]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - net/netfilter/nf_tables_api.c
projects / mirror_ubuntu-artful-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
netfilter: nf_tables: add stateful object reference to set elements
[mirror_ubuntu-artful-kernel.git] / net / netfilter / nf_tables_api.c
1 /*
2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
7 *
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
9 */
10
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/net_namespace.h>
22 #include <net/sock.h>
23
24 static LIST_HEAD(nf_tables_expressions);
25 static LIST_HEAD(nf_tables_objects);
26
27 /**
28 * nft_register_afinfo - register nf_tables address family info
29 *
30 * @afi: address family info to register
31 *
32 * Register the address family for use with nf_tables. Returns zero on
33 * success or a negative errno code otherwise.
34 */
35 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
36 {
37 INIT_LIST_HEAD(&afi->tables);
38 nfnl_lock(NFNL_SUBSYS_NFTABLES);
39 list_add_tail_rcu(&afi->list, &net->nft.af_info);
40 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
41 return 0;
42 }
43 EXPORT_SYMBOL_GPL(nft_register_afinfo);
44
45 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi);
46
47 /**
48 * nft_unregister_afinfo - unregister nf_tables address family info
49 *
50 * @afi: address family info to unregister
51 *
52 * Unregister the address family for use with nf_tables.
53 */
54 void nft_unregister_afinfo(struct net *net, struct nft_af_info *afi)
55 {
56 nfnl_lock(NFNL_SUBSYS_NFTABLES);
57 __nft_release_afinfo(net, afi);
58 list_del_rcu(&afi->list);
59 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
60 }
61 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
62
63 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
64 {
65 struct nft_af_info *afi;
66
67 list_for_each_entry(afi, &net->nft.af_info, list) {
68 if (afi->family == family)
69 return afi;
70 }
71 return NULL;
72 }
73
74 static struct nft_af_info *
75 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
76 {
77 struct nft_af_info *afi;
78
79 afi = nft_afinfo_lookup(net, family);
80 if (afi != NULL)
81 return afi;
82 #ifdef CONFIG_MODULES
83 if (autoload) {
84 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
85 request_module("nft-afinfo-%u", family);
86 nfnl_lock(NFNL_SUBSYS_NFTABLES);
87 afi = nft_afinfo_lookup(net, family);
88 if (afi != NULL)
89 return ERR_PTR(-EAGAIN);
90 }
91 #endif
92 return ERR_PTR(-EAFNOSUPPORT);
93 }
94
95 static void nft_ctx_init(struct nft_ctx *ctx,
96 struct net *net,
97 const struct sk_buff *skb,
98 const struct nlmsghdr *nlh,
99 struct nft_af_info *afi,
100 struct nft_table *table,
101 struct nft_chain *chain,
102 const struct nlattr * const *nla)
103 {
104 ctx->net = net;
105 ctx->afi = afi;
106 ctx->table = table;
107 ctx->chain = chain;
108 ctx->nla = nla;
109 ctx->portid = NETLINK_CB(skb).portid;
110 ctx->report = nlmsg_report(nlh);
111 ctx->seq = nlh->nlmsg_seq;
112 }
113
114 static struct nft_trans *nft_trans_alloc(struct nft_ctx *ctx, int msg_type,
115 u32 size)
116 {
117 struct nft_trans *trans;
118
119 trans = kzalloc(sizeof(struct nft_trans) + size, GFP_KERNEL);
120 if (trans == NULL)
121 return NULL;
122
123 trans->msg_type = msg_type;
124 trans->ctx = *ctx;
125
126 return trans;
127 }
128
129 static void nft_trans_destroy(struct nft_trans *trans)
130 {
131 list_del(&trans->list);
132 kfree(trans);
133 }
134
135 static int nf_tables_register_hooks(struct net *net,
136 const struct nft_table *table,
137 struct nft_chain *chain,
138 unsigned int hook_nops)
139 {
140 if (table->flags & NFT_TABLE_F_DORMANT ||
141 !(chain->flags & NFT_BASE_CHAIN))
142 return 0;
143
144 return nf_register_net_hooks(net, nft_base_chain(chain)->ops,
145 hook_nops);
146 }
147
148 static void nf_tables_unregister_hooks(struct net *net,
149 const struct nft_table *table,
150 struct nft_chain *chain,
151 unsigned int hook_nops)
152 {
153 if (table->flags & NFT_TABLE_F_DORMANT ||
154 !(chain->flags & NFT_BASE_CHAIN))
155 return;
156
157 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops, hook_nops);
158 }
159
160 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
161 {
162 struct nft_trans *trans;
163
164 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
165 if (trans == NULL)
166 return -ENOMEM;
167
168 if (msg_type == NFT_MSG_NEWTABLE)
169 nft_activate_next(ctx->net, ctx->table);
170
171 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
172 return 0;
173 }
174
175 static int nft_deltable(struct nft_ctx *ctx)
176 {
177 int err;
178
179 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
180 if (err < 0)
181 return err;
182
183 nft_deactivate_next(ctx->net, ctx->table);
184 return err;
185 }
186
187 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
188 {
189 struct nft_trans *trans;
190
191 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
192 if (trans == NULL)
193 return -ENOMEM;
194
195 if (msg_type == NFT_MSG_NEWCHAIN)
196 nft_activate_next(ctx->net, ctx->chain);
197
198 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
199 return 0;
200 }
201
202 static int nft_delchain(struct nft_ctx *ctx)
203 {
204 int err;
205
206 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
207 if (err < 0)
208 return err;
209
210 ctx->table->use--;
211 nft_deactivate_next(ctx->net, ctx->chain);
212
213 return err;
214 }
215
216 static int
217 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
218 {
219 /* You cannot delete the same rule twice */
220 if (nft_is_active_next(ctx->net, rule)) {
221 nft_deactivate_next(ctx->net, rule);
222 ctx->chain->use--;
223 return 0;
224 }
225 return -ENOENT;
226 }
227
228 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
229 struct nft_rule *rule)
230 {
231 struct nft_trans *trans;
232
233 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
234 if (trans == NULL)
235 return NULL;
236
237 nft_trans_rule(trans) = rule;
238 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
239
240 return trans;
241 }
242
243 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
244 {
245 struct nft_trans *trans;
246 int err;
247
248 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
249 if (trans == NULL)
250 return -ENOMEM;
251
252 err = nf_tables_delrule_deactivate(ctx, rule);
253 if (err < 0) {
254 nft_trans_destroy(trans);
255 return err;
256 }
257
258 return 0;
259 }
260
261 static int nft_delrule_by_chain(struct nft_ctx *ctx)
262 {
263 struct nft_rule *rule;
264 int err;
265
266 list_for_each_entry(rule, &ctx->chain->rules, list) {
267 err = nft_delrule(ctx, rule);
268 if (err < 0)
269 return err;
270 }
271 return 0;
272 }
273
274 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
275 struct nft_set *set)
276 {
277 struct nft_trans *trans;
278
279 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
280 if (trans == NULL)
281 return -ENOMEM;
282
283 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
284 nft_trans_set_id(trans) =
285 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
286 nft_activate_next(ctx->net, set);
287 }
288 nft_trans_set(trans) = set;
289 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
290
291 return 0;
292 }
293
294 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
295 {
296 int err;
297
298 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
299 if (err < 0)
300 return err;
301
302 nft_deactivate_next(ctx->net, set);
303 ctx->table->use--;
304
305 return err;
306 }
307
308 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
309 struct nft_object *obj)
310 {
311 struct nft_trans *trans;
312
313 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
314 if (trans == NULL)
315 return -ENOMEM;
316
317 if (msg_type == NFT_MSG_NEWOBJ)
318 nft_activate_next(ctx->net, obj);
319
320 nft_trans_obj(trans) = obj;
321 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
322
323 return 0;
324 }
325
326 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
327 {
328 int err;
329
330 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
331 if (err < 0)
332 return err;
333
334 nft_deactivate_next(ctx->net, obj);
335 ctx->table->use--;
336
337 return err;
338 }
339
340 /*
341 * Tables
342 */
343
344 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
345 const struct nlattr *nla,
346 u8 genmask)
347 {
348 struct nft_table *table;
349
350 list_for_each_entry(table, &afi->tables, list) {
351 if (!nla_strcmp(nla, table->name) &&
352 nft_active_genmask(table, genmask))
353 return table;
354 }
355 return NULL;
356 }
357
358 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
359 const struct nlattr *nla,
360 u8 genmask)
361 {
362 struct nft_table *table;
363
364 if (nla == NULL)
365 return ERR_PTR(-EINVAL);
366
367 table = nft_table_lookup(afi, nla, genmask);
368 if (table != NULL)
369 return table;
370
371 return ERR_PTR(-ENOENT);
372 }
373
374 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
375 {
376 return ++table->hgenerator;
377 }
378
379 static const struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
380
381 static const struct nf_chain_type *
382 __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
383 {
384 int i;
385
386 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
387 if (chain_type[family][i] != NULL &&
388 !nla_strcmp(nla, chain_type[family][i]->name))
389 return chain_type[family][i];
390 }
391 return NULL;
392 }
393
394 static const struct nf_chain_type *
395 nf_tables_chain_type_lookup(const struct nft_af_info *afi,
396 const struct nlattr *nla,
397 bool autoload)
398 {
399 const struct nf_chain_type *type;
400
401 type = __nf_tables_chain_type_lookup(afi->family, nla);
402 if (type != NULL)
403 return type;
404 #ifdef CONFIG_MODULES
405 if (autoload) {
406 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
407 request_module("nft-chain-%u-%.*s", afi->family,
408 nla_len(nla), (const char *)nla_data(nla));
409 nfnl_lock(NFNL_SUBSYS_NFTABLES);
410 type = __nf_tables_chain_type_lookup(afi->family, nla);
411 if (type != NULL)
412 return ERR_PTR(-EAGAIN);
413 }
414 #endif
415 return ERR_PTR(-ENOENT);
416 }
417
418 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
419 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
420 .len = NFT_TABLE_MAXNAMELEN - 1 },
421 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
422 };
423
424 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
425 u32 portid, u32 seq, int event, u32 flags,
426 int family, const struct nft_table *table)
427 {
428 struct nlmsghdr *nlh;
429 struct nfgenmsg *nfmsg;
430
431 event |= NFNL_SUBSYS_NFTABLES << 8;
432 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
433 if (nlh == NULL)
434 goto nla_put_failure;
435
436 nfmsg = nlmsg_data(nlh);
437 nfmsg->nfgen_family = family;
438 nfmsg->version = NFNETLINK_V0;
439 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
440
441 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
442 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
443 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
444 goto nla_put_failure;
445
446 nlmsg_end(skb, nlh);
447 return 0;
448
449 nla_put_failure:
450 nlmsg_trim(skb, nlh);
451 return -1;
452 }
453
454 static int nf_tables_table_notify(const struct nft_ctx *ctx, int event)
455 {
456 struct sk_buff *skb;
457 int err;
458
459 if (!ctx->report &&
460 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
461 return 0;
462
463 err = -ENOBUFS;
464 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
465 if (skb == NULL)
466 goto err;
467
468 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
469 event, 0, ctx->afi->family, ctx->table);
470 if (err < 0) {
471 kfree_skb(skb);
472 goto err;
473 }
474
475 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
476 ctx->report, GFP_KERNEL);
477 err:
478 if (err < 0) {
479 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
480 err);
481 }
482 return err;
483 }
484
485 static int nf_tables_dump_tables(struct sk_buff *skb,
486 struct netlink_callback *cb)
487 {
488 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
489 const struct nft_af_info *afi;
490 const struct nft_table *table;
491 unsigned int idx = 0, s_idx = cb->args[0];
492 struct net *net = sock_net(skb->sk);
493 int family = nfmsg->nfgen_family;
494
495 rcu_read_lock();
496 cb->seq = net->nft.base_seq;
497
498 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
499 if (family != NFPROTO_UNSPEC && family != afi->family)
500 continue;
501
502 list_for_each_entry_rcu(table, &afi->tables, list) {
503 if (idx < s_idx)
504 goto cont;
505 if (idx > s_idx)
506 memset(&cb->args[1], 0,
507 sizeof(cb->args) - sizeof(cb->args[0]));
508 if (!nft_is_active(net, table))
509 continue;
510 if (nf_tables_fill_table_info(skb, net,
511 NETLINK_CB(cb->skb).portid,
512 cb->nlh->nlmsg_seq,
513 NFT_MSG_NEWTABLE,
514 NLM_F_MULTI,
515 afi->family, table) < 0)
516 goto done;
517
518 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
519 cont:
520 idx++;
521 }
522 }
523 done:
524 rcu_read_unlock();
525 cb->args[0] = idx;
526 return skb->len;
527 }
528
529 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
530 struct sk_buff *skb, const struct nlmsghdr *nlh,
531 const struct nlattr * const nla[])
532 {
533 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
534 u8 genmask = nft_genmask_cur(net);
535 const struct nft_af_info *afi;
536 const struct nft_table *table;
537 struct sk_buff *skb2;
538 int family = nfmsg->nfgen_family;
539 int err;
540
541 if (nlh->nlmsg_flags & NLM_F_DUMP) {
542 struct netlink_dump_control c = {
543 .dump = nf_tables_dump_tables,
544 };
545 return netlink_dump_start(nlsk, skb, nlh, &c);
546 }
547
548 afi = nf_tables_afinfo_lookup(net, family, false);
549 if (IS_ERR(afi))
550 return PTR_ERR(afi);
551
552 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
553 if (IS_ERR(table))
554 return PTR_ERR(table);
555
556 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
557 if (!skb2)
558 return -ENOMEM;
559
560 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
561 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
562 family, table);
563 if (err < 0)
564 goto err;
565
566 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
567
568 err:
569 kfree_skb(skb2);
570 return err;
571 }
572
573 static int nf_tables_table_enable(struct net *net,
574 const struct nft_af_info *afi,
575 struct nft_table *table)
576 {
577 struct nft_chain *chain;
578 int err, i = 0;
579
580 list_for_each_entry(chain, &table->chains, list) {
581 if (!nft_is_active_next(net, chain))
582 continue;
583 if (!(chain->flags & NFT_BASE_CHAIN))
584 continue;
585
586 err = nf_register_net_hooks(net, nft_base_chain(chain)->ops,
587 afi->nops);
588 if (err < 0)
589 goto err;
590
591 i++;
592 }
593 return 0;
594 err:
595 list_for_each_entry(chain, &table->chains, list) {
596 if (!nft_is_active_next(net, chain))
597 continue;
598 if (!(chain->flags & NFT_BASE_CHAIN))
599 continue;
600
601 if (i-- <= 0)
602 break;
603
604 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops,
605 afi->nops);
606 }
607 return err;
608 }
609
610 static void nf_tables_table_disable(struct net *net,
611 const struct nft_af_info *afi,
612 struct nft_table *table)
613 {
614 struct nft_chain *chain;
615
616 list_for_each_entry(chain, &table->chains, list) {
617 if (!nft_is_active_next(net, chain))
618 continue;
619 if (!(chain->flags & NFT_BASE_CHAIN))
620 continue;
621
622 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops,
623 afi->nops);
624 }
625 }
626
627 static int nf_tables_updtable(struct nft_ctx *ctx)
628 {
629 struct nft_trans *trans;
630 u32 flags;
631 int ret = 0;
632
633 if (!ctx->nla[NFTA_TABLE_FLAGS])
634 return 0;
635
636 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
637 if (flags & ~NFT_TABLE_F_DORMANT)
638 return -EINVAL;
639
640 if (flags == ctx->table->flags)
641 return 0;
642
643 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
644 sizeof(struct nft_trans_table));
645 if (trans == NULL)
646 return -ENOMEM;
647
648 if ((flags & NFT_TABLE_F_DORMANT) &&
649 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
650 nft_trans_table_enable(trans) = false;
651 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
652 ctx->table->flags & NFT_TABLE_F_DORMANT) {
653 ret = nf_tables_table_enable(ctx->net, ctx->afi, ctx->table);
654 if (ret >= 0) {
655 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
656 nft_trans_table_enable(trans) = true;
657 }
658 }
659 if (ret < 0)
660 goto err;
661
662 nft_trans_table_update(trans) = true;
663 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
664 return 0;
665 err:
666 nft_trans_destroy(trans);
667 return ret;
668 }
669
670 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
671 struct sk_buff *skb, const struct nlmsghdr *nlh,
672 const struct nlattr * const nla[])
673 {
674 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
675 u8 genmask = nft_genmask_next(net);
676 const struct nlattr *name;
677 struct nft_af_info *afi;
678 struct nft_table *table;
679 int family = nfmsg->nfgen_family;
680 u32 flags = 0;
681 struct nft_ctx ctx;
682 int err;
683
684 afi = nf_tables_afinfo_lookup(net, family, true);
685 if (IS_ERR(afi))
686 return PTR_ERR(afi);
687
688 name = nla[NFTA_TABLE_NAME];
689 table = nf_tables_table_lookup(afi, name, genmask);
690 if (IS_ERR(table)) {
691 if (PTR_ERR(table) != -ENOENT)
692 return PTR_ERR(table);
693 table = NULL;
694 }
695
696 if (table != NULL) {
697 if (nlh->nlmsg_flags & NLM_F_EXCL)
698 return -EEXIST;
699 if (nlh->nlmsg_flags & NLM_F_REPLACE)
700 return -EOPNOTSUPP;
701
702 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
703 return nf_tables_updtable(&ctx);
704 }
705
706 if (nla[NFTA_TABLE_FLAGS]) {
707 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
708 if (flags & ~NFT_TABLE_F_DORMANT)
709 return -EINVAL;
710 }
711
712 err = -EAFNOSUPPORT;
713 if (!try_module_get(afi->owner))
714 goto err1;
715
716 err = -ENOMEM;
717 table = kzalloc(sizeof(*table), GFP_KERNEL);
718 if (table == NULL)
719 goto err2;
720
721 nla_strlcpy(table->name, name, NFT_TABLE_MAXNAMELEN);
722 INIT_LIST_HEAD(&table->chains);
723 INIT_LIST_HEAD(&table->sets);
724 INIT_LIST_HEAD(&table->objects);
725 table->flags = flags;
726
727 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
728 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
729 if (err < 0)
730 goto err3;
731
732 list_add_tail_rcu(&table->list, &afi->tables);
733 return 0;
734 err3:
735 kfree(table);
736 err2:
737 module_put(afi->owner);
738 err1:
739 return err;
740 }
741
742 static int nft_flush_table(struct nft_ctx *ctx)
743 {
744 int err;
745 struct nft_chain *chain, *nc;
746 struct nft_object *obj, *ne;
747 struct nft_set *set, *ns;
748
749 list_for_each_entry(chain, &ctx->table->chains, list) {
750 if (!nft_is_active_next(ctx->net, chain))
751 continue;
752
753 ctx->chain = chain;
754
755 err = nft_delrule_by_chain(ctx);
756 if (err < 0)
757 goto out;
758 }
759
760 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
761 if (!nft_is_active_next(ctx->net, set))
762 continue;
763
764 if (set->flags & NFT_SET_ANONYMOUS &&
765 !list_empty(&set->bindings))
766 continue;
767
768 err = nft_delset(ctx, set);
769 if (err < 0)
770 goto out;
771 }
772
773 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
774 err = nft_delobj(ctx, obj);
775 if (err < 0)
776 goto out;
777 }
778
779 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
780 if (!nft_is_active_next(ctx->net, chain))
781 continue;
782
783 ctx->chain = chain;
784
785 err = nft_delchain(ctx);
786 if (err < 0)
787 goto out;
788 }
789
790 err = nft_deltable(ctx);
791 out:
792 return err;
793 }
794
795 static int nft_flush(struct nft_ctx *ctx, int family)
796 {
797 struct nft_af_info *afi;
798 struct nft_table *table, *nt;
799 const struct nlattr * const *nla = ctx->nla;
800 int err = 0;
801
802 list_for_each_entry(afi, &ctx->net->nft.af_info, list) {
803 if (family != AF_UNSPEC && afi->family != family)
804 continue;
805
806 ctx->afi = afi;
807 list_for_each_entry_safe(table, nt, &afi->tables, list) {
808 if (!nft_is_active_next(ctx->net, table))
809 continue;
810
811 if (nla[NFTA_TABLE_NAME] &&
812 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
813 continue;
814
815 ctx->table = table;
816
817 err = nft_flush_table(ctx);
818 if (err < 0)
819 goto out;
820 }
821 }
822 out:
823 return err;
824 }
825
826 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
827 struct sk_buff *skb, const struct nlmsghdr *nlh,
828 const struct nlattr * const nla[])
829 {
830 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
831 u8 genmask = nft_genmask_next(net);
832 struct nft_af_info *afi;
833 struct nft_table *table;
834 int family = nfmsg->nfgen_family;
835 struct nft_ctx ctx;
836
837 nft_ctx_init(&ctx, net, skb, nlh, NULL, NULL, NULL, nla);
