nf_tables_api.c (249345B)
1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net> 4 * 5 * Development of this code funded by Astaro AG (http://www.astaro.com/) 6 */ 7 8#include <linux/module.h> 9#include <linux/init.h> 10#include <linux/list.h> 11#include <linux/skbuff.h> 12#include <linux/netlink.h> 13#include <linux/vmalloc.h> 14#include <linux/rhashtable.h> 15#include <linux/audit.h> 16#include <linux/netfilter.h> 17#include <linux/netfilter/nfnetlink.h> 18#include <linux/netfilter/nf_tables.h> 19#include <net/netfilter/nf_flow_table.h> 20#include <net/netfilter/nf_tables_core.h> 21#include <net/netfilter/nf_tables.h> 22#include <net/netfilter/nf_tables_offload.h> 23#include <net/net_namespace.h> 24#include <net/sock.h> 25 26#define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-")) 27 28unsigned int nf_tables_net_id __read_mostly; 29 30static LIST_HEAD(nf_tables_expressions); 31static LIST_HEAD(nf_tables_objects); 32static LIST_HEAD(nf_tables_flowtables); 33static LIST_HEAD(nf_tables_destroy_list); 34static DEFINE_SPINLOCK(nf_tables_destroy_list_lock); 35static u64 table_handle; 36 37enum { 38 NFT_VALIDATE_SKIP = 0, 39 NFT_VALIDATE_NEED, 40 NFT_VALIDATE_DO, 41}; 42 43static struct rhltable nft_objname_ht; 44 45static u32 nft_chain_hash(const void *data, u32 len, u32 seed); 46static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed); 47static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *); 48 49static u32 nft_objname_hash(const void *data, u32 len, u32 seed); 50static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed); 51static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *); 52 53static const struct rhashtable_params nft_chain_ht_params = { 54 .head_offset = offsetof(struct nft_chain, rhlhead), 55 .key_offset = offsetof(struct nft_chain, name), 56 .hashfn = nft_chain_hash, 57 .obj_hashfn = nft_chain_hash_obj, 58 .obj_cmpfn = nft_chain_hash_cmp, 59 .automatic_shrinking = true, 60}; 61 62static const struct rhashtable_params nft_objname_ht_params = { 63 .head_offset = offsetof(struct nft_object, rhlhead), 64 .key_offset = offsetof(struct nft_object, key), 65 .hashfn = nft_objname_hash, 66 .obj_hashfn = nft_objname_hash_obj, 67 .obj_cmpfn = nft_objname_hash_cmp, 68 .automatic_shrinking = true, 69}; 70 71struct nft_audit_data { 72 struct nft_table *table; 73 int entries; 74 int op; 75 struct list_head list; 76}; 77 78static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types 79 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER, 80 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID, 81 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER, 82 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER, 83 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID, 84 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER, 85 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER, 86 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID, 87 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER, 88 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER, 89 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID, 90 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER, 91 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER, 92 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID, 93 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER, 94 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER, 95 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID, 96 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID, 97 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER, 98 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID, 99 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER, 100 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET, 101 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER, 102 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID, 103 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER, 104}; 105 106static void nft_validate_state_update(struct net *net, u8 new_validate_state) 107{ 108 struct nftables_pernet *nft_net = nft_pernet(net); 109 110 switch (nft_net->validate_state) { 111 case NFT_VALIDATE_SKIP: 112 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO); 113 break; 114 case NFT_VALIDATE_NEED: 115 break; 116 case NFT_VALIDATE_DO: 117 if (new_validate_state == NFT_VALIDATE_NEED) 118 return; 119 } 120 121 nft_net->validate_state = new_validate_state; 122} 123static void nf_tables_trans_destroy_work(struct work_struct *w); 124static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work); 125 126static void nft_ctx_init(struct nft_ctx *ctx, 127 struct net *net, 128 const struct sk_buff *skb, 129 const struct nlmsghdr *nlh, 130 u8 family, 131 struct nft_table *table, 132 struct nft_chain *chain, 133 const struct nlattr * const *nla) 134{ 135 ctx->net = net; 136 ctx->family = family; 137 ctx->level = 0; 138 ctx->table = table; 139 ctx->chain = chain; 140 ctx->nla = nla; 141 ctx->portid = NETLINK_CB(skb).portid; 142 ctx->report = nlmsg_report(nlh); 143 ctx->flags = nlh->nlmsg_flags; 144 ctx->seq = nlh->nlmsg_seq; 145} 146 147static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx, 148 int msg_type, u32 size, gfp_t gfp) 149{ 150 struct nft_trans *trans; 151 152 trans = kzalloc(sizeof(struct nft_trans) + size, gfp); 153 if (trans == NULL) 154 return NULL; 155 156 trans->msg_type = msg_type; 157 trans->ctx = *ctx; 158 159 return trans; 160} 161 162static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx, 163 int msg_type, u32 size) 164{ 165 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL); 166} 167 168static void nft_trans_destroy(struct nft_trans *trans) 169{ 170 list_del(&trans->list); 171 kfree(trans); 172} 173 174static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) 175{ 176 struct nftables_pernet *nft_net; 177 struct net *net = ctx->net; 178 struct nft_trans *trans; 179 180 if (!nft_set_is_anonymous(set)) 181 return; 182 183 nft_net = nft_pernet(net); 184 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) { 185 switch (trans->msg_type) { 186 case NFT_MSG_NEWSET: 187 if (nft_trans_set(trans) == set) 188 nft_trans_set_bound(trans) = true; 189 break; 190 case NFT_MSG_NEWSETELEM: 191 if (nft_trans_elem_set(trans) == set) 192 nft_trans_elem_set_bound(trans) = true; 193 break; 194 } 195 } 196} 197 198static int nft_netdev_register_hooks(struct net *net, 199 struct list_head *hook_list) 200{ 201 struct nft_hook *hook; 202 int err, j; 203 204 j = 0; 205 list_for_each_entry(hook, hook_list, list) { 206 err = nf_register_net_hook(net, &hook->ops); 207 if (err < 0) 208 goto err_register; 209 210 j++; 211 } 212 return 0; 213 214err_register: 215 list_for_each_entry(hook, hook_list, list) { 216 if (j-- <= 0) 217 break; 218 219 nf_unregister_net_hook(net, &hook->ops); 220 } 221 return err; 222} 223 224static void nft_netdev_unregister_hooks(struct net *net, 225 struct list_head *hook_list, 226 bool release_netdev) 227{ 228 struct nft_hook *hook, *next; 229 230 list_for_each_entry_safe(hook, next, hook_list, list) { 231 nf_unregister_net_hook(net, &hook->ops); 232 if (release_netdev) { 233 list_del(&hook->list); 234 kfree_rcu(hook, rcu); 235 } 236 } 237} 238 239static int nf_tables_register_hook(struct net *net, 240 const struct nft_table *table, 241 struct nft_chain *chain) 242{ 243 struct nft_base_chain *basechain; 244 const struct nf_hook_ops *ops; 245 246 if (table->flags & NFT_TABLE_F_DORMANT || 247 !nft_is_base_chain(chain)) 248 return 0; 249 250 basechain = nft_base_chain(chain); 251 ops = &basechain->ops; 252 253 if (basechain->type->ops_register) 254 return basechain->type->ops_register(net, ops); 255 256 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) 257 return nft_netdev_register_hooks(net, &basechain->hook_list); 258 259 return nf_register_net_hook(net, &basechain->ops); 260} 261 262static void __nf_tables_unregister_hook(struct net *net, 263 const struct nft_table *table, 264 struct nft_chain *chain, 265 bool release_netdev) 266{ 267 struct nft_base_chain *basechain; 268 const struct nf_hook_ops *ops; 269 270 if (table->flags & NFT_TABLE_F_DORMANT || 271 !nft_is_base_chain(chain)) 272 return; 273 basechain = nft_base_chain(chain); 274 ops = &basechain->ops; 275 276 if (basechain->type->ops_unregister) 277 return basechain->type->ops_unregister(net, ops); 278 279 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) 280 nft_netdev_unregister_hooks(net, &basechain->hook_list, 281 release_netdev); 282 else 283 nf_unregister_net_hook(net, &basechain->ops); 284} 285 286static void nf_tables_unregister_hook(struct net *net, 287 const struct nft_table *table, 288 struct nft_chain *chain) 289{ 290 return __nf_tables_unregister_hook(net, table, chain, false); 291} 292 293static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans) 294{ 295 struct nftables_pernet *nft_net = nft_pernet(net); 296 297 list_add_tail(&trans->list, &nft_net->commit_list); 298} 299 300static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type) 301{ 302 struct nft_trans *trans; 303 304 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table)); 305 if (trans == NULL) 306 return -ENOMEM; 307 308 if (msg_type == NFT_MSG_NEWTABLE) 309 nft_activate_next(ctx->net, ctx->table); 310 311 nft_trans_commit_list_add_tail(ctx->net, trans); 312 return 0; 313} 314 315static int nft_deltable(struct nft_ctx *ctx) 316{ 317 int err; 318 319 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE); 320 if (err < 0) 321 return err; 322 323 nft_deactivate_next(ctx->net, ctx->table); 324 return err; 325} 326 327static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type) 328{ 329 struct nft_trans *trans; 330 331 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain)); 332 if (trans == NULL) 333 return ERR_PTR(-ENOMEM); 334 335 if (msg_type == NFT_MSG_NEWCHAIN) { 336 nft_activate_next(ctx->net, ctx->chain); 337 338 if (ctx->nla[NFTA_CHAIN_ID]) { 339 nft_trans_chain_id(trans) = 340 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID])); 341 } 342 } 343 344 nft_trans_commit_list_add_tail(ctx->net, trans); 345 return trans; 346} 347 348static int nft_delchain(struct nft_ctx *ctx) 349{ 350 struct nft_trans *trans; 351 352 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN); 353 if (IS_ERR(trans)) 354 return PTR_ERR(trans); 355 356 ctx->table->use--; 357 nft_deactivate_next(ctx->net, ctx->chain); 358 359 return 0; 360} 361 362static void nft_rule_expr_activate(const struct nft_ctx *ctx, 363 struct nft_rule *rule) 364{ 365 struct nft_expr *expr; 366 367 expr = nft_expr_first(rule); 368 while (nft_expr_more(rule, expr)) { 369 if (expr->ops->activate) 370 expr->ops->activate(ctx, expr); 371 372 expr = nft_expr_next(expr); 373 } 374} 375 376static void nft_rule_expr_deactivate(const struct nft_ctx *ctx, 377 struct nft_rule *rule, 378 enum nft_trans_phase phase) 379{ 380 struct nft_expr *expr; 381 382 expr = nft_expr_first(rule); 383 while (nft_expr_more(rule, expr)) { 384 if (expr->ops->deactivate) 385 expr->ops->deactivate(ctx, expr, phase); 386 387 expr = nft_expr_next(expr); 388 } 389} 390 391static int 392nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule) 393{ 394 /* You cannot delete the same rule twice */ 395 if (nft_is_active_next(ctx->net, rule)) { 396 nft_deactivate_next(ctx->net, rule); 397 ctx->chain->use--; 398 return 0; 399 } 400 return -ENOENT; 401} 402 403static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type, 404 struct nft_rule *rule) 405{ 406 struct nft_trans *trans; 407 408 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule)); 409 if (trans == NULL) 410 return NULL; 411 412 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) { 413 nft_trans_rule_id(trans) = 414 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID])); 415 } 416 nft_trans_rule(trans) = rule; 417 nft_trans_commit_list_add_tail(ctx->net, trans); 418 419 return trans; 420} 421 422static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule) 423{ 424 struct nft_flow_rule *flow; 425 struct nft_trans *trans; 426 int err; 427 428 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule); 429 if (trans == NULL) 430 return -ENOMEM; 431 432 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) { 433 flow = nft_flow_rule_create(ctx->net, rule); 434 if (IS_ERR(flow)) { 435 nft_trans_destroy(trans); 436 return PTR_ERR(flow); 437 } 438 439 nft_trans_flow_rule(trans) = flow; 440 } 441 442 err = nf_tables_delrule_deactivate(ctx, rule); 443 if (err < 0) { 444 nft_trans_destroy(trans); 445 return err; 446 } 447 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE); 448 449 return 0; 450} 451 452static int nft_delrule_by_chain(struct nft_ctx *ctx) 453{ 454 struct nft_rule *rule; 455 int err; 456 457 list_for_each_entry(rule, &ctx->chain->rules, list) { 458 if (!nft_is_active_next(ctx->net, rule)) 459 continue; 460 461 err = nft_delrule(ctx, rule); 462 if (err < 0) 463 return err; 464 } 465 return 0; 466} 467 468static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type, 469 struct nft_set *set) 470{ 471 struct nft_trans *trans; 472 473 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set)); 474 if (trans == NULL) 475 return -ENOMEM; 476 477 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) { 478 nft_trans_set_id(trans) = 479 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID])); 480 nft_activate_next(ctx->net, set); 481 } 482 nft_trans_set(trans) = set; 483 nft_trans_commit_list_add_tail(ctx->net, trans); 484 485 return 0; 486} 487 488static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set) 489{ 490 int err; 491 492 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set); 493 if (err < 0) 494 return err; 495 496 nft_deactivate_next(ctx->net, set); 497 ctx->table->use--; 498 499 return err; 500} 501 502static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type, 503 struct nft_object *obj) 504{ 505 struct nft_trans *trans; 506 507 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj)); 508 if (trans == NULL) 509 return -ENOMEM; 510 511 if (msg_type == NFT_MSG_NEWOBJ) 512 nft_activate_next(ctx->net, obj); 513 514 nft_trans_obj(trans) = obj; 515 nft_trans_commit_list_add_tail(ctx->net, trans); 516 517 return 0; 518} 519 520static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj) 521{ 522 int err; 523 524 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj); 525 if (err < 0) 526 return err; 527 528 nft_deactivate_next(ctx->net, obj); 529 ctx->table->use--; 530 531 return err; 532} 533 534static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type, 535 struct nft_flowtable *flowtable) 536{ 537 struct nft_trans *trans; 538 539 trans = nft_trans_alloc(ctx, msg_type, 540 sizeof(struct nft_trans_flowtable)); 541 if (trans == NULL) 542 return -ENOMEM; 543 544 if (msg_type == NFT_MSG_NEWFLOWTABLE) 545 nft_activate_next(ctx->net, flowtable); 546 547 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 548 nft_trans_flowtable(trans) = flowtable; 549 nft_trans_commit_list_add_tail(ctx->net, trans); 550 551 return 0; 552} 553 554static int nft_delflowtable(struct nft_ctx *ctx, 555 struct nft_flowtable *flowtable) 556{ 557 int err; 558 559 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable); 560 if (err < 0) 561 return err; 562 563 nft_deactivate_next(ctx->net, flowtable); 564 ctx->table->use--; 565 566 return err; 567} 568 569static void __nft_reg_track_clobber(struct nft_regs_track *track, u8 dreg) 570{ 571 int i; 572 573 for (i = track->regs[dreg].num_reg; i > 0; i--) 574 __nft_reg_track_cancel(track, dreg - i); 575} 576 577static void __nft_reg_track_update(struct nft_regs_track *track, 578 const struct nft_expr *expr, 579 u8 dreg, u8 num_reg) 580{ 581 track->regs[dreg].selector = expr; 582 track->regs[dreg].bitwise = NULL; 583 track->regs[dreg].num_reg = num_reg; 584} 585 586void nft_reg_track_update(struct nft_regs_track *track, 587 const struct nft_expr *expr, u8 dreg, u8 len) 588{ 589 unsigned int regcount; 590 int i; 591 592 __nft_reg_track_clobber(track, dreg); 593 594 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE); 595 for (i = 0; i < regcount; i++, dreg++) 596 __nft_reg_track_update(track, expr, dreg, i); 597} 598EXPORT_SYMBOL_GPL(nft_reg_track_update); 599 600void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len) 601{ 602 unsigned int regcount; 603 int i; 604 605 __nft_reg_track_clobber(track, dreg); 606 607 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE); 608 for (i = 0; i < regcount; i++, dreg++) 609 __nft_reg_track_cancel(track, dreg); 610} 611EXPORT_SYMBOL_GPL(nft_reg_track_cancel); 612 613void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg) 614{ 615 track->regs[dreg].selector = NULL; 616 track->regs[dreg].bitwise = NULL; 617 track->regs[dreg].num_reg = 0; 618} 619EXPORT_SYMBOL_GPL(__nft_reg_track_cancel); 620 621/* 622 * Tables 623 */ 624 625static struct nft_table *nft_table_lookup(const struct net *net, 626 const struct nlattr *nla, 627 u8 family, u8 genmask, u32 nlpid) 628{ 629 struct nftables_pernet *nft_net; 630 struct nft_table *table; 631 632 if (nla == NULL) 633 return ERR_PTR(-EINVAL); 634 635 nft_net = nft_pernet(net); 636 list_for_each_entry_rcu(table, &nft_net->tables, list, 637 lockdep_is_held(&nft_net->commit_mutex)) { 638 if (!nla_strcmp(nla, table->name) && 639 table->family == family && 640 nft_active_genmask(table, genmask)) { 641 if (nft_table_has_owner(table) && 642 nlpid && table->nlpid != nlpid) 643 return ERR_PTR(-EPERM); 644 645 return table; 646 } 647 } 648 649 return ERR_PTR(-ENOENT); 650} 651 652static struct nft_table *nft_table_lookup_byhandle(const struct net *net, 653 const struct nlattr *nla, 654 u8 genmask, u32 nlpid) 655{ 656 struct nftables_pernet *nft_net; 657 struct nft_table *table; 658 659 nft_net = nft_pernet(net); 660 list_for_each_entry(table, &nft_net->tables, list) { 661 if (be64_to_cpu(nla_get_be64(nla)) == table->handle && 662 nft_active_genmask(table, genmask)) { 663 if (nft_table_has_owner(table) && 664 nlpid && table->nlpid != nlpid) 665 return ERR_PTR(-EPERM); 666 667 return table; 668 } 669 } 670 671 return ERR_PTR(-ENOENT); 672} 673 674static inline u64 nf_tables_alloc_handle(struct nft_table *table) 675{ 676 return ++table->hgenerator; 677} 678 679static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX]; 680 681static const struct nft_chain_type * 682__nft_chain_type_get(u8 family, enum nft_chain_types type) 683{ 684 if (family >= NFPROTO_NUMPROTO || 685 type >= NFT_CHAIN_T_MAX) 686 return NULL; 687 688 return chain_type[family][type]; 689} 690 691static const struct nft_chain_type * 692__nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family) 693{ 694 const struct nft_chain_type *type; 695 int i; 696 697 for (i = 0; i < NFT_CHAIN_T_MAX; i++) { 698 type = __nft_chain_type_get(family, i); 699 if (!type) 700 continue; 701 if (!nla_strcmp(nla, type->name)) 702 return type; 703 } 704 return NULL; 705} 706 707struct nft_module_request { 708 struct list_head list; 709 char module[MODULE_NAME_LEN]; 710 bool done; 711}; 712 713#ifdef CONFIG_MODULES 714__printf(2, 3) int nft_request_module(struct net *net, const char *fmt, 715 ...) 716{ 717 char module_name[MODULE_NAME_LEN]; 718 struct nftables_pernet *nft_net; 719 struct nft_module_request *req; 720 va_list args; 721 int ret; 722 723 va_start(args, fmt); 724 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args); 725 va_end(args); 726 if (ret >= MODULE_NAME_LEN) 727 return 0; 728 729 nft_net = nft_pernet(net); 730 list_for_each_entry(req, &nft_net->module_list, list) { 731 if (!strcmp(req->module, module_name)) { 732 if (req->done) 733 return 0; 734 735 /* A request to load this module already exists. */ 736 return -EAGAIN; 737 } 738 } 739 740 req = kmalloc(sizeof(*req), GFP_KERNEL); 741 if (!req) 742 return -ENOMEM; 743 744 req->done = false; 745 strlcpy(req->module, module_name, MODULE_NAME_LEN); 746 list_add_tail(&req->list, &nft_net->module_list); 747 748 return -EAGAIN; 749} 750EXPORT_SYMBOL_GPL(nft_request_module); 751#endif 752 753static void lockdep_nfnl_nft_mutex_not_held(void) 754{ 755#ifdef CONFIG_PROVE_LOCKING 756 if (debug_locks) 757 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES)); 758#endif 759} 760 761static const struct nft_chain_type * 762nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla, 763 u8 family, bool autoload) 764{ 765 const struct nft_chain_type *type; 766 767 type = __nf_tables_chain_type_lookup(nla, family); 768 if (type != NULL) 769 return type; 770 771 lockdep_nfnl_nft_mutex_not_held(); 772#ifdef CONFIG_MODULES 773 if (autoload) { 774 if (nft_request_module(net, "nft-chain-%u-%.*s", family, 775 nla_len(nla), 776 (const char *)nla_data(nla)) == -EAGAIN) 777 return ERR_PTR(-EAGAIN); 778 } 779#endif 780 return ERR_PTR(-ENOENT); 781} 782 783static __be16 nft_base_seq(const struct net *net) 784{ 785 struct nftables_pernet *nft_net = nft_pernet(net); 786 787 return htons(nft_net->base_seq & 0xffff); 788} 789 790static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = { 791 [NFTA_TABLE_NAME] = { .type = NLA_STRING, 792 .len = NFT_TABLE_MAXNAMELEN - 1 }, 793 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 }, 794 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 }, 795 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY, 796 .len = NFT_USERDATA_MAXLEN } 797}; 798 799static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net, 800 u32 portid, u32 seq, int event, u32 flags, 801 int family, const struct nft_table *table) 802{ 803 struct nlmsghdr *nlh; 804 805 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 806 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 807 NFNETLINK_V0, nft_base_seq(net)); 808 if (!nlh) 809 goto nla_put_failure; 810 811 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) || 812 nla_put_be32(skb, NFTA_TABLE_FLAGS, 813 htonl(table->flags & NFT_TABLE_F_MASK)) || 814 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) || 815 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle), 816 NFTA_TABLE_PAD)) 817 goto nla_put_failure; 818 if (nft_table_has_owner(table) && 819 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid))) 820 goto nla_put_failure; 821 822 if (table->udata) { 823 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata)) 824 goto nla_put_failure; 825 } 826 827 nlmsg_end(skb, nlh); 828 return 0; 829 830nla_put_failure: 831 nlmsg_trim(skb, nlh); 832 return -1; 833} 834 835struct nftnl_skb_parms { 836 bool report; 837}; 838#define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb)) 839 840static void nft_notify_enqueue(struct sk_buff *skb, bool report, 841 struct list_head *notify_list) 842{ 843 NFT_CB(skb).report = report; 844 list_add_tail(&skb->list, notify_list); 845} 846 847static void nf_tables_table_notify(const struct nft_ctx *ctx, int event) 848{ 849 struct nftables_pernet *nft_net; 850 struct sk_buff *skb; 851 u16 flags = 0; 852 int err; 853 854 if (!ctx->report && 855 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 856 return; 857 858 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 859 if (skb == NULL) 860 goto err; 861 862 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 863 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 864 865 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq, 866 event, flags, ctx->family, ctx->table); 867 if (err < 0) { 868 kfree_skb(skb); 869 goto err; 870 } 871 872 nft_net = nft_pernet(ctx->net); 873 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 874 return; 875err: 876 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 877} 878 879static int nf_tables_dump_tables(struct sk_buff *skb, 880 struct netlink_callback *cb) 881{ 882 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 883 struct nftables_pernet *nft_net; 884 const struct nft_table *table; 885 unsigned int idx = 0, s_idx = cb->args[0]; 886 struct net *net = sock_net(skb->sk); 887 int family = nfmsg->nfgen_family; 888 889 rcu_read_lock(); 890 nft_net = nft_pernet(net); 891 cb->seq = nft_net->base_seq; 892 893 list_for_each_entry_rcu(table, &nft_net->tables, list) { 894 if (family != NFPROTO_UNSPEC && family != table->family) 895 continue; 896 897 if (idx < s_idx) 898 goto cont; 899 if (idx > s_idx) 900 memset(&cb->args[1], 0, 901 sizeof(cb->args) - sizeof(cb->args[0])); 902 if (!nft_is_active(net, table)) 903 continue; 904 if (nf_tables_fill_table_info(skb, net, 905 NETLINK_CB(cb->skb).portid, 906 cb->nlh->nlmsg_seq, 907 NFT_MSG_NEWTABLE, NLM_F_MULTI, 908 table->family, table) < 0) 909 goto done; 910 911 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 912cont: 913 idx++; 914 } 915done: 916 rcu_read_unlock(); 917 cb->args[0] = idx; 918 return skb->len; 919} 920 921static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb, 922 const struct nlmsghdr *nlh, 923 struct netlink_dump_control *c) 924{ 925 int err; 926 927 if (!try_module_get(THIS_MODULE)) 928 return -EINVAL; 929 930 rcu_read_unlock(); 931 err = netlink_dump_start(nlsk, skb, nlh, c); 932 rcu_read_lock(); 933 module_put(THIS_MODULE); 934 935 return err; 936} 937 938/* called with rcu_read_lock held */ 939static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info, 940 const struct nlattr * const nla[]) 941{ 942 struct netlink_ext_ack *extack = info->extack; 943 u8 genmask = nft_genmask_cur(info->net); 944 u8 family = info->nfmsg->nfgen_family; 945 const struct nft_table *table; 946 struct net *net = info->net; 947 struct sk_buff *skb2; 948 int err; 949 950 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 951 struct netlink_dump_control c = { 952 .dump = nf_tables_dump_tables, 953 .module = THIS_MODULE, 954 }; 955 956 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 957 } 958 959 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0); 960 if (IS_ERR(table)) { 961 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]); 962 return PTR_ERR(table); 963 } 964 965 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 966 if (!skb2) 967 return -ENOMEM; 968 969 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid, 970 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 971 0, family, table); 972 if (err < 0) 973 goto err_fill_table_info; 974 975 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 976 977err_fill_table_info: 978 kfree_skb(skb2); 979 return err; 980} 981 982static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt) 983{ 984 struct nft_chain *chain; 985 u32 i = 0; 986 987 list_for_each_entry(chain, &table->chains, list) { 988 if (!nft_is_active_next(net, chain)) 989 continue; 990 if (!nft_is_base_chain(chain)) 991 continue; 992 993 if (cnt && i++ == cnt) 994 break; 995 996 nf_tables_unregister_hook(net, table, chain); 997 } 998} 999 1000static int nf_tables_table_enable(struct net *net, struct nft_table *table) 1001{ 1002 struct nft_chain *chain; 1003 int err, i = 0; 1004 1005 list_for_each_entry(chain, &table->chains, list) { 1006 if (!nft_is_active_next(net, chain)) 1007 continue; 1008 if (!nft_is_base_chain(chain)) 1009 continue; 1010 1011 err = nf_tables_register_hook(net, table, chain); 1012 if (err < 0) 1013 goto err_register_hooks; 1014 1015 i++; 1016 } 1017 return 0; 1018 1019err_register_hooks: 1020 if (i) 1021 nft_table_disable(net, table, i); 1022 return err; 1023} 1024 1025static void nf_tables_table_disable(struct net *net, struct nft_table *table) 1026{ 1027 table->flags &= ~NFT_TABLE_F_DORMANT; 1028 nft_table_disable(net, table, 0); 1029 table->flags |= NFT_TABLE_F_DORMANT; 1030} 1031 1032#define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1) 1033#define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0) 1034#define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1) 1035#define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \ 1036 __NFT_TABLE_F_WAS_AWAKEN) 1037 1038static int nf_tables_updtable(struct nft_ctx *ctx) 1039{ 1040 struct nft_trans *trans; 1041 u32 flags; 1042 int ret; 1043 1044 if (!ctx->nla[NFTA_TABLE_FLAGS]) 1045 return 0; 1046 1047 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS])); 1048 if (flags & ~NFT_TABLE_F_MASK) 1049 return -EOPNOTSUPP; 1050 1051 if (flags == ctx->table->flags) 1052 return 0; 1053 1054 if ((nft_table_has_owner(ctx->table) && 1055 !(flags & NFT_TABLE_F_OWNER)) || 1056 (!nft_table_has_owner(ctx->table) && 1057 flags & NFT_TABLE_F_OWNER)) 1058 return -EOPNOTSUPP; 1059 1060 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE, 1061 sizeof(struct nft_trans_table)); 1062 if (trans == NULL) 1063 return -ENOMEM; 1064 1065 if ((flags & NFT_TABLE_F_DORMANT) && 1066 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) { 1067 ctx->table->flags |= NFT_TABLE_F_DORMANT; 1068 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) 1069 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN; 1070 } else if (!(flags & NFT_TABLE_F_DORMANT) && 1071 ctx->table->flags & NFT_TABLE_F_DORMANT) { 1072 ctx->table->flags &= ~NFT_TABLE_F_DORMANT; 1073 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) { 1074 ret = nf_tables_table_enable(ctx->net, ctx->table); 1075 if (ret < 0) 1076 goto err_register_hooks; 1077 1078 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT; 1079 } 1080 } 1081 1082 nft_trans_table_update(trans) = true; 1083 nft_trans_commit_list_add_tail(ctx->net, trans); 1084 1085 return 0; 1086 1087err_register_hooks: 1088 nft_trans_destroy(trans); 1089 return ret; 1090} 1091 1092static u32 nft_chain_hash(const void *data, u32 len, u32 seed) 1093{ 1094 const char *name = data; 1095 1096 return jhash(name, strlen(name), seed); 1097} 1098 1099static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed) 1100{ 1101 const struct nft_chain *chain = data; 1102 1103 return nft_chain_hash(chain->name, 0, seed); 1104} 1105 1106static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg, 1107 const void *ptr) 1108{ 1109 const struct nft_chain *chain = ptr; 1110 const char *name = arg->key; 1111 1112 return strcmp(chain->name, name); 1113} 1114 1115static u32 nft_objname_hash(const void *data, u32 len, u32 seed) 1116{ 1117 const struct nft_object_hash_key *k = data; 1118 1119 seed ^= hash_ptr(k->table, 32); 1120 1121 return jhash(k->name, strlen(k->name), seed); 1122} 1123 1124static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed) 1125{ 1126 const struct nft_object *obj = data; 1127 1128 return nft_objname_hash(&obj->key, 0, seed); 1129} 1130 1131static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg, 1132 const void *ptr) 1133{ 1134 const struct nft_object_hash_key *k = arg->key; 1135 const struct nft_object *obj = ptr; 1136 1137 if (obj->key.table != k->table) 1138 return -1; 1139 1140 return strcmp(obj->key.name, k->name); 1141} 1142 1143static bool nft_supported_family(u8 family) 1144{ 1145 return false 1146#ifdef CONFIG_NF_TABLES_INET 1147 || family == NFPROTO_INET 1148#endif 1149#ifdef CONFIG_NF_TABLES_IPV4 1150 || family == NFPROTO_IPV4 1151#endif 1152#ifdef CONFIG_NF_TABLES_ARP 1153 || family == NFPROTO_ARP 1154#endif 1155#ifdef CONFIG_NF_TABLES_NETDEV 1156 || family == NFPROTO_NETDEV 1157#endif 1158#if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE) 1159 || family == NFPROTO_BRIDGE 1160#endif 1161#ifdef CONFIG_NF_TABLES_IPV6 1162 || family == NFPROTO_IPV6 1163#endif 1164 ; 1165} 1166 1167static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info, 1168 const struct nlattr * const nla[]) 1169{ 1170 struct nftables_pernet *nft_net = nft_pernet(info->net); 1171 struct netlink_ext_ack *extack = info->extack; 1172 u8 genmask = nft_genmask_next(info->net); 1173 u8 family = info->nfmsg->nfgen_family; 1174 struct net *net = info->net; 1175 const struct nlattr *attr; 1176 struct nft_table *table; 1177 struct nft_ctx ctx; 1178 u32 flags = 0; 1179 int err; 1180 1181 if (!nft_supported_family(family)) 1182 return -EOPNOTSUPP; 1183 1184 lockdep_assert_held(&nft_net->commit_mutex); 1185 attr = nla[NFTA_TABLE_NAME]; 1186 table = nft_table_lookup(net, attr, family, genmask, 1187 NETLINK_CB(skb).portid); 1188 if (IS_ERR(table)) { 1189 if (PTR_ERR(table) != -ENOENT) 1190 return PTR_ERR(table); 1191 } else { 1192 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 1193 NL_SET_BAD_ATTR(extack, attr); 1194 return -EEXIST; 1195 } 1196 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 1197 return -EOPNOTSUPP; 1198 1199 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 1200 1201 return nf_tables_updtable(&ctx); 1202 } 1203 1204 if (nla[NFTA_TABLE_FLAGS]) { 1205 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS])); 1206 if (flags & ~NFT_TABLE_F_MASK) 1207 return -EOPNOTSUPP; 1208 } 1209 1210 err = -ENOMEM; 1211 table = kzalloc(sizeof(*table), GFP_KERNEL_ACCOUNT); 1212 if (table == NULL) 1213 goto err_kzalloc; 1214 1215 table->name = nla_strdup(attr, GFP_KERNEL_ACCOUNT); 1216 if (table->name == NULL) 1217 goto err_strdup; 1218 1219 if (nla[NFTA_TABLE_USERDATA]) { 1220 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL_ACCOUNT); 1221 if (table->udata == NULL) 1222 goto err_table_udata; 1223 1224 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]); 1225 } 1226 1227 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params); 1228 if (err) 1229 goto err_chain_ht; 1230 1231 INIT_LIST_HEAD(&table->chains); 1232 INIT_LIST_HEAD(&table->sets); 1233 INIT_LIST_HEAD(&table->objects); 1234 INIT_LIST_HEAD(&table->flowtables); 1235 table->family = family; 1236 table->flags = flags; 1237 table->handle = ++table_handle; 1238 if (table->flags & NFT_TABLE_F_OWNER) 1239 table->nlpid = NETLINK_CB(skb).portid; 1240 1241 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 1242 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE); 1243 if (err < 0) 1244 goto err_trans; 1245 1246 list_add_tail_rcu(&table->list, &nft_net->tables); 1247 return 0; 1248err_trans: 1249 rhltable_destroy(&table->chains_ht); 1250err_chain_ht: 1251 kfree(table->udata); 1252err_table_udata: 1253 kfree(table->name); 1254err_strdup: 1255 kfree(table); 1256err_kzalloc: 1257 return err; 1258} 1259 1260static int nft_flush_table(struct nft_ctx *ctx) 1261{ 1262 struct nft_flowtable *flowtable, *nft; 1263 struct nft_chain *chain, *nc; 1264 struct nft_object *obj, *ne; 1265 struct nft_set *set, *ns; 1266 int err; 1267 1268 list_for_each_entry(chain, &ctx->table->chains, list) { 1269 if (!nft_is_active_next(ctx->net, chain)) 1270 continue; 1271 1272 if (nft_chain_is_bound(chain)) 1273 continue; 1274 1275 ctx->chain = chain; 1276 1277 err = nft_delrule_by_chain(ctx); 1278 if (err < 0) 1279 goto out; 1280 } 1281 1282 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) { 1283 if (!nft_is_active_next(ctx->net, set)) 1284 continue; 1285 1286 if (nft_set_is_anonymous(set) && 1287 !list_empty(&set->bindings)) 1288 continue; 1289 1290 err = nft_delset(ctx, set); 1291 if (err < 0) 1292 goto out; 1293 } 1294 1295 