]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blob - net/netfilter/nf_tables_api.c
projects / mirror_ubuntu-bionic-kernel.git / blob
? search:


5092c817c222abf5a413aee0c3bb3d95a5d5db12
[mirror_ubuntu-bionic-kernel.git] / net / netfilter / nf_tables_api.c
1 /*
2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
7 *
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
9 */
10
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/sock.h>
22
23 static LIST_HEAD(nf_tables_afinfo);
24 static LIST_HEAD(nf_tables_expressions);
25
26 /**
27 * nft_register_afinfo - register nf_tables address family info
28 *
29 * @afi: address family info to register
30 *
31 * Register the address family for use with nf_tables. Returns zero on
32 * success or a negative errno code otherwise.
33 */
34 int nft_register_afinfo(struct nft_af_info *afi)
35 {
36 INIT_LIST_HEAD(&afi->tables);
37 nfnl_lock(NFNL_SUBSYS_NFTABLES);
38 list_add_tail(&afi->list, &nf_tables_afinfo);
39 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
40 return 0;
41 }
42 EXPORT_SYMBOL_GPL(nft_register_afinfo);
43
44 /**
45 * nft_unregister_afinfo - unregister nf_tables address family info
46 *
47 * @afi: address family info to unregister
48 *
49 * Unregister the address family for use with nf_tables.
50 */
51 void nft_unregister_afinfo(struct nft_af_info *afi)
52 {
53 nfnl_lock(NFNL_SUBSYS_NFTABLES);
54 list_del(&afi->list);
55 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
56 }
57 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
58
59 static struct nft_af_info *nft_afinfo_lookup(int family)
60 {
61 struct nft_af_info *afi;
62
63 list_for_each_entry(afi, &nf_tables_afinfo, list) {
64 if (afi->family == family)
65 return afi;
66 }
67 return NULL;
68 }
69
70 static struct nft_af_info *nf_tables_afinfo_lookup(int family, bool autoload)
71 {
72 struct nft_af_info *afi;
73
74 afi = nft_afinfo_lookup(family);
75 if (afi != NULL)
76 return afi;
77 #ifdef CONFIG_MODULES
78 if (autoload) {
79 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
80 request_module("nft-afinfo-%u", family);
81 nfnl_lock(NFNL_SUBSYS_NFTABLES);
82 afi = nft_afinfo_lookup(family);
83 if (afi != NULL)
84 return ERR_PTR(-EAGAIN);
85 }
86 #endif
87 return ERR_PTR(-EAFNOSUPPORT);
88 }
89
90 /*
91 * Tables
92 */
93
94 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
95 const struct nlattr *nla)
96 {
97 struct nft_table *table;
98
99 list_for_each_entry(table, &afi->tables, list) {
100 if (!nla_strcmp(nla, table->name))
101 return table;
102 }
103 return NULL;
104 }
105
106 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
107 const struct nlattr *nla,
108 bool autoload)
109 {
110 struct nft_table *table;
111
112 if (nla == NULL)
113 return ERR_PTR(-EINVAL);
114
115 table = nft_table_lookup(afi, nla);
116 if (table != NULL)
117 return table;
118
119 #ifdef CONFIG_MODULES
120 if (autoload) {
121 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
122 request_module("nft-table-%u-%*.s", afi->family,
123 nla_len(nla)-1, (const char *)nla_data(nla));
124 nfnl_lock(NFNL_SUBSYS_NFTABLES);
125 if (nft_table_lookup(afi, nla))
126 return ERR_PTR(-EAGAIN);
127 }
128 #endif
129 return ERR_PTR(-ENOENT);
130 }
131
132 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
133 {
134 return ++table->hgenerator;
135 }
136
137 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
138 [NFTA_TABLE_NAME] = { .type = NLA_STRING },
139 };
140
141 static int nf_tables_fill_table_info(struct sk_buff *skb, u32 portid, u32 seq,
142 int event, u32 flags, int family,
143 const struct nft_table *table)
144 {
145 struct nlmsghdr *nlh;
146 struct nfgenmsg *nfmsg;
147
148 event |= NFNL_SUBSYS_NFTABLES << 8;
149 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
150 if (nlh == NULL)
151 goto nla_put_failure;
152
153 nfmsg = nlmsg_data(nlh);
154 nfmsg->nfgen_family = family;
155 nfmsg->version = NFNETLINK_V0;
156 nfmsg->res_id = 0;
157
158 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name))
159 goto nla_put_failure;
160
161 return nlmsg_end(skb, nlh);
162
163 nla_put_failure:
164 nlmsg_trim(skb, nlh);
165 return -1;
166 }
167
168 static int nf_tables_table_notify(const struct sk_buff *oskb,
169 const struct nlmsghdr *nlh,
170 const struct nft_table *table,
171 int event, int family)
172 {
173 struct sk_buff *skb;
174 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
175 u32 seq = nlh ? nlh->nlmsg_seq : 0;
176 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
177 bool report;
178 int err;
179
180 report = nlh ? nlmsg_report(nlh) : false;
181 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
182 return 0;
183
184 err = -ENOBUFS;
185 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
186 if (skb == NULL)
187 goto err;
188
189 err = nf_tables_fill_table_info(skb, portid, seq, event, 0,
190 family, table);
191 if (err < 0) {
192 kfree_skb(skb);
193 goto err;
194 }
195
196 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
197 GFP_KERNEL);
198 err:
199 if (err < 0)
200 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
201 return err;
202 }
203
204 static int nf_tables_dump_tables(struct sk_buff *skb,
205 struct netlink_callback *cb)
206 {
207 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
208 const struct nft_af_info *afi;
209 const struct nft_table *table;
210 unsigned int idx = 0, s_idx = cb->args[0];
211 int family = nfmsg->nfgen_family;
212
213 list_for_each_entry(afi, &nf_tables_afinfo, list) {
214 if (family != NFPROTO_UNSPEC && family != afi->family)
215 continue;
216
217 list_for_each_entry(table, &afi->tables, list) {
218 if (idx < s_idx)
219 goto cont;
220 if (idx > s_idx)
221 memset(&cb->args[1], 0,
222 sizeof(cb->args) - sizeof(cb->args[0]));
223 if (nf_tables_fill_table_info(skb,
224 NETLINK_CB(cb->skb).portid,
225 cb->nlh->nlmsg_seq,
226 NFT_MSG_NEWTABLE,
227 NLM_F_MULTI,
228 afi->family, table) < 0)
229 goto done;
230 cont:
231 idx++;
232 }
233 }
234 done:
235 cb->args[0] = idx;
236 return skb->len;
237 }
238
239 static int nf_tables_gettable(struct sock *nlsk, struct sk_buff *skb,
240 const struct nlmsghdr *nlh,
241 const struct nlattr * const nla[])
242 {
243 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
244 const struct nft_af_info *afi;
245 const struct nft_table *table;
246 struct sk_buff *skb2;
247 int family = nfmsg->nfgen_family;
248 int err;
249
250 if (nlh->nlmsg_flags & NLM_F_DUMP) {
251 struct netlink_dump_control c = {
252 .dump = nf_tables_dump_tables,
253 };
254 return netlink_dump_start(nlsk, skb, nlh, &c);
255 }
256
257 afi = nf_tables_afinfo_lookup(family, false);
258 if (IS_ERR(afi))
259 return PTR_ERR(afi);
260
261 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], false);
262 if (IS_ERR(table))
263 return PTR_ERR(table);
264
265 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
266 if (!skb2)
267 return -ENOMEM;
268
269 err = nf_tables_fill_table_info(skb2, NETLINK_CB(skb).portid,
270 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
271 family, table);
272 if (err < 0)
273 goto err;
274
275 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
276
277 err:
278 kfree_skb(skb2);
279 return err;
280 }
281
282 static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
283 const struct nlmsghdr *nlh,
284 const struct nlattr * const nla[])
285 {
286 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
287 const struct nlattr *name;
288 struct nft_af_info *afi;
289 struct nft_table *table;
290 int family = nfmsg->nfgen_family;
291
292 afi = nf_tables_afinfo_lookup(family, true);
293 if (IS_ERR(afi))
294 return PTR_ERR(afi);
295
296 name = nla[NFTA_TABLE_NAME];
297 table = nf_tables_table_lookup(afi, name, false);
298 if (IS_ERR(table)) {
299 if (PTR_ERR(table) != -ENOENT)
300 return PTR_ERR(table);
301 table = NULL;
302 }
303
304 if (table != NULL) {
305 if (nlh->nlmsg_flags & NLM_F_EXCL)
306 return -EEXIST;
307 if (nlh->nlmsg_flags & NLM_F_REPLACE)
308 return -EOPNOTSUPP;
309 return 0;
310 }
311
312 table = kzalloc(sizeof(*table) + nla_len(name), GFP_KERNEL);
313 if (table == NULL)
314 return -ENOMEM;
315
316 nla_strlcpy(table->name, name, nla_len(name));
317 INIT_LIST_HEAD(&table->chains);
318 INIT_LIST_HEAD(&table->sets);
319
320 list_add_tail(&table->list, &afi->tables);
321 nf_tables_table_notify(skb, nlh, table, NFT_MSG_NEWTABLE, family);
322 return 0;
323 }
324
325 static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
326 const struct nlmsghdr *nlh,
327 const struct nlattr * const nla[])
328 {
329 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
330 struct nft_af_info *afi;
331 struct nft_table *table;
332 int family = nfmsg->nfgen_family;
333
334 afi = nf_tables_afinfo_lookup(family, false);
335 if (IS_ERR(afi))
336 return PTR_ERR(afi);
337
338 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], false);
339 if (IS_ERR(table))
340 return PTR_ERR(table);
341
342 if (table->flags & NFT_TABLE_BUILTIN)
343 return -EOPNOTSUPP;
344
345 if (table->use)
346 return -EBUSY;
347
348 list_del(&table->list);
349 nf_tables_table_notify(skb, nlh, table, NFT_MSG_DELTABLE, family);
350 kfree(table);
351 return 0;
352 }
353
354 static struct nft_table *__nf_tables_table_lookup(const struct nft_af_info *afi,
355 const char *name)
356 {
357 struct nft_table *table;
358
359 list_for_each_entry(table, &afi->tables, list) {
360 if (!strcmp(name, table->name))
361 return table;
362 }
363
364 return ERR_PTR(-ENOENT);
365 }
366
367 static int nf_tables_chain_notify(const struct sk_buff *oskb,
368 const struct nlmsghdr *nlh,
369 const struct nft_table *table,
370 const struct nft_chain *chain,
371 int event, int family);
372
373 /**
374 * nft_register_table - register a built-in table
375 *
376 * @table: the table to register
377 * @family: protocol family to register table with
378 *
379 * Register a built-in table for use with nf_tables. Returns zero on
380 * success or a negative errno code otherwise.
