 goto out_unlock;
1258 }
1259 chain = ERR_PTR(-ENOENT);
1260out_unlock:
1261 rcu_read_unlock();
1262 return chain;
1263}
1264
1265static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1266 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1267 .len = NFT_TABLE_MAXNAMELEN - 1 },
1268 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1269 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1270 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1271 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1272 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1273 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1274 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1275 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1276 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1277};
1278
1279static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1280 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1281 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1282 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1283 .len = IFNAMSIZ - 1 },
1284};
1285
1286static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1287{
1288 struct nft_stats *cpu_stats, total;
1289 struct nlattr *nest;
1290 unsigned int seq;
1291 u64 pkts, bytes;
1292 int cpu;
1293
1294 if (!stats)
1295 return 0;
1296
1297 memset(&total, 0, sizeof(total));
1298 for_each_possible_cpu(cpu) {
1299 cpu_stats = per_cpu_ptr(stats, cpu);
1300 do {
1301 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1302 pkts = cpu_stats->pkts;
1303 bytes = cpu_stats->bytes;
1304 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1305 total.pkts += pkts;
1306 total.bytes += bytes;
1307 }
1308 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1309 if (nest == NULL)
1310 goto nla_put_failure;
1311
1312 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1313 NFTA_COUNTER_PAD) ||
1314 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1315 NFTA_COUNTER_PAD))
1316 goto nla_put_failure;
1317
1318 nla_nest_end(skb, nest);
1319 return 0;
1320
1321nla_put_failure:
1322 return -ENOSPC;
1323}
1324
1325static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1326 const struct nft_base_chain *basechain)
1327{
1328 const struct nf_hook_ops *ops = &basechain->ops;
1329 struct nft_hook *hook, *first = NULL;
1330 struct nlattr *nest, *nest_devs;
1331 int n = 0;
1332
1333 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1334 if (nest == NULL)
1335 goto nla_put_failure;
1336 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1337 goto nla_put_failure;
1338 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1339 goto nla_put_failure;
1340
1341 if (family == NFPROTO_NETDEV) {
1342 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1343 list_for_each_entry(hook, &basechain->hook_list, list) {
1344 if (!first)
1345 first = hook;
1346
1347 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1348 hook->ops.dev->name))
1349 goto nla_put_failure;
1350 n++;
1351 }
1352 nla_nest_end(skb, nest_devs);
1353
1354 if (n == 1 &&
1355 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1356 goto nla_put_failure;
1357 }
1358 nla_nest_end(skb, nest);
1359
1360 return 0;
1361nla_put_failure:
1362 return -1;
1363}
1364
1365static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1366 u32 portid, u32 seq, int event, u32 flags,
1367 int family, const struct nft_table *table,
1368 const struct nft_chain *chain)
1369{
1370 struct nlmsghdr *nlh;
1371 struct nfgenmsg *nfmsg;
1372
1373 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1374 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1375 if (nlh == NULL)
1376 goto nla_put_failure;
1377
1378 nfmsg = nlmsg_data(nlh);
1379 nfmsg->nfgen_family = family;
1380 nfmsg->version = NFNETLINK_V0;
1381 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1382
1383 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1384 goto nla_put_failure;
1385 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1386 NFTA_CHAIN_PAD))
1387 goto nla_put_failure;
1388 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1389 goto nla_put_failure;
1390
1391 if (nft_is_base_chain(chain)) {
1392 const struct nft_base_chain *basechain = nft_base_chain(chain);
1393 struct nft_stats __percpu *stats;
1394
1395 if (nft_dump_basechain_hook(skb, family, basechain))
1396 goto nla_put_failure;
1397
1398 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1399 htonl(basechain->policy)))
1400 goto nla_put_failure;
1401
1402 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1403 goto nla_put_failure;
1404
1405 stats = rcu_dereference_check(basechain->stats,
1406 lockdep_commit_lock_is_held(net));
1407 if (nft_dump_stats(skb, stats))
1408 goto nla_put_failure;
1409
1410 if ((chain->flags & NFT_CHAIN_HW_OFFLOAD) &&
1411 nla_put_be32(skb, NFTA_CHAIN_FLAGS,
1412 htonl(NFT_CHAIN_HW_OFFLOAD)))
1413 goto nla_put_failure;
1414 }
1415
1416 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1417 goto nla_put_failure;
1418
1419 nlmsg_end(skb, nlh);
1420 return 0;
1421
1422nla_put_failure:
1423 nlmsg_trim(skb, nlh);
1424 return -1;
1425}
1426
1427static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1428{
1429 struct sk_buff *skb;
1430 int err;
1431
1432 if (!ctx->report &&
1433 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1434 return;
1435
1436 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1437 if (skb == NULL)
1438 goto err;
1439
1440 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1441 event, 0, ctx->family, ctx->table,
1442 ctx->chain);
1443 if (err < 0) {
1444 kfree_skb(skb);
1445 goto err;
1446 }
1447
1448 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1449 ctx->report, GFP_KERNEL);
1450 return;
1451err:
1452 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1453}
1454
1455static int nf_tables_dump_chains(struct sk_buff *skb,
1456 struct netlink_callback *cb)
1457{
1458 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1459 const struct nft_table *table;
1460 const struct nft_chain *chain;
1461 unsigned int idx = 0, s_idx = cb->args[0];
1462 struct net *net = sock_net(skb->sk);
1463 int family = nfmsg->nfgen_family;
1464
1465 rcu_read_lock();
1466 cb->seq = net->nft.base_seq;
1467
1468 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1469 if (family != NFPROTO_UNSPEC && family != table->family)
1470 continue;
1471
1472 list_for_each_entry_rcu(chain, &table->chains, list) {
1473 if (idx < s_idx)
1474 goto cont;
1475 if (idx > s_idx)
1476 memset(&cb->args[1], 0,
1477 sizeof(cb->args) - sizeof(cb->args[0]));
1478 if (!nft_is_active(net, chain))
1479 continue;
1480 if (nf_tables_fill_chain_info(skb, net,
1481 NETLINK_CB(cb->skb).portid,
1482 cb->nlh->nlmsg_seq,
1483 NFT_MSG_NEWCHAIN,
1484 NLM_F_MULTI,
1485 table->family, table,
1486 chain) < 0)
1487 goto done;
1488
1489 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1490cont:
1491 idx++;
1492 }
1493 }
1494done:
1495 rcu_read_unlock();
1496 cb->args[0] = idx;
1497 return skb->len;
1498}
1499
1500
1501static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1502 struct sk_buff *skb, const struct nlmsghdr *nlh,
1503 const struct nlattr * const nla[],
1504 struct netlink_ext_ack *extack)
1505{
1506 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1507 u8 genmask = nft_genmask_cur(net);
1508 const struct nft_chain *chain;
1509 struct nft_table *table;
1510 struct sk_buff *skb2;
1511 int family = nfmsg->nfgen_family;
1512 int err;
1513
1514 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1515 struct netlink_dump_control c = {
1516 .dump = nf_tables_dump_chains,
1517 .module = THIS_MODULE,
1518 };
1519
1520 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1521 }
1522
1523 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1524 if (IS_ERR(table)) {
1525 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1526 return PTR_ERR(table);
1527 }
1528
1529 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1530 if (IS_ERR(chain)) {
1531 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1532 return PTR_ERR(chain);
1533 }
1534
1535 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1536 if (!skb2)
1537 return -ENOMEM;
1538
1539 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1540 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1541 family, table, chain);
1542 if (err < 0)
1543 goto err;
1544
1545 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1546
1547err:
1548 kfree_skb(skb2);
1549 return err;
1550}
1551
1552static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1553 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1554 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1555};
1556
1557static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1558{
1559 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1560 struct nft_stats __percpu *newstats;
1561 struct nft_stats *stats;
1562 int err;
1563
1564 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1565 nft_counter_policy, NULL);
1566 if (err < 0)
1567 return ERR_PTR(err);
1568
1569 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1570 return ERR_PTR(-EINVAL);
1571
1572 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1573 if (newstats == NULL)
1574 return ERR_PTR(-ENOMEM);
1575
1576
1577
1578
1579 preempt_disable();
1580 stats = this_cpu_ptr(newstats);
1581 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1582 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1583 preempt_enable();
1584
1585 return newstats;
1586}
1587
1588static void nft_chain_stats_replace(struct nft_trans *trans)
1589{
1590 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1591
1592 if (!nft_trans_chain_stats(trans))
1593 return;
1594
1595 nft_trans_chain_stats(trans) =
1596 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
1597 lockdep_commit_lock_is_held(trans->ctx.net));
1598
1599 if (!nft_trans_chain_stats(trans))
1600 static_branch_inc(&nft_counters_enabled);
1601}
1602
1603static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1604{
1605 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1606 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1607
1608 if (g0 != g1)
1609 kvfree(g1);
1610 kvfree(g0);
1611
1612
1613 WARN_ON_ONCE(chain->rules_next);
1614 kvfree(chain->rules_next);
1615}
1616
1617static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1618{
1619 struct nft_chain *chain = ctx->chain;
1620 struct nft_hook *hook, *next;
1621
1622 if (WARN_ON(chain->use > 0))
1623 return;
1624
1625
1626 nf_tables_chain_free_chain_rules(chain);
1627
1628 if (nft_is_base_chain(chain)) {
1629 struct nft_base_chain *basechain = nft_base_chain(chain);
1630
1631 if (ctx->family == NFPROTO_NETDEV) {
1632 list_for_each_entry_safe(hook, next,
1633 &basechain->hook_list, list) {
1634 list_del_rcu(&hook->list);
1635 kfree_rcu(hook, rcu);
1636 }
1637 }
1638 module_put(basechain->type->owner);
1639 if (rcu_access_pointer(basechain->stats)) {
1640 static_branch_dec(&nft_counters_enabled);
1641 free_percpu(rcu_dereference_raw(basechain->stats));
1642 }
1643 kfree(chain->name);
1644 kfree(basechain);
1645 } else {
1646 kfree(chain->name);
1647 kfree(chain);
1648 }
1649}
1650
1651static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
1652 const struct nlattr *attr)
1653{
1654 struct net_device *dev;
1655 char ifname[IFNAMSIZ];
1656 struct nft_hook *hook;
1657 int err;
1658
1659 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL);
1660 if (!hook) {
1661 err = -ENOMEM;
1662 goto err_hook_alloc;
1663 }
1664
1665 nla_strlcpy(ifname, attr, IFNAMSIZ);
1666 dev = __dev_get_by_name(net, ifname);
1667 if (!dev) {
1668 err = -ENOENT;
1669 goto err_hook_dev;
1670 }
1671 hook->ops.dev = dev;
1672
1673 return hook;
1674
1675err_hook_dev:
1676 kfree(hook);
1677err_hook_alloc:
1678 return ERR_PTR(err);
1679}
1680
1681static bool nft_hook_list_find(struct list_head *hook_list,
1682 const struct nft_hook *this)
1683{
1684 struct nft_hook *hook;
1685
1686 list_for_each_entry(hook, hook_list, list) {
1687 if (this->ops.dev == hook->ops.dev)
1688 return true;
1689 }
1690
1691 return false;
1692}
1693
1694static int nf_tables_parse_netdev_hooks(struct net *net,
1695 const struct nlattr *attr,
1696 struct list_head *hook_list)
1697{
1698 struct nft_hook *hook, *next;
1699 const struct nlattr *tmp;
1700 int rem, n = 0, err;
1701
1702 nla_for_each_nested(tmp, attr, rem) {
1703 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
1704 err = -EINVAL;
1705 goto err_hook;
1706 }
1707
1708 hook = nft_netdev_hook_alloc(net, tmp);
1709 if (IS_ERR(hook)) {
1710 err = PTR_ERR(hook);
1711 goto err_hook;
1712 }
1713 if (nft_hook_list_find(hook_list, hook)) {
1714 kfree(hook);
1715 err = -EEXIST;
1716 goto err_hook;
1717 }
1718 list_add_tail(&hook->list, hook_list);
1719 n++;
1720
1721 if (n == NFT_NETDEVICE_MAX) {
1722 err = -EFBIG;
1723 goto err_hook;
1724 }
1725 }
1726 if (!n)
1727 return -EINVAL;
1728
1729 return 0;
1730
1731err_hook:
1732 list_for_each_entry_safe(hook, next, hook_list, list) {
1733 list_del(&hook->list);
1734 kfree(hook);
1735 }
1736 return err;
1737}
1738
1739struct nft_chain_hook {
1740 u32 num;
1741 s32 priority;
1742 const struct nft_chain_type *type;
1743 struct list_head list;
1744};
1745
1746static int nft_chain_parse_netdev(struct net *net,
1747 struct nlattr *tb[],
1748 struct list_head *hook_list)
1749{
1750 struct nft_hook *hook;
1751 int err;
1752
1753 if (tb[NFTA_HOOK_DEV]) {
1754 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
1755 if (IS_ERR(hook))
1756 return PTR_ERR(hook);
1757
1758 list_add_tail(&hook->list, hook_list);
1759 } else if (tb[NFTA_HOOK_DEVS]) {
1760 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
1761 hook_list);
1762 if (err < 0)
1763 return err;
1764 } else {
1765 return -EINVAL;
1766 }
1767
1768 return 0;
1769}
1770
1771static int nft_chain_parse_hook(struct net *net,
1772 const struct nlattr * const nla[],
1773 struct nft_chain_hook *hook, u8 family,
1774 bool autoload)
1775{
1776 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1777 const struct nft_chain_type *type;
1778 int err;
1779
1780 lockdep_assert_held(&net->nft.commit_mutex);
1781 lockdep_nfnl_nft_mutex_not_held();
1782
1783 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
1784 nla[NFTA_CHAIN_HOOK],
1785 nft_hook_policy, NULL);
1786 if (err < 0)
1787 return err;
1788
1789 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1790 ha[NFTA_HOOK_PRIORITY] == NULL)
1791 return -EINVAL;
1792
1793 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1794 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1795
1796 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
1797 if (!type)
1798 return -EOPNOTSUPP;
1799
1800 if (nla[NFTA_CHAIN_TYPE]) {
1801 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1802 family, autoload);
1803 if (IS_ERR(type))
1804 return PTR_ERR(type);
1805 }
1806 if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1807 return -EOPNOTSUPP;
1808
1809 if (type->type == NFT_CHAIN_T_NAT &&
1810 hook->priority <= NF_IP_PRI_CONNTRACK)
1811 return -EOPNOTSUPP;
1812
1813 if (!try_module_get(type->owner))
1814 return -ENOENT;
1815
1816 hook->type = type;
1817
1818 INIT_LIST_HEAD(&hook->list);
1819 if (family == NFPROTO_NETDEV) {
1820 err = nft_chain_parse_netdev(net, ha, &hook->list);
1821 if (err < 0) {
1822 module_put(type->owner);
1823 return err;
1824 }
1825 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
1826 module_put(type->owner);
1827 return -EOPNOTSUPP;
1828 }
1829
1830 return 0;
1831}
1832
1833static void nft_chain_release_hook(struct nft_chain_hook *hook)
1834{
1835 struct nft_hook *h, *next;
1836
1837 list_for_each_entry_safe(h, next, &hook->list, list) {
1838 list_del(&h->list);
1839 kfree(h);
1840 }
1841 module_put(hook->type->owner);
1842}
1843
1844struct nft_rules_old {
1845 struct rcu_head h;
1846 struct nft_rule **start;
1847};
1848
1849static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1850 unsigned int alloc)
1851{
1852 if (alloc > INT_MAX)
1853 return NULL;
1854
1855 alloc += 1;
1856 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1857 return NULL;
1858
1859 alloc *= sizeof(struct nft_rule *);
1860 alloc += sizeof(struct nft_rules_old);
1861
1862 return kvmalloc(alloc, GFP_KERNEL);
1863}
1864
1865static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
1866 const struct nft_chain_hook *hook,
1867 struct nft_chain *chain)
1868{
1869 ops->pf = family;
1870 ops->hooknum = hook->num;
1871 ops->priority = hook->priority;
1872 ops->priv = chain;
1873 ops->hook = hook->type->hooks[ops->hooknum];
1874}
1875
1876static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
1877 struct nft_chain_hook *hook, u32 flags)
1878{
1879 struct nft_chain *chain;
1880 struct nft_hook *h;
1881
1882 basechain->type = hook->type;
1883 INIT_LIST_HEAD(&basechain->hook_list);
1884 chain = &basechain->chain;
1885
1886 if (family == NFPROTO_NETDEV) {
1887 list_splice_init(&hook->list, &basechain->hook_list);
1888 list_for_each_entry(h, &basechain->hook_list, list)
1889 nft_basechain_hook_init(&h->ops, family, hook, chain);
1890
1891 basechain->ops.hooknum = hook->num;
1892 basechain->ops.priority = hook->priority;
1893 } else {
1894 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
1895 }
1896
1897 chain->flags |= NFT_BASE_CHAIN | flags;
1898 basechain->policy = NF_ACCEPT;
1899 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
1900 nft_chain_offload_priority(basechain) < 0)
1901 return -EOPNOTSUPP;
1902
1903 flow_block_init(&basechain->flow_block);
1904
1905 return 0;
1906}
1907
1908static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1909 u8 policy, u32 flags)
1910{
1911 const struct nlattr * const *nla = ctx->nla;
1912 struct nft_table *table = ctx->table;
1913 struct nft_base_chain *basechain;
1914 struct nft_stats __percpu *stats;
1915 struct net *net = ctx->net;
1916 struct nft_trans *trans;
1917 struct nft_chain *chain;
1918 struct nft_rule **rules;
1919 int err;
1920
1921 if (table->use == UINT_MAX)
1922 return -EOVERFLOW;
1923
1924 if (nla[NFTA_CHAIN_HOOK]) {
1925 struct nft_chain_hook hook;
1926
1927 err = nft_chain_parse_hook(net, nla, &hook, family, true);
1928 if (err < 0)
1929 return err;
1930
1931 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1932 if (basechain == NULL) {
1933 nft_chain_release_hook(&hook);
1934 return -ENOMEM;
1935 }
1936 chain = &basechain->chain;
1937
1938 if (nla[NFTA_CHAIN_COUNTERS]) {
1939 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1940 if (IS_ERR(stats)) {
1941 nft_chain_release_hook(&hook);
1942 kfree(basechain);
1943 return PTR_ERR(stats);
1944 }
1945 rcu_assign_pointer(basechain->stats, stats);
1946 static_branch_inc(&nft_counters_enabled);
1947 }
1948
1949 err = nft_basechain_init(basechain, family, &hook, flags);
1950 if (err < 0) {
1951 nft_chain_release_hook(&hook);
1952 kfree(basechain);
1953 return err;
1954 }
1955 } else {
1956 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1957 if (chain == NULL)
1958 return -ENOMEM;
1959 }
1960 ctx->chain = chain;
1961
1962 INIT_LIST_HEAD(&chain->rules);
1963 chain->handle = nf_tables_alloc_handle(table);
1964 chain->table = table;
1965 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1966 if (!chain->name) {
1967 err = -ENOMEM;
1968 goto err1;
1969 }
1970
1971 rules = nf_tables_chain_alloc_rules(chain, 0);
1972 if (!rules) {
1973 err = -ENOMEM;
1974 goto err1;
1975 }
1976
1977 *rules = NULL;
1978 rcu_assign_pointer(chain->rules_gen_0, rules);
1979 rcu_assign_pointer(chain->rules_gen_1, rules);
1980
1981 err = nf_tables_register_hook(net, table, chain);
1982 if (err < 0)
1983 goto err1;
1984
1985 err = rhltable_insert_key(&table->chains_ht, chain->name,
1986 &chain->rhlhead, nft_chain_ht_params);
1987 if (err)
1988 goto err2;
1989
1990 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1991 if (IS_ERR(trans)) {
1992 err = PTR_ERR(trans);
1993 rhltable_remove(&table->chains_ht, &chain->rhlhead,
1994 nft_chain_ht_params);
1995 goto err2;
1996 }
1997
1998 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
1999 if (nft_is_base_chain(chain))
2000 nft_trans_chain_policy(trans) = policy;
2001
2002 table->use++;
2003 list_add_tail_rcu(&chain->list, &table->chains);
2004
2005 return 0;
2006err2:
2007 nf_tables_unregister_hook(net, table, chain);
2008err1:
2009 nf_tables_chain_destroy(ctx);
2010
2011 return err;
2012}
2013
2014static bool nft_hook_list_equal(struct list_head *hook_list1,
2015 struct list_head *hook_list2)
2016{
2017 struct nft_hook *hook;
2018 int n = 0, m = 0;
2019
2020 n = 0;
2021 list_for_each_entry(hook, hook_list2, list) {
2022 if (!nft_hook_list_find(hook_list1, hook))
2023 return false;
2024
2025 n++;
2026 }
2027 list_for_each_entry(hook, hook_list1, list)
2028 m++;
2029
2030 return n == m;
2031}
2032
2033static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2034 u32 flags)
2035{
2036 const struct nlattr * const *nla = ctx->nla;
2037 struct nft_table *table = ctx->table;
2038 struct nft_chain *chain = ctx->chain;
2039 struct nft_base_chain *basechain;
2040 struct nft_stats *stats = NULL;
2041 struct nft_chain_hook hook;
2042 struct nf_hook_ops *ops;
2043 struct nft_trans *trans;
2044 int err;
2045
2046 if (chain->flags ^ flags)
2047 return -EOPNOTSUPP;
2048
2049 if (nla[NFTA_CHAIN_HOOK]) {
2050 if (!nft_is_base_chain(chain))
2051 return -EBUSY;
2052
2053 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
2054 false);
2055 if (err < 0)
2056 return err;
2057
2058 basechain = nft_base_chain(chain);
2059 if (basechain->type != hook.type) {
2060 nft_chain_release_hook(&hook);
2061 return -EBUSY;
2062 }
2063
2064 if (ctx->family == NFPROTO_NETDEV) {
2065 if (!nft_hook_list_equal(&basechain->hook_list,
2066 &hook.list)) {
2067 nft_chain_release_hook(&hook);
2068 return -EBUSY;
2069 }
2070 } else {
2071 ops = &basechain->ops;
2072 if (ops->hooknum != hook.num ||
2073 ops->priority != hook.priority) {
2074 nft_chain_release_hook(&hook);
2075 return -EBUSY;
2076 }
2077 }
2078 nft_chain_release_hook(&hook);
2079 }
2080
2081 if (nla[NFTA_CHAIN_HANDLE] &&
2082 nla[NFTA_CHAIN_NAME]) {
2083 struct nft_chain *chain2;
2084
2085 chain2 = nft_chain_lookup(ctx->net, table,
2086 nla[NFTA_CHAIN_NAME], genmask);
2087 if (!IS_ERR(chain2))
2088 return -EEXIST;
2089 }
2090
2091 if (nla[NFTA_CHAIN_COUNTERS]) {
2092 if (!nft_is_base_chain(chain))
2093 return -EOPNOTSUPP;
2094
2095 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2096 if (IS_ERR(stats))
2097 return PTR_ERR(stats);
2098 }
2099
2100 err = -ENOMEM;
2101 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2102 sizeof(struct nft_trans_chain));
2103 if (trans == NULL)
2104 goto err;
2105
2106 nft_trans_chain_stats(trans) = stats;
2107 nft_trans_chain_update(trans) = true;
2108
2109 if (nla[NFTA_CHAIN_POLICY])
2110 nft_trans_chain_policy(trans) = policy;
2111 else
2112 nft_trans_chain_policy(trans) = -1;
2113
2114 if (nla[NFTA_CHAIN_HANDLE] &&
2115 nla[NFTA_CHAIN_NAME]) {
2116 struct nft_trans *tmp;
2117 char *name;
2118
2119 err = -ENOMEM;
2120 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2121 if (!name)
2122 goto err;
2123
2124 err = -EEXIST;
2125 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
2126 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2127 tmp->ctx.table == table &&
2128 nft_trans_chain_update(tmp) &&
2129 nft_trans_chain_name(tmp) &&
2130 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2131 kfree(name);
2132 goto err;
2133 }
2134 }
2135
2136 nft_trans_chain_name(trans) = name;
2137 }
2138 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
2139
2140 return 0;
2141err:
2142 free_percpu(stats);
2143 kfree(trans);
2144 return err;
2145}
2146
2147static int nf_tables_newchain(struct net *net, struct sock *nlsk,
2148 struct sk_buff *skb, const struct nlmsghdr *nlh,
2149 const struct nlattr * const nla[],
2150 struct netlink_ext_ack *extack)
2151{
2152 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2153 u8 genmask = nft_genmask_next(net);
2154 int family = nfmsg->nfgen_family;
2155 const struct nlattr *attr;
2156 struct nft_table *table;
2157 struct nft_chain *chain;
2158 u8 policy = NF_ACCEPT;
2159 struct nft_ctx ctx;
2160 u64 handle = 0;
2161 u32 flags = 0;
2162
2163 lockdep_assert_held(&net->nft.commit_mutex);
2164
2165 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
2166 if (IS_ERR(table)) {
2167 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2168 return PTR_ERR(table);
2169 }
2170
2171 chain = NULL;
2172 attr = nla[NFTA_CHAIN_NAME];
2173
2174 if (nla[NFTA_CHAIN_HANDLE]) {
2175 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2176 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2177 if (IS_ERR(chain)) {
2178 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2179 return PTR_ERR(chain);
2180 }
2181 attr = nla[NFTA_CHAIN_HANDLE];
2182 } else {
2183 chain = nft_chain_lookup(net, table, attr, genmask);
2184 if (IS_ERR(chain)) {
2185 if (PTR_ERR(chain) != -ENOENT) {
2186 NL_SET_BAD_ATTR(extack, attr);
2187 return PTR_ERR(chain);
2188 }
2189 chain = NULL;
2190 }
2191 }
2192
2193 if (nla[NFTA_CHAIN_POLICY]) {
2194 if (chain != NULL &&
2195 !nft_is_base_chain(chain)) {
2196 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2197 return -EOPNOTSUPP;
2198 }
2199
2200 if (chain == NULL &&
2201 nla[NFTA_CHAIN_HOOK] == NULL) {
2202 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2203 return -EOPNOTSUPP;
2204 }
2205
2206 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2207 switch (policy) {
2208 case NF_DROP:
2209 case NF_ACCEPT:
2210 break;
2211 default:
2212 return -EINVAL;
2213 }
2214 }
2215
2216 if (nla[NFTA_CHAIN_FLAGS])
2217 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2218 else if (chain)
2219 flags = chain->flags;
2220
2221 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2222
2223 if (chain != NULL) {
2224 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2225 NL_SET_BAD_ATTR(extack, attr);
2226 return -EEXIST;
2227 }
2228 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2229 return -EOPNOTSUPP;
2230
2231 flags |= chain->flags & NFT_BASE_CHAIN;
2232 return nf_tables_updchain(&ctx, genmask, policy, flags);
2233 }
2234
2235 return nf_tables_addchain(&ctx, family, genmask, policy, flags);
2236}
2237
