]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blob - net/netfilter/nf_tables_api.c
projects / mirror_ubuntu-bionic-kernel.git / blob
? search:


a2a62ccdd5e55dfeeb1327a4419420b602f73213
[mirror_ubuntu-bionic-kernel.git] / net / netfilter / nf_tables_api.c
1 /*
2 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
7 *
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
9 */
10
11 #include <linux/module.h>
12 #include <linux/init.h>
13 #include <linux/list.h>
14 #include <linux/skbuff.h>
15 #include <linux/netlink.h>
16 #include <linux/vmalloc.h>
17 #include <linux/netfilter.h>
18 #include <linux/netfilter/nfnetlink.h>
19 #include <linux/netfilter/nf_tables.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/net_namespace.h>
23 #include <net/sock.h>
24
25 static LIST_HEAD(nf_tables_expressions);
26 static LIST_HEAD(nf_tables_objects);
27
28 /**
29 * nft_register_afinfo - register nf_tables address family info
30 *
31 * @afi: address family info to register
32 *
33 * Register the address family for use with nf_tables. Returns zero on
34 * success or a negative errno code otherwise.
35 */
36 int nft_register_afinfo(struct net *net, struct nft_af_info *afi)
37 {
38 INIT_LIST_HEAD(&afi->tables);
39 nfnl_lock(NFNL_SUBSYS_NFTABLES);
40 list_add_tail_rcu(&afi->list, &net->nft.af_info);
41 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
42 return 0;
43 }
44 EXPORT_SYMBOL_GPL(nft_register_afinfo);
45
46 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi);
47
48 /**
49 * nft_unregister_afinfo - unregister nf_tables address family info
50 *
51 * @afi: address family info to unregister
52 *
53 * Unregister the address family for use with nf_tables.
54 */
55 void nft_unregister_afinfo(struct net *net, struct nft_af_info *afi)
56 {
57 nfnl_lock(NFNL_SUBSYS_NFTABLES);
58 __nft_release_afinfo(net, afi);
59 list_del_rcu(&afi->list);
60 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
61 }
62 EXPORT_SYMBOL_GPL(nft_unregister_afinfo);
63
64 static struct nft_af_info *nft_afinfo_lookup(struct net *net, int family)
65 {
66 struct nft_af_info *afi;
67
68 list_for_each_entry(afi, &net->nft.af_info, list) {
69 if (afi->family == family)
70 return afi;
71 }
72 return NULL;
73 }
74
75 static struct nft_af_info *
76 nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
77 {
78 struct nft_af_info *afi;
79
80 afi = nft_afinfo_lookup(net, family);
81 if (afi != NULL)
82 return afi;
83 #ifdef CONFIG_MODULES
84 if (autoload) {
85 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
86 request_module("nft-afinfo-%u", family);
87 nfnl_lock(NFNL_SUBSYS_NFTABLES);
88 afi = nft_afinfo_lookup(net, family);
89 if (afi != NULL)
90 return ERR_PTR(-EAGAIN);
91 }
92 #endif
93 return ERR_PTR(-EAFNOSUPPORT);
94 }
95
96 static void nft_ctx_init(struct nft_ctx *ctx,
97 struct net *net,
98 const struct sk_buff *skb,
99 const struct nlmsghdr *nlh,
100 struct nft_af_info *afi,
101 struct nft_table *table,
102 struct nft_chain *chain,
103 const struct nlattr * const *nla)
104 {
105 ctx->net = net;
106 ctx->afi = afi;
107 ctx->table = table;
108 ctx->chain = chain;
109 ctx->nla = nla;
110 ctx->portid = NETLINK_CB(skb).portid;
111 ctx->report = nlmsg_report(nlh);
112 ctx->seq = nlh->nlmsg_seq;
113 }
114
115 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
116 int msg_type, u32 size, gfp_t gfp)
117 {
118 struct nft_trans *trans;
119
120 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
121 if (trans == NULL)
122 return NULL;
123
124 trans->msg_type = msg_type;
125 trans->ctx = *ctx;
126
127 return trans;
128 }
129
130 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
131 int msg_type, u32 size)
132 {
133 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
134 }
135
136 static void nft_trans_destroy(struct nft_trans *trans)
137 {