381 */
382 int nft_register_table(struct nft_table *table, int family)
383 {
384 struct nft_af_info *afi;
385 struct nft_table *t;
386 struct nft_chain *chain;
387 int err;
388
389 nfnl_lock(NFNL_SUBSYS_NFTABLES);
390 again:
391 afi = nf_tables_afinfo_lookup(family, true);
392 if (IS_ERR(afi)) {
393 err = PTR_ERR(afi);
394 if (err == -EAGAIN)
395 goto again;
396 goto err;
397 }
398
399 t = __nf_tables_table_lookup(afi, table->name);
400 if (IS_ERR(t)) {
401 err = PTR_ERR(t);
402 if (err != -ENOENT)
403 goto err;
404 t = NULL;
405 }
406
407 if (t != NULL) {
408 err = -EEXIST;
409 goto err;
410 }
411
412 table->flags |= NFT_TABLE_BUILTIN;
413 INIT_LIST_HEAD(&table->sets);
414 list_add_tail(&table->list, &afi->tables);
415 nf_tables_table_notify(NULL, NULL, table, NFT_MSG_NEWTABLE, family);
416 list_for_each_entry(chain, &table->chains, list)
417 nf_tables_chain_notify(NULL, NULL, table, chain,
418 NFT_MSG_NEWCHAIN, family);
419 err = 0;
420 err:
421 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
422 return err;
423 }
424 EXPORT_SYMBOL_GPL(nft_register_table);
425
426 /**
427 * nft_unregister_table - unregister a built-in table
428 *
429 * @table: the table to unregister
430 * @family: protocol family to unregister table with
431 *
432 * Unregister a built-in table for use with nf_tables.
433 */
434 void nft_unregister_table(struct nft_table *table, int family)
435 {
436 struct nft_chain *chain;
437
438 nfnl_lock(NFNL_SUBSYS_NFTABLES);
439 list_del(&table->list);
440 list_for_each_entry(chain, &table->chains, list)
441 nf_tables_chain_notify(NULL, NULL, table, chain,
442 NFT_MSG_DELCHAIN, family);
443 nf_tables_table_notify(NULL, NULL, table, NFT_MSG_DELTABLE, family);
444 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
445 }
446 EXPORT_SYMBOL_GPL(nft_unregister_table);
447
448 /*
449 * Chains
450 */
451
452 static struct nft_chain *
453 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle)
454 {
455 struct nft_chain *chain;
456
457 list_for_each_entry(chain, &table->chains, list) {
458 if (chain->handle == handle)
459 return chain;
460 }
461
462 return ERR_PTR(-ENOENT);
463 }
464
465 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
466 const struct nlattr *nla)
467 {
468 struct nft_chain *chain;
469
470 if (nla == NULL)
471 return ERR_PTR(-EINVAL);
472
473 list_for_each_entry(chain, &table->chains, list) {
474 if (!nla_strcmp(nla, chain->name))
475 return chain;
476 }
477
478 return ERR_PTR(-ENOENT);
479 }
480
481 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
482 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
483 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
484 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
485 .len = NFT_CHAIN_MAXNAMELEN - 1 },
486 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
487 };
488
489 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
490 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
491 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
492 };
493
494 static int nf_tables_fill_chain_info(struct sk_buff *skb, u32 portid, u32 seq,
495 int event, u32 flags, int family,
496 const struct nft_table *table,
497 const struct nft_chain *chain)
498 {
499 struct nlmsghdr *nlh;
500 struct nfgenmsg *nfmsg;
501
502 event |= NFNL_SUBSYS_NFTABLES << 8;
503 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
504 if (nlh == NULL)
505 goto nla_put_failure;
506
507 nfmsg = nlmsg_data(nlh);
508 nfmsg->nfgen_family = family;
509 nfmsg->version = NFNETLINK_V0;
510 nfmsg->res_id = 0;
511
512 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
513 goto nla_put_failure;
514 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle)))
515 goto nla_put_failure;
516 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
517 goto nla_put_failure;
518
519 if (chain->flags & NFT_BASE_CHAIN) {
520 const struct nf_hook_ops *ops = &nft_base_chain(chain)->ops;
521 struct nlattr *nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
522 if (nest == NULL)
523 goto nla_put_failure;
524 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
525 goto nla_put_failure;
526 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
527 goto nla_put_failure;
528 nla_nest_end(skb, nest);
529 }
530
531 return nlmsg_end(skb, nlh);
532
533 nla_put_failure:
534 nlmsg_trim(skb, nlh);
535 return -1;
536 }
537
538 static int nf_tables_chain_notify(const struct sk_buff *oskb,
539 const struct nlmsghdr *nlh,
540 const struct nft_table *table,
541 const struct nft_chain *chain,
542 int event, int family)
543 {
544 struct sk_buff *skb;
545 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
546 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
547 u32 seq = nlh ? nlh->nlmsg_seq : 0;
548 bool report;
549 int err;
550
551 report = nlh ? nlmsg_report(nlh) : false;
552 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
553 return 0;
554
555 err = -ENOBUFS;
556 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
557 if (skb == NULL)
558 goto err;
559
560 err = nf_tables_fill_chain_info(skb, portid, seq, event, 0, family,
561 table, chain);
562 if (err < 0) {
563 kfree_skb(skb);
564 goto err;
565 }
566
567 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
568 GFP_KERNEL);
569 err:
570 if (err < 0)
571 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
572 return err;
573 }
574
575 static int nf_tables_dump_chains(struct sk_buff *skb,
576 struct netlink_callback *cb)
577 {
578 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
579 const struct nft_af_info *afi;
580 const struct nft_table *table;
581 const struct nft_chain *chain;
582 unsigned int idx = 0, s_idx = cb->args[0];
583 int family = nfmsg->nfgen_family;
584
585 list_for_each_entry(afi, &nf_tables_afinfo, list) {
586 if (family != NFPROTO_UNSPEC && family != afi->family)
587 continue;
588
589 list_for_each_entry(table, &afi->tables, list) {
590 list_for_each_entry(chain, &table->chains, list) {
591 if (idx < s_idx)
592 goto cont;
593 if (idx > s_idx)
594 memset(&cb->args[1], 0,
595 sizeof(cb->args) - sizeof(cb->args[0]));
596 if (nf_tables_fill_chain_info(skb, NETLINK_CB(cb->skb).portid,
597 cb->nlh->nlmsg_seq,
598 NFT_MSG_NEWCHAIN,
599 NLM_F_MULTI,
600 afi->family, table, chain) < 0)
601 goto done;
602 cont:
603 idx++;
604 }
605 }
606 }
607 done:
608 cb->args[0] = idx;
609 return skb->len;
610 }
611
612
613 static int nf_tables_getchain(struct sock *nlsk, struct sk_buff *skb,
614 const struct nlmsghdr *nlh,
615 const struct nlattr * const nla[])
616 {
617 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
618 const struct nft_af_info *afi;
619 const struct nft_table *table;
620 const struct nft_chain *chain;
621 struct sk_buff *skb2;
622 int family = nfmsg->nfgen_family;
623 int err;
624
625 if (nlh->nlmsg_flags & NLM_F_DUMP) {
626 struct netlink_dump_control c = {
627 .dump = nf_tables_dump_chains,
628 };
629 return netlink_dump_start(nlsk, skb, nlh, &c);
630 }
631
632 afi = nf_tables_afinfo_lookup(family, false);
633 if (IS_ERR(afi))
634 return PTR_ERR(afi);
635
636 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], false);
637 if (IS_ERR(table))
638 return PTR_ERR(table);
639
640 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
641 if (IS_ERR(chain))
642 return PTR_ERR(chain);
643
644 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
645 if (!skb2)
646 return -ENOMEM;
647
648 err = nf_tables_fill_chain_info(skb2, NETLINK_CB(skb).portid,
649 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
650 family, table, chain);
651 if (err < 0)
652 goto err;
653
654 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
655
656 err:
657 kfree_skb(skb2);
658 return err;
659 }
660
661 static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
662 const struct nlmsghdr *nlh,
663 const struct nlattr * const nla[])
664 {
665 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
666 const struct nlattr * uninitialized_var(name);
667 const struct nft_af_info *afi;
668 struct nft_table *table;
669 struct nft_chain *chain;
670 struct nft_base_chain *basechain;
671 struct nlattr *ha[NFTA_HOOK_MAX + 1];
672 int family = nfmsg->nfgen_family;
673 u64 handle = 0;
674 int err;
675 bool create;
676
677 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
678
679 afi = nf_tables_afinfo_lookup(family, true);
680 if (IS_ERR(afi))
681 return PTR_ERR(afi);
682
683 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], create);
684 if (IS_ERR(table))
685 return PTR_ERR(table);
686
687 if (table->use == UINT_MAX)
688 return -EOVERFLOW;
689
690 chain = NULL;
691 name = nla[NFTA_CHAIN_NAME];
692
693 if (nla[NFTA_CHAIN_HANDLE]) {
694 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
695 chain = nf_tables_chain_lookup_byhandle(table, handle);
696 if (IS_ERR(chain))
697 return PTR_ERR(chain);
698 } else {
699 chain = nf_tables_chain_lookup(table, name);
700 if (IS_ERR(chain)) {
701 if (PTR_ERR(chain) != -ENOENT)
702 return PTR_ERR(chain);
703 chain = NULL;
704 }
705 }
706
707 if (chain != NULL) {
708 if (nlh->nlmsg_flags & NLM_F_EXCL)
709 return -EEXIST;
710 if (nlh->nlmsg_flags & NLM_F_REPLACE)
711 return -EOPNOTSUPP;
712
713 if (nla[NFTA_CHAIN_HANDLE] && name &&
714 !IS_ERR(nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME])))
715 return -EEXIST;
716
717 if (nla[NFTA_CHAIN_HANDLE] && name)
718 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
719
720 goto notify;
721 }
722
723 if (nla[NFTA_CHAIN_HOOK]) {
724 struct nf_hook_ops *ops;
725
726 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
727 nft_hook_policy);
728 if (err < 0)
729 return err;
730 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
731 ha[NFTA_HOOK_PRIORITY] == NULL)
732 return -EINVAL;
733 if (ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM])) >= afi->nhooks)
734 return -EINVAL;
735
736 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
737 if (basechain == NULL)
738 return -ENOMEM;
739 chain = &basechain->chain;
740
741 ops = &basechain->ops;
742 ops->pf = family;
743 ops->owner = afi->owner;
744 ops->hooknum = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
745 ops->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
746 ops->priv = chain;
747 ops->hook = nft_do_chain;
748 if (afi->hooks[ops->hooknum])
749 ops->hook = afi->hooks[ops->hooknum];
750
751 chain->flags |= NFT_BASE_CHAIN;
752 } else {
753 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
754 if (chain == NULL)
755 return -ENOMEM;
756 }
757
758 INIT_LIST_HEAD(&chain->rules);
759 chain->handle = nf_tables_alloc_handle(table);
760 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
761
762 list_add_tail(&chain->list, &table->chains);
763 table->use++;
764 notify:
765 nf_tables_chain_notify(skb, nlh, table, chain, NFT_MSG_NEWCHAIN,
766 family);
767 return 0;
768 }
769
770 static void nf_tables_rcu_chain_destroy(struct rcu_head *head)
771 {
772 struct nft_chain *chain = container_of(head, struct nft_chain, rcu_head);
773
774 BUG_ON(chain->use > 0);
775
776 if (chain->flags & NFT_BASE_CHAIN)
777 kfree(nft_base_chain(chain));
778 else
779 kfree(chain);
780 }
781
782 static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
783 const struct nlmsghdr *nlh,
784 const struct nlattr * const nla[])
785 {
786 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
787 const struct nft_af_info *afi;
788 struct nft_table *table;
789 struct nft_chain *chain;
790 int family = nfmsg->nfgen_family;
791
792 afi = nf_tables_afinfo_lookup(family, false);
793 if (IS_ERR(afi))
794 return PTR_ERR(afi);
795
796 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], false);
797 if (IS_ERR(table))
798 return PTR_ERR(table);
799
800 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
801 if (IS_ERR(chain))
802 return PTR_ERR(chain);
803
804 if (chain->flags & NFT_CHAIN_BUILTIN)
805 return -EOPNOTSUPP;
806
807 if (!list_empty(&chain->rules))
808 return -EBUSY;
809
810 list_del(&chain->list);
811 table->use--;
812
813 if (chain->flags & NFT_BASE_CHAIN)
814 nf_unregister_hook(&nft_base_chain(chain)->ops);
815
816 nf_tables_chain_notify(skb, nlh, table, chain, NFT_MSG_DELCHAIN,
817 family);
818
819 /* Make sure all rule references are gone before this is released */
820 call_rcu(&chain->rcu_head, nf_tables_rcu_chain_destroy);
821 return 0;
822 }
823
824 static void nft_ctx_init(struct nft_ctx *ctx,
825 const struct sk_buff *skb,
826 const struct nlmsghdr *nlh,
827 const struct nft_af_info *afi,
828 const struct nft_table *table,
829 const struct nft_chain *chain)
830 {
831 ctx->skb = skb;
832 ctx->nlh = nlh;
833 ctx->afi = afi;
834 ctx->table = table;
835 ctx->chain = chain;
836 }
837
838 /*
839 * Expressions
840 */
841
842 /**
843 * nft_register_expr - register nf_tables expr operations
844 * @ops: expr operations
845 *
846 * Registers the expr operations for use with nf_tables. Returns zero on
847 * success or a negative errno code otherwise.