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) { 1296 if (!nft_is_active_next(ctx->net, flowtable)) 1297 continue; 1298 1299 err = nft_delflowtable(ctx, flowtable); 1300 if (err < 0) 1301 goto out; 1302 } 1303 1304 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) { 1305 if (!nft_is_active_next(ctx->net, obj)) 1306 continue; 1307 1308 err = nft_delobj(ctx, obj); 1309 if (err < 0) 1310 goto out; 1311 } 1312 1313 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) { 1314 if (!nft_is_active_next(ctx->net, chain)) 1315 continue; 1316 1317 if (nft_chain_is_bound(chain)) 1318 continue; 1319 1320 ctx->chain = chain; 1321 1322 err = nft_delchain(ctx); 1323 if (err < 0) 1324 goto out; 1325 } 1326 1327 err = nft_deltable(ctx); 1328out: 1329 return err; 1330} 1331 1332static int nft_flush(struct nft_ctx *ctx, int family) 1333{ 1334 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 1335 const struct nlattr * const *nla = ctx->nla; 1336 struct nft_table *table, *nt; 1337 int err = 0; 1338 1339 list_for_each_entry_safe(table, nt, &nft_net->tables, list) { 1340 if (family != AF_UNSPEC && table->family != family) 1341 continue; 1342 1343 ctx->family = table->family; 1344 1345 if (!nft_is_active_next(ctx->net, table)) 1346 continue; 1347 1348 if (nft_table_has_owner(table) && table->nlpid != ctx->portid) 1349 continue; 1350 1351 if (nla[NFTA_TABLE_NAME] && 1352 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0) 1353 continue; 1354 1355 ctx->table = table; 1356 1357 err = nft_flush_table(ctx); 1358 if (err < 0) 1359 goto out; 1360 } 1361out: 1362 return err; 1363} 1364 1365static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info, 1366 const struct nlattr * const nla[]) 1367{ 1368 struct netlink_ext_ack *extack = info->extack; 1369 u8 genmask = nft_genmask_next(info->net); 1370 u8 family = info->nfmsg->nfgen_family; 1371 struct net *net = info->net; 1372 const struct nlattr *attr; 1373 struct nft_table *table; 1374 struct nft_ctx ctx; 1375 1376 nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla); 1377 if (family == AF_UNSPEC || 1378 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE])) 1379 return nft_flush(&ctx, family); 1380 1381 if (nla[NFTA_TABLE_HANDLE]) { 1382 attr = nla[NFTA_TABLE_HANDLE]; 1383 table = nft_table_lookup_byhandle(net, attr, genmask, 1384 NETLINK_CB(skb).portid); 1385 } else { 1386 attr = nla[NFTA_TABLE_NAME]; 1387 table = nft_table_lookup(net, attr, family, genmask, 1388 NETLINK_CB(skb).portid); 1389 } 1390 1391 if (IS_ERR(table)) { 1392 NL_SET_BAD_ATTR(extack, attr); 1393 return PTR_ERR(table); 1394 } 1395 1396 if (info->nlh->nlmsg_flags & NLM_F_NONREC && 1397 table->use > 0) 1398 return -EBUSY; 1399 1400 ctx.family = family; 1401 ctx.table = table; 1402 1403 return nft_flush_table(&ctx); 1404} 1405 1406static void nf_tables_table_destroy(struct nft_ctx *ctx) 1407{ 1408 if (WARN_ON(ctx->table->use > 0)) 1409 return; 1410 1411 rhltable_destroy(&ctx->table->chains_ht); 1412 kfree(ctx->table->name); 1413 kfree(ctx->table->udata); 1414 kfree(ctx->table); 1415} 1416 1417void nft_register_chain_type(const struct nft_chain_type *ctype) 1418{ 1419 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1420 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) { 1421 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1422 return; 1423 } 1424 chain_type[ctype->family][ctype->type] = ctype; 1425 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1426} 1427EXPORT_SYMBOL_GPL(nft_register_chain_type); 1428 1429void nft_unregister_chain_type(const struct nft_chain_type *ctype) 1430{ 1431 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1432 chain_type[ctype->family][ctype->type] = NULL; 1433 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1434} 1435EXPORT_SYMBOL_GPL(nft_unregister_chain_type); 1436 1437/* 1438 * Chains 1439 */ 1440 1441static struct nft_chain * 1442nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask) 1443{ 1444 struct nft_chain *chain; 1445 1446 list_for_each_entry(chain, &table->chains, list) { 1447 if (chain->handle == handle && 1448 nft_active_genmask(chain, genmask)) 1449 return chain; 1450 } 1451 1452 return ERR_PTR(-ENOENT); 1453} 1454 1455static bool lockdep_commit_lock_is_held(const struct net *net) 1456{ 1457#ifdef CONFIG_PROVE_LOCKING 1458 struct nftables_pernet *nft_net = nft_pernet(net); 1459 1460 return lockdep_is_held(&nft_net->commit_mutex); 1461#else 1462 return true; 1463#endif 1464} 1465 1466static struct nft_chain *nft_chain_lookup(struct net *net, 1467 struct nft_table *table, 1468 const struct nlattr *nla, u8 genmask) 1469{ 1470 char search[NFT_CHAIN_MAXNAMELEN + 1]; 1471 struct rhlist_head *tmp, *list; 1472 struct nft_chain *chain; 1473 1474 if (nla == NULL) 1475 return ERR_PTR(-EINVAL); 1476 1477 nla_strscpy(search, nla, sizeof(search)); 1478 1479 WARN_ON(!rcu_read_lock_held() && 1480 !lockdep_commit_lock_is_held(net)); 1481 1482 chain = ERR_PTR(-ENOENT); 1483 rcu_read_lock(); 1484 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params); 1485 if (!list) 1486 goto out_unlock; 1487 1488 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) { 1489 if (nft_active_genmask(chain, genmask)) 1490 goto out_unlock; 1491 } 1492 chain = ERR_PTR(-ENOENT); 1493out_unlock: 1494 rcu_read_unlock(); 1495 return chain; 1496} 1497 1498static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = { 1499 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING, 1500 .len = NFT_TABLE_MAXNAMELEN - 1 }, 1501 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 }, 1502 [NFTA_CHAIN_NAME] = { .type = NLA_STRING, 1503 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 1504 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED }, 1505 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 }, 1506 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING, 1507 .len = NFT_MODULE_AUTOLOAD_LIMIT }, 1508 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED }, 1509 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 }, 1510 [NFTA_CHAIN_ID] = { .type = NLA_U32 }, 1511 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY, 1512 .len = NFT_USERDATA_MAXLEN }, 1513}; 1514 1515static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = { 1516 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 }, 1517 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 }, 1518 [NFTA_HOOK_DEV] = { .type = NLA_STRING, 1519 .len = IFNAMSIZ - 1 }, 1520}; 1521 1522static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats) 1523{ 1524 struct nft_stats *cpu_stats, total; 1525 struct nlattr *nest; 1526 unsigned int seq; 1527 u64 pkts, bytes; 1528 int cpu; 1529 1530 if (!stats) 1531 return 0; 1532 1533 memset(&total, 0, sizeof(total)); 1534 for_each_possible_cpu(cpu) { 1535 cpu_stats = per_cpu_ptr(stats, cpu); 1536 do { 1537 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp); 1538 pkts = cpu_stats->pkts; 1539 bytes = cpu_stats->bytes; 1540 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq)); 1541 total.pkts += pkts; 1542 total.bytes += bytes; 1543 } 1544 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS); 1545 if (nest == NULL) 1546 goto nla_put_failure; 1547 1548 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts), 1549 NFTA_COUNTER_PAD) || 1550 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes), 1551 NFTA_COUNTER_PAD)) 1552 goto nla_put_failure; 1553 1554 nla_nest_end(skb, nest); 1555 return 0; 1556 1557nla_put_failure: 1558 return -ENOSPC; 1559} 1560 1561static int nft_dump_basechain_hook(struct sk_buff *skb, int family, 1562 const struct nft_base_chain *basechain) 1563{ 1564 const struct nf_hook_ops *ops = &basechain->ops; 1565 struct nft_hook *hook, *first = NULL; 1566 struct nlattr *nest, *nest_devs; 1567 int n = 0; 1568 1569 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK); 1570 if (nest == NULL) 1571 goto nla_put_failure; 1572 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum))) 1573 goto nla_put_failure; 1574 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority))) 1575 goto nla_put_failure; 1576 1577 if (nft_base_chain_netdev(family, ops->hooknum)) { 1578 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS); 1579 list_for_each_entry(hook, &basechain->hook_list, list) { 1580 if (!first) 1581 first = hook; 1582 1583 if (nla_put_string(skb, NFTA_DEVICE_NAME, 1584 hook->ops.dev->name)) 1585 goto nla_put_failure; 1586 n++; 1587 } 1588 nla_nest_end(skb, nest_devs); 1589 1590 if (n == 1 && 1591 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name)) 1592 goto nla_put_failure; 1593 } 1594 nla_nest_end(skb, nest); 1595 1596 return 0; 1597nla_put_failure: 1598 return -1; 1599} 1600 1601static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net, 1602 u32 portid, u32 seq, int event, u32 flags, 1603 int family, const struct nft_table *table, 1604 const struct nft_chain *chain) 1605{ 1606 struct nlmsghdr *nlh; 1607 1608 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 1609 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 1610 NFNETLINK_V0, nft_base_seq(net)); 1611 if (!nlh) 1612 goto nla_put_failure; 1613 1614 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name)) 1615 goto nla_put_failure; 1616 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle), 1617 NFTA_CHAIN_PAD)) 1618 goto nla_put_failure; 1619 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name)) 1620 goto nla_put_failure; 1621 1622 if (nft_is_base_chain(chain)) { 1623 const struct nft_base_chain *basechain = nft_base_chain(chain); 1624 struct nft_stats __percpu *stats; 1625 1626 if (nft_dump_basechain_hook(skb, family, basechain)) 1627 goto nla_put_failure; 1628 1629 if (nla_put_be32(skb, NFTA_CHAIN_POLICY, 1630 htonl(basechain->policy))) 1631 goto nla_put_failure; 1632 1633 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name)) 1634 goto nla_put_failure; 1635 1636 stats = rcu_dereference_check(basechain->stats, 1637 lockdep_commit_lock_is_held(net)); 1638 if (nft_dump_stats(skb, stats)) 1639 goto nla_put_failure; 1640 } 1641 1642 if (chain->flags && 1643 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags))) 1644 goto nla_put_failure; 1645 1646 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use))) 1647 goto nla_put_failure; 1648 1649 if (chain->udata && 1650 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata)) 1651 goto nla_put_failure; 1652 1653 nlmsg_end(skb, nlh); 1654 return 0; 1655 1656nla_put_failure: 1657 nlmsg_trim(skb, nlh); 1658 return -1; 1659} 1660 1661static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event) 1662{ 1663 struct nftables_pernet *nft_net; 1664 struct sk_buff *skb; 1665 u16 flags = 0; 1666 int err; 1667 1668 if (!ctx->report && 1669 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 1670 return; 1671 1672 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 1673 if (skb == NULL) 1674 goto err; 1675 1676 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 1677 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 1678 1679 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq, 1680 event, flags, ctx->family, ctx->table, 1681 ctx->chain); 1682 if (err < 0) { 1683 kfree_skb(skb); 1684 goto err; 1685 } 1686 1687 nft_net = nft_pernet(ctx->net); 1688 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 1689 return; 1690err: 1691 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 1692} 1693 1694static int nf_tables_dump_chains(struct sk_buff *skb, 1695 struct netlink_callback *cb) 1696{ 1697 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 1698 unsigned int idx = 0, s_idx = cb->args[0]; 1699 struct net *net = sock_net(skb->sk); 1700 int family = nfmsg->nfgen_family; 1701 struct nftables_pernet *nft_net; 1702 const struct nft_table *table; 1703 const struct nft_chain *chain; 1704 1705 rcu_read_lock(); 1706 nft_net = nft_pernet(net); 1707 cb->seq = nft_net->base_seq; 1708 1709 list_for_each_entry_rcu(table, &nft_net->tables, list) { 1710 if (family != NFPROTO_UNSPEC && family != table->family) 1711 continue; 1712 1713 list_for_each_entry_rcu(chain, &table->chains, list) { 1714 if (idx < s_idx) 1715 goto cont; 1716 if (idx > s_idx) 1717 memset(&cb->args[1], 0, 1718 sizeof(cb->args) - sizeof(cb->args[0])); 1719 if (!nft_is_active(net, chain)) 1720 continue; 1721 if (nf_tables_fill_chain_info(skb, net, 1722 NETLINK_CB(cb->skb).portid, 1723 cb->nlh->nlmsg_seq, 1724 NFT_MSG_NEWCHAIN, 1725 NLM_F_MULTI, 1726 table->family, table, 1727 chain) < 0) 1728 goto done; 1729 1730 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 1731cont: 1732 idx++; 1733 } 1734 } 1735done: 1736 rcu_read_unlock(); 1737 cb->args[0] = idx; 1738 return skb->len; 1739} 1740 1741/* called with rcu_read_lock held */ 1742static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info, 1743 const struct nlattr * const nla[]) 1744{ 1745 struct netlink_ext_ack *extack = info->extack; 1746 u8 genmask = nft_genmask_cur(info->net); 1747 u8 family = info->nfmsg->nfgen_family; 1748 const struct nft_chain *chain; 1749 struct net *net = info->net; 1750 struct nft_table *table; 1751 struct sk_buff *skb2; 1752 int err; 1753 1754 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 1755 struct netlink_dump_control c = { 1756 .dump = nf_tables_dump_chains, 1757 .module = THIS_MODULE, 1758 }; 1759 1760 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 1761 } 1762 1763 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0); 1764 if (IS_ERR(table)) { 1765 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 1766 return PTR_ERR(table); 1767 } 1768 1769 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask); 1770 if (IS_ERR(chain)) { 1771 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 1772 return PTR_ERR(chain); 1773 } 1774 1775 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 1776 if (!skb2) 1777 return -ENOMEM; 1778 1779 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid, 1780 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 1781 0, family, table, chain); 1782 if (err < 0) 1783 goto err_fill_chain_info; 1784 1785 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 1786 1787err_fill_chain_info: 1788 kfree_skb(skb2); 1789 return err; 1790} 1791 1792static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = { 1793 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 }, 1794 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 }, 1795}; 1796 1797static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr) 1798{ 1799 struct nlattr *tb[NFTA_COUNTER_MAX+1]; 1800 struct nft_stats __percpu *newstats; 1801 struct nft_stats *stats; 1802 int err; 1803 1804 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr, 1805 nft_counter_policy, NULL); 1806 if (err < 0) 1807 return ERR_PTR(err); 1808 1809 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS]) 1810 return ERR_PTR(-EINVAL); 1811 1812 newstats = netdev_alloc_pcpu_stats(struct nft_stats); 1813 if (newstats == NULL) 1814 return ERR_PTR(-ENOMEM); 1815 1816 /* Restore old counters on this cpu, no problem. Per-cpu statistics 1817 * are not exposed to userspace. 1818 */ 1819 preempt_disable(); 1820 stats = this_cpu_ptr(newstats); 1821 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES])); 1822 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS])); 1823 preempt_enable(); 1824 1825 return newstats; 1826} 1827 1828static void nft_chain_stats_replace(struct nft_trans *trans) 1829{ 1830 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain); 1831 1832 if (!nft_trans_chain_stats(trans)) 1833 return; 1834 1835 nft_trans_chain_stats(trans) = 1836 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans), 1837 lockdep_commit_lock_is_held(trans->ctx.net)); 1838 1839 if (!nft_trans_chain_stats(trans)) 1840 static_branch_inc(&nft_counters_enabled); 1841} 1842 1843static void nf_tables_chain_free_chain_rules(struct nft_chain *chain) 1844{ 1845 struct nft_rule_blob *g0 = rcu_dereference_raw(chain->blob_gen_0); 1846 struct nft_rule_blob *g1 = rcu_dereference_raw(chain->blob_gen_1); 1847 1848 if (g0 != g1) 1849 kvfree(g1); 1850 kvfree(g0); 1851 1852 /* should be NULL either via abort or via successful commit */ 1853 WARN_ON_ONCE(chain->blob_next); 1854 kvfree(chain->blob_next); 1855} 1856 1857void nf_tables_chain_destroy(struct nft_ctx *ctx) 1858{ 1859 struct nft_chain *chain = ctx->chain; 1860 struct nft_hook *hook, *next; 1861 1862 if (WARN_ON(chain->use > 0)) 1863 return; 1864 1865 /* no concurrent access possible anymore */ 1866 nf_tables_chain_free_chain_rules(chain); 1867 1868 if (nft_is_base_chain(chain)) { 1869 struct nft_base_chain *basechain = nft_base_chain(chain); 1870 1871 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) { 1872 list_for_each_entry_safe(hook, next, 1873 &basechain->hook_list, list) { 1874 list_del_rcu(&hook->list); 1875 kfree_rcu(hook, rcu); 1876 } 1877 } 1878 module_put(basechain->type->owner); 1879 if (rcu_access_pointer(basechain->stats)) { 1880 static_branch_dec(&nft_counters_enabled); 1881 free_percpu(rcu_dereference_raw(basechain->stats)); 1882 } 1883 kfree(chain->name); 1884 kfree(chain->udata); 1885 kfree(basechain); 1886 } else { 1887 kfree(chain->name); 1888 kfree(chain->udata); 1889 kfree(chain); 1890 } 1891} 1892 1893static struct nft_hook *nft_netdev_hook_alloc(struct net *net, 1894 const struct nlattr *attr) 1895{ 1896 struct net_device *dev; 1897 char ifname[IFNAMSIZ]; 1898 struct nft_hook *hook; 1899 int err; 1900 1901 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT); 1902 if (!hook) { 1903 err = -ENOMEM; 1904 goto err_hook_alloc; 1905 } 1906 1907 nla_strscpy(ifname, attr, IFNAMSIZ); 1908 /* nf_tables_netdev_event() is called under rtnl_mutex, this is 1909 * indirectly serializing all the other holders of the commit_mutex with 1910 * the rtnl_mutex. 1911 */ 1912 dev = __dev_get_by_name(net, ifname); 1913 if (!dev) { 1914 err = -ENOENT; 1915 goto err_hook_dev; 1916 } 1917 hook->ops.dev = dev; 1918 1919 return hook; 1920 1921err_hook_dev: 1922 kfree(hook); 1923err_hook_alloc: 1924 return ERR_PTR(err); 1925} 1926 1927static struct nft_hook *nft_hook_list_find(struct list_head *hook_list, 1928 const struct nft_hook *this) 1929{ 1930 struct nft_hook *hook; 1931 1932 list_for_each_entry(hook, hook_list, list) { 1933 if (this->ops.dev == hook->ops.dev) 1934 return hook; 1935 } 1936 1937 return NULL; 1938} 1939 1940static int nf_tables_parse_netdev_hooks(struct net *net, 1941 const struct nlattr *attr, 1942 struct list_head *hook_list) 1943{ 1944 struct nft_hook *hook, *next; 1945 const struct nlattr *tmp; 1946 int rem, n = 0, err; 1947 1948 nla_for_each_nested(tmp, attr, rem) { 1949 if (nla_type(tmp) != NFTA_DEVICE_NAME) { 1950 err = -EINVAL; 1951 goto err_hook; 1952 } 1953 1954 hook = nft_netdev_hook_alloc(net, tmp); 1955 if (IS_ERR(hook)) { 1956 err = PTR_ERR(hook); 1957 goto err_hook; 1958 } 1959 if (nft_hook_list_find(hook_list, hook)) { 1960 kfree(hook); 1961 err = -EEXIST; 1962 goto err_hook; 1963 } 1964 list_add_tail(&hook->list, hook_list); 1965 n++; 1966 1967 if (n == NFT_NETDEVICE_MAX) { 1968 err = -EFBIG; 1969 goto err_hook; 1970 } 1971 } 1972 1973 return 0; 1974 1975err_hook: 1976 list_for_each_entry_safe(hook, next, hook_list, list) { 1977 list_del(&hook->list); 1978 kfree(hook); 1979 } 1980 return err; 1981} 1982 1983struct nft_chain_hook { 1984 u32 num; 1985 s32 priority; 1986 const struct nft_chain_type *type; 1987 struct list_head list; 1988}; 1989 1990static int nft_chain_parse_netdev(struct net *net, 1991 struct nlattr *tb[], 1992 struct list_head *hook_list) 1993{ 1994 struct nft_hook *hook; 1995 int err; 1996 1997 if (tb[NFTA_HOOK_DEV]) { 1998 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]); 1999 if (IS_ERR(hook)) 2000 return PTR_ERR(hook); 2001 2002 list_add_tail(&hook->list, hook_list); 2003 } else if (tb[NFTA_HOOK_DEVS]) { 2004 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS], 2005 hook_list); 2006 if (err < 0) 2007 return err; 2008 2009 if (list_empty(hook_list)) 2010 return -EINVAL; 2011 } else { 2012 return -EINVAL; 2013 } 2014 2015 return 0; 2016} 2017 2018static int nft_chain_parse_hook(struct net *net, 2019 const struct nlattr * const nla[], 2020 struct nft_chain_hook *hook, u8 family, 2021 struct netlink_ext_ack *extack, bool autoload) 2022{ 2023 struct nftables_pernet *nft_net = nft_pernet(net); 2024 struct nlattr *ha[NFTA_HOOK_MAX + 1]; 2025 const struct nft_chain_type *type; 2026 int err; 2027 2028 lockdep_assert_held(&nft_net->commit_mutex); 2029 lockdep_nfnl_nft_mutex_not_held(); 2030 2031 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX, 2032 nla[NFTA_CHAIN_HOOK], 2033 nft_hook_policy, NULL); 2034 if (err < 0) 2035 return err; 2036 2037 if (ha[NFTA_HOOK_HOOKNUM] == NULL || 2038 ha[NFTA_HOOK_PRIORITY] == NULL) 2039 return -EINVAL; 2040 2041 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM])); 2042 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY])); 2043 2044 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT); 2045 if (!type) 2046 return -EOPNOTSUPP; 2047 2048 if (nla[NFTA_CHAIN_TYPE]) { 2049 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE], 2050 family, autoload); 2051 if (IS_ERR(type)) { 2052 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]); 2053 return PTR_ERR(type); 2054 } 2055 } 2056 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num))) 2057 return -EOPNOTSUPP; 2058 2059 if (type->type == NFT_CHAIN_T_NAT && 2060 hook->priority <= NF_IP_PRI_CONNTRACK) 2061 return -EOPNOTSUPP; 2062 2063 if (!try_module_get(type->owner)) { 2064 if (nla[NFTA_CHAIN_TYPE]) 2065 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]); 2066 return -ENOENT; 2067 } 2068 2069 hook->type = type; 2070 2071 INIT_LIST_HEAD(&hook->list); 2072 if (nft_base_chain_netdev(family, hook->num)) { 2073 err = nft_chain_parse_netdev(net, ha, &hook->list); 2074 if (err < 0) { 2075 module_put(type->owner); 2076 return err; 2077 } 2078 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) { 2079 module_put(type->owner); 2080 return -EOPNOTSUPP; 2081 } 2082 2083 return 0; 2084} 2085 2086static void nft_chain_release_hook(struct nft_chain_hook *hook) 2087{ 2088 struct nft_hook *h, *next; 2089 2090 list_for_each_entry_safe(h, next, &hook->list, list) { 2091 list_del(&h->list); 2092 kfree(h); 2093 } 2094 module_put(hook->type->owner); 2095} 2096 2097struct nft_rules_old { 2098 struct rcu_head h; 2099 struct nft_rule_blob *blob; 2100}; 2101 2102static void nft_last_rule(struct nft_rule_blob *blob, const void *ptr) 2103{ 2104 struct nft_rule_dp *prule; 2105 2106 prule = (struct nft_rule_dp *)ptr; 2107 prule->is_last = 1; 2108 /* blob size does not include the trailer rule */ 2109} 2110 2111static struct nft_rule_blob *nf_tables_chain_alloc_rules(unsigned int size) 2112{ 2113 struct nft_rule_blob *blob; 2114 2115 /* size must include room for the last rule */ 2116 if (size < offsetof(struct nft_rule_dp, data)) 2117 return NULL; 2118 2119 size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rules_old); 2120 if (size > INT_MAX) 2121 return NULL; 2122 2123 blob = kvmalloc(size, GFP_KERNEL_ACCOUNT); 2124 if (!blob) 2125 return NULL; 2126 2127 blob->size = 0; 2128 nft_last_rule(blob, blob->data); 2129 2130 return blob; 2131} 2132 2133static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family, 2134 const struct nft_chain_hook *hook, 2135 struct nft_chain *chain) 2136{ 2137 ops->pf = family; 2138 ops->hooknum = hook->num; 2139 ops->priority = hook->priority; 2140 ops->priv = chain; 2141 ops->hook = hook->type->hooks[ops->hooknum]; 2142 ops->hook_ops_type = NF_HOOK_OP_NF_TABLES; 2143} 2144 2145static int nft_basechain_init(struct nft_base_chain *basechain, u8 family, 2146 struct nft_chain_hook *hook, u32 flags) 2147{ 2148 struct nft_chain *chain; 2149 struct nft_hook *h; 2150 2151 basechain->type = hook->type; 2152 INIT_LIST_HEAD(&basechain->hook_list); 2153 chain = &basechain->chain; 2154 2155 if (nft_base_chain_netdev(family, hook->num)) { 2156 list_splice_init(&hook->list, &basechain->hook_list); 2157 list_for_each_entry(h, &basechain->hook_list, list) 2158 nft_basechain_hook_init(&h->ops, family, hook, chain); 2159 2160 basechain->ops.hooknum = hook->num; 2161 basechain->ops.priority = hook->priority; 2162 } else { 2163 nft_basechain_hook_init(&basechain->ops, family, hook, chain); 2164 } 2165 2166 chain->flags |= NFT_CHAIN_BASE | flags; 2167 basechain->policy = NF_ACCEPT; 2168 if (chain->flags & NFT_CHAIN_HW_OFFLOAD && 2169 !nft_chain_offload_support(basechain)) 2170 return -EOPNOTSUPP; 2171 2172 flow_block_init(&basechain->flow_block); 2173 2174 return 0; 2175} 2176 2177static int nft_chain_add(struct nft_table *table, struct nft_chain *chain) 2178{ 2179 int err; 2180 2181 err = rhltable_insert_key(&table->chains_ht, chain->name, 2182 &chain->rhlhead, nft_chain_ht_params); 2183 if (err) 2184 return err; 2185 2186 list_add_tail_rcu(&chain->list, &table->chains); 2187 2188 return 0; 2189} 2190 2191static u64 chain_id; 2192 2193static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, 2194 u8 policy, u32 flags, 2195 struct netlink_ext_ack *extack) 2196{ 2197 const struct nlattr * const *nla = ctx->nla; 2198 struct nft_table *table = ctx->table; 2199 struct nft_base_chain *basechain; 2200 struct nft_stats __percpu *stats; 2201 struct net *net = ctx->net; 2202 char name[NFT_NAME_MAXLEN]; 2203 struct nft_rule_blob *blob; 2204 struct nft_trans *trans; 2205 struct nft_chain *chain; 2206 unsigned int data_size; 2207 int err; 2208 2209 if (table->use == UINT_MAX) 2210 return -EOVERFLOW; 2211 2212 if (nla[NFTA_CHAIN_HOOK]) { 2213 struct nft_chain_hook hook; 2214 2215 if (flags & NFT_CHAIN_BINDING) 2216 return -EOPNOTSUPP; 2217 2218 err = nft_chain_parse_hook(net, nla, &hook, family, extack, 2219 true); 2220 if (err < 0) 2221 return err; 2222 2223 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL_ACCOUNT); 2224 if (basechain == NULL) { 2225 nft_chain_release_hook(&hook); 2226 return -ENOMEM; 2227 } 2228 chain = &basechain->chain; 2229 2230 if (nla[NFTA_CHAIN_COUNTERS]) { 2231 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); 2232 if (IS_ERR(stats)) { 2233 nft_chain_release_hook(&hook); 2234 kfree(basechain); 2235 return PTR_ERR(stats); 2236 } 2237 rcu_assign_pointer(basechain->stats, stats); 2238 static_branch_inc(&nft_counters_enabled); 2239 } 2240 2241 err = nft_basechain_init(basechain, family, &hook, flags); 2242 if (err < 0) { 2243 nft_chain_release_hook(&hook); 2244 kfree(basechain); 2245 return err; 2246 } 2247 } else { 2248 if (flags & NFT_CHAIN_BASE) 2249 return -EINVAL; 2250 if (flags & NFT_CHAIN_HW_OFFLOAD) 2251 return -EOPNOTSUPP; 2252 2253 chain = kzalloc(sizeof(*chain), GFP_KERNEL_ACCOUNT); 2254 if (chain == NULL) 2255 return -ENOMEM; 2256 2257 chain->flags = flags; 2258 } 2259 ctx->chain = chain; 2260 2261 INIT_LIST_HEAD(&chain->rules); 2262 chain->handle = nf_tables_alloc_handle(table); 2263 chain->table = table; 2264 2265 if (nla[NFTA_CHAIN_NAME]) { 2266 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT); 2267 } else { 2268 if (!(flags & NFT_CHAIN_BINDING)) { 2269 err = -EINVAL; 2270 goto err_destroy_chain; 2271 } 2272 2273 snprintf(name, sizeof(name), "__chain%llu", ++chain_id); 2274 chain->name = kstrdup(name, GFP_KERNEL_ACCOUNT); 2275 } 2276 2277 if (!chain->name) { 2278 err = -ENOMEM; 2279 goto err_destroy_chain; 2280 } 2281 2282 if (nla[NFTA_CHAIN_USERDATA]) { 2283 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT); 2284 if (chain->udata == NULL) { 2285 err = -ENOMEM; 2286 goto err_destroy_chain; 2287 } 2288 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]); 2289 } 2290 2291 data_size = offsetof(struct nft_rule_dp, data); /* last rule */ 2292 blob = nf_tables_chain_alloc_rules(data_size); 2293 if (!blob) { 2294 err = -ENOMEM; 2295 goto err_destroy_chain; 2296 } 2297 2298 RCU_INIT_POINTER(chain->blob_gen_0, blob); 2299 RCU_INIT_POINTER(chain->blob_gen_1, blob); 2300 2301 err = nf_tables_register_hook(net, table, chain); 2302 if (err < 0) 2303 goto err_destroy_chain; 2304 2305 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN); 2306 if (IS_ERR(trans)) { 2307 err = PTR_ERR(trans); 2308 goto err_unregister_hook; 2309 } 2310 2311 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET; 2312 if (nft_is_base_chain(chain)) 2313 nft_trans_chain_policy(trans) = policy; 2314 2315 err = nft_chain_add(table, chain); 2316 if (err < 0) { 2317 nft_trans_destroy(trans); 2318 goto err_unregister_hook; 2319 } 2320 2321 table->use++; 2322 2323 return 0; 2324err_unregister_hook: 2325 nf_tables_unregister_hook(net, table, chain); 2326err_destroy_chain: 2327 nf_tables_chain_destroy(ctx); 2328 2329 return err; 2330} 2331 2332static bool nft_hook_list_equal(struct list_head *hook_list1, 2333 struct list_head *hook_list2) 2334{ 2335 struct nft_hook *hook; 2336 int n = 0, m = 0; 2337 2338 n = 0; 2339 list_for_each_entry(hook, hook_list2, list) { 2340 if (!nft_hook_list_find(hook_list1, hook)) 2341 return false; 2342 2343 n++; 2344 } 2345 list_for_each_entry(hook, hook_list1, list) 2346 m++; 2347 2348 return n == m; 2349} 2350 2351static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, 2352 u32 flags, const struct nlattr *attr, 2353 struct netlink_ext_ack *extack) 2354{ 2355 const struct nlattr * const *nla = ctx->nla; 2356 struct nft_table *table = ctx->table; 2357 struct nft_chain *chain = ctx->chain; 2358 struct nft_base_chain *basechain; 2359 struct nft_stats *stats = NULL; 2360 struct nft_chain_hook hook; 2361 struct nf_hook_ops *ops; 2362 struct nft_trans *trans; 2363 int err; 2364 2365 if (chain->flags ^ flags) 2366 return -EOPNOTSUPP; 2367 2368 if (nla[NFTA_CHAIN_HOOK]) { 2369 if (!nft_is_base_chain(chain)) { 2370 NL_SET_BAD_ATTR(extack, attr); 2371 return -EEXIST; 2372 } 2373 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family, 2374 extack, false); 2375 if (err < 0) 2376 return err; 2377 2378 basechain = nft_base_chain(chain); 2379 if (basechain->type != hook.type) { 2380 nft_chain_release_hook(&hook); 2381 NL_SET_BAD_ATTR(extack, attr); 2382 return -EEXIST; 2383 } 2384 2385 if (nft_base_chain_netdev(ctx->family, hook.num)) { 2386 if (!nft_hook_list_equal(&basechain->hook_list, 2387 &hook.list)) { 2388 nft_chain_release_hook(&hook); 2389 NL_SET_BAD_ATTR(extack, attr); 2390 return -EEXIST; 2391 } 2392 } else { 2393 ops = &basechain->ops; 2394 if (ops->hooknum != hook.num || 2395 ops->priority != hook.priority) { 2396 nft_chain_release_hook(&hook); 2397 NL_SET_BAD_ATTR(extack, attr); 2398 return -EEXIST; 2399 } 2400 } 2401 nft_chain_release_hook(&hook); 2402 } 2403 2404 if (nla[NFTA_CHAIN_HANDLE] && 2405 nla[NFTA_CHAIN_NAME]) { 2406 struct nft_chain *chain2; 2407 2408 chain2 = nft_chain_lookup(ctx->net, table, 2409 nla[NFTA_CHAIN_NAME], genmask); 2410 if (!IS_ERR(chain2)) { 2411 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 2412 return -EEXIST; 2413 } 2414 } 2415 2416 if (nla[NFTA_CHAIN_COUNTERS]) { 2417 if (!nft_is_base_chain(chain)) 2418 return -EOPNOTSUPP; 2419 2420 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); 2421 if (IS_ERR(stats)) 2422 return PTR_ERR(stats); 2423 } 2424 2425 err = -ENOMEM; 2426 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN, 2427 sizeof(struct nft_trans_chain)); 2428 if (trans == NULL) 2429 goto err; 2430 2431 nft_trans_chain_stats(trans) = stats; 2432 nft_trans_chain_update(trans) = true; 2433 2434 if (nla[NFTA_CHAIN_POLICY]) 2435 nft_trans_chain_policy(trans) = policy; 2436 else 2437 nft_trans_chain_policy(trans) = -1; 2438 2439 if (nla[NFTA_CHAIN_HANDLE] && 2440 nla[NFTA_CHAIN_NAME]) { 2441 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 2442 struct nft_trans *tmp; 2443 char *name; 2444 2445 err = -ENOMEM; 2446 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT); 2447 if (!name) 2448 goto err; 2449 2450 err = -EEXIST; 2451 list_for_each_entry(tmp, &nft_net->commit_list, list) { 2452 if (tmp->msg_type == NFT_MSG_NEWCHAIN && 2453 tmp->ctx.table == table && 2454 nft_trans_chain_update(tmp) && 2455 nft_trans_chain_name(tmp) && 2456 strcmp(name, nft_trans_chain_name(tmp)) == 0) { 2457 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 2458 kfree(name); 2459 goto err; 2460 } 2461 } 2462 2463 nft_trans_chain_name(trans) = name; 2464 } 2465 nft_trans_commit_list_add_tail(ctx->net, trans); 2466 2467 return 0; 2468err: 2469 free_percpu(stats); 2470 kfree(trans); 2471 return err; 2472} 2473 2474static struct nft_chain *nft_chain_lookup_byid(const struct net *net, 2475 const struct nlattr *nla) 2476{ 2477 struct nftables_pernet *nft_net = nft_pernet(net); 2478 u32 id = ntohl(nla_get_be32(nla)); 2479 struct nft_trans *trans; 2480 2481 list_for_each_entry(trans, &nft_net->commit_list, list) { 2482 struct nft_chain *chain = trans->ctx.chain; 2483 2484 if (trans->msg_type == NFT_MSG_NEWCHAIN && 2485 id == nft_trans_chain_id(trans)) 2486 return chain; 2487 } 2488 return ERR_PTR(-ENOENT); 2489} 2490 2491static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info, 2492 const struct nlattr * const nla[]) 2493{ 2494 struct nftables_pernet *nft_net = nft_pernet(info->net); 2495 struct netlink_ext_ack *extack = info->extack; 2496 u8 genmask = nft_genmask_next(info->net); 2497 u8 family = info->nfmsg->nfgen_family; 2498 struct nft_chain *chain = NULL; 2499 struct net *net = info->net; 2500 const struct nlattr *attr; 2501 struct nft_table *table; 2502 u8 policy = NF_ACCEPT; 2503 struct nft_ctx ctx; 2504 u64 handle = 0; 2505 u32 flags = 0; 2506 2507 lockdep_assert_held(&nft_net->commit_mutex); 2508 2509 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 2510 NETLINK_CB(skb).portid); 2511 if (IS_ERR(table)) { 2512 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 2513 return PTR_ERR(table); 2514 } 2515 2516 chain = NULL; 2517 attr = nla[NFTA_CHAIN_NAME]; 2518 2519 if (nla[NFTA_CHAIN_HANDLE]) { 2520 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE])); 2521 chain = nft_chain_lookup_byhandle(table, handle, genmask); 2522 if (IS_ERR(chain)) { 2523 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]); 2524 return PTR_ERR(chain); 2525 } 2526 attr = nla[NFTA_CHAIN_HANDLE]; 2527 } else if (nla[NFTA_CHAIN_NAME]) { 2528 chain = nft_chain_lookup(net, table, attr, genmask); 2529 if (IS_ERR(chain)) { 2530 if (PTR_ERR(chain) != -ENOENT) { 2531 NL_SET_BAD_ATTR(extack, attr); 2532 return PTR_ERR(chain); 2533 } 2534 chain = NULL; 2535 } 2536 } else if (!nla[NFTA_CHAIN_ID]) { 2537 return -EINVAL; 2538 } 2539 2540 if (nla[NFTA_CHAIN_POLICY]) { 2541 if (chain != NULL && 2542 !nft_is_base_chain(chain)) { 2543 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]); 2544 return -EOPNOTSUPP; 2545 } 2546 2547 if (chain == NULL && 2548 nla[NFTA_CHAIN_HOOK] == NULL) { 2549 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]); 2550 return -EOPNOTSUPP; 2551 } 2552 2553 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY])); 2554 switch (policy) { 2555 case NF_DROP: 2556 case NF_ACCEPT: 2557 break; 2558 default: 2559 return -EINVAL; 2560 } 2561 } 2562 2563 if (nla[NFTA_CHAIN_FLAGS]) 2564 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS])); 2565 else if (chain) 2566 flags = chain->flags; 2567 2568 if (flags & ~NFT_CHAIN_FLAGS) 2569 return -EOPNOTSUPP; 2570 2571 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 2572 2573 if (chain != NULL) { 2574 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 2575 NL_SET_BAD_ATTR(extack, attr); 2576 return -EEXIST; 2577 } 2578 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 2579 return -EOPNOTSUPP; 2580 2581 flags |= chain->flags & NFT_CHAIN_BASE; 2582 return nf_tables_updchain(&ctx, genmask, policy, flags, attr, 2583 extack); 2584 } 2585 2586 return nf_tables_addchain(&ctx, family, genmask, policy, flags, extack); 2587} 2588 2589static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info, 2590 const struct nlattr * const nla[]) 2591{ 2592 struct netlink_ext_ack *extack = info->extack; 2593 u8 genmask = nft_genmask_next(info->net); 2594 u8 family = info->nfmsg->nfgen_family; 2595 struct net *net = info->net; 2596 const struct nlattr *attr; 2597 struct nft_table *table; 2598 struct nft_chain *chain; 2599 struct nft_rule *rule; 2600 struct nft_ctx ctx; 2601 u64 handle; 2602 u32 use; 2603 int err; 2604 2605 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 2606 NETLINK_CB(skb).portid); 2607 if (IS_ERR(table)) { 2608 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 2609 return PTR_ERR(table); 2610 } 2611 2612 if (nla[NFTA_CHAIN_HANDLE]) { 2613 attr = nla[NFTA_CHAIN_HANDLE]; 2614 handle = be64_to_cpu(nla_get_be64(attr)); 2615 chain = nft_chain_lookup_byhandle(table, handle, genmask); 2616 } else { 2617 attr = nla[NFTA_CHAIN_NAME]; 2618 chain = nft_chain_lookup(net, table, attr, genmask); 2619 } 2620 if (IS_ERR(chain)) { 2621 NL_SET_BAD_ATTR(extack, attr); 2622 return PTR_ERR(chain); 2623 } 2624 2625 if (info->nlh->nlmsg_flags & NLM_F_NONREC && 2626 chain->use > 0) 2627 return -EBUSY; 2628 2629 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 2630 2631 use = chain->use; 2632 list_for_each_entry(rule, &chain->rules, list) { 2633 if (!nft_is_active_next(net, rule)) 2634 continue; 2635 use--; 2636 2637 err = nft_delrule(&ctx, rule); 2638 if (err < 0) 2639 return err; 2640 } 2641 2642 /* There are rules and elements that are still holding references to us, 2643 * we cannot do a recursive removal in this case. 2644 */ 2645 if (use > 0) { 2646 NL_SET_BAD_ATTR(extack, attr); 2647 return -EBUSY; 2648 } 2649 2650 return nft_delchain(&ctx); 2651} 2652 2653/* 2654 * Expressions 2655 */ 2656 2657/** 2658 * nft_register_expr - register nf_tables expr type 2659 * @type: expr type 2660 * 2661 * Registers the expr type for use with nf_tables. Returns zero on 2662 * success or a negative errno code otherwise. 