838 if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
839 return nft_flush(&ctx, family);
840
841 afi = nf_tables_afinfo_lookup(net, family, false);
842 if (IS_ERR(afi))
843 return PTR_ERR(afi);
844
845 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
846 if (IS_ERR(table))
847 return PTR_ERR(table);
848
849 ctx.afi = afi;
850 ctx.table = table;
851
852 return nft_flush_table(&ctx);
853 }
854
855 static void nf_tables_table_destroy(struct nft_ctx *ctx)
856 {
857 BUG_ON(ctx->table->use > 0);
858
859 kfree(ctx->table);
860 module_put(ctx->afi->owner);
861 }
862
863 int nft_register_chain_type(const struct nf_chain_type *ctype)
864 {
865 int err = 0;
866
867 nfnl_lock(NFNL_SUBSYS_NFTABLES);
868 if (chain_type[ctype->family][ctype->type] != NULL) {
869 err = -EBUSY;
870 goto out;
871 }
872 chain_type[ctype->family][ctype->type] = ctype;
873 out:
874 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
875 return err;
876 }
877 EXPORT_SYMBOL_GPL(nft_register_chain_type);
878
879 void nft_unregister_chain_type(const struct nf_chain_type *ctype)
880 {
881 nfnl_lock(NFNL_SUBSYS_NFTABLES);
882 chain_type[ctype->family][ctype->type] = NULL;
883 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
884 }
885 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
886
887 /*
888 * Chains
889 */
890
891 static struct nft_chain *
892 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle,
893 u8 genmask)
894 {
895 struct nft_chain *chain;
896
897 list_for_each_entry(chain, &table->chains, list) {
898 if (chain->handle == handle &&
899 nft_active_genmask(chain, genmask))
900 return chain;
901 }
902
903 return ERR_PTR(-ENOENT);
904 }
905
906 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
907 const struct nlattr *nla,
908 u8 genmask)
909 {
910 struct nft_chain *chain;
911
912 if (nla == NULL)
913 return ERR_PTR(-EINVAL);
914
915 list_for_each_entry(chain, &table->chains, list) {
916 if (!nla_strcmp(nla, chain->name) &&
917 nft_active_genmask(chain, genmask))
918 return chain;
919 }
920
921 return ERR_PTR(-ENOENT);
922 }
923
924 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
925 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING },
926 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
927 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
928 .len = NFT_CHAIN_MAXNAMELEN - 1 },
929 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
930 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
931 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
932 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
933 };
934
935 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
936 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
937 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
938 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
939 .len = IFNAMSIZ - 1 },
940 };
941
942 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
943 {
944 struct nft_stats *cpu_stats, total;
945 struct nlattr *nest;
946 unsigned int seq;
947 u64 pkts, bytes;
948 int cpu;
949
950 memset(&total, 0, sizeof(total));
951 for_each_possible_cpu(cpu) {
952 cpu_stats = per_cpu_ptr(stats, cpu);
953 do {
954 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
955 pkts = cpu_stats->pkts;
956 bytes = cpu_stats->bytes;
957 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
958 total.pkts += pkts;
959 total.bytes += bytes;
960 }
961 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
962 if (nest == NULL)
963 goto nla_put_failure;
964
965 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
966 NFTA_COUNTER_PAD) ||
967 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
968 NFTA_COUNTER_PAD))
969 goto nla_put_failure;
970
971 nla_nest_end(skb, nest);
972 return 0;
973
974 nla_put_failure:
975 return -ENOSPC;
976 }
977
978 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
979 u32 portid, u32 seq, int event, u32 flags,
980 int family, const struct nft_table *table,
981 const struct nft_chain *chain)
982 {
983 struct nlmsghdr *nlh;
984 struct nfgenmsg *nfmsg;
985
986 event |= NFNL_SUBSYS_NFTABLES << 8;
987 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
988 if (nlh == NULL)
989 goto nla_put_failure;
990
991 nfmsg = nlmsg_data(nlh);
992 nfmsg->nfgen_family = family;
993 nfmsg->version = NFNETLINK_V0;
994 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
995
996 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
997 goto nla_put_failure;
998 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
999 NFTA_CHAIN_PAD))
1000 goto nla_put_failure;
1001 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1002 goto nla_put_failure;
1003
1004 if (chain->flags & NFT_BASE_CHAIN) {
1005 const struct nft_base_chain *basechain = nft_base_chain(chain);
1006 const struct nf_hook_ops *ops = &basechain->ops[0];
1007 struct nlattr *nest;
1008
1009 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1010 if (nest == NULL)
1011 goto nla_put_failure;
1012 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1013 goto nla_put_failure;
1014 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1015 goto nla_put_failure;
1016 if (basechain->dev_name[0] &&
1017 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1018 goto nla_put_failure;
1019 nla_nest_end(skb, nest);
1020
1021 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1022 htonl(basechain->policy)))
1023 goto nla_put_failure;
1024
1025 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1026 goto nla_put_failure;
1027
1028 if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
1029 goto nla_put_failure;
1030 }
1031
1032 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1033 goto nla_put_failure;
1034
1035 nlmsg_end(skb, nlh);
1036 return 0;
1037
1038 nla_put_failure:
1039 nlmsg_trim(skb, nlh);
1040 return -1;
1041 }
1042
1043 static int nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1044 {
1045 struct sk_buff *skb;
1046 int err;
1047
1048 if (!ctx->report &&
1049 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1050 return 0;
1051
1052 err = -ENOBUFS;
1053 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1054 if (skb == NULL)
1055 goto err;
1056
1057 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1058 event, 0, ctx->afi->family, ctx->table,
1059 ctx->chain);
1060 if (err < 0) {
1061 kfree_skb(skb);
1062 goto err;
1063 }
1064
1065 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1066 ctx->report, GFP_KERNEL);
1067 err:
1068 if (err < 0) {
1069 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1070 err);
1071 }
1072 return err;
1073 }
1074
1075 static int nf_tables_dump_chains(struct sk_buff *skb,
1076 struct netlink_callback *cb)
1077 {
1078 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1079 const struct nft_af_info *afi;
1080 const struct nft_table *table;
1081 const struct nft_chain *chain;
1082 unsigned int idx = 0, s_idx = cb->args[0];
1083 struct net *net = sock_net(skb->sk);
1084 int family = nfmsg->nfgen_family;
1085
1086 rcu_read_lock();
1087 cb->seq = net->nft.base_seq;
1088
1089 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1090 if (family != NFPROTO_UNSPEC && family != afi->family)
1091 continue;
1092
1093 list_for_each_entry_rcu(table, &afi->tables, list) {
1094 list_for_each_entry_rcu(chain, &table->chains, list) {
1095 if (idx < s_idx)
1096 goto cont;
1097 if (idx > s_idx)
1098 memset(&cb->args[1], 0,
1099 sizeof(cb->args) - sizeof(cb->args[0]));
1100 if (!nft_is_active(net, chain))
1101 continue;
1102 if (nf_tables_fill_chain_info(skb, net,
1103 NETLINK_CB(cb->skb).portid,
1104 cb->nlh->nlmsg_seq,
1105 NFT_MSG_NEWCHAIN,
1106 NLM_F_MULTI,
1107 afi->family, table, chain) < 0)
1108 goto done;
1109
1110 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1111 cont:
1112 idx++;
1113 }
1114 }
1115 }
1116 done:
1117 rcu_read_unlock();
1118 cb->args[0] = idx;
1119 return skb->len;
1120 }
1121
1122 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1123 struct sk_buff *skb, const struct nlmsghdr *nlh,
1124 const struct nlattr * const nla[])
1125 {
1126 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1127 u8 genmask = nft_genmask_cur(net);
1128 const struct nft_af_info *afi;
1129 const struct nft_table *table;
1130 const struct nft_chain *chain;
1131 struct sk_buff *skb2;
1132 int family = nfmsg->nfgen_family;
1133 int err;
1134
1135 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1136 struct netlink_dump_control c = {
1137 .dump = nf_tables_dump_chains,
1138 };
1139 return netlink_dump_start(nlsk, skb, nlh, &c);
1140 }
1141
1142 afi = nf_tables_afinfo_lookup(net, family, false);
1143 if (IS_ERR(afi))
1144 return PTR_ERR(afi);
1145
1146 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1147 if (IS_ERR(table))
1148 return PTR_ERR(table);
1149
1150 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1151 if (IS_ERR(chain))
1152 return PTR_ERR(chain);
1153
1154 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1155 if (!skb2)
1156 return -ENOMEM;
1157
1158 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1159 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1160 family, table, chain);
1161 if (err < 0)
1162 goto err;
1163
1164 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1165
1166 err:
1167 kfree_skb(skb2);
1168 return err;
1169 }
1170
1171 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1172 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1173 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1174 };
1175
1176 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1177 {
1178 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1179 struct nft_stats __percpu *newstats;
1180 struct nft_stats *stats;
1181 int err;
1182
1183 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy);
1184 if (err < 0)
1185 return ERR_PTR(err);
1186
1187 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1188 return ERR_PTR(-EINVAL);
1189
1190 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1191 if (newstats == NULL)
1192 return ERR_PTR(-ENOMEM);
1193
1194 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1195 * are not exposed to userspace.
1196 */
1197 preempt_disable();
1198 stats = this_cpu_ptr(newstats);
1199 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1200 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1201 preempt_enable();
1202
1203 return newstats;
1204 }
1205
1206 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1207 struct nft_stats __percpu *newstats)
1208 {
1209 if (newstats == NULL)
1210 return;
1211
1212 if (chain->stats) {
1213 struct nft_stats __percpu *oldstats =
1214 nft_dereference(chain->stats);
1215
1216 rcu_assign_pointer(chain->stats, newstats);
1217 synchronize_rcu();
1218 free_percpu(oldstats);
1219 } else
1220 rcu_assign_pointer(chain->stats, newstats);
1221 }
1222
1223 static void nf_tables_chain_destroy(struct nft_chain *chain)
1224 {
1225 BUG_ON(chain->use > 0);
1226
1227 if (chain->flags & NFT_BASE_CHAIN) {
1228 struct nft_base_chain *basechain = nft_base_chain(chain);
1229
1230 module_put(basechain->type->owner);
1231 free_percpu(basechain->stats);
1232 if (basechain->ops[0].dev != NULL)
1233 dev_put(basechain->ops[0].dev);
1234 kfree(basechain);
1235 } else {
1236 kfree(chain);
1237 }
1238 }
1239
1240 struct nft_chain_hook {
1241 u32 num;
1242 u32 priority;
1243 const struct nf_chain_type *type;
1244 struct net_device *dev;
1245 };
1246
1247 static int nft_chain_parse_hook(struct net *net,
1248 const struct nlattr * const nla[],
1249 struct nft_af_info *afi,
1250 struct nft_chain_hook *hook, bool create)
1251 {
1252 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1253 const struct nf_chain_type *type;
1254 struct net_device *dev;
1255 int err;
1256
1257 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1258 nft_hook_policy);
1259 if (err < 0)
1260 return err;
1261
1262 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1263 ha[NFTA_HOOK_PRIORITY] == NULL)
1264 return -EINVAL;
1265
1266 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1267 if (hook->num >= afi->nhooks)
1268 return -EINVAL;
1269
1270 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1271
1272 type = chain_type[afi->family][NFT_CHAIN_T_DEFAULT];
1273 if (nla[NFTA_CHAIN_TYPE]) {
1274 type = nf_tables_chain_type_lookup(afi, nla[NFTA_CHAIN_TYPE],
1275 create);
1276 if (IS_ERR(type))
1277 return PTR_ERR(type);
1278 }
1279 if (!(type->hook_mask & (1 << hook->num)))
1280 return -EOPNOTSUPP;
1281 if (!try_module_get(type->owner))
1282 return -ENOENT;
1283
1284 hook->type = type;
1285
1286 hook->dev = NULL;
1287 if (afi->flags & NFT_AF_NEEDS_DEV) {
1288 char ifname[IFNAMSIZ];
1289
1290 if (!ha[NFTA_HOOK_DEV]) {
1291 module_put(type->owner);
1292 return -EOPNOTSUPP;
1293 }
1294
1295 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1296 dev = dev_get_by_name(net, ifname);
1297 if (!dev) {
1298 module_put(type->owner);
1299 return -ENOENT;
1300 }
1301 hook->dev = dev;
1302 } else if (ha[NFTA_HOOK_DEV]) {
1303 module_put(type->owner);
1304 return -EOPNOTSUPP;
1305 }
1306
1307 return 0;
1308 }
1309
1310 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1311 {
1312 module_put(hook->type->owner);
1313 if (hook->dev != NULL)
1314 dev_put(hook->dev);
1315 }
1316
1317 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1318 struct sk_buff *skb, const struct nlmsghdr *nlh,
1319 const struct nlattr * const nla[])
1320 {
1321 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1322 const struct nlattr * uninitialized_var(name);
1323 struct nft_af_info *afi;
1324 struct nft_table *table;
1325 struct nft_chain *chain;
1326 struct nft_base_chain *basechain = NULL;
1327 u8 genmask = nft_genmask_next(net);
1328 int family = nfmsg->nfgen_family;
1329 u8 policy = NF_ACCEPT;
1330 u64 handle = 0;
1331 unsigned int i;
1332 struct nft_stats __percpu *stats;
1333 int err;
1334 bool create;
1335 struct nft_ctx ctx;
1336
1337 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1338
1339 afi = nf_tables_afinfo_lookup(net, family, true);
1340 if (IS_ERR(afi))
1341 return PTR_ERR(afi);
1342
1343 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1344 if (IS_ERR(table))
1345 return PTR_ERR(table);
1346
1347 chain = NULL;
1348 name = nla[NFTA_CHAIN_NAME];
1349
1350 if (nla[NFTA_CHAIN_HANDLE]) {
1351 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1352 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1353 if (IS_ERR(chain))
1354 return PTR_ERR(chain);
1355 } else {
1356 chain = nf_tables_chain_lookup(table, name, genmask);
1357 if (IS_ERR(chain)) {
1358 if (PTR_ERR(chain) != -ENOENT)
1359 return PTR_ERR(chain);
1360 chain = NULL;
1361 }
1362 }
1363
1364 if (nla[NFTA_CHAIN_POLICY]) {
1365 if ((chain != NULL &&
1366 !(chain->flags & NFT_BASE_CHAIN)))
1367 return -EOPNOTSUPP;
1368
1369 if (chain == NULL &&
1370 nla[NFTA_CHAIN_HOOK] == NULL)
1371 return -EOPNOTSUPP;
1372
1373 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1374 switch (policy) {
1375 case NF_DROP:
1376 case NF_ACCEPT:
1377 break;
1378 default:
1379 return -EINVAL;
1380 }
1381 }
1382
1383 if (chain != NULL) {
1384 struct nft_stats *stats = NULL;
1385 struct nft_trans *trans;
1386
1387 if (nlh->nlmsg_flags & NLM_F_EXCL)
1388 return -EEXIST;
1389 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1390 return -EOPNOTSUPP;
1391
1392 if (nla[NFTA_CHAIN_HOOK]) {
1393 struct nft_base_chain *basechain;
1394 struct nft_chain_hook hook;
1395 struct nf_hook_ops *ops;
1396
1397 if (!(chain->flags & NFT_BASE_CHAIN))
1398 return -EBUSY;
1399
1400 err = nft_chain_parse_hook(net, nla, afi, &hook,
1401 create);
1402 if (err < 0)
1403 return err;
1404
1405 basechain = nft_base_chain(chain);
1406 if (basechain->type != hook.type) {
1407 nft_chain_release_hook(&hook);
1408 return -EBUSY;
1409 }
1410
1411 for (i = 0; i < afi->nops; i++) {
1412 ops = &basechain->ops[i];
1413 if (ops->hooknum != hook.num ||
1414 ops->priority != hook.priority ||
1415 ops->dev != hook.dev) {
1416 nft_chain_release_hook(&hook);
1417 return -EBUSY;
1418 }
1419 }
1420 nft_chain_release_hook(&hook);
1421 }
1422
1423 if (nla[NFTA_CHAIN_HANDLE] && name) {
1424 struct nft_chain *chain2;
1425
1426 chain2 = nf_tables_chain_lookup(table,
1427 nla[NFTA_CHAIN_NAME],
1428 genmask);
1429 if (IS_ERR(chain2))
1430 return PTR_ERR(chain2);
1431 }
1432
1433 if (nla[NFTA_CHAIN_COUNTERS]) {
1434 if (!(chain->flags & NFT_BASE_CHAIN))
1435 return -EOPNOTSUPP;
1436
1437 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1438 if (IS_ERR(stats))
1439 return PTR_ERR(stats);
1440 }
1441
1442 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1443 trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN,
1444 sizeof(struct nft_trans_chain));
1445 if (trans == NULL) {
1446 free_percpu(stats);
1447 return -ENOMEM;
1448 }
1449
1450 nft_trans_chain_stats(trans) = stats;
1451 nft_trans_chain_update(trans) = true;
1452
1453 if (nla[NFTA_CHAIN_POLICY])
1454 nft_trans_chain_policy(trans) = policy;
1455 else
1456 nft_trans_chain_policy(trans) = -1;
1457
1458 if (nla[NFTA_CHAIN_HANDLE] && name) {
1459 nla_strlcpy(nft_trans_chain_name(trans), name,
1460 NFT_CHAIN_MAXNAMELEN);
1461 }
1462 list_add_tail(&trans->list, &net->nft.commit_list);
1463 return 0;
1464 }
1465
1466 if (table->use == UINT_MAX)
1467 return -EOVERFLOW;
1468
1469 if (nla[NFTA_CHAIN_HOOK]) {
1470 struct nft_chain_hook hook;
1471 struct nf_hook_ops *ops;
1472 nf_hookfn *hookfn;
1473
1474 err = nft_chain_parse_hook(net, nla, afi, &hook, create);
1475 if (err < 0)
1476 return err;
1477
1478 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1479 if (basechain == NULL) {
1480 nft_chain_release_hook(&hook);
1481 return -ENOMEM;
1482 }
1483
1484 if (hook.dev != NULL)
1485 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1486
1487 if (nla[NFTA_CHAIN_COUNTERS]) {
1488 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1489 if (IS_ERR(stats)) {
1490 nft_chain_release_hook(&hook);
1491 kfree(basechain);
1492 return PTR_ERR(stats);
1493 }
1494 basechain->stats = stats;
1495 } else {
1496 stats = netdev_alloc_pcpu_stats(struct nft_stats);
1497 if (stats == NULL) {
1498 nft_chain_release_hook(&hook);
1499 kfree(basechain);
1500 return -ENOMEM;
1501 }
1502 rcu_assign_pointer(basechain->stats, stats);
1503 }
1504
1505 hookfn = hook.type->hooks[hook.num];
1506 basechain->type = hook.type;
1507 chain = &basechain->chain;
1508
1509 for (i = 0; i < afi->nops; i++) {
1510 ops = &basechain->ops[i];
1511 ops->pf = family;
1512 ops->hooknum = hook.num;
1513 ops->priority = hook.priority;
1514 ops->priv = chain;
1515 ops->hook = afi->hooks[ops->hooknum];
1516 ops->dev = hook.dev;
1517 if (hookfn)
1518 ops->hook = hookfn;
1519 if (afi->hook_ops_init)
1520 afi->hook_ops_init(ops, i);
1521 }
1522
1523 chain->flags |= NFT_BASE_CHAIN;
1524 basechain->policy = policy;
1525 } else {
1526 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1527 if (chain == NULL)
1528 return -ENOMEM;
1529 }
1530
1531 INIT_LIST_HEAD(&chain->rules);
1532 chain->handle = nf_tables_alloc_handle(table);
1533 chain->table = table;
1534 nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
1535
1536 err = nf_tables_register_hooks(net, table, chain, afi->nops);
1537 if (err < 0)
1538 goto err1;
1539
1540 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1541 err = nft_trans_chain_add(&ctx, NFT_MSG_NEWCHAIN);
1542 if (err < 0)
1543 goto err2;
1544
1545 table->use++;
1546 list_add_tail_rcu(&chain->list, &table->chains);
1547 return 0;
1548 err2:
1549 nf_tables_unregister_hooks(net, table, chain, afi->nops);
1550 err1:
1551 nf_tables_chain_destroy(chain);
1552 return err;
1553 }
1554
1555 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1556 struct sk_buff *skb, const struct nlmsghdr *nlh,
1557 const struct nlattr * const nla[])
1558 {
1559 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1560 u8 genmask = nft_genmask_next(net);
1561 struct nft_af_info *afi;
1562 struct nft_table *table;
1563 struct nft_chain *chain;
1564 int family = nfmsg->nfgen_family;
1565 struct nft_ctx ctx;
1566
1567 afi = nf_tables_afinfo_lookup(net, family, false);
1568 if (IS_ERR(afi))
1569 return PTR_ERR(afi);
1570
1571 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1572 if (IS_ERR(table))
1573 return PTR_ERR(table);
1574
1575 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1576 if (IS_ERR(chain))
1577 return PTR_ERR(chain);
1578 if (chain->use > 0)
1579 return -EBUSY;
1580
1581 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1582
1583 return nft_delchain(&ctx);
1584 }
1585
1586 /*
1587 * Expressions
1588 */
1589
1590 /**
1591 * nft_register_expr - register nf_tables expr type
1592 * @ops: expr type
1593 *
1594 * Registers the expr type for use with nf_tables. Returns zero on
1595 * success or a negative errno code otherwise.