848 */
849 int nft_register_expr(struct nft_expr_ops *ops)
850 {
851 nfnl_lock(NFNL_SUBSYS_NFTABLES);
852 list_add_tail(&ops->list, &nf_tables_expressions);
853 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
854 return 0;
855 }
856 EXPORT_SYMBOL_GPL(nft_register_expr);
857
858 /**
859 * nft_unregister_expr - unregister nf_tables expr operations
860 * @ops: expr operations
861 *
862 * Unregisters the expr operations for use with nf_tables.
863 */
864 void nft_unregister_expr(struct nft_expr_ops *ops)
865 {
866 nfnl_lock(NFNL_SUBSYS_NFTABLES);
867 list_del(&ops->list);
868 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
869 }
870 EXPORT_SYMBOL_GPL(nft_unregister_expr);
871
872 static const struct nft_expr_ops *__nft_expr_ops_get(struct nlattr *nla)
873 {
874 const struct nft_expr_ops *ops;
875
876 list_for_each_entry(ops, &nf_tables_expressions, list) {
877 if (!nla_strcmp(nla, ops->name))
878 return ops;
879 }
880 return NULL;
881 }
882
883 static const struct nft_expr_ops *nft_expr_ops_get(struct nlattr *nla)
884 {
885 const struct nft_expr_ops *ops;
886
887 if (nla == NULL)
888 return ERR_PTR(-EINVAL);
889
890 ops = __nft_expr_ops_get(nla);
891 if (ops != NULL && try_module_get(ops->owner))
892 return ops;
893
894 #ifdef CONFIG_MODULES
895 if (ops == NULL) {
896 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
897 request_module("nft-expr-%.*s",
898 nla_len(nla), (char *)nla_data(nla));
899 nfnl_lock(NFNL_SUBSYS_NFTABLES);
900 if (__nft_expr_ops_get(nla))
901 return ERR_PTR(-EAGAIN);
902 }
903 #endif
904 return ERR_PTR(-ENOENT);
905 }
906
907 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
908 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
909 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
910 };
911
912 static int nf_tables_fill_expr_info(struct sk_buff *skb,
913 const struct nft_expr *expr)
914 {
915 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->name))
916 goto nla_put_failure;
917
918 if (expr->ops->dump) {
919 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
920 if (data == NULL)
921 goto nla_put_failure;
922 if (expr->ops->dump(skb, expr) < 0)
923 goto nla_put_failure;
924 nla_nest_end(skb, data);
925 }
926
927 return skb->len;
928
929 nla_put_failure:
930 return -1;
931 };
932
933 struct nft_expr_info {
934 const struct nft_expr_ops *ops;
935 struct nlattr *tb[NFTA_EXPR_MAX + 1];
936 };
937
938 static int nf_tables_expr_parse(const struct nlattr *nla,
939 struct nft_expr_info *info)
940 {
941 const struct nft_expr_ops *ops;
942 int err;
943
944 err = nla_parse_nested(info->tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
945 if (err < 0)
946 return err;
947
948 ops = nft_expr_ops_get(info->tb[NFTA_EXPR_NAME]);
949 if (IS_ERR(ops))
950 return PTR_ERR(ops);
951 info->ops = ops;
952 return 0;
953 }
954
955 static int nf_tables_newexpr(const struct nft_ctx *ctx,
956 struct nft_expr_info *info,
957 struct nft_expr *expr)
958 {
959 const struct nft_expr_ops *ops = info->ops;
960 int err;
961
962 expr->ops = ops;
963 if (ops->init) {
964 struct nlattr *ma[ops->maxattr + 1];
965
966 if (info->tb[NFTA_EXPR_DATA]) {
967 err = nla_parse_nested(ma, ops->maxattr,
968 info->tb[NFTA_EXPR_DATA],
969 ops->policy);
970 if (err < 0)
971 goto err1;
972 } else
973 memset(ma, 0, sizeof(ma[0]) * (ops->maxattr + 1));
974
975 err = ops->init(ctx, expr, (const struct nlattr **)ma);
976 if (err < 0)
977 goto err1;
978 }
979
980 info->ops = NULL;
981 return 0;
982
983 err1:
984 expr->ops = NULL;
985 return err;
986 }
987
988 static void nf_tables_expr_destroy(struct nft_expr *expr)
989 {
990 if (expr->ops->destroy)
991 expr->ops->destroy(expr);
992 module_put(expr->ops->owner);
993 }
994
995 /*
996 * Rules
997 */
998
999 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1000 u64 handle)
1001 {
1002 struct nft_rule *rule;
1003
1004 // FIXME: this sucks
1005 list_for_each_entry(rule, &chain->rules, list) {
1006 if (handle == rule->handle)
1007 return rule;
1008 }
1009
1010 return ERR_PTR(-ENOENT);
1011 }
1012
1013 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1014 const struct nlattr *nla)
1015 {
1016 if (nla == NULL)
1017 return ERR_PTR(-EINVAL);
1018
1019 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1020 }
1021
1022 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1023 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1024 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1025 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1026 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1027 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1028 };
1029
1030 static int nf_tables_fill_rule_info(struct sk_buff *skb, u32 portid, u32 seq,
1031 int event, u32 flags, int family,
1032 const struct nft_table *table,
1033 const struct nft_chain *chain,
1034 const struct nft_rule *rule)
1035 {
1036 struct nlmsghdr *nlh;
1037 struct nfgenmsg *nfmsg;
1038 const struct nft_expr *expr, *next;
1039 struct nlattr *list;
1040
1041 event |= NFNL_SUBSYS_NFTABLES << 8;
1042 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
1043 flags);
1044 if (nlh == NULL)
1045 goto nla_put_failure;
1046
1047 nfmsg = nlmsg_data(nlh);
1048 nfmsg->nfgen_family = family;
1049 nfmsg->version = NFNETLINK_V0;
1050 nfmsg->res_id = 0;
1051
1052 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1053 goto nla_put_failure;
1054 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1055 goto nla_put_failure;
1056 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle)))
1057 goto nla_put_failure;
1058
1059 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1060 if (list == NULL)
1061 goto nla_put_failure;
1062 nft_rule_for_each_expr(expr, next, rule) {
1063 struct nlattr *elem = nla_nest_start(skb, NFTA_LIST_ELEM);
1064 if (elem == NULL)
1065 goto nla_put_failure;
1066 if (nf_tables_fill_expr_info(skb, expr) < 0)
1067 goto nla_put_failure;
1068 nla_nest_end(skb, elem);
1069 }
1070 nla_nest_end(skb, list);
1071
1072 return nlmsg_end(skb, nlh);
1073
1074 nla_put_failure:
1075 nlmsg_trim(skb, nlh);
1076 return -1;
1077 }
1078
1079 static int nf_tables_rule_notify(const struct sk_buff *oskb,
1080 const struct nlmsghdr *nlh,
1081 const struct nft_table *table,
1082 const struct nft_chain *chain,
1083 const struct nft_rule *rule,
1084 int event, u32 flags, int family)
1085 {
1086 struct sk_buff *skb;
1087 u32 portid = NETLINK_CB(oskb).portid;
1088 struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
1089 u32 seq = nlh->nlmsg_seq;
1090 bool report;
1091 int err;
1092
1093 report = nlmsg_report(nlh);
1094 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
1095 return 0;
1096
1097 err = -ENOBUFS;
1098 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1099 if (skb == NULL)
1100 goto err;
1101
1102 err = nf_tables_fill_rule_info(skb, portid, seq, event, flags,
1103 family, table, chain, rule);
1104 if (err < 0) {
1105 kfree_skb(skb);
1106 goto err;
1107 }
1108
1109 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
1110 GFP_KERNEL);
1111 err:
1112 if (err < 0)
1113 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
1114 return err;
1115 }
1116
1117 static int nf_tables_dump_rules(struct sk_buff *skb,
1118 struct netlink_callback *cb)
1119 {
1120 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1121 const struct nft_af_info *afi;
1122 const struct nft_table *table;
1123 const struct nft_chain *chain;
1124 const struct nft_rule *rule;
1125 unsigned int idx = 0, s_idx = cb->args[0];
1126 int family = nfmsg->nfgen_family;
1127
1128 list_for_each_entry(afi, &nf_tables_afinfo, list) {
1129 if (family != NFPROTO_UNSPEC && family != afi->family)
1130 continue;
1131
1132 list_for_each_entry(table, &afi->tables, list) {
1133 list_for_each_entry(chain, &table->chains, list) {
1134 list_for_each_entry(rule, &chain->rules, list) {
1135 if (idx < s_idx)
1136 goto cont;
1137 if (idx > s_idx)
1138 memset(&cb->args[1], 0,
1139 sizeof(cb->args) - sizeof(cb->args[0]));
1140 if (nf_tables_fill_rule_info(skb, NETLINK_CB(cb->skb).portid,
1141 cb->nlh->nlmsg_seq,
1142 NFT_MSG_NEWRULE,
1143 NLM_F_MULTI | NLM_F_APPEND,
1144 afi->family, table, chain, rule) < 0)
1145 goto done;
1146 cont:
1147 idx++;
1148 }
1149 }
1150 }
1151 }
1152 done:
1153 cb->args[0] = idx;
1154 return skb->len;
1155 }
1156
1157 static int nf_tables_getrule(struct sock *nlsk, struct sk_buff *skb,
1158 const struct nlmsghdr *nlh,
1159 const struct nlattr * const nla[])
1160 {
1161 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1162 const struct nft_af_info *afi;
1163 const struct nft_table *table;
1164 const struct nft_chain *chain;
1165 const struct nft_rule *rule;
1166 struct sk_buff *skb2;
1167 int family = nfmsg->nfgen_family;
1168 int err;
1169