2238static int nf_tables_delchain(struct net *net, struct sock *nlsk,
2239 struct sk_buff *skb, const struct nlmsghdr *nlh,
2240 const struct nlattr * const nla[],
2241 struct netlink_ext_ack *extack)
2242{
2243 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2244 u8 genmask = nft_genmask_next(net);
2245 int family = nfmsg->nfgen_family;
2246 const struct nlattr *attr;
2247 struct nft_table *table;
2248 struct nft_chain *chain;
2249 struct nft_rule *rule;
2250 struct nft_ctx ctx;
2251 u64 handle;
2252 u32 use;
2253 int err;
2254
2255 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
2256 if (IS_ERR(table)) {
2257 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2258 return PTR_ERR(table);
2259 }
2260
2261 if (nla[NFTA_CHAIN_HANDLE]) {
2262 attr = nla[NFTA_CHAIN_HANDLE];
2263 handle = be64_to_cpu(nla_get_be64(attr));
2264 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2265 } else {
2266 attr = nla[NFTA_CHAIN_NAME];
2267 chain = nft_chain_lookup(net, table, attr, genmask);
2268 }
2269 if (IS_ERR(chain)) {
2270 NL_SET_BAD_ATTR(extack, attr);
2271 return PTR_ERR(chain);
2272 }
2273
2274 if (nlh->nlmsg_flags & NLM_F_NONREC &&
2275 chain->use > 0)
2276 return -EBUSY;
2277
2278 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2279
2280 use = chain->use;
2281 list_for_each_entry(rule, &chain->rules, list) {
2282 if (!nft_is_active_next(net, rule))
2283 continue;
2284 use--;
2285
2286 err = nft_delrule(&ctx, rule);
2287 if (err < 0)
2288 return err;
2289 }
2290
2291
2292
2293
2294 if (use > 0) {
2295 NL_SET_BAD_ATTR(extack, attr);
2296 return -EBUSY;
2297 }
2298
2299 return nft_delchain(&ctx);
2300}
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313int nft_register_expr(struct nft_expr_type *type)
2314{
2315 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2316 if (type->family == NFPROTO_UNSPEC)
2317 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2318 else
2319 list_add_rcu(&type->list, &nf_tables_expressions);
2320 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2321 return 0;
2322}
2323EXPORT_SYMBOL_GPL(nft_register_expr);
2324
2325
2326
2327
2328
2329
2330
2331void nft_unregister_expr(struct nft_expr_type *type)
2332{
2333 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2334 list_del_rcu(&type->list);
2335 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2336}
2337EXPORT_SYMBOL_GPL(nft_unregister_expr);
2338
2339static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2340 struct nlattr *nla)
2341{
2342 const struct nft_expr_type *type, *candidate = NULL;
2343
2344 list_for_each_entry(type, &nf_tables_expressions, list) {
2345 if (!nla_strcmp(nla, type->name)) {
2346 if (!type->family && !candidate)
2347 candidate = type;
2348 else if (type->family == family)
2349 candidate = type;
2350 }
2351 }
2352 return candidate;
2353}
2354
2355#ifdef CONFIG_MODULES
2356static int nft_expr_type_request_module(struct net *net, u8 family,
2357 struct nlattr *nla)
2358{
2359 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
2360 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
2361 return -EAGAIN;
2362
2363 return 0;
2364}
2365#endif
2366
2367static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2368 u8 family,
2369 struct nlattr *nla)
2370{
2371 const struct nft_expr_type *type;
2372
2373 if (nla == NULL)
2374 return ERR_PTR(-EINVAL);
2375
2376 type = __nft_expr_type_get(family, nla);
2377 if (type != NULL && try_module_get(type->owner))
2378 return type;
2379
2380 lockdep_nfnl_nft_mutex_not_held();
2381#ifdef CONFIG_MODULES
2382 if (type == NULL) {
2383 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2384 return ERR_PTR(-EAGAIN);
2385
2386 if (nft_request_module(net, "nft-expr-%.*s",
2387 nla_len(nla),
2388 (char *)nla_data(nla)) == -EAGAIN)
2389 return ERR_PTR(-EAGAIN);
2390 }
2391#endif
2392 return ERR_PTR(-ENOENT);
2393}
2394
2395static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2396 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
2397 .len = NFT_MODULE_AUTOLOAD_LIMIT },
2398 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2399};
2400
2401static int nf_tables_fill_expr_info(struct sk_buff *skb,
2402 const struct nft_expr *expr)
2403{
2404 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2405 goto nla_put_failure;
2406
2407 if (expr->ops->dump) {
2408 struct nlattr *data = nla_nest_start_noflag(skb,
2409 NFTA_EXPR_DATA);
2410 if (data == NULL)
2411 goto nla_put_failure;
2412 if (expr->ops->dump(skb, expr) < 0)
2413 goto nla_put_failure;
2414 nla_nest_end(skb, data);
2415 }
2416
2417 return skb->len;
2418
2419nla_put_failure:
2420 return -1;
2421};
2422
2423int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2424 const struct nft_expr *expr)
2425{
2426 struct nlattr *nest;
2427
2428 nest = nla_nest_start_noflag(skb, attr);
2429 if (!nest)
2430 goto nla_put_failure;
2431 if (nf_tables_fill_expr_info(skb, expr) < 0)
2432 goto nla_put_failure;
2433 nla_nest_end(skb, nest);
2434 return 0;
2435
2436nla_put_failure:
2437 return -1;
2438}
2439
2440struct nft_expr_info {
2441 const struct nft_expr_ops *ops;
2442 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2443};
2444
2445static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2446 const struct nlattr *nla,
2447 struct nft_expr_info *info)
2448{
2449 const struct nft_expr_type *type;
2450 const struct nft_expr_ops *ops;
2451 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2452 int err;
2453
2454 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2455 nft_expr_policy, NULL);
2456 if (err < 0)
2457 return err;
2458
2459 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2460 if (IS_ERR(type))
2461 return PTR_ERR(type);
2462
2463 if (tb[NFTA_EXPR_DATA]) {
2464 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2465 tb[NFTA_EXPR_DATA],
2466 type->policy, NULL);
2467 if (err < 0)
2468 goto err1;
2469 } else
2470 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2471
2472 if (type->select_ops != NULL) {
2473 ops = type->select_ops(ctx,
2474 (const struct nlattr * const *)info->tb);
2475 if (IS_ERR(ops)) {
2476 err = PTR_ERR(ops);
2477#ifdef CONFIG_MODULES
2478 if (err == -EAGAIN)
2479 if (nft_expr_type_request_module(ctx->net,
2480 ctx->family,
2481 tb[NFTA_EXPR_NAME]) != -EAGAIN)
2482 err = -ENOENT;
2483#endif
2484 goto err1;
2485 }
2486 } else
2487 ops = type->ops;
2488
2489 info->ops = ops;
2490 return 0;
2491
2492err1:
2493 module_put(type->owner);
2494 return err;
2495}
2496
2497static int nf_tables_newexpr(const struct nft_ctx *ctx,
2498 const struct nft_expr_info *info,
2499 struct nft_expr *expr)
2500{
2501 const struct nft_expr_ops *ops = info->ops;
2502 int err;
2503
2504 expr->ops = ops;
2505 if (ops->init) {
2506 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2507 if (err < 0)
2508 goto err1;
2509 }
2510
2511 return 0;
2512err1:
2513 expr->ops = NULL;
2514 return err;
2515}
2516
2517static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2518 struct nft_expr *expr)
2519{
2520 const struct nft_expr_type *type = expr->ops->type;
2521
2522 if (expr->ops->destroy)
2523 expr->ops->destroy(ctx, expr);
2524 module_put(type->owner);
2525}
2526
2527static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2528 const struct nlattr *nla)
2529{
2530 struct nft_expr_info info;
2531 struct nft_expr *expr;
2532 struct module *owner;
2533 int err;
2534
2535 err = nf_tables_expr_parse(ctx, nla, &info);
2536 if (err < 0)
2537 goto err1;
2538
2539 err = -ENOMEM;
2540 expr = kzalloc(info.ops->size, GFP_KERNEL);
2541 if (expr == NULL)
2542 goto err2;
2543
2544 err = nf_tables_newexpr(ctx, &info, expr);
2545 if (err < 0)
2546 goto err3;
2547
2548 return expr;
2549err3:
2550 kfree(expr);
2551err2:
2552 owner = info.ops->type->owner;
2553 if (info.ops->type->release_ops)
2554 info.ops->type->release_ops(info.ops);
2555
2556 module_put(owner);
2557err1:
2558 return ERR_PTR(err);
2559}
2560
2561int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
2562{
2563 int err;
2564
2565 if (src->ops->clone) {
2566 dst->ops = src->ops;
2567 err = src->ops->clone(dst, src);
2568 if (err < 0)
2569 return err;
2570 } else {
2571 memcpy(dst, src, src->ops->size);
2572 }
2573
2574 __module_get(src->ops->type->owner);
2575
2576 return 0;
2577}
2578
2579void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2580{
2581 nf_tables_expr_destroy(ctx, expr);
2582 kfree(expr);
2583}
2584
2585
2586
2587
2588
2589static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2590 u64 handle)
2591{
2592 struct nft_rule *rule;
2593
2594
2595 list_for_each_entry_rcu(rule, &chain->rules, list) {
2596 if (handle == rule->handle)
2597 return rule;
2598 }
2599
2600 return ERR_PTR(-ENOENT);
2601}
2602
2603static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2604 const struct nlattr *nla)
2605{
2606 if (nla == NULL)
2607 return ERR_PTR(-EINVAL);
2608
2609 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2610}
2611
2612static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2613 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2614 .len = NFT_TABLE_MAXNAMELEN - 1 },
2615 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2616 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2617 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2618 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2619 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2620 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2621 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2622 .len = NFT_USERDATA_MAXLEN },
2623 [NFTA_RULE_ID] = { .type = NLA_U32 },
2624 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2625};
2626
2627static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2628 u32 portid, u32 seq, int event,
2629 u32 flags, int family,
2630 const struct nft_table *table,
2631 const struct nft_chain *chain,
2632 const struct nft_rule *rule,
2633 const struct nft_rule *prule)
2634{
2635 struct nlmsghdr *nlh;
2636 struct nfgenmsg *nfmsg;
2637 const struct nft_expr *expr, *next;
2638 struct nlattr *list;
2639 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2640
2641 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2642 if (nlh == NULL)
2643 goto nla_put_failure;
2644
2645 nfmsg = nlmsg_data(nlh);
2646 nfmsg->nfgen_family = family;
2647 nfmsg->version = NFNETLINK_V0;
2648 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2649
2650 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2651 goto nla_put_failure;
2652 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2653 goto nla_put_failure;
2654 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2655 NFTA_RULE_PAD))
2656 goto nla_put_failure;
2657
2658 if (event != NFT_MSG_DELRULE && prule) {
2659 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2660 cpu_to_be64(prule->handle),
2661 NFTA_RULE_PAD))
2662 goto nla_put_failure;
2663 }
2664
2665 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
2666 if (list == NULL)
2667 goto nla_put_failure;
2668 nft_rule_for_each_expr(expr, next, rule) {
2669 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2670 goto nla_put_failure;
2671 }
2672 nla_nest_end(skb, list);
2673
2674 if (rule->udata) {
2675 struct nft_userdata *udata = nft_userdata(rule);
2676 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2677 udata->data) < 0)
2678 goto nla_put_failure;
2679 }
2680
2681 nlmsg_end(skb, nlh);
2682 return 0;
2683
2684nla_put_failure:
2685 nlmsg_trim(skb, nlh);
2686 return -1;
2687}
2688
2689static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2690 const struct nft_rule *rule, int event)
2691{
2692 struct sk_buff *skb;
2693 int err;
2694
2695 if (!ctx->report &&
2696 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2697 return;
2698
2699 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2700 if (skb == NULL)
2701 goto err;
2702
2703 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2704 event, 0, ctx->family, ctx->table,
2705 ctx->chain, rule, NULL);
2706 if (err < 0) {
2707 kfree_skb(skb);
2708 goto err;
2709 }
2710
2711 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2712 ctx->report, GFP_KERNEL);
2713 return;
2714err:
2715 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2716}
2717
2718struct nft_rule_dump_ctx {
2719 char *table;
2720 char *chain;
2721};
2722
2723static int __nf_tables_dump_rules(struct sk_buff *skb,
2724 unsigned int *idx,
2725 struct netlink_callback *cb,
2726 const struct nft_table *table,
2727 const struct nft_chain *chain)
2728{
2729 struct net *net = sock_net(skb->sk);
2730 const struct nft_rule *rule, *prule;
2731 unsigned int s_idx = cb->args[0];
2732
2733 prule = NULL;
2734 list_for_each_entry_rcu(rule, &chain->rules, list) {
2735 if (!nft_is_active(net, rule))
2736 goto cont_skip;
2737 if (*idx < s_idx)
2738 goto cont;
2739 if (*idx > s_idx) {
2740 memset(&cb->args[1], 0,
2741 sizeof(cb->args) - sizeof(cb->args[0]));
2742 }
2743 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2744 cb->nlh->nlmsg_seq,
2745 NFT_MSG_NEWRULE,
2746 NLM_F_MULTI | NLM_F_APPEND,
2747 table->family,
2748 table, chain, rule, prule) < 0)
2749 return 1;
2750
2751 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2752cont:
2753 prule = rule;
2754cont_skip:
2755 (*idx)++;
2756 }
2757 return 0;
2758}
2759
2760static int nf_tables_dump_rules(struct sk_buff *skb,
2761 struct netlink_callback *cb)
2762{
2763 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2764 const struct nft_rule_dump_ctx *ctx = cb->data;
2765 struct nft_table *table;
2766 const struct nft_chain *chain;
2767 unsigned int idx = 0;
2768 struct net *net = sock_net(skb->sk);
2769 int family = nfmsg->nfgen_family;
2770
2771 rcu_read_lock();
2772 cb->seq = net->nft.base_seq;
2773
2774 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2775 if (family != NFPROTO_UNSPEC && family != table->family)
2776 continue;
2777
2778 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2779 continue;
2780
2781 if (ctx && ctx->table && ctx->chain) {
2782 struct rhlist_head *list, *tmp;
2783
2784 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2785 nft_chain_ht_params);
2786 if (!list)
2787 goto done;
2788
2789 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2790 if (!nft_is_active(net, chain))
2791 continue;
2792 __nf_tables_dump_rules(skb, &idx,
2793 cb, table, chain);
2794 break;
2795 }
2796 goto done;
2797 }
2798
2799 list_for_each_entry_rcu(chain, &table->chains, list) {
2800 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2801 goto done;
2802 }
2803
2804 if (ctx && ctx->table)
2805 break;
2806 }
2807done:
2808 rcu_read_unlock();
2809
2810 cb->args[0] = idx;
2811 return skb->len;
2812}
2813
2814static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2815{
2816 const struct nlattr * const *nla = cb->data;
2817 struct nft_rule_dump_ctx *ctx = NULL;
2818
2819 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2820 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2821 if (!ctx)
2822 return -ENOMEM;
2823
2824 if (nla[NFTA_RULE_TABLE]) {
2825 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2826 GFP_ATOMIC);
2827 if (!ctx->table) {
2828 kfree(ctx);
2829 return -ENOMEM;
2830 }
2831 }
2832 if (nla[NFTA_RULE_CHAIN]) {
2833 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2834 GFP_ATOMIC);
2835 if (!ctx->chain) {
2836 kfree(ctx->table);
2837 kfree(ctx);
2838 return -ENOMEM;
2839 }
2840 }
2841 }
2842
2843 cb->data = ctx;
2844 return 0;
2845}
2846
2847static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2848{
2849 struct nft_rule_dump_ctx *ctx = cb->data;
2850
2851 if (ctx) {
2852 kfree(ctx->table);
2853 kfree(ctx->chain);
2854 kfree(ctx);
2855 }
2856 return 0;
2857}
2858
2859
2860static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2861 struct sk_buff *skb, const struct nlmsghdr *nlh,
2862 const struct nlattr * const nla[],
2863 struct netlink_ext_ack *extack)
2864{
2865 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2866 u8 genmask = nft_genmask_cur(net);
2867 const struct nft_chain *chain;
2868 const struct nft_rule *rule;
2869 struct nft_table *table;
2870 struct sk_buff *skb2;
2871 int family = nfmsg->nfgen_family;
2872 int err;
2873
2874 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2875 struct netlink_dump_control c = {
2876 .start= nf_tables_dump_rules_start,
2877 .dump = nf_tables_dump_rules,
2878 .done = nf_tables_dump_rules_done,
2879 .module = THIS_MODULE,
2880 .data = (void *)nla,
2881 };
2882
2883 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
2884 }
2885
2886 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2887 if (IS_ERR(table)) {
2888 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2889 return PTR_ERR(table);
2890 }
2891
2892 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2893 if (IS_ERR(chain)) {
2894 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2895 return PTR_ERR(chain);
2896 }
2897
2898 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2899 if (IS_ERR(rule)) {
2900 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2901 return PTR_ERR(rule);
2902 }
2903
2904 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2905 if (!skb2)
2906 return -ENOMEM;
2907
2908 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2909 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2910 family, table, chain, rule, NULL);
2911 if (err < 0)
2912 goto err;
2913
2914 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2915
2916err:
2917 kfree_skb(skb2);
2918 return err;
2919}
2920
2921static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2922 struct nft_rule *rule)
2923{
2924 struct nft_expr *expr, *next;
2925
2926
2927
2928
2929
2930 expr = nft_expr_first(rule);
2931 while (expr != nft_expr_last(rule) && expr->ops) {
2932 next = nft_expr_next(expr);
2933 nf_tables_expr_destroy(ctx, expr);
2934 expr = next;
2935 }
2936 kfree(rule);
2937}
2938
2939static void nf_tables_rule_release(const struct nft_ctx *ctx,
2940 struct nft_rule *rule)
2941{
2942 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
2943 nf_tables_rule_destroy(ctx, rule);
2944}
2945
2946int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
2947{
2948 struct nft_expr *expr, *last;
2949 const struct nft_data *data;
2950 struct nft_rule *rule;
2951 int err;
2952
2953 if (ctx->level == NFT_JUMP_STACK_SIZE)
2954 return -EMLINK;
2955
2956 list_for_each_entry(rule, &chain->rules, list) {
2957 if (!nft_is_active_next(ctx->net, rule))
2958 continue;
2959
2960 nft_rule_for_each_expr(expr, last, rule) {
2961 if (!expr->ops->validate)
2962 continue;
2963
2964 err = expr->ops->validate(ctx, expr, &data);
2965 if (err < 0)
2966 return err;
2967 }
2968 }
2969
2970 return 0;
2971}
2972EXPORT_SYMBOL_GPL(nft_chain_validate);
2973
2974static int nft_table_validate(struct net *net, const struct nft_table *table)
2975{
2976 struct nft_chain *chain;
2977 struct nft_ctx ctx = {
2978 .net = net,
2979 .family = table->family,
2980 };
2981 int err;
2982
2983 list_for_each_entry(chain, &table->chains, list) {
2984 if (!nft_is_base_chain(chain))
2985 continue;
2986
2987 ctx.chain = chain;
2988 err = nft_chain_validate(&ctx, chain);
2989 if (err < 0)
2990 return err;
2991 }
2992
2993 return 0;
2994}
2995
2996static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2997 const struct nlattr *nla);
2998
2999#define NFT_RULE_MAXEXPRS 128
3000
3001static int nf_tables_newrule(struct net *net, struct sock *nlsk,
3002 struct sk_buff *skb, const struct nlmsghdr *nlh,
3003 const struct nlattr * const nla[],
3004 struct netlink_ext_ack *extack)
3005{
3006 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3007 u8 genmask = nft_genmask_next(net);
3008 struct nft_expr_info *info = NULL;
3009 int family = nfmsg->nfgen_family;
3010 struct nft_flow_rule *flow;
3011 struct nft_table *table;
3012 struct nft_chain *chain;
3013 struct nft_rule *rule, *old_rule = NULL;
3014 struct nft_userdata *udata;
3015 struct nft_trans *trans = NULL;
3016 struct nft_expr *expr;
3017 struct nft_ctx ctx;
3018 struct nlattr *tmp;
3019 unsigned int size, i, n, ulen = 0, usize = 0;
3020 int err, rem;
3021 u64 handle, pos_handle;
3022
3023 lockdep_assert_held(&net->nft.commit_mutex);
3024
3025 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
3026 if (IS_ERR(table)) {
3027 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3028 return PTR_ERR(table);
3029 }
3030
3031 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3032 if (IS_ERR(chain)) {
3033 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3034 return PTR_ERR(chain);
3035 }
3036
3037 if (nla[NFTA_RULE_HANDLE]) {
3038 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3039 rule = __nft_rule_lookup(chain, handle);
3040 if (IS_ERR(rule)) {
3041 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3042 return PTR_ERR(rule);
3043 }
3044
3045 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3046 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3047 return -EEXIST;
3048 }
3049 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3050 old_rule = rule;
3051 else
3052 return -EOPNOTSUPP;
3053 } else {
3054 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
3055 nlh->nlmsg_flags & NLM_F_REPLACE)
3056 return -EINVAL;
3057 handle = nf_tables_alloc_handle(table);
3058
3059 if (chain->use == UINT_MAX)
3060 return -EOVERFLOW;
3061
3062 if (nla[NFTA_RULE_POSITION]) {
3063 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3064 old_rule = __nft_rule_lookup(chain, pos_handle);
3065 if (IS_ERR(old_rule)) {
3066 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3067 return PTR_ERR(old_rule);
3068 }
3069 } else if (nla[NFTA_RULE_POSITION_ID]) {
3070 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
3071 if (IS_ERR(old_rule)) {
3072 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3073 return PTR_ERR(old_rule);
3074 }
3075 }
3076 }
3077
3078 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3079
3080 n = 0;
3081 size = 0;
3082 if (nla[NFTA_RULE_EXPRESSIONS]) {
3083 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3084 sizeof(struct nft_expr_info),
3085 GFP_KERNEL);
3086 if (!info)
3087 return -ENOMEM;
3088
3089 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3090 err = -EINVAL;
3091 if (nla_type(tmp) != NFTA_LIST_ELEM)
3092 goto err1;
3093 if (n == NFT_RULE_MAXEXPRS)
3094 goto err1;
3095 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
3096 if (err < 0)
3097 goto err1;
3098 size += info[n].ops->size;
3099 n++;
3100 }
3101 }
3102
3103 err = -EFBIG;
3104 if (size >= 1 << 12)
3105 goto err1;
3106
3107 if (nla[NFTA_RULE_USERDATA]) {
3108 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3109 if (ulen > 0)
3110 usize = sizeof(struct nft_userdata) + ulen;
3111 }
3112
3113 err = -ENOMEM;
3114 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
3115 if (rule == NULL)
3116 goto err1;
3117
3118 nft_activate_next(net, rule);
3119
3120 rule->handle = handle;
3121 rule->dlen = size;
3122 rule->udata = ulen ? 1 : 0;
3123
3124 if (ulen) {
3125 udata = nft_userdata(rule);
3126 udata->len = ulen - 1;
3127 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
3128 }
3129
3130 expr = nft_expr_first(rule);
3131 for (i = 0; i < n; i++) {
3132 err = nf_tables_newexpr(&ctx, &info[i], expr);
3133 if (err < 0)
3134 goto err2;
3135
3136 if (info[i].ops->validate)
3137 nft_validate_state_update(net, NFT_VALIDATE_NEED);
3138
3139 info[i].ops = NULL;
3140 expr = nft_expr_next(expr);
3141 }
3142
3143 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
3144 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3145 if (trans == NULL) {
3146 err = -ENOMEM;
3147 goto err2;
3148 }
3149 err = nft_delrule(&ctx, old_rule);
3150 if (err < 0) {
3151 nft_trans_destroy(trans);
3152 goto err2;
3153 }
3154
3155 list_add_tail_rcu(&rule->list, &old_rule->list);
3156 } else {
3157 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3158 if (!trans) {
3159 err = -ENOMEM;
3160 goto err2;
3161 }
3162
3163 if (nlh->nlmsg_flags & NLM_F_APPEND) {
3164 if (old_rule)
3165 list_add_rcu(&rule->list, &old_rule->list);
3166 else
3167 list_add_tail_rcu(&rule->list, &chain->rules);
3168 } else {
3169 if (old_rule)
3170 list_add_tail_rcu(&rule->list, &old_rule->list);
3171 else
3172 list_add_rcu(&rule->list, &chain->rules);
3173 }
3174 }
3175 kvfree(info);
3176 chain->use++;
3177
3178 if (net->nft.validate_state == NFT_VALIDATE_DO)
3179 return nft_table_validate(net, table);
3180
3181 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
3182 flow = nft_flow_rule_create(net, rule);
3183 if (IS_ERR(flow))
3184 return PTR_ERR(flow);
3185
3186 nft_trans_flow_rule(trans) = flow;
3187 }
3188
3189 return 0;
3190err2:
3191 nf_tables_rule_release(&ctx, rule);
3192err1:
3193 for (i = 0; i < n; i++) {
3194 if (info[i].ops) {
3195 module_put(info[i].ops->type->owner);
3196 if (info[i].ops->type->release_ops)
3197 info[i].ops->type->release_ops(info[i].ops);
3198 }
3199 }
3200 kvfree(info);
3201 return err;
3202}
3203
3204static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3205 const struct nlattr *nla)
3206{
3207 u32 id = ntohl(nla_get_be32(nla));
3208 struct nft_trans *trans;
3209
3210 list_for_each_entry(trans, &net->nft.commit_list, list) {
3211 struct nft_rule *rule = nft_trans_rule(trans);
3212
3213 if (trans->msg_type == NFT_MSG_NEWRULE &&
3214 id == nft_trans_rule_id(trans))
3215 return rule;
3216 }
3217 return ERR_PTR(-ENOENT);
3218}
3219
3220static int nf_tables_delrule(struct net *net, struct sock *nlsk,
3221 struct sk_buff *skb, const struct nlmsghdr *nlh,
3222 const struct nlattr * const nla[],
3223 struct netlink_ext_ack *extack)
3224{
3225 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3226 u8 genmask = nft_genmask_next(net);
3227 struct nft_table *table;
3228 struct nft_chain *chain = NULL;
3229 struct nft_rule *rule;
3230 int family = nfmsg->nfgen_family, err = 0;
3231 struct nft_ctx ctx;
3232
3233 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
3234 if (IS_ERR(table)) {
3235 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3236 return PTR_ERR(table);
3237 }
3238
3239 if (nla[NFTA_RULE_CHAIN]) {
3240 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3241 genmask);
3242 if (IS_ERR(chain)) {
3243 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3244 return PTR_ERR(chain);
3245 }
3246 }
3247