2663 */ 2664int nft_register_expr(struct nft_expr_type *type) 2665{ 2666 nfnl_lock(NFNL_SUBSYS_NFTABLES); 2667 if (type->family == NFPROTO_UNSPEC) 2668 list_add_tail_rcu(&type->list, &nf_tables_expressions); 2669 else 2670 list_add_rcu(&type->list, &nf_tables_expressions); 2671 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 2672 return 0; 2673} 2674EXPORT_SYMBOL_GPL(nft_register_expr); 2675 2676/** 2677 * nft_unregister_expr - unregister nf_tables expr type 2678 * @type: expr type 2679 * 2680 * Unregisters the expr typefor use with nf_tables. 2681 */ 2682void nft_unregister_expr(struct nft_expr_type *type) 2683{ 2684 nfnl_lock(NFNL_SUBSYS_NFTABLES); 2685 list_del_rcu(&type->list); 2686 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 2687} 2688EXPORT_SYMBOL_GPL(nft_unregister_expr); 2689 2690static const struct nft_expr_type *__nft_expr_type_get(u8 family, 2691 struct nlattr *nla) 2692{ 2693 const struct nft_expr_type *type, *candidate = NULL; 2694 2695 list_for_each_entry(type, &nf_tables_expressions, list) { 2696 if (!nla_strcmp(nla, type->name)) { 2697 if (!type->family && !candidate) 2698 candidate = type; 2699 else if (type->family == family) 2700 candidate = type; 2701 } 2702 } 2703 return candidate; 2704} 2705 2706#ifdef CONFIG_MODULES 2707static int nft_expr_type_request_module(struct net *net, u8 family, 2708 struct nlattr *nla) 2709{ 2710 if (nft_request_module(net, "nft-expr-%u-%.*s", family, 2711 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN) 2712 return -EAGAIN; 2713 2714 return 0; 2715} 2716#endif 2717 2718static const struct nft_expr_type *nft_expr_type_get(struct net *net, 2719 u8 family, 2720 struct nlattr *nla) 2721{ 2722 const struct nft_expr_type *type; 2723 2724 if (nla == NULL) 2725 return ERR_PTR(-EINVAL); 2726 2727 type = __nft_expr_type_get(family, nla); 2728 if (type != NULL && try_module_get(type->owner)) 2729 return type; 2730 2731 lockdep_nfnl_nft_mutex_not_held(); 2732#ifdef CONFIG_MODULES 2733 if (type == NULL) { 2734 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN) 2735 return ERR_PTR(-EAGAIN); 2736 2737 if (nft_request_module(net, "nft-expr-%.*s", 2738 nla_len(nla), 2739 (char *)nla_data(nla)) == -EAGAIN) 2740 return ERR_PTR(-EAGAIN); 2741 } 2742#endif 2743 return ERR_PTR(-ENOENT); 2744} 2745 2746static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = { 2747 [NFTA_EXPR_NAME] = { .type = NLA_STRING, 2748 .len = NFT_MODULE_AUTOLOAD_LIMIT }, 2749 [NFTA_EXPR_DATA] = { .type = NLA_NESTED }, 2750}; 2751 2752static int nf_tables_fill_expr_info(struct sk_buff *skb, 2753 const struct nft_expr *expr) 2754{ 2755 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name)) 2756 goto nla_put_failure; 2757 2758 if (expr->ops->dump) { 2759 struct nlattr *data = nla_nest_start_noflag(skb, 2760 NFTA_EXPR_DATA); 2761 if (data == NULL) 2762 goto nla_put_failure; 2763 if (expr->ops->dump(skb, expr) < 0) 2764 goto nla_put_failure; 2765 nla_nest_end(skb, data); 2766 } 2767 2768 return skb->len; 2769 2770nla_put_failure: 2771 return -1; 2772}; 2773 2774int nft_expr_dump(struct sk_buff *skb, unsigned int attr, 2775 const struct nft_expr *expr) 2776{ 2777 struct nlattr *nest; 2778 2779 nest = nla_nest_start_noflag(skb, attr); 2780 if (!nest) 2781 goto nla_put_failure; 2782 if (nf_tables_fill_expr_info(skb, expr) < 0) 2783 goto nla_put_failure; 2784 nla_nest_end(skb, nest); 2785 return 0; 2786 2787nla_put_failure: 2788 return -1; 2789} 2790 2791struct nft_expr_info { 2792 const struct nft_expr_ops *ops; 2793 const struct nlattr *attr; 2794 struct nlattr *tb[NFT_EXPR_MAXATTR + 1]; 2795}; 2796 2797static int nf_tables_expr_parse(const struct nft_ctx *ctx, 2798 const struct nlattr *nla, 2799 struct nft_expr_info *info) 2800{ 2801 const struct nft_expr_type *type; 2802 const struct nft_expr_ops *ops; 2803 struct nlattr *tb[NFTA_EXPR_MAX + 1]; 2804 int err; 2805 2806 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla, 2807 nft_expr_policy, NULL); 2808 if (err < 0) 2809 return err; 2810 2811 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]); 2812 if (IS_ERR(type)) 2813 return PTR_ERR(type); 2814 2815 if (tb[NFTA_EXPR_DATA]) { 2816 err = nla_parse_nested_deprecated(info->tb, type->maxattr, 2817 tb[NFTA_EXPR_DATA], 2818 type->policy, NULL); 2819 if (err < 0) 2820 goto err1; 2821 } else 2822 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1)); 2823 2824 if (type->select_ops != NULL) { 2825 ops = type->select_ops(ctx, 2826 (const struct nlattr * const *)info->tb); 2827 if (IS_ERR(ops)) { 2828 err = PTR_ERR(ops); 2829#ifdef CONFIG_MODULES 2830 if (err == -EAGAIN) 2831 if (nft_expr_type_request_module(ctx->net, 2832 ctx->family, 2833 tb[NFTA_EXPR_NAME]) != -EAGAIN) 2834 err = -ENOENT; 2835#endif 2836 goto err1; 2837 } 2838 } else 2839 ops = type->ops; 2840 2841 info->attr = nla; 2842 info->ops = ops; 2843 2844 return 0; 2845 2846err1: 2847 module_put(type->owner); 2848 return err; 2849} 2850 2851static int nf_tables_newexpr(const struct nft_ctx *ctx, 2852 const struct nft_expr_info *expr_info, 2853 struct nft_expr *expr) 2854{ 2855 const struct nft_expr_ops *ops = expr_info->ops; 2856 int err; 2857 2858 expr->ops = ops; 2859 if (ops->init) { 2860 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb); 2861 if (err < 0) 2862 goto err1; 2863 } 2864 2865 return 0; 2866err1: 2867 expr->ops = NULL; 2868 return err; 2869} 2870 2871static void nf_tables_expr_destroy(const struct nft_ctx *ctx, 2872 struct nft_expr *expr) 2873{ 2874 const struct nft_expr_type *type = expr->ops->type; 2875 2876 if (expr->ops->destroy) 2877 expr->ops->destroy(ctx, expr); 2878 module_put(type->owner); 2879} 2880 2881static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx, 2882 const struct nlattr *nla) 2883{ 2884 struct nft_expr_info expr_info; 2885 struct nft_expr *expr; 2886 struct module *owner; 2887 int err; 2888 2889 err = nf_tables_expr_parse(ctx, nla, &expr_info); 2890 if (err < 0) 2891 goto err_expr_parse; 2892 2893 err = -EOPNOTSUPP; 2894 if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL)) 2895 goto err_expr_stateful; 2896 2897 err = -ENOMEM; 2898 expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT); 2899 if (expr == NULL) 2900 goto err_expr_stateful; 2901 2902 err = nf_tables_newexpr(ctx, &expr_info, expr); 2903 if (err < 0) 2904 goto err_expr_new; 2905 2906 return expr; 2907err_expr_new: 2908 kfree(expr); 2909err_expr_stateful: 2910 owner = expr_info.ops->type->owner; 2911 if (expr_info.ops->type->release_ops) 2912 expr_info.ops->type->release_ops(expr_info.ops); 2913 2914 module_put(owner); 2915err_expr_parse: 2916 return ERR_PTR(err); 2917} 2918 2919int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src) 2920{ 2921 int err; 2922 2923 if (src->ops->clone) { 2924 dst->ops = src->ops; 2925 err = src->ops->clone(dst, src); 2926 if (err < 0) 2927 return err; 2928 } else { 2929 memcpy(dst, src, src->ops->size); 2930 } 2931 2932 __module_get(src->ops->type->owner); 2933 2934 return 0; 2935} 2936 2937void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr) 2938{ 2939 nf_tables_expr_destroy(ctx, expr); 2940 kfree(expr); 2941} 2942 2943/* 2944 * Rules 2945 */ 2946 2947static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain, 2948 u64 handle) 2949{ 2950 struct nft_rule *rule; 2951 2952 // FIXME: this sucks 2953 list_for_each_entry_rcu(rule, &chain->rules, list) { 2954 if (handle == rule->handle) 2955 return rule; 2956 } 2957 2958 return ERR_PTR(-ENOENT); 2959} 2960 2961static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain, 2962 const struct nlattr *nla) 2963{ 2964 if (nla == NULL) 2965 return ERR_PTR(-EINVAL); 2966 2967 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla))); 2968} 2969 2970static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = { 2971 [NFTA_RULE_TABLE] = { .type = NLA_STRING, 2972 .len = NFT_TABLE_MAXNAMELEN - 1 }, 2973 [NFTA_RULE_CHAIN] = { .type = NLA_STRING, 2974 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 2975 [NFTA_RULE_HANDLE] = { .type = NLA_U64 }, 2976 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED }, 2977 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED }, 2978 [NFTA_RULE_POSITION] = { .type = NLA_U64 }, 2979 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY, 2980 .len = NFT_USERDATA_MAXLEN }, 2981 [NFTA_RULE_ID] = { .type = NLA_U32 }, 2982 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 }, 2983 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 }, 2984}; 2985 2986static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net, 2987 u32 portid, u32 seq, int event, 2988 u32 flags, int family, 2989 const struct nft_table *table, 2990 const struct nft_chain *chain, 2991 const struct nft_rule *rule, u64 handle) 2992{ 2993 struct nlmsghdr *nlh; 2994 const struct nft_expr *expr, *next; 2995 struct nlattr *list; 2996 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 2997 2998 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0, 2999 nft_base_seq(net)); 3000 if (!nlh) 3001 goto nla_put_failure; 3002 3003 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name)) 3004 goto nla_put_failure; 3005 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name)) 3006 goto nla_put_failure; 3007 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle), 3008 NFTA_RULE_PAD)) 3009 goto nla_put_failure; 3010 3011 if (event != NFT_MSG_DELRULE && handle) { 3012 if (nla_put_be64(skb, NFTA_RULE_POSITION, cpu_to_be64(handle), 3013 NFTA_RULE_PAD)) 3014 goto nla_put_failure; 3015 } 3016 3017 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) 3018 nft_flow_rule_stats(chain, rule); 3019 3020 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS); 3021 if (list == NULL) 3022 goto nla_put_failure; 3023 nft_rule_for_each_expr(expr, next, rule) { 3024 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0) 3025 goto nla_put_failure; 3026 } 3027 nla_nest_end(skb, list); 3028 3029 if (rule->udata) { 3030 struct nft_userdata *udata = nft_userdata(rule); 3031 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1, 3032 udata->data) < 0) 3033 goto nla_put_failure; 3034 } 3035 3036 nlmsg_end(skb, nlh); 3037 return 0; 3038 3039nla_put_failure: 3040 nlmsg_trim(skb, nlh); 3041 return -1; 3042} 3043 3044static void nf_tables_rule_notify(const struct nft_ctx *ctx, 3045 const struct nft_rule *rule, int event) 3046{ 3047 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 3048 const struct nft_rule *prule; 3049 struct sk_buff *skb; 3050 u64 handle = 0; 3051 u16 flags = 0; 3052 int err; 3053 3054 if (!ctx->report && 3055 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 3056 return; 3057 3058 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 3059 if (skb == NULL) 3060 goto err; 3061 3062 if (event == NFT_MSG_NEWRULE && 3063 !list_is_first(&rule->list, &ctx->chain->rules) && 3064 !list_is_last(&rule->list, &ctx->chain->rules)) { 3065 prule = list_prev_entry(rule, list); 3066 handle = prule->handle; 3067 } 3068 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE)) 3069 flags |= NLM_F_APPEND; 3070 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 3071 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 3072 3073 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq, 3074 event, flags, ctx->family, ctx->table, 3075 ctx->chain, rule, handle); 3076 if (err < 0) { 3077 kfree_skb(skb); 3078 goto err; 3079 } 3080 3081 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 3082 return; 3083err: 3084 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 3085} 3086 3087struct nft_rule_dump_ctx { 3088 char *table; 3089 char *chain; 3090}; 3091 3092static int __nf_tables_dump_rules(struct sk_buff *skb, 3093 unsigned int *idx, 3094 struct netlink_callback *cb, 3095 const struct nft_table *table, 3096 const struct nft_chain *chain) 3097{ 3098 struct net *net = sock_net(skb->sk); 3099 const struct nft_rule *rule, *prule; 3100 unsigned int s_idx = cb->args[0]; 3101 u64 handle; 3102 3103 prule = NULL; 3104 list_for_each_entry_rcu(rule, &chain->rules, list) { 3105 if (!nft_is_active(net, rule)) 3106 goto cont_skip; 3107 if (*idx < s_idx) 3108 goto cont; 3109 if (*idx > s_idx) { 3110 memset(&cb->args[1], 0, 3111 sizeof(cb->args) - sizeof(cb->args[0])); 3112 } 3113 if (prule) 3114 handle = prule->handle; 3115 else 3116 handle = 0; 3117 3118 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid, 3119 cb->nlh->nlmsg_seq, 3120 NFT_MSG_NEWRULE, 3121 NLM_F_MULTI | NLM_F_APPEND, 3122 table->family, 3123 table, chain, rule, handle) < 0) 3124 return 1; 3125 3126 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 3127cont: 3128 prule = rule; 3129cont_skip: 3130 (*idx)++; 3131 } 3132 return 0; 3133} 3134 3135static int nf_tables_dump_rules(struct sk_buff *skb, 3136 struct netlink_callback *cb) 3137{ 3138 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 3139 const struct nft_rule_dump_ctx *ctx = cb->data; 3140 struct nft_table *table; 3141 const struct nft_chain *chain; 3142 unsigned int idx = 0; 3143 struct net *net = sock_net(skb->sk); 3144 int family = nfmsg->nfgen_family; 3145 struct nftables_pernet *nft_net; 3146 3147 rcu_read_lock(); 3148 nft_net = nft_pernet(net); 3149 cb->seq = nft_net->base_seq; 3150 3151 list_for_each_entry_rcu(table, &nft_net->tables, list) { 3152 if (family != NFPROTO_UNSPEC && family != table->family) 3153 continue; 3154 3155 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0) 3156 continue; 3157 3158 if (ctx && ctx->table && ctx->chain) { 3159 struct rhlist_head *list, *tmp; 3160 3161 list = rhltable_lookup(&table->chains_ht, ctx->chain, 3162 nft_chain_ht_params); 3163 if (!list) 3164 goto done; 3165 3166 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) { 3167 if (!nft_is_active(net, chain)) 3168 continue; 3169 __nf_tables_dump_rules(skb, &idx, 3170 cb, table, chain); 3171 break; 3172 } 3173 goto done; 3174 } 3175 3176 list_for_each_entry_rcu(chain, &table->chains, list) { 3177 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain)) 3178 goto done; 3179 } 3180 3181 if (ctx && ctx->table) 3182 break; 3183 } 3184done: 3185 rcu_read_unlock(); 3186 3187 cb->args[0] = idx; 3188 return skb->len; 3189} 3190 3191static int nf_tables_dump_rules_start(struct netlink_callback *cb) 3192{ 3193 const struct nlattr * const *nla = cb->data; 3194 struct nft_rule_dump_ctx *ctx = NULL; 3195 3196 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) { 3197 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC); 3198 if (!ctx) 3199 return -ENOMEM; 3200 3201 if (nla[NFTA_RULE_TABLE]) { 3202 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE], 3203 GFP_ATOMIC); 3204 if (!ctx->table) { 3205 kfree(ctx); 3206 return -ENOMEM; 3207 } 3208 } 3209 if (nla[NFTA_RULE_CHAIN]) { 3210 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN], 3211 GFP_ATOMIC); 3212 if (!ctx->chain) { 3213 kfree(ctx->table); 3214 kfree(ctx); 3215 return -ENOMEM; 3216 } 3217 } 3218 } 3219 3220 cb->data = ctx; 3221 return 0; 3222} 3223 3224static int nf_tables_dump_rules_done(struct netlink_callback *cb) 3225{ 3226 struct nft_rule_dump_ctx *ctx = cb->data; 3227 3228 if (ctx) { 3229 kfree(ctx->table); 3230 kfree(ctx->chain); 3231 kfree(ctx); 3232 } 3233 return 0; 3234} 3235 3236/* called with rcu_read_lock held */ 3237static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info, 3238 const struct nlattr * const nla[]) 3239{ 3240 struct netlink_ext_ack *extack = info->extack; 3241 u8 genmask = nft_genmask_cur(info->net); 3242 u8 family = info->nfmsg->nfgen_family; 3243 const struct nft_chain *chain; 3244 const struct nft_rule *rule; 3245 struct net *net = info->net; 3246 struct nft_table *table; 3247 struct sk_buff *skb2; 3248 int err; 3249 3250 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 3251 struct netlink_dump_control c = { 3252 .start= nf_tables_dump_rules_start, 3253 .dump = nf_tables_dump_rules, 3254 .done = nf_tables_dump_rules_done, 3255 .module = THIS_MODULE, 3256 .data = (void *)nla, 3257 }; 3258 3259 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 3260 } 3261 3262 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0); 3263 if (IS_ERR(table)) { 3264 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 3265 return PTR_ERR(table); 3266 } 3267 3268 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask); 3269 if (IS_ERR(chain)) { 3270 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 3271 return PTR_ERR(chain); 3272 } 3273 3274 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]); 3275 if (IS_ERR(rule)) { 3276 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3277 return PTR_ERR(rule); 3278 } 3279 3280 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 3281 if (!skb2) 3282 return -ENOMEM; 3283 3284 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid, 3285 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0, 3286 family, table, chain, rule, 0); 3287 if (err < 0) 3288 goto err_fill_rule_info; 3289 3290 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 3291 3292err_fill_rule_info: 3293 kfree_skb(skb2); 3294 return err; 3295} 3296 3297static void nf_tables_rule_destroy(const struct nft_ctx *ctx, 3298 struct nft_rule *rule) 3299{ 3300 struct nft_expr *expr, *next; 3301 3302 /* 3303 * Careful: some expressions might not be initialized in case this 3304 * is called on error from nf_tables_newrule(). 3305 */ 3306 expr = nft_expr_first(rule); 3307 while (nft_expr_more(rule, expr)) { 3308 next = nft_expr_next(expr); 3309 nf_tables_expr_destroy(ctx, expr); 3310 expr = next; 3311 } 3312 kfree(rule); 3313} 3314 3315void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule) 3316{ 3317 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE); 3318 nf_tables_rule_destroy(ctx, rule); 3319} 3320 3321int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain) 3322{ 3323 struct nft_expr *expr, *last; 3324 const struct nft_data *data; 3325 struct nft_rule *rule; 3326 int err; 3327 3328 if (ctx->level == NFT_JUMP_STACK_SIZE) 3329 return -EMLINK; 3330 3331 list_for_each_entry(rule, &chain->rules, list) { 3332 if (!nft_is_active_next(ctx->net, rule)) 3333 continue; 3334 3335 nft_rule_for_each_expr(expr, last, rule) { 3336 if (!expr->ops->validate) 3337 continue; 3338 3339 err = expr->ops->validate(ctx, expr, &data); 3340 if (err < 0) 3341 return err; 3342 } 3343 } 3344 3345 return 0; 3346} 3347EXPORT_SYMBOL_GPL(nft_chain_validate); 3348 3349static int nft_table_validate(struct net *net, const struct nft_table *table) 3350{ 3351 struct nft_chain *chain; 3352 struct nft_ctx ctx = { 3353 .net = net, 3354 .family = table->family, 3355 }; 3356 int err; 3357 3358 list_for_each_entry(chain, &table->chains, list) { 3359 if (!nft_is_base_chain(chain)) 3360 continue; 3361 3362 ctx.chain = chain; 3363 err = nft_chain_validate(&ctx, chain); 3364 if (err < 0) 3365 return err; 3366 } 3367 3368 return 0; 3369} 3370 3371static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 3372 const struct nlattr *nla); 3373 3374#define NFT_RULE_MAXEXPRS 128 3375 3376static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, 3377 const struct nlattr * const nla[]) 3378{ 3379 struct nftables_pernet *nft_net = nft_pernet(info->net); 3380 struct netlink_ext_ack *extack = info->extack; 3381 unsigned int size, i, n, ulen = 0, usize = 0; 3382 u8 genmask = nft_genmask_next(info->net); 3383 struct nft_rule *rule, *old_rule = NULL; 3384 struct nft_expr_info *expr_info = NULL; 3385 u8 family = info->nfmsg->nfgen_family; 3386 struct nft_flow_rule *flow = NULL; 3387 struct net *net = info->net; 3388 struct nft_userdata *udata; 3389 struct nft_table *table; 3390 struct nft_chain *chain; 3391 struct nft_trans *trans; 3392 u64 handle, pos_handle; 3393 struct nft_expr *expr; 3394 struct nft_ctx ctx; 3395 struct nlattr *tmp; 3396 int err, rem; 3397 3398 lockdep_assert_held(&nft_net->commit_mutex); 3399 3400 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 3401 NETLINK_CB(skb).portid); 3402 if (IS_ERR(table)) { 3403 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 3404 return PTR_ERR(table); 3405 } 3406 3407 if (nla[NFTA_RULE_CHAIN]) { 3408 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], 3409 genmask); 3410 if (IS_ERR(chain)) { 3411 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 3412 return PTR_ERR(chain); 3413 } 3414 if (nft_chain_is_bound(chain)) 3415 return -EOPNOTSUPP; 3416 3417 } else if (nla[NFTA_RULE_CHAIN_ID]) { 3418 chain = nft_chain_lookup_byid(net, nla[NFTA_RULE_CHAIN_ID]); 3419 if (IS_ERR(chain)) { 3420 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]); 3421 return PTR_ERR(chain); 3422 } 3423 } else { 3424 return -EINVAL; 3425 } 3426 3427 if (nla[NFTA_RULE_HANDLE]) { 3428 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE])); 3429 rule = __nft_rule_lookup(chain, handle); 3430 if (IS_ERR(rule)) { 3431 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3432 return PTR_ERR(rule); 3433 } 3434 3435 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 3436 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3437 return -EEXIST; 3438 } 3439 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 3440 old_rule = rule; 3441 else 3442 return -EOPNOTSUPP; 3443 } else { 3444 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) || 3445 info->nlh->nlmsg_flags & NLM_F_REPLACE) 3446 return -EINVAL; 3447 handle = nf_tables_alloc_handle(table); 3448 3449 if (chain->use == UINT_MAX) 3450 return -EOVERFLOW; 3451 3452 if (nla[NFTA_RULE_POSITION]) { 3453 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION])); 3454 old_rule = __nft_rule_lookup(chain, pos_handle); 3455 if (IS_ERR(old_rule)) { 3456 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]); 3457 return PTR_ERR(old_rule); 3458 } 3459 } else if (nla[NFTA_RULE_POSITION_ID]) { 3460 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]); 3461 if (IS_ERR(old_rule)) { 3462 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]); 3463 return PTR_ERR(old_rule); 3464 } 3465 } 3466 } 3467 3468 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 3469 3470 n = 0; 3471 size = 0; 3472 if (nla[NFTA_RULE_EXPRESSIONS]) { 3473 expr_info = kvmalloc_array(NFT_RULE_MAXEXPRS, 3474 sizeof(struct nft_expr_info), 3475 GFP_KERNEL); 3476 if (!expr_info) 3477 return -ENOMEM; 3478 3479 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) { 3480 err = -EINVAL; 3481 if (nla_type(tmp) != NFTA_LIST_ELEM) 3482 goto err_release_expr; 3483 if (n == NFT_RULE_MAXEXPRS) 3484 goto err_release_expr; 3485 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]); 3486 if (err < 0) { 3487 NL_SET_BAD_ATTR(extack, tmp); 3488 goto err_release_expr; 3489 } 3490 size += expr_info[n].ops->size; 3491 n++; 3492 } 3493 } 3494 /* Check for overflow of dlen field */ 3495 err = -EFBIG; 3496 if (size >= 1 << 12) 3497 goto err_release_expr; 3498 3499 if (nla[NFTA_RULE_USERDATA]) { 3500 ulen = nla_len(nla[NFTA_RULE_USERDATA]); 3501 if (ulen > 0) 3502 usize = sizeof(struct nft_userdata) + ulen; 3503 } 3504 3505 err = -ENOMEM; 3506 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT); 3507 if (rule == NULL) 3508 goto err_release_expr; 3509 3510 nft_activate_next(net, rule); 3511 3512 rule->handle = handle; 3513 rule->dlen = size; 3514 rule->udata = ulen ? 1 : 0; 3515 3516 if (ulen) { 3517 udata = nft_userdata(rule); 3518 udata->len = ulen - 1; 3519 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen); 3520 } 3521 3522 expr = nft_expr_first(rule); 3523 for (i = 0; i < n; i++) { 3524 err = nf_tables_newexpr(&ctx, &expr_info[i], expr); 3525 if (err < 0) { 3526 NL_SET_BAD_ATTR(extack, expr_info[i].attr); 3527 goto err_release_rule; 3528 } 3529 3530 if (expr_info[i].ops->validate) 3531 nft_validate_state_update(net, NFT_VALIDATE_NEED); 3532 3533 expr_info[i].ops = NULL; 3534 expr = nft_expr_next(expr); 3535 } 3536 3537 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) { 3538 flow = nft_flow_rule_create(net, rule); 3539 if (IS_ERR(flow)) { 3540 err = PTR_ERR(flow); 3541 goto err_release_rule; 3542 } 3543 } 3544 3545 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) { 3546 err = nft_delrule(&ctx, old_rule); 3547 if (err < 0) 3548 goto err_destroy_flow_rule; 3549 3550 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); 3551 if (trans == NULL) { 3552 err = -ENOMEM; 3553 goto err_destroy_flow_rule; 3554 } 3555 list_add_tail_rcu(&rule->list, &old_rule->list); 3556 } else { 3557 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); 3558 if (!trans) { 3559 err = -ENOMEM; 3560 goto err_destroy_flow_rule; 3561 } 3562 3563 if (info->nlh->nlmsg_flags & NLM_F_APPEND) { 3564 if (old_rule) 3565 list_add_rcu(&rule->list, &old_rule->list); 3566 else 3567 list_add_tail_rcu(&rule->list, &chain->rules); 3568 } else { 3569 if (old_rule) 3570 list_add_tail_rcu(&rule->list, &old_rule->list); 3571 else 3572 list_add_rcu(&rule->list, &chain->rules); 3573 } 3574 } 3575 kvfree(expr_info); 3576 chain->use++; 3577 3578 if (flow) 3579 nft_trans_flow_rule(trans) = flow; 3580 3581 if (nft_net->validate_state == NFT_VALIDATE_DO) 3582 return nft_table_validate(net, table); 3583 3584 return 0; 3585 3586err_destroy_flow_rule: 3587 if (flow) 3588 nft_flow_rule_destroy(flow); 3589err_release_rule: 3590 nf_tables_rule_release(&ctx, rule); 3591err_release_expr: 3592 for (i = 0; i < n; i++) { 3593 if (expr_info[i].ops) { 3594 module_put(expr_info[i].ops->type->owner); 3595 if (expr_info[i].ops->type->release_ops) 3596 expr_info[i].ops->type->release_ops(expr_info[i].ops); 3597 } 3598 } 3599 kvfree(expr_info); 3600 3601 return err; 3602} 3603 3604static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 3605 const struct nlattr *nla) 3606{ 3607 struct nftables_pernet *nft_net = nft_pernet(net); 3608 u32 id = ntohl(nla_get_be32(nla)); 3609 struct nft_trans *trans; 3610 3611 list_for_each_entry(trans, &nft_net->commit_list, list) { 3612 struct nft_rule *rule = nft_trans_rule(trans); 3613 3614 if (trans->msg_type == NFT_MSG_NEWRULE && 3615 id == nft_trans_rule_id(trans)) 3616 return rule; 3617 } 3618 return ERR_PTR(-ENOENT); 3619} 3620 3621static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info, 3622 const struct nlattr * const nla[]) 3623{ 3624 struct netlink_ext_ack *extack = info->extack; 3625 u8 genmask = nft_genmask_next(info->net); 3626 u8 family = info->nfmsg->nfgen_family; 3627 struct nft_chain *chain = NULL; 3628 struct net *net = info->net; 3629 struct nft_table *table; 3630 struct nft_rule *rule; 3631 struct nft_ctx ctx; 3632 int err = 0; 3633 3634 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 3635 NETLINK_CB(skb).portid); 3636 if (IS_ERR(table)) { 3637 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 3638 return PTR_ERR(table); 3639 } 3640 3641 if (nla[NFTA_RULE_CHAIN]) { 3642 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], 3643 genmask); 3644 if (IS_ERR(chain)) { 3645 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 3646 return PTR_ERR(chain); 3647 } 3648 if (nft_chain_is_bound(chain)) 3649 return -EOPNOTSUPP; 3650 } 3651 3652 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla); 3653 3654 if (chain) { 3655 if (nla[NFTA_RULE_HANDLE]) { 3656 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]); 3657 if (IS_ERR(rule)) { 3658 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3659 return PTR_ERR(rule); 3660 } 3661 3662 err = nft_delrule(&ctx, rule); 3663 } else if (nla[NFTA_RULE_ID]) { 3664 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]); 3665 if (IS_ERR(rule)) { 3666 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]); 3667 return PTR_ERR(rule); 3668 } 3669 3670 err = nft_delrule(&ctx, rule); 3671 } else { 3672 err = nft_delrule_by_chain(&ctx); 3673 } 3674 } else { 3675 list_for_each_entry(chain, &table->chains, list) { 3676 if (!nft_is_active_next(net, chain)) 3677 continue; 3678 3679 ctx.chain = chain; 3680 err = nft_delrule_by_chain(&ctx); 3681 if (err < 0) 3682 break; 3683 } 3684 } 3685 3686 return err; 3687} 3688 3689/* 3690 * Sets 3691 */ 3692static const struct nft_set_type *nft_set_types[] = { 3693 &nft_set_hash_fast_type, 3694 &nft_set_hash_type, 3695 &nft_set_rhash_type, 3696 &nft_set_bitmap_type, 3697 &nft_set_rbtree_type, 3698#if defined(CONFIG_X86_64) && !defined(CONFIG_UML) 3699 &nft_set_pipapo_avx2_type, 3700#endif 3701 &nft_set_pipapo_type, 3702}; 3703 3704#define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \ 3705 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \ 3706 NFT_SET_EVAL) 3707 3708static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags) 3709{ 3710 return (flags & type->features) == (flags & NFT_SET_FEATURES); 3711} 3712 3713/* 3714 * Select a set implementation based on the data characteristics and the 3715 * given policy. The total memory use might not be known if no size is 3716 * given, in that case the amount of memory per element is used. 3717 */ 3718static const struct nft_set_ops * 3719nft_select_set_ops(const struct nft_ctx *ctx, 3720 const struct nlattr * const nla[], 3721 const struct nft_set_desc *desc, 3722 enum nft_set_policies policy) 3723{ 3724 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 3725 const struct nft_set_ops *ops, *bops; 3726 struct nft_set_estimate est, best; 3727 const struct nft_set_type *type; 3728 u32 flags = 0; 3729 int i; 3730 3731 lockdep_assert_held(&nft_net->commit_mutex); 3732 lockdep_nfnl_nft_mutex_not_held(); 3733 3734 if (nla[NFTA_SET_FLAGS] != NULL) 3735 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); 3736 3737 bops = NULL; 3738 best.size = ~0; 3739 best.lookup = ~0; 3740 best.space = ~0; 3741 3742 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) { 3743 type = nft_set_types[i]; 3744 ops = &type->ops; 3745 3746 if (!nft_set_ops_candidate(type, flags)) 3747 continue; 3748 if (!ops->estimate(desc, flags, &est)) 3749 continue; 3750 3751 switch (policy) { 3752 case NFT_SET_POL_PERFORMANCE: 3753 if (est.lookup < best.lookup) 3754 break; 3755 if (est.lookup == best.lookup && 3756 est.space < best.space) 3757 break; 3758 continue; 3759 case NFT_SET_POL_MEMORY: 3760 if (!desc->size) { 3761 if (est.space < best.space) 3762 break; 3763 if (est.space == best.space && 3764 est.lookup < best.lookup) 3765 break; 3766 } else if (est.size < best.size || !bops) { 3767 break; 3768 } 3769 continue; 3770 default: 3771 break; 3772 } 3773 3774 bops = ops; 3775 best = est; 3776 } 3777 3778 if (bops != NULL) 3779 return bops; 3780 3781 return ERR_PTR(-EOPNOTSUPP); 3782} 3783 3784static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = { 3785 [NFTA_SET_TABLE] = { .type = NLA_STRING, 3786 .len = NFT_TABLE_MAXNAMELEN - 1 }, 3787 [NFTA_SET_NAME] = { .type = NLA_STRING, 3788 .len = NFT_SET_MAXNAMELEN - 1 }, 3789 [NFTA_SET_FLAGS] = { .type = NLA_U32 }, 3790 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 }, 3791 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 }, 3792 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 }, 3793 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 }, 3794 [NFTA_SET_POLICY] = { .type = NLA_U32 }, 3795 [NFTA_SET_DESC] = { .type = NLA_NESTED }, 3796 [NFTA_SET_ID] = { .type = NLA_U32 }, 3797 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 }, 3798 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 }, 3799 [NFTA_SET_USERDATA] = { .type = NLA_BINARY, 3800 .len = NFT_USERDATA_MAXLEN }, 3801 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 }, 3802 [NFTA_SET_HANDLE] = { .type = NLA_U64 }, 3803 [NFTA_SET_EXPR] = { .type = NLA_NESTED }, 3804 [NFTA_SET_EXPRESSIONS] = { .type = NLA_NESTED }, 3805}; 3806 3807static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = { 3808 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 }, 3809 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED }, 3810}; 3811 3812static struct nft_set *nft_set_lookup(const struct nft_table *table, 3813 const struct nlattr *nla, u8 genmask) 3814{ 3815 struct nft_set *set; 3816 3817 if (nla == NULL) 3818 return ERR_PTR(-EINVAL); 3819 3820 list_for_each_entry_rcu(set, &table->sets, list) { 3821 if (!nla_strcmp(nla, set->name) && 3822 nft_active_genmask(set, genmask)) 3823 return