1170 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1171 struct netlink_dump_control c = {
1172 .dump = nf_tables_dump_rules,
1173 };
1174 return netlink_dump_start(nlsk, skb, nlh, &c);
1175 }
1176
1177 afi = nf_tables_afinfo_lookup(family, false);
1178 if (IS_ERR(afi))
1179 return PTR_ERR(afi);
1180
1181 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], false);
1182 if (IS_ERR(table))
1183 return PTR_ERR(table);
1184
1185 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1186 if (IS_ERR(chain))
1187 return PTR_ERR(chain);
1188
1189 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
1190 if (IS_ERR(rule))
1191 return PTR_ERR(rule);
1192
1193 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1194 if (!skb2)
1195 return -ENOMEM;
1196
1197 err = nf_tables_fill_rule_info(skb2, NETLINK_CB(skb).portid,
1198 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
1199 family, table, chain, rule);
1200 if (err < 0)
1201 goto err;
1202
1203 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1204
1205 err:
1206 kfree_skb(skb2);
1207 return err;
1208 }
1209
1210 static void nf_tables_rcu_rule_destroy(struct rcu_head *head)
1211 {
1212 struct nft_rule *rule = container_of(head, struct nft_rule, rcu_head);
1213 struct nft_expr *expr;
1214
1215 /*
1216 * Careful: some expressions might not be initialized in case this
1217 * is called on error from nf_tables_newrule().
1218 */
1219 expr = nft_expr_first(rule);
1220 while (expr->ops && expr != nft_expr_last(rule)) {
1221 nf_tables_expr_destroy(expr);
1222 expr = nft_expr_next(expr);
1223 }
1224 kfree(rule);
1225 }
1226
1227 static void nf_tables_rule_destroy(struct nft_rule *rule)
1228 {
1229 call_rcu(&rule->rcu_head, nf_tables_rcu_rule_destroy);
1230 }
1231
1232 #define NFT_RULE_MAXEXPRS 128
1233
1234 static struct nft_expr_info *info;
1235
1236 static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
1237 const struct nlmsghdr *nlh,
1238 const struct nlattr * const nla[])
1239 {
1240 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1241 const struct nft_af_info *afi;
1242 struct nft_table *table;
1243 struct nft_chain *chain;
1244 struct nft_rule *rule, *old_rule = NULL;
1245 struct nft_expr *expr;
1246 struct nft_ctx ctx;
1247 struct nlattr *tmp;
1248 unsigned int size, i, n;
1249 int err, rem;
1250 bool create;
1251 u64 handle;
1252
1253 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1254
1255 afi = nf_tables_afinfo_lookup(nfmsg->nfgen_family, create);
1256 if (IS_ERR(afi))
1257 return PTR_ERR(afi);
1258
1259 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], create);
1260 if (IS_ERR(table))
1261 return PTR_ERR(table);
1262
1263 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1264 if (IS_ERR(chain))
1265 return PTR_ERR(chain);
1266
1267 if (nla[NFTA_RULE_HANDLE]) {
1268 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
1269 rule = __nf_tables_rule_lookup(chain, handle);
1270 if (IS_ERR(rule))
1271 return PTR_ERR(rule);
1272
1273 if (nlh->nlmsg_flags & NLM_F_EXCL)
1274 return -EEXIST;
1275 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1276 old_rule = rule;
1277 else
1278 return -EOPNOTSUPP;
1279 } else {
1280 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
1281 return -EINVAL;
1282 handle = nf_tables_alloc_handle(table);
1283 }
1284
1285 n = 0;
1286 size = 0;
1287 if (nla[NFTA_RULE_EXPRESSIONS]) {
1288 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
1289 err = -EINVAL;
1290 if (nla_type(tmp) != NFTA_LIST_ELEM)
1291 goto err1;
1292 if (n == NFT_RULE_MAXEXPRS)
1293 goto err1;
1294 err = nf_tables_expr_parse(tmp, &info[n]);
1295 if (err < 0)
1296 goto err1;
1297 size += info[n].ops->size;
1298 n++;
1299 }
1300 }
1301
1302 err = -ENOMEM;
1303 rule = kzalloc(sizeof(*rule) + size, GFP_KERNEL);
1304 if (rule == NULL)
1305 goto err1;
1306
1307 rule->handle = handle;
1308 rule->dlen = size;
1309
1310 nft_ctx_init(&ctx, skb, nlh, afi, table, chain);
1311 expr = nft_expr_first(rule);
1312 for (i = 0; i < n; i++) {
1313 err = nf_tables_newexpr(&ctx, &info[i], expr);
1314 if (err < 0)
1315 goto err2;
1316 expr = nft_expr_next(expr);
1317 }
1318
1319 /* Register hook when first rule is inserted into a base chain */
1320 if (list_empty(&chain->rules) && chain->flags & NFT_BASE_CHAIN) {
1321 err = nf_register_hook(&nft_base_chain(chain)->ops);
1322 if (err < 0)
1323 goto err2;
1324 }
1325
1326 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
1327 list_replace_rcu(&old_rule->list, &rule->list);
1328 nf_tables_rule_destroy(old_rule);
1329 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
1330 list_add_tail_rcu(&rule->list, &chain->rules);
1331 else
1332 list_add_rcu(&rule->list, &chain->rules);
1333
1334 nf_tables_rule_notify(skb, nlh, table, chain, rule, NFT_MSG_NEWRULE,
1335 nlh->nlmsg_flags & (NLM_F_APPEND | NLM_F_REPLACE),
1336 nfmsg->nfgen_family);
1337 return 0;
1338
1339 err2:
1340 nf_tables_rule_destroy(rule);
1341 err1:
1342 for (i = 0; i < n; i++) {
1343 if (info[i].ops != NULL)
1344 module_put(info[i].ops->owner);
1345 }
1346 return err;
1347 }
1348
1349 static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
1350 const struct nlmsghdr *nlh,
1351 const struct nlattr * const nla[])
1352 {
1353 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1354 const struct nft_af_info *afi;
1355 const struct nft_table *table;
1356 struct nft_chain *chain;
1357 struct nft_rule *rule, *tmp;
1358 int family = nfmsg->nfgen_family;
1359
1360 afi = nf_tables_afinfo_lookup(family, false);
1361 if (IS_ERR(afi))
1362 return PTR_ERR(afi);
1363
1364 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], false);
1365 if (IS_ERR(table))
1366 return PTR_ERR(table);
1367
1368 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN]);
1369 if (IS_ERR(chain))
1370 return PTR_ERR(chain);
1371
1372 if (nla[NFTA_RULE_HANDLE]) {
1373 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
1374 if (IS_ERR(rule))
1375 return PTR_ERR(rule);
1376
1377 /* List removal must be visible before destroying expressions */
1378 list_del_rcu(&rule->list);
1379
1380 nf_tables_rule_notify(skb, nlh, table, chain, rule,
1381 NFT_MSG_DELRULE, 0, family);
1382 nf_tables_rule_destroy(rule);
1383 } else {
1384 /* Remove all rules in this chain */
1385 list_for_each_entry_safe(rule, tmp, &chain->rules, list) {
1386 list_del_rcu(&rule->list);
1387
1388 nf_tables_rule_notify(skb, nlh, table, chain, rule,
1389 NFT_MSG_DELRULE, 0, family);
1390 nf_tables_rule_destroy(rule);
1391 }
1392 }
1393
1394 /* Unregister hook when last rule from base chain is deleted */
1395 if (list_empty(&chain->rules) && chain->flags & NFT_BASE_CHAIN)
1396 nf_unregister_hook(&nft_base_chain(chain)->ops);
1397
1398 return 0;
1399 }
1400
1401 /*
1402 * Sets
1403 */
1404
1405 static LIST_HEAD(nf_tables_set_ops);
1406
1407 int nft_register_set(struct nft_set_ops *ops)
1408 {
1409 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1410 list_add_tail(&ops->list, &nf_tables_set_ops);
1411 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1412 return 0;
1413 }
1414 EXPORT_SYMBOL_GPL(nft_register_set);
1415
1416 void nft_unregister_set(struct nft_set_ops *ops)
1417 {
1418 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1419 list_del(&ops->list);
1420 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1421 }
1422 EXPORT_SYMBOL_GPL(nft_unregister_set);
1423
1424 static const struct nft_set_ops *nft_select_set_ops(const struct nlattr * const nla[])
1425 {
1426 const struct nft_set_ops *ops;
1427 u32 features;
1428
1429 #ifdef CONFIG_MODULES
1430 if (list_empty(&nf_tables_set_ops)) {
1431 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1432 request_module("nft-set");
1433 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1434 if (!list_empty(&nf_tables_set_ops))
1435 return ERR_PTR(-EAGAIN);
1436 }
1437 #endif
1438 features = 0;
1439 if (nla[NFTA_SET_FLAGS] != NULL) {
1440 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
1441 features &= NFT_SET_INTERVAL | NFT_SET_MAP;
1442 }
1443
1444 // FIXME: implement selection properly
1445 list_for_each_entry(ops, &nf_tables_set_ops, list) {
1446 if ((ops->features & features) != features)
1447 continue;
1448 if (!try_module_get(ops->owner))
1449 continue;
1450 return ops;
1451 }
1452
1453 return ERR_PTR(-EOPNOTSUPP);
1454 }
1455
1456 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
1457 [NFTA_SET_TABLE] = { .type = NLA_STRING },
1458 [NFTA_SET_NAME] = { .type = NLA_STRING },
1459 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
1460 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
1461 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
1462 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
1463 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
1464 };
1465