1596 */
1597 int nft_register_expr(struct nft_expr_type *type)
1598 {
1599 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1600 if (type->family == NFPROTO_UNSPEC)
1601 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1602 else
1603 list_add_rcu(&type->list, &nf_tables_expressions);
1604 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1605 return 0;
1606 }
1607 EXPORT_SYMBOL_GPL(nft_register_expr);
1608
1609 /**
1610 * nft_unregister_expr - unregister nf_tables expr type
1611 * @ops: expr type
1612 *
1613 * Unregisters the expr typefor use with nf_tables.
1614 */
1615 void nft_unregister_expr(struct nft_expr_type *type)
1616 {
1617 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1618 list_del_rcu(&type->list);
1619 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1620 }
1621 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1622
1623 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1624 struct nlattr *nla)
1625 {
1626 const struct nft_expr_type *type;
1627
1628 list_for_each_entry(type, &nf_tables_expressions, list) {
1629 if (!nla_strcmp(nla, type->name) &&
1630 (!type->family || type->family == family))
1631 return type;
1632 }
1633 return NULL;
1634 }
1635
1636 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1637 struct nlattr *nla)
1638 {
1639 const struct nft_expr_type *type;
1640
1641 if (nla == NULL)
1642 return ERR_PTR(-EINVAL);
1643
1644 type = __nft_expr_type_get(family, nla);
1645 if (type != NULL && try_module_get(type->owner))
1646 return type;
1647
1648 #ifdef CONFIG_MODULES
1649 if (type == NULL) {
1650 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1651 request_module("nft-expr-%u-%.*s", family,
1652 nla_len(nla), (char *)nla_data(nla));
1653 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1654 if (__nft_expr_type_get(family, nla))
1655 return ERR_PTR(-EAGAIN);
1656
1657 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1658 request_module("nft-expr-%.*s",
1659 nla_len(nla), (char *)nla_data(nla));
1660 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1661 if (__nft_expr_type_get(family, nla))
1662 return ERR_PTR(-EAGAIN);
1663 }
1664 #endif
1665 return ERR_PTR(-ENOENT);
1666 }
1667
1668 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1669 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1670 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1671 };
1672
1673 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1674 const struct nft_expr *expr)
1675 {
1676 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1677 goto nla_put_failure;
1678
1679 if (expr->ops->dump) {
1680 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1681 if (data == NULL)
1682 goto nla_put_failure;
1683 if (expr->ops->dump(skb, expr) < 0)
1684 goto nla_put_failure;
1685 nla_nest_end(skb, data);
1686 }
1687
1688 return skb->len;
1689
1690 nla_put_failure:
1691 return -1;
1692 };
1693
1694 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1695 const struct nft_expr *expr)
1696 {
1697 struct nlattr *nest;
1698
1699 nest = nla_nest_start(skb, attr);
1700 if (!nest)
1701 goto nla_put_failure;
1702 if (nf_tables_fill_expr_info(skb, expr) < 0)
1703 goto nla_put_failure;
1704 nla_nest_end(skb, nest);
1705 return 0;
1706
1707 nla_put_failure:
1708 return -1;
1709 }
1710
1711 struct nft_expr_info {
1712 const struct nft_expr_ops *ops;
1713 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1714 };
1715
1716 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1717 const struct nlattr *nla,
1718 struct nft_expr_info *info)
1719 {
1720 const struct nft_expr_type *type;
1721 const struct nft_expr_ops *ops;
1722 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1723 int err;
1724
1725 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy);
1726 if (err < 0)
1727 return err;
1728
1729 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1730 if (IS_ERR(type))
1731 return PTR_ERR(type);
1732
1733 if (tb[NFTA_EXPR_DATA]) {
1734 err = nla_parse_nested(info->tb, type->maxattr,
1735 tb[NFTA_EXPR_DATA], type->policy);
1736 if (err < 0)
1737 goto err1;
1738 } else
1739 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1740
1741 if (type->select_ops != NULL) {
1742 ops = type->select_ops(ctx,
1743 (const struct nlattr * const *)info->tb);
1744 if (IS_ERR(ops)) {
1745 err = PTR_ERR(ops);
1746 goto err1;
1747 }
1748 } else
1749 ops = type->ops;
1750
1751 info->ops = ops;
1752 return 0;
1753
1754 err1:
1755 module_put(type->owner);
1756 return err;
1757 }
1758
1759 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1760 const struct nft_expr_info *info,
1761 struct nft_expr *expr)
1762 {
1763 const struct nft_expr_ops *ops = info->ops;
1764 int err;
1765
1766 expr->ops = ops;
1767 if (ops->init) {
1768 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1769 if (err < 0)
1770 goto err1;
1771 }
1772
1773 return 0;
1774
1775 err1:
1776 expr->ops = NULL;
1777 return err;
1778 }
1779
1780 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1781 struct nft_expr *expr)
1782 {
1783 if (expr->ops->destroy)
1784 expr->ops->destroy(ctx, expr);
1785 module_put(expr->ops->type->owner);
1786 }
1787
1788 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1789 const struct nlattr *nla)
1790 {
1791 struct nft_expr_info info;
1792 struct nft_expr *expr;
1793 int err;
1794
1795 err = nf_tables_expr_parse(ctx, nla, &info);
1796 if (err < 0)
1797 goto err1;
1798
1799 err = -ENOMEM;
1800 expr = kzalloc(info.ops->size, GFP_KERNEL);
1801 if (expr == NULL)
1802 goto err2;
1803
1804 err = nf_tables_newexpr(ctx, &info, expr);
1805 if (err < 0)
1806 goto err3;
1807
1808 return expr;
1809 err3:
1810 kfree(expr);
1811 err2:
1812 module_put(info.ops->type->owner);
1813 err1:
1814 return ERR_PTR(err);
1815 }
1816
1817 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1818 {
1819 nf_tables_expr_destroy(ctx, expr);
1820 kfree(expr);
1821 }
1822
1823 /*
1824 * Rules
1825 */
1826
1827 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1828 u64 handle)
1829 {
1830 struct nft_rule *rule;
1831
1832 // FIXME: this sucks
1833 list_for_each_entry(rule, &chain->rules, list) {
1834 if (handle == rule->handle)
1835 return rule;
1836 }
1837
1838 return ERR_PTR(-ENOENT);
1839 }
1840
1841 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
1842 const struct nlattr *nla)
1843 {
1844 if (nla == NULL)
1845 return ERR_PTR(-EINVAL);
1846
1847 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
1848 }
1849
1850 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
1851 [NFTA_RULE_TABLE] = { .type = NLA_STRING },
1852 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
1853 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1854 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
1855 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
1856 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
1857 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
1858 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
1859 .len = NFT_USERDATA_MAXLEN },
1860 };
1861
1862 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
1863 u32 portid, u32 seq, int event,
1864 u32 flags, int family,
1865 const struct nft_table *table,
1866 const struct nft_chain *chain,
1867 const struct nft_rule *rule)
1868 {
1869 struct nlmsghdr *nlh;
1870 struct nfgenmsg *nfmsg;
1871 const struct nft_expr *expr, *next;
1872 struct nlattr *list;
1873 const struct nft_rule *prule;
1874 int type = event | NFNL_SUBSYS_NFTABLES << 8;
1875
1876 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg),
1877 flags);
1878 if (nlh == NULL)
1879 goto nla_put_failure;
1880
1881 nfmsg = nlmsg_data(nlh);
1882 nfmsg->nfgen_family = family;
1883 nfmsg->version = NFNETLINK_V0;
1884 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1885
1886 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
1887 goto nla_put_failure;
1888 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
1889 goto nla_put_failure;
1890 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
1891 NFTA_RULE_PAD))
1892 goto nla_put_failure;
1893
1894 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
1895 prule = list_entry(rule->list.prev, struct nft_rule, list);
1896 if (nla_put_be64(skb, NFTA_RULE_POSITION,
1897 cpu_to_be64(prule->handle),
1898 NFTA_RULE_PAD))
1899 goto nla_put_failure;
1900 }
1901
1902 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
1903 if (list == NULL)
1904 goto nla_put_failure;
1905 nft_rule_for_each_expr(expr, next, rule) {
1906 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
1907 goto nla_put_failure;
1908 }
1909 nla_nest_end(skb, list);
1910
1911 if (rule->udata) {
1912 struct nft_userdata *udata = nft_userdata(rule);
1913 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
1914 udata->data) < 0)
1915 goto nla_put_failure;
1916 }
1917
1918 nlmsg_end(skb, nlh);
1919 return 0;
1920
1921 nla_put_failure:
1922 nlmsg_trim(skb, nlh);
1923 return -1;
1924 }
1925
1926 static int nf_tables_rule_notify(const struct nft_ctx *ctx,
1927 const struct nft_rule *rule,
1928 int event)
1929 {
1930 struct sk_buff *skb;
1931 int err;
1932
1933 if (!ctx->report &&
1934 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1935 return 0;
1936
1937 err = -ENOBUFS;
1938 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1939 if (skb == NULL)
1940 goto err;
1941
1942 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
1943 event, 0, ctx->afi->family, ctx->table,
1944 ctx->chain, rule);
1945 if (err < 0) {
1946 kfree_skb(skb);
1947 goto err;
1948 }
1949
1950 err = nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1951 ctx->report, GFP_KERNEL);
1952 err:
1953 if (err < 0) {
1954 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1955 err);
1956 }
1957 return err;
1958 }
1959
1960 struct nft_rule_dump_ctx {
1961 char table[NFT_TABLE_MAXNAMELEN];
1962 char chain[NFT_CHAIN_MAXNAMELEN];
1963 };
1964
1965 static int nf_tables_dump_rules(struct sk_buff *skb,
1966 struct netlink_callback *cb)
1967 {
1968 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1969 const struct nft_rule_dump_ctx *ctx = cb->data;
1970 const struct nft_af_info *afi;
1971 const struct nft_table *table;
1972 const struct nft_chain *chain;
1973 const struct nft_rule *rule;
1974 unsigned int idx = 0, s_idx = cb->args[0];
1975 struct net *net = sock_net(skb->sk);
1976 int family = nfmsg->nfgen_family;
1977
1978 rcu_read_lock();
1979 cb->seq = net->nft.base_seq;
1980
1981 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1982 if (family != NFPROTO_UNSPEC && family != afi->family)
1983 continue;
1984
1985 list_for_each_entry_rcu(table, &afi->tables, list) {
1986 if (ctx && ctx->table[0] &&
1987 strcmp(ctx->table, table->name) != 0)
1988 continue;
1989
1990 list_for_each_entry_rcu(chain, &table->chains, list) {
1991 if (ctx && ctx->chain[0] &&
1992 strcmp(ctx->chain, chain->name) != 0)
1993 continue;
1994
1995 list_for_each_entry_rcu(rule, &chain->rules, list) {
1996 if (!nft_is_active(net, rule))
1997 goto cont;
1998 if (idx < s_idx)
1999 goto cont;
2000 if (idx > s_idx)
2001 memset(&cb->args[1], 0,
2002 sizeof(cb->args) - sizeof(cb->args[0]));
2003 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2004 cb->nlh->nlmsg_seq,
2005 NFT_MSG_NEWRULE,
2006 NLM_F_MULTI | NLM_F_APPEND,
2007 afi->family, table, chain, rule) < 0)
2008 goto done;
2009
2010 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2011 cont:
2012 idx++;
2013 }
2014 }
2015 }
2016 }
2017 done:
2018 rcu_read_unlock();
2019
2020 cb->args[0] = idx;
2021 return skb->len;
2022 }
2023
2024 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2025 {
2026 kfree(cb->data);
2027 return 0;
2028 }
2029
2030 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2031 struct sk_buff *skb, const struct nlmsghdr *nlh,
2032 const struct nlattr * const nla[])
2033 {
2034 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2035 u8 genmask = nft_genmask_cur(net);
2036 const struct nft_af_info *afi;
2037 const struct nft_table *table;
2038 const struct nft_chain *chain;
2039 const struct nft_rule *rule;
2040 struct sk_buff *skb2;
2041 int family = nfmsg->nfgen_family;
2042 int err;
2043
2044 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2045 struct netlink_dump_control c = {
2046 .dump = nf_tables_dump_rules,
2047 .done = nf_tables_dump_rules_done,
2048 };
2049
2050 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2051 struct nft_rule_dump_ctx *ctx;
2052
2053 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2054 if (!ctx)
2055 return -ENOMEM;
2056
2057 if (nla[NFTA_RULE_TABLE])
2058 nla_strlcpy(ctx->table, nla[NFTA_RULE_TABLE],
2059 sizeof(ctx->table));
2060 if (nla[NFTA_RULE_CHAIN])
2061 nla_strlcpy(ctx->chain, nla[NFTA_RULE_CHAIN],
2062 sizeof(ctx->chain));
2063 c.data = ctx;
2064 }
2065
2066 return netlink_dump_start(nlsk, skb, nlh, &c);
2067 }
2068
2069 afi = nf_tables_afinfo_lookup(net, family, false);
2070 if (IS_ERR(afi))
2071 return PTR_ERR(afi);
2072
2073 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2074 if (IS_ERR(table))
2075 return PTR_ERR(table);
2076
2077 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2078 if (IS_ERR(chain))
2079 return PTR_ERR(chain);
2080
2081 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2082 if (IS_ERR(rule))
2083 return PTR_ERR(rule);
2084
2085 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2086 if (!skb2)
2087 return -ENOMEM;
2088
2089 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2090 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2091 family, table, chain, rule);
2092 if (err < 0)
2093 goto err;
2094
2095 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2096
2097 err:
2098 kfree_skb(skb2);
2099 return err;
2100 }
2101
2102 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2103 struct nft_rule *rule)
2104 {
2105 struct nft_expr *expr;
2106
2107 /*
2108 * Careful: some expressions might not be initialized in case this
2109 * is called on error from nf_tables_newrule().