3248 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3249
3250 if (chain) {
3251 if (nla[NFTA_RULE_HANDLE]) {
3252 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3253 if (IS_ERR(rule)) {
3254 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3255 return PTR_ERR(rule);
3256 }
3257
3258 err = nft_delrule(&ctx, rule);
3259 } else if (nla[NFTA_RULE_ID]) {
3260 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
3261 if (IS_ERR(rule)) {
3262 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
3263 return PTR_ERR(rule);
3264 }
3265
3266 err = nft_delrule(&ctx, rule);
3267 } else {
3268 err = nft_delrule_by_chain(&ctx);
3269 }
3270 } else {
3271 list_for_each_entry(chain, &table->chains, list) {
3272 if (!nft_is_active_next(net, chain))
3273 continue;
3274
3275 ctx.chain = chain;
3276 err = nft_delrule_by_chain(&ctx);
3277 if (err < 0)
3278 break;
3279 }
3280 }
3281
3282 return err;
3283}
3284
3285
3286
3287
3288static const struct nft_set_type *nft_set_types[] = {
3289 &nft_set_hash_fast_type,
3290 &nft_set_hash_type,
3291 &nft_set_rhash_type,
3292 &nft_set_bitmap_type,
3293 &nft_set_rbtree_type,
3294#if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
3295 &nft_set_pipapo_avx2_type,
3296#endif
3297 &nft_set_pipapo_type,
3298};
3299
3300#define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3301 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3302 NFT_SET_EVAL)
3303
3304static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
3305{
3306 return (flags & type->features) == (flags & NFT_SET_FEATURES);
3307}
3308
3309
3310
3311
3312
3313
3314static const struct nft_set_ops *
3315nft_select_set_ops(const struct nft_ctx *ctx,
3316 const struct nlattr * const nla[],
3317 const struct nft_set_desc *desc,
3318 enum nft_set_policies policy)
3319{
3320 const struct nft_set_ops *ops, *bops;
3321 struct nft_set_estimate est, best;
3322 const struct nft_set_type *type;
3323 u32 flags = 0;
3324 int i;
3325
3326 lockdep_assert_held(&ctx->net->nft.commit_mutex);
3327 lockdep_nfnl_nft_mutex_not_held();
3328
3329 if (nla[NFTA_SET_FLAGS] != NULL)
3330 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3331
3332 bops = NULL;
3333 best.size = ~0;
3334 best.lookup = ~0;
3335 best.space = ~0;
3336
3337 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
3338 type = nft_set_types[i];
3339 ops = &type->ops;
3340
3341 if (!nft_set_ops_candidate(type, flags))
3342 continue;
3343 if (!ops->estimate(desc, flags, &est))
3344 continue;
3345
3346 switch (policy) {
3347 case NFT_SET_POL_PERFORMANCE:
3348 if (est.lookup < best.lookup)
3349 break;
3350 if (est.lookup == best.lookup &&
3351 est.space < best.space)
3352 break;
3353 continue;
3354 case NFT_SET_POL_MEMORY:
3355 if (!desc->size) {
3356 if (est.space < best.space)
3357 break;
3358 if (est.space == best.space &&
3359 est.lookup < best.lookup)
3360 break;
3361 } else if (est.size < best.size || !bops) {
3362 break;
3363 }
3364 continue;
3365 default:
3366 break;
3367 }
3368
3369 bops = ops;
3370 best = est;
3371 }
3372
3373 if (bops != NULL)
3374 return bops;
3375
3376 return ERR_PTR(-EOPNOTSUPP);
3377}
3378
3379static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3380 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3381 .len = NFT_TABLE_MAXNAMELEN - 1 },
3382 [NFTA_SET_NAME] = { .type = NLA_STRING,
3383 .len = NFT_SET_MAXNAMELEN - 1 },
3384 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3385 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3386 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3387 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3388 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3389 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3390 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3391 [NFTA_SET_ID] = { .type = NLA_U32 },
3392 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3393 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3394 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3395 .len = NFT_USERDATA_MAXLEN },
3396 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3397 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3398 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
3399};
3400
3401static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3402 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3403 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED },
3404};
3405
3406static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3407 const struct sk_buff *skb,
3408 const struct nlmsghdr *nlh,
3409 const struct nlattr * const nla[],
3410 struct netlink_ext_ack *extack,
3411 u8 genmask)
3412{
3413 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3414 int family = nfmsg->nfgen_family;
3415 struct nft_table *table = NULL;
3416
3417 if (nla[NFTA_SET_TABLE] != NULL) {
3418 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3419 genmask);
3420 if (IS_ERR(table)) {
3421 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3422 return PTR_ERR(table);
3423 }
3424 }
3425
3426 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3427 return 0;
3428}
3429
3430static struct nft_set *nft_set_lookup(const struct nft_table *table,
3431 const struct nlattr *nla, u8 genmask)
3432{
3433 struct nft_set *set;
3434
3435 if (nla == NULL)
3436 return ERR_PTR(-EINVAL);
3437
3438 list_for_each_entry_rcu(set, &table->sets, list) {
3439 if (!nla_strcmp(nla, set->name) &&
3440 nft_active_genmask(set, genmask))
3441 return set;
3442 }
3443 return ERR_PTR(-ENOENT);
3444}
3445
3446static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3447 const struct nlattr *nla,
3448 u8 genmask)
3449{
3450 struct nft_set *set;
3451
3452 list_for_each_entry(set, &table->sets, list) {
3453 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3454 nft_active_genmask(set, genmask))
3455 return set;
3456 }
3457 return ERR_PTR(-ENOENT);
3458}
3459
3460static struct nft_set *nft_set_lookup_byid(const struct net *net,
3461 const struct nlattr *nla, u8 genmask)
3462{
3463 struct nft_trans *trans;
3464 u32 id = ntohl(nla_get_be32(nla));
3465
3466 list_for_each_entry(trans, &net->nft.commit_list, list) {
3467 if (trans->msg_type == NFT_MSG_NEWSET) {
3468 struct nft_set *set = nft_trans_set(trans);
3469
3470 if (id == nft_trans_set_id(trans) &&
3471 nft_active_genmask(set, genmask))
3472 return set;
3473 }
3474 }
3475 return ERR_PTR(-ENOENT);
3476}
3477
3478struct nft_set *nft_set_lookup_global(const struct net *net,
3479 const struct nft_table *table,
3480 const struct nlattr *nla_set_name,
3481 const struct nlattr *nla_set_id,
3482 u8 genmask)
3483{
3484 struct nft_set *set;
3485
3486 set = nft_set_lookup(table, nla_set_name, genmask);
3487 if (IS_ERR(set)) {
3488 if (!nla_set_id)
3489 return set;
3490
3491 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3492 }
3493 return set;
3494}
3495EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3496
3497static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3498 const char *name)
3499{
3500 const struct nft_set *i;
3501 const char *p;
3502 unsigned long *inuse;
3503 unsigned int n = 0, min = 0;
3504
3505 p = strchr(name, '%');
3506 if (p != NULL) {
3507 if (p[1] != 'd' || strchr(p + 2, '%'))
3508 return -EINVAL;
3509
3510 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3511 if (inuse == NULL)
3512 return -ENOMEM;
3513cont:
3514 list_for_each_entry(i, &ctx->table->sets, list) {
3515 int tmp;
3516
3517 if (!nft_is_active_next(ctx->net, set))
3518 continue;
3519 if (!sscanf(i->name, name, &tmp))
3520 continue;
3521 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3522 continue;
3523
3524 set_bit(tmp - min, inuse);
3525 }
3526
3527 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3528 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3529 min += BITS_PER_BYTE * PAGE_SIZE;
3530 memset(inuse, 0, PAGE_SIZE);
3531 goto cont;
3532 }
3533 free_page((unsigned long)inuse);
3534 }
3535
3536 set->name = kasprintf(GFP_KERNEL, name, min + n);
3537 if (!set->name)
3538 return -ENOMEM;
3539
3540 list_for_each_entry(i, &ctx->table->sets, list) {
3541 if (!nft_is_active_next(ctx->net, i))
3542 continue;
3543 if (!strcmp(set->name, i->name)) {
3544 kfree(set->name);
3545 set->name = NULL;
3546 return -ENFILE;
3547 }
3548 }
3549 return 0;
3550}
3551
3552static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3553{
3554 u64 ms = be64_to_cpu(nla_get_be64(nla));
3555 u64 max = (u64)(~((u64)0));
3556
3557 max = div_u64(max, NSEC_PER_MSEC);
3558 if (ms >= max)
3559 return -ERANGE;
3560
3561 ms *= NSEC_PER_MSEC;
3562 *result = nsecs_to_jiffies64(ms);
3563 return 0;
3564}
3565
3566static __be64 nf_jiffies64_to_msecs(u64 input)
3567{
3568 return cpu_to_be64(jiffies64_to_msecs(input));
3569}
3570
3571static int nf_tables_fill_set_concat(struct sk_buff *skb,
3572 const struct nft_set *set)
3573{
3574 struct nlattr *concat, *field;
3575 int i;
3576
3577 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
3578 if (!concat)
3579 return -ENOMEM;
3580
3581 for (i = 0; i < set->field_count; i++) {
3582 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
3583 if (!field)
3584 return -ENOMEM;
3585
3586 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
3587 htonl(set->field_len[i])))
3588 return -ENOMEM;
3589
3590 nla_nest_end(skb, field);
3591 }
3592
3593 nla_nest_end(skb, concat);
3594
3595 return 0;
3596}
3597
3598static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3599 const struct nft_set *set, u16 event, u16 flags)
3600{
3601 struct nfgenmsg *nfmsg;
3602 struct nlmsghdr *nlh;
3603 u32 portid = ctx->portid;
3604 struct nlattr *nest;
3605 u32 seq = ctx->seq;
3606
3607 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3608 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3609 flags);
3610 if (nlh == NULL)
3611 goto nla_put_failure;
3612
3613 nfmsg = nlmsg_data(nlh);
3614 nfmsg->nfgen_family = ctx->family;
3615 nfmsg->version = NFNETLINK_V0;
3616 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3617
3618 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3619 goto nla_put_failure;
3620 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3621 goto nla_put_failure;
3622 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3623 NFTA_SET_PAD))
3624 goto nla_put_failure;
3625 if (set->flags != 0)
3626 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3627 goto nla_put_failure;
3628
3629 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3630 goto nla_put_failure;
3631 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3632 goto nla_put_failure;
3633 if (set->flags & NFT_SET_MAP) {
3634 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3635 goto nla_put_failure;
3636 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3637 goto nla_put_failure;
3638 }
3639 if (set->flags & NFT_SET_OBJECT &&
3640 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3641 goto nla_put_failure;
3642
3643 if (set->timeout &&
3644 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3645 nf_jiffies64_to_msecs(set->timeout),
3646 NFTA_SET_PAD))
3647 goto nla_put_failure;
3648 if (set->gc_int &&
3649 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3650 goto nla_put_failure;
3651
3652 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3653 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3654 goto nla_put_failure;
3655 }
3656
3657 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3658 goto nla_put_failure;
3659
3660 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
3661 if (!nest)
3662 goto nla_put_failure;
3663 if (set->size &&
3664 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3665 goto nla_put_failure;
3666
3667 if (set->field_count > 1 &&
3668 nf_tables_fill_set_concat(skb, set))
3669 goto nla_put_failure;
3670
3671 nla_nest_end(skb, nest);
3672
3673 if (set->expr) {
3674 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
3675 if (nf_tables_fill_expr_info(skb, set->expr) < 0)
3676 goto nla_put_failure;
3677
3678 nla_nest_end(skb, nest);
3679 }
3680
3681 nlmsg_end(skb, nlh);
3682 return 0;
3683
3684nla_put_failure:
3685 nlmsg_trim(skb, nlh);
3686 return -1;
3687}
3688
3689static void nf_tables_set_notify(const struct nft_ctx *ctx,
3690 const struct nft_set *set, int event,
3691 gfp_t gfp_flags)
3692{
3693 struct sk_buff *skb;
3694 u32 portid = ctx->portid;
3695 int err;
3696
3697 if (!ctx->report &&
3698 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3699 return;
3700
3701 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3702 if (skb == NULL)
3703 goto err;
3704
3705 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3706 if (err < 0) {
3707 kfree_skb(skb);
3708 goto err;
3709 }
3710
3711 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
3712 gfp_flags);
3713 return;
3714err:
3715 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3716}
3717
3718static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3719{
3720 const struct nft_set *set;
3721 unsigned int idx, s_idx = cb->args[0];
3722 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3723 struct net *net = sock_net(skb->sk);
3724 struct nft_ctx *ctx = cb->data, ctx_set;
3725
3726 if (cb->args[1])
3727 return skb->len;
3728
3729 rcu_read_lock();
3730 cb->seq = net->nft.base_seq;
3731
3732 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3733 if (ctx->family != NFPROTO_UNSPEC &&
3734 ctx->family != table->family)
3735 continue;
3736
3737 if (ctx->table && ctx->table != table)
3738 continue;
3739
3740 if (cur_table) {
3741 if (cur_table != table)
3742 continue;
3743
3744 cur_table = NULL;
3745 }
3746 idx = 0;
3747 list_for_each_entry_rcu(set, &table->sets, list) {
3748 if (idx < s_idx)
3749 goto cont;
3750 if (!nft_is_active(net, set))
3751 goto cont;
3752
3753 ctx_set = *ctx;
3754 ctx_set.table = table;
3755 ctx_set.family = table->family;
3756
3757 if (nf_tables_fill_set(skb, &ctx_set, set,
3758 NFT_MSG_NEWSET,
3759 NLM_F_MULTI) < 0) {
3760 cb->args[0] = idx;
3761 cb->args[2] = (unsigned long) table;
3762 goto done;
3763 }
3764 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3765cont:
3766 idx++;
3767 }
3768 if (s_idx)
3769 s_idx = 0;
3770 }
3771 cb->args[1] = 1;
3772done:
3773 rcu_read_unlock();
3774 return skb->len;
3775}
3776
3777static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3778{
3779 struct nft_ctx *ctx_dump = NULL;
3780
3781 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
3782 if (ctx_dump == NULL)
3783 return -ENOMEM;
3784
3785 cb->data = ctx_dump;
3786 return 0;
3787}
3788
3789static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3790{
3791 kfree(cb->data);
3792 return 0;
3793}
3794
3795
3796static int nf_tables_getset(struct net *net, struct sock *nlsk,
3797 struct sk_buff *skb, const struct nlmsghdr *nlh,
3798 const struct nlattr * const nla[],
3799 struct netlink_ext_ack *extack)
3800{
3801 u8 genmask = nft_genmask_cur(net);
3802 const struct nft_set *set;
3803 struct nft_ctx ctx;
3804 struct sk_buff *skb2;
3805 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3806 int err;
3807
3808
3809 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3810 genmask);
3811 if (err < 0)
3812 return err;
3813
3814 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3815 struct netlink_dump_control c = {
3816 .start = nf_tables_dump_sets_start,
3817 .dump = nf_tables_dump_sets,
3818 .done = nf_tables_dump_sets_done,
3819 .data = &ctx,
3820 .module = THIS_MODULE,
3821 };
3822
3823 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3824 }
3825
3826
3827 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3828 return -EAFNOSUPPORT;
3829 if (!nla[NFTA_SET_TABLE])
3830 return -EINVAL;
3831
3832 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3833 if (IS_ERR(set))
3834 return PTR_ERR(set);
3835
3836 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3837 if (skb2 == NULL)
3838 return -ENOMEM;
3839
3840 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3841 if (err < 0)
3842 goto err;
3843
3844 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3845
3846err:
3847 kfree_skb(skb2);
3848 return err;
3849}
3850
3851static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
3852 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
3853};
3854
3855static int nft_set_desc_concat_parse(const struct nlattr *attr,
3856 struct nft_set_desc *desc)
3857{
3858 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
3859 u32 len;
3860 int err;
3861
3862 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
3863 nft_concat_policy, NULL);
3864 if (err < 0)
3865 return err;
3866
3867 if (!tb[NFTA_SET_FIELD_LEN])
3868 return -EINVAL;
3869
3870 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
3871
3872 if (len * BITS_PER_BYTE / 32 > NFT_REG32_COUNT)
3873 return -E2BIG;
3874
3875 desc->field_len[desc->field_count++] = len;
3876
3877 return 0;
3878}
3879
3880static int nft_set_desc_concat(struct nft_set_desc *desc,
3881 const struct nlattr *nla)
3882{
3883 struct nlattr *attr;
3884 int rem, err;
3885
3886 nla_for_each_nested(attr, nla, rem) {
3887 if (nla_type(attr) != NFTA_LIST_ELEM)
3888 return -EINVAL;
3889
3890 err = nft_set_desc_concat_parse(attr, desc);
3891 if (err < 0)
3892 return err;
3893 }
3894
3895 return 0;
3896}
3897
3898static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
3899 const struct nlattr *nla)
3900{
3901 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3902 int err;
3903
3904 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
3905 nft_set_desc_policy, NULL);
3906 if (err < 0)
3907 return err;
3908
3909 if (da[NFTA_SET_DESC_SIZE] != NULL)
3910 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3911 if (da[NFTA_SET_DESC_CONCAT])
3912 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
3913
3914 return err;
3915}
3916
3917static int nf_tables_newset(struct net *net, struct sock *nlsk,
3918 struct sk_buff *skb, const struct nlmsghdr *nlh,
3919 const struct nlattr * const nla[],
3920 struct netlink_ext_ack *extack)
3921{
3922 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3923 u8 genmask = nft_genmask_next(net);
3924 int family = nfmsg->nfgen_family;
3925 const struct nft_set_ops *ops;
3926 struct nft_expr *expr = NULL;
3927 struct nft_table *table;
3928 struct nft_set *set;
3929 struct nft_ctx ctx;
3930 char *name;
3931 u64 size;
3932 u64 timeout;
3933 u32 ktype, dtype, flags, policy, gc_int, objtype;
3934 struct nft_set_desc desc;
3935 unsigned char *udata;
3936 u16 udlen;
3937 int err;
3938 int i;
3939
3940 if (nla[NFTA_SET_TABLE] == NULL ||
3941 nla[NFTA_SET_NAME] == NULL ||
3942 nla[NFTA_SET_KEY_LEN] == NULL ||
3943 nla[NFTA_SET_ID] == NULL)
3944 return -EINVAL;
3945
3946 memset(&desc, 0, sizeof(desc));
3947
3948 ktype = NFT_DATA_VALUE;
3949 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3950 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3951 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3952 return -EINVAL;
3953 }
3954
3955 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3956 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3957 return -EINVAL;
3958
3959 flags = 0;
3960 if (nla[NFTA_SET_FLAGS] != NULL) {
3961 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3962 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3963 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3964 NFT_SET_MAP | NFT_SET_EVAL |
3965 NFT_SET_OBJECT | NFT_SET_CONCAT))
3966 return -EOPNOTSUPP;
3967
3968 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
3969 (NFT_SET_MAP | NFT_SET_OBJECT))
3970 return -EOPNOTSUPP;
3971 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3972 (NFT_SET_EVAL | NFT_SET_OBJECT))
3973 return -EOPNOTSUPP;
3974 }
3975
3976 dtype = 0;
3977 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3978 if (!(flags & NFT_SET_MAP))
3979 return -EINVAL;
3980
3981 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3982 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3983 dtype != NFT_DATA_VERDICT)
3984 return -EINVAL;
3985
3986 if (dtype != NFT_DATA_VERDICT) {
3987 if (nla[NFTA_SET_DATA_LEN] == NULL)
3988 return -EINVAL;
3989 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3990 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3991 return -EINVAL;
3992 } else
3993 desc.dlen = sizeof(struct nft_verdict);
3994 } else if (flags & NFT_SET_MAP)
3995 return -EINVAL;
3996
3997 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3998 if (!(flags & NFT_SET_OBJECT))
3999 return -EINVAL;
4000
4001 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
4002 if (objtype == NFT_OBJECT_UNSPEC ||
4003 objtype > NFT_OBJECT_MAX)
4004 return -EOPNOTSUPP;
4005 } else if (flags & NFT_SET_OBJECT)
4006 return -EINVAL;
4007 else
4008 objtype = NFT_OBJECT_UNSPEC;
4009
4010 timeout = 0;
4011 if (nla[NFTA_SET_TIMEOUT] != NULL) {
4012 if (!(flags & NFT_SET_TIMEOUT))
4013 return -EINVAL;
4014
4015 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
4016 if (err)
4017 return err;
4018 }
4019 gc_int = 0;
4020 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
4021 if (!(flags & NFT_SET_TIMEOUT))
4022 return -EINVAL;
4023 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
4024 }
4025
4026 policy = NFT_SET_POL_PERFORMANCE;
4027 if (nla[NFTA_SET_POLICY] != NULL)
4028 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
4029
4030 if (nla[NFTA_SET_DESC] != NULL) {
4031 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
4032 if (err < 0)
4033 return err;
4034 }
4035
4036 if (nla[NFTA_SET_EXPR])
4037 desc.expr = true;
4038
4039 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
4040 if (IS_ERR(table)) {
4041 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4042 return PTR_ERR(table);
4043 }
4044
4045 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4046
4047 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4048 if (IS_ERR(set)) {
4049 if (PTR_ERR(set) != -ENOENT) {
4050 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4051 return PTR_ERR(set);
4052 }
4053 } else {
4054 if (nlh->nlmsg_flags & NLM_F_EXCL) {
4055 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4056 return -EEXIST;
4057 }
4058 if (nlh->nlmsg_flags & NLM_F_REPLACE)
4059 return -EOPNOTSUPP;
4060
4061 return 0;
4062 }
4063
4064 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
4065 return -ENOENT;
4066
4067 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
4068 if (IS_ERR(ops))
4069 return PTR_ERR(ops);
4070
4071 udlen = 0;
4072 if (nla[NFTA_SET_USERDATA])
4073 udlen = nla_len(nla[NFTA_SET_USERDATA]);
4074
4075 size = 0;
4076 if (ops->privsize != NULL)
4077 size = ops->privsize(nla, &desc);
4078
4079 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
4080 if (!set)
4081 return -ENOMEM;
4082
4083 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
4084 if (!name) {
4085 err = -ENOMEM;
4086 goto err_set_name;
4087 }
4088
4089 err = nf_tables_set_alloc_name(&ctx, set, name);
4090 kfree(name);
4091 if (err < 0)
4092 goto err_set_alloc_name;
4093
4094 if (nla[NFTA_SET_EXPR]) {
4095 expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]);
4096 if (IS_ERR(expr)) {
4097 err = PTR_ERR(expr);
4098 goto err_set_alloc_name;
4099 }
4100 }
4101
4102 udata = NULL;
4103 if (udlen) {
4104 udata = set->data + size;
4105 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
4106 }
4107
4108 INIT_LIST_HEAD(&set->bindings);
4109 set->table = table;
4110 write_pnet(&set->net, net);
4111 set->ops = ops;
4112 set->ktype = ktype;
4113 set->klen = desc.klen;
4114 set->dtype = dtype;
4115 set->objtype = objtype;
4116 set->dlen = desc.dlen;
4117 set->expr = expr;
4118 set->flags = flags;
4119 set->size = desc.size;
4120 set->policy = policy;
4121 set->udlen = udlen;
4122 set->udata = udata;
4123 set->timeout = timeout;
4124 set->gc_int = gc_int;
4125 set->handle = nf_tables_alloc_handle(table);
4126
4127 set->field_count = desc.field_count;
4128 for (i = 0; i < desc.field_count; i++)
4129 set->field_len[i] = desc.field_len[i];
4130
4131 err = ops->init(set, &desc, nla);
4132 if (err < 0)
4133 goto err_set_init;
4134
4135 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
4136 if (err < 0)
4137 goto err_set_trans;
4138
4139 list_add_tail_rcu(&set->list, &table->sets);
4140 table->use++;
4141 return 0;
4142
4143err_set_trans:
4144 ops->destroy(set);
4145err_set_init:
4146 if (expr)
4147 nft_expr_destroy(&ctx, expr);
4148err_set_alloc_name:
4149 kfree(set->name);
4150err_set_name:
4151 kvfree(set);
4152 return err;
4153}
4154
4155static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
4156{
4157 if (WARN_ON(set->use > 0))
4158 return;
4159
4160 if (set->expr)
4161 nft_expr_destroy(ctx, set->expr);
4162
4163 set->ops->destroy(set);
4164 kfree(set->name);
4165 kvfree(set);
4166}
4167
4168static int nf_tables_delset(struct net *net, struct sock *nlsk,
4169 struct sk_buff *skb, const struct nlmsghdr *nlh,
4170 const struct nlattr * const nla[],
4171 struct netlink_ext_ack *extack)
4172{
4173 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4174 u8 genmask = nft_genmask_next(net);
4175 const struct nlattr *attr;
4176 struct nft_set *set;
4177 struct nft_ctx ctx;
4178 int err;
4179
4180 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4181 return -EAFNOSUPPORT;
4182 if (nla[NFTA_SET_TABLE] == NULL)
4183 return -EINVAL;
4184
4185 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
4186 genmask);
4187 if (err < 0)
4188 return err;
4189
4190 if (nla[NFTA_SET_HANDLE]) {
4191 attr = nla[NFTA_SET_HANDLE];
4192 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
4193 } else {
4194 attr = nla[NFTA_SET_NAME];
4195 set = nft_set_lookup(ctx.table, attr, genmask);
4196 }
4197
4198 if (IS_ERR(set)) {
4199 NL_SET_BAD_ATTR(extack, attr);
4200 return PTR_ERR(set);
4201 }
4202 if (set->use ||
4203 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
4204 NL_SET_BAD_ATTR(extack, attr);
4205 return -EBUSY;
4206 }
4207
4208 return nft_delset(&ctx, set);
4209}
4210
4211static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
4212 struct nft_set *set,
4213 const struct nft_set_iter *iter,
4214 struct nft_set_elem *elem)
4215{
4216 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4217 enum nft_registers dreg;
4218
4219 dreg = nft_type_to_reg(set->dtype);
4220 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
4221 set->dtype == NFT_DATA_VERDICT ?