1466 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx,
1467 const struct sk_buff *skb,
1468 const struct nlmsghdr *nlh,
1469 const struct nlattr * const nla[])
1470 {
1471 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1472 const struct nft_af_info *afi;
1473 const struct nft_table *table = NULL;
1474
1475 afi = nf_tables_afinfo_lookup(nfmsg->nfgen_family, false);
1476 if (IS_ERR(afi))
1477 return PTR_ERR(afi);
1478
1479 if (nla[NFTA_SET_TABLE] != NULL) {
1480 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE], false);
1481 if (IS_ERR(table))
1482 return PTR_ERR(table);
1483 }
1484
1485 nft_ctx_init(ctx, skb, nlh, afi, table, NULL);
1486 return 0;
1487 }
1488
1489 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
1490 const struct nlattr *nla)
1491 {
1492 struct nft_set *set;
1493
1494 if (nla == NULL)
1495 return ERR_PTR(-EINVAL);
1496
1497 list_for_each_entry(set, &table->sets, list) {
1498 if (!nla_strcmp(nla, set->name))
1499 return set;
1500 }
1501 return ERR_PTR(-ENOENT);
1502 }
1503
1504 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
1505 const char *name)
1506 {
1507 const struct nft_set *i;
1508 const char *p;
1509 unsigned long *inuse;
1510 unsigned int n = 0;
1511
1512 p = strnchr(name, IFNAMSIZ, '%');
1513 if (p != NULL) {
1514 if (p[1] != 'd' || strchr(p + 2, '%'))
1515 return -EINVAL;
1516
1517 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
1518 if (inuse == NULL)
1519 return -ENOMEM;
1520
1521 list_for_each_entry(i, &ctx->table->sets, list) {
1522 if (!sscanf(i->name, name, &n))
1523 continue;
1524 if (n < 0 || n > BITS_PER_LONG * PAGE_SIZE)
1525 continue;
1526 set_bit(n, inuse);
1527 }
1528
1529 n = find_first_zero_bit(inuse, BITS_PER_LONG * PAGE_SIZE);
1530 free_page((unsigned long)inuse);
1531 }
1532
1533 snprintf(set->name, sizeof(set->name), name, n);
1534 list_for_each_entry(i, &ctx->table->sets, list) {
1535 if (!strcmp(set->name, i->name))
1536 return -ENFILE;
1537 }
1538 return 0;
1539 }
1540
1541 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
1542 const struct nft_set *set, u16 event, u16 flags)
1543 {
1544 struct nfgenmsg *nfmsg;
1545 struct nlmsghdr *nlh;
1546 u32 portid = NETLINK_CB(ctx->skb).portid;
1547 u32 seq = ctx->nlh->nlmsg_seq;
1548
1549 event |= NFNL_SUBSYS_NFTABLES << 8;
1550 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
1551 flags);
1552 if (nlh == NULL)
1553 goto nla_put_failure;
1554
1555 nfmsg = nlmsg_data(nlh);
1556 nfmsg->nfgen_family = ctx->afi->family;
1557 nfmsg->version = NFNETLINK_V0;
1558 nfmsg->res_id = 0;
1559
1560 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
1561 goto nla_put_failure;
1562 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
1563 goto nla_put_failure;
1564 if (set->flags != 0)
1565 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
1566 goto nla_put_failure;
1567
1568 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
1569 goto nla_put_failure;
1570 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
1571 goto nla_put_failure;
1572 if (set->flags & NFT_SET_MAP) {
1573 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
1574 goto nla_put_failure;
1575 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
1576 goto nla_put_failure;
1577 }
1578
1579 return nlmsg_end(skb, nlh);
1580
1581 nla_put_failure:
1582 nlmsg_trim(skb, nlh);
1583 return -1;
1584 }
1585
1586 static int nf_tables_set_notify(const struct nft_ctx *ctx,
1587 const struct nft_set *set,
1588 int event)
1589 {
1590 struct sk_buff *skb;
1591 u32 portid = NETLINK_CB(ctx->skb).portid;
1592 struct net *net = sock_net(ctx->skb->sk);
1593 bool report;
1594 int err;
1595
1596 report = nlmsg_report(ctx->nlh);
1597 if (!report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
1598 return 0;
1599
1600 err = -ENOBUFS;
1601 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1602 if (skb == NULL)
1603 goto err;
1604
1605 err = nf_tables_fill_set(skb, ctx, set, event, 0);
1606 if (err < 0) {
1607 kfree_skb(skb);
1608 goto err;
1609 }
1610
1611 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
1612 GFP_KERNEL);
1613 err:
1614 if (err < 0)
1615 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
1616 return err;
1617 }
1618
1619 static int nf_tables_dump_sets_table(struct nft_ctx *ctx, struct sk_buff *skb,
1620 struct netlink_callback *cb)
1621 {
1622 const struct nft_set *set;
1623 unsigned int idx = 0, s_idx = cb->args[0];
1624
1625 if (cb->args[1])
1626 return skb->len;
1627
1628 list_for_each_entry(set, &ctx->table->sets, list) {
1629 if (idx < s_idx)
1630 goto cont;
1631 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
1632 NLM_F_MULTI) < 0) {
1633 cb->args[0] = idx;
1634 goto done;
1635 }
1636 cont:
1637 idx++;
1638 }
1639 cb->args[1] = 1;
1640 done:
1641 return skb->len;
1642 }
1643
1644 static int nf_tables_dump_sets_all(struct nft_ctx *ctx, struct sk_buff *skb,
1645 struct netlink_callback *cb)
1646 {
1647 const struct nft_set *set;
1648 unsigned int idx = 0, s_idx = cb->args[0];
1649 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
1650
1651 if (cb->args[1])
1652 return skb->len;
1653
1654 list_for_each_entry(table, &ctx->afi->tables, list) {
1655 if (cur_table && cur_table != table)
1656 continue;
1657
1658 ctx->table = table;
1659 list_for_each_entry(set, &ctx->table->sets, list) {
1660 if (idx < s_idx)
1661 goto cont;
1662 if (nf_tables_fill_set(skb, ctx, set, NFT_MSG_NEWSET,
1663 NLM_F_MULTI) < 0) {
1664 cb->args[0] = idx;
1665 cb->args[2] = (unsigned long) table;
1666 goto done;
1667 }
1668 cont:
1669 idx++;
1670 }
1671 }
1672 cb->args[1] = 1;
1673 done:
1674 return skb->len;
1675 }
1676
1677 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
1678 {
1679 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1680 struct nlattr *nla[NFTA_SET_MAX + 1];
1681 struct nft_ctx ctx;
1682 int err, ret;
1683
1684 err = nlmsg_parse(cb->nlh, sizeof(*nfmsg), nla, NFTA_SET_MAX,
1685 nft_set_policy);
1686 if (err < 0)
1687 return err;
1688
1689 err = nft_ctx_init_from_setattr(&ctx, cb->skb, cb->nlh, (void *)nla);
1690 if (err < 0)
1691 return err;
1692
1693 if (ctx.table == NULL)
1694 ret = nf_tables_dump_sets_all(&ctx, skb, cb);
1695 else
1696 ret = nf_tables_dump_sets_table(&ctx, skb, cb);
1697
1698 return ret;
1699 }
1700
1701 static int nf_tables_getset(struct sock *nlsk, struct sk_buff *skb,
1702 const struct nlmsghdr *nlh,
1703 const struct nlattr * const nla[])
1704 {
1705 const struct nft_set *set;
1706 struct nft_ctx ctx;
1707 struct sk_buff *skb2;
1708 int err;
1709
1710 /* Verify existance before starting dump */
1711 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
1712 if (err < 0)
1713 return err;
1714
1715 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1716 struct netlink_dump_control c = {
1717 .dump = nf_tables_dump_sets,
1718 };
1719 return netlink_dump_start(nlsk, skb, nlh, &c);
1720 }
1721
1722 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
1723 if (IS_ERR(set))
1724 return PTR_ERR(set);
1725
1726 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1727 if (skb2 == NULL)
1728 return -ENOMEM;
1729
1730 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
1731 if (err < 0)
1732 goto err;
1733
1734 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1735
1736 err:
1737 kfree_skb(skb2);
1738 return err;
1739 }
1740
1741 static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
1742 const struct nlmsghdr *nlh,
1743 const struct nlattr * const nla[])
1744 {
1745 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1746 const struct nft_set_ops *ops;
1747 const struct nft_af_info *afi;
1748 struct nft_table *table;
1749 struct nft_set *set;
1750 struct nft_ctx ctx;
1751 char name[IFNAMSIZ];
1752 unsigned int size;
1753 bool create;
1754 u32 ktype, klen, dlen, dtype, flags;
1755 int err;
1756
1757 if (nla[NFTA_SET_TABLE] == NULL ||
1758 nla[NFTA_SET_NAME] == NULL ||
1759 nla[NFTA_SET_KEY_LEN] == NULL)
1760 return -EINVAL;
1761
1762 ktype = NFT_DATA_VALUE;
1763 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
1764 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
1765 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
1766 return -EINVAL;
1767 }
1768
1769 klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
1770 if (klen == 0 || klen > FIELD_SIZEOF(struct nft_data, data))
1771 return -EINVAL;
1772
1773 flags = 0;
1774 if (nla[NFTA_SET_FLAGS] != NULL) {
1775 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
1776 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
1777 NFT_SET_INTERVAL | NFT_SET_MAP))
1778 return -EINVAL;
1779 }
1780
1781 dtype = 0;
1782 dlen = 0;
1783 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
1784 if (!(flags & NFT_SET_MAP))
1785 return -EINVAL;
1786
1787 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