set; 3824 } 3825 return ERR_PTR(-ENOENT); 3826} 3827 3828static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table, 3829 const struct nlattr *nla, 3830 u8 genmask) 3831{ 3832 struct nft_set *set; 3833 3834 list_for_each_entry(set, &table->sets, list) { 3835 if (be64_to_cpu(nla_get_be64(nla)) == set->handle && 3836 nft_active_genmask(set, genmask)) 3837 return set; 3838 } 3839 return ERR_PTR(-ENOENT); 3840} 3841 3842static struct nft_set *nft_set_lookup_byid(const struct net *net, 3843 const struct nlattr *nla, u8 genmask) 3844{ 3845 struct nftables_pernet *nft_net = nft_pernet(net); 3846 u32 id = ntohl(nla_get_be32(nla)); 3847 struct nft_trans *trans; 3848 3849 list_for_each_entry(trans, &nft_net->commit_list, list) { 3850 if (trans->msg_type == NFT_MSG_NEWSET) { 3851 struct nft_set *set = nft_trans_set(trans); 3852 3853 if (id == nft_trans_set_id(trans) && 3854 nft_active_genmask(set, genmask)) 3855 return set; 3856 } 3857 } 3858 return ERR_PTR(-ENOENT); 3859} 3860 3861struct nft_set *nft_set_lookup_global(const struct net *net, 3862 const struct nft_table *table, 3863 const struct nlattr *nla_set_name, 3864 const struct nlattr *nla_set_id, 3865 u8 genmask) 3866{ 3867 struct nft_set *set; 3868 3869 set = nft_set_lookup(table, nla_set_name, genmask); 3870 if (IS_ERR(set)) { 3871 if (!nla_set_id) 3872 return set; 3873 3874 set = nft_set_lookup_byid(net, nla_set_id, genmask); 3875 } 3876 return set; 3877} 3878EXPORT_SYMBOL_GPL(nft_set_lookup_global); 3879 3880static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set, 3881 const char *name) 3882{ 3883 const struct nft_set *i; 3884 const char *p; 3885 unsigned long *inuse; 3886 unsigned int n = 0, min = 0; 3887 3888 p = strchr(name, '%'); 3889 if (p != NULL) { 3890 if (p[1] != 'd' || strchr(p + 2, '%')) 3891 return -EINVAL; 3892 3893 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL); 3894 if (inuse == NULL) 3895 return -ENOMEM; 3896cont: 3897 list_for_each_entry(i, &ctx->table->sets, list) { 3898 int tmp; 3899 3900 if (!nft_is_active_next(ctx->net, set)) 3901 continue; 3902 if (!sscanf(i->name, name, &tmp)) 3903 continue; 3904 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE) 3905 continue; 3906 3907 set_bit(tmp - min, inuse); 3908 } 3909 3910 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE); 3911 if (n >= BITS_PER_BYTE * PAGE_SIZE) { 3912 min += BITS_PER_BYTE * PAGE_SIZE; 3913 memset(inuse, 0, PAGE_SIZE); 3914 goto cont; 3915 } 3916 free_page((unsigned long)inuse); 3917 } 3918 3919 set->name = kasprintf(GFP_KERNEL_ACCOUNT, name, min + n); 3920 if (!set->name) 3921 return -ENOMEM; 3922 3923 list_for_each_entry(i, &ctx->table->sets, list) { 3924 if (!nft_is_active_next(ctx->net, i)) 3925 continue; 3926 if (!strcmp(set->name, i->name)) { 3927 kfree(set->name); 3928 set->name = NULL; 3929 return -ENFILE; 3930 } 3931 } 3932 return 0; 3933} 3934 3935int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result) 3936{ 3937 u64 ms = be64_to_cpu(nla_get_be64(nla)); 3938 u64 max = (u64)(~((u64)0)); 3939 3940 max = div_u64(max, NSEC_PER_MSEC); 3941 if (ms >= max) 3942 return -ERANGE; 3943 3944 ms *= NSEC_PER_MSEC; 3945 *result = nsecs_to_jiffies64(ms); 3946 return 0; 3947} 3948 3949__be64 nf_jiffies64_to_msecs(u64 input) 3950{ 3951 return cpu_to_be64(jiffies64_to_msecs(input)); 3952} 3953 3954static int nf_tables_fill_set_concat(struct sk_buff *skb, 3955 const struct nft_set *set) 3956{ 3957 struct nlattr *concat, *field; 3958 int i; 3959 3960 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT); 3961 if (!concat) 3962 return -ENOMEM; 3963 3964 for (i = 0; i < set->field_count; i++) { 3965 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM); 3966 if (!field) 3967 return -ENOMEM; 3968 3969 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN, 3970 htonl(set->field_len[i]))) 3971 return -ENOMEM; 3972 3973 nla_nest_end(skb, field); 3974 } 3975 3976 nla_nest_end(skb, concat); 3977 3978 return 0; 3979} 3980 3981static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx, 3982 const struct nft_set *set, u16 event, u16 flags) 3983{ 3984 struct nlmsghdr *nlh; 3985 u32 portid = ctx->portid; 3986 struct nlattr *nest; 3987 u32 seq = ctx->seq; 3988 int i; 3989 3990 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 3991 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family, 3992 NFNETLINK_V0, nft_base_seq(ctx->net)); 3993 if (!nlh) 3994 goto nla_put_failure; 3995 3996 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 3997 goto nla_put_failure; 3998 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 3999 goto nla_put_failure; 4000 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle), 4001 NFTA_SET_PAD)) 4002 goto nla_put_failure; 4003 if (set->flags != 0) 4004 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags))) 4005 goto nla_put_failure; 4006 4007 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype))) 4008 goto nla_put_failure; 4009 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen))) 4010 goto nla_put_failure; 4011 if (set->flags & NFT_SET_MAP) { 4012 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype))) 4013 goto nla_put_failure; 4014 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen))) 4015 goto nla_put_failure; 4016 } 4017 if (set->flags & NFT_SET_OBJECT && 4018 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype))) 4019 goto nla_put_failure; 4020 4021 if (set->timeout && 4022 nla_put_be64(skb, NFTA_SET_TIMEOUT, 4023 nf_jiffies64_to_msecs(set->timeout), 4024 NFTA_SET_PAD)) 4025 goto nla_put_failure; 4026 if (set->gc_int && 4027 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int))) 4028 goto nla_put_failure; 4029 4030 if (set->policy != NFT_SET_POL_PERFORMANCE) { 4031 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy))) 4032 goto nla_put_failure; 4033 } 4034 4035 if (set->udata && 4036 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata)) 4037 goto nla_put_failure; 4038 4039 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC); 4040 if (!nest) 4041 goto nla_put_failure; 4042 if (set->size && 4043 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size))) 4044 goto nla_put_failure; 4045 4046 if (set->field_count > 1 && 4047 nf_tables_fill_set_concat(skb, set)) 4048 goto nla_put_failure; 4049 4050 nla_nest_end(skb, nest); 4051 4052 if (set->num_exprs == 1) { 4053 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR); 4054 if (nf_tables_fill_expr_info(skb, set->exprs[0]) < 0) 4055 goto nla_put_failure; 4056 4057 nla_nest_end(skb, nest); 4058 } else if (set->num_exprs > 1) { 4059 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS); 4060 if (nest == NULL) 4061 goto nla_put_failure; 4062 4063 for (i = 0; i < set->num_exprs; i++) { 4064 if (nft_expr_dump(skb, NFTA_LIST_ELEM, 4065 set->exprs[i]) < 0) 4066 goto nla_put_failure; 4067 } 4068 nla_nest_end(skb, nest); 4069 } 4070 4071 nlmsg_end(skb, nlh); 4072 return 0; 4073 4074nla_put_failure: 4075 nlmsg_trim(skb, nlh); 4076 return -1; 4077} 4078 4079static void nf_tables_set_notify(const struct nft_ctx *ctx, 4080 const struct nft_set *set, int event, 4081 gfp_t gfp_flags) 4082{ 4083 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 4084 u32 portid = ctx->portid; 4085 struct sk_buff *skb; 4086 u16 flags = 0; 4087 int err; 4088 4089 if (!ctx->report && 4090 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 4091 return; 4092 4093 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags); 4094 if (skb == NULL) 4095 goto err; 4096 4097 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 4098 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 4099 4100 err = nf_tables_fill_set(skb, ctx, set, event, flags); 4101 if (err < 0) { 4102 kfree_skb(skb); 4103 goto err; 4104 } 4105 4106 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 4107 return; 4108err: 4109 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 4110} 4111 4112static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb) 4113{ 4114 const struct nft_set *set; 4115 unsigned int idx, s_idx = cb->args[0]; 4116 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2]; 4117 struct net *net = sock_net(skb->sk); 4118 struct nft_ctx *ctx = cb->data, ctx_set; 4119 struct nftables_pernet *nft_net; 4120 4121 if (cb->args[1]) 4122 return skb->len; 4123 4124 rcu_read_lock(); 4125 nft_net = nft_pernet(net); 4126 cb->seq = nft_net->base_seq; 4127 4128 list_for_each_entry_rcu(table, &nft_net->tables, list) { 4129 if (ctx->family != NFPROTO_UNSPEC && 4130 ctx->family != table->family) 4131 continue; 4132 4133 if (ctx->table && ctx->table != table) 4134 continue; 4135 4136 if (cur_table) { 4137 if (cur_table != table) 4138 continue; 4139 4140 cur_table = NULL; 4141 } 4142 idx = 0; 4143 list_for_each_entry_rcu(set, &table->sets, list) { 4144 if (idx < s_idx) 4145 goto cont; 4146 if (!nft_is_active(net, set)) 4147 goto cont; 4148 4149 ctx_set = *ctx; 4150 ctx_set.table = table; 4151 ctx_set.family = table->family; 4152 4153 if (nf_tables_fill_set(skb, &ctx_set, set, 4154 NFT_MSG_NEWSET, 4155 NLM_F_MULTI) < 0) { 4156 cb->args[0] = idx; 4157 cb->args[2] = (unsigned long) table; 4158 goto done; 4159 } 4160 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 4161cont: 4162 idx++; 4163 } 4164 if (s_idx) 4165 s_idx = 0; 4166 } 4167 cb->args[1] = 1; 4168done: 4169 rcu_read_unlock(); 4170 return skb->len; 4171} 4172 4173static int nf_tables_dump_sets_start(struct netlink_callback *cb) 4174{ 4175 struct nft_ctx *ctx_dump = NULL; 4176 4177 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC); 4178 if (ctx_dump == NULL) 4179 return -ENOMEM; 4180 4181 cb->data = ctx_dump; 4182 return 0; 4183} 4184 4185static int nf_tables_dump_sets_done(struct netlink_callback *cb) 4186{ 4187 kfree(cb->data); 4188 return 0; 4189} 4190 4191/* called with rcu_read_lock held */ 4192static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info, 4193 const struct nlattr * const nla[]) 4194{ 4195 struct netlink_ext_ack *extack = info->extack; 4196 u8 genmask = nft_genmask_cur(info->net); 4197 u8 family = info->nfmsg->nfgen_family; 4198 struct nft_table *table = NULL; 4199 struct net *net = info->net; 4200 const struct nft_set *set; 4201 struct sk_buff *skb2; 4202 struct nft_ctx ctx; 4203 int err; 4204 4205 if (nla[NFTA_SET_TABLE]) { 4206 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, 4207 genmask, 0); 4208 if (IS_ERR(table)) { 4209 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 4210 return PTR_ERR(table); 4211 } 4212 } 4213 4214 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 4215 4216 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 4217 struct netlink_dump_control c = { 4218 .start = nf_tables_dump_sets_start, 4219 .dump = nf_tables_dump_sets, 4220 .done = nf_tables_dump_sets_done, 4221 .data = &ctx, 4222 .module = THIS_MODULE, 4223 }; 4224 4225 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 4226 } 4227 4228 /* Only accept unspec with dump */ 4229 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC) 4230 return -EAFNOSUPPORT; 4231 if (!nla[NFTA_SET_TABLE]) 4232 return -EINVAL; 4233 4234 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask); 4235 if (IS_ERR(set)) 4236 return PTR_ERR(set); 4237 4238 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 4239 if (skb2 == NULL) 4240 return -ENOMEM; 4241 4242 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0); 4243 if (err < 0) 4244 goto err_fill_set_info; 4245 4246 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 4247 4248err_fill_set_info: 4249 kfree_skb(skb2); 4250 return err; 4251} 4252 4253static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = { 4254 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 }, 4255}; 4256 4257static int nft_set_desc_concat_parse(const struct nlattr *attr, 4258 struct nft_set_desc *desc) 4259{ 4260 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1]; 4261 u32 len; 4262 int err; 4263 4264 if (desc->field_count >= ARRAY_SIZE(desc->field_len)) 4265 return -E2BIG; 4266 4267 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr, 4268 nft_concat_policy, NULL); 4269 if (err < 0) 4270 return err; 4271 4272 if (!tb[NFTA_SET_FIELD_LEN]) 4273 return -EINVAL; 4274 4275 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN])); 4276 if (!len || len > U8_MAX) 4277 return -EINVAL; 4278 4279 desc->field_len[desc->field_count++] = len; 4280 4281 return 0; 4282} 4283 4284static int nft_set_desc_concat(struct nft_set_desc *desc, 4285 const struct nlattr *nla) 4286{ 4287 struct nlattr *attr; 4288 u32 num_regs = 0; 4289 int rem, err, i; 4290 4291 nla_for_each_nested(attr, nla, rem) { 4292 if (nla_type(attr) != NFTA_LIST_ELEM) 4293 return -EINVAL; 4294 4295 err = nft_set_desc_concat_parse(attr, desc); 4296 if (err < 0) 4297 return err; 4298 } 4299 4300 for (i = 0; i < desc->field_count; i++) 4301 num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32)); 4302 4303 if (num_regs > NFT_REG32_COUNT) 4304 return -E2BIG; 4305 4306 return 0; 4307} 4308 4309static int nf_tables_set_desc_parse(struct nft_set_desc *desc, 4310 const struct nlattr *nla) 4311{ 4312 struct nlattr *da[NFTA_SET_DESC_MAX + 1]; 4313 int err; 4314 4315 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla, 4316 nft_set_desc_policy, NULL); 4317 if (err < 0) 4318 return err; 4319 4320 if (da[NFTA_SET_DESC_SIZE] != NULL) 4321 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE])); 4322 if (da[NFTA_SET_DESC_CONCAT]) 4323 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]); 4324 4325 return err; 4326} 4327 4328static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, 4329 const struct nlattr * const nla[]) 4330{ 4331 u32 ktype, dtype, flags, policy, gc_int, objtype; 4332 struct netlink_ext_ack *extack = info->extack; 4333 u8 genmask = nft_genmask_next(info->net); 4334 u8 family = info->nfmsg->nfgen_family; 4335 const struct nft_set_ops *ops; 4336 struct nft_expr *expr = NULL; 4337 struct net *net = info->net; 4338 struct nft_set_desc desc; 4339 struct nft_table *table; 4340 unsigned char *udata; 4341 struct nft_set *set; 4342 struct nft_ctx ctx; 4343 size_t alloc_size; 4344 u64 timeout; 4345 char *name; 4346 int err, i; 4347 u16 udlen; 4348 u64 size; 4349 4350 if (nla[NFTA_SET_TABLE] == NULL || 4351 nla[NFTA_SET_NAME] == NULL || 4352 nla[NFTA_SET_KEY_LEN] == NULL || 4353 nla[NFTA_SET_ID] == NULL) 4354 return -EINVAL; 4355 4356 memset(&desc, 0, sizeof(desc)); 4357 4358 ktype = NFT_DATA_VALUE; 4359 if (nla[NFTA_SET_KEY_TYPE] != NULL) { 4360 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE])); 4361 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK) 4362 return -EINVAL; 4363 } 4364 4365 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN])); 4366 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN) 4367 return -EINVAL; 4368 4369 flags = 0; 4370 if (nla[NFTA_SET_FLAGS] != NULL) { 4371 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); 4372 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT | 4373 NFT_SET_INTERVAL | NFT_SET_TIMEOUT | 4374 NFT_SET_MAP | NFT_SET_EVAL | 4375 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR)) 4376 return -EOPNOTSUPP; 4377 /* Only one of these operations is supported */ 4378 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) == 4379 (NFT_SET_MAP | NFT_SET_OBJECT)) 4380 return -EOPNOTSUPP; 4381 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) == 4382 (NFT_SET_EVAL | NFT_SET_OBJECT)) 4383 return -EOPNOTSUPP; 4384 } 4385 4386 dtype = 0; 4387 if (nla[NFTA_SET_DATA_TYPE] != NULL) { 4388 if (!(flags & NFT_SET_MAP)) 4389 return -EINVAL; 4390 4391 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE])); 4392 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK && 4393 dtype != NFT_DATA_VERDICT) 4394 return -EINVAL; 4395 4396 if (dtype != NFT_DATA_VERDICT) { 4397 if (nla[NFTA_SET_DATA_LEN] == NULL) 4398 return -EINVAL; 4399 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN])); 4400 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN) 4401 return -EINVAL; 4402 } else 4403 desc.dlen = sizeof(struct nft_verdict); 4404 } else if (flags & NFT_SET_MAP) 4405 return -EINVAL; 4406 4407 if (nla[NFTA_SET_OBJ_TYPE] != NULL) { 4408 if (!(flags & NFT_SET_OBJECT)) 4409 return -EINVAL; 4410 4411 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE])); 4412 if (objtype == NFT_OBJECT_UNSPEC || 4413 objtype > NFT_OBJECT_MAX) 4414 return -EOPNOTSUPP; 4415 } else if (flags & NFT_SET_OBJECT) 4416 return -EINVAL; 4417 else 4418 objtype = NFT_OBJECT_UNSPEC; 4419 4420 timeout = 0; 4421 if (nla[NFTA_SET_TIMEOUT] != NULL) { 4422 if (!(flags & NFT_SET_TIMEOUT)) 4423 return -EINVAL; 4424 4425 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout); 4426 if (err) 4427 return err; 4428 } 4429 gc_int = 0; 4430 if (nla[NFTA_SET_GC_INTERVAL] != NULL) { 4431 if (!(flags & NFT_SET_TIMEOUT)) 4432 return -EINVAL; 4433 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL])); 4434 } 4435 4436 policy = NFT_SET_POL_PERFORMANCE; 4437 if (nla[NFTA_SET_POLICY] != NULL) 4438 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY])); 4439 4440 if (nla[NFTA_SET_DESC] != NULL) { 4441 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]); 4442 if (err < 0) 4443 return err; 4444 } 4445 4446 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS]) 4447 desc.expr = true; 4448 4449 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask, 4450 NETLINK_CB(skb).portid); 4451 if (IS_ERR(table)) { 4452 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 4453 return PTR_ERR(table); 4454 } 4455 4456 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 4457 4458 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask); 4459 if (IS_ERR(set)) { 4460 if (PTR_ERR(set) != -ENOENT) { 4461 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 4462 return PTR_ERR(set); 4463 } 4464 } else { 4465 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 4466 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 4467 return -EEXIST; 4468 } 4469 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 4470 return -EOPNOTSUPP; 4471 4472 return 0; 4473 } 4474 4475 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE)) 4476 return -ENOENT; 4477 4478 ops = nft_select_set_ops(&ctx, nla, &desc, policy); 4479 if (IS_ERR(ops)) 4480 return PTR_ERR(ops); 4481 4482 udlen = 0; 4483 if (nla[NFTA_SET_USERDATA]) 4484 udlen = nla_len(nla[NFTA_SET_USERDATA]); 4485 4486 size = 0; 4487 if (ops->privsize != NULL) 4488 size = ops->privsize(nla, &desc); 4489 alloc_size = sizeof(*set) + size + udlen; 4490 if (alloc_size < size || alloc_size > INT_MAX) 4491 return -ENOMEM; 4492 set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT); 4493 if (!set) 4494 return -ENOMEM; 4495 4496 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT); 4497 if (!name) { 4498 err = -ENOMEM; 4499 goto err_set_name; 4500 } 4501 4502 err = nf_tables_set_alloc_name(&ctx, set, name); 4503 kfree(name); 4504 if (err < 0) 4505 goto err_set_name; 4506 4507 udata = NULL; 4508 if (udlen) { 4509 udata = set->data + size; 4510 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen); 4511 } 4512 4513 INIT_LIST_HEAD(&set->bindings); 4514 INIT_LIST_HEAD(&set->catchall_list); 4515 set->table = table; 4516 write_pnet(&set->net, net); 4517 set->ops = ops; 4518 set->ktype = ktype; 4519 set->klen = desc.klen; 4520 set->dtype = dtype; 4521 set->objtype = objtype; 4522 set->dlen = desc.dlen; 4523 set->flags = flags; 4524 set->size = desc.size; 4525 set->policy = policy; 4526 set->udlen = udlen; 4527 set->udata = udata; 4528 set->timeout = timeout; 4529 set->gc_int = gc_int; 4530 4531 set->field_count = desc.field_count; 4532 for (i = 0; i < desc.field_count; i++) 4533 set->field_len[i] = desc.field_len[i]; 4534 4535 err = ops->init(set, &desc, nla); 4536 if (err < 0) 4537 goto err_set_init; 4538 4539 if (nla[NFTA_SET_EXPR]) { 4540 expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]); 4541 if (IS_ERR(expr)) { 4542 err = PTR_ERR(expr); 4543 goto err_set_expr_alloc; 4544 } 4545 set->exprs[0] = expr; 4546 set->num_exprs++; 4547 } else if (nla[NFTA_SET_EXPRESSIONS]) { 4548 struct nft_expr *expr; 4549 struct nlattr *tmp; 4550 int left; 4551 4552 if (!(flags & NFT_SET_EXPR)) { 4553 err = -EINVAL; 4554 goto err_set_expr_alloc; 4555 } 4556 i = 0; 4557 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) { 4558 if (i == NFT_SET_EXPR_MAX) { 4559 err = -E2BIG; 4560 goto err_set_expr_alloc; 4561 } 4562 if (nla_type(tmp) != NFTA_LIST_ELEM) { 4563 err = -EINVAL; 4564 goto err_set_expr_alloc; 4565 } 4566 expr = nft_set_elem_expr_alloc(&ctx, set, tmp); 4567 if (IS_ERR(expr)) { 4568 err = PTR_ERR(expr); 4569 goto err_set_expr_alloc; 4570 } 4571 set->exprs[i++] = expr; 4572 set->num_exprs++; 4573 } 4574 } 4575 4576 set->handle = nf_tables_alloc_handle(table); 4577 4578 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set); 4579 if (err < 0) 4580 goto err_set_expr_alloc; 4581 4582 list_add_tail_rcu(&set->list, &table->sets); 4583 table->use++; 4584 return 0; 4585 4586err_set_expr_alloc: 4587 for (i = 0; i < set->num_exprs; i++) 4588 nft_expr_destroy(&ctx, set->exprs[i]); 4589 4590 ops->destroy(set); 4591err_set_init: 4592 kfree(set->name); 4593err_set_name: 4594 kvfree(set); 4595 return err; 4596} 4597 4598struct nft_set_elem_catchall { 4599 struct list_head list; 4600 struct rcu_head rcu; 4601 void *elem; 4602}; 4603 4604static void nft_set_catchall_destroy(const struct nft_ctx *ctx, 4605 struct nft_set *set) 4606{ 4607 struct nft_set_elem_catchall *next, *catchall; 4608 4609 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 4610 list_del_rcu(&catchall->list); 4611 nft_set_elem_destroy(set, catchall->elem, true); 4612 kfree_rcu(catchall, rcu); 4613 } 4614} 4615 4616static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set) 4617{ 4618 int i; 4619 4620 if (WARN_ON(set->use > 0)) 4621 return; 4622 4623 for (i = 0; i < set->num_exprs; i++) 4624 nft_expr_destroy(ctx, set->exprs[i]); 4625 4626 set->ops->destroy(set); 4627 nft_set_catchall_destroy(ctx, set); 4628 kfree(set->name); 4629 kvfree(set); 4630} 4631 4632static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info, 4633 const struct nlattr * const nla[]) 4634{ 4635 struct netlink_ext_ack *extack = info->extack; 4636 u8 genmask = nft_genmask_next(info->net); 4637 u8 family = info->nfmsg->nfgen_family; 4638 struct net *net = info->net; 4639 const struct nlattr *attr; 4640 struct nft_table *table; 4641 struct nft_set *set; 4642 struct nft_ctx ctx; 4643 4644 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC) 4645 return -EAFNOSUPPORT; 4646 4647 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, 4648 genmask, NETLINK_CB(skb).portid); 4649 if (IS_ERR(table)) { 4650 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 4651 return PTR_ERR(table); 4652 } 4653 4654 if (nla[NFTA_SET_HANDLE]) { 4655 attr = nla[NFTA_SET_HANDLE]; 4656 set = nft_set_lookup_byhandle(table, attr, genmask); 4657 } else { 4658 attr = nla[NFTA_SET_NAME]; 4659 set = nft_set_lookup(table, attr, genmask); 4660 } 4661 4662 if (IS_ERR(set)) { 4663 NL_SET_BAD_ATTR(extack, attr); 4664 return PTR_ERR(set); 4665 } 4666 if (set->use || 4667 (info->nlh->nlmsg_flags & NLM_F_NONREC && 4668 atomic_read(&set->nelems) > 0)) { 4669 NL_SET_BAD_ATTR(extack, attr); 4670 return -EBUSY; 4671 } 4672 4673 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 4674 4675 return nft_delset(&ctx, set); 4676} 4677 4678static int nft_validate_register_store(const struct nft_ctx *ctx, 4679 enum nft_registers reg, 4680 const struct nft_data *data, 4681 enum nft_data_types type, 4682 unsigned int len); 4683 4684static int nft_setelem_data_validate(const struct nft_ctx *ctx, 4685 struct nft_set *set, 4686 struct nft_set_elem *elem) 4687{ 4688 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 4689 enum nft_registers dreg; 4690 4691 dreg = nft_type_to_reg(set->dtype); 4692 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext), 4693 set->dtype == NFT_DATA_VERDICT ? 4694 NFT_DATA_VERDICT : NFT_DATA_VALUE, 4695 set->dlen); 4696} 4697 4698static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx, 4699 struct nft_set *set, 4700 const struct nft_set_iter *iter, 4701 struct nft_set_elem *elem) 4702{ 4703 return nft_setelem_data_validate(ctx, set, elem); 4704} 4705 4706static int nft_set_catchall_bind_check(const struct nft_ctx *ctx, 4707 struct nft_set *set) 4708{ 4709 u8 genmask = nft_genmask_next(ctx->net); 4710 struct nft_set_elem_catchall *catchall; 4711 struct nft_set_elem elem; 4712 struct nft_set_ext *ext; 4713 int ret = 0; 4714 4715 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 4716 ext = nft_set_elem_ext(set, catchall->elem); 4717 if (!nft_set_elem_active(ext, genmask)) 4718 continue; 4719 4720 elem.priv = catchall->elem; 4721 ret = nft_setelem_data_validate(ctx, set, &elem); 4722 if (ret < 0) 4723 break; 4724 } 4725 4726 return ret; 4727} 4728 4729int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, 4730 struct nft_set_binding *binding) 4731{ 4732 struct nft_set_binding *i; 4733 struct nft_set_iter iter; 4734 4735 if (set->use == UINT_MAX) 4736 return -EOVERFLOW; 4737 4738 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set)) 4739 return -EBUSY; 4740 4741 if (binding->flags & NFT_SET_MAP) { 4742 /* If the set is already bound to the same chain all 4743 * jumps are already validated for that chain. 4744 */ 4745 list_for_each_entry(i, &set->bindings, list) { 4746 if (i->flags & NFT_SET_MAP && 4747 i->chain == binding->chain) 4748 goto bind; 4749 } 4750 4751 iter.genmask = nft_genmask_next(ctx->net); 4752 iter.skip = 0; 4753 iter.count = 0; 4754 iter.err = 0; 4755 iter.fn = nf_tables_bind_check_setelem; 4756 4757 set->ops->walk(ctx, set, &iter); 4758 if (!iter.err) 4759 iter.err = nft_set_catchall_bind_check(ctx, set); 4760 4761 if (iter.err < 0) 4762 return iter.err; 4763 } 4764bind: 4765 binding->chain = ctx->chain; 4766 list_add_tail_rcu(&binding->list, &set->bindings); 4767 nft_set_trans_bind(ctx, set); 4768 set->use++; 4769 4770 return 0; 4771} 4772EXPORT_SYMBOL_GPL(nf_tables_bind_set); 4773 4774static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, 4775 struct nft_set_binding *binding, bool event) 4776{ 4777 list_del_rcu(&binding->list); 4778 4779 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) { 4780 list_del_rcu(&set->list); 4781 if (event) 4782 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, 4783 GFP_KERNEL); 4784 } 4785} 4786 4787void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, 4788 struct nft_set_binding *binding, 4789 enum nft_trans_phase phase) 4790{ 4791 switch (phase) { 4792 case NFT_TRANS_PREPARE: 4793 set->use--; 4794 return; 4795 case NFT_TRANS_ABORT: 4796 case NFT_TRANS_RELEASE: 4797 set->use--; 4798 fallthrough; 4799 default: 4800 nf_tables_unbind_set(ctx, set, binding, 4801 phase == NFT_TRANS_COMMIT); 4802 } 4803} 4804EXPORT_SYMBOL_GPL(nf_tables_deactivate_set); 4805 4806void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set) 4807{ 4808 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) 4809 nft_set_destroy(ctx, set); 4810} 4811EXPORT_SYMBOL_GPL(nf_tables_destroy_set); 4812 4813const struct nft_set_ext_type nft_set_ext_types[] = { 4814 [NFT_SET_EXT_KEY] = { 4815 .align = __alignof__(u32), 4816 }, 4817 [NFT_SET_EXT_DATA] = { 4818 .align = __alignof__(u32), 4819 }, 4820 [NFT_SET_EXT_EXPRESSIONS] = { 4821 .align = __alignof__(struct nft_set_elem_expr), 4822 }, 4823 [NFT_SET_EXT_OBJREF] = { 4824 .len = sizeof(struct nft_object *), 4825 .align = __alignof__(struct nft_object *), 4826 }, 4827 [NFT_SET_EXT_FLAGS] = { 4828 .len = sizeof(u8), 4829 .align = __alignof__(u8), 4830 }, 4831 [NFT_SET_EXT_TIMEOUT] = { 4832 .len = sizeof(u64), 4833 .align = __alignof__(u64), 4834 }, 4835 [NFT_SET_EXT_EXPIRATION] = { 4836 .len = sizeof(u64), 4837 .align = __alignof__(u64), 4838 }, 4839 [NFT_SET_EXT_USERDATA] = { 4840 .len = sizeof(struct nft_userdata), 4841 .align = __alignof__(struct nft_userdata), 4842 }, 4843 [NFT_SET_EXT_KEY_END] = { 4844 .align = __alignof__(u32), 4845 }, 4846}; 4847 4848/* 4849 * Set elements 4850 */ 4851 4852static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = { 4853 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED }, 4854 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED }, 4855 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 }, 4856 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 }, 4857 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 }, 4858 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY, 4859 .len = NFT_USERDATA_MAXLEN }, 4860 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED }, 4861 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING, 4862 .len = NFT_OBJ_MAXNAMELEN - 1 }, 4863 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED }, 4864 [NFTA_SET_ELEM_EXPRESSIONS] = { .type = NLA_NESTED }, 4865}; 4866 4867static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = { 4868 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING, 4869 .len = NFT_TABLE_MAXNAMELEN - 1 }, 4870 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING, 4871 .len = NFT_SET_MAXNAMELEN - 1 }, 4872 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED }, 4873 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 }, 4874}; 4875 4876static int nft_set_elem_expr_dump(struct sk_buff *skb, 4877 const struct nft_set *set, 4878 const struct nft_set_ext *ext) 4879{ 4880 struct nft_set_elem_expr *elem_expr; 4881 u32 size, num_exprs = 0; 4882 struct nft_expr *expr; 4883 struct nlattr *nest; 4884 4885 elem_expr = nft_set_ext_expr(ext); 4886 nft_setelem_expr_foreach(expr, elem_expr, size) 4887 num_exprs++; 4888 4889 if (num_exprs == 1) { 4890 expr = nft_setelem_expr_at(elem_expr, 0); 4891 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr) < 0) 4892 return -1; 4893 4894 return 0; 4895 } else if (num_exprs > 1) { 4896 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS); 4897 if (nest == NULL) 4898 goto nla_put_failure; 4899 4900 nft_setelem_expr_foreach(expr, elem_expr, size) { 4901 expr = nft_setelem_expr_at(elem_expr, size); 4902 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0) 4903 goto nla_put_failure; 4904 } 4905 nla_nest_end(skb, nest); 4906 } 4907 return 0; 4908 4909nla_put_failure: 4910 return -1; 4911} 4912 4913static int nf_tables_fill_setelem(struct sk_buff *skb, 4914 const struct nft_set *set, 4915 const struct nft_set_elem *elem) 4916{ 4917 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 4918 unsigned char *b = skb_tail_pointer(skb); 4919 struct nlattr *nest; 4920 4921 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM); 4922 if (nest == NULL) 4923 goto nla_put_failure; 4924 4925 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) && 4926 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext), 4927 NFT_DATA_VALUE, set->klen) < 0) 4928 goto nla_put_failure; 4929 4930 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) && 4931 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext), 4932 NFT_DATA_VALUE, set->klen) < 0) 4933 goto nla_put_failure; 4934 4935 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 4936 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext), 4937 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE, 4938 set->dlen) < 0) 4939 goto nla_put_failure; 4940 4941 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) && 4942 nft_set_elem_expr_dump(skb, set, ext)) 4943 goto nla_put_failure; 4944 4945 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && 4946 nla_put_string(skb, NFTA_SET_ELEM_OBJREF, 4947 (*nft_set_ext_obj(ext))->key.name) < 0) 4948 goto nla_put_failure; 4949 4950 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 4951 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, 4952 htonl(*nft_set_ext_flags(ext)))) 4953 goto nla_put_failure; 4954 4955 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) && 4956 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT, 4957 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)), 4958 NFTA_SET_ELEM_PAD)) 4959 goto nla_put_failure; 4960 4961 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) { 4962 u64 expires, now = get_jiffies_64(); 4963 4964 expires = *nft_set_ext_expiration(ext); 4965 if (time_before64(now, expires)) 4966 expires -= now; 4967 else 4968 expires = 0; 4969 4970 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION, 4971 nf_jiffies64_to_msecs(expires), 4972 NFTA_SET_ELEM_PAD)) 4973 goto nla_put_failure; 4974 } 4975 4976 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) { 4977 struct nft_userdata *udata; 4978 4979 udata = nft_set_ext_userdata(ext); 4980 if (nla_put(skb, NFTA_SET_ELEM_USERDATA, 4981 udata->len + 1, udata->data)) 4982 goto nla_put_failure; 4983 } 4984 4985 nla_nest_end(skb, nest); 4986 return 0; 4987 4988nla_put_failure: 4989 nlmsg_trim(skb, b); 4990 return -EMSGSIZE; 4991} 4992 4993struct nft_set_dump_args { 4994 const struct netlink_callback *cb; 4995 struct nft_set_iter iter; 4996 struct sk_buff *skb; 4997}; 4998 4999static int nf_tables_dump_setelem(const struct nft_ctx *ctx, 5000 struct nft_set *set, 5001 const struct nft_set_iter *iter, 5002 struct nft_set_elem *elem) 5003{ 5004 struct nft_set_dump_args *args; 5005 5006 args = container_of(iter, struct nft_set_dump_args, iter); 5007 return nf_tables_fill_setelem(args->skb, set, elem); 5008} 5009 5010struct nft_set_dump_ctx { 5011 const struct nft_set *set; 5012 struct nft_ctx ctx; 5013}; 5014 5015static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb, 5016 const struct nft_set *set) 5017{ 5018 struct nft_set_elem_catchall *catchall; 5019 u8 genmask = nft_genmask_cur(net); 5020 struct nft_set_elem elem; 5021 struct nft_set_ext *ext; 5022 int ret = 0; 5023 5024 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 5025 ext = nft_set_elem_ext(set, catchall->elem); 5026 if (!nft_set_elem_active(ext, genmask) || 5027 nft_set_elem_expired(ext)) 5028 continue; 5029 5030 elem.priv = catchall->elem; 5031 ret = nf_tables_fill_setelem(skb, set, &elem); 5032 break; 5033 } 5034 5035 return ret; 5036} 5037 5038static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb) 5039{ 5040 struct nft_set_dump_ctx *dump_ctx = cb->data; 5041 struct net *net = sock_net(skb->sk); 5042 struct nftables_pernet *nft_net; 5043 struct nft_table *table; 5044 struct nft_set *set; 5045 struct nft_set_dump_args args; 5046 bool set_found = false; 5047 struct nlmsghdr *nlh; 5048 struct nlattr *nest; 5049 u32 portid, seq; 5050 int event; 5051 5052 rcu_read_lock(); 5053 nft_net = nft_pernet(net); 5054 list_for_each_entry_rcu(table, &nft_net->tables, list) { 5055 if (dump_ctx->ctx.family != NFPROTO_UNSPEC && 5056 dump_ctx->ctx.family != table->family) 5057 continue; 5058 5059 if (table != dump_ctx->ctx.table) 5060 continue; 5061 5062 list_for_each_entry_rcu(set, &table->sets, list) { 5063 if (set == dump_ctx->set) { 5064 set_found = true; 5065 break; 5066 } 5067 } 5068 break; 5069 } 5070 5071 if (!set_found) { 5072 rcu_read_unlock(); 5073 return -ENOENT; 5074 } 5075 5076 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM); 5077 portid = NETLINK_CB(cb->skb).portid; 5078 seq = cb->nlh->nlmsg_seq; 5079 5080 nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI, 5081 table->family, NFNETLINK_V0, nft_base_seq(net)); 5082 if (!nlh) 5083 goto nla_put_failure; 5084 5085 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name)) 5086 goto nla_put_failure; 5087 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name)) 5088 goto nla_put_failure; 5089 5090 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS); 5091 if (nest == NULL) 5092 goto nla_put_failure; 5093 5094 args.cb = cb; 5095 args.skb = skb; 5096 args.iter.genmask = nft_genmask_cur(net); 5097 args.iter.skip = cb->args[0]; 5098 args.iter.count = 0; 5099 args.iter.err = 0; 5100 args.iter.fn = nf_tables_dump_setelem; 5101 set->ops->walk(&dump_ctx->ctx, set, &args.iter); 5102 5103 if (!args.iter.err && args.iter.count == cb->args[0]) 5104 args.iter.err = nft_set_catchall_dump(net, skb, set); 5105 rcu_read_unlock(); 5106 5107 nla_nest_end(skb, nest); 5108 nlmsg_end(skb, nlh); 5109 5110 if (args.iter.err && args.iter.err != -EMSGSIZE) 5111 return args.iter.err; 5112 if (args.iter.count == cb->args[0]) 5113 return 0; 5114 5115 cb->args[0] = args.iter.count; 5116 return skb->len; 5117 5118nla_put_failure: 5119 rcu_read_unlock(); 5120 return -ENOSPC; 5121} 5122 5123static int nf_tables_dump_set_start(struct netlink_callback *cb) 5124{ 5125 struct nft_set_dump_ctx *dump_ctx = cb->data; 5126 5127 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC); 5128 5129 return cb->data ? 