4222 NFT_DATA_VERDICT : NFT_DATA_VALUE,
4223 set->dlen);
4224}
4225
4226int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
4227 struct nft_set_binding *binding)
4228{
4229 struct nft_set_binding *i;
4230 struct nft_set_iter iter;
4231
4232 if (set->use == UINT_MAX)
4233 return -EOVERFLOW;
4234
4235 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
4236 return -EBUSY;
4237
4238 if (binding->flags & NFT_SET_MAP) {
4239
4240
4241
4242 list_for_each_entry(i, &set->bindings, list) {
4243 if (i->flags & NFT_SET_MAP &&
4244 i->chain == binding->chain)
4245 goto bind;
4246 }
4247
4248 iter.genmask = nft_genmask_next(ctx->net);
4249 iter.skip = 0;
4250 iter.count = 0;
4251 iter.err = 0;
4252 iter.fn = nf_tables_bind_check_setelem;
4253
4254 set->ops->walk(ctx, set, &iter);
4255 if (iter.err < 0)
4256 return iter.err;
4257 }
4258bind:
4259 binding->chain = ctx->chain;
4260 list_add_tail_rcu(&binding->list, &set->bindings);
4261 nft_set_trans_bind(ctx, set);
4262 set->use++;
4263
4264 return 0;
4265}
4266EXPORT_SYMBOL_GPL(nf_tables_bind_set);
4267
4268static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
4269 struct nft_set_binding *binding, bool event)
4270{
4271 list_del_rcu(&binding->list);
4272
4273 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
4274 list_del_rcu(&set->list);
4275 if (event)
4276 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
4277 GFP_KERNEL);
4278 }
4279}
4280
4281void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
4282 struct nft_set_binding *binding,
4283 enum nft_trans_phase phase)
4284{
4285 switch (phase) {
4286 case NFT_TRANS_PREPARE:
4287 set->use--;
4288 return;
4289 case NFT_TRANS_ABORT:
4290 case NFT_TRANS_RELEASE:
4291 set->use--;
4292
4293 default:
4294 nf_tables_unbind_set(ctx, set, binding,
4295 phase == NFT_TRANS_COMMIT);
4296 }
4297}
4298EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
4299
4300void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
4301{
4302 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
4303 nft_set_destroy(ctx, set);
4304}
4305EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
4306
4307const struct nft_set_ext_type nft_set_ext_types[] = {
4308 [NFT_SET_EXT_KEY] = {
4309 .align = __alignof__(u32),
4310 },
4311 [NFT_SET_EXT_DATA] = {
4312 .align = __alignof__(u32),
4313 },
4314 [NFT_SET_EXT_EXPR] = {
4315 .align = __alignof__(struct nft_expr),
4316 },
4317 [NFT_SET_EXT_OBJREF] = {
4318 .len = sizeof(struct nft_object *),
4319 .align = __alignof__(struct nft_object *),
4320 },
4321 [NFT_SET_EXT_FLAGS] = {
4322 .len = sizeof(u8),
4323 .align = __alignof__(u8),
4324 },
4325 [NFT_SET_EXT_TIMEOUT] = {
4326 .len = sizeof(u64),
4327 .align = __alignof__(u64),
4328 },
4329 [NFT_SET_EXT_EXPIRATION] = {
4330 .len = sizeof(u64),
4331 .align = __alignof__(u64),
4332 },
4333 [NFT_SET_EXT_USERDATA] = {
4334 .len = sizeof(struct nft_userdata),
4335 .align = __alignof__(struct nft_userdata),
4336 },
4337 [NFT_SET_EXT_KEY_END] = {
4338 .align = __alignof__(u32),
4339 },
4340};
4341
4342
4343
4344
4345
4346static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
4347 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
4348 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
4349 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
4350 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
4351 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
4352 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
4353 .len = NFT_USERDATA_MAXLEN },
4354 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
4355 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
4356 .len = NFT_OBJ_MAXNAMELEN - 1 },
4357 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
4358};
4359
4360static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
4361 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
4362 .len = NFT_TABLE_MAXNAMELEN - 1 },
4363 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
4364 .len = NFT_SET_MAXNAMELEN - 1 },
4365 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
4366 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
4367};
4368
4369static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
4370 const struct sk_buff *skb,
4371 const struct nlmsghdr *nlh,
4372 const struct nlattr * const nla[],
4373 struct netlink_ext_ack *extack,
4374 u8 genmask)
4375{
4376 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4377 int family = nfmsg->nfgen_family;
4378 struct nft_table *table;
4379
4380 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
4381 genmask);
4382 if (IS_ERR(table)) {
4383 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
4384 return PTR_ERR(table);
4385 }
4386
4387 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
4388 return 0;
4389}
4390
4391static int nf_tables_fill_setelem(struct sk_buff *skb,
4392 const struct nft_set *set,
4393 const struct nft_set_elem *elem)
4394{
4395 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4396 unsigned char *b = skb_tail_pointer(skb);
4397 struct nlattr *nest;
4398
4399 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4400 if (nest == NULL)
4401 goto nla_put_failure;
4402
4403 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
4404 NFT_DATA_VALUE, set->klen) < 0)
4405 goto nla_put_failure;
4406
4407 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
4408 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
4409 NFT_DATA_VALUE, set->klen) < 0)
4410 goto nla_put_failure;
4411
4412 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4413 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
4414 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
4415 set->dlen) < 0)
4416 goto nla_put_failure;
4417
4418 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
4419 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
4420 goto nla_put_failure;
4421
4422 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4423 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
4424 (*nft_set_ext_obj(ext))->key.name) < 0)
4425 goto nla_put_failure;
4426
4427 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4428 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
4429 htonl(*nft_set_ext_flags(ext))))
4430 goto nla_put_failure;
4431
4432 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
4433 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
4434 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
4435 NFTA_SET_ELEM_PAD))
4436 goto nla_put_failure;
4437
4438 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4439 u64 expires, now = get_jiffies_64();
4440
4441 expires = *nft_set_ext_expiration(ext);
4442 if (time_before64(now, expires))
4443 expires -= now;
4444 else
4445 expires = 0;
4446
4447 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
4448 nf_jiffies64_to_msecs(expires),
4449 NFTA_SET_ELEM_PAD))
4450 goto nla_put_failure;
4451 }
4452
4453 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
4454 struct nft_userdata *udata;
4455
4456 udata = nft_set_ext_userdata(ext);
4457 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
4458 udata->len + 1, udata->data))
4459 goto nla_put_failure;
4460 }
4461
4462 nla_nest_end(skb, nest);
4463 return 0;
4464
4465nla_put_failure:
4466 nlmsg_trim(skb, b);
4467 return -EMSGSIZE;
4468}
4469
4470struct nft_set_dump_args {
4471 const struct netlink_callback *cb;
4472 struct nft_set_iter iter;
4473 struct sk_buff *skb;
4474};
4475
4476static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
4477 struct nft_set *set,
4478 const struct nft_set_iter *iter,
4479 struct nft_set_elem *elem)
4480{
4481 struct nft_set_dump_args *args;
4482
4483 args = container_of(iter, struct nft_set_dump_args, iter);
4484 return nf_tables_fill_setelem(args->skb, set, elem);
4485}
4486
4487struct nft_set_dump_ctx {
4488 const struct nft_set *set;
4489 struct nft_ctx ctx;
4490};
4491
4492static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4493{
4494 struct nft_set_dump_ctx *dump_ctx = cb->data;
4495 struct net *net = sock_net(skb->sk);
4496 struct nft_table *table;
4497 struct nft_set *set;
4498 struct nft_set_dump_args args;
4499 bool set_found = false;
4500 struct nfgenmsg *nfmsg;
4501 struct nlmsghdr *nlh;
4502 struct nlattr *nest;
4503 u32 portid, seq;
4504 int event;
4505
4506 rcu_read_lock();
4507 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4508 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4509 dump_ctx->ctx.family != table->family)
4510 continue;
4511
4512 if (table != dump_ctx->ctx.table)
4513 continue;
4514
4515 list_for_each_entry_rcu(set, &table->sets, list) {
4516 if (set == dump_ctx->set) {
4517 set_found = true;
4518 break;
4519 }
4520 }
4521 break;
4522 }
4523
4524 if (!set_found) {
4525 rcu_read_unlock();
4526 return -ENOENT;
4527 }
4528
4529 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4530 portid = NETLINK_CB(cb->skb).portid;
4531 seq = cb->nlh->nlmsg_seq;
4532
4533 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4534 NLM_F_MULTI);
4535 if (nlh == NULL)
4536 goto nla_put_failure;
4537
4538 nfmsg = nlmsg_data(nlh);
4539 nfmsg->nfgen_family = table->family;
4540 nfmsg->version = NFNETLINK_V0;
4541 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4542
4543 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4544 goto nla_put_failure;
4545 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4546 goto nla_put_failure;
4547
4548 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4549 if (nest == NULL)
4550 goto nla_put_failure;
4551
4552 args.cb = cb;
4553 args.skb = skb;
4554 args.iter.genmask = nft_genmask_cur(net);
4555 args.iter.skip = cb->args[0];
4556 args.iter.count = 0;
4557 args.iter.err = 0;
4558 args.iter.fn = nf_tables_dump_setelem;
4559 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4560 rcu_read_unlock();
4561
4562 nla_nest_end(skb, nest);
4563 nlmsg_end(skb, nlh);
4564
4565 if (args.iter.err && args.iter.err != -EMSGSIZE)
4566 return args.iter.err;
4567 if (args.iter.count == cb->args[0])
4568 return 0;
4569
4570 cb->args[0] = args.iter.count;
4571 return skb->len;
4572
4573nla_put_failure:
4574 rcu_read_unlock();
4575 return -ENOSPC;
4576}
4577
4578static int nf_tables_dump_set_start(struct netlink_callback *cb)
4579{
4580 struct nft_set_dump_ctx *dump_ctx = cb->data;
4581
4582 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4583
4584 return cb->data ? 0 : -ENOMEM;
4585}
4586
4587static int nf_tables_dump_set_done(struct netlink_callback *cb)
4588{
4589 kfree(cb->data);
4590 return 0;
4591}
4592
4593static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4594 const struct nft_ctx *ctx, u32 seq,
4595 u32 portid, int event, u16 flags,
4596 const struct nft_set *set,
4597 const struct nft_set_elem *elem)
4598{
4599 struct nfgenmsg *nfmsg;
4600 struct nlmsghdr *nlh;
4601 struct nlattr *nest;
4602 int err;
4603
4604 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4605 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4606 flags);
4607 if (nlh == NULL)
4608 goto nla_put_failure;
4609
4610 nfmsg = nlmsg_data(nlh);
4611 nfmsg->nfgen_family = ctx->family;
4612 nfmsg->version = NFNETLINK_V0;
4613 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
4614
4615 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4616 goto nla_put_failure;
4617 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4618 goto nla_put_failure;
4619
4620 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4621 if (nest == NULL)
4622 goto nla_put_failure;
4623
4624 err = nf_tables_fill_setelem(skb, set, elem);
4625 if (err < 0)
4626 goto nla_put_failure;
4627
4628 nla_nest_end(skb, nest);
4629
4630 nlmsg_end(skb, nlh);
4631 return 0;
4632
4633nla_put_failure:
4634 nlmsg_trim(skb, nlh);
4635 return -1;
4636}
4637
4638static int nft_setelem_parse_flags(const struct nft_set *set,
4639 const struct nlattr *attr, u32 *flags)
4640{
4641 if (attr == NULL)
4642 return 0;
4643
4644 *flags = ntohl(nla_get_be32(attr));
4645 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4646 return -EINVAL;
4647 if (!(set->flags & NFT_SET_INTERVAL) &&
4648 *flags & NFT_SET_ELEM_INTERVAL_END)
4649 return -EINVAL;
4650
4651 return 0;
4652}
4653
4654static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
4655 struct nft_data *key, struct nlattr *attr)
4656{
4657 struct nft_data_desc desc;
4658 int err;
4659
4660 err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr);
4661 if (err < 0)
4662 return err;
4663
4664 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
4665 nft_data_release(key, desc.type);
4666 return -EINVAL;
4667 }
4668
4669 return 0;
4670}
4671
4672static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4673 const struct nlattr *attr)
4674{
4675 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4676 struct nft_set_elem elem;
4677 struct sk_buff *skb;
4678 uint32_t flags = 0;
4679 void *priv;
4680 int err;
4681
4682 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4683 nft_set_elem_policy, NULL);
4684 if (err < 0)
4685 return err;
4686
4687 if (!nla[NFTA_SET_ELEM_KEY])
4688 return -EINVAL;
4689
4690 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4691 if (err < 0)
4692 return err;
4693
4694 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
4695 nla[NFTA_SET_ELEM_KEY]);
4696 if (err < 0)
4697 return err;
4698
4699 if (nla[NFTA_SET_ELEM_KEY_END]) {
4700 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
4701 nla[NFTA_SET_ELEM_KEY_END]);
4702 if (err < 0)
4703 return err;
4704 }
4705
4706 priv = set->ops->get(ctx->net, set, &elem, flags);
4707 if (IS_ERR(priv))
4708 return PTR_ERR(priv);
4709
4710 elem.priv = priv;
4711
4712 err = -ENOMEM;
4713 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4714 if (skb == NULL)
4715 goto err1;
4716
4717 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4718 NFT_MSG_NEWSETELEM, 0, set, &elem);
4719 if (err < 0)
4720 goto err2;
4721
4722 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
4723
4724 if (err < 0)
4725 goto err1;
4726
4727 return 0;
4728err2:
4729 kfree_skb(skb);
4730err1:
4731
4732 return err == -EAGAIN ? -ENOBUFS : err;
4733}
4734
4735
4736static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
4737 struct sk_buff *skb, const struct nlmsghdr *nlh,
4738 const struct nlattr * const nla[],
4739 struct netlink_ext_ack *extack)
4740{
4741 u8 genmask = nft_genmask_cur(net);
4742 struct nft_set *set;
4743 struct nlattr *attr;
4744 struct nft_ctx ctx;
4745 int rem, err = 0;
4746
4747 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4748 genmask);
4749 if (err < 0)
4750 return err;
4751
4752 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4753 if (IS_ERR(set))
4754 return PTR_ERR(set);
4755
4756 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4757 struct netlink_dump_control c = {
4758 .start = nf_tables_dump_set_start,
4759 .dump = nf_tables_dump_set,
4760 .done = nf_tables_dump_set_done,
4761 .module = THIS_MODULE,
4762 };
4763 struct nft_set_dump_ctx dump_ctx = {
4764 .set = set,
4765 .ctx = ctx,
4766 };
4767
4768 c.data = &dump_ctx;
4769 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4770 }
4771
4772 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
4773 return -EINVAL;
4774
4775 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4776 err = nft_get_set_elem(&ctx, set, attr);
4777 if (err < 0)
4778 break;
4779 }
4780
4781 return err;
4782}
4783
4784static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
4785 const struct nft_set *set,
4786 const struct nft_set_elem *elem,
4787 int event, u16 flags)
4788{
4789 struct net *net = ctx->net;
4790 u32 portid = ctx->portid;
4791 struct sk_buff *skb;
4792 int err;
4793
4794 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4795 return;
4796
4797 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4798 if (skb == NULL)
4799 goto err;
4800
4801 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
4802 set, elem);
4803 if (err < 0) {
4804 kfree_skb(skb);
4805 goto err;
4806 }
4807
4808 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
4809 GFP_KERNEL);
4810 return;
4811err:
4812 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4813}
4814
4815static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
4816 int msg_type,
4817 struct nft_set *set)
4818{
4819 struct nft_trans *trans;
4820
4821 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
4822 if (trans == NULL)
4823 return NULL;
4824
4825 nft_trans_elem_set(trans) = set;
4826 return trans;
4827}
4828
4829struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
4830 const struct nft_set *set,
4831 const struct nlattr *attr)
4832{
4833 struct nft_expr *expr;
4834 int err;
4835
4836 expr = nft_expr_init(ctx, attr);
4837 if (IS_ERR(expr))
4838 return expr;
4839
4840 err = -EOPNOTSUPP;
4841 if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL))
4842 goto err_set_elem_expr;
4843
4844 if (expr->ops->type->flags & NFT_EXPR_GC) {
4845 if (set->flags & NFT_SET_TIMEOUT)
4846 goto err_set_elem_expr;
4847 if (!set->ops->gc_init)
4848 goto err_set_elem_expr;
4849 set->ops->gc_init(set);
4850 }
4851
4852 return expr;
4853
4854err_set_elem_expr:
4855 nft_expr_destroy(ctx, expr);
4856 return ERR_PTR(err);
4857}
4858
4859void *nft_set_elem_init(const struct nft_set *set,
4860 const struct nft_set_ext_tmpl *tmpl,
4861 const u32 *key, const u32 *key_end,
4862 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp)
4863{
4864 struct nft_set_ext *ext;
4865 void *elem;
4866
4867 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
4868 if (elem == NULL)
4869 return NULL;
4870
4871 ext = nft_set_elem_ext(set, elem);
4872 nft_set_ext_init(ext, tmpl);
4873
4874 memcpy(nft_set_ext_key(ext), key, set->klen);
4875 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
4876 memcpy(nft_set_ext_key_end(ext), key_end, set->klen);
4877 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4878 memcpy(nft_set_ext_data(ext), data, set->dlen);
4879 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4880 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
4881 if (expiration == 0)
4882 *nft_set_ext_expiration(ext) += timeout;
4883 }
4884 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
4885 *nft_set_ext_timeout(ext) = timeout;
4886
4887 return elem;
4888}
4889
4890static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
4891 struct nft_expr *expr)
4892{
4893 if (expr->ops->destroy_clone) {
4894 expr->ops->destroy_clone(ctx, expr);
4895 module_put(expr->ops->type->owner);
4896 } else {
4897 nf_tables_expr_destroy(ctx, expr);
4898 }
4899}
4900
4901void nft_set_elem_destroy(const struct nft_set *set, void *elem,
4902 bool destroy_expr)
4903{
4904 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4905 struct nft_ctx ctx = {
4906 .net = read_pnet(&set->net),
4907 .family = set->table->family,
4908 };
4909
4910 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
4911 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4912 nft_data_release(nft_set_ext_data(ext), set->dtype);
4913 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
4914 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
4915
4916 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4917 (*nft_set_ext_obj(ext))->use--;
4918 kfree(elem);
4919}
4920EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
4921
4922
4923
4924
4925static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
4926 const struct nft_set *set, void *elem)
4927{
4928 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4929
4930 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
4931 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
4932
4933 kfree(elem);
4934}
4935
4936static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4937 const struct nlattr *attr, u32 nlmsg_flags)
4938{
4939 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4940 u8 genmask = nft_genmask_next(ctx->net);
4941 struct nft_set_ext_tmpl tmpl;
4942 struct nft_set_ext *ext, *ext2;
4943 struct nft_set_elem elem;
4944 struct nft_set_binding *binding;
4945 struct nft_object *obj = NULL;
4946 struct nft_expr *expr = NULL;
4947 struct nft_userdata *udata;
4948 struct nft_data_desc desc;
4949 struct nft_data data;
4950 enum nft_registers dreg;
4951 struct nft_trans *trans;
4952 u32 flags = 0;
4953 u64 timeout;
4954 u64 expiration;
4955 u8 ulen;
4956 int err;
4957
4958 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4959 nft_set_elem_policy, NULL);
4960 if (err < 0)
4961 return err;
4962
4963 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4964 return -EINVAL;
4965
4966 nft_set_ext_prepare(&tmpl);
4967
4968 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4969 if (err < 0)
4970 return err;
4971 if (flags != 0)
4972 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4973
4974 if (set->flags & NFT_SET_MAP) {
4975 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
4976 !(flags & NFT_SET_ELEM_INTERVAL_END))
4977 return -EINVAL;
4978 } else {
4979 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4980 return -EINVAL;
4981 }
4982
4983 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
4984 (nla[NFTA_SET_ELEM_DATA] ||
4985 nla[NFTA_SET_ELEM_OBJREF] ||
4986 nla[NFTA_SET_ELEM_TIMEOUT] ||
4987 nla[NFTA_SET_ELEM_EXPIRATION] ||
4988 nla[NFTA_SET_ELEM_USERDATA] ||
4989 nla[NFTA_SET_ELEM_EXPR]))
4990 return -EINVAL;
4991
4992 timeout = 0;
4993 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
4994 if (!(set->flags & NFT_SET_TIMEOUT))
4995 return -EINVAL;
4996 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
4997 &timeout);
4998 if (err)
4999 return err;
5000 } else if (set->flags & NFT_SET_TIMEOUT) {
5001 timeout = set->timeout;
5002 }
5003
5004 expiration = 0;
5005 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
5006 if (!(set->flags & NFT_SET_TIMEOUT))
5007 return -EINVAL;
5008 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
5009 &expiration);
5010 if (err)
5011 return err;
5012 }
5013
5014 if (nla[NFTA_SET_ELEM_EXPR] != NULL) {
5015 expr = nft_set_elem_expr_alloc(ctx, set,