1788 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
1789 dtype != NFT_DATA_VERDICT)
1790 return -EINVAL;
1791
1792 if (dtype != NFT_DATA_VERDICT) {
1793 if (nla[NFTA_SET_DATA_LEN] == NULL)
1794 return -EINVAL;
1795 dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
1796 if (dlen == 0 ||
1797 dlen > FIELD_SIZEOF(struct nft_data, data))
1798 return -EINVAL;
1799 } else
1800 dlen = sizeof(struct nft_data);
1801 } else if (flags & NFT_SET_MAP)
1802 return -EINVAL;
1803
1804 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1805
1806 afi = nf_tables_afinfo_lookup(nfmsg->nfgen_family, create);
1807 if (IS_ERR(afi))
1808 return PTR_ERR(afi);
1809
1810 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE], create);
1811 if (IS_ERR(table))
1812 return PTR_ERR(table);
1813
1814 nft_ctx_init(&ctx, skb, nlh, afi, table, NULL);
1815
1816 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME]);
1817 if (IS_ERR(set)) {
1818 if (PTR_ERR(set) != -ENOENT)
1819 return PTR_ERR(set);
1820 set = NULL;
1821 }
1822
1823 if (set != NULL) {
1824 if (nlh->nlmsg_flags & NLM_F_EXCL)
1825 return -EEXIST;
1826 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1827 return -EOPNOTSUPP;
1828 return 0;
1829 }
1830
1831 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
1832 return -ENOENT;
1833
1834 ops = nft_select_set_ops(nla);
1835 if (IS_ERR(ops))
1836 return PTR_ERR(ops);
1837
1838 size = 0;
1839 if (ops->privsize != NULL)
1840 size = ops->privsize(nla);
1841
1842 err = -ENOMEM;
1843 set = kzalloc(sizeof(*set) + size, GFP_KERNEL);
1844 if (set == NULL)
1845 goto err1;
1846
1847 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
1848 err = nf_tables_set_alloc_name(&ctx, set, name);
1849 if (err < 0)
1850 goto err2;
1851
1852 INIT_LIST_HEAD(&set->bindings);
1853 set->ops = ops;
1854 set->ktype = ktype;
1855 set->klen = klen;
1856 set->dtype = dtype;
1857 set->dlen = dlen;
1858 set->flags = flags;
1859
1860 err = ops->init(set, nla);
1861 if (err < 0)
1862 goto err2;
1863
1864 list_add_tail(&set->list, &table->sets);
1865 nf_tables_set_notify(&ctx, set, NFT_MSG_NEWSET);
1866 return 0;
1867
1868 err2:
1869 kfree(set);
1870 err1:
1871 module_put(ops->owner);
1872 return err;
1873 }
1874
1875 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
1876 {
1877 list_del(&set->list);
1878 if (!(set->flags & NFT_SET_ANONYMOUS))
1879 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET);
1880
1881 set->ops->destroy(set);
1882 module_put(set->ops->owner);
1883 kfree(set);
1884 }
1885
1886 static int nf_tables_delset(struct sock *nlsk, struct sk_buff *skb,
1887 const struct nlmsghdr *nlh,
1888 const struct nlattr * const nla[])
1889 {
1890 struct nft_set *set;
1891 struct nft_ctx ctx;
1892 int err;
1893
1894 if (nla[NFTA_SET_TABLE] == NULL)
1895 return -EINVAL;
1896
1897 err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
1898 if (err < 0)
1899 return err;
1900
1901 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME]);
1902 if (IS_ERR(set))
1903 return PTR_ERR(set);
1904 if (!list_empty(&set->bindings))
1905 return -EBUSY;
1906
1907 nf_tables_set_destroy(&ctx, set);
1908 return 0;
1909 }
1910
1911 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
1912 const struct nft_set *set,
1913 const struct nft_set_iter *iter,
1914 const struct nft_set_elem *elem)
1915 {
1916 enum nft_registers dreg;
1917
1918 dreg = nft_type_to_reg(set->dtype);
1919 return nft_validate_data_load(ctx, dreg, &elem->data, set->dtype);
1920 }
1921
1922 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
1923 struct nft_set_binding *binding)
1924 {
1925 struct nft_set_binding *i;
1926 struct nft_set_iter iter;
1927
1928 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
1929 return -EBUSY;
1930
1931 if (set->flags & NFT_SET_MAP) {
1932 /* If the set is already bound to the same chain all
1933 * jumps are already validated for that chain.
1934 */
1935 list_for_each_entry(i, &set->bindings, list) {
1936 if (i->chain == binding->chain)
1937 goto bind;
1938 }
1939
1940 iter.skip = 0;
1941 iter.count = 0;
1942 iter.err = 0;
1943 iter.fn = nf_tables_bind_check_setelem;
1944
1945 set->ops->walk(ctx, set, &iter);
1946 if (iter.err < 0) {
1947 /* Destroy anonymous sets if binding fails */
1948 if (set->flags & NFT_SET_ANONYMOUS)
1949 nf_tables_set_destroy(ctx, set);
1950
1951 return iter.err;
1952 }
1953 }
1954 bind:
1955 binding->chain = ctx->chain;
1956 list_add_tail(&binding->list, &set->bindings);
1957 return 0;
1958 }
1959
1960 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
1961 struct nft_set_binding *binding)
1962 {
1963 list_del(&binding->list);
1964
1965 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
1966 nf_tables_set_destroy(ctx, set);
1967 }
1968
1969 /*
1970 * Set elements
1971 */
1972
1973 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
1974 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
1975 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
1976 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
1977 };
1978
1979 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
1980 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
1981 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
1982 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
1983 };
1984
1985 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
1986 const struct sk_buff *skb,
1987 const struct nlmsghdr *nlh,
1988 const struct nlattr * const nla[])
1989 {
1990 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1991 const struct nft_af_info *afi;
1992 const struct nft_table *table;
1993
1994 afi = nf_tables_afinfo_lookup(nfmsg->nfgen_family, false);
1995 if (IS_ERR(afi))
1996 return PTR_ERR(afi);
1997
1998 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE], false);
1999 if (IS_ERR(table))
2000 return PTR_ERR(table);
2001
2002 nft_ctx_init(ctx, skb, nlh, afi, table, NULL);
2003 return 0;
2004 }
2005
2006 static int nf_tables_fill_setelem(struct sk_buff *skb,
2007 const struct nft_set *set,
2008 const struct nft_set_elem *elem)
2009 {
2010 unsigned char *b = skb_tail_pointer(skb);
2011 struct nlattr *nest;
2012
2013 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
2014 if (nest == NULL)
2015 goto nla_put_failure;
2016
2017 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, &elem->key, NFT_DATA_VALUE,
2018 set->klen) < 0)
2019 goto nla_put_failure;
2020
2021 if (set->flags & NFT_SET_MAP &&
2022 !(elem->flags & NFT_SET_ELEM_INTERVAL_END) &&
2023 nft_data_dump(skb, NFTA_SET_ELEM_DATA, &elem->data,
2024 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
2025 set->dlen) < 0)
2026 goto nla_put_failure;
2027
2028 if (elem->flags != 0)
2029 if (nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, htonl(elem->flags)))
2030 goto nla_put_failure;
2031
2032 nla_nest_end(skb, nest);
2033 return 0;
2034
2035 nla_put_failure:
2036 nlmsg_trim(skb, b);
2037 return -EMSGSIZE;
2038 }
2039
2040 struct nft_set_dump_args {
2041 const struct netlink_callback *cb;
2042 struct nft_set_iter iter;
2043 struct sk_buff *skb;
2044 };
2045
2046 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
2047 const struct nft_set *set,
2048 const struct nft_set_iter *iter,
2049 const struct nft_set_elem *elem)
2050 {
2051 struct nft_set_dump_args *args;
2052
2053 args = container_of(iter, struct nft_set_dump_args, iter);
2054 return nf_tables_fill_setelem(args->skb, set, elem);
2055 }
2056
2057 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
2058 {
2059 const struct nft_set *set;
2060 struct nft_set_dump_args args;
2061 struct nft_ctx ctx;
2062 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
2063 struct nfgenmsg *nfmsg;
2064 struct nlmsghdr *nlh;
2065 struct nlattr *nest;
2066 u32 portid, seq;
2067 int event, err;
2068
2069 nfmsg = nlmsg_data(cb->nlh);
2070 err = nlmsg_parse(cb->nlh, sizeof(*nfmsg), nla, NFTA_SET_ELEM_LIST_MAX,
2071 nft_set_elem_list_policy);
2072 if (err < 0)
2073 return err;
2074
2075 err = nft_ctx_init_from_elemattr(&ctx, cb->skb, cb->nlh, (void *)nla);
2076 if (err < 0)
2077 return err;
2078
2079 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2080 if (IS_ERR(set))
2081 return PTR_ERR(set);
2082
2083 event = NFT_MSG_NEWSETELEM;
2084 event |= NFNL_SUBSYS_NFTABLES << 8;
2085 portid = NETLINK_CB(cb->skb).portid;
2086 seq = cb->nlh->nlmsg_seq;
2087
2088 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2089 NLM_F_MULTI);
2090 if (nlh == NULL)
2091 goto nla_put_failure;
2092
2093 nfmsg = nlmsg_data(nlh);
2094 nfmsg->nfgen_family = NFPROTO_UNSPEC;
2095 nfmsg->version = NFNETLINK_V0;
2096 nfmsg->res_id = 0;
2097
2098 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
2099 goto nla_put_failure;
2100 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
2101 goto nla_put_failure;