0 : -ENOMEM; 5130} 5131 5132static int nf_tables_dump_set_done(struct netlink_callback *cb) 5133{ 5134 kfree(cb->data); 5135 return 0; 5136} 5137 5138static int nf_tables_fill_setelem_info(struct sk_buff *skb, 5139 const struct nft_ctx *ctx, u32 seq, 5140 u32 portid, int event, u16 flags, 5141 const struct nft_set *set, 5142 const struct nft_set_elem *elem) 5143{ 5144 struct nlmsghdr *nlh; 5145 struct nlattr *nest; 5146 int err; 5147 5148 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 5149 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family, 5150 NFNETLINK_V0, nft_base_seq(ctx->net)); 5151 if (!nlh) 5152 goto nla_put_failure; 5153 5154 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 5155 goto nla_put_failure; 5156 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 5157 goto nla_put_failure; 5158 5159 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS); 5160 if (nest == NULL) 5161 goto nla_put_failure; 5162 5163 err = nf_tables_fill_setelem(skb, set, elem); 5164 if (err < 0) 5165 goto nla_put_failure; 5166 5167 nla_nest_end(skb, nest); 5168 5169 nlmsg_end(skb, nlh); 5170 return 0; 5171 5172nla_put_failure: 5173 nlmsg_trim(skb, nlh); 5174 return -1; 5175} 5176 5177static int nft_setelem_parse_flags(const struct nft_set *set, 5178 const struct nlattr *attr, u32 *flags) 5179{ 5180 if (attr == NULL) 5181 return 0; 5182 5183 *flags = ntohl(nla_get_be32(attr)); 5184 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) 5185 return -EOPNOTSUPP; 5186 if (!(set->flags & NFT_SET_INTERVAL) && 5187 *flags & NFT_SET_ELEM_INTERVAL_END) 5188 return -EINVAL; 5189 5190 return 0; 5191} 5192 5193static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set, 5194 struct nft_data *key, struct nlattr *attr) 5195{ 5196 struct nft_data_desc desc; 5197 int err; 5198 5199 err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr); 5200 if (err < 0) 5201 return err; 5202 5203 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) { 5204 nft_data_release(key, desc.type); 5205 return -EINVAL; 5206 } 5207 5208 return 0; 5209} 5210 5211static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set, 5212 struct nft_data_desc *desc, 5213 struct nft_data *data, 5214 struct nlattr *attr) 5215{ 5216 u32 dtype; 5217 int err; 5218 5219 err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr); 5220 if (err < 0) 5221 return err; 5222 5223 if (set->dtype == NFT_DATA_VERDICT) 5224 dtype = NFT_DATA_VERDICT; 5225 else 5226 dtype = NFT_DATA_VALUE; 5227 5228 if (dtype != desc->type || 5229 set->dlen != desc->len) { 5230 nft_data_release(data, desc->type); 5231 return -EINVAL; 5232 } 5233 5234 return 0; 5235} 5236 5237static void *nft_setelem_catchall_get(const struct net *net, 5238 const struct nft_set *set) 5239{ 5240 struct nft_set_elem_catchall *catchall; 5241 u8 genmask = nft_genmask_cur(net); 5242 struct nft_set_ext *ext; 5243 void *priv = NULL; 5244 5245 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 5246 ext = nft_set_elem_ext(set, catchall->elem); 5247 if (!nft_set_elem_active(ext, genmask) || 5248 nft_set_elem_expired(ext)) 5249 continue; 5250 5251 priv = catchall->elem; 5252 break; 5253 } 5254 5255 return priv; 5256} 5257 5258static int nft_setelem_get(struct nft_ctx *ctx, struct nft_set *set, 5259 struct nft_set_elem *elem, u32 flags) 5260{ 5261 void *priv; 5262 5263 if (!(flags & NFT_SET_ELEM_CATCHALL)) { 5264 priv = set->ops->get(ctx->net, set, elem, flags); 5265 if (IS_ERR(priv)) 5266 return PTR_ERR(priv); 5267 } else { 5268 priv = nft_setelem_catchall_get(ctx->net, set); 5269 if (!priv) 5270 return -ENOENT; 5271 } 5272 elem->priv = priv; 5273 5274 return 0; 5275} 5276 5277static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set, 5278 const struct nlattr *attr) 5279{ 5280 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 5281 struct nft_set_elem elem; 5282 struct sk_buff *skb; 5283 uint32_t flags = 0; 5284 int err; 5285 5286 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 5287 nft_set_elem_policy, NULL); 5288 if (err < 0) 5289 return err; 5290 5291 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 5292 if (err < 0) 5293 return err; 5294 5295 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL)) 5296 return -EINVAL; 5297 5298 if (nla[NFTA_SET_ELEM_KEY]) { 5299 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 5300 nla[NFTA_SET_ELEM_KEY]); 5301 if (err < 0) 5302 return err; 5303 } 5304 5305 if (nla[NFTA_SET_ELEM_KEY_END]) { 5306 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 5307 nla[NFTA_SET_ELEM_KEY_END]); 5308 if (err < 0) 5309 return err; 5310 } 5311 5312 err = nft_setelem_get(ctx, set, &elem, flags); 5313 if (err < 0) 5314 return err; 5315 5316 err = -ENOMEM; 5317 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC); 5318 if (skb == NULL) 5319 return err; 5320 5321 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid, 5322 NFT_MSG_NEWSETELEM, 0, set, &elem); 5323 if (err < 0) 5324 goto err_fill_setelem; 5325 5326 return nfnetlink_unicast(skb, ctx->net, ctx->portid); 5327 5328err_fill_setelem: 5329 kfree_skb(skb); 5330 return err; 5331} 5332 5333/* called with rcu_read_lock held */ 5334static int nf_tables_getsetelem(struct sk_buff *skb, 5335 const struct nfnl_info *info, 5336 const struct nlattr * const nla[]) 5337{ 5338 struct netlink_ext_ack *extack = info->extack; 5339 u8 genmask = nft_genmask_cur(info->net); 5340 u8 family = info->nfmsg->nfgen_family; 5341 struct net *net = info->net; 5342 struct nft_table *table; 5343 struct nft_set *set; 5344 struct nlattr *attr; 5345 struct nft_ctx ctx; 5346 int rem, err = 0; 5347 5348 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 5349 genmask, NETLINK_CB(skb).portid); 5350 if (IS_ERR(table)) { 5351 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 5352 return PTR_ERR(table); 5353 } 5354 5355 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask); 5356 if (IS_ERR(set)) 5357 return PTR_ERR(set); 5358 5359 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 5360 5361 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 5362 struct netlink_dump_control c = { 5363 .start = nf_tables_dump_set_start, 5364 .dump = nf_tables_dump_set, 5365 .done = nf_tables_dump_set_done, 5366 .module = THIS_MODULE, 5367 }; 5368 struct nft_set_dump_ctx dump_ctx = { 5369 .set = set, 5370 .ctx = ctx, 5371 }; 5372 5373 c.data = &dump_ctx; 5374 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 5375 } 5376 5377 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS]) 5378 return -EINVAL; 5379 5380 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 5381 err = nft_get_set_elem(&ctx, set, attr); 5382 if (err < 0) { 5383 NL_SET_BAD_ATTR(extack, attr); 5384 break; 5385 } 5386 } 5387 5388 return err; 5389} 5390 5391static void nf_tables_setelem_notify(const struct nft_ctx *ctx, 5392 const struct nft_set *set, 5393 const struct nft_set_elem *elem, 5394 int event) 5395{ 5396 struct nftables_pernet *nft_net; 5397 struct net *net = ctx->net; 5398 u32 portid = ctx->portid; 5399 struct sk_buff *skb; 5400 u16 flags = 0; 5401 int err; 5402 5403 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 5404 return; 5405 5406 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 5407 if (skb == NULL) 5408 goto err; 5409 5410 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 5411 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 5412 5413 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags, 5414 set, elem); 5415 if (err < 0) { 5416 kfree_skb(skb); 5417 goto err; 5418 } 5419 5420 nft_net = nft_pernet(net); 5421 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 5422 return; 5423err: 5424 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 5425} 5426 5427static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx, 5428 int msg_type, 5429 struct nft_set *set) 5430{ 5431 struct nft_trans *trans; 5432 5433 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem)); 5434 if (trans == NULL) 5435 return NULL; 5436 5437 nft_trans_elem_set(trans) = set; 5438 return trans; 5439} 5440 5441struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx, 5442 const struct nft_set *set, 5443 const struct nlattr *attr) 5444{ 5445 struct nft_expr *expr; 5446 int err; 5447 5448 expr = nft_expr_init(ctx, attr); 5449 if (IS_ERR(expr)) 5450 return expr; 5451 5452 err = -EOPNOTSUPP; 5453 if (expr->ops->type->flags & NFT_EXPR_GC) { 5454 if (set->flags & NFT_SET_TIMEOUT) 5455 goto err_set_elem_expr; 5456 if (!set->ops->gc_init) 5457 goto err_set_elem_expr; 5458 set->ops->gc_init(set); 5459 } 5460 5461 return expr; 5462 5463err_set_elem_expr: 5464 nft_expr_destroy(ctx, expr); 5465 return ERR_PTR(err); 5466} 5467 5468void *nft_set_elem_init(const struct nft_set *set, 5469 const struct nft_set_ext_tmpl *tmpl, 5470 const u32 *key, const u32 *key_end, 5471 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp) 5472{ 5473 struct nft_set_ext *ext; 5474 void *elem; 5475 5476 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp); 5477 if (elem == NULL) 5478 return NULL; 5479 5480 ext = nft_set_elem_ext(set, elem); 5481 nft_set_ext_init(ext, tmpl); 5482 5483 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY)) 5484 memcpy(nft_set_ext_key(ext), key, set->klen); 5485 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END)) 5486 memcpy(nft_set_ext_key_end(ext), key_end, set->klen); 5487 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 5488 memcpy(nft_set_ext_data(ext), data, set->dlen); 5489 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) { 5490 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration; 5491 if (expiration == 0) 5492 *nft_set_ext_expiration(ext) += timeout; 5493 } 5494 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) 5495 *nft_set_ext_timeout(ext) = timeout; 5496 5497 return elem; 5498} 5499 5500static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx, 5501 struct nft_expr *expr) 5502{ 5503 if (expr->ops->destroy_clone) { 5504 expr->ops->destroy_clone(ctx, expr); 5505 module_put(expr->ops->type->owner); 5506 } else { 5507 nf_tables_expr_destroy(ctx, expr); 5508 } 5509} 5510 5511static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx, 5512 struct nft_set_elem_expr *elem_expr) 5513{ 5514 struct nft_expr *expr; 5515 u32 size; 5516 5517 nft_setelem_expr_foreach(expr, elem_expr, size) 5518 __nft_set_elem_expr_destroy(ctx, expr); 5519} 5520 5521void nft_set_elem_destroy(const struct nft_set *set, void *elem, 5522 bool destroy_expr) 5523{ 5524 struct nft_set_ext *ext = nft_set_elem_ext(set, elem); 5525 struct nft_ctx ctx = { 5526 .net = read_pnet(&set->net), 5527 .family = set->table->family, 5528 }; 5529 5530 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE); 5531 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 5532 nft_data_release(nft_set_ext_data(ext), set->dtype); 5533 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS)) 5534 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext)); 5535 5536 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 5537 (*nft_set_ext_obj(ext))->use--; 5538 kfree(elem); 5539} 5540EXPORT_SYMBOL_GPL(nft_set_elem_destroy); 5541 5542/* Only called from commit path, nft_setelem_data_deactivate() already deals 5543 * with the refcounting from the preparation phase. 5544 */ 5545static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, 5546 const struct nft_set *set, void *elem) 5547{ 5548 struct nft_set_ext *ext = nft_set_elem_ext(set, elem); 5549 5550 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS)) 5551 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext)); 5552 5553 kfree(elem); 5554} 5555 5556int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set, 5557 struct nft_expr *expr_array[]) 5558{ 5559 struct nft_expr *expr; 5560 int err, i, k; 5561 5562 for (i = 0; i < set->num_exprs; i++) { 5563 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL_ACCOUNT); 5564 if (!expr) 5565 goto err_expr; 5566 5567 err = nft_expr_clone(expr, set->exprs[i]); 5568 if (err < 0) { 5569 nft_expr_destroy(ctx, expr); 5570 goto err_expr; 5571 } 5572 expr_array[i] = expr; 5573 } 5574 5575 return 0; 5576 5577err_expr: 5578 for (k = i - 1; k >= 0; k--) 5579 nft_expr_destroy(ctx, expr_array[k]); 5580 5581 return -ENOMEM; 5582} 5583 5584static int nft_set_elem_expr_setup(struct nft_ctx *ctx, 5585 const struct nft_set_ext *ext, 5586 struct nft_expr *expr_array[], 5587 u32 num_exprs) 5588{ 5589 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext); 5590 struct nft_expr *expr; 5591 int i, err; 5592 5593 for (i = 0; i < num_exprs; i++) { 5594 expr = nft_setelem_expr_at(elem_expr, elem_expr->size); 5595 err = nft_expr_clone(expr, expr_array[i]); 5596 if (err < 0) 5597 goto err_elem_expr_setup; 5598 5599 elem_expr->size += expr_array[i]->ops->size; 5600 nft_expr_destroy(ctx, expr_array[i]); 5601 expr_array[i] = NULL; 5602 } 5603 5604 return 0; 5605 5606err_elem_expr_setup: 5607 for (; i < num_exprs; i++) { 5608 nft_expr_destroy(ctx, expr_array[i]); 5609 expr_array[i] = NULL; 5610 } 5611 5612 return -ENOMEM; 5613} 5614 5615struct nft_set_ext *nft_set_catchall_lookup(const struct net *net, 5616 const struct nft_set *set) 5617{ 5618 struct nft_set_elem_catchall *catchall; 5619 u8 genmask = nft_genmask_cur(net); 5620 struct nft_set_ext *ext; 5621 5622 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 5623 ext = nft_set_elem_ext(set, catchall->elem); 5624 if (nft_set_elem_active(ext, genmask) && 5625 !nft_set_elem_expired(ext)) 5626 return ext; 5627 } 5628 5629 return NULL; 5630} 5631EXPORT_SYMBOL_GPL(nft_set_catchall_lookup); 5632 5633void *nft_set_catchall_gc(const struct nft_set *set) 5634{ 5635 struct nft_set_elem_catchall *catchall, *next; 5636 struct nft_set_ext *ext; 5637 void *elem = NULL; 5638 5639 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 5640 ext = nft_set_elem_ext(set, catchall->elem); 5641 5642 if (!nft_set_elem_expired(ext) || 5643 nft_set_elem_mark_busy(ext)) 5644 continue; 5645 5646 elem = catchall->elem; 5647 list_del_rcu(&catchall->list); 5648 kfree_rcu(catchall, rcu); 5649 break; 5650 } 5651 5652 return elem; 5653} 5654EXPORT_SYMBOL_GPL(nft_set_catchall_gc); 5655 5656static int nft_setelem_catchall_insert(const struct net *net, 5657 struct nft_set *set, 5658 const struct nft_set_elem *elem, 5659 struct nft_set_ext **pext) 5660{ 5661 struct nft_set_elem_catchall *catchall; 5662 u8 genmask = nft_genmask_next(net); 5663 struct nft_set_ext *ext; 5664 5665 list_for_each_entry(catchall, &set->catchall_list, list) { 5666 ext = nft_set_elem_ext(set, catchall->elem); 5667 if (nft_set_elem_active(ext, genmask)) { 5668 *pext = ext; 5669 return -EEXIST; 5670 } 5671 } 5672 5673 catchall = kmalloc(sizeof(*catchall), GFP_KERNEL); 5674 if (!catchall) 5675 return -ENOMEM; 5676 5677 catchall->elem = elem->priv; 5678 list_add_tail_rcu(&catchall->list, &set->catchall_list); 5679 5680 return 0; 5681} 5682 5683static int nft_setelem_insert(const struct net *net, 5684 struct nft_set *set, 5685 const struct nft_set_elem *elem, 5686 struct nft_set_ext **ext, unsigned int flags) 5687{ 5688 int ret; 5689 5690 if (flags & NFT_SET_ELEM_CATCHALL) 5691 ret = nft_setelem_catchall_insert(net, set, elem, ext); 5692 else 5693 ret = set->ops->insert(net, set, elem, ext); 5694 5695 return ret; 5696} 5697 5698static bool nft_setelem_is_catchall(const struct nft_set *set, 5699 const struct nft_set_elem *elem) 5700{ 5701 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 5702 5703 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 5704 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL) 5705 return true; 5706 5707 return false; 5708} 5709 5710static void nft_setelem_activate(struct net *net, struct nft_set *set, 5711 struct nft_set_elem *elem) 5712{ 5713 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 5714 5715 if (nft_setelem_is_catchall(set, elem)) { 5716 nft_set_elem_change_active(net, set, ext); 5717 nft_set_elem_clear_busy(ext); 5718 } else { 5719 set->ops->activate(net, set, elem); 5720 } 5721} 5722 5723static int nft_setelem_catchall_deactivate(const struct net *net, 5724 struct nft_set *set, 5725 struct nft_set_elem *elem) 5726{ 5727 struct nft_set_elem_catchall *catchall; 5728 struct nft_set_ext *ext; 5729 5730 list_for_each_entry(catchall, &set->catchall_list, list) { 5731 ext = nft_set_elem_ext(set, catchall->elem); 5732 if (!nft_is_active(net, ext) || 5733 nft_set_elem_mark_busy(ext)) 5734 continue; 5735 5736 kfree(elem->priv); 5737 elem->priv = catchall->elem; 5738 nft_set_elem_change_active(net, set, ext); 5739 return 0; 5740 } 5741 5742 return -ENOENT; 5743} 5744 5745static int __nft_setelem_deactivate(const struct net *net, 5746 struct nft_set *set, 5747 struct nft_set_elem *elem) 5748{ 5749 void *priv; 5750 5751 priv = set->ops->deactivate(net, set, elem); 5752 if (!priv) 5753 return -ENOENT; 5754 5755 kfree(elem->priv); 5756 elem->priv = priv; 5757 set->ndeact++; 5758 5759 return 0; 5760} 5761 5762static int nft_setelem_deactivate(const struct net *net, 5763 struct nft_set *set, 5764 struct nft_set_elem *elem, u32 flags) 5765{ 5766 int ret; 5767 5768 if (flags & NFT_SET_ELEM_CATCHALL) 5769 ret = nft_setelem_catchall_deactivate(net, set, elem); 5770 else 5771 ret = __nft_setelem_deactivate(net, set, elem); 5772 5773 return ret; 5774} 5775 5776static void nft_setelem_catchall_remove(const struct net *net, 5777 const struct nft_set *set, 5778 const struct nft_set_elem *elem) 5779{ 5780 struct nft_set_elem_catchall *catchall, *next; 5781 5782 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 5783 if (catchall->elem == elem->priv) { 5784 list_del_rcu(&catchall->list); 5785 kfree_rcu(catchall, rcu); 5786 break; 5787 } 5788 } 5789} 5790 5791static void nft_setelem_remove(const struct net *net, 5792 const struct nft_set *set, 5793 const struct nft_set_elem *elem) 5794{ 5795 if (nft_setelem_is_catchall(set, elem)) 5796 nft_setelem_catchall_remove(net, set, elem); 5797 else 5798 set->ops->remove(net, set, elem); 5799} 5800 5801static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, 5802 const struct nlattr *attr, u32 nlmsg_flags) 5803{ 5804 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {}; 5805 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 5806 u8 genmask = nft_genmask_next(ctx->net); 5807 u32 flags = 0, size = 0, num_exprs = 0; 5808 struct nft_set_ext_tmpl tmpl; 5809 struct nft_set_ext *ext, *ext2; 5810 struct nft_set_elem elem; 5811 struct nft_set_binding *binding; 5812 struct nft_object *obj = NULL; 5813 struct nft_userdata *udata; 5814 struct nft_data_desc desc; 5815 enum nft_registers dreg; 5816 struct nft_trans *trans; 5817 u64 timeout; 5818 u64 expiration; 5819 int err, i; 5820 u8 ulen; 5821 5822 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 5823 nft_set_elem_policy, NULL); 5824 if (err < 0) 5825 return err; 5826 5827 nft_set_ext_prepare(&tmpl); 5828 5829 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 5830 if (err < 0) 5831 return err; 5832 5833 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL)) 5834 return -EINVAL; 5835 5836 if (flags != 0) 5837 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 5838 5839 if (set->flags & NFT_SET_MAP) { 5840 if (nla[NFTA_SET_ELEM_DATA] == NULL && 5841 !(flags & NFT_SET_ELEM_INTERVAL_END)) 5842 return -EINVAL; 5843 } else { 5844 if (nla[NFTA_SET_ELEM_DATA] != NULL) 5845 return -EINVAL; 5846 } 5847 5848 if ((flags & NFT_SET_ELEM_INTERVAL_END) && 5849 (nla[NFTA_SET_ELEM_DATA] || 5850 nla[NFTA_SET_ELEM_OBJREF] || 5851 nla[NFTA_SET_ELEM_TIMEOUT] || 5852 nla[NFTA_SET_ELEM_EXPIRATION] || 5853 nla[NFTA_SET_ELEM_USERDATA] || 5854 nla[NFTA_SET_ELEM_EXPR] || 5855 nla[NFTA_SET_ELEM_EXPRESSIONS])) 5856 return -EINVAL; 5857 5858 timeout = 0; 5859 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) { 5860 if (!(set->flags & NFT_SET_TIMEOUT)) 5861 return -EINVAL; 5862 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT], 5863 &timeout); 5864 if (err) 5865 return err; 5866 } else if (set->flags & NFT_SET_TIMEOUT) { 5867 timeout = set->timeout; 5868 } 5869 5870 expiration = 0; 5871 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) { 5872 if (!(set->flags & NFT_SET_TIMEOUT)) 5873 return -EINVAL; 5874 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION], 5875 &expiration); 5876 if (err) 5877 return err; 5878 } 5879 5880 if (nla[NFTA_SET_ELEM_EXPR]) { 5881 struct nft_expr *expr; 5882 5883 if (set->num_exprs && set->num_exprs != 1) 5884 return -EOPNOTSUPP; 5885 5886 expr = nft_set_elem_expr_alloc(ctx, set, 5887 nla[NFTA_SET_ELEM_EXPR]); 5888 if (IS_ERR(expr)) 5889 return PTR_ERR(expr); 5890 5891 expr_array[0] = expr; 5892 num_exprs = 1; 5893 5894 if (set->num_exprs && set->exprs[0]->ops != expr->ops) { 5895 err = -EOPNOTSUPP; 5896 goto err_set_elem_expr; 5897 } 5898 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) { 5899 struct nft_expr *expr; 5900 struct nlattr *tmp; 5901 int left; 5902 5903 i = 0; 5904 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) { 5905 if (i == NFT_SET_EXPR_MAX || 5906 (set->num_exprs && set->num_exprs == i)) { 5907 err = -E2BIG; 5908 goto err_set_elem_expr; 5909 } 5910 if (nla_type(tmp) != NFTA_LIST_ELEM) { 5911 err = -EINVAL; 5912 goto err_set_elem_expr; 5913 } 5914 expr = nft_set_elem_expr_alloc(ctx, set, tmp); 5915 if (IS_ERR(expr)) { 5916 err = PTR_ERR(expr); 5917 goto err_set_elem_expr; 5918 } 5919 expr_array[i] = expr; 5920 num_exprs++; 5921 5922 if (set->num_exprs && expr->ops != set->exprs[i]->ops) { 5923 err = -EOPNOTSUPP; 5924 goto err_set_elem_expr; 5925 } 5926 i++; 5927 } 5928 if (set->num_exprs && set->num_exprs != i) { 5929 err = -EOPNOTSUPP; 5930 goto err_set_elem_expr; 5931 } 5932 } else if (set->num_exprs > 0) { 5933 err = nft_set_elem_expr_clone(ctx, set, expr_array); 5934 if (err < 0) 5935 goto err_set_elem_expr_clone; 5936 5937 num_exprs = set->num_exprs; 5938 } 5939 5940 if (nla[NFTA_SET_ELEM_KEY]) { 5941 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 5942 nla[NFTA_SET_ELEM_KEY]); 5943 if (err < 0) 5944 goto err_set_elem_expr; 5945 5946 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen); 5947 } 5948 5949 if (nla[NFTA_SET_ELEM_KEY_END]) { 5950 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 5951 nla[NFTA_SET_ELEM_KEY_END]); 5952 if (err < 0) 5953 goto err_parse_key; 5954 5955 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen); 5956 } 5957 5958 if (timeout > 0) { 5959 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION); 5960 if (timeout != set->timeout) 5961 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT); 5962 } 5963 5964 if (num_exprs) { 5965 for (i = 0; i < num_exprs; i++) 5966 size += expr_array[i]->ops->size; 5967 5968 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS, 5969 sizeof(struct nft_set_elem_expr) + 5970 size); 5971 } 5972 5973 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) { 5974 if (!(set->flags & NFT_SET_OBJECT)) { 5975 err = -EINVAL; 5976 goto err_parse_key_end; 5977 } 5978 obj = nft_obj_lookup(ctx->net, ctx->table, 5979 nla[NFTA_SET_ELEM_OBJREF], 5980 set->objtype, genmask); 5981 if (IS_ERR(obj)) { 5982 err = PTR_ERR(obj); 5983 goto err_parse_key_end; 5984 } 5985 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF); 5986 } 5987 5988 if (nla[NFTA_SET_ELEM_DATA] != NULL) { 5989 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val, 5990 nla[NFTA_SET_ELEM_DATA]); 5991 if (err < 0) 5992 goto err_parse_key_end; 5993 5994 dreg = nft_type_to_reg(set->dtype); 5995 list_for_each_entry(binding, &set->bindings, list) { 5996 struct nft_ctx bind_ctx = { 5997 .net = ctx->net, 5998 .family = ctx->family, 5999 .table = ctx->table, 6000 .chain = (struct nft_chain *)binding->chain, 6001 }; 6002 6003 if (!(binding->flags & NFT_SET_MAP)) 6004 continue; 6005 6006 err = nft_validate_register_store(&bind_ctx, dreg, 6007 &elem.data.val, 6008 desc.type, desc.len); 6009 if (err < 0) 6010 goto err_parse_data; 6011 6012 if (desc.type == NFT_DATA_VERDICT && 6013 (elem.data.val.verdict.code == NFT_GOTO || 6014 elem.data.val.verdict.code == NFT_JUMP)) 6015 nft_validate_state_update(ctx->net, 6016 NFT_VALIDATE_NEED); 6017 } 6018 6019 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len); 6020 } 6021 6022 /* The full maximum length of userdata can exceed the maximum 6023 * offset value (U8_MAX) for following extensions, therefor it 6024 * must be the last extension added. 6025 */ 6026 ulen = 0; 6027 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) { 6028 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]); 6029 if (ulen > 0) 6030 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA, 6031 ulen); 6032 } 6033 6034 err = -ENOMEM; 6035 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, 6036 elem.key_end.val.data, elem.data.val.data, 6037 timeout, expiration, GFP_KERNEL_ACCOUNT); 6038 if (elem.priv == NULL) 6039 goto err_parse_data; 6040 6041 ext = nft_set_elem_ext(set, elem.priv); 6042 if (flags) 6043 *nft_set_ext_flags(ext) = flags; 6044 if (ulen > 0) { 6045 udata = nft_set_ext_userdata(ext); 6046 udata->len = ulen - 1; 6047 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen); 6048 } 6049 if (obj) { 6050 *nft_set_ext_obj(ext) = obj; 6051 obj->use++; 6052 } 6053 err = nft_set_elem_expr_setup(ctx, ext, expr_array, num_exprs); 6054 if (err < 0) 6055 goto err_elem_expr; 6056 6057 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set); 6058 if (trans == NULL) { 6059 err = -ENOMEM; 6060 goto err_elem_expr; 6061 } 6062 6063 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK; 6064 6065 err = nft_setelem_insert(ctx->net, set, &elem, &ext2, flags); 6066 if (err) { 6067 if (err == -EEXIST) { 6068 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^ 6069 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) || 6070 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^ 6071 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) 6072 goto err_element_clash; 6073 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 6074 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) && 6075 memcmp(nft_set_ext_data(ext), 6076 nft_set_ext_data(ext2), set->dlen) != 0) || 6077 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && 6078 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) && 6079 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2))) 6080 goto err_element_clash; 6081 else if (!(nlmsg_flags & NLM_F_EXCL)) 6082 err = 0; 6083 } else if (err == -ENOTEMPTY) { 6084 /* ENOTEMPTY reports overlapping between this element 6085 * and an existing one. 6086 */ 6087 err = -EEXIST; 6088 } 6089 goto err_element_clash; 6090 } 6091 6092 if (!(flags & NFT_SET_ELEM_CATCHALL) && set->size && 6093 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) { 6094 err = -ENFILE; 6095 goto err_set_full; 6096 } 6097 6098 nft_trans_elem(trans) = elem; 6099 nft_trans_commit_list_add_tail(ctx->net, trans); 6100 return 0; 6101 6102err_set_full: 6103 nft_setelem_remove(ctx->net, set, &elem); 6104err_element_clash: 6105 kfree(trans); 6106err_elem_expr: 6107 if (obj) 6108 obj->use--; 6109 6110 nf_tables_set_elem_destroy(ctx, set, elem.priv); 6111err_parse_data: 6112 if (nla[NFTA_SET_ELEM_DATA] != NULL) 6113 nft_data_release(&elem.data.val, desc.type); 6114err_parse_key_end: 6115 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE); 6116err_parse_key: 6117 nft_data_release(&elem.key.val, NFT_DATA_VALUE); 6118err_set_elem_expr: 6119 for (i = 0; i < num_exprs && expr_array[i]; i++) 6120 nft_expr_destroy(ctx, expr_array[i]); 6121err_set_elem_expr_clone: 6122 return err; 6123} 6124 6125static int nf_tables_newsetelem(struct sk_buff *skb, 6126 const struct nfnl_info *info, 6127 const struct nlattr * const nla[]) 6128{ 6129 struct nftables_pernet *nft_net = nft_pernet(info->net); 6130 struct netlink_ext_ack *extack = info->extack; 6131 u8 genmask = nft_genmask_next(info->net); 6132 u8 family = info->nfmsg->nfgen_family; 6133 struct net *net = info->net; 6134 const struct nlattr *attr; 6135 struct nft_table *table; 6136 struct nft_set *set; 6137 struct nft_ctx ctx; 6138 int rem, err; 6139 6140 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) 6141 return -EINVAL; 6142 6143 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 6144 genmask, NETLINK_CB(skb).portid); 6145 if (IS_ERR(table)) { 6146 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 6147 return PTR_ERR(table); 6148 } 6149 6150 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET], 6151 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask); 6152 if (IS_ERR(set)) 6153 return PTR_ERR(set); 6154 6155 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) 6156 return -EBUSY; 6157 6158 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 6159 6160 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 6161 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags); 6162 if (err < 0) { 6163 NL_SET_BAD_ATTR(extack, attr); 6164 return err; 6165 } 6166 } 6167 6168 if (nft_net->validate_state == NFT_VALIDATE_DO) 6169 return nft_table_validate(net, table); 6170 6171 return 0; 6172} 6173 6174/** 6175 * nft_data_hold - hold a nft_data item 6176 * 6177 * @data: struct nft_data to release 6178 * @type: type of data 6179 * 6180 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded, 6181 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and 6182 * NFT_GOTO verdicts. This function must be called on active data objects 6183 * from the second phase of the commit protocol. 