138 list_del(&trans->list);
139 kfree(trans);
140 }
141
142 static int nf_tables_register_hooks(struct net *net,
143 const struct nft_table *table,
144 struct nft_chain *chain,
145 unsigned int hook_nops)
146 {
147 if (table->flags & NFT_TABLE_F_DORMANT ||
148 !nft_is_base_chain(chain))
149 return 0;
150
151 return nf_register_net_hooks(net, nft_base_chain(chain)->ops,
152 hook_nops);
153 }
154
155 static void nf_tables_unregister_hooks(struct net *net,
156 const struct nft_table *table,
157 struct nft_chain *chain,
158 unsigned int hook_nops)
159 {
160 if (table->flags & NFT_TABLE_F_DORMANT ||
161 !nft_is_base_chain(chain))
162 return;
163
164 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops, hook_nops);
165 }
166
167 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
168 {
169 struct nft_trans *trans;
170
171 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
172 if (trans == NULL)
173 return -ENOMEM;
174
175 if (msg_type == NFT_MSG_NEWTABLE)
176 nft_activate_next(ctx->net, ctx->table);
177
178 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
179 return 0;
180 }
181
182 static int nft_deltable(struct nft_ctx *ctx)
183 {
184 int err;
185
186 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
187 if (err < 0)
188 return err;
189
190 nft_deactivate_next(ctx->net, ctx->table);
191 return err;
192 }
193
194 static int nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
195 {
196 struct nft_trans *trans;
197
198 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
199 if (trans == NULL)
200 return -ENOMEM;
201
202 if (msg_type == NFT_MSG_NEWCHAIN)
203 nft_activate_next(ctx->net, ctx->chain);
204
205 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
206 return 0;
207 }
208
209 static int nft_delchain(struct nft_ctx *ctx)
210 {
211 int err;
212
213 err = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
214 if (err < 0)
215 return err;
216
217 ctx->table->use--;
218 nft_deactivate_next(ctx->net, ctx->chain);
219
220 return err;
221 }
222
223 /* either expr ops provide both activate/deactivate, or neither */
224 static bool nft_expr_check_ops(const struct nft_expr_ops *ops)
225 {
226 if (!ops)
227 return true;
228
229 if (WARN_ON_ONCE((!ops->activate ^ !ops->deactivate)))
230 return false;
231
232 return true;
233 }
234
235 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
236 struct nft_rule *rule)
237 {
238 struct nft_expr *expr;
239
240 expr = nft_expr_first(rule);
241 while (expr != nft_expr_last(rule) && expr->ops) {
242 if (expr->ops->activate)
243 expr->ops->activate(ctx, expr);
244
245 expr = nft_expr_next(expr);
246 }
247 }
248
249 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
250 struct nft_rule *rule)
251 {
252 struct nft_expr *expr;
253
254 expr = nft_expr_first(rule);
255 while (expr != nft_expr_last(rule) && expr->ops) {
256 if (expr->ops->deactivate)
257 expr->ops->deactivate(ctx, expr);
258
259 expr = nft_expr_next(expr);
260 }
261 }
262
263 static int
264 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
265 {
266 /* You cannot delete the same rule twice */
267 if (nft_is_active_next(ctx->net, rule)) {
268 nft_deactivate_next(ctx->net, rule);
269 ctx->chain->use--;
270 return 0;
271 }
272 return -ENOENT;
273 }
274
275 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
276 struct nft_rule *rule)
277 {
278 struct nft_trans *trans;
279
280 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
281 if (trans == NULL)
282 return NULL;
283
284 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
285 nft_trans_rule_id(trans) =
286 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
287 }
288 nft_trans_rule(trans) = rule;
289 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
290
291 return trans;
292 }
293
294 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