2102
2103 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
2104 if (nest == NULL)
2105 goto nla_put_failure;
2106
2107 args.cb = cb;
2108 args.skb = skb;
2109 args.iter.skip = cb->args[0];
2110 args.iter.count = 0;
2111 args.iter.err = 0;
2112 args.iter.fn = nf_tables_dump_setelem;
2113 set->ops->walk(&ctx, set, &args.iter);
2114
2115 nla_nest_end(skb, nest);
2116 nlmsg_end(skb, nlh);
2117
2118 if (args.iter.err && args.iter.err != -EMSGSIZE)
2119 return args.iter.err;
2120 if (args.iter.count == cb->args[0])
2121 return 0;
2122
2123 cb->args[0] = args.iter.count;
2124 return skb->len;
2125
2126 nla_put_failure:
2127 return -ENOSPC;
2128 }
2129
2130 static int nf_tables_getsetelem(struct sock *nlsk, struct sk_buff *skb,
2131 const struct nlmsghdr *nlh,
2132 const struct nlattr * const nla[])
2133 {
2134 const struct nft_set *set;
2135 struct nft_ctx ctx;
2136 int err;
2137
2138 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2139 if (err < 0)
2140 return err;
2141
2142 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2143 if (IS_ERR(set))
2144 return PTR_ERR(set);
2145
2146 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2147 struct netlink_dump_control c = {
2148 .dump = nf_tables_dump_set,
2149 };
2150 return netlink_dump_start(nlsk, skb, nlh, &c);
2151 }
2152 return -EOPNOTSUPP;
2153 }
2154
2155 static int nft_add_set_elem(const struct nft_ctx *ctx, struct nft_set *set,
2156 const struct nlattr *attr)
2157 {
2158 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
2159 struct nft_data_desc d1, d2;
2160 struct nft_set_elem elem;
2161 struct nft_set_binding *binding;
2162 enum nft_registers dreg;
2163 int err;
2164
2165 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
2166 nft_set_elem_policy);
2167 if (err < 0)
2168 return err;
2169
2170 if (nla[NFTA_SET_ELEM_KEY] == NULL)
2171 return -EINVAL;
2172
2173 elem.flags = 0;
2174 if (nla[NFTA_SET_ELEM_FLAGS] != NULL) {
2175 elem.flags = ntohl(nla_get_be32(nla[NFTA_SET_ELEM_FLAGS]));
2176 if (elem.flags & ~NFT_SET_ELEM_INTERVAL_END)
2177 return -EINVAL;
2178 }
2179
2180 if (set->flags & NFT_SET_MAP) {
2181 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
2182 !(elem.flags & NFT_SET_ELEM_INTERVAL_END))
2183 return -EINVAL;
2184 } else {
2185 if (nla[NFTA_SET_ELEM_DATA] != NULL)
2186 return -EINVAL;
2187 }
2188
2189 err = nft_data_init(ctx, &elem.key, &d1, nla[NFTA_SET_ELEM_KEY]);
2190 if (err < 0)
2191 goto err1;
2192 err = -EINVAL;
2193 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
2194 goto err2;
2195
2196 err = -EEXIST;
2197 if (set->ops->get(set, &elem) == 0)
2198 goto err2;
2199
2200 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
2201 err = nft_data_init(ctx, &elem.data, &d2, nla[NFTA_SET_ELEM_DATA]);
2202 if (err < 0)
2203 goto err2;
2204
2205 err = -EINVAL;
2206 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
2207 goto err3;
2208
2209 dreg = nft_type_to_reg(set->dtype);
2210 list_for_each_entry(binding, &set->bindings, list) {
2211 struct nft_ctx bind_ctx = {
2212 .afi = ctx->afi,
2213 .table = ctx->table,
2214 .chain = binding->chain,
2215 };
2216
2217 err = nft_validate_data_load(&bind_ctx, dreg,
2218 &elem.data, d2.type);
2219 if (err < 0)
2220 goto err3;
2221 }
2222 }
2223
2224 err = set->ops->insert(set, &elem);
2225 if (err < 0)
2226 goto err3;
2227
2228 return 0;
2229
2230 err3:
2231 if (nla[NFTA_SET_ELEM_DATA] != NULL)
2232 nft_data_uninit(&elem.data, d2.type);
2233 err2:
2234 nft_data_uninit(&elem.key, d1.type);
2235 err1:
2236 return err;
2237 }
2238
2239 static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb,
2240 const struct nlmsghdr *nlh,
2241 const struct nlattr * const nla[])
2242 {
2243 const struct nlattr *attr;
2244 struct nft_set *set;
2245 struct nft_ctx ctx;
2246 int rem, err;
2247
2248 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2249 if (err < 0)
2250 return err;
2251
2252 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2253 if (IS_ERR(set))
2254 return PTR_ERR(set);
2255 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
2256 return -EBUSY;
2257
2258 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
2259 err = nft_add_set_elem(&ctx, set, attr);
2260 if (err < 0)
2261 return err;
2262 }
2263 return 0;
2264 }
2265
2266 static int nft_del_setelem(const struct nft_ctx *ctx, struct nft_set *set,
2267 const struct nlattr *attr)
2268 {
2269 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
2270 struct nft_data_desc desc;
2271 struct nft_set_elem elem;
2272 int err;
2273
2274 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
2275 nft_set_elem_policy);
2276 if (err < 0)
2277 goto err1;
2278
2279 err = -EINVAL;
2280 if (nla[NFTA_SET_ELEM_KEY] == NULL)
2281 goto err1;
2282
2283 err = nft_data_init(ctx, &elem.key, &desc, nla[NFTA_SET_ELEM_KEY]);
2284 if (err < 0)
2285 goto err1;
2286
2287 err = -EINVAL;
2288 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
2289 goto err2;
2290
2291 err = set->ops->get(set, &elem);
2292 if (err < 0)
2293 goto err2;
2294
2295 set->ops->remove(set, &elem);
2296
2297 nft_data_uninit(&elem.key, NFT_DATA_VALUE);
2298 if (set->flags & NFT_SET_MAP)
2299 nft_data_uninit(&elem.data, set->dtype);
2300
2301 err2:
2302 nft_data_uninit(&elem.key, desc.type);
2303 err1:
2304 return err;
2305 }
2306
2307 static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb,
2308 const struct nlmsghdr *nlh,
2309 const struct nlattr * const nla[])
2310 {
2311 const struct nlattr *attr;
2312 struct nft_set *set;
2313 struct nft_ctx ctx;
2314 int rem, err;
2315
2316 err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla);
2317 if (err < 0)
2318 return err;
2319
2320 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET]);
2321 if (IS_ERR(set))
2322 return PTR_ERR(set);
2323 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
2324 return -EBUSY;
2325
2326 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
2327 err = nft_del_setelem(&ctx, set, attr);
2328 if (err < 0)
2329 return err;
2330 }
2331 return 0;
2332 }
2333
2334 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
2335 [NFT_MSG_NEWTABLE] = {
2336 .call = nf_tables_newtable,
2337 .attr_count = NFTA_TABLE_MAX,
2338 .policy = nft_table_policy,
2339 },
2340 [NFT_MSG_GETTABLE] = {
2341 .call = nf_tables_gettable,
2342 .attr_count = NFTA_TABLE_MAX,
2343 .policy = nft_table_policy,
2344 },
2345 [NFT_MSG_DELTABLE] = {
2346 .call = nf_tables_deltable,
2347 .attr_count = NFTA_TABLE_MAX,
2348 .policy = nft_table_policy,
2349 },
2350 [NFT_MSG_NEWCHAIN] = {
2351 .call = nf_tables_newchain,
2352 .attr_count = NFTA_CHAIN_MAX,
2353 .policy = nft_chain_policy,
2354 },
2355 [NFT_MSG_GETCHAIN] = {
2356 .call = nf_tables_getchain,
2357 .attr_count = NFTA_CHAIN_MAX,
2358 .policy = nft_chain_policy,
2359 },
2360 [NFT_MSG_DELCHAIN] = {
2361 .call = nf_tables_delchain,
2362 .attr_count = NFTA_CHAIN_MAX,
2363 .policy = nft_chain_policy,
2364 },
2365 [NFT_MSG_NEWRULE] = {
2366 .call = nf_tables_newrule,
2367 .attr_count = NFTA_RULE_MAX,
2368 .policy = nft_rule_policy,
2369 },
2370 [NFT_MSG_GETRULE] = {
2371 .call = nf_tables_getrule,
2372 .attr_count = NFTA_RULE_MAX,
2373 .policy = nft_rule_policy,
2374 },
2375 [NFT_MSG_DELRULE] = {
2376 .call = nf_tables_delrule,
2377 .attr_count = NFTA_RULE_MAX,
2378 .policy = nft_rule_policy,
2379 },
2380 [NFT_MSG_NEWSET] = {
2381 .call = nf_tables_newset,
2382 .attr_count = NFTA_SET_MAX,
2383 .policy = nft_set_policy,
2384 },
2385 [NFT_MSG_GETSET] = {
2386 .call = nf_tables_getset,
2387 .attr_count = NFTA_SET_MAX,
2388 .policy = nft_set_policy,
2389 },
2390 [NFT_MSG_DELSET] = {
2391 .call = nf_tables_delset,
2392 .attr_count = NFTA_SET_MAX,
2393 .policy = nft_set_policy,
2394 },
2395 [NFT_MSG_NEWSETELEM] = {
2396 .call = nf_tables_newsetelem,
2397 .attr_count = NFTA_SET_ELEM_LIST_MAX,
2398 .policy = nft_set_elem_list_policy,
2399 },
2400 [NFT_MSG_GETSETELEM] = {
2401 .call = nf_tables_getsetelem,
2402 .attr_count = NFTA_SET_ELEM_LIST_MAX,
2403 .policy = nft_set_elem_list_policy,
2404 },
2405 [NFT_MSG_DELSETELEM] = {
2406 .call = nf_tables_delsetelem,
2407 .attr_count = NFTA_SET_ELEM_LIST_MAX,
2408 .policy = nft_set_elem_list_policy,
2409 },
2410 };
2411
2412 static const struct nfnetlink_subsystem nf_tables_subsys = {
2413 .name = "nf_tables",
2414 .subsys_id = NFNL_SUBSYS_NFTABLES,
2415 .cb_count = NFT_MSG_MAX,
2416 .cb = nf_tables_cb,
2417 };
2418
2419 /*
2420 * Loop detection - walk through the ruleset beginning at the destination chain
2421 * of a new jump until either the source chain is reached (loop) or all
2422 * reachable chains have been traversed.
2423 *
2424 * The loop check is performed whenever a new jump verdict is added to an
2425 * expression or verdict map or a verdict map is bound to a new chain.