6184 */ 6185void nft_data_hold(const struct nft_data *data, enum nft_data_types type) 6186{ 6187 struct nft_chain *chain; 6188 struct nft_rule *rule; 6189 6190 if (type == NFT_DATA_VERDICT) { 6191 switch (data->verdict.code) { 6192 case NFT_JUMP: 6193 case NFT_GOTO: 6194 chain = data->verdict.chain; 6195 chain->use++; 6196 6197 if (!nft_chain_is_bound(chain)) 6198 break; 6199 6200 chain->table->use++; 6201 list_for_each_entry(rule, &chain->rules, list) 6202 chain->use++; 6203 6204 nft_chain_add(chain->table, chain); 6205 break; 6206 } 6207 } 6208} 6209 6210static void nft_setelem_data_activate(const struct net *net, 6211 const struct nft_set *set, 6212 struct nft_set_elem *elem) 6213{ 6214 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 6215 6216 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 6217 nft_data_hold(nft_set_ext_data(ext), set->dtype); 6218 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 6219 (*nft_set_ext_obj(ext))->use++; 6220} 6221 6222static void nft_setelem_data_deactivate(const struct net *net, 6223 const struct nft_set *set, 6224 struct nft_set_elem *elem) 6225{ 6226 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 6227 6228 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 6229 nft_data_release(nft_set_ext_data(ext), set->dtype); 6230 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 6231 (*nft_set_ext_obj(ext))->use--; 6232} 6233 6234static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set, 6235 const struct nlattr *attr) 6236{ 6237 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 6238 struct nft_set_ext_tmpl tmpl; 6239 struct nft_set_elem elem; 6240 struct nft_set_ext *ext; 6241 struct nft_trans *trans; 6242 u32 flags = 0; 6243 int err; 6244 6245 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 6246 nft_set_elem_policy, NULL); 6247 if (err < 0) 6248 return err; 6249 6250 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 6251 if (err < 0) 6252 return err; 6253 6254 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL)) 6255 return -EINVAL; 6256 6257 nft_set_ext_prepare(&tmpl); 6258 6259 if (flags != 0) 6260 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 6261 6262 if (nla[NFTA_SET_ELEM_KEY]) { 6263 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 6264 nla[NFTA_SET_ELEM_KEY]); 6265 if (err < 0) 6266 return err; 6267 6268 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen); 6269 } 6270 6271 if (nla[NFTA_SET_ELEM_KEY_END]) { 6272 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 6273 nla[NFTA_SET_ELEM_KEY_END]); 6274 if (err < 0) 6275 return err; 6276 6277 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen); 6278 } 6279 6280 err = -ENOMEM; 6281 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, 6282 elem.key_end.val.data, NULL, 0, 0, 6283 GFP_KERNEL_ACCOUNT); 6284 if (elem.priv == NULL) 6285 goto fail_elem; 6286 6287 ext = nft_set_elem_ext(set, elem.priv); 6288 if (flags) 6289 *nft_set_ext_flags(ext) = flags; 6290 6291 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set); 6292 if (trans == NULL) 6293 goto fail_trans; 6294 6295 err = nft_setelem_deactivate(ctx->net, set, &elem, flags); 6296 if (err < 0) 6297 goto fail_ops; 6298 6299 nft_setelem_data_deactivate(ctx->net, set, &elem); 6300 6301 nft_trans_elem(trans) = elem; 6302 nft_trans_commit_list_add_tail(ctx->net, trans); 6303 return 0; 6304 6305fail_ops: 6306 kfree(trans); 6307fail_trans: 6308 kfree(elem.priv); 6309fail_elem: 6310 nft_data_release(&elem.key.val, NFT_DATA_VALUE); 6311 return err; 6312} 6313 6314static int nft_setelem_flush(const struct nft_ctx *ctx, 6315 struct nft_set *set, 6316 const struct nft_set_iter *iter, 6317 struct nft_set_elem *elem) 6318{ 6319 struct nft_trans *trans; 6320 int err; 6321 6322 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, 6323 sizeof(struct nft_trans_elem), GFP_ATOMIC); 6324 if (!trans) 6325 return -ENOMEM; 6326 6327 if (!set->ops->flush(ctx->net, set, elem->priv)) { 6328 err = -ENOENT; 6329 goto err1; 6330 } 6331 set->ndeact++; 6332 6333 nft_setelem_data_deactivate(ctx->net, set, elem); 6334 nft_trans_elem_set(trans) = set; 6335 nft_trans_elem(trans) = *elem; 6336 nft_trans_commit_list_add_tail(ctx->net, trans); 6337 6338 return 0; 6339err1: 6340 kfree(trans); 6341 return err; 6342} 6343 6344static int __nft_set_catchall_flush(const struct nft_ctx *ctx, 6345 struct nft_set *set, 6346 struct nft_set_elem *elem) 6347{ 6348 struct nft_trans *trans; 6349 6350 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, 6351 sizeof(struct nft_trans_elem), GFP_KERNEL); 6352 if (!trans) 6353 return -ENOMEM; 6354 6355 nft_setelem_data_deactivate(ctx->net, set, elem); 6356 nft_trans_elem_set(trans) = set; 6357 nft_trans_elem(trans) = *elem; 6358 nft_trans_commit_list_add_tail(ctx->net, trans); 6359 6360 return 0; 6361} 6362 6363static int nft_set_catchall_flush(const struct nft_ctx *ctx, 6364 struct nft_set *set) 6365{ 6366 u8 genmask = nft_genmask_next(ctx->net); 6367 struct nft_set_elem_catchall *catchall; 6368 struct nft_set_elem elem; 6369 struct nft_set_ext *ext; 6370 int ret = 0; 6371 6372 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 6373 ext = nft_set_elem_ext(set, catchall->elem); 6374 if (!nft_set_elem_active(ext, genmask) || 6375 nft_set_elem_mark_busy(ext)) 6376 continue; 6377 6378 elem.priv = catchall->elem; 6379 ret = __nft_set_catchall_flush(ctx, set, &elem); 6380 if (ret < 0) 6381 break; 6382 } 6383 6384 return ret; 6385} 6386 6387static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask) 6388{ 6389 struct nft_set_iter iter = { 6390 .genmask = genmask, 6391 .fn = nft_setelem_flush, 6392 }; 6393 6394 set->ops->walk(ctx, set, &iter); 6395 if (!iter.err) 6396 iter.err = nft_set_catchall_flush(ctx, set); 6397 6398 return iter.err; 6399} 6400 6401static int nf_tables_delsetelem(struct sk_buff *skb, 6402 const struct nfnl_info *info, 6403 const struct nlattr * const nla[]) 6404{ 6405 struct netlink_ext_ack *extack = info->extack; 6406 u8 genmask = nft_genmask_next(info->net); 6407 u8 family = info->nfmsg->nfgen_family; 6408 struct net *net = info->net; 6409 const struct nlattr *attr; 6410 struct nft_table *table; 6411 struct nft_set *set; 6412 struct nft_ctx ctx; 6413 int rem, err = 0; 6414 6415 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 6416 genmask, NETLINK_CB(skb).portid); 6417 if (IS_ERR(table)) { 6418 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 6419 return PTR_ERR(table); 6420 } 6421 6422 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask); 6423 if (IS_ERR(set)) 6424 return PTR_ERR(set); 6425 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) 6426 return -EBUSY; 6427 6428 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 6429 6430 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS]) 6431 return nft_set_flush(&ctx, set, genmask); 6432 6433 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 6434 err = nft_del_setelem(&ctx, set, attr); 6435 if (err < 0) { 6436 NL_SET_BAD_ATTR(extack, attr); 6437 break; 6438 } 6439 } 6440 return err; 6441} 6442 6443void nft_set_gc_batch_release(struct rcu_head *rcu) 6444{ 6445 struct nft_set_gc_batch *gcb; 6446 unsigned int i; 6447 6448 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu); 6449 for (i = 0; i < gcb->head.cnt; i++) 6450 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true); 6451 kfree(gcb); 6452} 6453 6454struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set, 6455 gfp_t gfp) 6456{ 6457 struct nft_set_gc_batch *gcb; 6458 6459 gcb = kzalloc(sizeof(*gcb), gfp); 6460 if (gcb == NULL) 6461 return gcb; 6462 gcb->head.set = set; 6463 return gcb; 6464} 6465 6466/* 6467 * Stateful objects 6468 */ 6469 6470/** 6471 * nft_register_obj- register nf_tables stateful object type 6472 * @obj_type: object type 6473 * 6474 * Registers the object type for use with nf_tables. Returns zero on 6475 * success or a negative errno code otherwise. 6476 */ 6477int nft_register_obj(struct nft_object_type *obj_type) 6478{ 6479 if (obj_type->type == NFT_OBJECT_UNSPEC) 6480 return -EINVAL; 6481 6482 nfnl_lock(NFNL_SUBSYS_NFTABLES); 6483 list_add_rcu(&obj_type->list, &nf_tables_objects); 6484 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 6485 return 0; 6486} 6487EXPORT_SYMBOL_GPL(nft_register_obj); 6488 6489/** 6490 * nft_unregister_obj - unregister nf_tables object type 6491 * @obj_type: object type 6492 * 6493 * Unregisters the object type for use with nf_tables. 6494 */ 6495void nft_unregister_obj(struct nft_object_type *obj_type) 6496{ 6497 nfnl_lock(NFNL_SUBSYS_NFTABLES); 6498 list_del_rcu(&obj_type->list); 6499 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 6500} 6501EXPORT_SYMBOL_GPL(nft_unregister_obj); 6502 6503struct nft_object *nft_obj_lookup(const struct net *net, 6504 const struct nft_table *table, 6505 const struct nlattr *nla, u32 objtype, 6506 u8 genmask) 6507{ 6508 struct nft_object_hash_key k = { .table = table }; 6509 char search[NFT_OBJ_MAXNAMELEN]; 6510 struct rhlist_head *tmp, *list; 6511 struct nft_object *obj; 6512 6513 nla_strscpy(search, nla, sizeof(search)); 6514 k.name = search; 6515 6516 WARN_ON_ONCE(!rcu_read_lock_held() && 6517 !lockdep_commit_lock_is_held(net)); 6518 6519 rcu_read_lock(); 6520 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params); 6521 if (!list) 6522 goto out; 6523 6524 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) { 6525 if (objtype == obj->ops->type->type && 6526 nft_active_genmask(obj, genmask)) { 6527 rcu_read_unlock(); 6528 return obj; 6529 } 6530 } 6531out: 6532 rcu_read_unlock(); 6533 return ERR_PTR(-ENOENT); 6534} 6535EXPORT_SYMBOL_GPL(nft_obj_lookup); 6536 6537static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table, 6538 const struct nlattr *nla, 6539 u32 objtype, u8 genmask) 6540{ 6541 struct nft_object *obj; 6542 6543 list_for_each_entry(obj, &table->objects, list) { 6544 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle && 6545 objtype == obj->ops->type->type && 6546 nft_active_genmask(obj, genmask)) 6547 return obj; 6548 } 6549 return ERR_PTR(-ENOENT); 6550} 6551 6552static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = { 6553 [NFTA_OBJ_TABLE] = { .type = NLA_STRING, 6554 .len = NFT_TABLE_MAXNAMELEN - 1 }, 6555 [NFTA_OBJ_NAME] = { .type = NLA_STRING, 6556 .len = NFT_OBJ_MAXNAMELEN - 1 }, 6557 [NFTA_OBJ_TYPE] = { .type = NLA_U32 }, 6558 [NFTA_OBJ_DATA] = { .type = NLA_NESTED }, 6559 [NFTA_OBJ_HANDLE] = { .type = NLA_U64}, 6560 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY, 6561 .len = NFT_USERDATA_MAXLEN }, 6562}; 6563 6564static struct nft_object *nft_obj_init(const struct nft_ctx *ctx, 6565 const struct nft_object_type *type, 6566 const struct nlattr *attr) 6567{ 6568 struct nlattr **tb; 6569 const struct nft_object_ops *ops; 6570 struct nft_object *obj; 6571 int err = -ENOMEM; 6572 6573 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL); 6574 if (!tb) 6575 goto err1; 6576 6577 if (attr) { 6578 err = nla_parse_nested_deprecated(tb, type->maxattr, attr, 6579 type->policy, NULL); 6580 if (err < 0) 6581 goto err2; 6582 } else { 6583 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1)); 6584 } 6585 6586 if (type->select_ops) { 6587 ops = type->select_ops(ctx, (const struct nlattr * const *)tb); 6588 if (IS_ERR(ops)) { 6589 err = PTR_ERR(ops); 6590 goto err2; 6591 } 6592 } else { 6593 ops = type->ops; 6594 } 6595 6596 err = -ENOMEM; 6597 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT); 6598 if (!obj) 6599 goto err2; 6600 6601 err = ops->init(ctx, (const struct nlattr * const *)tb, obj); 6602 if (err < 0) 6603 goto err3; 6604 6605 obj->ops = ops; 6606 6607 kfree(tb); 6608 return obj; 6609err3: 6610 kfree(obj); 6611err2: 6612 kfree(tb); 6613err1: 6614 return ERR_PTR(err); 6615} 6616 6617static int nft_object_dump(struct sk_buff *skb, unsigned int attr, 6618 struct nft_object *obj, bool reset) 6619{ 6620 struct nlattr *nest; 6621 6622 nest = nla_nest_start_noflag(skb, attr); 6623 if (!nest) 6624 goto nla_put_failure; 6625 if (obj->ops->dump(skb, obj, reset) < 0) 6626 goto nla_put_failure; 6627 nla_nest_end(skb, nest); 6628 return 0; 6629 6630nla_put_failure: 6631 return -1; 6632} 6633 6634static const struct nft_object_type *__nft_obj_type_get(u32 objtype) 6635{ 6636 const struct nft_object_type *type; 6637 6638 list_for_each_entry(type, &nf_tables_objects, list) { 6639 if (objtype == type->type) 6640 return type; 6641 } 6642 return NULL; 6643} 6644 6645static const struct nft_object_type * 6646nft_obj_type_get(struct net *net, u32 objtype) 6647{ 6648 const struct nft_object_type *type; 6649 6650 type = __nft_obj_type_get(objtype); 6651 if (type != NULL && try_module_get(type->owner)) 6652 return type; 6653 6654 lockdep_nfnl_nft_mutex_not_held(); 6655#ifdef CONFIG_MODULES 6656 if (type == NULL) { 6657 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN) 6658 return ERR_PTR(-EAGAIN); 6659 } 6660#endif 6661 return ERR_PTR(-ENOENT); 6662} 6663 6664static int nf_tables_updobj(const struct nft_ctx *ctx, 6665 const struct nft_object_type *type, 6666 const struct nlattr *attr, 6667 struct nft_object *obj) 6668{ 6669 struct nft_object *newobj; 6670 struct nft_trans *trans; 6671 int err = -ENOMEM; 6672 6673 if (!try_module_get(type->owner)) 6674 return -ENOENT; 6675 6676 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ, 6677 sizeof(struct nft_trans_obj)); 6678 if (!trans) 6679 goto err_trans; 6680 6681 newobj = nft_obj_init(ctx, type, attr); 6682 if (IS_ERR(newobj)) { 6683 err = PTR_ERR(newobj); 6684 goto err_free_trans; 6685 } 6686 6687 nft_trans_obj(trans) = obj; 6688 nft_trans_obj_update(trans) = true; 6689 nft_trans_obj_newobj(trans) = newobj; 6690 nft_trans_commit_list_add_tail(ctx->net, trans); 6691 6692 return 0; 6693 6694err_free_trans: 6695 kfree(trans); 6696err_trans: 6697 module_put(type->owner); 6698 return err; 6699} 6700 6701static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info, 6702 const struct nlattr * const nla[]) 6703{ 6704 struct netlink_ext_ack *extack = info->extack; 6705 u8 genmask = nft_genmask_next(info->net); 6706 u8 family = info->nfmsg->nfgen_family; 6707 const struct nft_object_type *type; 6708 struct net *net = info->net; 6709 struct nft_table *table; 6710 struct nft_object *obj; 6711 struct nft_ctx ctx; 6712 u32 objtype; 6713 int err; 6714 6715 if (!nla[NFTA_OBJ_TYPE] || 6716 !nla[NFTA_OBJ_NAME] || 6717 !nla[NFTA_OBJ_DATA]) 6718 return -EINVAL; 6719 6720 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 6721 NETLINK_CB(skb).portid); 6722 if (IS_ERR(table)) { 6723 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 6724 return PTR_ERR(table); 6725 } 6726 6727 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 6728 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask); 6729 if (IS_ERR(obj)) { 6730 err = PTR_ERR(obj); 6731 if (err != -ENOENT) { 6732 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 6733 return err; 6734 } 6735 } else { 6736 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 6737 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 6738 return -EEXIST; 6739 } 6740 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 6741 return -EOPNOTSUPP; 6742 6743 type = __nft_obj_type_get(objtype); 6744 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 6745 6746 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj); 6747 } 6748 6749 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 6750 6751 type = nft_obj_type_get(net, objtype); 6752 if (IS_ERR(type)) 6753 return PTR_ERR(type); 6754 6755 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]); 6756 if (IS_ERR(obj)) { 6757 err = PTR_ERR(obj); 6758 goto err_init; 6759 } 6760 obj->key.table = table; 6761 obj->handle = nf_tables_alloc_handle(table); 6762 6763 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT); 6764 if (!obj->key.name) { 6765 err = -ENOMEM; 6766 goto err_strdup; 6767 } 6768 6769 if (nla[NFTA_OBJ_USERDATA]) { 6770 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL); 6771 if (obj->udata == NULL) 6772 goto err_userdata; 6773 6774 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]); 6775 } 6776 6777 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj); 6778 if (err < 0) 6779 goto err_trans; 6780 6781 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead, 6782 nft_objname_ht_params); 6783 if (err < 0) 6784 goto err_obj_ht; 6785 6786 list_add_tail_rcu(&obj->list, &table->objects); 6787 table->use++; 6788 return 0; 6789err_obj_ht: 6790 /* queued in transaction log */ 6791 INIT_LIST_HEAD(&obj->list); 6792 return err; 6793err_trans: 6794 kfree(obj->udata); 6795err_userdata: 6796 kfree(obj->key.name); 6797err_strdup: 6798 if (obj->ops->destroy) 6799 obj->ops->destroy(&ctx, obj); 6800 kfree(obj); 6801err_init: 6802 module_put(type->owner); 6803 return err; 6804} 6805 6806static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net, 6807 u32 portid, u32 seq, int event, u32 flags, 6808 int family, const struct nft_table *table, 6809 struct nft_object *obj, bool reset) 6810{ 6811 struct nlmsghdr *nlh; 6812 6813 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 6814 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 6815 NFNETLINK_V0, nft_base_seq(net)); 6816 if (!nlh) 6817 goto nla_put_failure; 6818 6819 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) || 6820 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) || 6821 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) || 6822 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) || 6823 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) || 6824 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle), 6825 NFTA_OBJ_PAD)) 6826 goto nla_put_failure; 6827 6828 if (obj->udata && 6829 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata)) 6830 goto nla_put_failure; 6831 6832 nlmsg_end(skb, nlh); 6833 return 0; 6834 6835nla_put_failure: 6836 nlmsg_trim(skb, nlh); 6837 return -1; 6838} 6839 6840struct nft_obj_filter { 6841 char *table; 6842 u32 type; 6843}; 6844 6845static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb) 6846{ 6847 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 6848 const struct nft_table *table; 6849 unsigned int idx = 0, s_idx = cb->args[0]; 6850 struct nft_obj_filter *filter = cb->data; 6851 struct net *net = sock_net(skb->sk); 6852 int family = nfmsg->nfgen_family; 6853 struct nftables_pernet *nft_net; 6854 struct nft_object *obj; 6855 bool reset = false; 6856 6857 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET) 6858 reset = true; 6859 6860 rcu_read_lock(); 6861 nft_net = nft_pernet(net); 6862 cb->seq = nft_net->base_seq; 6863 6864 list_for_each_entry_rcu(table, &nft_net->tables, list) { 6865 if (family != NFPROTO_UNSPEC && family != table->family) 6866 continue; 6867 6868 list_for_each_entry_rcu(obj, &table->objects, list) { 6869 if (!nft_is_active(net, obj)) 6870 goto cont; 6871 if (idx < s_idx) 6872 goto cont; 6873 if (idx > s_idx) 6874 memset(&cb->args[1], 0, 6875 sizeof(cb->args) - sizeof(cb->args[0])); 6876 if (filter && filter->table && 6877 strcmp(filter->table, table->name)) 6878 goto cont; 6879 if (filter && 6880 filter->type != NFT_OBJECT_UNSPEC && 6881 obj->ops->type->type != filter->type) 6882 goto cont; 6883 if (reset) { 6884 char *buf = kasprintf(GFP_ATOMIC, 6885 "%s:%u", 6886 table->name, 6887 nft_net->base_seq); 6888 6889 audit_log_nfcfg(buf, 6890 family, 6891 obj->handle, 6892 AUDIT_NFT_OP_OBJ_RESET, 6893 GFP_ATOMIC); 6894 kfree(buf); 6895 } 6896 6897 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid, 6898 cb->nlh->nlmsg_seq, 6899 NFT_MSG_NEWOBJ, 6900 NLM_F_MULTI | NLM_F_APPEND, 6901 table->family, table, 6902 obj, reset) < 0) 6903 goto done; 6904 6905 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 6906cont: 6907 idx++; 6908 } 6909 } 6910done: 6911 rcu_read_unlock(); 6912 6913 cb->args[0] = idx; 6914 return skb->len; 6915} 6916 6917static int nf_tables_dump_obj_start(struct netlink_callback *cb) 6918{ 6919 const struct nlattr * const *nla = cb->data; 6920 struct nft_obj_filter *filter = NULL; 6921 6922 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) { 6923 filter = kzalloc(sizeof(*filter), GFP_ATOMIC); 6924 if (!filter) 6925 return -ENOMEM; 6926 6927 if (nla[NFTA_OBJ_TABLE]) { 6928 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC); 6929 if (!filter->table) { 6930 kfree(filter); 6931 return -ENOMEM; 6932 } 6933 } 6934 6935 if (nla[NFTA_OBJ_TYPE]) 6936 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 6937 } 6938 6939 cb->data = filter; 6940 return 0; 6941} 6942 6943static int nf_tables_dump_obj_done(struct netlink_callback *cb) 6944{ 6945 struct nft_obj_filter *filter = cb->data; 6946 6947 if (filter) { 6948 kfree(filter->table); 6949 kfree(filter); 6950 } 6951 6952 return 0; 6953} 6954 6955/* called with rcu_read_lock held */ 6956static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info, 6957 const struct nlattr * const nla[]) 6958{ 6959 struct netlink_ext_ack *extack = info->extack; 6960 u8 genmask = nft_genmask_cur(info->net); 6961 u8 family = info->nfmsg->nfgen_family; 6962 const struct nft_table *table; 6963 struct net *net = info->net; 6964 struct nft_object *obj; 6965 struct sk_buff *skb2; 6966 bool reset = false; 6967 u32 objtype; 6968 int err; 6969 6970 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 6971 struct netlink_dump_control c = { 6972 .start = nf_tables_dump_obj_start, 6973 .dump = nf_tables_dump_obj, 6974 .done = nf_tables_dump_obj_done, 6975 .module = THIS_MODULE, 6976 .data = (void *)nla, 6977 }; 6978 6979 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 6980 } 6981 6982 if (!nla[NFTA_OBJ_NAME] || 6983 !nla[NFTA_OBJ_TYPE]) 6984 return -EINVAL; 6985 6986 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0); 6987 if (IS_ERR(table)) { 6988 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 6989 return PTR_ERR(table); 6990 } 6991 6992 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 6993 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask); 6994 if (IS_ERR(obj)) { 6995 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 6996 return PTR_ERR(obj); 6997 } 6998 6999 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 7000 if (!skb2) 7001 return -ENOMEM; 7002 7003 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET) 7004 reset = true; 7005 7006 if (reset) { 7007 const struct nftables_pernet *nft_net; 7008 char *buf; 7009 7010 nft_net = nft_pernet(net); 7011 buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, nft_net->base_seq); 7012 7013 audit_log_nfcfg(buf, 7014 family, 7015 obj->handle, 7016 AUDIT_NFT_OP_OBJ_RESET, 7017 GFP_ATOMIC); 7018 kfree(buf); 7019 } 7020 7021 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid, 7022 info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0, 7023 family, table, obj, reset); 7024 if (err < 0) 7025 goto err_fill_obj_info; 7026 7027 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 7028 7029err_fill_obj_info: 7030 kfree_skb(skb2); 7031 return err; 7032} 7033 7034static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj) 7035{ 7036 if (obj->ops->destroy) 7037 obj->ops->destroy(ctx, obj); 7038 7039 module_put(obj->ops->type->owner); 7040 kfree(obj->key.name); 7041 kfree(obj->udata); 7042 kfree(obj); 7043} 7044 7045static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info, 7046 const struct nlattr * const nla[]) 7047{ 7048 struct netlink_ext_ack *extack = info->extack; 7049 u8 genmask = nft_genmask_next(info->net); 7050 u8 family = info->nfmsg->nfgen_family; 7051 struct net *net = info->net; 7052 const struct nlattr *attr; 7053 struct nft_table *table; 7054 struct nft_object *obj; 7055 struct nft_ctx ctx; 7056 u32 objtype; 7057 7058 if (!nla[NFTA_OBJ_TYPE] || 7059 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE])) 7060 return -EINVAL; 7061 7062 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 7063 NETLINK_CB(skb).portid); 7064 if (IS_ERR(table)) { 7065 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 7066 return PTR_ERR(table); 7067 } 7068 7069 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 7070 if (nla[NFTA_OBJ_HANDLE]) { 7071 attr = nla[NFTA_OBJ_HANDLE]; 7072 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask); 7073 } else { 7074 attr = nla[NFTA_OBJ_NAME]; 7075 obj = nft_obj_lookup(net, table, attr, objtype, genmask); 7076 } 7077 7078 if (IS_ERR(obj)) { 7079 NL_SET_BAD_ATTR(extack, attr); 7080 return PTR_ERR(obj); 7081 } 7082 if (obj->use > 0) { 7083 NL_SET_BAD_ATTR(extack, attr); 7084 return -EBUSY; 7085 } 7086 7087 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7088 7089 return nft_delobj(&ctx, obj); 7090} 7091 7092void nft_obj_notify(struct net *net, const struct nft_table *table, 7093 struct nft_object *obj, u32 portid, u32 seq, int event, 7094 u16 flags, int family, int report, gfp_t gfp) 7095{ 7096 struct nftables_pernet *nft_net = nft_pernet(net); 7097 struct sk_buff *skb; 7098 int err; 7099 char *buf = kasprintf(gfp, "%s:%u", 7100 table->name, nft_net->base_seq); 7101 7102 audit_log_nfcfg(buf, 7103 family, 7104 obj->handle, 7105 event == NFT_MSG_NEWOBJ ? 7106 AUDIT_NFT_OP_OBJ_REGISTER : 7107 AUDIT_NFT_OP_OBJ_UNREGISTER, 7108 gfp); 7109 kfree(buf); 7110 7111 if (!report && 7112 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 7113 return; 7114 7115 skb = nlmsg_new(NLMSG_GOODSIZE, gfp); 7116 if (skb == NULL) 7117 goto err; 7118 7119 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 7120 flags & (NLM_F_CREATE | NLM_F_EXCL), 7121 family, table, obj, false); 7122 if (err < 0) { 7123 kfree_skb(skb); 7124 goto err; 7125 } 7126 7127 nft_notify_enqueue(skb, report, &nft_net->notify_list); 7128 return; 7129err: 7130 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 7131} 7132EXPORT_SYMBOL_GPL(nft_obj_notify); 7133 7134static void nf_tables_obj_notify(const struct nft_ctx *ctx, 7135 struct nft_object *obj, int event) 7136{ 7137 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event, 7138 ctx->flags, ctx->family, ctx->report, GFP_KERNEL); 7139} 7140 7141/* 7142 * Flow tables 7143 */ 7144void nft_register_flowtable_type(struct nf_flowtable_type *type) 7145{ 7146 nfnl_lock(NFNL_SUBSYS_NFTABLES); 7147 list_add_tail_rcu(&type->list, &nf_tables_flowtables); 7148 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 7149} 7150EXPORT_SYMBOL_GPL(nft_register_flowtable_type); 7151 7152void nft_unregister_flowtable_type(struct nf_flowtable_type *type) 7153{ 7154 nfnl_lock(NFNL_SUBSYS_NFTABLES); 7155 list_del_rcu(&type->list); 7156 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 7157} 7158EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type); 7159 7160static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = { 7161 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING, 7162 .len = NFT_NAME_MAXLEN - 1 }, 7163 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING, 7164 .len = NFT_NAME_MAXLEN - 1 }, 7165 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED }, 7166 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 }, 7167 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 }, 7168}; 7169 7170struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table, 7171 const struct nlattr *nla, u8 genmask) 7172{ 7173 struct nft_flowtable *flowtable; 7174 7175 list_for_each_entry_rcu(flowtable, &table->flowtables, list) { 7176 if (!nla_strcmp(nla, flowtable->name) && 7177 nft_active_genmask(flowtable, genmask)) 7178 return flowtable; 7179 } 7180 return ERR_PTR(-ENOENT); 7181} 7182EXPORT_SYMBOL_GPL(nft_flowtable_lookup); 7183 7184void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx, 7185 struct nft_flowtable *flowtable, 7186 enum nft_trans_phase phase) 7187{ 7188 switch (phase) { 7189 case NFT_TRANS_PREPARE: 7190 case NFT_TRANS_ABORT: 7191 case NFT_TRANS_RELEASE: 7192 flowtable->use--; 7193 fallthrough; 7194 default: 7195 return; 7196 } 7197} 7198EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable); 7199 7200static struct nft_flowtable * 7201nft_flowtable_lookup_byhandle(const struct nft_table *table, 7202 const struct nlattr *nla, u8 genmask) 7203{ 7204 struct nft_flowtable *flowtable; 7205 7206 list_for_each_entry(flowtable, &table->flowtables, list) { 7207 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle && 7208 nft_active_genmask(flowtable, genmask)) 7209 return flowtable; 7210 } 7211 return ERR_PTR(-ENOENT); 7212} 7213 7214struct nft_flowtable_hook { 7215 u32 num; 7216 int priority; 7217 struct list_head list; 7218}; 7219 7220static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = { 7221 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 }, 7222 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 }, 7223 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED }, 7224}; 7225 7226static int nft_flowtable_parse_hook(const struct nft_ctx *ctx, 7227 const struct nlattr *attr, 7228 struct nft_flowtable_hook *flowtable_hook, 7229 struct nft_flowtable *flowtable, bool add) 7230{ 7231 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1]; 7232 struct nft_hook *hook; 7233 int hooknum, priority; 7234 int err; 7235 7236 INIT_LIST_HEAD(&flowtable_hook->list); 7237 7238 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr, 7239 nft_flowtable_hook_policy, NULL); 7240 if (err < 0) 7241 return err; 7242 7243 if (add) { 7244 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] || 7245 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) 7246 return -EINVAL; 7247 7248 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM])); 7249 if (hooknum != NF_NETDEV_INGRESS) 7250 return -EOPNOTSUPP; 7251 7252 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY])); 7253 7254 flowtable_hook->priority = priority; 7255 flowtable_hook->num = hooknum; 7256 } else { 7257 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) { 7258 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM])); 7259 if (hooknum != flowtable->hooknum) 7260 return -EOPNOTSUPP; 7261 } 7262 7263 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) { 7264 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY])); 7265 if (priority != flowtable->data.priority) 7266 return -EOPNOTSUPP; 7267 } 7268 7269 flowtable_hook->priority = flowtable->data.priority; 7270 flowtable_hook->num = flowtable->hooknum; 7271 } 7272 7273 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) { 7274 err = nf_tables_parse_netdev_hooks(ctx->net, 7275 tb[NFTA_FLOWTABLE_HOOK_DEVS], 7276 &flowtable_hook->list); 7277 if (err < 0) 7278 return err; 7279 } 7280 7281 list_for_each_entry(hook, &flowtable_hook->list, list) { 7282 hook->ops.pf = NFPROTO_NETDEV; 7283 hook->ops.hooknum = flowtable_hook->num; 7284 hook->ops.priority = flowtable_hook->priority; 7285 hook->ops.priv = &flowtable->data; 7286 hook->ops.hook = flowtable->data.type->hook; 7287 } 7288 7289 return err; 7290} 7291 7292static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family) 7293{ 7294 const struct nf_flowtable_type *type; 7295 7296 list_for_each_entry(type, &nf_tables_flowtables, list) { 7297 if (family == type->family) 7298 return type; 7299 } 7300 return NULL; 7301} 7302 7303static const struct nf_flowtable_type * 7304nft_flowtable_type_get(struct net *net, u8 family) 7305{ 7306 const struct nf_flowtable_type *type; 7307 7308 type = __nft_flowtable_type_get(family); 7309 if (type != NULL && try_module_get(type->owner)) 7310 return type; 7311 7312 lockdep_nfnl_nft_mutex_not_held(); 7313#ifdef CONFIG_MODULES 7314 if (type == NULL) { 7315 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN) 7316 return ERR_PTR(-EAGAIN); 7317 } 7318#endif 7319 return ERR_PTR(-ENOENT); 7320} 7321 7322/* Only called from error and netdev event paths. */ 7323static void nft_unregister_flowtable_hook(struct net *net, 7324 struct nft_flowtable *flowtable, 7325 struct nft_hook *hook) 7326{ 7327 nf_unregister_net_hook(net, &hook->ops); 7328 flowtable->data.type->setup(&flowtable->data, hook->ops.dev, 7329 FLOW_BLOCK_UNBIND); 7330} 7331 7332static void __nft_unregister_flowtable_net_hooks(struct net *net, 7333 struct list_head *hook_list, 7334 bool release_netdev) 7335{ 7336 struct nft_hook *hook, *next; 7337 7338 list_for_each_entry_safe(hook, next, hook_list, list) { 7339 nf_unregister_net_hook(net, &hook->ops); 7340 if (release_netdev) { 7341 list_del(&hook->list); 7342 kfree_rcu(hook, rcu); 7343 } 7344 } 7345} 7346 7347static void nft_unregister_flowtable_net_hooks(struct net *net, 7348 struct list_head *hook_list) 7349{ 7350 __nft_unregister_flowtable_net_hooks(net, hook_list, false); 7351} 7352 7353static int nft_register_flowtable_net_hooks(struct net *net, 7354 struct nft_table *table, 7355 struct list_head *hook_list, 7356 struct nft_flowtable *flowtable) 7357{ 7358 struct nft_hook *hook, *hook2, *next; 7359 struct nft_flowtable *ft; 7360 int err, i = 0; 7361 7362 list_for_each_entry(hook, hook_list, list) { 7363 list_for_each_entry(ft, &table->flowtables, list) { 7364 if (!nft_is_active_next(net, ft)) 7365 continue; 7366 7367 list_for_each_entry(hook2, &ft->hook_list, list) { 7368 if (hook->ops.dev == hook2->ops.dev && 7369 hook->ops.pf == hook2->ops.pf) { 7370 err = -EEXIST; 7371 goto err_unregister_net_hooks; 7372 } 7373 } 7374 } 7375 7376 err = flowtable->data.type->setup(&flowtable->data, 7377 hook->ops.dev, 7378 FLOW_BLOCK_BIND); 7379 if (err < 0) 7380 goto err_unregister_net_hooks; 7381 7382 err = nf_register_net_hook(net, &hook->ops); 7383 if (err < 0) { 7384 flowtable->data.type->setup(&flowtable->data, 7385 hook->ops.dev, 7386 FLOW_BLOCK_UNBIND); 7387 goto err_unregister_net_hooks; 7388 } 7389 7390 i++; 7391 } 7392 7393 return 0; 7394 7395err_unregister_net_hooks: 7396 list_for_each_entry_safe(hook, next, hook_list, list) { 7397 if (i-- <= 0) 7398 break; 7399 7400 nft_unregister_flowtable_hook(net, flowtable, hook); 7401 list_del_rcu(&hook->list); 7402 kfree_rcu(hook, rcu); 7403 } 7404 7405 return err; 7406} 7407 7408static void nft_flowtable_hooks_destroy(struct list_head *hook_list) 7409{ 7410 struct nft_hook *hook, *next; 7411 7412 list_for_each_entry_safe(hook, next, hook_list, list) { 7413 list_del_rcu(&hook->list); 7414 kfree_rcu(hook, rcu); 7415 } 7416} 7417 7418static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, 7419 struct nft_flowtable *flowtable) 7420{ 7421 const struct nlattr * const *nla = ctx->nla; 7422 struct nft_flowtable_hook flowtable_hook; 7423 struct nft_hook *hook, *next; 7424 struct nft_trans *trans; 7425 bool unregister = false; 7426 u32 flags; 7427 int err; 7428 7429 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK], 7430 &flowtable_hook, flowtable, false); 7431 if (err < 0) 7432 return err; 7433 7434 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) { 7435 if (nft_hook_list_find(&flowtable->hook_list, hook)) { 7436 list_del(&hook->list); 7437 kfree(hook); 7438 } 7439 } 7440 7441 if (nla[NFTA_FLOWTABLE_FLAGS]) { 7442 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); 7443 if (flags & ~NFT_FLOWTABLE_MASK) { 7444 err = -EOPNOTSUPP; 7445 goto err_flowtable_update_hook; 7446 } 7447 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^ 7448 (flags & NFT_FLOWTABLE_HW_OFFLOAD)) { 7449 err = -EOPNOTSUPP; 7450 goto err_flowtable_update_hook; 7451 } 7452 } else { 7453 flags = flowtable->data.flags; 7454 } 7455 7456 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table, 7457 &flowtable_hook.list, flowtable); 7458 if (err < 0) 7459 goto err_flowtable_update_hook; 7460 7461 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE, 7462 sizeof(struct nft_trans_flowtable)); 7463 if (!trans) { 7464 unregister = true; 7465 err = -ENOMEM; 7466 goto err_flowtable_update_hook; 7467 } 7468 7469 nft_trans_flowtable_flags(trans) = flags; 7470 nft_trans_flowtable(trans) = flowtable; 7471 nft_trans_flowtable_update(trans) = true; 7472 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 7473 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans)); 7474 7475 nft_trans_commit_list_add_tail(ctx->net, trans); 7476 7477 return 0; 7478 7479err_flowtable_update_hook: 7480 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) { 7481 if (unregister) 7482 nft_unregister_flowtable_hook(ctx->net, flowtable, hook); 7483 list_del_rcu(&hook->list); 7484 kfree_rcu(hook, rcu); 7485 } 7486 7487 return err; 7488 7489} 7490 7491static int nf_tables_newflowtable(struct sk_buff *skb, 7492 const struct nfnl_info *info, 7493 const struct nlattr * const nla[]) 7494{ 7495 struct netlink_ext_ack *extack = info->extack; 7496 struct nft_flowtable_hook flowtable_hook; 7497 u8 genmask = nft_genmask_next(info->net); 7498 u8 family = info->nfmsg->nfgen_family; 7499 const struct nf_flowtable_type *type; 7500 struct nft_flowtable *flowtable; 7501 struct nft_hook *hook, *next; 7502 struct net *net = info->net; 7503 struct nft_table *table; 7504 struct nft_ctx ctx; 7505 int err; 7506 7507 if (!nla[NFTA_FLOWTABLE_TABLE] || 7508 !nla[NFTA_FLOWTABLE_NAME] || 7509 !nla[NFTA_FLOWTABLE_HOOK]) 7510 return -EINVAL; 7511 7512 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 7513 genmask, NETLINK_CB(skb).portid); 7514 if (IS_ERR(table)) { 7515 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 7516 return PTR_ERR(table); 7517 } 7518 7519 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME], 7520 genmask); 7521 if (IS_ERR(flowtable)) { 7522 err = PTR_ERR(flowtable); 7523 if (err != -ENOENT) { 7524 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 7525 return err; 7526 } 7527 } else { 7528 if (info->nlh->nlmsg_flags & NLM_F_EXCL) { 7529 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 7530 return -EEXIST; 7531 } 7532 7533 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7534 7535 return nft_flowtable_update(&ctx, info->nlh, flowtable); 7536 } 7537 7538 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7539 7540 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL_ACCOUNT); 7541 if (!flowtable) 7542 return -ENOMEM; 7543 7544 flowtable->table = table; 7545 flowtable->handle = nf_tables_alloc_handle(table); 7546 INIT_LIST_HEAD(&flowtable->hook_list); 7547 7548 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL_ACCOUNT); 7549 if (!flowtable->name) { 7550 err = -ENOMEM; 7551 goto err1; 7552 } 7553 7554 type = nft_flowtable_type_get(net, family); 7555 if (IS_ERR(type)) { 7556 err = PTR_ERR(type); 7557 goto err2; 7558 } 7559 7560 if (nla[NFTA_FLOWTABLE_FLAGS]) { 7561 flowtable->data.flags = 7562 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); 7563 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) { 7564 err = -EOPNOTSUPP; 7565 goto err3; 7566 } 7567 } 7568 7569 write_pnet(&flowtable->data.net, net); 7570 flowtable->data.type = type; 7571 err = type->init(&flowtable->data); 7572 if (err < 0) 7573 goto err3; 7574 7575 err = nft_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK], 7576 &flowtable_hook, flowtable, true); 7577 if (err < 0) 7578 goto err4; 7579 7580 list_splice(&flowtable_hook.list, &flowtable->hook_list); 7581 flowtable->data.priority = flowtable_hook.priority; 7582 flowtable->hooknum = flowtable_hook.num; 7583 7584 err = nft_register_flowtable_net_hooks(ctx.net, table, 7585 &flowtable->hook_list, 7586 flowtable); 7587 if (err < 0) { 7588 nft_flowtable_hooks_destroy(&flowtable->hook_list); 7589 goto err4; 7590 } 7591 7592 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable); 7593 if (err < 0) 7594 goto err5; 7595 7596 list_add_tail_rcu(&flowtable->list, &table->flowtables); 7597 table->use++; 7598 7599 return 0; 7600err5: 7601 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 7602 nft_unregister_flowtable_hook(net, flowtable, hook); 7603 list_del_rcu(&hook->list); 7604 kfree_rcu(hook, rcu); 7605 } 7606err4: 7607 flowtable->data.type->free(&flowtable->data); 7608err3: 7609 module_put(type->owner); 7610err2: 7611 kfree(flowtable->name); 7612err1: 7613 kfree(flowtable); 7614 return err; 7615} 7616 7617static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook) 7618{ 7619 struct nft_hook *this, *next; 7620 7621 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) { 7622 list_del(&this->list); 7623 kfree(this); 7624 } 7625} 7626 7627static int nft_delflowtable_hook(struct nft_ctx *ctx, 7628 struct nft_flowtable *flowtable) 7629{ 7630 const struct nlattr * const *nla = ctx->nla; 7631 struct nft_flowtable_hook flowtable_hook; 7632 LIST_HEAD(flowtable_del_list); 7633 struct nft_hook *this, *hook; 7634 struct nft_trans *trans; 7635 int err; 7636 7637 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK], 7638 &flowtable_hook, flowtable, false); 7639 if (err < 0) 7640 return err; 7641 7642 list_for_each_entry(this, &flowtable_hook.list, list) { 7643 hook = nft_hook_list_find(&flowtable->hook_list, this); 7644 if (!hook) { 7645 err = -ENOENT; 7646 goto err_flowtable_del_hook; 7647 } 7648 list_move(&hook->list, &flowtable_del_list); 7649 } 7650 7651 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE, 7652 sizeof(struct nft_trans_flowtable)); 7653 if (!trans) { 7654 err = -ENOMEM; 7655 goto err_flowtable_del_hook; 7656 } 7657 7658 nft_trans_flowtable(trans) = flowtable; 7659 nft_trans_flowtable_update(trans) = true; 7660 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); 7661 list_splice(&flowtable_del_list, &nft_trans_flowtable_hooks(trans)); 7662 nft_flowtable_hook_release(&flowtable_hook); 7663 7664 nft_trans_commit_list_add_tail(ctx->net, trans); 7665 7666 return 0; 7667 7668err_flowtable_del_hook: 7669 list_splice(&flowtable_del_list, &flowtable->hook_list); 7670 nft_flowtable_hook_release(&flowtable_hook); 7671 7672 return err; 7673} 7674 7675static int nf_tables_delflowtable(struct sk_buff *skb, 7676 const struct nfnl_info *info, 7677 const struct nlattr * const nla[]) 7678{ 7679 struct netlink_ext_ack *extack = info->extack; 7680 u8 genmask = nft_genmask_next(info->net); 7681 u8 family = info->nfmsg->nfgen_family; 7682 struct nft_flowtable *flowtable; 7683 struct net *net = info->net; 7684 const struct nlattr *attr; 7685 struct nft_table *table; 7686 struct nft_ctx ctx; 7687 7688 if (!nla[NFTA_FLOWTABLE_TABLE] || 7689 (!nla[NFTA_FLOWTABLE_NAME] && 7690 !nla[NFTA_FLOWTABLE_HANDLE])) 7691 return -EINVAL; 7692 7693 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 7694 genmask, NETLINK_CB(skb).portid); 7695 if (IS_ERR(table)) { 7696 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 7697 return PTR_ERR(table); 7698 } 7699 7700 if (nla[NFTA_FLOWTABLE_HANDLE]) { 7701 attr = nla[NFTA_FLOWTABLE_HANDLE]; 7702 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask); 7703 } else { 7704 attr = nla[NFTA_FLOWTABLE_NAME]; 7705 flowtable = nft_flowtable_lookup(table, attr, genmask); 7706 } 7707 7708 if (IS_ERR(flowtable)) { 7709 NL_SET_BAD_ATTR(extack, attr); 7710 return PTR_ERR(flowtable); 7711 } 7712 7713 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); 7714 7715 if (nla[NFTA_FLOWTABLE_HOOK]) 7716 return nft_delflowtable_hook(&ctx, flowtable); 7717 7718 if (flowtable->use > 0) { 7719 NL_SET_BAD_ATTR(extack, attr); 7720 return -EBUSY; 7721 } 7722 7723 return nft_delflowtable(&ctx, flowtable); 7724} 7725 7726static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net, 7727 u32 portid, u32 seq, int event, 7728 u32 flags, int family, 7729 struct nft_flowtable *flowtable, 7730 struct list_head *hook_list) 7731{ 7732 struct nlattr *nest, *nest_devs; 7733 struct nft_hook *hook; 7734 struct nlmsghdr *nlh; 7735 7736 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 7737 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, 7738 NFNETLINK_V0, nft_base_seq(net)); 7739 if (!nlh) 7740 goto nla_put_failure; 7741 7742 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) || 7743 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) || 7744 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) || 7745 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle), 7746 NFTA_FLOWTABLE_PAD) || 7747 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags))) 7748 goto nla_put_failure; 7749 7750 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK); 7751 if (!nest) 7752 goto nla_put_failure; 7753 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) || 7754 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority))) 7755 goto nla_put_failure; 7756 7757 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS); 7758 if (!nest_devs) 7759 goto nla_put_failure; 7760 7761 list_for_each_entry_rcu(hook, hook_list, list) { 7762 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name)) 7763 goto nla_put_failure; 7764 } 7765 nla_nest_end(skb, nest_devs); 7766 nla_nest_end(skb, nest); 7767 7768 nlmsg_end(skb, nlh); 7769 return 0; 7770 7771nla_put_failure: 7772 nlmsg_trim(skb, nlh); 7773 return -1; 7774} 7775 7776struct nft_flowtable_filter { 7777 char *table; 7778}; 7779 7780static int nf_tables_dump_flowtable(struct sk_buff *skb, 7781 struct netlink_callback *cb) 7782{ 7783 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 7784 struct nft_flowtable_filter *filter = cb->data; 7785 unsigned int idx = 0, s_idx = cb->args[0]; 7786 struct net *net = sock_net(skb->sk); 7787 int family = nfmsg->nfgen_family; 7788 struct nft_flowtable *flowtable; 7789 struct nftables_pernet *nft_net; 7790 const struct nft_table *table; 7791 7792 rcu_read_lock(); 7793 nft_net = nft_pernet(net); 7794 cb->seq = nft_net->base_seq; 7795 7796 list_for_each_entry_rcu(table, &nft_net->tables, list) { 7797 if (family != NFPROTO_UNSPEC && family != table->family) 7798 continue; 7799 7800 list_for_each_entry_rcu(flowtable, &table->flowtables, list) { 7801 if (!nft_is_active(net, flowtable)) 7802 goto cont; 7803 if (idx < s_idx) 7804 goto cont; 7805 if (idx > s_idx) 7806 memset(&cb->args[1], 0, 7807 sizeof(cb->args) - sizeof(cb->args[0])); 7808 if (filter && filter->table && 7809 strcmp(filter->table, table->name)) 7810 goto cont; 7811 7812 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid, 7813 cb->nlh->nlmsg_seq, 7814 NFT_MSG_NEWFLOWTABLE, 7815 NLM_F_MULTI | NLM_F_APPEND, 7816 table->family, 7817 flowtable, 7818 &flowtable->hook_list) < 0) 7819 goto done; 7820 7821 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 7822cont: 7823 idx++; 7824 } 7825 } 7826done: 7827 rcu_read_unlock(); 7828 7829 cb->args[0] = idx; 7830 return skb->len; 7831} 7832 7833static int nf_tables_dump_flowtable_start(struct netlink_callback *cb) 7834{ 7835 const struct nlattr * const *nla = cb->data; 7836 struct nft_flowtable_filter *filter = NULL; 7837 7838 if (nla[NFTA_FLOWTABLE_TABLE]) { 7839 filter = kzalloc(sizeof(*filter), GFP_ATOMIC); 7840 if (!filter) 7841 return -ENOMEM; 7842 7843 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE], 7844 GFP_ATOMIC); 7845 if (!filter->table) { 7846 kfree(filter); 7847 return -ENOMEM; 7848 } 7849 } 7850 7851 cb->data = filter; 7852 return 0; 7853} 7854 7855static int nf_tables_dump_flowtable_done(struct netlink_callback *cb) 7856{ 7857 struct nft_flowtable_filter *filter = cb->data; 7858 7859 if (!filter) 7860 return 0; 7861 7862 kfree(filter->table); 7863 kfree(filter); 7864 7865 return 0; 7866} 7867 7868/* called with rcu_read_lock held */ 7869static int nf_tables_getflowtable(struct sk_buff *skb, 7870 const struct nfnl_info *info, 7871 const struct nlattr * const nla[]) 7872{ 7873 u8 genmask = nft_genmask_cur(info->net); 7874 u8 family = info->nfmsg->nfgen_family; 7875 struct nft_flowtable *flowtable; 7876 const struct nft_table *table; 7877 struct net *net = info->net; 7878 struct sk_buff *skb2; 7879 int err; 7880 7881 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 7882 struct netlink_dump_control c = { 7883 .start = nf_tables_dump_flowtable_start, 7884 .dump = nf_tables_dump_flowtable, 7885 .done = nf_tables_dump_flowtable_done, 7886 .module = THIS_MODULE, 7887 .data = (void *)nla, 7888 }; 7889 7890 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 7891 } 7892 7893 if (!nla[NFTA_FLOWTABLE_NAME]) 7894 return -EINVAL; 7895 7896 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 7897 genmask, 0); 7898 if (IS_ERR(table)) 7899 return PTR_ERR(table); 7900 7901 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME], 7902 genmask); 7903 if (IS_ERR(flowtable)) 7904 return PTR_ERR(flowtable); 7905 7906 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 7907 if (!skb2) 7908 return -ENOMEM; 7909 7910 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid, 7911 info->nlh->nlmsg_seq, 7912 NFT_MSG_NEWFLOWTABLE, 0, family, 7913 flowtable, &flowtable->hook_list); 7914 if (err < 0) 7915 goto err_fill_flowtable_info; 7916 7917 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid); 7918 7919err_fill_flowtable_info: 7920 kfree_skb(skb2); 7921 return err; 7922} 7923 7924static void nf_tables_flowtable_notify(struct nft_ctx *ctx, 7925 struct nft_flowtable *flowtable, 7926 struct list_head *hook_list, 7927 int event) 7928{ 7929 struct nftables_pernet *nft_net = nft_pernet(ctx->net); 7930 struct sk_buff *skb; 7931 u16 flags = 0; 7932 int err; 7933 7934 if (!ctx->report && 7935 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 7936 return; 7937 7938 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 7939 if (skb == NULL) 7940 goto err; 7941 7942 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL)) 7943 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL); 7944 7945 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid, 7946 ctx->seq, event, flags, 7947 ctx->family, flowtable, hook_list); 7948 if (err < 0) { 7949 kfree_skb(skb); 7950 goto err; 7951 } 7952 7953 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); 7954 return; 7955err: 7956 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 7957} 7958 7959static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable) 7960{ 7961 struct nft_hook *hook, *next; 7962 7963 flowtable->data.type->free(&flowtable->data); 7964 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 7965 flowtable->data.type->setup(&flowtable->data, hook->ops.dev, 7966 FLOW_BLOCK_UNBIND); 7967 list_del_rcu(&hook->list); 7968 kfree(hook); 7969 } 7970 kfree(flowtable->name); 7971 module_put(flowtable->data.type->owner); 7972 kfree(flowtable); 7973} 7974 7975static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net, 7976 u32 portid, u32 seq) 7977{ 7978 struct nftables_pernet *nft_net = nft_pernet(net); 7979 struct nlmsghdr *nlh; 7980 char buf[TASK_COMM_LEN]; 7981 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN); 7982 7983 nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC, 7984 NFNETLINK_V0, nft_base_seq(net)); 7985 if (!nlh) 7986 goto nla_put_failure; 7987 7988 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) || 7989 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) || 7990 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current))) 7991 goto nla_put_failure; 7992 7993 nlmsg_end(skb, nlh); 7994 return 0; 7995 7996nla_put_failure: 7997 nlmsg_trim(skb, nlh); 7998 return -EMSGSIZE; 7999} 8000 8001static void nft_flowtable_event(unsigned long event, struct net_device *dev, 8002 struct nft_flowtable *flowtable) 8003{ 8004 struct nft_hook *hook; 8005 8006 list_for_each_entry(hook, &flowtable->hook_list, list) { 8007 if (hook->ops.dev != dev) 8008 continue; 8009 8010 /* flow_offload_netdev_event() cleans up entries for us. */ 8011 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook); 8012 list_del_rcu(&hook->list); 8013 kfree_rcu(hook, rcu); 8014 break; 8015 } 8016} 8017 8018static int nf_tables_flowtable_event(struct notifier_block *this, 8019 unsigned long event, void *ptr) 8020{ 8021 struct net_device *dev = netdev_notifier_info_to_dev(ptr); 8022 struct nft_flowtable *flowtable; 8023 struct nftables_pernet *nft_net; 8024 struct nft_table *table; 8025 struct net *net; 8026 8027 if (event != NETDEV_UNREGISTER) 8028 return 0; 8029 8030 net = dev_net(dev); 8031 nft_net = nft_pernet(net); 8032 mutex_lock(&nft_net->commit_mutex); 8033 list_for_each_entry(table, &nft_net->tables, list) { 8034 list_for_each_entry(flowtable, &table->flowtables, list) { 8035 nft_flowtable_event(event, dev, flowtable); 8036 } 8037 } 8038 mutex_unlock(&nft_net->commit_mutex); 8039 8040 return NOTIFY_DONE; 8041} 8042 8043static struct notifier_block nf_tables_flowtable_notifier = { 8044 .notifier_call = nf_tables_flowtable_event, 8045}; 8046 8047static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb, 8048 int event) 8049{ 8050 struct nlmsghdr *nlh = nlmsg_hdr(skb); 8051 struct sk_buff *skb2; 8052 int err; 8053 8054 if (!nlmsg_report(nlh) && 8055 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 8056 return; 8057 8058 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 8059 if (skb2 == NULL) 8060 goto err; 8061 8062 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid, 8063 nlh->nlmsg_seq); 8064 if (err < 0) { 8065 kfree_skb(skb2); 8066 goto err; 8067 } 8068 8069 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 8070 nlmsg_report(nlh), GFP_KERNEL); 8071 return; 8072err: 8073 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 8074 -ENOBUFS); 8075} 8076 8077static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info, 8078 const struct nlattr * const nla[]) 8079{ 8080 struct sk_buff *skb2; 8081 int err; 8082 8083 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 8084 if (skb2 == NULL) 8085 return -ENOMEM; 8086 8087 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid, 8088 info->nlh->nlmsg_seq); 8089 if (err < 0) 8090 goto err_fill_gen_info; 8091 8092 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid); 8093 8094err_fill_gen_info: 8095 kfree_skb(skb2); 8096 return err; 8097} 8098 8099static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = { 8100 [NFT_MSG_NEWTABLE] = { 8101 .call = nf_tables_newtable, 8102 .type = NFNL_CB_BATCH, 8103 .attr_count = NFTA_TABLE_MAX, 8104 .policy = nft_table_policy, 8105 }, 8106 [NFT_MSG_GETTABLE] = { 8107 .call = nf_tables_gettable, 8108 .type = NFNL_CB_RCU, 8109 .attr_count = NFTA_TABLE_MAX, 8110 .policy = nft_table_policy, 8111 }, 8112 [NFT_MSG_DELTABLE] = { 8113 .call = nf_tables_deltable, 8114 .type = NFNL_CB_BATCH, 8115 .attr_count = NFTA_TABLE_MAX, 8116 .policy = nft_table_policy, 8117 }, 8118 [NFT_MSG_NEWCHAIN] = { 8119 .call = nf_tables_newchain, 8120 .type = NFNL_CB_BATCH, 8121 .attr_count = NFTA_CHAIN_MAX, 8122 .policy = nft_chain_policy, 8123 }, 8124 [NFT_MSG_GETCHAIN] = { 8125 .call = nf_tables_getchain, 8126 .type = NFNL_CB_RCU, 8127 .attr_count = NFTA_CHAIN_MAX, 8128 .policy = nft_chain_policy, 8129 }, 8130 [NFT_MSG_DELCHAIN] = { 8131 .call = nf_tables_delchain, 8132 .type = NFNL_CB_BATCH, 8133 .attr_count = NFTA_CHAIN_MAX, 8134 .policy = nft_chain_policy, 8135 }, 8136 [NFT_MSG_NEWRULE] = { 8137 .call = nf_tables_newrule, 8138 .type = NFNL_CB_BATCH, 8139 .attr_count = NFTA_RULE_MAX, 8140 .policy = nft_rule_policy, 8141 }, 8142 [NFT_MSG_GETRULE] = { 8143 .call = nf_tables_getrule, 8144 .type = NFNL_CB_RCU, 8145 .attr_count = NFTA_RULE_MAX, 8146 .policy = nft_rule_policy, 8147 }, 8148 [NFT_MSG_DELRULE] = { 8149 .call = nf_tables_delrule, 8150 .type = NFNL_CB_BATCH, 8151 .attr_count = NFTA_RULE_MAX, 8152 .policy = nft_rule_policy, 8153 }, 8154 [NFT_MSG_NEWSET] = { 8155 .call = nf_tables_newset, 8156 .type = NFNL_CB_BATCH, 8157 .attr_count = NFTA_SET_MAX, 8158 .policy = nft_set_policy, 8159 }, 8160 [NFT_MSG_GETSET] = { 8161 .call = nf_tables_getset, 8162 .type = NFNL_CB_RCU, 8163 .attr_count = NFTA_SET_MAX, 8164 .policy = nft_set_policy, 8165 }, 8166 [NFT_MSG_DELSET] = { 8167 .call = nf_tables_delset, 8168 .type = NFNL_CB_BATCH, 8169 .attr_count = NFTA_SET_MAX, 8170 .policy = nft_set_policy, 8171 }, 8172 [NFT_MSG_NEWSETELEM] = { 8173 .call = nf_tables_newsetelem, 8174 .type = NFNL_CB_BATCH, 8175 .attr_count = NFTA_SET_ELEM_LIST_MAX, 8176 .policy = nft_set_elem_list_policy, 8177 }, 8178 [NFT_MSG_GETSETELEM] = { 8179 .call = nf_tables_getsetelem, 8180 .type = NFNL_CB_RCU, 8181 .attr_count = NFTA_SET_ELEM_LIST_MAX, 8182 .policy = nft_set_elem_list_policy, 8183 }, 8184 [NFT_MSG_DELSETELEM] = { 8185 .call = nf_tables_delsetelem, 8186 .type = NFNL_CB_BATCH, 8187 .attr_count = NFTA_SET_ELEM_LIST_MAX, 8188 .policy = nft_set_elem_list_policy, 8189 }, 8190 [NFT_MSG_GETGEN] = { 8191 .call = nf_tables_getgen, 8192 .type = NFNL_CB_RCU, 8193 }, 8194 [NFT_MSG_NEWOBJ] = { 8195 .call = nf_tables_newobj, 8196 .type = NFNL_CB_BATCH, 8197 .attr_count = NFTA_OBJ_MAX, 8198 .policy = nft_obj_policy, 8199 }, 8200 [NFT_MSG_GETOBJ] = { 8201 .call = nf_tables_getobj, 8202 .type = NFNL_CB_RCU, 8203 .attr_count = NFTA_OBJ_MAX, 8204 .policy = nft_obj_policy, 8205 }, 8206 [NFT_MSG_DELOBJ] = { 8207 .call = nf_tables_delobj, 8208 .type = NFNL_CB_BATCH, 8209 .attr_count = NFTA_OBJ_MAX, 8210 .policy = nft_obj_policy, 8211 }, 8212 [NFT_MSG_GETOBJ_RESET] = { 8213 .call = nf_tables_getobj, 8214 .type = NFNL_CB_RCU, 8215 .attr_count = NFTA_OBJ_MAX, 8216 .policy = nft_obj_policy, 8217 }, 8218 [NFT_MSG_NEWFLOWTABLE] = { 8219 .call = nf_tables_newflowtable, 8220 .type = NFNL_CB_BATCH, 8221 .attr_count = NFTA_FLOWTABLE_MAX, 8222 .policy = nft_flowtable_policy, 8223 }, 8224 [NFT_MSG_GETFLOWTABLE] = { 8225 .call = nf_tables_getflowtable, 8226 .type = NFNL_CB_RCU, 8227 .attr_count = NFTA_FLOWTABLE_MAX, 8228 .policy = nft_flowtable_policy, 8229 }, 8230 [NFT_MSG_DELFLOWTABLE] = { 8231 .call = nf_tables_delflowtable, 8232 .type = NFNL_CB_BATCH, 8233 .attr_count = NFTA_FLOWTABLE_MAX, 8234 .policy = nft_flowtable_policy, 8235 }, 8236}; 8237 8238static int nf_tables_validate(struct net *net) 8239{ 8240 struct nftables_pernet *nft_net = nft_pernet(net); 8241 struct nft_table *table; 8242 8243 switch (nft_net->validate_state) { 8244 case NFT_VALIDATE_SKIP: 8245 break; 8246 case NFT_VALIDATE_NEED: 8247 nft_validate_state_update(net, NFT_VALIDATE_DO); 8248 fallthrough; 8249 case NFT_VALIDATE_DO: 8250 list_for_each_entry(table, &nft_net->tables, list) { 8251 if (nft_table_validate(net, table) < 0) 8252 return -EAGAIN; 8253 } 8254 break; 8255 } 8256 8257 return 0; 8258} 8259 8260/* a drop policy has to be deferred until all rules have been activated, 8261 * otherwise a large ruleset that contains a drop-policy base chain will 8262 * cause all packets to get dropped until the full transaction has been 8263 * processed. 8264 * 8265 * We defer the drop policy until the transaction has been finalized. 8266 */ 8267static void nft_chain_commit_drop_policy(struct nft_trans *trans) 8268{ 8269 struct nft_base_chain *basechain; 8270 8271 if (nft_trans_chain_policy(trans) != NF_DROP) 8272 return; 8273 8274 if (!nft_is_base_chain(trans->ctx.chain)) 8275 return; 8276 8277 basechain = nft_base_chain(trans->ctx.chain); 8278 basechain->policy = NF_DROP; 8279} 8280 8281static void nft_chain_commit_update(struct nft_trans *trans) 8282{ 8283 struct nft_base_chain *basechain; 8284 8285 if (nft_trans_chain_name(trans)) { 8286 rhltable_remove(&trans->ctx.table->chains_ht, 8287 &trans->ctx.chain->rhlhead, 8288 nft_chain_ht_params); 8289 swap(trans->ctx.chain->name, nft_trans_chain_name(trans)); 8290 rhltable_insert_key(&trans->ctx.table->chains_ht, 8291 trans->ctx.chain->name, 8292 &trans->ctx.chain->rhlhead, 8293 nft_chain_ht_params); 8294 } 8295 8296 if (!nft_is_base_chain(trans->ctx.chain)) 8297 return; 8298 8299 nft_chain_stats_replace(trans); 8300 8301 basechain = nft_base_chain(trans->ctx.chain); 8302 8303 switch (nft_trans_chain_policy(trans)) { 8304 case NF_DROP: 8305 case NF_ACCEPT: 8306 basechain->policy = nft_trans_chain_policy(trans); 8307 break; 8308 } 8309} 8310 8311static void nft_obj_commit_update(struct nft_trans *trans) 8312{ 8313 struct nft_object *newobj; 8314 struct nft_object *obj; 8315 8316 obj = nft_trans_obj(trans); 8317 newobj = nft_trans_obj_newobj(trans); 8318 8319 if (obj->ops->update) 8320 obj->ops->update(obj, newobj); 8321 8322 nft_obj_destroy(&trans->ctx, newobj); 8323} 8324 8325static void nft_commit_release(struct nft_trans *trans) 8326{ 8327 switch (trans->msg_type) { 8328 case NFT_MSG_DELTABLE: 8329 nf_tables_table_destroy(&trans->ctx); 8330 break; 8331 case NFT_MSG_NEWCHAIN: 8332 free_percpu(nft_trans_chain_stats(trans)); 8333 kfree(nft_trans_chain_name(trans)); 8334 break; 8335 case NFT_MSG_DELCHAIN: 8336 nf_tables_chain_destroy(&trans->ctx); 8337 break; 8338 case NFT_MSG_DELRULE: 8339 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) 8340 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 8341 8342 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); 8343 break; 8344 case NFT_MSG_DELSET: 8345 nft_set_destroy(&trans->ctx, nft_trans_set(trans)); 8346 break; 8347 case NFT_MSG_DELSETELEM: 8348 nf_tables_set_elem_destroy(&trans->ctx, 8349 nft_trans_elem_set(trans), 8350 nft_trans_elem(trans).priv); 8351 break; 8352 case NFT_MSG_DELOBJ: 8353 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans)); 8354 break; 8355 case NFT_MSG_DELFLOWTABLE: 8356 if (nft_trans_flowtable_update(trans)) 8357 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans)); 8358 else 8359 nf_tables_flowtable_destroy(nft_trans_flowtable(trans)); 8360 break; 8361 } 8362 8363 if (trans->put_net) 8364 put_net(trans->ctx.net); 8365 8366 kfree(trans); 8367} 8368 8369static void nf_tables_trans_destroy_work(struct work_struct *w) 8370{ 8371 struct nft_trans *trans, *next; 8372 LIST_HEAD(head); 8373 8374 spin_lock(&nf_tables_destroy_list_lock); 8375 list_splice_init(&nf_tables_destroy_list, &head); 8376 spin_unlock(&nf_tables_destroy_list_lock); 8377 8378 if (list_empty(&head)) 8379 return; 8380 8381 synchronize_rcu(); 8382 8383 list_for_each_entry_safe(trans, next, &head, list) { 8384 list_del(&trans->list); 8385 nft_commit_release(trans); 8386 } 8387} 8388 8389void nf_tables_trans_destroy_flush_work(void) 8390{ 8391 flush_work(&trans_destroy_work); 8392} 8393EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work); 8394 8395static bool nft_expr_reduce(struct nft_regs_track *track, 8396 const struct nft_expr *expr) 8397{ 8398 return false; 8399} 8400 8401static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain) 8402{ 8403 const struct nft_expr *expr, *last; 8404 struct nft_regs_track track = {}; 8405 unsigned int size, data_size; 8406 void *data, *data_boundary; 8407 struct nft_rule_dp *prule; 8408 struct nft_rule *rule; 8409 8410 /* already handled or inactive chain? */ 8411 if (chain->blob_next || !nft_is_active_next(net, chain)) 8412 return 0; 8413 8414 data_size = 0; 8415 list_for_each_entry(rule, &chain->rules, list) { 8416 if (nft_is_active_next(net, rule)) { 8417 data_size += sizeof(*prule) + rule->dlen; 8418 if (data_size > INT_MAX) 8419 return -ENOMEM; 8420 } 8421 } 8422 data_size += offsetof(struct nft_rule_dp, data); /* last rule */ 8423 8424 chain->blob_next = nf_tables_chain_alloc_rules(data_size); 8425 if (!chain->blob_next) 8426 return -ENOMEM; 8427 8428 data = (void *)chain->blob_next->data; 8429 data_boundary = data + data_size; 8430 size = 0; 8431 8432 list_for_each_entry(rule, &chain->rules, list) { 8433 if (!nft_is_active_next(net, rule)) 8434 continue; 8435 8436 prule = (struct nft_rule_dp *)data; 8437 data += offsetof(struct nft_rule_dp, data); 8438 if (WARN_ON_ONCE(data > data_boundary)) 8439 return -ENOMEM; 8440 8441 size = 0; 8442 track.last = nft_expr_last(rule); 8443 nft_rule_for_each_expr(expr, last, rule) { 8444 track.cur = expr; 8445 8446 if (nft_expr_reduce(&track, expr)) { 8447 expr = track.cur; 8448 continue; 8449 } 8450 8451 if (WARN_ON_ONCE(data + expr->ops->size > data_boundary)) 8452 return -ENOMEM; 8453 8454 memcpy(data + size, expr, expr->ops->size); 8455 size += expr->ops->size; 8456 } 8457 if (WARN_ON_ONCE(size >= 1 << 12)) 8458 return -ENOMEM; 8459 8460 prule->handle = rule->handle; 8461 prule->dlen = size; 8462 prule->is_last = 0; 8463 8464 data += size; 8465 size = 0; 8466 chain->blob_next->size += (unsigned long)(data - (void *)prule); 8467 } 8468 8469 prule = (struct nft_rule_dp *)data; 8470 data += offsetof(struct nft_rule_dp, data); 8471 if (WARN_ON_ONCE(data > data_boundary)) 8472 return -ENOMEM; 8473 8474 nft_last_rule(chain->blob_next, prule); 8475 8476 return 0; 8477} 8478 8479static void nf_tables_commit_chain_prepare_cancel(struct net *net) 8480{ 8481 struct nftables_pernet *nft_net = nft_pernet(net); 8482 struct nft_trans *trans, *next; 8483 8484 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 8485 struct nft_chain *chain = trans->ctx.chain; 8486 8487 if (trans->msg_type == NFT_MSG_NEWRULE || 8488 trans->msg_type == NFT_MSG_DELRULE) { 8489 kvfree(chain->blob_next); 8490 chain->blob_next = NULL; 8491 } 8492 } 8493} 8494 8495static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h) 8496{ 8497 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h); 8498 8499 kvfree(o->blob); 8500} 8501 8502static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob) 8503{ 8504 struct nft_rules_old *old; 8505 8506 /* rcu_head is after end marker */ 8507 old = (void *)blob + sizeof(*blob) + blob->size; 8508 old->blob = blob; 8509 8510 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old); 8511} 8512 8513static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain) 8514{ 8515 struct nft_rule_blob *g0, *g1; 8516 bool next_genbit; 8517 8518 next_genbit = nft_gencursor_next(net); 8519 8520 g0 = rcu_dereference_protected(chain->blob_gen_0, 8521 lockdep_commit_lock_is_held(net)); 8522 g1 = rcu_dereference_protected(chain->blob_gen_1, 8523 lockdep_commit_lock_is_held(net)); 8524 8525 /* No changes to this chain? */ 8526 if (chain->blob_next == NULL) { 8527 /* chain had no change in last or next generation */ 8528 if (g0 == g1) 8529 return; 8530 /* 8531 * chain had no change in this generation; make sure next 8532 * one uses same rules as current generation. 8533 */ 8534 if (next_genbit) { 8535 rcu_assign_pointer(chain->blob_gen_1, g0); 8536 nf_tables_commit_chain_free_rules_old(g1); 8537 } else { 8538 rcu_assign_pointer(chain->blob_gen_0, g1); 8539 nf_tables_commit_chain_free_rules_old(g0); 8540 } 8541 8542 return; 8543 } 8544 8545 if (next_genbit) 8546 rcu_assign_pointer(chain->blob_gen_1, chain->blob_next); 8547 else 8548 rcu_assign_pointer(chain->blob_gen_0, chain->blob_next); 8549 8550 chain->blob_next = NULL; 8551 8552 if (g0 == g1) 8553 return; 8554 8555 if (next_genbit) 8556 nf_tables_commit_chain_free_rules_old(g1); 8557 else 8558 nf_tables_commit_chain_free_rules_old(g0); 8559} 8560 8561static void nft_obj_del(struct nft_object *obj) 8562{ 8563 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params); 8564 list_del_rcu(&obj->list); 8565} 8566 8567void nft_chain_del(struct nft_chain *chain) 8568{ 8569 struct nft_table *table = chain->table; 8570 8571 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead, 8572 nft_chain_ht_params)); 8573 list_del_rcu(&chain->list); 8574} 8575 8576static void nf_tables_module_autoload_cleanup(struct net *net) 8577{ 8578 struct nftables_pernet *nft_net = nft_pernet(net); 8579 struct nft_module_request *req, *next; 8580 8581 WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); 8582 list_for_each_entry_safe(req, next, &nft_net->module_list, list) { 8583 WARN_ON_ONCE(!req->done); 8584 list_del(&req->list); 8585 kfree(req); 8586 } 8587} 8588 8589static void nf_tables_commit_release(struct net *net) 8590{ 8591 struct nftables_pernet *nft_net = nft_pernet(net); 8592 struct nft_trans *trans; 8593 8594 /* all side effects have to be made visible. 8595 * For example, if a chain named 'foo' has been deleted, a 8596 * new transaction must not find it anymore. 8597 * 8598 * Memory reclaim happens asynchronously from work queue 8599 * to prevent expensive synchronize_rcu() in commit phase. 8600 */ 8601 if (list_empty(&nft_net->commit_list)) { 8602 nf_tables_module_autoload_cleanup(net); 8603 mutex_unlock(&nft_net->commit_mutex); 8604 return; 8605 } 8606 8607 trans = list_last_entry(&nft_net->commit_list, 8608 struct nft_trans, list); 8609 get_net(trans->ctx.net); 8610 WARN_ON_ONCE(trans->put_net); 8611 8612 trans->put_net = true; 8613 spin_lock(&nf_tables_destroy_list_lock); 8614 list_splice_tail_init(&nft_net->commit_list, &nf_tables_destroy_list); 8615 spin_unlock(&nf_tables_destroy_list_lock); 8616 8617 nf_tables_module_autoload_cleanup(net); 8618 schedule_work(&trans_destroy_work); 8619 8620 mutex_unlock(&nft_net->commit_mutex); 8621} 8622 8623static void nft_commit_notify(struct net *net, u32 portid) 8624{ 8625 struct nftables_pernet *nft_net = nft_pernet(net); 8626 struct sk_buff *batch_skb = NULL, *nskb, *skb; 8627 unsigned char *data; 8628 int len; 8629 8630 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) { 8631 if (!batch_skb) { 8632new_batch: 8633 batch_skb = skb; 8634 len = NLMSG_GOODSIZE - skb->len; 8635 list_del(&skb->list); 8636 continue; 8637 } 8638 len -= skb->len; 8639 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) { 8640 data = skb_put(batch_skb, skb->len); 8641 memcpy(data, skb->data, skb->len); 8642 list_del(&skb->list); 8643 kfree_skb(skb); 8644 continue; 8645 } 8646 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES, 8647 NFT_CB(batch_skb).report, GFP_KERNEL); 8648 goto new_batch; 8649 } 8650 8651 if (batch_skb) { 8652 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES, 8653 NFT_CB(batch_skb).report, GFP_KERNEL); 8654 } 8655 8656 WARN_ON_ONCE(!list_empty(&nft_net->notify_list)); 8657} 8658 8659static int nf_tables_commit_audit_alloc(struct list_head *adl, 8660 struct nft_table *table) 8661{ 8662 struct nft_audit_data *adp; 8663 8664 list_for_each_entry(adp, adl, list) { 8665 if (adp->table == table) 8666 return 0; 8667 } 8668 adp = kzalloc(sizeof(*adp), GFP_KERNEL); 8669 if (!adp) 8670 return -ENOMEM; 8671 adp->table = table; 8672 list_add(&adp->list, adl); 8673 return 0; 8674} 8675 8676static void nf_tables_commit_audit_free(struct list_head *adl) 8677{ 8678 struct nft_audit_data *adp, *adn; 8679 8680 list_for_each_entry_safe(adp, adn, adl, list) { 8681 list_del(&adp->list); 8682 kfree(adp); 8683 } 8684} 8685 8686static void nf_tables_commit_audit_collect(struct list_head *adl, 8687 struct nft_table *table, u32 op) 8688{ 8689 struct nft_audit_data *adp; 8690 8691 list_for_each_entry(adp, adl, list) { 8692 if (adp->table == table) 8693 goto found; 8694 } 8695 WARN_ONCE(1, "table=%s not expected in commit list", table->name); 8696 return; 8697found: 8698 adp->entries++; 8699 if (!adp->op || adp->op > op) 8700 adp->op = op; 8701} 8702 8703#define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22) 8704 8705static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation) 8706{ 8707 struct nft_audit_data *adp, *adn; 8708 char aubuf[AUNFTABLENAMELEN]; 8709 8710 list_for_each_entry_safe(adp, adn, adl, list) { 8711 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name, 8712 generation); 8713 audit_log_nfcfg(aubuf, adp->table->family, adp->entries, 8714 nft2audit_op[adp->op], GFP_KERNEL); 8715 list_del(&adp->list); 8716 kfree(adp); 8717 } 8718} 8719 8720static int nf_tables_commit(struct net *net, struct sk_buff *skb) 8721{ 8722 struct nftables_pernet *nft_net = nft_pernet(net); 8723 struct nft_trans *trans, *next; 8724 struct nft_trans_elem *te; 8725 struct nft_chain *chain; 8726 struct nft_table *table; 8727 LIST_HEAD(adl); 8728 int err; 8729 8730 if (list_empty(&nft_net->commit_list)) { 8731 mutex_unlock(&nft_net->commit_mutex); 8732 return 0; 8733 } 8734 8735 /* 0. Validate ruleset, otherwise roll back for error reporting. */ 8736 if (nf_tables_validate(net) < 0) 8737 return -EAGAIN; 8738 8739 err = nft_flow_rule_offload_commit(net); 8740 if (err < 0) 8741 return err; 8742 8743 /* 1. Allocate space for next generation rules_gen_X[] */ 8744 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 8745 int ret; 8746 8747 ret = nf_tables_commit_audit_alloc(&adl, trans->ctx.table); 8748 if (ret) { 8749 nf_tables_commit_chain_prepare_cancel(net); 8750 nf_tables_commit_audit_free(&adl); 8751 return ret; 8752 } 8753 if (trans->msg_type == NFT_MSG_NEWRULE || 8754 trans->msg_type == NFT_MSG_DELRULE) { 8755 chain = trans->ctx.chain; 8756 8757 ret = nf_tables_commit_chain_prepare(net, chain); 8758 if (ret < 0) { 8759 nf_tables_commit_chain_prepare_cancel(net); 8760 nf_tables_commit_audit_free(&adl); 8761 return ret; 8762 } 8763 } 8764 } 8765 8766 /* step 2. Make rules_gen_X visible to packet path */ 8767 list_for_each_entry(table, &nft_net->tables, list) { 8768 list_for_each_entry(chain, &table->chains, list) 8769 nf_tables_commit_chain(net, chain); 8770 } 8771 8772 /* 8773 * Bump generation counter, invalidate any dump in progress. 8774 * Cannot fail after this point. 