295 {
296 struct nft_trans *trans;
297 int err;
298
299 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
300 if (trans == NULL)
301 return -ENOMEM;
302
303 err = nf_tables_delrule_deactivate(ctx, rule);
304 if (err < 0) {
305 nft_trans_destroy(trans);
306 return err;
307 }
308 nft_rule_expr_deactivate(ctx, rule);
309
310 return 0;
311 }
312
313 static int nft_delrule_by_chain(struct nft_ctx *ctx)
314 {
315 struct nft_rule *rule;
316 int err;
317
318 list_for_each_entry(rule, &ctx->chain->rules, list) {
319 if (!nft_is_active_next(ctx->net, rule))
320 continue;
321
322 err = nft_delrule(ctx, rule);
323 if (err < 0)
324 return err;
325 }
326 return 0;
327 }
328
329 static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
330 struct nft_set *set)
331 {
332 struct nft_trans *trans;
333
334 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
335 if (trans == NULL)
336 return -ENOMEM;
337
338 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
339 nft_trans_set_id(trans) =
340 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
341 nft_activate_next(ctx->net, set);
342 }
343 nft_trans_set(trans) = set;
344 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
345
346 return 0;
347 }
348
349 static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
350 {
351 int err;
352
353 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
354 if (err < 0)
355 return err;
356
357 nft_deactivate_next(ctx->net, set);
358 ctx->table->use--;
359
360 return err;
361 }
362
363 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
364 struct nft_object *obj)
365 {
366 struct nft_trans *trans;
367
368 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
369 if (trans == NULL)
370 return -ENOMEM;
371
372 if (msg_type == NFT_MSG_NEWOBJ)
373 nft_activate_next(ctx->net, obj);
374
375 nft_trans_obj(trans) = obj;
376 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
377
378 return 0;
379 }
380
381 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
382 {
383 int err;
384
385 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
386 if (err < 0)
387 return err;
388
389 nft_deactivate_next(ctx->net, obj);
390 ctx->table->use--;
391
392 return err;
393 }
394
395 /*
396 * Tables
397 */
398
399 static struct nft_table *nft_table_lookup(const struct nft_af_info *afi,
400 const struct nlattr *nla,
401 u8 genmask)
402 {
403 struct nft_table *table;
404
405 list_for_each_entry(table, &afi->tables, list) {
406 if (!nla_strcmp(nla, table->name) &&
407 nft_active_genmask(table, genmask))
408 return table;
409 }
410 return NULL;
411 }
412
413 static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
414 const struct nlattr *nla,
415 u8 genmask)
416 {
417 struct nft_table *table;
418
419 if (nla == NULL)
420 return ERR_PTR(-EINVAL);
421
422 table = nft_table_lookup(afi, nla, genmask);
423 if (table != NULL)
424 return table;
425
426 return ERR_PTR(-ENOENT);
427 }
428
429 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
430 {
431 return ++table->hgenerator;
432 }
433
434 static const struct nf_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
435
436 static const struct nf_chain_type *
437 __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
438 {
439 int i;
440
441 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
442 if (chain_type[family][i] != NULL &&
443 !nla_strcmp(nla, chain_type[family][i]->name))
444 return chain_type[family][i];
445 }
446 return NULL;
447 }
448
449 static const struct nf_chain_type *
450 nf_tables_chain_type_lookup(const struct nft_af_info *afi,
451 const struct nlattr *nla,
452 bool autoload)
453 {
454 const struct nf_chain_type *type;
455
456 type = __nf_tables_chain_type_lookup(afi->family, nla);
457 if (type != NULL)
458 return type;
459 #ifdef CONFIG_MODULES
460 if (autoload) {