2110 */
2111 expr = nft_expr_first(rule);
2112 while (expr->ops && expr != nft_expr_last(rule)) {
2113 nf_tables_expr_destroy(ctx, expr);
2114 expr = nft_expr_next(expr);
2115 }
2116 kfree(rule);
2117 }
2118
2119 #define NFT_RULE_MAXEXPRS 128
2120
2121 static struct nft_expr_info *info;
2122
2123 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2124 struct sk_buff *skb, const struct nlmsghdr *nlh,
2125 const struct nlattr * const nla[])
2126 {
2127 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2128 u8 genmask = nft_genmask_next(net);
2129 struct nft_af_info *afi;
2130 struct nft_table *table;
2131 struct nft_chain *chain;
2132 struct nft_rule *rule, *old_rule = NULL;
2133 struct nft_userdata *udata;
2134 struct nft_trans *trans = NULL;
2135 struct nft_expr *expr;
2136 struct nft_ctx ctx;
2137 struct nlattr *tmp;
2138 unsigned int size, i, n, ulen = 0, usize = 0;
2139 int err, rem;
2140 bool create;
2141 u64 handle, pos_handle;
2142
2143 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2144
2145 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2146 if (IS_ERR(afi))
2147 return PTR_ERR(afi);
2148
2149 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2150 if (IS_ERR(table))
2151 return PTR_ERR(table);
2152
2153 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2154 if (IS_ERR(chain))
2155 return PTR_ERR(chain);
2156
2157 if (nla[NFTA_RULE_HANDLE]) {
2158 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2159 rule = __nf_tables_rule_lookup(chain, handle);
2160 if (IS_ERR(rule))
2161 return PTR_ERR(rule);
2162
2163 if (nlh->nlmsg_flags & NLM_F_EXCL)
2164 return -EEXIST;
2165 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2166 old_rule = rule;
2167 else
2168 return -EOPNOTSUPP;
2169 } else {
2170 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2171 return -EINVAL;
2172 handle = nf_tables_alloc_handle(table);
2173
2174 if (chain->use == UINT_MAX)
2175 return -EOVERFLOW;
2176 }
2177
2178 if (nla[NFTA_RULE_POSITION]) {
2179 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2180 return -EOPNOTSUPP;
2181
2182 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2183 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
2184 if (IS_ERR(old_rule))
2185 return PTR_ERR(old_rule);
2186 }
2187
2188 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2189
2190 n = 0;
2191 size = 0;
2192 if (nla[NFTA_RULE_EXPRESSIONS]) {
2193 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2194 err = -EINVAL;
2195 if (nla_type(tmp) != NFTA_LIST_ELEM)
2196 goto err1;
2197 if (n == NFT_RULE_MAXEXPRS)
2198 goto err1;
2199 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2200 if (err < 0)
2201 goto err1;
2202 size += info[n].ops->size;
2203 n++;
2204 }
2205 }
2206 /* Check for overflow of dlen field */
2207 err = -EFBIG;
2208 if (size >= 1 << 12)
2209 goto err1;
2210
2211 if (nla[NFTA_RULE_USERDATA]) {
2212 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2213 if (ulen > 0)
2214 usize = sizeof(struct nft_userdata) + ulen;
2215 }
2216
2217 err = -ENOMEM;
2218 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2219 if (rule == NULL)
2220 goto err1;
2221
2222 nft_activate_next(net, rule);
2223
2224 rule->handle = handle;
2225 rule->dlen = size;
2226 rule->udata = ulen ? 1 : 0;
2227
2228 if (ulen) {
2229 udata = nft_userdata(rule);
2230 udata->len = ulen - 1;
2231 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2232 }
2233
2234 expr = nft_expr_first(rule);
2235 for (i = 0; i < n; i++) {
2236 err = nf_tables_newexpr(&ctx, &info[i], expr);
2237 if (err < 0)
2238 goto err2;
2239 info[i].ops = NULL;
2240 expr = nft_expr_next(expr);
2241 }
2242
2243 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2244 if (nft_is_active_next(net, old_rule)) {
2245 trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
2246 old_rule);
2247 if (trans == NULL) {
2248 err = -ENOMEM;
2249 goto err2;
2250 }
2251 nft_deactivate_next(net, old_rule);
2252 chain->use--;
2253 list_add_tail_rcu(&rule->list, &old_rule->list);
2254 } else {
2255 err = -ENOENT;
2256 goto err2;
2257 }
2258 } else if (nlh->nlmsg_flags & NLM_F_APPEND)
2259 if (old_rule)
2260 list_add_rcu(&rule->list, &old_rule->list);
2261 else
2262 list_add_tail_rcu(&rule->list, &chain->rules);
2263 else {
2264 if (old_rule)
2265 list_add_tail_rcu(&rule->list, &old_rule->list);
2266 else
2267 list_add_rcu(&rule->list, &chain->rules);
2268 }
2269
2270 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2271 err = -ENOMEM;
2272 goto err3;
2273 }
2274 chain->use++;
2275 return 0;
2276
2277 err3:
2278 list_del_rcu(&rule->list);
2279 err2:
2280 nf_tables_rule_destroy(&ctx, rule);
2281 err1:
2282 for (i = 0; i < n; i++) {
2283 if (info[i].ops != NULL)
2284 module_put(info[i].ops->type->owner);
2285 }
2286 return err;
2287 }
2288
2289 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2290 struct sk_buff *skb, const struct nlmsghdr *nlh,
2291 const struct nlattr * const nla[])
2292 {
2293 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2294 u8 genmask = nft_genmask_next(net);
2295 struct nft_af_info *afi;
2296 struct nft_table *table;
2297 struct nft_chain *chain = NULL;
2298 struct nft_rule *rule;
2299 int family = nfmsg->nfgen_family, err = 0;
2300 struct nft_ctx ctx;
2301
2302 afi = nf_tables_afinfo_lookup(net, family, false);
2303 if (IS_ERR(afi))
2304 return PTR_ERR(afi);
2305
2306 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2307 if (IS_ERR(table))
2308 return PTR_ERR(table);
2309
2310 if (nla[NFTA_RULE_CHAIN]) {
2311 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN],
2312 genmask);
2313 if (IS_ERR(chain))
2314 return PTR_ERR(chain);
2315 }
2316
2317 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2318
2319 if (chain) {
2320 if (nla[NFTA_RULE_HANDLE]) {
2321 rule = nf_tables_rule_lookup(chain,
2322 nla[NFTA_RULE_HANDLE]);
2323 if (IS_ERR(rule))
2324 return PTR_ERR(rule);
2325
2326 err = nft_delrule(&ctx, rule);
2327 } else {
2328 err = nft_delrule_by_chain(&ctx);
2329 }
2330 } else {
2331 list_for_each_entry(chain, &table->chains, list) {
2332 if (!nft_is_active_next(net, chain))
2333 continue;
2334
2335 ctx.chain = chain;
2336 err = nft_delrule_by_chain(&ctx);
2337 if (err < 0)
2338 break;
2339 }
2340 }
2341
2342 return err;
2343 }
2344
2345 /*
2346 * Sets
2347 */
2348
2349 static LIST_HEAD(nf_tables_set_ops);
2350
2351 int nft_register_set(struct nft_set_ops *ops)
2352 {
2353 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2354 list_add_tail_rcu(&ops->list, &nf_tables_set_ops);
2355 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2356 return 0;
2357 }
2358 EXPORT_SYMBOL_GPL(nft_register_set);
2359
2360 void nft_unregister_set(struct nft_set_ops *ops)
2361 {
2362 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2363 list_del_rcu(&ops->list);
2364 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2365 }
2366 EXPORT_SYMBOL_GPL(nft_unregister_set);
2367
2368 /*
2369 * Select a set implementation based on the data characteristics and the
2370 * given policy. The total memory use might not be known if no size is
2371 * given, in that case the amount of memory per element is used.
2372 */
2373 static const struct nft_set_ops *
2374 nft_select_set_ops(const struct nlattr * const nla[],
2375 const struct nft_set_desc *desc,
2376 enum nft_set_policies policy)
2377 {
2378 const struct nft_set_ops *ops, *bops;
2379 struct nft_set_estimate est, best;
2380 u32 features;
2381
2382 #ifdef CONFIG_MODULES
2383 if (list_empty(&nf_tables_set_ops)) {
2384 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2385 request_module("nft-set");
2386 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2387 if (!list_empty(&nf_tables_set_ops))
2388 return ERR_PTR(-EAGAIN);
2389 }
2390 #endif
2391 features = 0;
2392 if (nla[NFTA_SET_FLAGS] != NULL) {
2393 features = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2394 features &= NFT_SET_INTERVAL | NFT_SET_MAP | NFT_SET_TIMEOUT;
2395 }
2396
2397 bops = NULL;
2398 best.size = ~0;
2399 best.class = ~0;
2400
2401 list_for_each_entry(ops, &nf_tables_set_ops, list) {
2402 if ((ops->features & features) != features)
2403 continue;
2404 if (!ops->estimate(desc, features, &est))
2405 continue;
2406
2407 switch (policy) {
2408 case NFT_SET_POL_PERFORMANCE:
2409 if (est.class < best.class)
2410 break;
2411 if (est.class == best.class && est.size < best.size)
2412 break;
2413 continue;
2414 case NFT_SET_POL_MEMORY:
2415 if (est.size < best.size)
2416 break;
2417 if (est.size == best.size && est.class < best.class)
2418 break;
2419 continue;
2420 default:
2421 break;
2422 }
2423
2424 if (!try_module_get(ops->owner))
2425 continue;
2426 if (bops != NULL)
2427 module_put(bops->owner);
2428
2429 bops = ops;
2430 best = est;
2431 }
2432
2433 if (bops != NULL)
2434 return bops;
2435
2436 return ERR_PTR(-EOPNOTSUPP);
2437 }
2438
2439 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2440 [NFTA_SET_TABLE] = { .type = NLA_STRING },
2441 [NFTA_SET_NAME] = { .type = NLA_STRING,
2442 .len = NFT_SET_MAXNAMELEN - 1 },
2443 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2444 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2445 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2446 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2447 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2448 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2449 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2450 [NFTA_SET_ID] = { .type = NLA_U32 },
2451 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2452 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2453 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2454 .len = NFT_USERDATA_MAXLEN },
2455 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
2456 };
2457
2458 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2459 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2460 };
2461
2462 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2463 const struct sk_buff *skb,
2464 const struct nlmsghdr *nlh,
2465 const struct nlattr * const nla[],
2466 u8 genmask)
2467 {
2468 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2469 struct nft_af_info *afi = NULL;
2470 struct nft_table *table = NULL;
2471
2472 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
2473 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2474 if (IS_ERR(afi))
2475 return PTR_ERR(afi);
2476 }
2477
2478 if (nla[NFTA_SET_TABLE] != NULL) {
2479 if (afi == NULL)
2480 return -EAFNOSUPPORT;
2481
2482 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE],
2483 genmask);
2484 if (IS_ERR(table))
2485 return PTR_ERR(table);
2486 }
2487
2488 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
2489 return 0;
2490 }
2491
2492 struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2493 const struct nlattr *nla, u8 genmask)
2494 {
2495 struct nft_set *set;
2496
2497 if (nla == NULL)
2498 return ERR_PTR(-EINVAL);
2499
2500 list_for_each_entry(set, &table->sets, list) {
2501 if (!nla_strcmp(nla, set->name) &&
2502 nft_active_genmask(set, genmask))
2503 return set;
2504 }
2505 return ERR_PTR(-ENOENT);
2506 }
2507
2508 struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2509 const struct nlattr *nla,
2510 u8 genmask)
2511 {
2512 struct nft_trans *trans;
2513 u32 id = ntohl(nla_get_be32(nla));
2514
2515 list_for_each_entry(trans, &net->nft.commit_list, list) {
2516 struct nft_set *set = nft_trans_set(trans);
2517
2518 if (trans->msg_type == NFT_MSG_NEWSET &&
2519 id == nft_trans_set_id(trans) &&
2520 nft_active_genmask(set, genmask))
2521 return set;
2522 }
2523 return ERR_PTR(-ENOENT);
2524 }
2525
2526 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2527 const char *name)
2528 {
2529 const struct nft_set *i;
2530 const char *p;
2531 unsigned long *inuse;
2532 unsigned int n = 0, min = 0;
2533
2534 p = strnchr(name, NFT_SET_MAXNAMELEN, '%');
2535 if (p != NULL) {
2536 if (p[1] != 'd' || strchr(p + 2, '%'))
2537 return -EINVAL;
2538
2539 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2540 if (inuse == NULL)
2541 return -ENOMEM;
2542 cont:
2543 list_for_each_entry(i, &ctx->table->sets, list) {
2544 int tmp;
2545
2546 if (!nft_is_active_next(ctx->net, set))
2547 continue;
2548 if (!sscanf(i->name, name, &tmp))
2549 continue;
2550 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2551 continue;
2552
2553 set_bit(tmp - min, inuse);
2554 }
2555
2556 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2557 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2558 min += BITS_PER_BYTE * PAGE_SIZE;
2559 memset(inuse, 0, PAGE_SIZE);
2560 goto cont;
2561 }
2562 free_page((unsigned long)inuse);
2563 }
2564
2565 snprintf(set->name, sizeof(set->name), name, min + n);
2566 list_for_each_entry(i, &ctx->table->sets, list) {
2567 if (!nft_is_active_next(ctx->net, i))
2568 continue;
2569 if (!strcmp(set->name, i->name))
2570 return -ENFILE;
2571 }
2572 return 0;
2573 }
2574
2575 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2576 const struct nft_set *set, u16 event, u16 flags)
2577 {
2578 struct nfgenmsg *nfmsg;
2579 struct nlmsghdr *nlh;
2580 struct nlattr *desc;
2581 u32 portid = ctx->portid;
2582 u32 seq = ctx->seq;
2583
2584 event |= NFNL_SUBSYS_NFTABLES << 8;
2585 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2586 flags);
2587 if (nlh == NULL)
2588 goto nla_put_failure;
2589
2590 nfmsg = nlmsg_data(nlh);
2591 nfmsg->nfgen_family = ctx->afi->family;
2592 nfmsg->version = NFNETLINK_V0;
2593 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2594
2595 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2596 goto nla_put_failure;
2597 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2598 goto nla_put_failure;
2599 if (set->flags != 0)
2600 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2601 goto nla_put_failure;
2602
2603 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2604 goto nla_put_failure;
2605 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2606 goto nla_put_failure;
2607 if (set->flags & NFT_SET_MAP) {
2608 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2609 goto nla_put_failure;
2610 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2611 goto nla_put_failure;
2612 }
2613 if (set->flags & NFT_SET_OBJECT &&
2614 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
2615 goto nla_put_failure;
2616
2617 if (set->timeout &&
2618 nla_put_be64(skb, NFTA_SET_TIMEOUT,
2619 cpu_to_be64(jiffies_to_msecs(set->timeout)),
2620 NFTA_SET_PAD))
2621 goto nla_put_failure;
2622 if (set->gc_int &&
2623 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2624 goto nla_put_failure;
2625
2626 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2627 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2628 goto nla_put_failure;
2629 }
2630
2631 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2632 goto nla_put_failure;
2633
2634 desc = nla_nest_start(skb, NFTA_SET_DESC);
2635 if (desc == NULL)
2636 goto nla_put_failure;
2637 if (set->size &&
2638 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2639 goto nla_put_failure;
2640 nla_nest_end(skb, desc);
2641
2642 nlmsg_end(skb, nlh);
2643 return 0;
2644
2645 nla_put_failure:
2646 nlmsg_trim(skb, nlh);
2647 return -1;
2648 }
2649
2650 static int nf_tables_set_notify(const struct nft_ctx *ctx,
2651 const struct nft_set *set,
2652 int event, gfp_t gfp_flags)
2653 {
2654 struct sk_buff *skb;
2655 u32 portid = ctx->portid;
2656 int err;
2657
2658 if (!ctx->report &&
2659 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2660 return 0;
2661
2662 err = -ENOBUFS;
2663 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2664 if (skb == NULL)
2665 goto err;
2666
2667 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2668 if (err < 0) {
2669 kfree_skb(skb);
2670 goto err;
2671 }
2672
2673 err = nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES,
2674 ctx->report, gfp_flags);
2675 err:
2676 if (err < 0)
2677 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, err);
2678 return err;
2679 }
2680
2681 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2682 {
2683 const struct nft_set *set;
2684 unsigned int idx, s_idx = cb->args[0];
2685 struct nft_af_info *afi;
2686 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2687 struct net *net = sock_net(skb->sk);
2688 int cur_family = cb->args[3];
2689 struct nft_ctx *ctx = cb->data, ctx_set;
2690
2691 if (cb->args[1])
2692 return skb->len;
2693
2694 rcu_read_lock();
2695 cb->seq = net->nft.base_seq;
2696
2697 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2698 if (ctx->afi && ctx->afi != afi)
2699 continue;
2700
2701 if (cur_family) {
2702 if (afi->family != cur_family)
2703 continue;
2704
2705 cur_family = 0;
2706 }
2707 list_for_each_entry_rcu(table, &afi->tables, list) {
2708 if (ctx->table && ctx->table != table)
2709 continue;
2710
2711 if (cur_table) {
2712 if (cur_table != table)
2713 continue;
2714
2715 cur_table = NULL;
2716 }
2717 idx = 0;
2718 list_for_each_entry_rcu(set, &table->sets, list) {
2719 if (idx < s_idx)
2720 goto cont;
2721 if (!nft_is_active(net, set))
2722 goto cont;
2723
2724 ctx_set = *ctx;
2725 ctx_set.table = table;
2726 ctx_set.afi = afi;
2727 if (nf_tables_fill_set(skb, &ctx_set, set,
2728 NFT_MSG_NEWSET,
2729 NLM_F_MULTI) < 0) {
2730 cb->args[0] = idx;
2731 cb->args[2] = (unsigned long) table;
2732 cb->args[3] = afi->family;
2733 goto done;
2734 }
2735 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2736 cont:
2737 idx++;
2738 }
2739 if (s_idx)
2740 s_idx = 0;
2741 }
2742 }
2743 cb->args[1] = 1;
2744 done:
2745 rcu_read_unlock();
2746 return skb->len;
2747 }
2748
2749 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2750 {
2751 kfree(cb->data);
2752 return 0;
2753 }
2754
2755 static int nf_tables_getset(struct net *net, struct sock *nlsk,
2756 struct sk_buff *skb, const struct nlmsghdr *nlh,
2757 const struct nlattr * const nla[])
2758 {
2759 u8 genmask = nft_genmask_cur(net);
2760 const struct nft_set *set;
2761 struct nft_ctx ctx;
2762 struct sk_buff *skb2;
2763 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2764 int err;
2765
2766 /* Verify existence before starting dump */
2767 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
2768 if (err < 0)
2769 return err;
2770
2771 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2772 struct netlink_dump_control c = {
2773 .dump = nf_tables_dump_sets,
2774 .done = nf_tables_dump_sets_done,
2775 };
2776 struct nft_ctx *ctx_dump;
2777
2778 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
2779 if (ctx_dump == NULL)
2780 return -ENOMEM;
2781
2782 *ctx_dump = ctx;
2783 c.data = ctx_dump;
2784
2785 return netlink_dump_start(nlsk, skb, nlh, &c);
2786 }
2787
2788 /* Only accept unspec with dump */
2789 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
2790 return -EAFNOSUPPORT;
2791 if (!nla[NFTA_SET_TABLE])
2792 return -EINVAL;
2793
2794 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
2795 if (IS_ERR(set))
2796 return PTR_ERR(set);
2797
2798 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2799 if (skb2 == NULL)
2800 return -ENOMEM;
2801
2802 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
2803 if (err < 0)
2804 goto err;
2805
2806 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2807
2808 err:
2809 kfree_skb(skb2);
2810 return err;
2811 }
2812
2813 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
2814 struct nft_set_desc *desc,
2815 const struct nlattr *nla)
2816 {
2817 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
2818 int err;
2819
2820 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla, nft_set_desc_policy);
2821 if (err < 0)
2822 return err;
2823
2824 if (da[NFTA_SET_DESC_SIZE] != NULL)
2825 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
2826
2827 return 0;
2828 }
2829
2830 static int nf_tables_newset(struct net *net, struct sock *nlsk,
2831 struct sk_buff *skb, const struct nlmsghdr *nlh,
2832 const struct nlattr * const nla[])
2833 {
2834 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2835 u8 genmask = nft_genmask_next(net);
2836 const struct nft_set_ops *ops;
2837 struct nft_af_info *afi;
2838 struct nft_table *table;
2839 struct nft_set *set;
2840 struct nft_ctx ctx;
2841 char name[NFT_SET_MAXNAMELEN];
2842 unsigned int size;
2843 bool create;
2844 u64 timeout;
2845 u32 ktype, dtype, flags, policy, gc_int, objtype;
2846 struct nft_set_desc desc;
2847 unsigned char *udata;
2848 u16 udlen;
2849 int err;
2850
2851 if (nla[NFTA_SET_TABLE] == NULL ||
2852 nla[NFTA_SET_NAME] == NULL ||
2853 nla[NFTA_SET_KEY_LEN] == NULL ||
2854 nla[NFTA_SET_ID] == NULL)
2855 return -EINVAL;
2856
2857 memset(&desc, 0, sizeof(desc));
2858
2859 ktype = NFT_DATA_VALUE;
2860 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
2861 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
2862 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
2863 return -EINVAL;
2864 }
2865
2866 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
2867 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
2868 return -EINVAL;
2869
2870 flags = 0;
2871 if (nla[NFTA_SET_FLAGS] != NULL) {
2872 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2873 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
2874 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
2875 NFT_SET_MAP | NFT_SET_EVAL |
2876 NFT_SET_OBJECT))
2877 return -EINVAL;
2878 /* Only one of these operations is supported */
2879 if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
2880 (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
2881 return -EOPNOTSUPP;
2882 }
2883
2884 dtype = 0;
2885 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
2886 if (!(flags & NFT_SET_MAP))
2887 return -EINVAL;
2888
2889 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
2890 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
2891 dtype != NFT_DATA_VERDICT)
2892 return -EINVAL;
2893
2894 if (dtype != NFT_DATA_VERDICT) {
2895 if (nla[NFTA_SET_DATA_LEN] == NULL)
2896 return -EINVAL;
2897 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
2898 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
2899 return -EINVAL;
2900 } else
2901 desc.dlen = sizeof(struct nft_verdict);
2902 } else if (flags & NFT_SET_MAP)
2903 return -EINVAL;