8775 */ 8776 while (++nft_net->base_seq == 0) 8777 ; 8778 8779 /* step 3. Start new generation, rules_gen_X now in use. */ 8780 net->nft.gencursor = nft_gencursor_next(net); 8781 8782 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { 8783 nf_tables_commit_audit_collect(&adl, trans->ctx.table, 8784 trans->msg_type); 8785 switch (trans->msg_type) { 8786 case NFT_MSG_NEWTABLE: 8787 if (nft_trans_table_update(trans)) { 8788 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) { 8789 nft_trans_destroy(trans); 8790 break; 8791 } 8792 if (trans->ctx.table->flags & NFT_TABLE_F_DORMANT) 8793 nf_tables_table_disable(net, trans->ctx.table); 8794 8795 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE; 8796 } else { 8797 nft_clear(net, trans->ctx.table); 8798 } 8799 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE); 8800 nft_trans_destroy(trans); 8801 break; 8802 case NFT_MSG_DELTABLE: 8803 list_del_rcu(&trans->ctx.table->list); 8804 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE); 8805 break; 8806 case NFT_MSG_NEWCHAIN: 8807 if (nft_trans_chain_update(trans)) { 8808 nft_chain_commit_update(trans); 8809 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN); 8810 /* trans destroyed after rcu grace period */ 8811 } else { 8812 nft_chain_commit_drop_policy(trans); 8813 nft_clear(net, trans->ctx.chain); 8814 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN); 8815 nft_trans_destroy(trans); 8816 } 8817 break; 8818 case NFT_MSG_DELCHAIN: 8819 nft_chain_del(trans->ctx.chain); 8820 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN); 8821 nf_tables_unregister_hook(trans->ctx.net, 8822 trans->ctx.table, 8823 trans->ctx.chain); 8824 break; 8825 case NFT_MSG_NEWRULE: 8826 nft_clear(trans->ctx.net, nft_trans_rule(trans)); 8827 nf_tables_rule_notify(&trans->ctx, 8828 nft_trans_rule(trans), 8829 NFT_MSG_NEWRULE); 8830 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) 8831 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 8832 8833 nft_trans_destroy(trans); 8834 break; 8835 case NFT_MSG_DELRULE: 8836 list_del_rcu(&nft_trans_rule(trans)->list); 8837 nf_tables_rule_notify(&trans->ctx, 8838 nft_trans_rule(trans), 8839 NFT_MSG_DELRULE); 8840 nft_rule_expr_deactivate(&trans->ctx, 8841 nft_trans_rule(trans), 8842 NFT_TRANS_COMMIT); 8843 break; 8844 case NFT_MSG_NEWSET: 8845 nft_clear(net, nft_trans_set(trans)); 8846 /* This avoids hitting -EBUSY when deleting the table 8847 * from the transaction. 8848 */ 8849 if (nft_set_is_anonymous(nft_trans_set(trans)) && 8850 !list_empty(&nft_trans_set(trans)->bindings)) 8851 trans->ctx.table->use--; 8852 8853 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans), 8854 NFT_MSG_NEWSET, GFP_KERNEL); 8855 nft_trans_destroy(trans); 8856 break; 8857 case NFT_MSG_DELSET: 8858 list_del_rcu(&nft_trans_set(trans)->list); 8859 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans), 8860 NFT_MSG_DELSET, GFP_KERNEL); 8861 break; 8862 case NFT_MSG_NEWSETELEM: 8863 te = (struct nft_trans_elem *)trans->data; 8864 8865 nft_setelem_activate(net, te->set, &te->elem); 8866 nf_tables_setelem_notify(&trans->ctx, te->set, 8867 &te->elem, 8868 NFT_MSG_NEWSETELEM); 8869 nft_trans_destroy(trans); 8870 break; 8871 case NFT_MSG_DELSETELEM: 8872 te = (struct nft_trans_elem *)trans->data; 8873 8874 nf_tables_setelem_notify(&trans->ctx, te->set, 8875 &te->elem, 8876 NFT_MSG_DELSETELEM); 8877 nft_setelem_remove(net, te->set, &te->elem); 8878 if (!nft_setelem_is_catchall(te->set, &te->elem)) { 8879 atomic_dec(&te->set->nelems); 8880 te->set->ndeact--; 8881 } 8882 break; 8883 case NFT_MSG_NEWOBJ: 8884 if (nft_trans_obj_update(trans)) { 8885 nft_obj_commit_update(trans); 8886 nf_tables_obj_notify(&trans->ctx, 8887 nft_trans_obj(trans), 8888 NFT_MSG_NEWOBJ); 8889 } else { 8890 nft_clear(net, nft_trans_obj(trans)); 8891 nf_tables_obj_notify(&trans->ctx, 8892 nft_trans_obj(trans), 8893 NFT_MSG_NEWOBJ); 8894 nft_trans_destroy(trans); 8895 } 8896 break; 8897 case NFT_MSG_DELOBJ: 8898 nft_obj_del(nft_trans_obj(trans)); 8899 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans), 8900 NFT_MSG_DELOBJ); 8901 break; 8902 case NFT_MSG_NEWFLOWTABLE: 8903 if (nft_trans_flowtable_update(trans)) { 8904 nft_trans_flowtable(trans)->data.flags = 8905 nft_trans_flowtable_flags(trans); 8906 nf_tables_flowtable_notify(&trans->ctx, 8907 nft_trans_flowtable(trans), 8908 &nft_trans_flowtable_hooks(trans), 8909 NFT_MSG_NEWFLOWTABLE); 8910 list_splice(&nft_trans_flowtable_hooks(trans), 8911 &nft_trans_flowtable(trans)->hook_list); 8912 } else { 8913 nft_clear(net, nft_trans_flowtable(trans)); 8914 nf_tables_flowtable_notify(&trans->ctx, 8915 nft_trans_flowtable(trans), 8916 &nft_trans_flowtable(trans)->hook_list, 8917 NFT_MSG_NEWFLOWTABLE); 8918 } 8919 nft_trans_destroy(trans); 8920 break; 8921 case NFT_MSG_DELFLOWTABLE: 8922 if (nft_trans_flowtable_update(trans)) { 8923 nf_tables_flowtable_notify(&trans->ctx, 8924 nft_trans_flowtable(trans), 8925 &nft_trans_flowtable_hooks(trans), 8926 NFT_MSG_DELFLOWTABLE); 8927 nft_unregister_flowtable_net_hooks(net, 8928 &nft_trans_flowtable_hooks(trans)); 8929 } else { 8930 list_del_rcu(&nft_trans_flowtable(trans)->list); 8931 nf_tables_flowtable_notify(&trans->ctx, 8932 nft_trans_flowtable(trans), 8933 &nft_trans_flowtable(trans)->hook_list, 8934 NFT_MSG_DELFLOWTABLE); 8935 nft_unregister_flowtable_net_hooks(net, 8936 &nft_trans_flowtable(trans)->hook_list); 8937 } 8938 break; 8939 } 8940 } 8941 8942 nft_commit_notify(net, NETLINK_CB(skb).portid); 8943 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); 8944 nf_tables_commit_audit_log(&adl, nft_net->base_seq); 8945 nf_tables_commit_release(net); 8946 8947 return 0; 8948} 8949 8950static void nf_tables_module_autoload(struct net *net) 8951{ 8952 struct nftables_pernet *nft_net = nft_pernet(net); 8953 struct nft_module_request *req, *next; 8954 LIST_HEAD(module_list); 8955 8956 list_splice_init(&nft_net->module_list, &module_list); 8957 mutex_unlock(&nft_net->commit_mutex); 8958 list_for_each_entry_safe(req, next, &module_list, list) { 8959 request_module("%s", req->module); 8960 req->done = true; 8961 } 8962 mutex_lock(&nft_net->commit_mutex); 8963 list_splice(&module_list, &nft_net->module_list); 8964} 8965 8966static void nf_tables_abort_release(struct nft_trans *trans) 8967{ 8968 switch (trans->msg_type) { 8969 case NFT_MSG_NEWTABLE: 8970 nf_tables_table_destroy(&trans->ctx); 8971 break; 8972 case NFT_MSG_NEWCHAIN: 8973 nf_tables_chain_destroy(&trans->ctx); 8974 break; 8975 case NFT_MSG_NEWRULE: 8976 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); 8977 break; 8978 case NFT_MSG_NEWSET: 8979 nft_set_destroy(&trans->ctx, nft_trans_set(trans)); 8980 break; 8981 case NFT_MSG_NEWSETELEM: 8982 nft_set_elem_destroy(nft_trans_elem_set(trans), 8983 nft_trans_elem(trans).priv, true); 8984 break; 8985 case NFT_MSG_NEWOBJ: 8986 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans)); 8987 break; 8988 case NFT_MSG_NEWFLOWTABLE: 8989 if (nft_trans_flowtable_update(trans)) 8990 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans)); 8991 else 8992 nf_tables_flowtable_destroy(nft_trans_flowtable(trans)); 8993 break; 8994 } 8995 kfree(trans); 8996} 8997 8998static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) 8999{ 9000 struct nftables_pernet *nft_net = nft_pernet(net); 9001 struct nft_trans *trans, *next; 9002 struct nft_trans_elem *te; 9003 9004 if (action == NFNL_ABORT_VALIDATE && 9005 nf_tables_validate(net) < 0) 9006 return -EAGAIN; 9007 9008 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list, 9009 list) { 9010 switch (trans->msg_type) { 9011 case NFT_MSG_NEWTABLE: 9012 if (nft_trans_table_update(trans)) { 9013 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) { 9014 nft_trans_destroy(trans); 9015 break; 9016 } 9017 if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_DORMANT) { 9018 nf_tables_table_disable(net, trans->ctx.table); 9019 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT; 9020 } else if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_AWAKEN) { 9021 trans->ctx.table->flags &= ~NFT_TABLE_F_DORMANT; 9022 } 9023 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE; 9024 nft_trans_destroy(trans); 9025 } else { 9026 list_del_rcu(&trans->ctx.table->list); 9027 } 9028 break; 9029 case NFT_MSG_DELTABLE: 9030 nft_clear(trans->ctx.net, trans->ctx.table); 9031 nft_trans_destroy(trans); 9032 break; 9033 case NFT_MSG_NEWCHAIN: 9034 if (nft_trans_chain_update(trans)) { 9035 free_percpu(nft_trans_chain_stats(trans)); 9036 kfree(nft_trans_chain_name(trans)); 9037 nft_trans_destroy(trans); 9038 } else { 9039 if (nft_chain_is_bound(trans->ctx.chain)) { 9040 nft_trans_destroy(trans); 9041 break; 9042 } 9043 trans->ctx.table->use--; 9044 nft_chain_del(trans->ctx.chain); 9045 nf_tables_unregister_hook(trans->ctx.net, 9046 trans->ctx.table, 9047 trans->ctx.chain); 9048 } 9049 break; 9050 case NFT_MSG_DELCHAIN: 9051 trans->ctx.table->use++; 9052 nft_clear(trans->ctx.net, trans->ctx.chain); 9053 nft_trans_destroy(trans); 9054 break; 9055 case NFT_MSG_NEWRULE: 9056 trans->ctx.chain->use--; 9057 list_del_rcu(&nft_trans_rule(trans)->list); 9058 nft_rule_expr_deactivate(&trans->ctx, 9059 nft_trans_rule(trans), 9060 NFT_TRANS_ABORT); 9061 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) 9062 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 9063 break; 9064 case NFT_MSG_DELRULE: 9065 trans->ctx.chain->use++; 9066 nft_clear(trans->ctx.net, nft_trans_rule(trans)); 9067 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans)); 9068 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) 9069 nft_flow_rule_destroy(nft_trans_flow_rule(trans)); 9070 9071 nft_trans_destroy(trans); 9072 break; 9073 case NFT_MSG_NEWSET: 9074 trans->ctx.table->use--; 9075 if (nft_trans_set_bound(trans)) { 9076 nft_trans_destroy(trans); 9077 break; 9078 } 9079 list_del_rcu(&nft_trans_set(trans)->list); 9080 break; 9081 case NFT_MSG_DELSET: 9082 trans->ctx.table->use++; 9083 nft_clear(trans->ctx.net, nft_trans_set(trans)); 9084 nft_trans_destroy(trans); 9085 break; 9086 case NFT_MSG_NEWSETELEM: 9087 if (nft_trans_elem_set_bound(trans)) { 9088 nft_trans_destroy(trans); 9089 break; 9090 } 9091 te = (struct nft_trans_elem *)trans->data; 9092 nft_setelem_remove(net, te->set, &te->elem); 9093 if (!nft_setelem_is_catchall(te->set, &te->elem)) 9094 atomic_dec(&te->set->nelems); 9095 break; 9096 case NFT_MSG_DELSETELEM: 9097 te = (struct nft_trans_elem *)trans->data; 9098 9099 nft_setelem_data_activate(net, te->set, &te->elem); 9100 nft_setelem_activate(net, te->set, &te->elem); 9101 if (!nft_setelem_is_catchall(te->set, &te->elem)) 9102 te->set->ndeact--; 9103 9104 nft_trans_destroy(trans); 9105 break; 9106 case NFT_MSG_NEWOBJ: 9107 if (nft_trans_obj_update(trans)) { 9108 nft_obj_destroy(&trans->ctx, nft_trans_obj_newobj(trans)); 9109 nft_trans_destroy(trans); 9110 } else { 9111 trans->ctx.table->use--; 9112 nft_obj_del(nft_trans_obj(trans)); 9113 } 9114 break; 9115 case NFT_MSG_DELOBJ: 9116 trans->ctx.table->use++; 9117 nft_clear(trans->ctx.net, nft_trans_obj(trans)); 9118 nft_trans_destroy(trans); 9119 break; 9120 case NFT_MSG_NEWFLOWTABLE: 9121 if (nft_trans_flowtable_update(trans)) { 9122 nft_unregister_flowtable_net_hooks(net, 9123 &nft_trans_flowtable_hooks(trans)); 9124 } else { 9125 trans->ctx.table->use--; 9126 list_del_rcu(&nft_trans_flowtable(trans)->list); 9127 nft_unregister_flowtable_net_hooks(net, 9128 &nft_trans_flowtable(trans)->hook_list); 9129 } 9130 break; 9131 case NFT_MSG_DELFLOWTABLE: 9132 if (nft_trans_flowtable_update(trans)) { 9133 list_splice(&nft_trans_flowtable_hooks(trans), 9134 &nft_trans_flowtable(trans)->hook_list); 9135 } else { 9136 trans->ctx.table->use++; 9137 nft_clear(trans->ctx.net, nft_trans_flowtable(trans)); 9138 } 9139 nft_trans_destroy(trans); 9140 break; 9141 } 9142 } 9143 9144 synchronize_rcu(); 9145 9146 list_for_each_entry_safe_reverse(trans, next, 9147 &nft_net->commit_list, list) { 9148 list_del(&trans->list); 9149 nf_tables_abort_release(trans); 9150 } 9151 9152 if (action == NFNL_ABORT_AUTOLOAD) 9153 nf_tables_module_autoload(net); 9154 else 9155 nf_tables_module_autoload_cleanup(net); 9156 9157 return 0; 9158} 9159 9160static void nf_tables_cleanup(struct net *net) 9161{ 9162 nft_validate_state_update(net, NFT_VALIDATE_SKIP); 9163} 9164 9165static int nf_tables_abort(struct net *net, struct sk_buff *skb, 9166 enum nfnl_abort_action action) 9167{ 9168 struct nftables_pernet *nft_net = nft_pernet(net); 9169 int ret = __nf_tables_abort(net, action); 9170 9171 mutex_unlock(&nft_net->commit_mutex); 9172 9173 return ret; 9174} 9175 9176static bool nf_tables_valid_genid(struct net *net, u32 genid) 9177{ 9178 struct nftables_pernet *nft_net = nft_pernet(net); 9179 bool genid_ok; 9180 9181 mutex_lock(&nft_net->commit_mutex); 9182 9183 genid_ok = genid == 0 || nft_net->base_seq == genid; 9184 if (!genid_ok) 9185 mutex_unlock(&nft_net->commit_mutex); 9186 9187 /* else, commit mutex has to be released by commit or abort function */ 9188 return genid_ok; 9189} 9190 9191static const struct nfnetlink_subsystem nf_tables_subsys = { 9192 .name = "nf_tables", 9193 .subsys_id = NFNL_SUBSYS_NFTABLES, 9194 .cb_count = NFT_MSG_MAX, 9195 .cb = nf_tables_cb, 9196 .commit = nf_tables_commit, 9197 .abort = nf_tables_abort, 9198 .cleanup = nf_tables_cleanup, 9199 .valid_genid = nf_tables_valid_genid, 9200 .owner = THIS_MODULE, 9201}; 9202 9203int nft_chain_validate_dependency(const struct nft_chain *chain, 9204 enum nft_chain_types type) 9205{ 9206 const struct nft_base_chain *basechain; 9207 9208 if (nft_is_base_chain(chain)) { 9209 basechain = nft_base_chain(chain); 9210 if (basechain->type->type != type) 9211 return -EOPNOTSUPP; 9212 } 9213 return 0; 9214} 9215EXPORT_SYMBOL_GPL(nft_chain_validate_dependency); 9216 9217int nft_chain_validate_hooks(const struct nft_chain *chain, 9218 unsigned int hook_flags) 9219{ 9220 struct nft_base_chain *basechain; 9221 9222 if (nft_is_base_chain(chain)) { 9223 basechain = nft_base_chain(chain); 9224 9225 if ((1 << basechain->ops.hooknum) & hook_flags) 9226 return 0; 9227 9228 return -EOPNOTSUPP; 9229 } 9230 9231 return 0; 9232} 9233EXPORT_SYMBOL_GPL(nft_chain_validate_hooks); 9234 9235/* 9236 * Loop detection - walk through the ruleset beginning at the destination chain 9237 * of a new jump until either the source chain is reached (loop) or all 9238 * reachable chains have been traversed. 9239 * 9240 * The loop check is performed whenever a new jump verdict is added to an 9241 * expression or verdict map or a verdict map is bound to a new chain. 9242 */ 9243 9244static int nf_tables_check_loops(const struct nft_ctx *ctx, 9245 const struct nft_chain *chain); 9246 9247static int nft_check_loops(const struct nft_ctx *ctx, 9248 const struct nft_set_ext *ext) 9249{ 9250 const struct nft_data *data; 9251 int ret; 9252 9253 data = nft_set_ext_data(ext); 9254 switch (data->verdict.code) { 9255 case NFT_JUMP: 9256 case NFT_GOTO: 9257 ret = nf_tables_check_loops(ctx, data->verdict.chain); 9258 break; 9259 default: 9260 ret = 0; 9261 break; 9262 } 9263 9264 return ret; 9265} 9266 9267static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx, 9268 struct nft_set *set, 9269 const struct nft_set_iter *iter, 9270 struct nft_set_elem *elem) 9271{ 9272 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 9273 9274 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 9275 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) 9276 return 0; 9277 9278 return nft_check_loops(ctx, ext); 9279} 9280 9281static int nft_set_catchall_loops(const struct nft_ctx *ctx, 9282 struct nft_set *set) 9283{ 9284 u8 genmask = nft_genmask_next(ctx->net); 9285 struct nft_set_elem_catchall *catchall; 9286 struct nft_set_ext *ext; 9287 int ret = 0; 9288 9289 list_for_each_entry_rcu(catchall, &set->catchall_list, list) { 9290 ext = nft_set_elem_ext(set, catchall->elem); 9291 if (!nft_set_elem_active(ext, genmask)) 9292 continue; 9293 9294 ret = nft_check_loops(ctx, ext); 9295 if (ret < 0) 9296 return ret; 9297 } 9298 9299 return ret; 9300} 9301 9302static int nf_tables_check_loops(const struct nft_ctx *ctx, 9303 const struct nft_chain *chain) 9304{ 9305 const struct nft_rule *rule; 9306 const struct nft_expr *expr, *last; 9307 struct nft_set *set; 9308 struct nft_set_binding *binding; 9309 struct nft_set_iter iter; 9310 9311 if (ctx->chain == chain) 9312 return -ELOOP; 9313 9314 list_for_each_entry(rule, &chain->rules, list) { 9315 nft_rule_for_each_expr(expr, last, rule) { 9316 struct nft_immediate_expr *priv; 9317 const struct nft_data *data; 9318 int err; 9319 9320 if (strcmp(expr->ops->type->name, "immediate")) 9321 continue; 9322 9323 priv = nft_expr_priv(expr); 9324 if (priv->dreg != NFT_REG_VERDICT) 9325 continue; 9326 9327 data = &priv->data; 9328 switch (data->verdict.code) { 9329 case NFT_JUMP: 9330 case NFT_GOTO: 9331 err = nf_tables_check_loops(ctx, 9332 data->verdict.chain); 9333 if (err < 0) 9334 return err; 9335 break; 9336 default: 9337 break; 9338 } 9339 } 9340 } 9341 9342 list_for_each_entry(set, &ctx->table->sets, list) { 9343 if (!nft_is_active_next(ctx->net, set)) 9344 continue; 9345 if (!(set->flags & NFT_SET_MAP) || 9346 set->dtype != NFT_DATA_VERDICT) 9347 continue; 9348 9349 list_for_each_entry(binding, &set->bindings, list) { 9350 if (!(binding->flags & NFT_SET_MAP) || 9351 binding->chain != chain) 9352 continue; 9353 9354 iter.genmask = nft_genmask_next(ctx->net); 9355 iter.skip = 0; 9356 iter.count = 0; 9357 iter.err = 0; 9358 iter.fn = nf_tables_loop_check_setelem; 9359 9360 set->ops->walk(ctx, set, &iter); 9361 if (!iter.err) 9362 iter.err = nft_set_catchall_loops(ctx, set); 9363 9364 if (iter.err < 0) 9365 return iter.err; 9366 } 9367 } 9368 9369 return 0; 9370} 9371 9372/** 9373 * nft_parse_u32_check - fetch u32 attribute and check for maximum value 9374 * 9375 * @attr: netlink attribute to fetch value from 9376 * @max: maximum value to be stored in dest 9377 * @dest: pointer to the variable 9378 * 9379 * Parse, check and store a given u32 netlink attribute into variable. 9380 * This function returns -ERANGE if the value goes over maximum value. 9381 * Otherwise a 0 is returned and the attribute value is stored in the 9382 * destination variable. 9383 */ 9384int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest) 9385{ 9386 u32 val; 9387 9388 val = ntohl(nla_get_be32(attr)); 9389 if (val > max) 9390 return -ERANGE; 9391 9392 *dest = val; 9393 return 0; 9394} 9395EXPORT_SYMBOL_GPL(nft_parse_u32_check); 9396 9397static int nft_parse_register(const struct nlattr *attr, u32 *preg) 9398{ 9399 unsigned int reg; 9400 9401 reg = ntohl(nla_get_be32(attr)); 9402 switch (reg) { 9403 case NFT_REG_VERDICT...NFT_REG_4: 9404 *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE; 9405 break; 9406 case NFT_REG32_00...NFT_REG32_15: 9407 *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00; 9408 break; 9409 default: 9410 return -ERANGE; 9411 } 9412 9413 return 0; 9414} 9415 9416/** 9417 * nft_dump_register - dump a register value to a netlink attribute 9418 * 9419 * @skb: socket buffer 9420 * @attr: attribute number 9421 * @reg: register number 9422 * 9423 * Construct a netlink attribute containing the register number. For 9424 * compatibility reasons, register numbers being a multiple of 4 are 9425 * translated to the corresponding 128 bit register numbers. 9426 */ 9427int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg) 9428{ 9429 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0) 9430 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE); 9431 else 9432 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00; 9433 9434 return nla_put_be32(skb, attr, htonl(reg)); 9435} 9436EXPORT_SYMBOL_GPL(nft_dump_register); 9437 9438static int nft_validate_register_load(enum nft_registers reg, unsigned int len) 9439{ 9440 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) 9441 return -EINVAL; 9442 if (len == 0) 9443 return -EINVAL; 9444 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data)) 9445 return -ERANGE; 9446 9447 return 0; 9448} 9449 9450int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len) 9451{ 9452 u32 reg; 9453 int err; 9454 9455 err = nft_parse_register(attr, ®); 9456 if (err < 0) 9457 return err; 9458 9459 err = nft_validate_register_load(reg, len); 9460 if (err < 0) 9461 return err; 9462 9463 *sreg = reg; 9464 return 0; 9465} 9466EXPORT_SYMBOL_GPL(nft_parse_register_load); 9467 9468static int nft_validate_register_store(const struct nft_ctx *ctx, 9469 enum nft_registers reg, 9470 const struct nft_data *data, 9471 enum nft_data_types type, 9472 unsigned int len) 9473{ 9474 int err; 9475 9476 switch (reg) { 9477 case NFT_REG_VERDICT: 9478 if (type != NFT_DATA_VERDICT) 9479 return -EINVAL; 9480 9481 if (data != NULL && 9482 (data->verdict.code == NFT_GOTO || 9483 data->verdict.code == NFT_JUMP)) { 9484 err = nf_tables_check_loops(ctx, data->verdict.chain); 9485 if (err < 0) 9486 return err; 9487 } 9488 9489 return 0; 9490 default: 9491 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) 9492 return -EINVAL; 9493 if (len == 0) 9494 return -EINVAL; 9495 if (reg * NFT_REG32_SIZE + len > 9496 sizeof_field(struct nft_regs, data)) 9497 return -ERANGE; 9498 9499 if (data != NULL && type != NFT_DATA_VALUE) 9500 return -EINVAL; 9501 return 0; 9502 } 9503} 9504 9505int nft_parse_register_store(const struct nft_ctx *ctx, 9506 const struct nlattr *attr, u8 *dreg, 9507 const struct nft_data *data, 9508 enum nft_data_types type, unsigned int len) 9509{ 9510 int err; 9511 u32 reg; 9512 9513 err = nft_parse_register(attr, ®); 9514 if (err < 0) 9515 return err; 9516 9517 err = nft_validate_register_store(ctx, reg, data, type, len); 9518 if (err < 0) 9519 return err; 9520 9521 *dreg = reg; 9522 return 0; 9523} 9524EXPORT_SYMBOL_GPL(nft_parse_register_store); 9525 9526static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = { 9527 [NFTA_VERDICT_CODE] = { .type = NLA_U32 }, 9528 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING, 9529 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 9530 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 }, 9531}; 9532 9533static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, 9534 struct nft_data_desc *desc, const struct nlattr *nla) 9535{ 9536 u8 genmask = nft_genmask_next(ctx->net); 9537 struct nlattr *tb[NFTA_VERDICT_MAX + 1]; 9538 struct nft_chain *chain; 9539 int err; 9540 9541 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla, 9542 nft_verdict_policy, NULL); 9543 if (err < 0) 9544 return err; 9545 9546 if (!tb[NFTA_VERDICT_CODE]) 9547 return -EINVAL; 9548 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE])); 9549 9550 switch (data->verdict.code) { 9551 default: 9552 switch (data->verdict.code & NF_VERDICT_MASK) { 9553 case NF_ACCEPT: 9554 case NF_DROP: 9555 case NF_QUEUE: 9556 break; 9557 default: 9558 return -EINVAL; 9559 } 9560 fallthrough; 9561 case NFT_CONTINUE: 9562 case NFT_BREAK: 9563 case NFT_RETURN: 9564 break; 9565 case NFT_JUMP: 9566 case NFT_GOTO: 9567 if (tb[NFTA_VERDICT_CHAIN]) { 9568 chain = nft_chain_lookup(ctx->net, ctx->table, 9569 tb[NFTA_VERDICT_CHAIN], 9570 genmask); 9571 } else if (tb[NFTA_VERDICT_CHAIN_ID]) { 9572 chain = nft_chain_lookup_byid(ctx->net, 9573 tb[NFTA_VERDICT_CHAIN_ID]); 9574 if (IS_ERR(chain)) 9575 return PTR_ERR(chain); 9576 } else { 9577 return -EINVAL; 9578 } 9579 9580 if (IS_ERR(chain)) 9581 return PTR_ERR(chain); 9582 if (nft_is_base_chain(chain)) 9583 return -EOPNOTSUPP; 9584 9585 chain->use++; 9586 data->verdict.chain = chain; 9587 break; 9588 } 9589 9590 desc->len = sizeof(data->verdict); 9591 desc->type = NFT_DATA_VERDICT; 9592 return 0; 9593} 9594 9595static void nft_verdict_uninit(const struct nft_data *data) 9596{ 9597 struct nft_chain *chain; 9598 struct nft_rule *rule; 9599 9600 switch (data->verdict.code) { 9601 case NFT_JUMP: 9602 case NFT_GOTO: 9603 chain = data->verdict.chain; 9604 chain->use--; 9605 9606 if (!nft_chain_is_bound(chain)) 9607 break; 9608 9609 chain->table->use--; 9610 list_for_each_entry(rule, &chain->rules, list) 9611 chain->use--; 9612 9613 nft_chain_del(chain); 9614 break; 9615 } 9616} 9617 9618int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v) 9619{ 9620 struct nlattr *nest; 9621 9622 nest = nla_nest_start_noflag(skb, type); 9623 if (!nest) 9624 goto nla_put_failure; 9625 9626 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code))) 9627 goto nla_put_failure; 9628 9629 switch (v->code) { 9630 case NFT_JUMP: 9631 case NFT_GOTO: 9632 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, 9633 v->chain->name)) 9634 goto nla_put_failure; 9635 } 9636 nla_nest_end(skb, nest); 9637 return 0; 9638 9639nla_put_failure: 9640 return -1; 9641} 9642 9643static int nft_value_init(const struct nft_ctx *ctx, 9644 struct nft_data *data, unsigned int size, 9645 struct nft_data_desc *desc, const struct nlattr *nla) 9646{ 9647 unsigned int len; 9648 9649 len = nla_len(nla); 9650 if (len == 0) 9651 return -EINVAL; 9652 if (len > size) 9653 return -EOVERFLOW; 9654 9655 nla_memcpy(data->data, nla, len); 9656 desc->type = NFT_DATA_VALUE; 9657 desc->len = len; 9658 return 0; 9659} 9660 9661static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data, 9662 unsigned int len) 9663{ 9664 return nla_put(skb, NFTA_DATA_VALUE, len, data->data); 9665} 9666 9667static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = { 9668 [NFTA_DATA_VALUE] = { .type = NLA_BINARY }, 9669 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED }, 9670}; 9671 9672/** 9673 * nft_data_init - parse nf_tables data netlink attributes 9674 * 9675 * @ctx: context of the expression using the data 9676 * @data: destination struct nft_data 9677 * @size: maximum data length 9678 * @desc: data description 9679 * @nla: netlink attribute containing data 9680 * 9681 * Parse the netlink data attributes and initialize a struct nft_data. 9682 * The type and length of data are returned in the data description. 9683 * 9684 * The caller can indicate that it only wants to accept data of type 9685 * NFT_DATA_VALUE by passing NULL for the ctx argument. 9686 */ 9687int nft_data_init(const struct nft_ctx *ctx, 9688 struct nft_data *data, unsigned int size, 9689 struct nft_data_desc *desc, const struct nlattr *nla) 9690{ 9691 struct nlattr *tb[NFTA_DATA_MAX + 1]; 9692 int err; 9693 9694 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla, 9695 nft_data_policy, NULL); 9696 if (err < 0) 9697 return err; 9698 9699 if (tb[NFTA_DATA_VALUE]) 9700 return nft_value_init(ctx, data, size, desc, 9701 tb[NFTA_DATA_VALUE]); 9702 if (tb[NFTA_DATA_VERDICT] && ctx != NULL) 9703 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]); 9704 return -EINVAL; 9705} 9706EXPORT_SYMBOL_GPL(nft_data_init); 9707 9708/** 9709 * nft_data_release - release a nft_data item 9710 * 9711 * @data: struct nft_data to release 9712 * @type: type of data 9713 * 9714 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded, 9715 * all others need to be released by calling this function. 9716 */ 9717void nft_data_release(const struct nft_data *data, enum nft_data_types type) 9718{ 9719 if (type < NFT_DATA_VERDICT) 9720 return; 9721 switch (type) { 9722 case NFT_DATA_VERDICT: 9723 return nft_verdict_uninit(data); 9724 default: 9725 WARN_ON(1); 9726 } 9727} 9728EXPORT_SYMBOL_GPL(nft_data_release); 9729 9730int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data, 9731 enum nft_data_types type, unsigned int len) 9732{ 9733 struct nlattr *nest; 9734 int err; 9735 9736 nest = nla_nest_start_noflag(skb, attr); 9737 if (nest == NULL) 9738 return -1; 9739 9740 switch (type) { 9741 case NFT_DATA_VALUE: 9742 err = nft_value_dump(skb, data, len); 9743 break; 9744 case NFT_DATA_VERDICT: 9745 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict); 9746 break; 9747 default: 9748 err = -EINVAL; 9749 WARN_ON(1); 9750 } 9751 9752 nla_nest_end(skb, nest); 9753 return err; 9754} 9755EXPORT_SYMBOL_GPL(nft_data_dump); 9756 9757int __nft_release_basechain(struct nft_ctx *ctx) 9758{ 9759 struct nft_rule *rule, *nr; 9760 9761 if (WARN_ON(!nft_is_base_chain(ctx->chain))) 9762 return 0; 9763 9764 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain); 9765 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) { 9766 list_del(&rule->list); 9767 ctx->chain->use--; 9768 nf_tables_rule_release(ctx, rule); 9769 } 9770 nft_chain_del(ctx->chain); 9771 ctx->table->use--; 9772 nf_tables_chain_destroy(ctx); 9773 9774 return 0; 9775} 9776EXPORT_SYMBOL_GPL(__nft_release_basechain); 9777 9778static void __nft_release_hook(struct net *net, struct nft_table *table) 9779{ 9780 struct nft_flowtable *flowtable; 9781 struct nft_chain *chain; 9782 9783 list_for_each_entry(chain, &table->chains, list) 9784 __nf_tables_unregister_hook(net, table, chain, true); 9785 list_for_each_entry(flowtable, &table->flowtables, list) 9786 __nft_unregister_flowtable_net_hooks(net, &flowtable->hook_list, 9787 true); 9788} 9789 9790static void __nft_release_hooks(struct net *net) 9791{ 9792 struct nftables_pernet *nft_net = nft_pernet(net); 9793 struct nft_table *table; 9794 9795 list_for_each_entry(table, &nft_net->tables, list) { 9796 if (nft_table_has_owner(table)) 9797 continue; 9798 9799 __nft_release_hook(net, table); 9800 } 9801} 9802 9803static void __nft_release_table(struct net *net, struct nft_table *table) 9804{ 9805 struct nft_flowtable *flowtable, *nf; 9806 struct nft_chain *chain, *nc; 9807 struct nft_object *obj, *ne; 9808 struct nft_rule *rule, *nr; 9809 struct nft_set *set, *ns; 9810 struct nft_ctx ctx = { 9811 .net = net, 9812 .family = NFPROTO_NETDEV, 9813 }; 9814 9815 ctx.family = table->family; 9816 ctx.table = table; 9817 list_for_each_entry(chain, &table->chains, list) { 9818 ctx.chain = chain; 9819 list_for_each_entry_safe(rule, nr, &chain->rules, list) { 9820 list_del(&rule->list); 9821 chain->use--; 9822 nf_tables_rule_release(&ctx, rule); 9823 } 9824 } 9825 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) { 9826 list_del(&flowtable->list); 9827 table->use--; 9828 nf_tables_flowtable_destroy(flowtable); 9829 } 9830 list_for_each_entry_safe(set, ns, &table->sets, list) { 9831 list_del(&set->list); 9832 table->use--; 9833 nft_set_destroy(&ctx, set); 9834 } 9835 list_for_each_entry_safe(obj, ne, &table->objects, list) { 9836 nft_obj_del(obj); 9837 table->use--; 9838 nft_obj_destroy(&ctx, obj); 9839 } 9840 list_for_each_entry_safe(chain, nc, &table->chains, list) { 9841 ctx.chain = chain; 9842 nft_chain_del(chain); 9843 table->use--; 9844 nf_tables_chain_destroy(&ctx); 9845 } 9846 nf_tables_table_destroy(&ctx); 9847} 9848 9849static void __nft_release_tables(struct net *net) 9850{ 9851 struct nftables_pernet *nft_net = nft_pernet(net); 9852 struct nft_table *table, *nt; 9853 9854 list_for_each_entry_safe(table, nt, &nft_net->tables, list) { 9855 if (nft_table_has_owner(table)) 9856 continue; 9857 9858 list_del(&table->list); 9859 9860 __nft_release_table(net, table); 9861 } 9862} 9863 9864static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event, 9865 void *ptr) 9866{ 9867 struct nft_table *table, *to_delete[8]; 9868 struct nftables_pernet *nft_net; 9869 struct netlink_notify *n = ptr; 9870 struct net *net = n->net; 9871 unsigned int deleted; 9872 bool restart = false; 9873 9874 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER) 9875 return NOTIFY_DONE; 9876 9877 nft_net = nft_pernet(net); 9878 deleted = 0; 9879 mutex_lock(&nft_net->commit_mutex); 9880again: 9881 list_for_each_entry(table, &nft_net->tables, list) { 9882 if (nft_table_has_owner(table) && 9883 n->portid == table->nlpid) { 9884 __nft_release_hook(net, table); 9885 list_del_rcu(&table->list); 9886 to_delete[deleted++] = table; 9887 if (deleted >= ARRAY_SIZE(to_delete)) 9888 break; 9889 } 9890 } 9891 if (deleted) { 9892 restart = deleted >= ARRAY_SIZE(to_delete); 9893 synchronize_rcu(); 9894 while (deleted) 9895 __nft_release_table(net, to_delete[--deleted]); 9896 9897 if (restart) 9898 goto again; 9899 } 9900 mutex_unlock(&nft_net->commit_mutex); 9901 9902 return NOTIFY_DONE; 9903} 9904 9905static struct notifier_block nft_nl_notifier = { 9906 .notifier_call = nft_rcv_nl_event, 9907}; 9908 9909static int __net_init nf_tables_init_net(struct net *net) 9910{ 9911 struct nftables_pernet *nft_net = nft_pernet(net); 9912 9913 INIT_LIST_HEAD(&nft_net->tables); 9914 INIT_LIST_HEAD(&nft_net->commit_list); 9915 INIT_LIST_HEAD(&nft_net->module_list); 9916 INIT_LIST_HEAD(&nft_net->notify_list); 9917 mutex_init(&nft_net->commit_mutex); 9918 nft_net->base_seq = 1; 9919 nft_net->validate_state = NFT_VALIDATE_SKIP; 9920 9921 return 0; 9922} 9923 9924static void __net_exit nf_tables_pre_exit_net(struct net *net) 9925{ 9926 struct nftables_pernet *nft_net = nft_pernet(net); 9927 9928 mutex_lock(&nft_net->commit_mutex); 9929 __nft_release_hooks(net); 9930 mutex_unlock(&nft_net->commit_mutex); 9931} 9932 9933static void __net_exit nf_tables_exit_net(struct net *net) 9934{ 9935 struct nftables_pernet *nft_net = nft_pernet(net); 9936 9937 mutex_lock(&nft_net->commit_mutex); 9938 if (!list_empty(&nft_net->commit_list)) 9939 __nf_tables_abort(net, NFNL_ABORT_NONE); 9940 __nft_release_tables(net); 9941 mutex_unlock(&nft_net->commit_mutex); 9942 WARN_ON_ONCE(!list_empty(&nft_net->tables)); 9943 WARN_ON_ONCE(!list_empty(&nft_net->module_list)); 9944 WARN_ON_ONCE(!list_empty(&nft_net->notify_list)); 9945} 9946 9947static struct pernet_operations nf_tables_net_ops = { 9948 .init = nf_tables_init_net, 9949 .pre_exit = nf_tables_pre_exit_net, 9950 .exit = nf_tables_exit_net, 9951 .id = &nf_tables_net_id, 9952 .size = sizeof(struct nftables_pernet), 9953}; 9954 9955static int __init nf_tables_module_init(void) 9956{ 9957 int err; 9958 9959 err = register_pernet_subsys(&nf_tables_net_ops); 9960 if (err < 0) 9961 return err; 9962 9963 err = nft_chain_filter_init(); 9964 if (err < 0) 9965 goto err_chain_filter; 9966 9967 err = nf_tables_core_module_init(); 9968 if (err < 0) 9969 goto err_core_module; 9970 9971 err = register_netdevice_notifier(&nf_tables_flowtable_notifier); 9972 if (err < 0) 9973 goto err_netdev_notifier; 9974 9975 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params); 9976 if (err < 0) 9977 goto err_rht_objname; 9978 9979 err = nft_offload_init(); 9980 if (err < 0) 9981 goto err_offload; 9982 9983 err = netlink_register_notifier(&nft_nl_notifier); 9984 if (err < 0) 9985 goto err_netlink_notifier; 9986 9987 /* must be last */ 9988 err = nfnetlink_subsys_register(&nf_tables_subsys); 9989 if (err < 0) 9990 goto err_nfnl_subsys; 9991 9992 nft_chain_route_init(); 9993 9994 return err; 9995 9996err_nfnl_subsys: 9997 netlink_unregister_notifier(&nft_nl_notifier); 9998err_netlink_notifier: 9999 nft_offload_exit(); 10000err_offload: 10001 rhltable_destroy(&nft_objname_ht); 10002err_rht_objname: 10003 unregister_netdevice_notifier(&nf_tables_flowtable_notifier); 10004err_netdev_notifier: 10005 nf_tables_core_module_exit(); 10006err_core_module: 10007 nft_chain_filter_fini(); 10008err_chain_filter: 10009 unregister_pernet_subsys(&nf_tables_net_ops); 10010 return err; 10011} 10012 10013static void __exit nf_tables_module_exit(void) 10014{ 10015 nfnetlink_subsys_unregister(&nf_tables_subsys); 10016 netlink_unregister_notifier(&nft_nl_notifier); 10017 nft_offload_exit(); 10018 unregister_netdevice_notifier(&nf_tables_flowtable_notifier); 10019 nft_chain_filter_fini(); 10020 nft_chain_route_fini(); 10021 unregister_pernet_subsys(&nf_tables_net_ops); 10022 cancel_work_sync(&trans_destroy_work); 10023 rcu_barrier(); 10024 rhltable_destroy(&nft_objname_ht); 10025 nf_tables_core_module_exit(); 10026} 10027 10028module_init(nf_tables_module_init); 10029module_exit(nf_tables_module_exit); 10030 10031MODULE_LICENSE("GPL"); 10032MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 10033MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);