461 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
462 request_module("nft-chain-%u-%.*s", afi->family,
463 nla_len(nla), (const char *)nla_data(nla));
464 nfnl_lock(NFNL_SUBSYS_NFTABLES);
465 type = __nf_tables_chain_type_lookup(afi->family, nla);
466 if (type != NULL)
467 return ERR_PTR(-EAGAIN);
468 }
469 #endif
470 return ERR_PTR(-ENOENT);
471 }
472
473 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
474 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
475 .len = NFT_TABLE_MAXNAMELEN - 1 },
476 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
477 };
478
479 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
480 u32 portid, u32 seq, int event, u32 flags,
481 int family, const struct nft_table *table)
482 {
483 struct nlmsghdr *nlh;
484 struct nfgenmsg *nfmsg;
485
486 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
487 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
488 if (nlh == NULL)
489 goto nla_put_failure;
490
491 nfmsg = nlmsg_data(nlh);
492 nfmsg->nfgen_family = family;
493 nfmsg->version = NFNETLINK_V0;
494 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
495
496 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
497 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
498 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
499 goto nla_put_failure;
500
501 nlmsg_end(skb, nlh);
502 return 0;
503
504 nla_put_failure:
505 nlmsg_trim(skb, nlh);
506 return -1;
507 }
508
509 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
510 {
511 struct sk_buff *skb;
512 int err;
513
514 if (!ctx->report &&
515 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
516 return;
517
518 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
519 if (skb == NULL)
520 goto err;
521
522 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
523 event, 0, ctx->afi->family, ctx->table);
524 if (err < 0) {
525 kfree_skb(skb);
526 goto err;
527 }
528
529 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
530 ctx->report, GFP_KERNEL);
531 return;
532 err:
533 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
534 }
535
536 static int nf_tables_dump_tables(struct sk_buff *skb,
537 struct netlink_callback *cb)
538 {
539 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
540 const struct nft_af_info *afi;
541 const struct nft_table *table;
542 unsigned int idx = 0, s_idx = cb->args[0];
543 struct net *net = sock_net(skb->sk);
544 int family = nfmsg->nfgen_family;
545
546 rcu_read_lock();
547 cb->seq = net->nft.base_seq;
548
549 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
550 if (family != NFPROTO_UNSPEC && family != afi->family)
551 continue;
552
553 list_for_each_entry_rcu(table, &afi->tables, list) {
554 if (idx < s_idx)
555 goto cont;
556 if (idx > s_idx)
557 memset(&cb->args[1], 0,
558 sizeof(cb->args) - sizeof(cb->args[0]));
559 if (!nft_is_active(net, table))
560 continue;
561 if (nf_tables_fill_table_info(skb, net,
562 NETLINK_CB(cb->skb).portid,
563 cb->nlh->nlmsg_seq,
564 NFT_MSG_NEWTABLE,
565 NLM_F_MULTI,
566 afi->family, table) < 0)
567 goto done;
568
569 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
570 cont:
571 idx++;
572 }
573 }
574 done:
575 rcu_read_unlock();
576 cb->args[0] = idx;
577 return skb->len;
578 }
579
580 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
581 struct sk_buff *skb, const struct nlmsghdr *nlh,
582 const struct nlattr * const nla[],
583 struct netlink_ext_ack *extack)
584 {
585 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
586 u8 genmask = nft_genmask_cur(net);
587 const struct nft_af_info *afi;
588 const struct nft_table *table;
589 struct sk_buff *skb2;
590 int family = nfmsg->nfgen_family;
591 int err;
592
593 if (nlh->nlmsg_flags & NLM_F_DUMP) {
594 struct netlink_dump_control c = {
595 .dump = nf_tables_dump_tables,