5016 nla[NFTA_SET_ELEM_EXPR]);
5017 if (IS_ERR(expr))
5018 return PTR_ERR(expr);
5019
5020 err = -EOPNOTSUPP;
5021 if (set->expr && set->expr->ops != expr->ops)
5022 goto err_set_elem_expr;
5023 } else if (set->expr) {
5024 expr = kzalloc(set->expr->ops->size, GFP_KERNEL);
5025 if (!expr)
5026 return -ENOMEM;
5027
5028 err = nft_expr_clone(expr, set->expr);
5029 if (err < 0)
5030 goto err_set_elem_expr;
5031 }
5032
5033 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5034 nla[NFTA_SET_ELEM_KEY]);
5035 if (err < 0)
5036 goto err_set_elem_expr;
5037
5038 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5039
5040 if (nla[NFTA_SET_ELEM_KEY_END]) {
5041 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5042 nla[NFTA_SET_ELEM_KEY_END]);
5043 if (err < 0)
5044 goto err_parse_key;
5045
5046 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5047 }
5048
5049 if (timeout > 0) {
5050 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
5051 if (timeout != set->timeout)
5052 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
5053 }
5054
5055 if (expr)
5056 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPR,
5057 expr->ops->size);
5058
5059 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
5060 if (!(set->flags & NFT_SET_OBJECT)) {
5061 err = -EINVAL;
5062 goto err_parse_key_end;
5063 }
5064 obj = nft_obj_lookup(ctx->net, ctx->table,
5065 nla[NFTA_SET_ELEM_OBJREF],
5066 set->objtype, genmask);
5067 if (IS_ERR(obj)) {
5068 err = PTR_ERR(obj);
5069 goto err_parse_key_end;
5070 }
5071 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
5072 }
5073
5074 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
5075 err = nft_data_init(ctx, &data, sizeof(data), &desc,
5076 nla[NFTA_SET_ELEM_DATA]);
5077 if (err < 0)
5078 goto err_parse_key_end;
5079
5080 err = -EINVAL;
5081 if (set->dtype != NFT_DATA_VERDICT && desc.len != set->dlen)
5082 goto err_parse_data;
5083
5084 dreg = nft_type_to_reg(set->dtype);
5085 list_for_each_entry(binding, &set->bindings, list) {
5086 struct nft_ctx bind_ctx = {
5087 .net = ctx->net,
5088 .family = ctx->family,
5089 .table = ctx->table,
5090 .chain = (struct nft_chain *)binding->chain,
5091 };
5092
5093 if (!(binding->flags & NFT_SET_MAP))
5094 continue;
5095
5096 err = nft_validate_register_store(&bind_ctx, dreg,
5097 &data,
5098 desc.type, desc.len);
5099 if (err < 0)
5100 goto err_parse_data;
5101
5102 if (desc.type == NFT_DATA_VERDICT &&
5103 (data.verdict.code == NFT_GOTO ||
5104 data.verdict.code == NFT_JUMP))
5105 nft_validate_state_update(ctx->net,
5106 NFT_VALIDATE_NEED);
5107 }
5108
5109 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
5110 }
5111
5112
5113
5114
5115
5116 ulen = 0;
5117 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
5118 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
5119 if (ulen > 0)
5120 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
5121 ulen);
5122 }
5123
5124 err = -ENOMEM;
5125 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5126 elem.key_end.val.data, data.data,
5127 timeout, expiration, GFP_KERNEL);
5128 if (elem.priv == NULL)
5129 goto err_parse_data;
5130
5131 ext = nft_set_elem_ext(set, elem.priv);
5132 if (flags)
5133 *nft_set_ext_flags(ext) = flags;
5134 if (ulen > 0) {
5135 udata = nft_set_ext_userdata(ext);
5136 udata->len = ulen - 1;
5137 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
5138 }
5139 if (obj) {
5140 *nft_set_ext_obj(ext) = obj;
5141 obj->use++;
5142 }
5143 if (expr) {
5144 memcpy(nft_set_ext_expr(ext), expr, expr->ops->size);
5145 kfree(expr);
5146 expr = NULL;
5147 }
5148
5149 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
5150 if (trans == NULL)
5151 goto err_trans;
5152
5153 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
5154 err = set->ops->insert(ctx->net, set, &elem, &ext2);
5155 if (err) {
5156 if (err == -EEXIST) {
5157 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
5158 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
5159 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
5160 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
5161 err = -EBUSY;
5162 goto err_element_clash;
5163 }
5164 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5165 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
5166 memcmp(nft_set_ext_data(ext),
5167 nft_set_ext_data(ext2), set->dlen) != 0) ||
5168 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5169 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
5170 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
5171 err = -EBUSY;
5172 else if (!(nlmsg_flags & NLM_F_EXCL))
5173 err = 0;
5174 } else if (err == -ENOTEMPTY) {
5175
5176
5177
5178 err = -EEXIST;
5179 }
5180 goto err_element_clash;
5181 }
5182
5183 if (set->size &&
5184 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
5185 err = -ENFILE;
5186 goto err_set_full;
5187 }
5188
5189 nft_trans_elem(trans) = elem;
5190 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5191 return 0;
5192
5193err_set_full:
5194 set->ops->remove(ctx->net, set, &elem);
5195err_element_clash:
5196 kfree(trans);
5197err_trans:
5198 if (obj)
5199 obj->use--;
5200
5201 nf_tables_set_elem_destroy(ctx, set, elem.priv);
5202err_parse_data:
5203 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5204 nft_data_release(&data, desc.type);
5205err_parse_key_end:
5206 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
5207err_parse_key:
5208 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5209err_set_elem_expr:
5210 if (expr != NULL)
5211 nft_expr_destroy(ctx, expr);
5212
5213 return err;
5214}
5215
5216static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
5217 struct sk_buff *skb, const struct nlmsghdr *nlh,
5218 const struct nlattr * const nla[],
5219 struct netlink_ext_ack *extack)
5220{
5221 u8 genmask = nft_genmask_next(net);
5222 const struct nlattr *attr;
5223 struct nft_set *set;
5224 struct nft_ctx ctx;
5225 int rem, err;
5226
5227 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
5228 return -EINVAL;
5229
5230 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5231 genmask);
5232 if (err < 0)
5233 return err;
5234
5235 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
5236 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
5237 if (IS_ERR(set))
5238 return PTR_ERR(set);
5239
5240 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5241 return -EBUSY;
5242
5243 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5244 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
5245 if (err < 0)
5246 return err;
5247 }
5248
5249 if (net->nft.validate_state == NFT_VALIDATE_DO)
5250 return nft_table_validate(net, ctx.table);
5251
5252 return 0;
5253}
5254
5255
5256
5257
5258
5259
5260
5261
5262
5263
5264
5265
5266void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
5267{
5268 if (type == NFT_DATA_VERDICT) {
5269 switch (data->verdict.code) {
5270 case NFT_JUMP:
5271 case NFT_GOTO:
5272 data->verdict.chain->use++;
5273 break;
5274 }
5275 }
5276}
5277
5278static void nft_set_elem_activate(const struct net *net,
5279 const struct nft_set *set,
5280 struct nft_set_elem *elem)
5281{
5282 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5283
5284 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5285 nft_data_hold(nft_set_ext_data(ext), set->dtype);
5286 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5287 (*nft_set_ext_obj(ext))->use++;
5288}
5289
5290static void nft_set_elem_deactivate(const struct net *net,
5291 const struct nft_set *set,
5292 struct nft_set_elem *elem)
5293{
5294 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5295
5296 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5297 nft_data_release(nft_set_ext_data(ext), set->dtype);
5298 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5299 (*nft_set_ext_obj(ext))->use--;
5300}
5301
5302static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
5303 const struct nlattr *attr)
5304{
5305 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5306 struct nft_set_ext_tmpl tmpl;
5307 struct nft_set_elem elem;
5308 struct nft_set_ext *ext;
5309 struct nft_trans *trans;
5310 u32 flags = 0;
5311 void *priv;
5312 int err;
5313
5314 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5315 nft_set_elem_policy, NULL);
5316 if (err < 0)
5317 return err;
5318
5319 if (nla[NFTA_SET_ELEM_KEY] == NULL)
5320 return -EINVAL;
5321
5322 nft_set_ext_prepare(&tmpl);
5323
5324 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5325 if (err < 0)
5326 return err;
5327 if (flags != 0)
5328 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5329
5330 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5331 nla[NFTA_SET_ELEM_KEY]);
5332 if (err < 0)
5333 return err;
5334
5335 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5336
5337 if (nla[NFTA_SET_ELEM_KEY_END]) {
5338 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5339 nla[NFTA_SET_ELEM_KEY_END]);
5340 if (err < 0)
5341 return err;
5342
5343 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5344 }
5345
5346 err = -ENOMEM;
5347 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5348 elem.key_end.val.data, NULL, 0, 0,
5349 GFP_KERNEL);
5350 if (elem.priv == NULL)
5351 goto fail_elem;
5352
5353 ext = nft_set_elem_ext(set, elem.priv);
5354 if (flags)
5355 *nft_set_ext_flags(ext) = flags;
5356
5357 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
5358 if (trans == NULL)
5359 goto fail_trans;
5360
5361 priv = set->ops->deactivate(ctx->net, set, &elem);
5362 if (priv == NULL) {
5363 err = -ENOENT;
5364 goto fail_ops;
5365 }
5366 kfree(elem.priv);
5367 elem.priv = priv;
5368
5369 nft_set_elem_deactivate(ctx->net, set, &elem);
5370
5371 nft_trans_elem(trans) = elem;
5372 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5373 return 0;
5374
5375fail_ops:
5376 kfree(trans);
5377fail_trans:
5378 kfree(elem.priv);
5379fail_elem:
5380 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5381 return err;
5382}
5383
5384static int nft_flush_set(const struct nft_ctx *ctx,
5385 struct nft_set *set,
5386 const struct nft_set_iter *iter,
5387 struct nft_set_elem *elem)
5388{
5389 struct nft_trans *trans;
5390 int err;
5391
5392 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
5393 sizeof(struct nft_trans_elem), GFP_ATOMIC);
5394 if (!trans)
5395 return -ENOMEM;
5396
5397 if (!set->ops->flush(ctx->net, set, elem->priv)) {
5398 err = -ENOENT;
5399 goto err1;
5400 }
5401 set->ndeact++;
5402
5403 nft_set_elem_deactivate(ctx->net, set, elem);
5404 nft_trans_elem_set(trans) = set;
5405 nft_trans_elem(trans) = *elem;
5406 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5407
5408 return 0;
5409err1:
5410 kfree(trans);
5411 return err;
5412}
5413
5414static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
5415 struct sk_buff *skb, const struct nlmsghdr *nlh,
5416 const struct nlattr * const nla[],
5417 struct netlink_ext_ack *extack)
5418{
5419 u8 genmask = nft_genmask_next(net);
5420 const struct nlattr *attr;
5421 struct nft_set *set;
5422 struct nft_ctx ctx;
5423 int rem, err = 0;
5424
5425 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5426 genmask);
5427 if (err < 0)
5428 return err;
5429
5430 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5431 if (IS_ERR(set))
5432 return PTR_ERR(set);
5433 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5434 return -EBUSY;
5435
5436 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
5437 struct nft_set_iter iter = {
5438 .genmask = genmask,
5439 .fn = nft_flush_set,
5440 };
5441 set->ops->walk(&ctx, set, &iter);
5442
5443 return iter.err;
5444 }
5445
5446 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5447 err = nft_del_setelem(&ctx, set, attr);
5448 if (err < 0)
5449 break;
5450
5451 set->ndeact++;
5452 }
5453 return err;
5454}
5455
5456void nft_set_gc_batch_release(struct rcu_head *rcu)
5457{
5458 struct nft_set_gc_batch *gcb;
5459 unsigned int i;
5460
5461 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
5462 for (i = 0; i < gcb->head.cnt; i++)
5463 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
5464 kfree(gcb);
5465}
5466
5467struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
5468 gfp_t gfp)
5469{
5470 struct nft_set_gc_batch *gcb;
5471
5472 gcb = kzalloc(sizeof(*gcb), gfp);
5473 if (gcb == NULL)
5474 return gcb;
5475 gcb->head.set = set;
5476 return gcb;
5477}
5478
5479
5480
5481
5482
5483
5484
5485
5486
5487
5488
5489
5490int nft_register_obj(struct nft_object_type *obj_type)
5491{
5492 if (obj_type->type == NFT_OBJECT_UNSPEC)
5493 return -EINVAL;
5494
5495 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5496 list_add_rcu(&obj_type->list, &nf_tables_objects);
5497 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5498 return 0;
5499}
5500EXPORT_SYMBOL_GPL(nft_register_obj);
5501
5502
5503
5504
5505
5506
5507
5508void nft_unregister_obj(struct nft_object_type *obj_type)
5509{
5510 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5511 list_del_rcu(&obj_type->list);
5512 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5513}
5514EXPORT_SYMBOL_GPL(nft_unregister_obj);
5515
5516struct nft_object *nft_obj_lookup(const struct net *net,
5517 const struct nft_table *table,
5518 const struct nlattr *nla, u32 objtype,
5519 u8 genmask)
5520{
5521 struct nft_object_hash_key k = { .table = table };
5522 char search[NFT_OBJ_MAXNAMELEN];
5523 struct rhlist_head *tmp, *list;
5524 struct nft_object *obj;
5525
5526 nla_strlcpy(search, nla, sizeof(search));
5527 k.name = search;
5528
5529 WARN_ON_ONCE(!rcu_read_lock_held() &&
5530 !lockdep_commit_lock_is_held(net));
5531
5532 rcu_read_lock();
5533 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
5534 if (!list)
5535 goto out;
5536
5537 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
5538 if (objtype == obj->ops->type->type &&
5539 nft_active_genmask(obj, genmask)) {
5540 rcu_read_unlock();
5541 return obj;
5542 }
5543 }
5544out:
5545 rcu_read_unlock();
5546 return ERR_PTR(-ENOENT);
5547}
5548EXPORT_SYMBOL_GPL(nft_obj_lookup);
5549
5550static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
5551 const struct nlattr *nla,
5552 u32 objtype, u8 genmask)
5553{
5554 struct nft_object *obj;
5555
5556 list_for_each_entry(obj, &table->objects, list) {
5557 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
5558 objtype == obj->ops->type->type &&
5559 nft_active_genmask(obj, genmask))
5560 return obj;
5561 }
5562 return ERR_PTR(-ENOENT);
5563}
5564
5565static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
5566 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
5567 .len = NFT_TABLE_MAXNAMELEN - 1 },
5568 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
5569 .len = NFT_OBJ_MAXNAMELEN - 1 },
5570 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
5571 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
5572 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
5573};
5574
5575static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
5576 const struct nft_object_type *type,
5577 const struct nlattr *attr)
5578{
5579 struct nlattr **tb;
5580 const struct nft_object_ops *ops;
5581 struct nft_object *obj;
5582 int err = -ENOMEM;
5583
5584 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
5585 if (!tb)
5586 goto err1;
5587
5588 if (attr) {
5589 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
5590 type->policy, NULL);
5591 if (err < 0)
5592 goto err2;
5593 } else {
5594 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
5595 }
5596
5597 if (type->select_ops) {
5598 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
5599 if (IS_ERR(ops)) {
5600 err = PTR_ERR(ops);
5601 goto err2;
5602 }
5603 } else {
5604 ops = type->ops;
5605 }
5606
5607 err = -ENOMEM;
5608 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
5609 if (!obj)
5610 goto err2;
5611
5612 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
5613 if (err < 0)
5614 goto err3;
5615
5616 obj->ops = ops;
5617
5618 kfree(tb);
5619 return obj;
5620err3:
5621 kfree(obj);
5622err2:
5623 kfree(tb);
5624err1:
5625 return ERR_PTR(err);
5626}
5627
5628static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
5629 struct nft_object *obj, bool reset)
5630{
5631 struct nlattr *nest;
5632
5633 nest = nla_nest_start_noflag(skb, attr);
5634 if (!nest)
5635 goto nla_put_failure;
5636 if (obj->ops->dump(skb, obj, reset) < 0)
5637 goto nla_put_failure;
5638 nla_nest_end(skb, nest);
5639 return 0;
5640
5641nla_put_failure:
5642 return -1;
5643}
5644
5645static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
5646{
5647 const struct nft_object_type *type;
5648
5649 list_for_each_entry(type, &nf_tables_objects, list) {
5650 if (objtype == type->type)
5651 return type;
5652 }
5653 return NULL;
5654}
5655
5656static const struct nft_object_type *
5657nft_obj_type_get(struct net *net, u32 objtype)
5658{
5659 const struct nft_object_type *type;
5660
5661 type = __nft_obj_type_get(objtype);
5662 if (type != NULL && try_module_get(type->owner))
5663 return type;
5664
5665 lockdep_nfnl_nft_mutex_not_held();
5666#ifdef CONFIG_MODULES
5667 if (type == NULL) {
5668 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
5669 return ERR_PTR(-EAGAIN);
5670 }
5671#endif
5672 return ERR_PTR(-ENOENT);
5673}
5674
5675static int nf_tables_updobj(const struct nft_ctx *ctx,
5676 const struct nft_object_type *type,
5677 const struct nlattr *attr,
5678 struct nft_object *obj)
5679{
5680 struct nft_object *newobj;
5681 struct nft_trans *trans;
5682 int err;
5683
5684 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
5685 sizeof(struct nft_trans_obj));
5686 if (!trans)
5687 return -ENOMEM;
5688
5689 newobj = nft_obj_init(ctx, type, attr);
5690 if (IS_ERR(newobj)) {
5691 err = PTR_ERR(newobj);
5692 goto err_free_trans;
5693 }
5694
5695 nft_trans_obj(trans) = obj;
5696 nft_trans_obj_update(trans) = true;
5697 nft_trans_obj_newobj(trans) = newobj;
5698 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5699
5700 return 0;
5701
5702err_free_trans:
5703 kfree(trans);
5704 return err;
5705}
5706
5707static int nf_tables_newobj(struct net *net, struct sock *nlsk,
5708 struct sk_buff *skb, const struct nlmsghdr *nlh,
5709 const struct nlattr * const nla[],
5710 struct netlink_ext_ack *extack)
5711{
5712 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5713 const struct nft_object_type *type;
5714 u8 genmask = nft_genmask_next(net);
5715 int family = nfmsg->nfgen_family;
5716 struct nft_table *table;
5717 struct nft_object *obj;
5718 struct nft_ctx ctx;
5719 u32 objtype;
5720 int err;
5721
5722 if (!nla[NFTA_OBJ_TYPE] ||
5723 !nla[NFTA_OBJ_NAME] ||
5724 !nla[NFTA_OBJ_DATA])
5725 return -EINVAL;
5726
5727 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5728 if (IS_ERR(table)) {
5729 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5730 return PTR_ERR(table);
5731 }
5732
5733 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5734 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5735 if (IS_ERR(obj)) {
5736 err = PTR_ERR(obj);
5737 if (err != -ENOENT) {
5738 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5739 return err;
5740 }
5741 } else {
5742 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5743 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5744 return -EEXIST;
5745 }
5746 if (nlh->nlmsg_flags & NLM_F_REPLACE)
5747 return -EOPNOTSUPP;
5748
5749 type = __nft_obj_type_get(objtype);
5750 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5751
5752 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
5753 }
5754
5755 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5756
5757 type = nft_obj_type_get(net, objtype);
5758 if (IS_ERR(type))
5759 return PTR_ERR(type);
5760
5761 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
5762 if (IS_ERR(obj)) {
5763 err = PTR_ERR(obj);
5764 goto err1;
5765 }
5766 obj->key.table = table;
5767 obj->handle = nf_tables_alloc_handle(table);
5768
5769 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
5770 if (!obj->key.name) {
5771 err = -ENOMEM;
5772 goto err2;
5773 }
5774
5775 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
5776 if (err < 0)
5777 goto err3;
5778
5779 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
5780 nft_objname_ht_params);
5781 if (err < 0)
5782 goto err4;
5783
5784 list_add_tail_rcu(&obj->list, &table->objects);
5785 table->use++;
5786 return 0;
5787err4:
5788
5789 INIT_LIST_HEAD(&obj->list);
5790 return err;
5791err3:
5792 kfree(obj->key.name);
5793err2:
5794 if (obj->ops->destroy)
5795 obj->ops->destroy(&ctx, obj);
5796 kfree(obj);
5797err1:
5798 module_put(type->owner);
5799 return err;
5800}
5801
5802static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
5803 u32 portid, u32 seq, int event, u32 flags,
5804 int family, const struct nft_table *table,
5805 struct nft_object *obj, bool reset)
5806{
5807 struct nfgenmsg *nfmsg;
5808 struct nlmsghdr *nlh;
5809
5810 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5811 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5812 if (nlh == NULL)
5813 goto nla_put_failure;
5814
5815 nfmsg = nlmsg_data(nlh);
5816 nfmsg->nfgen_family = family;
5817 nfmsg->version = NFNETLINK_V0;
5818 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5819
5820 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
5821 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
5822 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
5823 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
5824 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
5825 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
5826 NFTA_OBJ_PAD))
5827 goto nla_put_failure;
5828
5829 nlmsg_end(skb, nlh);
5830 return 0;
5831
5832nla_put_failure:
5833 nlmsg_trim(skb, nlh);
5834 return -1;
5835}
5836
5837struct nft_obj_filter {
5838 char *table;
5839 u32 type;
5840};
5841
5842static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
5843{
5844 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5845 const struct nft_table *table;