2904
2905 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
2906 if (!(flags & NFT_SET_OBJECT))
2907 return -EINVAL;
2908
2909 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
2910 if (objtype == NFT_OBJECT_UNSPEC ||
2911 objtype > NFT_OBJECT_MAX)
2912 return -EINVAL;
2913 } else if (flags & NFT_SET_OBJECT)
2914 return -EINVAL;
2915 else
2916 objtype = NFT_OBJECT_UNSPEC;
2917
2918 timeout = 0;
2919 if (nla[NFTA_SET_TIMEOUT] != NULL) {
2920 if (!(flags & NFT_SET_TIMEOUT))
2921 return -EINVAL;
2922 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
2923 nla[NFTA_SET_TIMEOUT])));
2924 }
2925 gc_int = 0;
2926 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
2927 if (!(flags & NFT_SET_TIMEOUT))
2928 return -EINVAL;
2929 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
2930 }
2931
2932 policy = NFT_SET_POL_PERFORMANCE;
2933 if (nla[NFTA_SET_POLICY] != NULL)
2934 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
2935
2936 if (nla[NFTA_SET_DESC] != NULL) {
2937 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
2938 if (err < 0)
2939 return err;
2940 }
2941
2942 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2943
2944 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2945 if (IS_ERR(afi))
2946 return PTR_ERR(afi);
2947
2948 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE], genmask);
2949 if (IS_ERR(table))
2950 return PTR_ERR(table);
2951
2952 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
2953
2954 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask);
2955 if (IS_ERR(set)) {
2956 if (PTR_ERR(set) != -ENOENT)
2957 return PTR_ERR(set);
2958 set = NULL;
2959 }
2960
2961 if (set != NULL) {
2962 if (nlh->nlmsg_flags & NLM_F_EXCL)
2963 return -EEXIST;
2964 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2965 return -EOPNOTSUPP;
2966 return 0;
2967 }
2968
2969 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
2970 return -ENOENT;
2971
2972 ops = nft_select_set_ops(nla, &desc, policy);
2973 if (IS_ERR(ops))
2974 return PTR_ERR(ops);
2975
2976 udlen = 0;
2977 if (nla[NFTA_SET_USERDATA])
2978 udlen = nla_len(nla[NFTA_SET_USERDATA]);
2979
2980 size = 0;
2981 if (ops->privsize != NULL)
2982 size = ops->privsize(nla);
2983
2984 err = -ENOMEM;
2985 set = kzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
2986 if (set == NULL)
2987 goto err1;
2988
2989 nla_strlcpy(name, nla[NFTA_SET_NAME], sizeof(set->name));
2990 err = nf_tables_set_alloc_name(&ctx, set, name);
2991 if (err < 0)
2992 goto err2;
2993
2994 udata = NULL;
2995 if (udlen) {
2996 udata = set->data + size;
2997 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
2998 }
2999
3000 INIT_LIST_HEAD(&set->bindings);
3001 set->ops = ops;
3002 set->ktype = ktype;
3003 set->klen = desc.klen;
3004 set->dtype = dtype;
3005 set->objtype = objtype;
3006 set->dlen = desc.dlen;
3007 set->flags = flags;
3008 set->size = desc.size;
3009 set->policy = policy;
3010 set->udlen = udlen;
3011 set->udata = udata;
3012 set->timeout = timeout;
3013 set->gc_int = gc_int;
3014
3015 err = ops->init(set, &desc, nla);
3016 if (err < 0)
3017 goto err2;
3018
3019 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3020 if (err < 0)
3021 goto err3;
3022
3023 list_add_tail_rcu(&set->list, &table->sets);
3024 table->use++;
3025 return 0;
3026
3027 err3:
3028 ops->destroy(set);
3029 err2:
3030 kfree(set);
3031 err1:
3032 module_put(ops->owner);
3033 return err;
3034 }
3035
3036 static void nft_set_destroy(struct nft_set *set)
3037 {
3038 set->ops->destroy(set);
3039 module_put(set->ops->owner);
3040 kfree(set);
3041 }
3042
3043 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
3044 {
3045 list_del_rcu(&set->list);
3046 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
3047 nft_set_destroy(set);
3048 }
3049
3050 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3051 struct sk_buff *skb, const struct nlmsghdr *nlh,
3052 const struct nlattr * const nla[])
3053 {
3054 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3055 u8 genmask = nft_genmask_next(net);
3056 struct nft_set *set;
3057 struct nft_ctx ctx;
3058 int err;
3059
3060 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3061 return -EAFNOSUPPORT;
3062 if (nla[NFTA_SET_TABLE] == NULL)
3063 return -EINVAL;
3064
3065 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
3066 if (err < 0)
3067 return err;
3068
3069 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3070 if (IS_ERR(set))
3071 return PTR_ERR(set);
3072 if (!list_empty(&set->bindings))
3073 return -EBUSY;
3074
3075 return nft_delset(&ctx, set);
3076 }
3077
3078 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3079 const struct nft_set *set,
3080 const struct nft_set_iter *iter,
3081 const struct nft_set_elem *elem)
3082 {
3083 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3084 enum nft_registers dreg;
3085
3086 dreg = nft_type_to_reg(set->dtype);
3087 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3088 set->dtype == NFT_DATA_VERDICT ?
3089 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3090 set->dlen);
3091 }
3092
3093 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3094 struct nft_set_binding *binding)
3095 {
3096 struct nft_set_binding *i;
3097 struct nft_set_iter iter;
3098
3099 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
3100 return -EBUSY;
3101
3102 if (binding->flags & NFT_SET_MAP) {
3103 /* If the set is already bound to the same chain all
3104 * jumps are already validated for that chain.
3105 */
3106 list_for_each_entry(i, &set->bindings, list) {
3107 if (i->flags & NFT_SET_MAP &&
3108 i->chain == binding->chain)
3109 goto bind;
3110 }
3111
3112 iter.genmask = nft_genmask_next(ctx->net);
3113 iter.skip = 0;
3114 iter.count = 0;
3115 iter.err = 0;
3116 iter.fn = nf_tables_bind_check_setelem;
3117
3118 set->ops->walk(ctx, set, &iter);
3119 if (iter.err < 0)
3120 return iter.err;
3121 }
3122 bind:
3123 binding->chain = ctx->chain;
3124 list_add_tail_rcu(&binding->list, &set->bindings);
3125 return 0;
3126 }
3127
3128 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3129 struct nft_set_binding *binding)
3130 {
3131 list_del_rcu(&binding->list);
3132
3133 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS &&
3134 nft_is_active(ctx->net, set))
3135 nf_tables_set_destroy(ctx, set);
3136 }
3137
3138 const struct nft_set_ext_type nft_set_ext_types[] = {
3139 [NFT_SET_EXT_KEY] = {
3140 .align = __alignof__(u32),
3141 },
3142 [NFT_SET_EXT_DATA] = {
3143 .align = __alignof__(u32),
3144 },
3145 [NFT_SET_EXT_EXPR] = {
3146 .align = __alignof__(struct nft_expr),
3147 },
3148 [NFT_SET_EXT_OBJREF] = {
3149 .len = sizeof(struct nft_object *),
3150 .align = __alignof__(struct nft_object *),
3151 },
3152 [NFT_SET_EXT_FLAGS] = {
3153 .len = sizeof(u8),
3154 .align = __alignof__(u8),
3155 },
3156 [NFT_SET_EXT_TIMEOUT] = {
3157 .len = sizeof(u64),
3158 .align = __alignof__(u64),
3159 },
3160 [NFT_SET_EXT_EXPIRATION] = {
3161 .len = sizeof(unsigned long),
3162 .align = __alignof__(unsigned long),
3163 },
3164 [NFT_SET_EXT_USERDATA] = {
3165 .len = sizeof(struct nft_userdata),
3166 .align = __alignof__(struct nft_userdata),
3167 },
3168 };
3169 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3170
3171 /*
3172 * Set elements
3173 */
3174
3175 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3176 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3177 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3178 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3179 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3180 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3181 .len = NFT_USERDATA_MAXLEN },
3182 };
3183
3184 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3185 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING },
3186 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING },
3187 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3188 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3189 };
3190
3191 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3192 const struct sk_buff *skb,
3193 const struct nlmsghdr *nlh,
3194 const struct nlattr * const nla[],
3195 u8 genmask)
3196 {
3197 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3198 struct nft_af_info *afi;
3199 struct nft_table *table;
3200
3201 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
3202 if (IS_ERR(afi))
3203 return PTR_ERR(afi);
3204
3205 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE],
3206 genmask);
3207 if (IS_ERR(table))
3208 return PTR_ERR(table);
3209
3210 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
3211 return 0;
3212 }
3213
3214 static int nf_tables_fill_setelem(struct sk_buff *skb,
3215 const struct nft_set *set,
3216 const struct nft_set_elem *elem)
3217 {
3218 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3219 unsigned char *b = skb_tail_pointer(skb);
3220 struct nlattr *nest;
3221
3222 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3223 if (nest == NULL)
3224 goto nla_put_failure;
3225
3226 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3227 NFT_DATA_VALUE, set->klen) < 0)
3228 goto nla_put_failure;
3229
3230 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3231 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3232 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3233 set->dlen) < 0)
3234 goto nla_put_failure;
3235
3236 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3237 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3238 goto nla_put_failure;
3239
3240 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3241 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3242 (*nft_set_ext_obj(ext))->name) < 0)
3243 goto nla_put_failure;
3244
3245 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3246 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3247 htonl(*nft_set_ext_flags(ext))))
3248 goto nla_put_failure;
3249
3250 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3251 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3252 cpu_to_be64(jiffies_to_msecs(
3253 *nft_set_ext_timeout(ext))),
3254 NFTA_SET_ELEM_PAD))
3255 goto nla_put_failure;
3256
3257 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3258 unsigned long expires, now = jiffies;
3259
3260 expires = *nft_set_ext_expiration(ext);
3261 if (time_before(now, expires))
3262 expires -= now;
3263 else
3264 expires = 0;
3265
3266 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3267 cpu_to_be64(jiffies_to_msecs(expires)),
3268 NFTA_SET_ELEM_PAD))
3269 goto nla_put_failure;
3270 }
3271
3272 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3273 struct nft_userdata *udata;
3274
3275 udata = nft_set_ext_userdata(ext);
3276 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3277 udata->len + 1, udata->data))
3278 goto nla_put_failure;
3279 }
3280
3281 nla_nest_end(skb, nest);
3282 return 0;
3283
3284 nla_put_failure:
3285 nlmsg_trim(skb, b);
3286 return -EMSGSIZE;
3287 }
3288
3289 struct nft_set_dump_args {
3290 const struct netlink_callback *cb;
3291 struct nft_set_iter iter;
3292 struct sk_buff *skb;
3293 };
3294
3295 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3296 const struct nft_set *set,
3297 const struct nft_set_iter *iter,
3298 const struct nft_set_elem *elem)
3299 {
3300 struct nft_set_dump_args *args;
3301
3302 args = container_of(iter, struct nft_set_dump_args, iter);
3303 return nf_tables_fill_setelem(args->skb, set, elem);
3304 }
3305
3306 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3307 {
3308 struct net *net = sock_net(skb->sk);
3309 u8 genmask = nft_genmask_cur(net);
3310 const struct nft_set *set;
3311 struct nft_set_dump_args args;
3312 struct nft_ctx ctx;
3313 struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
3314 struct nfgenmsg *nfmsg;
3315 struct nlmsghdr *nlh;
3316 struct nlattr *nest;
3317 u32 portid, seq;
3318 int event, err;
3319
3320 err = nlmsg_parse(cb->nlh, sizeof(struct nfgenmsg), nla,
3321 NFTA_SET_ELEM_LIST_MAX, nft_set_elem_list_policy);
3322 if (err < 0)
3323 return err;
3324
3325 err = nft_ctx_init_from_elemattr(&ctx, net, cb->skb, cb->nlh,
3326 (void *)nla, genmask);
3327 if (err < 0)
3328 return err;
3329
3330 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3331 genmask);
3332 if (IS_ERR(set))
3333 return PTR_ERR(set);
3334
3335 event = NFT_MSG_NEWSETELEM;
3336 event |= NFNL_SUBSYS_NFTABLES << 8;
3337 portid = NETLINK_CB(cb->skb).portid;
3338 seq = cb->nlh->nlmsg_seq;
3339
3340 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3341 NLM_F_MULTI);
3342 if (nlh == NULL)
3343 goto nla_put_failure;
3344
3345 nfmsg = nlmsg_data(nlh);
3346 nfmsg->nfgen_family = ctx.afi->family;
3347 nfmsg->version = NFNETLINK_V0;
3348 nfmsg->res_id = htons(ctx.net->nft.base_seq & 0xffff);
3349
3350 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
3351 goto nla_put_failure;
3352 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3353 goto nla_put_failure;
3354
3355 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3356 if (nest == NULL)
3357 goto nla_put_failure;
3358
3359 args.cb = cb;
3360 args.skb = skb;
3361 args.iter.genmask = nft_genmask_cur(ctx.net);
3362 args.iter.skip = cb->args[0];
3363 args.iter.count = 0;
3364 args.iter.err = 0;
3365 args.iter.fn = nf_tables_dump_setelem;
3366 set->ops->walk(&ctx, set, &args.iter);
3367
3368 nla_nest_end(skb, nest);
3369 nlmsg_end(skb, nlh);
3370
3371 if (args.iter.err && args.iter.err != -EMSGSIZE)
3372 return args.iter.err;
3373 if (args.iter.count == cb->args[0])
3374 return 0;
3375
3376 cb->args[0] = args.iter.count;
3377 return skb->len;
3378
3379 nla_put_failure:
3380 return -ENOSPC;
3381 }
3382
3383 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3384 struct sk_buff *skb, const struct nlmsghdr *nlh,
3385 const struct nlattr * const nla[])
3386 {
3387 u8 genmask = nft_genmask_cur(net);
3388 const struct nft_set *set;
3389 struct nft_ctx ctx;
3390 int err;
3391
3392 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3393 if (err < 0)
3394 return err;
3395
3396 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3397 genmask);
3398 if (IS_ERR(set))
3399 return PTR_ERR(set);
3400
3401 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3402 struct netlink_dump_control c = {
3403 .dump = nf_tables_dump_set,
3404 };
3405 return netlink_dump_start(nlsk, skb, nlh, &c);
3406 }
3407 return -EOPNOTSUPP;
3408 }
3409
3410 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3411 const struct nft_ctx *ctx, u32 seq,
3412 u32 portid, int event, u16 flags,
3413 const struct nft_set *set,
3414 const struct nft_set_elem *elem)
3415 {
3416 struct nfgenmsg *nfmsg;
3417 struct nlmsghdr *nlh;
3418 struct nlattr *nest;
3419 int err;
3420
3421 event |= NFNL_SUBSYS_NFTABLES << 8;
3422 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3423 flags);
3424 if (nlh == NULL)
3425 goto nla_put_failure;
3426
3427 nfmsg = nlmsg_data(nlh);
3428 nfmsg->nfgen_family = ctx->afi->family;
3429 nfmsg->version = NFNETLINK_V0;
3430 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3431
3432 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3433 goto nla_put_failure;
3434 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3435 goto nla_put_failure;
3436
3437 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3438 if (nest == NULL)
3439 goto nla_put_failure;
3440
3441 err = nf_tables_fill_setelem(skb, set, elem);
3442 if (err < 0)
3443 goto nla_put_failure;
3444
3445 nla_nest_end(skb, nest);
3446
3447 nlmsg_end(skb, nlh);
3448 return 0;
3449
3450 nla_put_failure:
3451 nlmsg_trim(skb, nlh);
3452 return -1;
3453 }
3454
3455 static int nf_tables_setelem_notify(const struct nft_ctx *ctx,
3456 const struct nft_set *set,
3457 const struct nft_set_elem *elem,
3458 int event, u16 flags)
3459 {
3460 struct net *net = ctx->net;
3461 u32 portid = ctx->portid;
3462 struct sk_buff *skb;
3463 int err;
3464
3465 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3466 return 0;
3467
3468 err = -ENOBUFS;
3469 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3470 if (skb == NULL)
3471 goto err;
3472
3473 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3474 set, elem);
3475 if (err < 0) {
3476 kfree_skb(skb);
3477 goto err;
3478 }
3479
3480 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3481 GFP_KERNEL);
3482 err:
3483 if (err < 0)
3484 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
3485 return err;
3486 }
3487
3488 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3489 int msg_type,
3490 struct nft_set *set)
3491 {
3492 struct nft_trans *trans;
3493
3494 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3495 if (trans == NULL)
3496 return NULL;
3497
3498 nft_trans_elem_set(trans) = set;
3499 return trans;
3500 }
3501
3502 void *nft_set_elem_init(const struct nft_set *set,
3503 const struct nft_set_ext_tmpl *tmpl,
3504 const u32 *key, const u32 *data,
3505 u64 timeout, gfp_t gfp)
3506 {
3507 struct nft_set_ext *ext;
3508 void *elem;
3509
3510 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3511 if (elem == NULL)
3512 return NULL;
3513
3514 ext = nft_set_elem_ext(set, elem);
3515 nft_set_ext_init(ext, tmpl);
3516
3517 memcpy(nft_set_ext_key(ext), key, set->klen);
3518 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3519 memcpy(nft_set_ext_data(ext), data, set->dlen);
3520 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3521 *nft_set_ext_expiration(ext) =
3522 jiffies + timeout;
3523 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3524 *nft_set_ext_timeout(ext) = timeout;
3525
3526 return elem;
3527 }
3528
3529 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
3530 bool destroy_expr)
3531 {
3532 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3533
3534 nft_data_uninit(nft_set_ext_key(ext), NFT_DATA_VALUE);
3535 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3536 nft_data_uninit(nft_set_ext_data(ext), set->dtype);
3537 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3538 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3539 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
3540 (*nft_set_ext_obj(ext))->use--;
3541 kfree(elem);
3542 }
3543 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3544
3545 static int nft_setelem_parse_flags(const struct nft_set *set,
3546 const struct nlattr *attr, u32 *flags)
3547 {
3548 if (attr == NULL)
3549 return 0;
3550
3551 *flags = ntohl(nla_get_be32(attr));
3552 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3553 return -EINVAL;
3554 if (!(set->flags & NFT_SET_INTERVAL) &&
3555 *flags & NFT_SET_ELEM_INTERVAL_END)
3556 return -EINVAL;
3557
3558 return 0;
3559 }
3560
3561 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3562 const struct nlattr *attr, u32 nlmsg_flags)
3563 {
3564 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3565 u8 genmask = nft_genmask_next(ctx->net);
3566 struct nft_data_desc d1, d2;
3567 struct nft_set_ext_tmpl tmpl;
3568 struct nft_set_ext *ext, *ext2;
3569 struct nft_set_elem elem;
3570 struct nft_set_binding *binding;
3571 struct nft_object *obj = NULL;
3572 struct nft_userdata *udata;
3573 struct nft_data data;
3574 enum nft_registers dreg;
3575 struct nft_trans *trans;
3576 u32 flags = 0;
3577 u64 timeout;
3578 u8 ulen;
3579 int err;
3580
3581 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3582 nft_set_elem_policy);
3583 if (err < 0)
3584 return err;
3585
3586 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3587 return -EINVAL;
3588
3589 nft_set_ext_prepare(&tmpl);
3590
3591 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3592 if (err < 0)
3593 return err;
3594 if (flags != 0)
3595 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3596
3597 if (set->flags & NFT_SET_MAP) {
3598 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3599 !(flags & NFT_SET_ELEM_INTERVAL_END))
3600 return -EINVAL;
3601 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3602 flags & NFT_SET_ELEM_INTERVAL_END)
3603 return -EINVAL;
3604 } else {
3605 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3606 return -EINVAL;
3607 }
3608
3609 timeout = 0;
3610 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
3611 if (!(set->flags & NFT_SET_TIMEOUT))
3612 return -EINVAL;
3613 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3614 nla[NFTA_SET_ELEM_TIMEOUT])));
3615 } else if (set->flags & NFT_SET_TIMEOUT) {
3616 timeout = set->timeout;
3617 }
3618
3619 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
3620 nla[NFTA_SET_ELEM_KEY]);
3621 if (err < 0)
3622 goto err1;
3623 err = -EINVAL;
3624 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
3625 goto err2;
3626
3627 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
3628 if (timeout > 0) {
3629 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
3630 if (timeout != set->timeout)
3631 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
3632 }
3633
3634 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
3635 if (!(set->flags & NFT_SET_OBJECT)) {
3636 err = -EINVAL;
3637 goto err2;
3638 }
3639 obj = nf_tables_obj_lookup(ctx->table, nla[NFTA_SET_ELEM_OBJREF],
3640 set->objtype, genmask);
3641 if (IS_ERR(obj)) {
3642 err = PTR_ERR(obj);
3643 goto err2;
3644 }
3645 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
3646 }
3647
3648 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
3649 err = nft_data_init(ctx, &data, sizeof(data), &d2,
3650 nla[NFTA_SET_ELEM_DATA]);
3651 if (err < 0)
3652 goto err2;
3653
3654 err = -EINVAL;
3655 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
3656 goto err3;
3657
3658 dreg = nft_type_to_reg(set->dtype);
3659 list_for_each_entry(binding, &set->bindings, list) {
3660 struct nft_ctx bind_ctx = {
3661 .net = ctx->net,
3662 .afi = ctx->afi,
3663 .table = ctx->table,
3664 .chain = (struct nft_chain *)binding->chain,
3665 };
3666
3667 if (!(binding->flags & NFT_SET_MAP))
3668 continue;
3669
3670 err = nft_validate_register_store(&bind_ctx, dreg,
3671 &data,
3672 d2.type, d2.len);
3673 if (err < 0)
3674 goto err3;
3675 }
3676
3677 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
3678 }
3679
3680 /* The full maximum length of userdata can exceed the maximum
3681 * offset value (U8_MAX) for following extensions, therefor it
3682 * must be the last extension added.