2426 */
2427
2428 static int nf_tables_check_loops(const struct nft_ctx *ctx,
2429 const struct nft_chain *chain);
2430
2431 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
2432 const struct nft_set *set,
2433 const struct nft_set_iter *iter,
2434 const struct nft_set_elem *elem)
2435 {
2436 switch (elem->data.verdict) {
2437 case NFT_JUMP:
2438 case NFT_GOTO:
2439 return nf_tables_check_loops(ctx, elem->data.chain);
2440 default:
2441 return 0;
2442 }
2443 }
2444
2445 static int nf_tables_check_loops(const struct nft_ctx *ctx,
2446 const struct nft_chain *chain)
2447 {
2448 const struct nft_rule *rule;
2449 const struct nft_expr *expr, *last;
2450 const struct nft_data *data;
2451 const struct nft_set *set;
2452 struct nft_set_binding *binding;
2453 struct nft_set_iter iter;
2454 int err;
2455
2456 if (ctx->chain == chain)
2457 return -ELOOP;
2458
2459 list_for_each_entry(rule, &chain->rules, list) {
2460 nft_rule_for_each_expr(expr, last, rule) {
2461 if (!expr->ops->get_verdict)
2462 continue;
2463
2464 data = expr->ops->get_verdict(expr);
2465 if (data == NULL)
2466 break;
2467
2468 switch (data->verdict) {
2469 case NFT_JUMP:
2470 case NFT_GOTO:
2471 err = nf_tables_check_loops(ctx, data->chain);
2472 if (err < 0)
2473 return err;
2474 default:
2475 break;
2476 }
2477 }
2478 }
2479
2480 list_for_each_entry(set, &ctx->table->sets, list) {
2481 if (!(set->flags & NFT_SET_MAP) ||
2482 set->dtype != NFT_DATA_VERDICT)
2483 continue;
2484
2485 list_for_each_entry(binding, &set->bindings, list) {
2486 if (binding->chain != chain)
2487 continue;
2488
2489 iter.skip = 0;
2490 iter.count = 0;
2491 iter.err = 0;
2492 iter.fn = nf_tables_loop_check_setelem;
2493
2494 set->ops->walk(ctx, set, &iter);
2495 if (iter.err < 0)
2496 return iter.err;
2497 }
2498 }
2499
2500 return 0;
2501 }
2502
2503 /**
2504 * nft_validate_input_register - validate an expressions' input register
2505 *
2506 * @reg: the register number
2507 *
2508 * Validate that the input register is one of the general purpose
2509 * registers.
2510 */
2511 int nft_validate_input_register(enum nft_registers reg)
2512 {
2513 if (reg <= NFT_REG_VERDICT)
2514 return -EINVAL;
2515 if (reg > NFT_REG_MAX)
2516 return -ERANGE;
2517 return 0;
2518 }
2519 EXPORT_SYMBOL_GPL(nft_validate_input_register);
2520
2521 /**
2522 * nft_validate_output_register - validate an expressions' output register
2523 *
2524 * @reg: the register number
2525 *
2526 * Validate that the output register is one of the general purpose
2527 * registers or the verdict register.
2528 */
2529 int nft_validate_output_register(enum nft_registers reg)
2530 {
2531 if (reg < NFT_REG_VERDICT)
2532 return -EINVAL;
2533 if (reg > NFT_REG_MAX)
2534 return -ERANGE;
2535 return 0;
2536 }
2537 EXPORT_SYMBOL_GPL(nft_validate_output_register);
2538
2539 /**
2540 * nft_validate_data_load - validate an expressions' data load
2541 *
2542 * @ctx: context of the expression performing the load
2543 * @reg: the destination register number
2544 * @data: the data to load
2545 * @type: the data type
2546 *
2547 * Validate that a data load uses the appropriate data type for
2548 * the destination register. A value of NULL for the data means
2549 * that its runtime gathered data, which is always of type
2550 * NFT_DATA_VALUE.
2551 */
2552 int nft_validate_data_load(const struct nft_ctx *ctx, enum nft_registers reg,
2553 const struct nft_data *data,
2554 enum nft_data_types type)
2555 {
2556 int err;
2557
2558 switch (reg) {
2559 case NFT_REG_VERDICT:
2560 if (data == NULL || type != NFT_DATA_VERDICT)
2561 return -EINVAL;
2562
2563 if (data->verdict == NFT_GOTO || data->verdict == NFT_JUMP) {
2564 err = nf_tables_check_loops(ctx, data->chain);
2565 if (err < 0)
2566 return err;
2567
2568 if (ctx->chain->level + 1 > data->chain->level) {
2569 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
2570 return -EMLINK;
2571 data->chain->level = ctx->chain->level + 1;
2572 }
2573 }
2574
2575 return 0;
2576 default:
2577 if (data != NULL && type != NFT_DATA_VALUE)
2578 return -EINVAL;
2579 return 0;
2580 }
2581 }
2582 EXPORT_SYMBOL_GPL(nft_validate_data_load);
2583
2584 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
2585 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
2586 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
2587 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2588 };
2589
2590 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
2591 struct nft_data_desc *desc, const struct nlattr *nla)
2592 {
2593 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
2594 struct nft_chain *chain;
2595 int err;
2596
2597 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
2598 if (err < 0)
2599 return err;
2600
2601 if (!tb[NFTA_VERDICT_CODE])
2602 return -EINVAL;
2603 data->verdict = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
2604
2605 switch (data->verdict) {
2606 case NF_ACCEPT:
2607 case NF_DROP:
2608 case NF_QUEUE:
2609 case NFT_CONTINUE:
2610 case NFT_BREAK:
2611 case NFT_RETURN:
2612 desc->len = sizeof(data->verdict);
2613 break;
2614 case NFT_JUMP:
2615 case NFT_GOTO:
2616 if (!tb[NFTA_VERDICT_CHAIN])
2617 return -EINVAL;
2618 chain = nf_tables_chain_lookup(ctx->table,
2619 tb[NFTA_VERDICT_CHAIN]);
2620 if (IS_ERR(chain))
2621 return PTR_ERR(chain);
2622 if (chain->flags & NFT_BASE_CHAIN)
2623 return -EOPNOTSUPP;
2624
2625 chain->use++;
2626 data->chain = chain;
2627 desc->len = sizeof(data);
2628 break;
2629 default:
2630 return -EINVAL;
2631 }
2632
2633 desc->type = NFT_DATA_VERDICT;
2634 return 0;
2635 }
2636
2637 static void nft_verdict_uninit(const struct nft_data *data)
2638 {
2639 switch (data->verdict) {
2640 case NFT_JUMP:
2641 case NFT_GOTO:
2642 data->chain->use--;
2643 break;
2644 }
2645 }
2646
2647 static int nft_verdict_dump(struct sk_buff *skb, const struct nft_data *data)
2648 {
2649 struct nlattr *nest;
2650
2651 nest = nla_nest_start(skb, NFTA_DATA_VERDICT);
2652 if (!nest)
2653 goto nla_put_failure;
2654
2655 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(data->verdict)))
2656 goto nla_put_failure;
2657
2658 switch (data->verdict) {
2659 case NFT_JUMP:
2660 case NFT_GOTO:
2661 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, data->chain->name))
2662 goto nla_put_failure;
2663 }
2664 nla_nest_end(skb, nest);
2665 return 0;
2666
2667 nla_put_failure:
2668 return -1;
2669 }
2670
2671 static int nft_value_init(const struct nft_ctx *ctx, struct nft_data *data,
2672 struct nft_data_desc *desc, const struct nlattr *nla)
2673 {
2674 unsigned int len;
2675
2676 len = nla_len(nla);
2677 if (len == 0)
2678 return -EINVAL;
2679 if (len > sizeof(data->data))
2680 return -EOVERFLOW;
2681
2682 nla_memcpy(data->data, nla, sizeof(data->data));
2683 desc->type = NFT_DATA_VALUE;
2684 desc->len = len;
2685 return 0;
2686 }
2687
2688 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
2689 unsigned int len)
2690 {
2691 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
2692 }
2693
2694 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
2695 [NFTA_DATA_VALUE] = { .type = NLA_BINARY,
2696 .len = FIELD_SIZEOF(struct nft_data, data) },
2697 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
2698 };
2699
2700 /**
2701 * nft_data_init - parse nf_tables data netlink attributes
2702 *
2703 * @ctx: context of the expression using the data
2704 * @data: destination struct nft_data
2705 * @desc: data description
2706 * @nla: netlink attribute containing data
2707 *
2708 * Parse the netlink data attributes and initialize a struct nft_data.
2709 * The type and length of data are returned in the data description.
2710 *
2711 * The caller can indicate that it only wants to accept data of type
2712 * NFT_DATA_VALUE by passing NULL for the ctx argument.
2713 */
2714 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
2715 struct nft_data_desc *desc, const struct nlattr *nla)
2716 {
2717 struct nlattr *tb[NFTA_DATA_MAX + 1];
2718 int err;
2719
2720 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
2721 if (err < 0)
2722 return err;
2723
2724 if (tb[NFTA_DATA_VALUE])
2725 return nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
2726 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
2727 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
2728 return -EINVAL;
2729 }
2730 EXPORT_SYMBOL_GPL(nft_data_init);
2731
2732 /**
2733 * nft_data_uninit - release a nft_data item
2734 *
2735 * @data: struct nft_data to release
2736 * @type: type of data
2737 *
2738 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
2739 * all others need to be released by calling this function.
2740 */
2741 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
2742 {
2743 switch (type) {
2744 case NFT_DATA_VALUE:
2745 return;
2746 case NFT_DATA_VERDICT:
2747 return nft_verdict_uninit(data);
2748 default:
2749 WARN_ON(1);
2750 }
2751 }
2752 EXPORT_SYMBOL_GPL(nft_data_uninit);
2753
2754 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
2755 enum nft_data_types type, unsigned int len)
2756 {
2757 struct nlattr *nest;
2758 int err;
2759
2760 nest = nla_nest_start(skb, attr);
2761 if (nest == NULL)
2762 return -1;
2763
2764 switch (type) {
2765 case NFT_DATA_VALUE:
2766 err = nft_value_dump(skb, data, len);
2767 break;
2768 case NFT_DATA_VERDICT:
2769 err = nft_verdict_dump(skb, data);
2770 break;
2771 default:
2772 err = -EINVAL;
2773 WARN_ON(1);
2774 }
2775
2776 nla_nest_end(skb, nest);
2777 return err;
2778 }
2779 EXPORT_SYMBOL_GPL(nft_data_dump);
2780
2781 static int __init nf_tables_module_init(void)
2782 {
2783 int err;
2784
2785 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
2786 GFP_KERNEL);
2787 if (info == NULL) {
2788 err = -ENOMEM;
2789 goto err1;
2790 }
2791
2792 err = nf_tables_core_module_init();
2793 if (err < 0)
2794 goto err2;
2795
2796 err = nfnetlink_subsys_register(&nf_tables_subsys);
2797 if (err < 0)
2798 goto err3;
2799
2800 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
2801 return 0;
2802 err3:
2803 nf_tables_core_module_exit();
2804 err2:
2805 kfree(info);
2806 err1:
2807 return err;
2808 }
2809
2810 static void __exit nf_tables_module_exit(void)
2811 {
2812 nfnetlink_subsys_unregister(&nf_tables_subsys);
2813 nf_tables_core_module_exit();
2814 kfree(info);
2815 }
2816
2817 module_init(nf_tables_module_init);
2818 module_exit(nf_tables_module_exit);
2819
2820 MODULE_LICENSE("GPL");
2821 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
2822 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
ubuntu-bionic-kernel mirror