5846 unsigned int idx = 0, s_idx = cb->args[0];
5847 struct nft_obj_filter *filter = cb->data;
5848 struct net *net = sock_net(skb->sk);
5849 int family = nfmsg->nfgen_family;
5850 struct nft_object *obj;
5851 bool reset = false;
5852
5853 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5854 reset = true;
5855
5856 rcu_read_lock();
5857 cb->seq = net->nft.base_seq;
5858
5859 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5860 if (family != NFPROTO_UNSPEC && family != table->family)
5861 continue;
5862
5863 list_for_each_entry_rcu(obj, &table->objects, list) {
5864 if (!nft_is_active(net, obj))
5865 goto cont;
5866 if (idx < s_idx)
5867 goto cont;
5868 if (idx > s_idx)
5869 memset(&cb->args[1], 0,
5870 sizeof(cb->args) - sizeof(cb->args[0]));
5871 if (filter && filter->table &&
5872 strcmp(filter->table, table->name))
5873 goto cont;
5874 if (filter &&
5875 filter->type != NFT_OBJECT_UNSPEC &&
5876 obj->ops->type->type != filter->type)
5877 goto cont;
5878
5879 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
5880 cb->nlh->nlmsg_seq,
5881 NFT_MSG_NEWOBJ,
5882 NLM_F_MULTI | NLM_F_APPEND,
5883 table->family, table,
5884 obj, reset) < 0)
5885 goto done;
5886
5887 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5888cont:
5889 idx++;
5890 }
5891 }
5892done:
5893 rcu_read_unlock();
5894
5895 cb->args[0] = idx;
5896 return skb->len;
5897}
5898
5899static int nf_tables_dump_obj_start(struct netlink_callback *cb)
5900{
5901 const struct nlattr * const *nla = cb->data;
5902 struct nft_obj_filter *filter = NULL;
5903
5904 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
5905 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5906 if (!filter)
5907 return -ENOMEM;
5908
5909 if (nla[NFTA_OBJ_TABLE]) {
5910 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
5911 if (!filter->table) {
5912 kfree(filter);
5913 return -ENOMEM;
5914 }
5915 }
5916
5917 if (nla[NFTA_OBJ_TYPE])
5918 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5919 }
5920
5921 cb->data = filter;
5922 return 0;
5923}
5924
5925static int nf_tables_dump_obj_done(struct netlink_callback *cb)
5926{
5927 struct nft_obj_filter *filter = cb->data;
5928
5929 if (filter) {
5930 kfree(filter->table);
5931 kfree(filter);
5932 }
5933
5934 return 0;
5935}
5936
5937
5938static int nf_tables_getobj(struct net *net, struct sock *nlsk,
5939 struct sk_buff *skb, const struct nlmsghdr *nlh,
5940 const struct nlattr * const nla[],
5941 struct netlink_ext_ack *extack)
5942{
5943 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5944 u8 genmask = nft_genmask_cur(net);
5945 int family = nfmsg->nfgen_family;
5946 const struct nft_table *table;
5947 struct nft_object *obj;
5948 struct sk_buff *skb2;
5949 bool reset = false;
5950 u32 objtype;
5951 int err;
5952
5953 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5954 struct netlink_dump_control c = {
5955 .start = nf_tables_dump_obj_start,
5956 .dump = nf_tables_dump_obj,
5957 .done = nf_tables_dump_obj_done,
5958 .module = THIS_MODULE,
5959 .data = (void *)nla,
5960 };
5961
5962 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5963 }
5964
5965 if (!nla[NFTA_OBJ_NAME] ||
5966 !nla[NFTA_OBJ_TYPE])
5967 return -EINVAL;
5968
5969 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5970 if (IS_ERR(table)) {
5971 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5972 return PTR_ERR(table);
5973 }
5974
5975 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5976 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5977 if (IS_ERR(obj)) {
5978 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5979 return PTR_ERR(obj);
5980 }
5981
5982 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5983 if (!skb2)
5984 return -ENOMEM;
5985
5986 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5987 reset = true;
5988
5989 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
5990 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
5991 family, table, obj, reset);
5992 if (err < 0)
5993 goto err;
5994
5995 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5996err:
5997 kfree_skb(skb2);
5998 return err;
5999}
6000
6001static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
6002{
6003 if (obj->ops->destroy)
6004 obj->ops->destroy(ctx, obj);
6005
6006 module_put(obj->ops->type->owner);
6007 kfree(obj->key.name);
6008 kfree(obj);
6009}
6010
6011static int nf_tables_delobj(struct net *net, struct sock *nlsk,
6012 struct sk_buff *skb, const struct nlmsghdr *nlh,
6013 const struct nlattr * const nla[],
6014 struct netlink_ext_ack *extack)
6015{
6016 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6017 u8 genmask = nft_genmask_next(net);
6018 int family = nfmsg->nfgen_family;
6019 const struct nlattr *attr;
6020 struct nft_table *table;
6021 struct nft_object *obj;
6022 struct nft_ctx ctx;
6023 u32 objtype;
6024
6025 if (!nla[NFTA_OBJ_TYPE] ||
6026 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
6027 return -EINVAL;
6028
6029 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
6030 if (IS_ERR(table)) {
6031 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6032 return PTR_ERR(table);
6033 }
6034
6035 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6036 if (nla[NFTA_OBJ_HANDLE]) {
6037 attr = nla[NFTA_OBJ_HANDLE];
6038 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
6039 } else {
6040 attr = nla[NFTA_OBJ_NAME];
6041 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
6042 }
6043
6044 if (IS_ERR(obj)) {
6045 NL_SET_BAD_ATTR(extack, attr);
6046 return PTR_ERR(obj);
6047 }
6048 if (obj->use > 0) {
6049 NL_SET_BAD_ATTR(extack, attr);
6050 return -EBUSY;
6051 }
6052
6053 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6054
6055 return nft_delobj(&ctx, obj);
6056}
6057
6058void nft_obj_notify(struct net *net, const struct nft_table *table,
6059 struct nft_object *obj, u32 portid, u32 seq, int event,
6060 int family, int report, gfp_t gfp)
6061{
6062 struct sk_buff *skb;
6063 int err;
6064
6065 if (!report &&
6066 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6067 return;
6068
6069 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
6070 if (skb == NULL)
6071 goto err;
6072
6073 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
6074 table, obj, false);
6075 if (err < 0) {
6076 kfree_skb(skb);
6077 goto err;
6078 }
6079
6080 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
6081 return;
6082err:
6083 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
6084}
6085EXPORT_SYMBOL_GPL(nft_obj_notify);
6086
6087static void nf_tables_obj_notify(const struct nft_ctx *ctx,
6088 struct nft_object *obj, int event)
6089{
6090 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
6091 ctx->family, ctx->report, GFP_KERNEL);
6092}
6093
6094
6095
6096
6097void nft_register_flowtable_type(struct nf_flowtable_type *type)
6098{
6099 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6100 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
6101 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6102}
6103EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
6104
6105void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
6106{
6107 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6108 list_del_rcu(&type->list);
6109 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6110}
6111EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
6112
6113static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
6114 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
6115 .len = NFT_NAME_MAXLEN - 1 },
6116 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
6117 .len = NFT_NAME_MAXLEN - 1 },
6118 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
6119 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
6120 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
6121};
6122
6123struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
6124 const struct nlattr *nla, u8 genmask)
6125{
6126 struct nft_flowtable *flowtable;
6127
6128 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6129 if (!nla_strcmp(nla, flowtable->name) &&
6130 nft_active_genmask(flowtable, genmask))
6131 return flowtable;
6132 }
6133 return ERR_PTR(-ENOENT);
6134}
6135EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
6136
6137void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
6138 struct nft_flowtable *flowtable,
6139 enum nft_trans_phase phase)
6140{
6141 switch (phase) {
6142 case NFT_TRANS_PREPARE:
6143 case NFT_TRANS_ABORT:
6144 case NFT_TRANS_RELEASE:
6145 flowtable->use--;
6146
6147 default:
6148 return;
6149 }
6150}
6151EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
6152
6153static struct nft_flowtable *
6154nft_flowtable_lookup_byhandle(const struct nft_table *table,
6155 const struct nlattr *nla, u8 genmask)
6156{
6157 struct nft_flowtable *flowtable;
6158
6159 list_for_each_entry(flowtable, &table->flowtables, list) {
6160 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
6161 nft_active_genmask(flowtable, genmask))
6162 return flowtable;
6163 }
6164 return ERR_PTR(-ENOENT);
6165}
6166
6167static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
6168 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
6169 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
6170 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
6171};
6172
6173static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
6174 const struct nlattr *attr,
6175 struct nft_flowtable *flowtable)
6176{
6177 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
6178 struct nft_hook *hook;
6179 int hooknum, priority;
6180 int err;
6181
6182 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
6183 nft_flowtable_hook_policy, NULL);
6184 if (err < 0)
6185 return err;
6186
6187 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
6188 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
6189 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
6190 return -EINVAL;
6191
6192 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
6193 if (hooknum != NF_NETDEV_INGRESS)
6194 return -EINVAL;
6195
6196 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
6197
6198 err = nf_tables_parse_netdev_hooks(ctx->net,
6199 tb[NFTA_FLOWTABLE_HOOK_DEVS],
6200 &flowtable->hook_list);
6201 if (err < 0)
6202 return err;
6203
6204 flowtable->hooknum = hooknum;
6205 flowtable->data.priority = priority;
6206
6207 list_for_each_entry(hook, &flowtable->hook_list, list) {
6208 hook->ops.pf = NFPROTO_NETDEV;
6209 hook->ops.hooknum = hooknum;
6210 hook->ops.priority = priority;
6211 hook->ops.priv = &flowtable->data;
6212 hook->ops.hook = flowtable->data.type->hook;
6213 }
6214
6215 return err;
6216}
6217
6218static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
6219{
6220 const struct nf_flowtable_type *type;
6221
6222 list_for_each_entry(type, &nf_tables_flowtables, list) {
6223 if (family == type->family)
6224 return type;
6225 }
6226 return NULL;
6227}
6228
6229static const struct nf_flowtable_type *
6230nft_flowtable_type_get(struct net *net, u8 family)
6231{
6232 const struct nf_flowtable_type *type;
6233
6234 type = __nft_flowtable_type_get(family);
6235 if (type != NULL && try_module_get(type->owner))
6236 return type;
6237
6238 lockdep_nfnl_nft_mutex_not_held();
6239#ifdef CONFIG_MODULES
6240 if (type == NULL) {
6241 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
6242 return ERR_PTR(-EAGAIN);
6243 }
6244#endif
6245 return ERR_PTR(-ENOENT);
6246}
6247
6248
6249static void nft_unregister_flowtable_hook(struct net *net,
6250 struct nft_flowtable *flowtable,
6251 struct nft_hook *hook)
6252{
6253 nf_unregister_net_hook(net, &hook->ops);
6254 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
6255 FLOW_BLOCK_UNBIND);
6256}
6257
6258static void nft_unregister_flowtable_net_hooks(struct net *net,
6259 struct nft_flowtable *flowtable)
6260{
6261 struct nft_hook *hook;
6262
6263 list_for_each_entry(hook, &flowtable->hook_list, list)
6264 nf_unregister_net_hook(net, &hook->ops);
6265}
6266
6267static int nft_register_flowtable_net_hooks(struct net *net,
6268 struct nft_table *table,
6269 struct nft_flowtable *flowtable)
6270{
6271 struct nft_hook *hook, *hook2, *next;
6272 struct nft_flowtable *ft;
6273 int err, i = 0;
6274
6275 list_for_each_entry(hook, &flowtable->hook_list, list) {
6276 list_for_each_entry(ft, &table->flowtables, list) {
6277 list_for_each_entry(hook2, &ft->hook_list, list) {
6278 if (hook->ops.dev == hook2->ops.dev &&
6279 hook->ops.pf == hook2->ops.pf) {
6280 err = -EBUSY;
6281 goto err_unregister_net_hooks;
6282 }
6283 }
6284 }
6285
6286 err = flowtable->data.type->setup(&flowtable->data,
6287 hook->ops.dev,
6288 FLOW_BLOCK_BIND);
6289 if (err < 0)
6290 goto err_unregister_net_hooks;
6291
6292 err = nf_register_net_hook(net, &hook->ops);
6293 if (err < 0) {
6294 flowtable->data.type->setup(&flowtable->data,
6295 hook->ops.dev,
6296 FLOW_BLOCK_UNBIND);
6297 goto err_unregister_net_hooks;
6298 }
6299
6300 i++;
6301 }
6302
6303 return 0;
6304
6305err_unregister_net_hooks:
6306 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6307 if (i-- <= 0)
6308 break;
6309
6310 nft_unregister_flowtable_hook(net, flowtable, hook);
6311 list_del_rcu(&hook->list);
6312 kfree_rcu(hook, rcu);
6313 }
6314
6315 return err;
6316}
6317
6318static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
6319 struct sk_buff *skb,
6320 const struct nlmsghdr *nlh,
6321 const struct nlattr * const nla[],
6322 struct netlink_ext_ack *extack)
6323{
6324 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6325 const struct nf_flowtable_type *type;
6326 u8 genmask = nft_genmask_next(net);
6327 int family = nfmsg->nfgen_family;
6328 struct nft_flowtable *flowtable;
6329 struct nft_hook *hook, *next;
6330 struct nft_table *table;
6331 struct nft_ctx ctx;
6332 int err;
6333
6334 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6335 !nla[NFTA_FLOWTABLE_NAME] ||
6336 !nla[NFTA_FLOWTABLE_HOOK])
6337 return -EINVAL;
6338
6339 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6340 genmask);
6341 if (IS_ERR(table)) {
6342 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6343 return PTR_ERR(table);
6344 }
6345
6346 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6347 genmask);
6348 if (IS_ERR(flowtable)) {
6349 err = PTR_ERR(flowtable);
6350 if (err != -ENOENT) {
6351 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6352 return err;
6353 }
6354 } else {
6355 if (nlh->nlmsg_flags & NLM_F_EXCL) {
6356 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6357 return -EEXIST;
6358 }
6359
6360 return 0;
6361 }
6362
6363 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6364
6365 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
6366 if (!flowtable)
6367 return -ENOMEM;
6368
6369 flowtable->table = table;
6370 flowtable->handle = nf_tables_alloc_handle(table);
6371 INIT_LIST_HEAD(&flowtable->hook_list);
6372
6373 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
6374 if (!flowtable->name) {
6375 err = -ENOMEM;
6376 goto err1;
6377 }
6378
6379 type = nft_flowtable_type_get(net, family);
6380 if (IS_ERR(type)) {
6381 err = PTR_ERR(type);
6382 goto err2;
6383 }
6384
6385 if (nla[NFTA_FLOWTABLE_FLAGS]) {
6386 flowtable->data.flags =
6387 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
6388 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK)
6389 goto err3;
6390 }
6391
6392 write_pnet(&flowtable->data.net, net);
6393 flowtable->data.type = type;
6394 err = type->init(&flowtable->data);
6395 if (err < 0)
6396 goto err3;
6397
6398 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
6399 flowtable);
6400 if (err < 0)
6401 goto err4;
6402
6403 err = nft_register_flowtable_net_hooks(ctx.net, table, flowtable);
6404 if (err < 0) {
6405 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6406 list_del_rcu(&hook->list);
6407 kfree_rcu(hook, rcu);
6408 }
6409 goto err4;
6410 }
6411
6412 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
6413 if (err < 0)
6414 goto err5;
6415
6416 list_add_tail_rcu(&flowtable->list, &table->flowtables);
6417 table->use++;
6418
6419 return 0;
6420err5:
6421 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6422 nft_unregister_flowtable_hook(net, flowtable, hook);
6423 list_del_rcu(&hook->list);
6424 kfree_rcu(hook, rcu);
6425 }
6426err4:
6427 flowtable->data.type->free(&flowtable->data);
6428err3:
6429 module_put(type->owner);
6430err2:
6431 kfree(flowtable->name);
6432err1:
6433 kfree(flowtable);
6434 return err;
6435}
6436
6437static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
6438 struct sk_buff *skb,
6439 const struct nlmsghdr *nlh,
6440 const struct nlattr * const nla[],
6441 struct netlink_ext_ack *extack)
6442{
6443 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6444 u8 genmask = nft_genmask_next(net);
6445 int family = nfmsg->nfgen_family;
6446 struct nft_flowtable *flowtable;
6447 const struct nlattr *attr;
6448 struct nft_table *table;
6449 struct nft_ctx ctx;
6450
6451 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6452 (!nla[NFTA_FLOWTABLE_NAME] &&
6453 !nla[NFTA_FLOWTABLE_HANDLE]))
6454 return -EINVAL;
6455
6456 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6457 genmask);
6458 if (IS_ERR(table)) {
6459 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6460 return PTR_ERR(table);
6461 }
6462
6463 if (nla[NFTA_FLOWTABLE_HANDLE]) {
6464 attr = nla[NFTA_FLOWTABLE_HANDLE];
6465 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
6466 } else {
6467 attr = nla[NFTA_FLOWTABLE_NAME];
6468 flowtable = nft_flowtable_lookup(table, attr, genmask);
6469 }
6470
6471 if (IS_ERR(flowtable)) {
6472 NL_SET_BAD_ATTR(extack, attr);
6473 return PTR_ERR(flowtable);
6474 }
6475 if (flowtable->use > 0) {
6476 NL_SET_BAD_ATTR(extack, attr);
6477 return -EBUSY;
6478 }
6479
6480 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6481
6482 return nft_delflowtable(&ctx, flowtable);
6483}
6484
6485static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
6486 u32 portid, u32 seq, int event,
6487 u32 flags, int family,
6488 struct nft_flowtable *flowtable)
6489{
6490 struct nlattr *nest, *nest_devs;
6491 struct nfgenmsg *nfmsg;
6492 struct nft_hook *hook;
6493 struct nlmsghdr *nlh;
6494
6495 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6496 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
6497 if (nlh == NULL)
6498 goto nla_put_failure;
6499
6500 nfmsg = nlmsg_data(nlh);
6501 nfmsg->nfgen_family = family;
6502 nfmsg->version = NFNETLINK_V0;
6503 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6504
6505 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
6506 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
6507 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
6508 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
6509 NFTA_FLOWTABLE_PAD) ||
6510 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
6511 goto nla_put_failure;
6512
6513 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
6514 if (!nest)
6515 goto nla_put_failure;
6516 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
6517 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
6518 goto nla_put_failure;
6519
6520 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
6521 if (!nest_devs)
6522 goto nla_put_failure;
6523
6524 list_for_each_entry_rcu(hook, &flowtable->hook_list, list) {
6525 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
6526 goto nla_put_failure;
6527 }
6528 nla_nest_end(skb, nest_devs);
6529 nla_nest_end(skb, nest);
6530
6531 nlmsg_end(skb, nlh);
6532 return 0;
6533
6534nla_put_failure:
6535 nlmsg_trim(skb, nlh);
6536 return -1;
6537}
6538
6539struct nft_flowtable_filter {
6540 char *table;
6541};
6542
6543static int nf_tables_dump_flowtable(struct sk_buff *skb,
6544 struct netlink_callback *cb)
6545{
6546 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6547 struct nft_flowtable_filter *filter = cb->data;
6548 unsigned int idx = 0, s_idx = cb->args[0];
6549 struct net *net = sock_net(skb->sk);
6550 int family = nfmsg->nfgen_family;
6551 struct nft_flowtable *flowtable;
6552 const struct nft_table *table;
6553
6554 rcu_read_lock();
6555 cb->seq = net->nft.base_seq;
6556
6557 list_for_each_entry_rcu(table, &net->nft.tables, list) {
6558 if (family != NFPROTO_UNSPEC && family != table->family)
6559 continue;
6560
6561 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6562 if (!nft_is_active(net, flowtable))
6563 goto cont;
6564 if (idx < s_idx)
6565 goto cont;
6566 if (idx > s_idx)
6567 memset(&cb->args[1], 0,
6568 sizeof(cb->args) - sizeof(cb->args[0]));
6569 if (filter && filter->table &&
6570 strcmp(filter->table, table->name))
6571 goto cont;
6572
6573 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
6574 cb->nlh->nlmsg_seq,
6575 NFT_MSG_NEWFLOWTABLE,
6576 NLM_F_MULTI | NLM_F_APPEND,
6577 table->family, flowtable) < 0)
6578 goto done;
6579
6580 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6581cont:
6582 idx++;
6583 }
6584 }
6585done:
6586 rcu_read_unlock();
6587
6588 cb->args[0] = idx;
6589 return skb->len;
6590}
6591
6592static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
6593{
6594 const struct nlattr * const *nla = cb->data;
6595 struct nft_flowtable_filter *filter = NULL;
6596
6597 if (nla[NFTA_FLOWTABLE_TABLE]) {
6598 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6599 if (!filter)
6600 return -ENOMEM;
6601
6602 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
6603 GFP_ATOMIC);
6604 if (!filter->table) {
6605 kfree(filter);
6606 return -ENOMEM;
6607 }
6608 }
6609
6610 cb->data = filter;
6611 return 0;
6612}
6613
6614static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
6615{
6616 struct nft_flowtable_filter *filter = cb->data;
6617
6618 if (!filter)
6619 return 0;
6620
6621 kfree(filter->table);
6622 kfree(filter);
6623
6624 return 0;
6625}
6626
6627
6628static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
6629 struct sk_buff *skb,
6630 const struct nlmsghdr *nlh,
6631 const struct nlattr * const nla[],