3683 */
3684 ulen = 0;
3685 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
3686 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
3687 if (ulen > 0)
3688 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
3689 ulen);
3690 }
3691
3692 err = -ENOMEM;
3693 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
3694 timeout, GFP_KERNEL);
3695 if (elem.priv == NULL)
3696 goto err3;
3697
3698 ext = nft_set_elem_ext(set, elem.priv);
3699 if (flags)
3700 *nft_set_ext_flags(ext) = flags;
3701 if (ulen > 0) {
3702 udata = nft_set_ext_userdata(ext);
3703 udata->len = ulen - 1;
3704 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
3705 }
3706 if (obj) {
3707 *nft_set_ext_obj(ext) = obj;
3708 obj->use++;
3709 }
3710
3711 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
3712 if (trans == NULL)
3713 goto err4;
3714
3715 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
3716 err = set->ops->insert(ctx->net, set, &elem, &ext2);
3717 if (err) {
3718 if (err == -EEXIST) {
3719 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3720 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
3721 memcmp(nft_set_ext_data(ext),
3722 nft_set_ext_data(ext2), set->dlen) != 0) ||
3723 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3724 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
3725 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
3726 err = -EBUSY;
3727 else if (!(nlmsg_flags & NLM_F_EXCL))
3728 err = 0;
3729 }
3730 goto err5;
3731 }
3732
3733 nft_trans_elem(trans) = elem;
3734 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3735 return 0;
3736
3737 err5:
3738 kfree(trans);
3739 err4:
3740 kfree(elem.priv);
3741 err3:
3742 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3743 nft_data_uninit(&data, d2.type);
3744 err2:
3745 nft_data_uninit(&elem.key.val, d1.type);
3746 err1:
3747 return err;
3748 }
3749
3750 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
3751 struct sk_buff *skb, const struct nlmsghdr *nlh,
3752 const struct nlattr * const nla[])
3753 {
3754 u8 genmask = nft_genmask_next(net);
3755 const struct nlattr *attr;
3756 struct nft_set *set;
3757 struct nft_ctx ctx;
3758 int rem, err = 0;
3759
3760 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3761 return -EINVAL;
3762
3763 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3764 if (err < 0)
3765 return err;
3766
3767 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3768 genmask);
3769 if (IS_ERR(set)) {
3770 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
3771 set = nf_tables_set_lookup_byid(net,
3772 nla[NFTA_SET_ELEM_LIST_SET_ID],
3773 genmask);
3774 }
3775 if (IS_ERR(set))
3776 return PTR_ERR(set);
3777 }
3778
3779 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3780 return -EBUSY;
3781
3782 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3783 if (set->size &&
3784 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact))
3785 return -ENFILE;
3786
3787 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
3788 if (err < 0) {
3789 atomic_dec(&set->nelems);
3790 break;
3791 }
3792 }
3793 return err;
3794 }
3795
3796 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
3797 const struct nlattr *attr)
3798 {
3799 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3800 struct nft_set_ext_tmpl tmpl;
3801 struct nft_data_desc desc;
3802 struct nft_set_elem elem;
3803 struct nft_set_ext *ext;
3804 struct nft_trans *trans;
3805 u32 flags = 0;
3806 void *priv;
3807 int err;
3808
3809 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3810 nft_set_elem_policy);
3811 if (err < 0)
3812 goto err1;
3813
3814 err = -EINVAL;
3815 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3816 goto err1;
3817
3818 nft_set_ext_prepare(&tmpl);
3819
3820 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3821 if (err < 0)
3822 return err;
3823 if (flags != 0)
3824 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3825
3826 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3827 nla[NFTA_SET_ELEM_KEY]);
3828 if (err < 0)
3829 goto err1;
3830
3831 err = -EINVAL;
3832 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3833 goto err2;
3834
3835 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
3836
3837 err = -ENOMEM;
3838 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
3839 GFP_KERNEL);
3840 if (elem.priv == NULL)
3841 goto err2;
3842
3843 ext = nft_set_elem_ext(set, elem.priv);
3844 if (flags)
3845 *nft_set_ext_flags(ext) = flags;
3846
3847 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
3848 if (trans == NULL) {
3849 err = -ENOMEM;
3850 goto err3;
3851 }
3852
3853 priv = set->ops->deactivate(ctx->net, set, &elem);
3854 if (priv == NULL) {
3855 err = -ENOENT;
3856 goto err4;
3857 }
3858 kfree(elem.priv);
3859 elem.priv = priv;
3860
3861 nft_trans_elem(trans) = elem;
3862 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
3863 return 0;
3864
3865 err4:
3866 kfree(trans);
3867 err3:
3868 kfree(elem.priv);
3869 err2:
3870 nft_data_uninit(&elem.key.val, desc.type);
3871 err1:
3872 return err;
3873 }
3874
3875 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
3876 struct sk_buff *skb, const struct nlmsghdr *nlh,
3877 const struct nlattr * const nla[])
3878 {
3879 u8 genmask = nft_genmask_next(net);
3880 const struct nlattr *attr;
3881 struct nft_set *set;
3882 struct nft_ctx ctx;
3883 int rem, err = 0;
3884
3885 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
3886 return -EINVAL;
3887
3888 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3889 if (err < 0)
3890 return err;
3891
3892 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3893 genmask);
3894 if (IS_ERR(set))
3895 return PTR_ERR(set);
3896 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
3897 return -EBUSY;
3898
3899 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3900 err = nft_del_setelem(&ctx, set, attr);
3901 if (err < 0)
3902 break;
3903
3904 set->ndeact++;
3905 }
3906 return err;
3907 }
3908
3909 void nft_set_gc_batch_release(struct rcu_head *rcu)
3910 {
3911 struct nft_set_gc_batch *gcb;
3912 unsigned int i;
3913
3914 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
3915 for (i = 0; i < gcb->head.cnt; i++)
3916 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
3917 kfree(gcb);
3918 }
3919 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
3920
3921 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
3922 gfp_t gfp)
3923 {
3924 struct nft_set_gc_batch *gcb;
3925
3926 gcb = kzalloc(sizeof(*gcb), gfp);
3927 if (gcb == NULL)
3928 return gcb;
3929 gcb->head.set = set;
3930 return gcb;
3931 }
3932 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
3933
3934 /*
3935 * Stateful objects
3936 */
3937
3938 /**
3939 * nft_register_obj- register nf_tables stateful object type
3940 * @obj: object type
3941 *
3942 * Registers the object type for use with nf_tables. Returns zero on
3943 * success or a negative errno code otherwise.
3944 */
3945 int nft_register_obj(struct nft_object_type *obj_type)
3946 {
3947 if (obj_type->type == NFT_OBJECT_UNSPEC)
3948 return -EINVAL;
3949
3950 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3951 list_add_rcu(&obj_type->list, &nf_tables_objects);
3952 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3953 return 0;
3954 }
3955 EXPORT_SYMBOL_GPL(nft_register_obj);
3956
3957 /**
3958 * nft_unregister_obj - unregister nf_tables object type
3959 * @obj: object type
3960 *
3961 * Unregisters the object type for use with nf_tables.
3962 */
3963 void nft_unregister_obj(struct nft_object_type *obj_type)
3964 {
3965 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3966 list_del_rcu(&obj_type->list);
3967 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3968 }
3969 EXPORT_SYMBOL_GPL(nft_unregister_obj);
3970
3971 struct nft_object *nf_tables_obj_lookup(const struct nft_table *table,
3972 const struct nlattr *nla,
3973 u32 objtype, u8 genmask)
3974 {
3975 struct nft_object *obj;
3976
3977 list_for_each_entry(obj, &table->objects, list) {
3978 if (!nla_strcmp(nla, obj->name) &&
3979 objtype == obj->type->type &&
3980 nft_active_genmask(obj, genmask))
3981 return obj;
3982 }
3983 return ERR_PTR(-ENOENT);
3984 }
3985 EXPORT_SYMBOL_GPL(nf_tables_obj_lookup);
3986
3987 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
3988 [NFTA_OBJ_TABLE] = { .type = NLA_STRING },
3989 [NFTA_OBJ_NAME] = { .type = NLA_STRING },
3990 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
3991 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
3992 };
3993
3994 static struct nft_object *nft_obj_init(const struct nft_object_type *type,
3995 const struct nlattr *attr)
3996 {
3997 struct nlattr *tb[type->maxattr + 1];
3998 struct nft_object *obj;
3999 int err;
4000
4001 if (attr) {
4002 err = nla_parse_nested(tb, type->maxattr, attr, type->policy);
4003 if (err < 0)
4004 goto err1;
4005 } else {
4006 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4007 }
4008
4009 err = -ENOMEM;
4010 obj = kzalloc(sizeof(struct nft_object) + type->size, GFP_KERNEL);
4011 if (obj == NULL)
4012 goto err1;
4013
4014 err = type->init((const struct nlattr * const *)tb, obj);
4015 if (err < 0)
4016 goto err2;
4017
4018 obj->type = type;
4019 return obj;
4020 err2:
4021 kfree(obj);
4022 err1:
4023 return ERR_PTR(err);
4024 }
4025
4026 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
4027 struct nft_object *obj, bool reset)
4028 {
4029 struct nlattr *nest;
4030
4031 nest = nla_nest_start(skb, attr);
4032 if (!nest)
4033 goto nla_put_failure;
4034 if (obj->type->dump(skb, obj, reset) < 0)
4035 goto nla_put_failure;
4036 nla_nest_end(skb, nest);
4037 return 0;
4038
4039 nla_put_failure:
4040 return -1;
4041 }
4042
4043 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
4044 {
4045 const struct nft_object_type *type;
4046
4047 list_for_each_entry(type, &nf_tables_objects, list) {
4048 if (objtype == type->type)
4049 return type;
4050 }
4051 return NULL;
4052 }
4053
4054 static const struct nft_object_type *nft_obj_type_get(u32 objtype)
4055 {
4056 const struct nft_object_type *type;
4057
4058 type = __nft_obj_type_get(objtype);
4059 if (type != NULL && try_module_get(type->owner))
4060 return type;
4061
4062 #ifdef CONFIG_MODULES
4063 if (type == NULL) {
4064 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4065 request_module("nft-obj-%u", objtype);
4066 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4067 if (__nft_obj_type_get(objtype))
4068 return ERR_PTR(-EAGAIN);
4069 }
4070 #endif
4071 return ERR_PTR(-ENOENT);
4072 }
4073
4074 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
4075 struct sk_buff *skb, const struct nlmsghdr *nlh,
4076 const struct nlattr * const nla[])
4077 {
4078 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4079 const struct nft_object_type *type;
4080 u8 genmask = nft_genmask_next(net);
4081 int family = nfmsg->nfgen_family;
4082 struct nft_af_info *afi;
4083 struct nft_table *table;
4084 struct nft_object *obj;
4085 struct nft_ctx ctx;
4086 u32 objtype;
4087 int err;
4088
4089 if (!nla[NFTA_OBJ_TYPE] ||
4090 !nla[NFTA_OBJ_NAME] ||
4091 !nla[NFTA_OBJ_DATA])
4092 return -EINVAL;
4093
4094 afi = nf_tables_afinfo_lookup(net, family, true);
4095 if (IS_ERR(afi))
4096 return PTR_ERR(afi);
4097
4098 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4099 if (IS_ERR(table))
4100 return PTR_ERR(table);
4101
4102 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4103 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4104 if (IS_ERR(obj)) {
4105 err = PTR_ERR(obj);
4106 if (err != -ENOENT)
4107 return err;
4108
4109 obj = NULL;
4110 }
4111
4112 if (obj != NULL) {
4113 if (nlh->nlmsg_flags & NLM_F_EXCL)
4114 return -EEXIST;
4115
4116 return 0;
4117 }
4118
4119 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
4120
4121 type = nft_obj_type_get(objtype);
4122 if (IS_ERR(type))
4123 return PTR_ERR(type);
4124
4125 obj = nft_obj_init(type, nla[NFTA_OBJ_DATA]);
4126 if (IS_ERR(obj)) {
4127 err = PTR_ERR(obj);
4128 goto err1;
4129 }
4130 obj->table = table;
4131 nla_strlcpy(obj->name, nla[NFTA_OBJ_NAME], NFT_OBJ_MAXNAMELEN);
4132
4133 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
4134 if (err < 0)
4135 goto err2;
4136
4137 list_add_tail_rcu(&obj->list, &table->objects);
4138 table->use++;
4139 return 0;
4140 err2:
4141 if (obj->type->destroy)
4142 obj->type->destroy(obj);
4143 kfree(obj);
4144 err1:
4145 module_put(type->owner);
4146 return err;
4147 }
4148
4149 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
4150 u32 portid, u32 seq, int event, u32 flags,
4151 int family, const struct nft_table *table,
4152 struct nft_object *obj, bool reset)
4153 {
4154 struct nfgenmsg *nfmsg;
4155 struct nlmsghdr *nlh;
4156
4157 event |= NFNL_SUBSYS_NFTABLES << 8;
4158 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
4159 if (nlh == NULL)
4160 goto nla_put_failure;
4161
4162 nfmsg = nlmsg_data(nlh);
4163 nfmsg->nfgen_family = family;
4164 nfmsg->version = NFNETLINK_V0;
4165 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4166
4167 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
4168 nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
4169 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->type->type)) ||
4170 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
4171 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
4172 goto nla_put_failure;
4173
4174 nlmsg_end(skb, nlh);
4175 return 0;
4176
4177 nla_put_failure:
4178 nlmsg_trim(skb, nlh);
4179 return -1;
4180 }
4181
4182 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
4183 {
4184 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
4185 const struct nft_af_info *afi;
4186 const struct nft_table *table;
4187 unsigned int idx = 0, s_idx = cb->args[0];
4188 struct net *net = sock_net(skb->sk);
4189 int family = nfmsg->nfgen_family;
4190 struct nft_object *obj;
4191 bool reset = false;
4192
4193 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4194 reset = true;
4195
4196 rcu_read_lock();
4197 cb->seq = net->nft.base_seq;
4198
4199 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
4200 if (family != NFPROTO_UNSPEC && family != afi->family)
4201 continue;
4202
4203 list_for_each_entry_rcu(table, &afi->tables, list) {
4204 list_for_each_entry_rcu(obj, &table->objects, list) {
4205 if (!nft_is_active(net, obj))
4206 goto cont;
4207 if (idx < s_idx)
4208 goto cont;
4209 if (idx > s_idx)
4210 memset(&cb->args[1], 0,
4211 sizeof(cb->args) - sizeof(cb->args[0]));
4212 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
4213 cb->nlh->nlmsg_seq,
4214 NFT_MSG_NEWOBJ,
4215 NLM_F_MULTI | NLM_F_APPEND,
4216 afi->family, table, obj, reset) < 0)
4217 goto done;
4218
4219 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4220 cont:
4221 idx++;
4222 }
4223 }
4224 }
4225 done:
4226 rcu_read_unlock();
4227
4228 cb->args[0] = idx;
4229 return skb->len;
4230 }
4231
4232 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
4233 struct sk_buff *skb, const struct nlmsghdr *nlh,
4234 const struct nlattr * const nla[])
4235 {
4236 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4237 u8 genmask = nft_genmask_cur(net);
4238 int family = nfmsg->nfgen_family;
4239 const struct nft_af_info *afi;
4240 const struct nft_table *table;
4241 struct nft_object *obj;
4242 struct sk_buff *skb2;
4243 bool reset = false;
4244 u32 objtype;
4245 int err;
4246
4247 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4248 struct netlink_dump_control c = {
4249 .dump = nf_tables_dump_obj,
4250 };
4251 return netlink_dump_start(nlsk, skb, nlh, &c);
4252 }
4253
4254 if (!nla[NFTA_OBJ_NAME] ||
4255 !nla[NFTA_OBJ_TYPE])
4256 return -EINVAL;
4257
4258 afi = nf_tables_afinfo_lookup(net, family, false);
4259 if (IS_ERR(afi))
4260 return PTR_ERR(afi);
4261
4262 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4263 if (IS_ERR(table))
4264 return PTR_ERR(table);
4265
4266 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4267 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4268 if (IS_ERR(obj))
4269 return PTR_ERR(obj);
4270
4271 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
4272 if (!skb2)
4273 return -ENOMEM;
4274
4275 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4276 reset = true;
4277
4278 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
4279 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
4280 family, table, obj, reset);
4281 if (err < 0)
4282 goto err;
4283
4284 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4285 err:
4286 kfree_skb(skb2);
4287 return err;
4288
4289 return 0;
4290 }
4291
4292 static void nft_obj_destroy(struct nft_object *obj)
4293 {
4294 if (obj->type->destroy)
4295 obj->type->destroy(obj);
4296
4297 module_put(obj->type->owner);
4298 kfree(obj);
4299 }
4300
4301 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
4302 struct sk_buff *skb, const struct nlmsghdr *nlh,
4303 const struct nlattr * const nla[])
4304 {