596 };
597 return netlink_dump_start(nlsk, skb, nlh, &c);
598 }
599
600 afi = nf_tables_afinfo_lookup(net, family, false);
601 if (IS_ERR(afi))
602 return PTR_ERR(afi);
603
604 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
605 if (IS_ERR(table))
606 return PTR_ERR(table);
607
608 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
609 if (!skb2)
610 return -ENOMEM;
611
612 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
613 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
614 family, table);
615 if (err < 0)
616 goto err;
617
618 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
619
620 err:
621 kfree_skb(skb2);
622 return err;
623 }
624
625 static void _nf_tables_table_disable(struct net *net,
626 const struct nft_af_info *afi,
627 struct nft_table *table,
628 u32 cnt)
629 {
630 struct nft_chain *chain;
631 u32 i = 0;
632
633 list_for_each_entry(chain, &table->chains, list) {
634 if (!nft_is_active_next(net, chain))
635 continue;
636 if (!nft_is_base_chain(chain))
637 continue;
638
639 if (cnt && i++ == cnt)
640 break;
641
642 nf_unregister_net_hooks(net, nft_base_chain(chain)->ops,
643 afi->nops);
644 }
645 }
646
647 static int nf_tables_table_enable(struct net *net,
648 const struct nft_af_info *afi,
649 struct nft_table *table)
650 {
651 struct nft_chain *chain;
652 int err, i = 0;
653
654 list_for_each_entry(chain, &table->chains, list) {
655 if (!nft_is_active_next(net, chain))
656 continue;
657 if (!nft_is_base_chain(chain))
658 continue;
659
660 err = nf_register_net_hooks(net, nft_base_chain(chain)->ops,
661 afi->nops);
662 if (err < 0)
663 goto err;
664
665 i++;
666 }
667 return 0;
668 err:
669 if (i)
670 _nf_tables_table_disable(net, afi, table, i);
671 return err;
672 }
673
674 static void nf_tables_table_disable(struct net *net,
675 const struct nft_af_info *afi,
676 struct nft_table *table)
677 {
678 _nf_tables_table_disable(net, afi, table, 0);
679 }
680
681 static int nf_tables_updtable(struct nft_ctx *ctx)
682 {
683 struct nft_trans *trans;
684 u32 flags;
685 int ret = 0;
686
687 if (!ctx->nla[NFTA_TABLE_FLAGS])
688 return 0;
689
690 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
691 if (flags & ~NFT_TABLE_F_DORMANT)
692 return -EINVAL;
693
694 if (flags == ctx->table->flags)
695 return 0;
696
697 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
698 sizeof(struct nft_trans_table));
699 if (trans == NULL)
700 return -ENOMEM;
701
702 if ((flags & NFT_TABLE_F_DORMANT) &&
703 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
704 nft_trans_table_enable(trans) = false;
705 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
706 ctx->table->flags & NFT_TABLE_F_DORMANT) {
707 ret = nf_tables_table_enable(ctx->net, ctx->afi, ctx->table);
708 if (ret >= 0) {
709 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
710 nft_trans_table_enable(trans) = true;
711 }
712 }
713 if (ret < 0)
714 goto err;
715
716 nft_trans_table_update(trans) = true;
717 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
718 return 0;
719 err:
720 nft_trans_destroy(trans);
721 return ret;
722 }
723
724 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
725 struct sk_buff *skb, const struct nlmsghdr *nlh,
726 const struct nlattr * const nla[],
727 struct netlink_ext_ack *extack)
728 {
729 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
730 u8 genmask = nft_genmask_next(net);
731 const struct nlattr *name;
732 struct nft_af_info *afi;
733 struct nft_table *table;
734 int family = nfmsg->nfgen_family;
735 u32 flags = 0;
736 struct nft_ctx ctx;
737 int err;
738
739 afi = nf_tables_afinfo_lookup(net, family, true);
740 if (IS_ERR(afi))
741 return PTR_ERR(afi);
742
743 name = nla[NFTA_TABLE_NAME];
744 table = nf_tables_table_lookup(afi, name, genmask);
745 if (IS_ERR(table)) {