6632 struct netlink_ext_ack *extack)
6633{
6634 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6635 u8 genmask = nft_genmask_cur(net);
6636 int family = nfmsg->nfgen_family;
6637 struct nft_flowtable *flowtable;
6638 const struct nft_table *table;
6639 struct sk_buff *skb2;
6640 int err;
6641
6642 if (nlh->nlmsg_flags & NLM_F_DUMP) {
6643 struct netlink_dump_control c = {
6644 .start = nf_tables_dump_flowtable_start,
6645 .dump = nf_tables_dump_flowtable,
6646 .done = nf_tables_dump_flowtable_done,
6647 .module = THIS_MODULE,
6648 .data = (void *)nla,
6649 };
6650
6651 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
6652 }
6653
6654 if (!nla[NFTA_FLOWTABLE_NAME])
6655 return -EINVAL;
6656
6657 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6658 genmask);
6659 if (IS_ERR(table))
6660 return PTR_ERR(table);
6661
6662 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6663 genmask);
6664 if (IS_ERR(flowtable))
6665 return PTR_ERR(flowtable);
6666
6667 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6668 if (!skb2)
6669 return -ENOMEM;
6670
6671 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
6672 nlh->nlmsg_seq,
6673 NFT_MSG_NEWFLOWTABLE, 0, family,
6674 flowtable);
6675 if (err < 0)
6676 goto err;
6677
6678 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6679err:
6680 kfree_skb(skb2);
6681 return err;
6682}
6683
6684static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
6685 struct nft_flowtable *flowtable,
6686 int event)
6687{
6688 struct sk_buff *skb;
6689 int err;
6690
6691 if (ctx->report &&
6692 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
6693 return;
6694
6695 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6696 if (skb == NULL)
6697 goto err;
6698
6699 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
6700 ctx->seq, event, 0,
6701 ctx->family, flowtable);
6702 if (err < 0) {
6703 kfree_skb(skb);
6704 goto err;
6705 }
6706
6707 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
6708 ctx->report, GFP_KERNEL);
6709 return;
6710err:
6711 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
6712}
6713
6714static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
6715{
6716 struct nft_hook *hook, *next;
6717
6718 flowtable->data.type->free(&flowtable->data);
6719 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6720 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
6721 FLOW_BLOCK_UNBIND);
6722 list_del_rcu(&hook->list);
6723 kfree(hook);
6724 }
6725 kfree(flowtable->name);
6726 module_put(flowtable->data.type->owner);
6727 kfree(flowtable);
6728}
6729
6730static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
6731 u32 portid, u32 seq)
6732{
6733 struct nlmsghdr *nlh;
6734 struct nfgenmsg *nfmsg;
6735 char buf[TASK_COMM_LEN];
6736 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
6737
6738 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
6739 if (nlh == NULL)
6740 goto nla_put_failure;
6741
6742 nfmsg = nlmsg_data(nlh);
6743 nfmsg->nfgen_family = AF_UNSPEC;
6744 nfmsg->version = NFNETLINK_V0;
6745 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6746
6747 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
6748 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
6749 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
6750 goto nla_put_failure;
6751
6752 nlmsg_end(skb, nlh);
6753 return 0;
6754
6755nla_put_failure:
6756 nlmsg_trim(skb, nlh);
6757 return -EMSGSIZE;
6758}
6759
6760static void nft_flowtable_event(unsigned long event, struct net_device *dev,
6761 struct nft_flowtable *flowtable)
6762{
6763 struct nft_hook *hook;
6764
6765 list_for_each_entry(hook, &flowtable->hook_list, list) {
6766 if (hook->ops.dev != dev)
6767 continue;
6768
6769
6770 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
6771 list_del_rcu(&hook->list);
6772 kfree_rcu(hook, rcu);
6773 break;
6774 }
6775}
6776
6777static int nf_tables_flowtable_event(struct notifier_block *this,
6778 unsigned long event, void *ptr)
6779{
6780 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
6781 struct nft_flowtable *flowtable;
6782 struct nft_table *table;
6783 struct net *net;
6784
6785 if (event != NETDEV_UNREGISTER)
6786 return 0;
6787
6788 net = dev_net(dev);
6789 mutex_lock(&net->nft.commit_mutex);
6790 list_for_each_entry(table, &net->nft.tables, list) {
6791 list_for_each_entry(flowtable, &table->flowtables, list) {
6792 nft_flowtable_event(event, dev, flowtable);
6793 }
6794 }
6795 mutex_unlock(&net->nft.commit_mutex);
6796
6797 return NOTIFY_DONE;
6798}
6799
6800static struct notifier_block nf_tables_flowtable_notifier = {
6801 .notifier_call = nf_tables_flowtable_event,
6802};
6803
6804static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
6805 int event)
6806{
6807 struct nlmsghdr *nlh = nlmsg_hdr(skb);
6808 struct sk_buff *skb2;
6809 int err;
6810
6811 if (nlmsg_report(nlh) &&
6812 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6813 return;
6814
6815 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6816 if (skb2 == NULL)
6817 goto err;
6818
6819 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6820 nlh->nlmsg_seq);
6821 if (err < 0) {
6822 kfree_skb(skb2);
6823 goto err;
6824 }
6825
6826 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6827 nlmsg_report(nlh), GFP_KERNEL);
6828 return;
6829err:
6830 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6831 -ENOBUFS);
6832}
6833
6834static int nf_tables_getgen(struct net *net, struct sock *nlsk,
6835 struct sk_buff *skb, const struct nlmsghdr *nlh,
6836 const struct nlattr * const nla[],
6837 struct netlink_ext_ack *extack)
6838{
6839 struct sk_buff *skb2;
6840 int err;
6841
6842 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6843 if (skb2 == NULL)
6844 return -ENOMEM;
6845
6846 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6847 nlh->nlmsg_seq);
6848 if (err < 0)
6849 goto err;
6850
6851 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6852err:
6853 kfree_skb(skb2);
6854 return err;
6855}
6856
6857static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
6858 [NFT_MSG_NEWTABLE] = {
6859 .call_batch = nf_tables_newtable,
6860 .attr_count = NFTA_TABLE_MAX,
6861 .policy = nft_table_policy,
6862 },
6863 [NFT_MSG_GETTABLE] = {
6864 .call_rcu = nf_tables_gettable,
6865 .attr_count = NFTA_TABLE_MAX,
6866 .policy = nft_table_policy,
6867 },
6868 [NFT_MSG_DELTABLE] = {
6869 .call_batch = nf_tables_deltable,
6870 .attr_count = NFTA_TABLE_MAX,
6871 .policy = nft_table_policy,
6872 },
6873 [NFT_MSG_NEWCHAIN] = {
6874 .call_batch = nf_tables_newchain,
6875 .attr_count = NFTA_CHAIN_MAX,
6876 .policy = nft_chain_policy,
6877 },
6878 [NFT_MSG_GETCHAIN] = {
6879 .call_rcu = nf_tables_getchain,
6880 .attr_count = NFTA_CHAIN_MAX,
6881 .policy = nft_chain_policy,
6882 },
6883 [NFT_MSG_DELCHAIN] = {
6884 .call_batch = nf_tables_delchain,
6885 .attr_count = NFTA_CHAIN_MAX,
6886 .policy = nft_chain_policy,
6887 },
6888 [NFT_MSG_NEWRULE] = {
6889 .call_batch = nf_tables_newrule,
6890 .attr_count = NFTA_RULE_MAX,
6891 .policy = nft_rule_policy,
6892 },
6893 [NFT_MSG_GETRULE] = {
6894 .call_rcu = nf_tables_getrule,
6895 .attr_count = NFTA_RULE_MAX,
6896 .policy = nft_rule_policy,
6897 },
6898 [NFT_MSG_DELRULE] = {
6899 .call_batch = nf_tables_delrule,
6900 .attr_count = NFTA_RULE_MAX,
6901 .policy = nft_rule_policy,
6902 },
6903 [NFT_MSG_NEWSET] = {
6904 .call_batch = nf_tables_newset,
6905 .attr_count = NFTA_SET_MAX,
6906 .policy = nft_set_policy,
6907 },
6908 [NFT_MSG_GETSET] = {
6909 .call_rcu = nf_tables_getset,
6910 .attr_count = NFTA_SET_MAX,
6911 .policy = nft_set_policy,
6912 },
6913 [NFT_MSG_DELSET] = {
6914 .call_batch = nf_tables_delset,
6915 .attr_count = NFTA_SET_MAX,
6916 .policy = nft_set_policy,
6917 },
6918 [NFT_MSG_NEWSETELEM] = {
6919 .call_batch = nf_tables_newsetelem,
6920 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6921 .policy = nft_set_elem_list_policy,
6922 },
6923 [NFT_MSG_GETSETELEM] = {
6924 .call_rcu = nf_tables_getsetelem,
6925 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6926 .policy = nft_set_elem_list_policy,
6927 },
6928 [NFT_MSG_DELSETELEM] = {
6929 .call_batch = nf_tables_delsetelem,
6930 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6931 .policy = nft_set_elem_list_policy,
6932 },
6933 [NFT_MSG_GETGEN] = {
6934 .call_rcu = nf_tables_getgen,
6935 },
6936 [NFT_MSG_NEWOBJ] = {
6937 .call_batch = nf_tables_newobj,
6938 .attr_count = NFTA_OBJ_MAX,
6939 .policy = nft_obj_policy,
6940 },
6941 [NFT_MSG_GETOBJ] = {
6942 .call_rcu = nf_tables_getobj,
6943 .attr_count = NFTA_OBJ_MAX,
6944 .policy = nft_obj_policy,
6945 },
6946 [NFT_MSG_DELOBJ] = {
6947 .call_batch = nf_tables_delobj,
6948 .attr_count = NFTA_OBJ_MAX,
6949 .policy = nft_obj_policy,
6950 },
6951 [NFT_MSG_GETOBJ_RESET] = {
6952 .call_rcu = nf_tables_getobj,
6953 .attr_count = NFTA_OBJ_MAX,
6954 .policy = nft_obj_policy,
6955 },
6956 [NFT_MSG_NEWFLOWTABLE] = {
6957 .call_batch = nf_tables_newflowtable,
6958 .attr_count = NFTA_FLOWTABLE_MAX,
6959 .policy = nft_flowtable_policy,
6960 },
6961 [NFT_MSG_GETFLOWTABLE] = {
6962 .call_rcu = nf_tables_getflowtable,
6963 .attr_count = NFTA_FLOWTABLE_MAX,
6964 .policy = nft_flowtable_policy,
6965 },
6966 [NFT_MSG_DELFLOWTABLE] = {
6967 .call_batch = nf_tables_delflowtable,
6968 .attr_count = NFTA_FLOWTABLE_MAX,
6969 .policy = nft_flowtable_policy,
6970 },
6971};
6972
6973static int nf_tables_validate(struct net *net)
6974{
6975 struct nft_table *table;
6976
6977 switch (net->nft.validate_state) {
6978 case NFT_VALIDATE_SKIP:
6979 break;
6980 case NFT_VALIDATE_NEED:
6981 nft_validate_state_update(net, NFT_VALIDATE_DO);
6982
6983 case NFT_VALIDATE_DO:
6984 list_for_each_entry(table, &net->nft.tables, list) {
6985 if (nft_table_validate(net, table) < 0)
6986 return -EAGAIN;
6987 }
6988 break;
6989 }
6990
6991 return 0;
6992}
6993
6994
6995
6996
6997
6998
6999
7000
7001static void nft_chain_commit_drop_policy(struct nft_trans *trans)
7002{
7003 struct nft_base_chain *basechain;
7004
7005 if (nft_trans_chain_policy(trans) != NF_DROP)
7006 return;
7007
7008 if (!nft_is_base_chain(trans->ctx.chain))
7009 return;
7010
7011 basechain = nft_base_chain(trans->ctx.chain);
7012 basechain->policy = NF_DROP;
7013}
7014
7015static void nft_chain_commit_update(struct nft_trans *trans)
7016{
7017 struct nft_base_chain *basechain;
7018
7019 if (nft_trans_chain_name(trans)) {
7020 rhltable_remove(&trans->ctx.table->chains_ht,
7021 &trans->ctx.chain->rhlhead,
7022 nft_chain_ht_params);
7023 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
7024 rhltable_insert_key(&trans->ctx.table->chains_ht,
7025 trans->ctx.chain->name,
7026 &trans->ctx.chain->rhlhead,
7027 nft_chain_ht_params);
7028 }
7029
7030 if (!nft_is_base_chain(trans->ctx.chain))
7031 return;
7032
7033 nft_chain_stats_replace(trans);
7034
7035 basechain = nft_base_chain(trans->ctx.chain);
7036
7037 switch (nft_trans_chain_policy(trans)) {
7038 case NF_DROP:
7039 case NF_ACCEPT:
7040 basechain->policy = nft_trans_chain_policy(trans);
7041 break;
7042 }
7043}
7044
7045static void nft_obj_commit_update(struct nft_trans *trans)
7046{
7047 struct nft_object *newobj;
7048 struct nft_object *obj;
7049
7050 obj = nft_trans_obj(trans);
7051 newobj = nft_trans_obj_newobj(trans);
7052
7053 if (obj->ops->update)
7054 obj->ops->update(obj, newobj);
7055
7056 kfree(newobj);
7057}
7058
7059static void nft_commit_release(struct nft_trans *trans)
7060{
7061 switch (trans->msg_type) {
7062 case NFT_MSG_DELTABLE:
7063 nf_tables_table_destroy(&trans->ctx);
7064 break;
7065 case NFT_MSG_NEWCHAIN:
7066 free_percpu(nft_trans_chain_stats(trans));
7067 kfree(nft_trans_chain_name(trans));
7068 break;
7069 case NFT_MSG_DELCHAIN:
7070 nf_tables_chain_destroy(&trans->ctx);
7071 break;
7072 case NFT_MSG_DELRULE:
7073 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
7074 break;
7075 case NFT_MSG_DELSET:
7076 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
7077 break;
7078 case NFT_MSG_DELSETELEM:
7079 nf_tables_set_elem_destroy(&trans->ctx,
7080 nft_trans_elem_set(trans),
7081 nft_trans_elem(trans).priv);
7082 break;
7083 case NFT_MSG_DELOBJ:
7084 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
7085 break;
7086 case NFT_MSG_DELFLOWTABLE:
7087 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
7088 break;
7089 }
7090
7091 if (trans->put_net)
7092 put_net(trans->ctx.net);
7093
7094 kfree(trans);
7095}
7096
7097static void nf_tables_trans_destroy_work(struct work_struct *w)
7098{
7099 struct nft_trans *trans, *next;
7100 LIST_HEAD(head);
7101
7102 spin_lock(&nf_tables_destroy_list_lock);
7103 list_splice_init(&nf_tables_destroy_list, &head);
7104 spin_unlock(&nf_tables_destroy_list_lock);
7105
7106 if (list_empty(&head))
7107 return;
7108
7109 synchronize_rcu();
7110
7111 list_for_each_entry_safe(trans, next, &head, list) {
7112 list_del(&trans->list);
7113 nft_commit_release(trans);
7114 }
7115}
7116
7117static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
7118{
7119 struct nft_rule *rule;
7120 unsigned int alloc = 0;
7121 int i;
7122
7123
7124 if (chain->rules_next || !nft_is_active_next(net, chain))
7125 return 0;
7126
7127 rule = list_entry(&chain->rules, struct nft_rule, list);
7128 i = 0;
7129
7130 list_for_each_entry_continue(rule, &chain->rules, list) {
7131 if (nft_is_active_next(net, rule))
7132 alloc++;
7133 }
7134
7135 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
7136 if (!chain->rules_next)
7137 return -ENOMEM;
7138
7139 list_for_each_entry_continue(rule, &chain->rules, list) {
7140 if (nft_is_active_next(net, rule))
7141 chain->rules_next[i++] = rule;
7142 }
7143
7144 chain->rules_next[i] = NULL;
7145 return 0;
7146}
7147
7148static void nf_tables_commit_chain_prepare_cancel(struct net *net)
7149{
7150 struct nft_trans *trans, *next;
7151
7152 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7153 struct nft_chain *chain = trans->ctx.chain;
7154
7155 if (trans->msg_type == NFT_MSG_NEWRULE ||
7156 trans->msg_type == NFT_MSG_DELRULE) {
7157 kvfree(chain->rules_next);
7158 chain->rules_next = NULL;
7159 }
7160 }
7161}
7162
7163static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
7164{
7165 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
7166
7167 kvfree(o->start);
7168}
7169
7170static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
7171{
7172 struct nft_rule **r = rules;
7173 struct nft_rules_old *old;
7174
7175 while (*r)
7176 r++;
7177
7178 r++;
7179 old = (void *) r;
7180 old->start = rules;
7181
7182 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
7183}
7184
7185static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
7186{
7187 struct nft_rule **g0, **g1;
7188 bool next_genbit;
7189
7190 next_genbit = nft_gencursor_next(net);
7191
7192 g0 = rcu_dereference_protected(chain->rules_gen_0,
7193 lockdep_commit_lock_is_held(net));
7194 g1 = rcu_dereference_protected(chain->rules_gen_1,
7195 lockdep_commit_lock_is_held(net));
7196
7197
7198 if (chain->rules_next == NULL) {
7199
7200 if (g0 == g1)
7201 return;
7202
7203
7204
7205
7206 if (next_genbit) {
7207 rcu_assign_pointer(chain->rules_gen_1, g0);
7208 nf_tables_commit_chain_free_rules_old(g1);
7209 } else {
7210 rcu_assign_pointer(chain->rules_gen_0, g1);
7211 nf_tables_commit_chain_free_rules_old(g0);
7212 }
7213
7214 return;
7215 }
7216
7217 if (next_genbit)
7218 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
7219 else
7220 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
7221
7222 chain->rules_next = NULL;
7223
7224 if (g0 == g1)
7225 return;
7226
7227 if (next_genbit)
7228 nf_tables_commit_chain_free_rules_old(g1);
7229 else
7230 nf_tables_commit_chain_free_rules_old(g0);
7231}
7232
7233static void nft_obj_del(struct nft_object *obj)
7234{
7235 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
7236 list_del_rcu(&obj->list);
7237}
7238
7239static void nft_chain_del(struct nft_chain *chain)
7240{
7241 struct nft_table *table = chain->table;
7242
7243 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
7244 nft_chain_ht_params));
7245 list_del_rcu(&chain->list);
7246}
7247
7248static void nf_tables_module_autoload_cleanup(struct net *net)
7249{
7250 struct nft_module_request *req, *next;
7251
7252 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
7253 list_for_each_entry_safe(req, next, &net->nft.module_list, list) {
7254 WARN_ON_ONCE(!req->done);
7255 list_del(&req->list);
7256 kfree(req);
7257 }
7258}
7259
7260static void nf_tables_commit_release(struct net *net)
7261{
7262 struct nft_trans *trans;
7263
7264
7265
7266
7267
7268
7269
7270
7271 if (list_empty(&net->nft.commit_list)) {
7272 nf_tables_module_autoload_cleanup(net);
7273 mutex_unlock(&net->nft.commit_mutex);
7274 return;
7275 }
7276
7277 trans = list_last_entry(&net->nft.commit_list,
7278 struct nft_trans, list);
7279 get_net(trans->ctx.net);
7280 WARN_ON_ONCE(trans->put_net);
7281
7282 trans->put_net = true;
7283 spin_lock(&nf_tables_destroy_list_lock);
7284 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
7285 spin_unlock(&nf_tables_destroy_list_lock);
7286
7287 nf_tables_module_autoload_cleanup(net);
7288 mutex_unlock(&net->nft.commit_mutex);
7289
7290 schedule_work(&trans_destroy_work);
7291}
7292
7293static int nf_tables_commit(struct net *net, struct sk_buff *skb)
7294{
7295 struct nft_trans *trans, *next;
7296 struct nft_trans_elem *te;
7297 struct nft_chain *chain;
7298 struct nft_table *table;
7299 int err;
7300
7301 if (list_empty(&net->nft.commit_list)) {
7302 mutex_unlock(&net->nft.commit_mutex);
7303 return 0;
7304 }
7305
7306
7307 if (nf_tables_validate(net) < 0)
7308 return -EAGAIN;
7309
7310 err = nft_flow_rule_offload_commit(net);
7311 if (err < 0)
7312 return err;
7313
7314
7315 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7316 int ret;
7317
7318 if (trans->msg_type == NFT_MSG_NEWRULE ||
7319 trans->msg_type == NFT_MSG_DELRULE) {
7320 chain = trans->ctx.chain;
7321
7322 ret = nf_tables_commit_chain_prepare(net, chain);
7323 if (ret < 0) {
7324 nf_tables_commit_chain_prepare_cancel(net);
7325 return ret;
7326 }
7327 }
7328 }
7329
7330
7331 list_for_each_entry(table, &net->nft.tables, list) {
7332 list_for_each_entry(chain, &table->chains, list)
7333 nf_tables_commit_chain(net, chain);
7334 }
7335
7336
7337
7338
7339
7340 while (++net->nft.base_seq == 0);
7341
7342
7343 net->nft.gencursor = nft_gencursor_next(net);
7344
7345 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7346 switch (trans->msg_type) {
7347 case NFT_MSG_NEWTABLE:
7348 if (nft_trans_table_update(trans)) {
7349 if (!nft_trans_table_enable(trans)) {
7350 nf_tables_table_disable(net,
7351 trans->ctx.table);
7352 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
7353 }
7354 } else {
7355 nft_clear(net, trans->ctx.table);
7356 }
7357 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
7358 nft_trans_destroy(trans);
7359 break;
7360 case NFT_MSG_DELTABLE:
7361 list_del_rcu(&trans->ctx.table->list);
7362 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
7363 break;
7364 case NFT_MSG_NEWCHAIN:
7365 if (nft_trans_chain_update(trans)) {
7366 nft_chain_commit_update(trans);
7367 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
7368
7369 } else {
7370 nft_chain_commit_drop_policy(trans);
7371 nft_clear(net, trans->ctx.chain);
7372 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
7373 nft_trans_destroy(trans);
7374 }
7375 break;
7376 case NFT_MSG_DELCHAIN:
7377 nft_chain_del(trans->ctx.chain);
7378 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
7379 nf_tables_unregister_hook(trans->ctx.net,
7380 trans->ctx.table,
7381 trans->ctx.chain);
7382 break;
7383 case NFT_MSG_NEWRULE:
7384 nft_clear(trans->ctx.net, nft_trans_rule(trans));
7385 nf_tables_rule_notify(&trans->ctx,
7386 nft_trans_rule(trans),
7387 NFT_MSG_NEWRULE);
7388 nft_trans_destroy(trans);
7389 break;
7390 case NFT_MSG_DELRULE:
7391 list_del_rcu(&nft_trans_rule(trans)->list);
7392 nf_tables_rule_notify(&trans->ctx,
7393 nft_trans_rule(trans),
7394 NFT_MSG_DELRULE);
7395 nft_rule_expr_deactivate(&trans->ctx,
7396 nft_trans_rule(trans),
7397 NFT_TRANS_COMMIT);
7398 break;
7399 case NFT_MSG_NEWSET:
7400 nft_clear(net, nft_trans_set(trans));
7401
7402
7403
7404 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
7405 !list_empty(&nft_trans_set(trans)->bindings))
7406 trans->ctx.table->use--;
7407
7408 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
7409 NFT_MSG_NEWSET, GFP_KERNEL);
7410 nft_trans_destroy(trans);
7411 break;
7412 case NFT_MSG_DELSET:
7413 list_del_rcu(&nft_trans_set(trans)->list);
7414 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
7415 NFT_MSG_DELSET, GFP_KERNEL);
7416 break;
7417 case NFT_MSG_NEWSETELEM:
7418 te = (struct nft_trans_elem *)trans->data;
7419
7420 te->set->ops->activate(net, te->set, &te->elem);
7421 nf_tables_setelem_notify(&trans->ctx, te->set,
7422 &te->elem,
7423 NFT_MSG_NEWSETELEM, 0);
7424 nft_trans_destroy(trans);
7425 break;
7426 case NFT_MSG_DELSETELEM:
7427 te = (struct nft_trans_elem *)trans->data;
7428
7429 nf_tables_setelem_notify(&trans->ctx, te->set,
7430 &te->elem,
7431 NFT_MSG_DELSETELEM, 0);
7432 te->set->ops->remove(net, te->set, &te->elem);
7433 atomic_dec(&te->set->nelems);
7434 te->set->ndeact--;
7435 break;
7436 case NFT_MSG_NEWOBJ:
7437 if (nft_trans_obj_update(trans)) {
7438 nft_obj_commit_update(trans);
7439 nf_tables_obj_notify(&trans->ctx,
7440 nft_trans_obj(trans),
7441 NFT_MSG_NEWOBJ);
7442 } else {
7443 nft_clear(net, nft_trans_obj(trans));
7444 nf_tables_obj_notify(&trans->ctx,
7445 nft_trans_obj(trans),
7446 NFT_MSG_NEWOBJ);
7447 nft_trans_destroy(trans);
7448 }
7449 break;
7450 case NFT_MSG_DELOBJ:
7451 nft_obj_del(nft_trans_obj(trans));
7452 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
7453 NFT_MSG_DELOBJ);
7454 break;
7455 case NFT_MSG_NEWFLOWTABLE:
7456 nft_clear(net, nft_trans_flowtable(trans));
7457 nf_tables_flowtable_notify(&trans->ctx,
7458 nft_trans_flowtable(trans),