4305 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4306 u8 genmask = nft_genmask_next(net);
4307 int family = nfmsg->nfgen_family;
4308 struct nft_af_info *afi;
4309 struct nft_table *table;
4310 struct nft_object *obj;
4311 struct nft_ctx ctx;
4312 u32 objtype;
4313
4314 if (!nla[NFTA_OBJ_TYPE] ||
4315 !nla[NFTA_OBJ_NAME])
4316 return -EINVAL;
4317
4318 afi = nf_tables_afinfo_lookup(net, family, true);
4319 if (IS_ERR(afi))
4320 return PTR_ERR(afi);
4321
4322 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4323 if (IS_ERR(table))
4324 return PTR_ERR(table);
4325
4326 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4327 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4328 if (IS_ERR(obj))
4329 return PTR_ERR(obj);
4330 if (obj->use > 0)
4331 return -EBUSY;
4332
4333 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
4334
4335 return nft_delobj(&ctx, obj);
4336 }
4337
4338 int nft_obj_notify(struct net *net, struct nft_table *table,
4339 struct nft_object *obj, u32 portid, u32 seq, int event,
4340 int family, int report, gfp_t gfp)
4341 {
4342 struct sk_buff *skb;
4343 int err;
4344
4345 if (!report &&
4346 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4347 return 0;
4348
4349 err = -ENOBUFS;
4350 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
4351 if (skb == NULL)
4352 goto err;
4353
4354 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
4355 table, obj, false);
4356 if (err < 0) {
4357 kfree_skb(skb);
4358 goto err;
4359 }
4360
4361 err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
4362 err:
4363 if (err < 0) {
4364 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
4365 }
4366 return err;
4367 }
4368 EXPORT_SYMBOL_GPL(nft_obj_notify);
4369
4370 static int nf_tables_obj_notify(const struct nft_ctx *ctx,
4371 struct nft_object *obj, int event)
4372 {
4373 return nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid,
4374 ctx->seq, event, ctx->afi->family, ctx->report,
4375 GFP_KERNEL);
4376 }
4377
4378 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
4379 u32 portid, u32 seq)
4380 {
4381 struct nlmsghdr *nlh;
4382 struct nfgenmsg *nfmsg;
4383 int event = (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_NEWGEN;
4384
4385 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
4386 if (nlh == NULL)
4387 goto nla_put_failure;
4388
4389 nfmsg = nlmsg_data(nlh);
4390 nfmsg->nfgen_family = AF_UNSPEC;
4391 nfmsg->version = NFNETLINK_V0;
4392 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4393
4394 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)))
4395 goto nla_put_failure;
4396
4397 nlmsg_end(skb, nlh);
4398 return 0;
4399
4400 nla_put_failure:
4401 nlmsg_trim(skb, nlh);
4402 return -EMSGSIZE;
4403 }
4404
4405 static int nf_tables_gen_notify(struct net *net, struct sk_buff *skb, int event)
4406 {
4407 struct nlmsghdr *nlh = nlmsg_hdr(skb);
4408 struct sk_buff *skb2;
4409 int err;
4410
4411 if (nlmsg_report(nlh) &&
4412 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4413 return 0;
4414
4415 err = -ENOBUFS;
4416 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4417 if (skb2 == NULL)
4418 goto err;
4419
4420 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
4421 nlh->nlmsg_seq);
4422 if (err < 0) {
4423 kfree_skb(skb2);
4424 goto err;
4425 }
4426
4427 err = nfnetlink_send(skb2, net, NETLINK_CB(skb).portid,
4428 NFNLGRP_NFTABLES, nlmsg_report(nlh), GFP_KERNEL);
4429 err:
4430 if (err < 0) {
4431 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
4432 err);
4433 }
4434 return err;
4435 }
4436
4437 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
4438 struct sk_buff *skb, const struct nlmsghdr *nlh,
4439 const struct nlattr * const nla[])
4440 {
4441 struct sk_buff *skb2;
4442 int err;
4443
4444 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
4445 if (skb2 == NULL)
4446 return -ENOMEM;
4447
4448 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
4449 nlh->nlmsg_seq);
4450 if (err < 0)
4451 goto err;
4452
4453 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4454 err:
4455 kfree_skb(skb2);
4456 return err;
4457 }
4458
4459 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
4460 [NFT_MSG_NEWTABLE] = {
4461 .call_batch = nf_tables_newtable,
4462 .attr_count = NFTA_TABLE_MAX,
4463 .policy = nft_table_policy,
4464 },
4465 [NFT_MSG_GETTABLE] = {
4466 .call = nf_tables_gettable,
4467 .attr_count = NFTA_TABLE_MAX,
4468 .policy = nft_table_policy,
4469 },
4470 [NFT_MSG_DELTABLE] = {
4471 .call_batch = nf_tables_deltable,
4472 .attr_count = NFTA_TABLE_MAX,
4473 .policy = nft_table_policy,
4474 },
4475 [NFT_MSG_NEWCHAIN] = {
4476 .call_batch = nf_tables_newchain,
4477 .attr_count = NFTA_CHAIN_MAX,
4478 .policy = nft_chain_policy,
4479 },
4480 [NFT_MSG_GETCHAIN] = {
4481 .call = nf_tables_getchain,
4482 .attr_count = NFTA_CHAIN_MAX,
4483 .policy = nft_chain_policy,
4484 },
4485 [NFT_MSG_DELCHAIN] = {
4486 .call_batch = nf_tables_delchain,
4487 .attr_count = NFTA_CHAIN_MAX,
4488 .policy = nft_chain_policy,
4489 },
4490 [NFT_MSG_NEWRULE] = {
4491 .call_batch = nf_tables_newrule,
4492 .attr_count = NFTA_RULE_MAX,
4493 .policy = nft_rule_policy,
4494 },
4495 [NFT_MSG_GETRULE] = {
4496 .call = nf_tables_getrule,
4497 .attr_count = NFTA_RULE_MAX,
4498 .policy = nft_rule_policy,
4499 },
4500 [NFT_MSG_DELRULE] = {
4501 .call_batch = nf_tables_delrule,
4502 .attr_count = NFTA_RULE_MAX,
4503 .policy = nft_rule_policy,
4504 },
4505 [NFT_MSG_NEWSET] = {
4506 .call_batch = nf_tables_newset,
4507 .attr_count = NFTA_SET_MAX,
4508 .policy = nft_set_policy,
4509 },
4510 [NFT_MSG_GETSET] = {
4511 .call = nf_tables_getset,
4512 .attr_count = NFTA_SET_MAX,
4513 .policy = nft_set_policy,
4514 },
4515 [NFT_MSG_DELSET] = {
4516 .call_batch = nf_tables_delset,
4517 .attr_count = NFTA_SET_MAX,
4518 .policy = nft_set_policy,
4519 },
4520 [NFT_MSG_NEWSETELEM] = {
4521 .call_batch = nf_tables_newsetelem,
4522 .attr_count = NFTA_SET_ELEM_LIST_MAX,
4523 .policy = nft_set_elem_list_policy,
4524 },
4525 [NFT_MSG_GETSETELEM] = {
4526 .call = nf_tables_getsetelem,
4527 .attr_count = NFTA_SET_ELEM_LIST_MAX,
4528 .policy = nft_set_elem_list_policy,
4529 },
4530 [NFT_MSG_DELSETELEM] = {
4531 .call_batch = nf_tables_delsetelem,
4532 .attr_count = NFTA_SET_ELEM_LIST_MAX,
4533 .policy = nft_set_elem_list_policy,
4534 },
4535 [NFT_MSG_GETGEN] = {
4536 .call = nf_tables_getgen,
4537 },
4538 [NFT_MSG_NEWOBJ] = {
4539 .call_batch = nf_tables_newobj,
4540 .attr_count = NFTA_OBJ_MAX,
4541 .policy = nft_obj_policy,
4542 },
4543 [NFT_MSG_GETOBJ] = {
4544 .call = nf_tables_getobj,
4545 .attr_count = NFTA_OBJ_MAX,
4546 .policy = nft_obj_policy,
4547 },
4548 [NFT_MSG_DELOBJ] = {
4549 .call_batch = nf_tables_delobj,
4550 .attr_count = NFTA_OBJ_MAX,
4551 .policy = nft_obj_policy,
4552 },
4553 [NFT_MSG_GETOBJ_RESET] = {
4554 .call = nf_tables_getobj,
4555 .attr_count = NFTA_OBJ_MAX,
4556 .policy = nft_obj_policy,
4557 },
4558 };
4559
4560 static void nft_chain_commit_update(struct nft_trans *trans)
4561 {
4562 struct nft_base_chain *basechain;
4563
4564 if (nft_trans_chain_name(trans)[0])
4565 strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
4566
4567 if (!(trans->ctx.chain->flags & NFT_BASE_CHAIN))
4568 return;
4569
4570 basechain = nft_base_chain(trans->ctx.chain);
4571 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
4572
4573 switch (nft_trans_chain_policy(trans)) {
4574 case NF_DROP:
4575 case NF_ACCEPT:
4576 basechain->policy = nft_trans_chain_policy(trans);
4577 break;
4578 }
4579 }
4580
4581 static void nf_tables_commit_release(struct nft_trans *trans)
4582 {
4583 switch (trans->msg_type) {
4584 case NFT_MSG_DELTABLE:
4585 nf_tables_table_destroy(&trans->ctx);
4586 break;
4587 case NFT_MSG_DELCHAIN:
4588 nf_tables_chain_destroy(trans->ctx.chain);
4589 break;
4590 case NFT_MSG_DELRULE:
4591 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
4592 break;
4593 case NFT_MSG_DELSET:
4594 nft_set_destroy(nft_trans_set(trans));
4595 break;
4596 case NFT_MSG_DELSETELEM:
4597 nft_set_elem_destroy(nft_trans_elem_set(trans),
4598 nft_trans_elem(trans).priv, true);
4599 break;
4600 case NFT_MSG_DELOBJ:
4601 nft_obj_destroy(nft_trans_obj(trans));
4602 break;
4603 }
4604 kfree(trans);
4605 }
4606
4607 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
4608 {
4609 struct nft_trans *trans, *next;
4610 struct nft_trans_elem *te;
4611
4612 /* Bump generation counter, invalidate any dump in progress */
4613 while (++net->nft.base_seq == 0);
4614
4615 /* A new generation has just started */
4616 net->nft.gencursor = nft_gencursor_next(net);
4617
4618 /* Make sure all packets have left the previous generation before
4619 * purging old rules.
4620 */
4621 synchronize_rcu();
4622
4623 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
4624 switch (trans->msg_type) {
4625 case NFT_MSG_NEWTABLE:
4626 if (nft_trans_table_update(trans)) {
4627 if (!nft_trans_table_enable(trans)) {
4628 nf_tables_table_disable(net,
4629 trans->ctx.afi,
4630 trans->ctx.table);
4631 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
4632 }
4633 } else {
4634 nft_clear(net, trans->ctx.table);
4635 }
4636 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
4637 nft_trans_destroy(trans);
4638 break;
4639 case NFT_MSG_DELTABLE:
4640 list_del_rcu(&trans->ctx.table->list);
4641 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
4642 break;
4643 case NFT_MSG_NEWCHAIN:
4644 if (nft_trans_chain_update(trans))
4645 nft_chain_commit_update(trans);
4646 else
4647 nft_clear(net, trans->ctx.chain);
4648
4649 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
4650 nft_trans_destroy(trans);
4651 break;
4652 case NFT_MSG_DELCHAIN:
4653 list_del_rcu(&trans->ctx.chain->list);
4654 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
4655 nf_tables_unregister_hooks(trans->ctx.net,
4656 trans->ctx.table,
4657 trans->ctx.chain,
4658 trans->ctx.afi->nops);
4659 break;
4660 case NFT_MSG_NEWRULE:
4661 nft_clear(trans->ctx.net, nft_trans_rule(trans));
4662 nf_tables_rule_notify(&trans->ctx,
4663 nft_trans_rule(trans),
4664 NFT_MSG_NEWRULE);
4665 nft_trans_destroy(trans);
4666 break;
4667 case NFT_MSG_DELRULE:
4668 list_del_rcu(&nft_trans_rule(trans)->list);
4669 nf_tables_rule_notify(&trans->ctx,
4670 nft_trans_rule(trans),
4671 NFT_MSG_DELRULE);
4672 break;
4673 case NFT_MSG_NEWSET:
4674 nft_clear(net, nft_trans_set(trans));
4675 /* This avoids hitting -EBUSY when deleting the table
4676 * from the transaction.
4677 */
4678 if (nft_trans_set(trans)->flags & NFT_SET_ANONYMOUS &&
4679 !list_empty(&nft_trans_set(trans)->bindings))
4680 trans->ctx.table->use--;
4681
4682 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
4683 NFT_MSG_NEWSET, GFP_KERNEL);
4684 nft_trans_destroy(trans);
4685 break;
4686 case NFT_MSG_DELSET:
4687 list_del_rcu(&nft_trans_set(trans)->list);
4688 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
4689 NFT_MSG_DELSET, GFP_KERNEL);
4690 break;
4691 case NFT_MSG_NEWSETELEM:
4692 te = (struct nft_trans_elem *)trans->data;
4693
4694 te->set->ops->activate(net, te->set, &te->elem);
4695 nf_tables_setelem_notify(&trans->ctx, te->set,
4696 &te->elem,
4697 NFT_MSG_NEWSETELEM, 0);
4698 nft_trans_destroy(trans);
4699 break;
4700 case NFT_MSG_DELSETELEM:
4701 te = (struct nft_trans_elem *)trans->data;
4702
4703 nf_tables_setelem_notify(&trans->ctx, te->set,
4704 &te->elem,
4705 NFT_MSG_DELSETELEM, 0);
4706 te->set->ops->remove(te->set, &te->elem);
4707 atomic_dec(&te->set->nelems);
4708 te->set->ndeact--;
4709 break;
4710 case NFT_MSG_NEWOBJ:
4711 nft_clear(net, nft_trans_obj(trans));
4712 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
4713 NFT_MSG_NEWOBJ);
4714 nft_trans_destroy(trans);
4715 break;
4716 case NFT_MSG_DELOBJ:
4717 list_del_rcu(&nft_trans_obj(trans)->list);
4718 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
4719 NFT_MSG_DELOBJ);
4720 break;
4721 }
4722 }
4723
4724 synchronize_rcu();
4725
4726 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
4727 list_del(&trans->list);
4728 nf_tables_commit_release(trans);
4729 }
4730
4731 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
4732
4733 return 0;
4734 }
4735
4736 static void nf_tables_abort_release(struct nft_trans *trans)
4737 {
4738 switch (trans->msg_type) {
4739 case NFT_MSG_NEWTABLE:
4740 nf_tables_table_destroy(&trans->ctx);
4741 break;
4742 case NFT_MSG_NEWCHAIN:
4743 nf_tables_chain_destroy(trans->ctx.chain);
4744 break;
4745 case NFT_MSG_NEWRULE:
4746 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
4747 break;
4748 case NFT_MSG_NEWSET:
4749 nft_set_destroy(nft_trans_set(trans));
4750 break;
4751 case NFT_MSG_NEWSETELEM:
4752 nft_set_elem_destroy(nft_trans_elem_set(trans),
4753 nft_trans_elem(trans).priv, true);
4754 break;
4755 case NFT_MSG_NEWOBJ:
4756 nft_obj_destroy(nft_trans_obj(trans));
4757 break;
4758 }
4759 kfree(trans);
4760 }
4761
4762 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
4763 {
4764 struct nft_trans *trans, *next;
4765 struct nft_trans_elem *te;
4766
4767 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
4768 list) {
4769 switch (trans->msg_type) {
4770 case NFT_MSG_NEWTABLE:
4771 if (nft_trans_table_update(trans)) {
4772 if (nft_trans_table_enable(trans)) {
4773 nf_tables_table_disable(net,
4774 trans->ctx.afi,
4775 trans->ctx.table);
4776 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
4777 }
4778 nft_trans_destroy(trans);
4779 } else {
4780 list_del_rcu(&trans->ctx.table->list);
4781 }
4782 break;
4783 case NFT_MSG_DELTABLE:
4784 nft_clear(trans->ctx.net, trans->ctx.table);
4785 nft_trans_destroy(trans);
4786 break;
4787 case NFT_MSG_NEWCHAIN:
4788 if (nft_trans_chain_update(trans)) {
4789 free_percpu(nft_trans_chain_stats(trans));
4790
4791 nft_trans_destroy(trans);
4792 } else {
4793 trans->ctx.table->use--;
4794 list_del_rcu(&trans->ctx.chain->list);
4795 nf_tables_unregister_hooks(trans->ctx.net,
4796 trans->ctx.table,
4797 trans->ctx.chain,
4798 trans->ctx.afi->nops);
4799 }
4800 break;
4801 case NFT_MSG_DELCHAIN:
4802 trans->ctx.table->use++;
4803 nft_clear(trans->ctx.net, trans->ctx.chain);
4804 nft_trans_destroy(trans);
4805 break;
4806 case NFT_MSG_NEWRULE:
4807 trans->ctx.chain->use--;
4808 list_del_rcu(&nft_trans_rule(trans)->list);
4809 break;
4810 case NFT_MSG_DELRULE:
4811 trans->ctx.chain->use++;
4812 nft_clear(trans->ctx.net, nft_trans_rule(trans));
4813 nft_trans_destroy(trans);
4814 break;
4815 case NFT_MSG_NEWSET:
4816 trans->ctx.table->use--;
4817 list_del_rcu(&nft_trans_set(trans)->list);
4818 break;
4819 case NFT_MSG_DELSET:
4820 trans->ctx.table->use++;
4821 nft_clear(trans->ctx.net, nft_trans_set(trans));
4822 nft_trans_destroy(trans);
4823 break;
4824 case NFT_MSG_NEWSETELEM:
4825 te = (struct nft_trans_elem *)trans->data;
4826
4827 te->set->ops->remove(te->set, &te->elem);
4828 atomic_dec(&te->set->nelems);
4829 break;
4830 case NFT_MSG_DELSETELEM:
4831 te = (struct nft_trans_elem *)trans->data;
4832
4833 te->set->ops->activate(net, te->set, &te->elem);
4834 te->set->ndeact--;
4835
4836 nft_trans_destroy(trans);
4837 break;
4838 case NFT_MSG_NEWOBJ:
4839 trans->ctx.table->use--;
4840 list_del_rcu(&nft_trans_obj(trans)->list);
4841 break;
4842 case NFT_MSG_DELOBJ:
4843 trans->ctx.table->use++;
4844 nft_clear(trans->ctx.net, nft_trans_obj(trans));
4845 nft_trans_destroy(trans);
4846 break;
4847 }
4848 }
4849
4850 synchronize_rcu();
4851
4852 list_for_each_entry_safe_reverse(trans, next,
4853 &net->nft.commit_list, list) {
4854 list_del(&trans->list);
4855 nf_tables_abort_release(trans);
4856 }
4857
4858 return 0;
4859 }
4860
4861 static const struct nfnetlink_subsystem nf_tables_subsys = {
4862 .name = "nf_tables",
4863 .subsys_id = NFNL_SUBSYS_NFTABLES,
4864 .cb_count = NFT_MSG_MAX,
4865 .cb = nf_tables_cb,
4866 .commit = nf_tables_commit,
4867 .abort = nf_tables_abort,
4868 };
4869
4870 int nft_chain_validate_dependency(const struct nft_chain *chain,
4871 enum nft_chain_type type)
4872 {
4873 const struct nft_base_chain *basechain;
4874
4875 if (chain->flags & NFT_BASE_CHAIN) {
4876 basechain = nft_base_chain(chain);
4877 if (basechain->type->type != type)
4878 return -EOPNOTSUPP;
4879 }
4880 return 0;
4881 }
4882 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
4883
4884 int nft_chain_validate_hooks(const struct nft_chain *chain,
4885 unsigned int hook_flags)
4886 {
4887 struct nft_base_chain *basechain;
4888
4889 if (chain->flags & NFT_BASE_CHAIN) {
4890 basechain = nft_base_chain(chain);
4891
4892 if ((1 << basechain->ops[0].hooknum) & hook_flags)
4893 return 0;
4894
4895 return -EOPNOTSUPP;
4896 }
4897
4898 return 0;
4899 }
4900 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
4901
4902 /*
4903 * Loop detection - walk through the ruleset beginning at the destination chain
4904 * of a new jump until either the source chain is reached (loop) or all
4905 * reachable chains have been traversed.
4906 *
4907 * The loop check is performed whenever a new jump verdict is added to an
4908 * expression or verdict map or a verdict map is bound to a new chain.
4909 */
4910
4911 static int nf_tables_check_loops(const struct nft_ctx *ctx,
4912 const struct nft_chain *chain);
4913
4914 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
4915 const struct nft_set *set,
4916 const struct nft_set_iter *iter,
4917 const struct nft_set_elem *elem)
4918 {
4919 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4920 const struct nft_data *data;
4921
4922 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4923 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
4924 return 0;
4925
4926 data = nft_set_ext_data(ext);
4927 switch (data->verdict.code) {
4928 case NFT_JUMP:
4929 case NFT_GOTO:
4930 return nf_tables_check_loops(ctx, data->verdict.chain);
4931 default:
4932 return 0;
4933 }
4934 }
4935
4936 static int nf_tables_check_loops(const struct nft_ctx *ctx,
4937 const struct nft_chain *chain)
4938 {
4939 const struct nft_rule *rule;
4940 const struct nft_expr *expr, *last;
4941 const struct nft_set *set;
4942 struct nft_set_binding *binding;
4943 struct nft_set_iter iter;
4944
4945 if (ctx->chain == chain)
4946 return -ELOOP;
4947
4948 list_for_each_entry(rule, &chain->rules, list) {
4949 nft_rule_for_each_expr(expr, last, rule) {
4950 const struct nft_data *data = NULL;
4951 int err;
4952
4953 if (!expr->ops->validate)
4954 continue;
4955
4956 err = expr->ops->validate(ctx, expr, &data);
4957 if (err < 0)
4958 return err;
4959
4960 if (data == NULL)
4961 continue;
4962
4963 switch (data->verdict.code) {
4964 case NFT_JUMP:
4965 case NFT_GOTO:
4966 err = nf_tables_check_loops(ctx,
4967 data->verdict.chain);
4968 if (err < 0)
4969 return err;
4970 default:
4971 break;
4972 }
4973 }
4974 }
4975
4976 list_for_each_entry(set, &ctx->table->sets, list) {
4977 if (!nft_is_active_next(ctx->net, set))
4978 continue;
4979 if (!(set->flags & NFT_SET_MAP) ||
4980 set->dtype != NFT_DATA_VERDICT)
4981 continue;
4982
4983 list_for_each_entry(binding, &set->bindings, list) {
4984 if (!(binding->flags & NFT_SET_MAP) ||
4985 binding->chain != chain)
4986 continue;
4987
4988 iter.genmask = nft_genmask_next(ctx->net);
4989 iter.skip = 0;
4990 iter.count = 0;
4991 iter.err = 0;
4992 iter.fn = nf_tables_loop_check_setelem;
4993
4994 set->ops->walk(ctx, set, &iter);
4995 if (iter.err < 0)
4996 return iter.err;
4997 }
4998 }
4999
5000 return 0;
5001 }
5002
5003 /**
5004 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
5005 *
5006 * @attr: netlink attribute to fetch value from
5007 * @max: maximum value to be stored in dest
5008 * @dest: pointer to the variable
5009 *
5010 * Parse, check and store a given u32 netlink attribute into variable.
5011 * This function returns -ERANGE if the value goes over maximum value.
5012 * Otherwise a 0 is returned and the attribute value is stored in the
5013 * destination variable.
5014 */
5015 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
5016 {
5017 u32 val;
5018
5019 val = ntohl(nla_get_be32(attr));
5020 if (val > max)
5021 return -ERANGE;
5022
5023 *dest = val;
5024 return 0;
5025 }
5026 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
5027
5028 /**
5029 * nft_parse_register - parse a register value from a netlink attribute
5030 *
5031 * @attr: netlink attribute
5032 *
5033 * Parse and translate a register value from a netlink attribute.
5034 * Registers used to be 128 bit wide, these register numbers will be
5035 * mapped to the corresponding 32 bit register numbers.
5036 */
5037 unsigned int nft_parse_register(const struct nlattr *attr)
5038 {
5039 unsigned int reg;
5040
5041 reg = ntohl(nla_get_be32(attr));
5042 switch (reg) {
5043 case NFT_REG_VERDICT...NFT_REG_4:
5044 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
5045 default:
5046 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
5047 }
5048 }
5049 EXPORT_SYMBOL_GPL(nft_parse_register);
5050
5051 /**
5052 * nft_dump_register - dump a register value to a netlink attribute
5053 *
5054 * @skb: socket buffer
5055 * @attr: attribute number
5056 * @reg: register number
5057 *
5058 * Construct a netlink attribute containing the register number. For
5059 * compatibility reasons, register numbers being a multiple of 4 are
5060 * translated to the corresponding 128 bit register numbers.
5061 */
5062 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
5063 {
5064 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
5065 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
5066 else
5067 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
5068
5069 return nla_put_be32(skb, attr, htonl(reg));
5070 }
5071 EXPORT_SYMBOL_GPL(nft_dump_register);
5072
5073 /**
5074 * nft_validate_register_load - validate a load from a register
5075 *
5076 * @reg: the register number
5077 * @len: the length of the data
5078 *
5079 * Validate that the input register is one of the general purpose
5080 * registers and that the length of the load is within the bounds.
5081 */
5082 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
5083 {
5084 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
5085 return -EINVAL;
5086 if (len == 0)
5087 return -EINVAL;
5088 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
5089 return -ERANGE;
5090
5091 return 0;
5092 }
5093 EXPORT_SYMBOL_GPL(nft_validate_register_load);
5094
5095 /**
5096 * nft_validate_register_store - validate an expressions' register store
5097 *
5098 * @ctx: context of the expression performing the load
5099 * @reg: the destination register number
5100 * @data: the data to load
5101 * @type: the data type
5102 * @len: the length of the data
5103 *
5104 * Validate that a data load uses the appropriate data type for
5105 * the destination register and the length is within the bounds.
5106 * A value of NULL for the data means that its runtime gathered
5107 * data.
5108 */
5109 int nft_validate_register_store(const struct nft_ctx *ctx,
5110 enum nft_registers reg,
5111 const struct nft_data *data,
5112 enum nft_data_types type, unsigned int len)
5113 {
5114 int err;
5115
5116 switch (reg) {
5117 case NFT_REG_VERDICT:
5118 if (type != NFT_DATA_VERDICT)
5119 return -EINVAL;
5120
5121 if (data != NULL &&
5122 (data->verdict.code == NFT_GOTO ||
5123 data->verdict.code == NFT_JUMP)) {
5124 err = nf_tables_check_loops(ctx, data->verdict.chain);
5125 if (err < 0)
5126 return err;
5127
5128 if (ctx->chain->level + 1 >
5129 data->verdict.chain->level) {
5130 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
5131 return -EMLINK;
5132 data->verdict.chain->level = ctx->chain->level + 1;
5133 }
5134 }
5135
5136 return 0;
5137 default:
5138 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
5139 return -EINVAL;
5140 if (len == 0)
5141 return -EINVAL;
5142 if (reg * NFT_REG32_SIZE + len >
5143 FIELD_SIZEOF(struct nft_regs, data))
5144 return -ERANGE;
5145
5146 if (data != NULL && type != NFT_DATA_VALUE)
5147 return -EINVAL;
5148 return 0;
5149 }
5150 }
5151 EXPORT_SYMBOL_GPL(nft_validate_register_store);
5152
5153 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
5154 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
5155 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
5156 .len = NFT_CHAIN_MAXNAMELEN - 1 },
5157 };
5158
5159 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
5160 struct nft_data_desc *desc, const struct nlattr *nla)
5161 {
5162 u8 genmask = nft_genmask_next(ctx->net);
5163 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
5164 struct nft_chain *chain;
5165 int err;
5166
5167 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy);
5168 if (err < 0)
5169 return err;
5170
5171 if (!tb[NFTA_VERDICT_CODE])
5172 return -EINVAL;
5173 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
5174
5175 switch (data->verdict.code) {
5176 default:
5177 switch (data->verdict.code & NF_VERDICT_MASK) {
5178 case NF_ACCEPT:
5179 case NF_DROP:
5180 case NF_QUEUE:
5181 break;
5182 default:
5183 return -EINVAL;
5184 }
5185 /* fall through */
5186 case NFT_CONTINUE:
5187 case NFT_BREAK:
5188 case NFT_RETURN:
5189 break;
5190 case NFT_JUMP:
5191 case NFT_GOTO:
5192 if (!tb[NFTA_VERDICT_CHAIN])
5193 return -EINVAL;
5194 chain = nf_tables_chain_lookup(ctx->table,
5195 tb[NFTA_VERDICT_CHAIN], genmask);
5196 if (IS_ERR(chain))
5197 return PTR_ERR(chain);
5198 if (chain->flags & NFT_BASE_CHAIN)
5199 return -EOPNOTSUPP;
5200
5201 chain->use++;
5202 data->verdict.chain = chain;
5203 break;
5204 }
5205
5206 desc->len = sizeof(data->verdict);
5207 desc->type = NFT_DATA_VERDICT;
5208 return 0;
5209 }
5210
5211 static void nft_verdict_uninit(const struct nft_data *data)
5212 {
5213 switch (data->verdict.code) {
5214 case NFT_JUMP:
5215 case NFT_GOTO:
5216 data->verdict.chain->use--;
5217 break;
5218 }
5219 }
5220
5221 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
5222 {
5223 struct nlattr *nest;
5224
5225 nest = nla_nest_start(skb, type);
5226 if (!nest)
5227 goto nla_put_failure;
5228
5229 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
5230 goto nla_put_failure;
5231
5232 switch (v->code) {
5233 case NFT_JUMP:
5234 case NFT_GOTO:
5235 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
5236 v->chain->name))
5237 goto nla_put_failure;
5238 }
5239 nla_nest_end(skb, nest);
5240 return 0;
5241
5242 nla_put_failure:
5243 return -1;
5244 }
5245
5246 static int nft_value_init(const struct nft_ctx *ctx,
5247 struct nft_data *data, unsigned int size,
5248 struct nft_data_desc *desc, const struct nlattr *nla)
5249 {
5250 unsigned int len;
5251
5252 len = nla_len(nla);
5253 if (len == 0)
5254 return -EINVAL;
5255 if (len > size)
5256 return -EOVERFLOW;
5257
5258 nla_memcpy(data->data, nla, len);
5259 desc->type = NFT_DATA_VALUE;
5260 desc->len = len;
5261 return 0;
5262 }
5263
5264 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
5265 unsigned int len)
5266 {
5267 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
5268 }
5269
5270 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
5271 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
5272 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
5273 };
5274
5275 /**
5276 * nft_data_init - parse nf_tables data netlink attributes
5277 *
5278 * @ctx: context of the expression using the data
5279 * @data: destination struct nft_data
5280 * @size: maximum data length
5281 * @desc: data description
5282 * @nla: netlink attribute containing data
5283 *
5284 * Parse the netlink data attributes and initialize a struct nft_data.
5285 * The type and length of data are returned in the data description.
5286 *
5287 * The caller can indicate that it only wants to accept data of type
5288 * NFT_DATA_VALUE by passing NULL for the ctx argument.
5289 */
5290 int nft_data_init(const struct nft_ctx *ctx,
5291 struct nft_data *data, unsigned int size,
5292 struct nft_data_desc *desc, const struct nlattr *nla)
5293 {
5294 struct nlattr *tb[NFTA_DATA_MAX + 1];
5295 int err;
5296
5297 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy);
5298 if (err < 0)
5299 return err;
5300
5301 if (tb[NFTA_DATA_VALUE])
5302 return nft_value_init(ctx, data, size, desc,
5303 tb[NFTA_DATA_VALUE]);
5304 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
5305 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
5306 return -EINVAL;
5307 }
5308 EXPORT_SYMBOL_GPL(nft_data_init);
5309
5310 /**
5311 * nft_data_uninit - release a nft_data item
5312 *
5313 * @data: struct nft_data to release
5314 * @type: type of data
5315 *
5316 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
5317 * all others need to be released by calling this function.
5318 */
5319 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
5320 {
5321 if (type < NFT_DATA_VERDICT)
5322 return;
5323 switch (type) {
5324 case NFT_DATA_VERDICT:
5325 return nft_verdict_uninit(data);
5326 default:
5327 WARN_ON(1);
5328 }
5329 }
5330 EXPORT_SYMBOL_GPL(nft_data_uninit);
5331
5332 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
5333 enum nft_data_types type, unsigned int len)
5334 {
5335 struct nlattr *nest;
5336 int err;
5337
5338 nest = nla_nest_start(skb, attr);
5339 if (nest == NULL)
5340 return -1;
5341
5342 switch (type) {
5343 case NFT_DATA_VALUE:
5344 err = nft_value_dump(skb, data, len);
5345 break;
5346 case NFT_DATA_VERDICT:
5347 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
5348 break;
5349 default:
5350 err = -EINVAL;
5351 WARN_ON(1);
5352 }
5353
5354 nla_nest_end(skb, nest);
5355 return err;
5356 }
5357 EXPORT_SYMBOL_GPL(nft_data_dump);
5358
5359 static int __net_init nf_tables_init_net(struct net *net)
5360 {
5361 INIT_LIST_HEAD(&net->nft.af_info);
5362 INIT_LIST_HEAD(&net->nft.commit_list);
5363 net->nft.base_seq = 1;
5364 return 0;
5365 }
5366
5367 int __nft_release_basechain(struct nft_ctx *ctx)
5368 {
5369 struct nft_rule *rule, *nr;
5370
5371 BUG_ON(!(ctx->chain->flags & NFT_BASE_CHAIN));
5372
5373 nf_tables_unregister_hooks(ctx->net, ctx->chain->table, ctx->chain,
5374 ctx->afi->nops);
5375 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
5376 list_del(&rule->list);
5377 ctx->chain->use--;
5378 nf_tables_rule_destroy(ctx, rule);
5379 }
5380 list_del(&ctx->chain->list);
5381 ctx->table->use--;
5382 nf_tables_chain_destroy(ctx->chain);
5383
5384 return 0;
5385 }
5386 EXPORT_SYMBOL_GPL(__nft_release_basechain);
5387
5388 /* Called by nft_unregister_afinfo() from __net_exit path, nfnl_lock is held. */
5389 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi)
5390 {
5391 struct nft_table *table, *nt;
5392 struct nft_chain *chain, *nc;
5393 struct nft_object *obj, *ne;
5394 struct nft_rule *rule, *nr;
5395 struct nft_set *set, *ns;
5396 struct nft_ctx ctx = {
5397 .net = net,
5398 .afi = afi,
5399 };
5400
5401 list_for_each_entry_safe(table, nt, &afi->tables, list) {
5402 list_for_each_entry(chain, &table->chains, list)
5403 nf_tables_unregister_hooks(net, table, chain,
5404 afi->nops);
5405 /* No packets are walking on these chains anymore. */
5406 ctx.table = table;
5407 list_for_each_entry(chain, &table->chains, list) {
5408 ctx.chain = chain;
5409 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
5410 list_del(&rule->list);
5411 chain->use--;
5412 nf_tables_rule_destroy(&ctx, rule);
5413 }
5414 }
5415 list_for_each_entry_safe(set, ns, &table->sets, list) {
5416 list_del(&set->list);
5417 table->use--;
5418 nft_set_destroy(set);
5419 }
5420 list_for_each_entry_safe(obj, ne, &table->objects, list) {
5421 list_del(&obj->list);
5422 table->use--;
5423 nft_obj_destroy(obj);
5424 }
5425 list_for_each_entry_safe(chain, nc, &table->chains, list) {
5426 list_del(&chain->list);
5427 table->use--;
5428 nf_tables_chain_destroy(chain);
5429 }
5430 list_del(&table->list);
5431 nf_tables_table_destroy(&ctx);
5432 }
5433 }
5434
5435 static struct pernet_operations nf_tables_net_ops = {
5436 .init = nf_tables_init_net,
5437 };
5438
5439 static int __init nf_tables_module_init(void)
5440 {
5441 int err;
5442
5443 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
5444 GFP_KERNEL);
5445 if (info == NULL) {
5446 err = -ENOMEM;
5447 goto err1;
5448 }
5449
5450 err = nf_tables_core_module_init();
5451 if (err < 0)
5452 goto err2;
5453
5454 err = nfnetlink_subsys_register(&nf_tables_subsys);
5455 if (err < 0)
5456 goto err3;
5457
5458 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
5459 return register_pernet_subsys(&nf_tables_net_ops);
5460 err3:
5461 nf_tables_core_module_exit();
5462 err2:
5463 kfree(info);
5464 err1:
5465 return err;
5466 }
5467
5468 static void __exit nf_tables_module_exit(void)
5469 {
5470 unregister_pernet_subsys(&nf_tables_net_ops);
5471 nfnetlink_subsys_unregister(&nf_tables_subsys);
5472 rcu_barrier();
5473 nf_tables_core_module_exit();
5474 kfree(info);
5475 }
5476
5477 module_init(nf_tables_module_init);
5478 module_exit(nf_tables_module_exit);
5479
5480 MODULE_LICENSE("GPL");
5481 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
5482 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
Ubuntu Artful kernel mirror