7459 NFT_MSG_NEWFLOWTABLE);
7460 nft_trans_destroy(trans);
7461 break;
7462 case NFT_MSG_DELFLOWTABLE:
7463 list_del_rcu(&nft_trans_flowtable(trans)->list);
7464 nf_tables_flowtable_notify(&trans->ctx,
7465 nft_trans_flowtable(trans),
7466 NFT_MSG_DELFLOWTABLE);
7467 nft_unregister_flowtable_net_hooks(net,
7468 nft_trans_flowtable(trans));
7469 break;
7470 }
7471 }
7472
7473 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
7474 nf_tables_commit_release(net);
7475
7476 return 0;
7477}
7478
7479static void nf_tables_module_autoload(struct net *net)
7480{
7481 struct nft_module_request *req, *next;
7482 LIST_HEAD(module_list);
7483
7484 list_splice_init(&net->nft.module_list, &module_list);
7485 mutex_unlock(&net->nft.commit_mutex);
7486 list_for_each_entry_safe(req, next, &module_list, list) {
7487 request_module("%s", req->module);
7488 req->done = true;
7489 }
7490 mutex_lock(&net->nft.commit_mutex);
7491 list_splice(&module_list, &net->nft.module_list);
7492}
7493
7494static void nf_tables_abort_release(struct nft_trans *trans)
7495{
7496 switch (trans->msg_type) {
7497 case NFT_MSG_NEWTABLE:
7498 nf_tables_table_destroy(&trans->ctx);
7499 break;
7500 case NFT_MSG_NEWCHAIN:
7501 nf_tables_chain_destroy(&trans->ctx);
7502 break;
7503 case NFT_MSG_NEWRULE:
7504 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
7505 break;
7506 case NFT_MSG_NEWSET:
7507 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
7508 break;
7509 case NFT_MSG_NEWSETELEM:
7510 nft_set_elem_destroy(nft_trans_elem_set(trans),
7511 nft_trans_elem(trans).priv, true);
7512 break;
7513 case NFT_MSG_NEWOBJ:
7514 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
7515 break;
7516 case NFT_MSG_NEWFLOWTABLE:
7517 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
7518 break;
7519 }
7520 kfree(trans);
7521}
7522
7523static int __nf_tables_abort(struct net *net, bool autoload)
7524{
7525 struct nft_trans *trans, *next;
7526 struct nft_trans_elem *te;
7527
7528 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
7529 list) {
7530 switch (trans->msg_type) {
7531 case NFT_MSG_NEWTABLE:
7532 if (nft_trans_table_update(trans)) {
7533 if (nft_trans_table_enable(trans)) {
7534 nf_tables_table_disable(net,
7535 trans->ctx.table);
7536 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
7537 }
7538 nft_trans_destroy(trans);
7539 } else {
7540 list_del_rcu(&trans->ctx.table->list);
7541 }
7542 break;
7543 case NFT_MSG_DELTABLE:
7544 nft_clear(trans->ctx.net, trans->ctx.table);
7545 nft_trans_destroy(trans);
7546 break;
7547 case NFT_MSG_NEWCHAIN:
7548 if (nft_trans_chain_update(trans)) {
7549 free_percpu(nft_trans_chain_stats(trans));
7550 kfree(nft_trans_chain_name(trans));
7551 nft_trans_destroy(trans);
7552 } else {
7553 trans->ctx.table->use--;
7554 nft_chain_del(trans->ctx.chain);
7555 nf_tables_unregister_hook(trans->ctx.net,
7556 trans->ctx.table,
7557 trans->ctx.chain);
7558 }
7559 break;
7560 case NFT_MSG_DELCHAIN:
7561 trans->ctx.table->use++;
7562 nft_clear(trans->ctx.net, trans->ctx.chain);
7563 nft_trans_destroy(trans);
7564 break;
7565 case NFT_MSG_NEWRULE:
7566 trans->ctx.chain->use--;
7567 list_del_rcu(&nft_trans_rule(trans)->list);
7568 nft_rule_expr_deactivate(&trans->ctx,
7569 nft_trans_rule(trans),
7570 NFT_TRANS_ABORT);
7571 break;
7572 case NFT_MSG_DELRULE:
7573 trans->ctx.chain->use++;
7574 nft_clear(trans->ctx.net, nft_trans_rule(trans));
7575 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
7576 nft_trans_destroy(trans);
7577 break;
7578 case NFT_MSG_NEWSET:
7579 trans->ctx.table->use--;
7580 if (nft_trans_set_bound(trans)) {
7581 nft_trans_destroy(trans);
7582 break;
7583 }
7584 list_del_rcu(&nft_trans_set(trans)->list);
7585 break;
7586 case NFT_MSG_DELSET:
7587 trans->ctx.table->use++;
7588 nft_clear(trans->ctx.net, nft_trans_set(trans));
7589 nft_trans_destroy(trans);
7590 break;
7591 case NFT_MSG_NEWSETELEM:
7592 if (nft_trans_elem_set_bound(trans)) {
7593 nft_trans_destroy(trans);
7594 break;
7595 }
7596 te = (struct nft_trans_elem *)trans->data;
7597 te->set->ops->remove(net, te->set, &te->elem);
7598 atomic_dec(&te->set->nelems);
7599 break;
7600 case NFT_MSG_DELSETELEM:
7601 te = (struct nft_trans_elem *)trans->data;
7602
7603 nft_set_elem_activate(net, te->set, &te->elem);
7604 te->set->ops->activate(net, te->set, &te->elem);
7605 te->set->ndeact--;
7606
7607 nft_trans_destroy(trans);
7608 break;
7609 case NFT_MSG_NEWOBJ:
7610 if (nft_trans_obj_update(trans)) {
7611 kfree(nft_trans_obj_newobj(trans));
7612 nft_trans_destroy(trans);
7613 } else {
7614 trans->ctx.table->use--;
7615 nft_obj_del(nft_trans_obj(trans));
7616 }
7617 break;
7618 case NFT_MSG_DELOBJ:
7619 trans->ctx.table->use++;
7620 nft_clear(trans->ctx.net, nft_trans_obj(trans));
7621 nft_trans_destroy(trans);
7622 break;
7623 case NFT_MSG_NEWFLOWTABLE:
7624 trans->ctx.table->use--;
7625 list_del_rcu(&nft_trans_flowtable(trans)->list);
7626 nft_unregister_flowtable_net_hooks(net,
7627 nft_trans_flowtable(trans));
7628 break;
7629 case NFT_MSG_DELFLOWTABLE:
7630 trans->ctx.table->use++;
7631 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
7632 nft_trans_destroy(trans);
7633 break;
7634 }
7635 }
7636
7637 synchronize_rcu();
7638
7639 list_for_each_entry_safe_reverse(trans, next,
7640 &net->nft.commit_list, list) {
7641 list_del(&trans->list);
7642 nf_tables_abort_release(trans);
7643 }
7644
7645 if (autoload)
7646 nf_tables_module_autoload(net);
7647 else
7648 nf_tables_module_autoload_cleanup(net);
7649
7650 return 0;
7651}
7652
7653static void nf_tables_cleanup(struct net *net)
7654{
7655 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
7656}
7657
7658static int nf_tables_abort(struct net *net, struct sk_buff *skb, bool autoload)
7659{
7660 int ret = __nf_tables_abort(net, autoload);
7661
7662 mutex_unlock(&net->nft.commit_mutex);
7663
7664 return ret;
7665}
7666
7667static bool nf_tables_valid_genid(struct net *net, u32 genid)
7668{
7669 bool genid_ok;
7670
7671 mutex_lock(&net->nft.commit_mutex);
7672
7673 genid_ok = genid == 0 || net->nft.base_seq == genid;
7674 if (!genid_ok)
7675 mutex_unlock(&net->nft.commit_mutex);
7676
7677
7678 return genid_ok;
7679}
7680
7681static const struct nfnetlink_subsystem nf_tables_subsys = {
7682 .name = "nf_tables",
7683 .subsys_id = NFNL_SUBSYS_NFTABLES,
7684 .cb_count = NFT_MSG_MAX,
7685 .cb = nf_tables_cb,
7686 .commit = nf_tables_commit,
7687 .abort = nf_tables_abort,
7688 .cleanup = nf_tables_cleanup,
7689 .valid_genid = nf_tables_valid_genid,
7690 .owner = THIS_MODULE,
7691};
7692
7693int nft_chain_validate_dependency(const struct nft_chain *chain,
7694 enum nft_chain_types type)
7695{
7696 const struct nft_base_chain *basechain;
7697
7698 if (nft_is_base_chain(chain)) {
7699 basechain = nft_base_chain(chain);
7700 if (basechain->type->type != type)
7701 return -EOPNOTSUPP;
7702 }
7703 return 0;
7704}
7705EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
7706
7707int nft_chain_validate_hooks(const struct nft_chain *chain,
7708 unsigned int hook_flags)
7709{
7710 struct nft_base_chain *basechain;
7711
7712 if (nft_is_base_chain(chain)) {
7713 basechain = nft_base_chain(chain);
7714
7715 if ((1 << basechain->ops.hooknum) & hook_flags)
7716 return 0;
7717
7718 return -EOPNOTSUPP;
7719 }
7720
7721 return 0;
7722}
7723EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
7724
7725
7726
7727
7728
7729
7730
7731
7732
7733
7734static int nf_tables_check_loops(const struct nft_ctx *ctx,
7735 const struct nft_chain *chain);
7736
7737static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
7738 struct nft_set *set,
7739 const struct nft_set_iter *iter,
7740 struct nft_set_elem *elem)
7741{
7742 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
7743 const struct nft_data *data;
7744
7745 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
7746 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
7747 return 0;
7748
7749 data = nft_set_ext_data(ext);
7750 switch (data->verdict.code) {
7751 case NFT_JUMP:
7752 case NFT_GOTO:
7753 return nf_tables_check_loops(ctx, data->verdict.chain);
7754 default:
7755 return 0;
7756 }
7757}
7758
7759static int nf_tables_check_loops(const struct nft_ctx *ctx,
7760 const struct nft_chain *chain)
7761{
7762 const struct nft_rule *rule;
7763 const struct nft_expr *expr, *last;
7764 struct nft_set *set;
7765 struct nft_set_binding *binding;
7766 struct nft_set_iter iter;
7767
7768 if (ctx->chain == chain)
7769 return -ELOOP;
7770
7771 list_for_each_entry(rule, &chain->rules, list) {
7772 nft_rule_for_each_expr(expr, last, rule) {
7773 struct nft_immediate_expr *priv;
7774 const struct nft_data *data;
7775 int err;
7776
7777 if (strcmp(expr->ops->type->name, "immediate"))
7778 continue;
7779
7780 priv = nft_expr_priv(expr);
7781 if (priv->dreg != NFT_REG_VERDICT)
7782 continue;
7783
7784 data = &priv->data;
7785 switch (data->verdict.code) {
7786 case NFT_JUMP:
7787 case NFT_GOTO:
7788 err = nf_tables_check_loops(ctx,
7789 data->verdict.chain);
7790 if (err < 0)
7791 return err;
7792 default:
7793 break;
7794 }
7795 }
7796 }
7797
7798 list_for_each_entry(set, &ctx->table->sets, list) {
7799 if (!nft_is_active_next(ctx->net, set))
7800 continue;
7801 if (!(set->flags & NFT_SET_MAP) ||
7802 set->dtype != NFT_DATA_VERDICT)
7803 continue;
7804
7805 list_for_each_entry(binding, &set->bindings, list) {
7806 if (!(binding->flags & NFT_SET_MAP) ||
7807 binding->chain != chain)
7808 continue;
7809
7810 iter.genmask = nft_genmask_next(ctx->net);
7811 iter.skip = 0;
7812 iter.count = 0;
7813 iter.err = 0;
7814 iter.fn = nf_tables_loop_check_setelem;
7815
7816 set->ops->walk(ctx, set, &iter);
7817 if (iter.err < 0)
7818 return iter.err;
7819 }
7820 }
7821
7822 return 0;
7823}
7824
7825
7826
7827
7828
7829
7830
7831
7832
7833
7834
7835
7836
7837int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
7838{
7839 u32 val;
7840
7841 val = ntohl(nla_get_be32(attr));
7842 if (val > max)
7843 return -ERANGE;
7844
7845 *dest = val;
7846 return 0;
7847}
7848EXPORT_SYMBOL_GPL(nft_parse_u32_check);
7849
7850
7851
7852
7853
7854
7855
7856
7857
7858
7859unsigned int nft_parse_register(const struct nlattr *attr)
7860{
7861 unsigned int reg;
7862
7863 reg = ntohl(nla_get_be32(attr));
7864 switch (reg) {
7865 case NFT_REG_VERDICT...NFT_REG_4:
7866 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
7867 default:
7868 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
7869 }
7870}
7871EXPORT_SYMBOL_GPL(nft_parse_register);
7872
7873
7874
7875
7876
7877
7878
7879
7880
7881
7882
7883
7884int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
7885{
7886 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
7887 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
7888 else
7889 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
7890
7891 return nla_put_be32(skb, attr, htonl(reg));
7892}
7893EXPORT_SYMBOL_GPL(nft_dump_register);
7894
7895
7896
7897
7898
7899
7900
7901
7902
7903
7904int nft_validate_register_load(enum nft_registers reg, unsigned int len)
7905{
7906 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7907 return -EINVAL;
7908 if (len == 0)
7909 return -EINVAL;
7910 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
7911 return -ERANGE;
7912
7913 return 0;
7914}
7915EXPORT_SYMBOL_GPL(nft_validate_register_load);
7916
7917
7918
7919
7920
7921
7922
7923
7924
7925
7926
7927
7928
7929
7930
7931int nft_validate_register_store(const struct nft_ctx *ctx,
7932 enum nft_registers reg,
7933 const struct nft_data *data,
7934 enum nft_data_types type, unsigned int len)
7935{
7936 int err;
7937
7938 switch (reg) {
7939 case NFT_REG_VERDICT:
7940 if (type != NFT_DATA_VERDICT)
7941 return -EINVAL;
7942
7943 if (data != NULL &&
7944 (data->verdict.code == NFT_GOTO ||
7945 data->verdict.code == NFT_JUMP)) {
7946 err = nf_tables_check_loops(ctx, data->verdict.chain);
7947 if (err < 0)
7948 return err;
7949 }
7950
7951 return 0;
7952 default:
7953 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7954 return -EINVAL;
7955 if (len == 0)
7956 return -EINVAL;
7957 if (reg * NFT_REG32_SIZE + len >
7958 sizeof_field(struct nft_regs, data))
7959 return -ERANGE;
7960
7961 if (data != NULL && type != NFT_DATA_VALUE)
7962 return -EINVAL;
7963 return 0;
7964 }
7965}
7966EXPORT_SYMBOL_GPL(nft_validate_register_store);
7967
7968static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
7969 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
7970 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
7971 .len = NFT_CHAIN_MAXNAMELEN - 1 },
7972};
7973
7974static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
7975 struct nft_data_desc *desc, const struct nlattr *nla)
7976{
7977 u8 genmask = nft_genmask_next(ctx->net);
7978 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
7979 struct nft_chain *chain;
7980 int err;
7981
7982 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
7983 nft_verdict_policy, NULL);
7984 if (err < 0)
7985 return err;
7986
7987 if (!tb[NFTA_VERDICT_CODE])
7988 return -EINVAL;
7989 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
7990
7991 switch (data->verdict.code) {
7992 default:
7993 switch (data->verdict.code & NF_VERDICT_MASK) {
7994 case NF_ACCEPT:
7995 case NF_DROP:
7996 case NF_QUEUE:
7997 break;
7998 default:
7999 return -EINVAL;
8000 }
8001
8002 case NFT_CONTINUE:
8003 case NFT_BREAK:
8004 case NFT_RETURN:
8005 break;
8006 case NFT_JUMP:
8007 case NFT_GOTO:
8008 if (!tb[NFTA_VERDICT_CHAIN])
8009 return -EINVAL;
8010 chain = nft_chain_lookup(ctx->net, ctx->table,
8011 tb[NFTA_VERDICT_CHAIN], genmask);
8012 if (IS_ERR(chain))
8013 return PTR_ERR(chain);
8014 if (nft_is_base_chain(chain))
8015 return -EOPNOTSUPP;
8016
8017 chain->use++;
8018 data->verdict.chain = chain;
8019 break;
8020 }
8021
8022 desc->len = sizeof(data->verdict);
8023 desc->type = NFT_DATA_VERDICT;
8024 return 0;
8025}
8026
8027static void nft_verdict_uninit(const struct nft_data *data)
8028{
8029 switch (data->verdict.code) {
8030 case NFT_JUMP:
8031 case NFT_GOTO:
8032 data->verdict.chain->use--;
8033 break;
8034 }
8035}
8036
8037int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
8038{
8039 struct nlattr *nest;
8040
8041 nest = nla_nest_start_noflag(skb, type);
8042 if (!nest)
8043 goto nla_put_failure;
8044
8045 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
8046 goto nla_put_failure;
8047
8048 switch (v->code) {
8049 case NFT_JUMP:
8050 case NFT_GOTO:
8051 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
8052 v->chain->name))
8053 goto nla_put_failure;
8054 }
8055 nla_nest_end(skb, nest);
8056 return 0;
8057
8058nla_put_failure:
8059 return -1;
8060}
8061
8062static int nft_value_init(const struct nft_ctx *ctx,
8063 struct nft_data *data, unsigned int size,
8064 struct nft_data_desc *desc, const struct nlattr *nla)
8065{
8066 unsigned int len;
8067
8068 len = nla_len(nla);
8069 if (len == 0)
8070 return -EINVAL;
8071 if (len > size)
8072 return -EOVERFLOW;
8073
8074 nla_memcpy(data->data, nla, len);
8075 desc->type = NFT_DATA_VALUE;
8076 desc->len = len;
8077 return 0;
8078}
8079
8080static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
8081 unsigned int len)
8082{
8083 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
8084}
8085
8086static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
8087 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
8088 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
8089};
8090
8091
8092
8093
8094
8095
8096
8097
8098
8099
8100
8101
8102
8103
8104
8105
8106int nft_data_init(const struct nft_ctx *ctx,
8107 struct nft_data *data, unsigned int size,
8108 struct nft_data_desc *desc, const struct nlattr *nla)
8109{
8110 struct nlattr *tb[NFTA_DATA_MAX + 1];
8111 int err;
8112
8113 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
8114 nft_data_policy, NULL);
8115 if (err < 0)
8116 return err;
8117
8118 if (tb[NFTA_DATA_VALUE])
8119 return nft_value_init(ctx, data, size, desc,
8120 tb[NFTA_DATA_VALUE]);
8121 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
8122 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
8123 return -EINVAL;
8124}
8125EXPORT_SYMBOL_GPL(nft_data_init);
8126
8127
8128
8129
8130
8131
8132
8133
8134
8135
8136void nft_data_release(const struct nft_data *data, enum nft_data_types type)
8137{
8138 if (type < NFT_DATA_VERDICT)
8139 return;
8140 switch (type) {
8141 case NFT_DATA_VERDICT:
8142 return nft_verdict_uninit(data);
8143 default:
8144 WARN_ON(1);
8145 }
8146}
8147EXPORT_SYMBOL_GPL(nft_data_release);
8148
8149int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
8150 enum nft_data_types type, unsigned int len)
8151{
8152 struct nlattr *nest;
8153 int err;
8154
8155 nest = nla_nest_start_noflag(skb, attr);
8156 if (nest == NULL)
8157 return -1;
8158
8159 switch (type) {
8160 case NFT_DATA_VALUE:
8161 err = nft_value_dump(skb, data, len);
8162 break;
8163 case NFT_DATA_VERDICT:
8164 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
8165 break;
8166 default:
8167 err = -EINVAL;
8168 WARN_ON(1);
8169 }
8170
8171 nla_nest_end(skb, nest);
8172 return err;
8173}
8174EXPORT_SYMBOL_GPL(nft_data_dump);
8175
8176int __nft_release_basechain(struct nft_ctx *ctx)
8177{
8178 struct nft_rule *rule, *nr;
8179
8180 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
8181 return 0;
8182
8183 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
8184 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
8185 list_del(&rule->list);
8186 ctx->chain->use--;
8187 nf_tables_rule_release(ctx, rule);
8188 }
8189 nft_chain_del(ctx->chain);
8190 ctx->table->use--;
8191 nf_tables_chain_destroy(ctx);
8192
8193 return 0;
8194}
8195EXPORT_SYMBOL_GPL(__nft_release_basechain);
8196
8197static void __nft_release_tables(struct net *net)
8198{
8199 struct nft_flowtable *flowtable, *nf;
8200 struct nft_table *table, *nt;
8201 struct nft_chain *chain, *nc;
8202 struct nft_object *obj, *ne;
8203 struct nft_rule *rule, *nr;
8204 struct nft_set *set, *ns;
8205 struct nft_ctx ctx = {
8206 .net = net,
8207 .family = NFPROTO_NETDEV,
8208 };
8209
8210 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
8211 ctx.family = table->family;
8212
8213 list_for_each_entry(chain, &table->chains, list)
8214 nf_tables_unregister_hook(net, table, chain);
8215
8216 ctx.table = table;
8217 list_for_each_entry(chain, &table->chains, list) {
8218 ctx.chain = chain;
8219 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
8220 list_del(&rule->list);
8221 chain->use--;
8222 nf_tables_rule_release(&ctx, rule);
8223 }
8224 }
8225 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
8226 list_del(&flowtable->list);
8227 table->use--;
8228 nf_tables_flowtable_destroy(flowtable);
8229 }
8230 list_for_each_entry_safe(set, ns, &table->sets, list) {
8231 list_del(&set->list);
8232 table->use--;
8233 nft_set_destroy(&ctx, set);
8234 }
8235 list_for_each_entry_safe(obj, ne, &table->objects, list) {
8236 nft_obj_del(obj);
8237 table->use--;
8238 nft_obj_destroy(&ctx, obj);
8239 }
8240 list_for_each_entry_safe(chain, nc, &table->chains, list) {
8241 ctx.chain = chain;
8242 nft_chain_del(chain);
8243 table->use--;
8244 nf_tables_chain_destroy(&ctx);
8245 }
8246 list_del(&table->list);
8247 nf_tables_table_destroy(&ctx);
8248 }
8249}
8250
8251static int __net_init nf_tables_init_net(struct net *net)
8252{
8253 INIT_LIST_HEAD(&net->nft.tables);
8254 INIT_LIST_HEAD(&net->nft.commit_list);
8255 INIT_LIST_HEAD(&net->nft.module_list);
8256 mutex_init(&net->nft.commit_mutex);
8257 net->nft.base_seq = 1;
8258 net->nft.validate_state = NFT_VALIDATE_SKIP;
8259
8260 return 0;
8261}
8262
8263static void __net_exit nf_tables_exit_net(struct net *net)
8264{
8265 mutex_lock(&net->nft.commit_mutex);
8266 if (!list_empty(&net->nft.commit_list))
8267 __nf_tables_abort(net, false);
8268 __nft_release_tables(net);
8269 mutex_unlock(&net->nft.commit_mutex);
8270 WARN_ON_ONCE(!list_empty(&net->nft.tables));
8271 WARN_ON_ONCE(!list_empty(&net->nft.module_list));
8272}
8273
8274static struct pernet_operations nf_tables_net_ops = {
8275 .init = nf_tables_init_net,
8276 .exit = nf_tables_exit_net,
8277};
8278
8279static int __init nf_tables_module_init(void)
8280{
8281 int err;
8282
8283 spin_lock_init(&nf_tables_destroy_list_lock);
8284 err = register_pernet_subsys(&nf_tables_net_ops);
8285 if (err < 0)
8286 return err;
8287
8288 err = nft_chain_filter_init();
8289 if (err < 0)
8290 goto err1;
8291
8292 err = nf_tables_core_module_init();
8293 if (err < 0)
8294 goto err2;
8295
8296 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
8297 if (err < 0)
8298 goto err3;
8299
8300 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
8301 if (err < 0)
8302 goto err4;
8303
8304 err = nft_offload_init();
8305 if (err < 0)
8306 goto err5;
8307
8308
8309 err = nfnetlink_subsys_register(&nf_tables_subsys);
8310 if (err < 0)
8311 goto err6;
8312
8313 nft_chain_route_init();
8314
8315 return err;
8316err6:
8317 nft_offload_exit();
8318err5:
8319 rhltable_destroy(&nft_objname_ht);
8320err4:
8321 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
8322err3:
8323 nf_tables_core_module_exit();
8324err2:
8325 nft_chain_filter_fini();
8326err1:
8327 unregister_pernet_subsys(&nf_tables_net_ops);
8328 return err;
8329}
8330
8331static void __exit nf_tables_module_exit(void)
8332{
8333 nfnetlink_subsys_unregister(&nf_tables_subsys);
8334 nft_offload_exit();
8335 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
8336 nft_chain_filter_fini();
8337 nft_chain_route_fini();
8338 unregister_pernet_subsys(&nf_tables_net_ops);
8339 cancel_work_sync(&trans_destroy_work);
8340 rcu_barrier();
8341 rhltable_destroy(&nft_objname_ht);
8342 nf_tables_core_module_exit();
8343}
8344
8345module_init(nf_tables_module_init);
8346module_exit(nf_tables_module_exit);
8347
8348MODULE_LICENSE("GPL");
8349MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
8350MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
8351