746 if (PTR_ERR(table) != -ENOENT)
747 return PTR_ERR(table);
748 } else {
749 if (nlh->nlmsg_flags & NLM_F_EXCL)
750 return -EEXIST;
751 if (nlh->nlmsg_flags & NLM_F_REPLACE)
752 return -EOPNOTSUPP;
753
754 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
755 return nf_tables_updtable(&ctx);
756 }
757
758 if (nla[NFTA_TABLE_FLAGS]) {
759 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
760 if (flags & ~NFT_TABLE_F_DORMANT)
761 return -EINVAL;
762 }
763
764 err = -EAFNOSUPPORT;
765 if (!try_module_get(afi->owner))
766 goto err1;
767
768 err = -ENOMEM;
769 table = kzalloc(sizeof(*table), GFP_KERNEL);
770 if (table == NULL)
771 goto err2;
772
773 table->name = nla_strdup(name, GFP_KERNEL);
774 if (table->name == NULL)
775 goto err3;
776
777 INIT_LIST_HEAD(&table->chains);
778 INIT_LIST_HEAD(&table->sets);
779 INIT_LIST_HEAD(&table->objects);
780 table->flags = flags;
781
782 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
783 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
784 if (err < 0)
785 goto err4;
786
787 list_add_tail_rcu(&table->list, &afi->tables);
788 return 0;
789 err4:
790 kfree(table->name);
791 err3:
792 kfree(table);
793 err2:
794 module_put(afi->owner);
795 err1:
796 return err;
797 }
798
799 static int nft_flush_table(struct nft_ctx *ctx)
800 {
801 int err;
802 struct nft_chain *chain, *nc;
803 struct nft_object *obj, *ne;
804 struct nft_set *set, *ns;
805
806 list_for_each_entry(chain, &ctx->table->chains, list) {
807 if (!nft_is_active_next(ctx->net, chain))
808 continue;
809
810 ctx->chain = chain;
811
812 err = nft_delrule_by_chain(ctx);
813 if (err < 0)
814 goto out;
815 }
816
817 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
818 if (!nft_is_active_next(ctx->net, set))
819 continue;
820
821 if (set->flags & NFT_SET_ANONYMOUS &&
822 !list_empty(&set->bindings))
823 continue;
824
825 err = nft_delset(ctx, set);
826 if (err < 0)
827 goto out;
828 }
829
830 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
831 err = nft_delobj(ctx, obj);
832 if (err < 0)
833 goto out;
834 }
835
836 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
837 if (!nft_is_active_next(ctx->net, chain))
838 continue;
839
840 ctx->chain = chain;
841
842 err = nft_delchain(ctx);
843 if (err < 0)
844 goto out;
845 }
846
847 err = nft_deltable(ctx);
848 out:
849 return err;
850 }
851
852 static int nft_flush(struct nft_ctx *ctx, int family)
853 {
854 struct nft_af_info *afi;
855 struct nft_table *table, *nt;
856 const struct nlattr * const *nla = ctx->nla;
857 int err = 0;
858
859 list_for_each_entry(afi, &ctx->net->nft.af_info, list) {
860 if (family != AF_UNSPEC && afi->family != family)
861 continue;
862
863 ctx->afi = afi;
864 list_for_each_entry_safe(table, nt, &afi->tables, list) {
865 if (!nft_is_active_next(ctx->net, table))
866 continue;
867
868 if (nla[NFTA_TABLE_NAME] &&
869 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
870 continue;
871
872 ctx->table = table;
873
874 err = nft_flush_table(ctx);
875 if (err < 0)
876 goto out;
877 }
878 }
879 out:
880 return err;
881 }
882
883 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
884 struct sk_buff *skb, const struct nlmsghdr *nlh,
885 const struct nlattr * const nla[],
886 struct netlink_ext_ack *extack)
887 {
888 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
889 u8 genmask = nft_genmask_next(net);
890 struct nft_af_info *afi;
891 struct nft_table *table;
892 int family = nfmsg->nfgen_family;
893 struct nft_ctx ctx;
894
895 nft_ctx_init(&ctx, net, skb, nlh, NULL, NULL, NULL, nla);
896 if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
897 return nft_flush(&ctx, family);
898
899 afi = nf_tables_afinfo_lookup(net, family, false);
900 if (IS_ERR(afi))
901 return PTR_ERR(afi);
902
903 table = nf_tables_table_lookup(afi, nla[NFTA_TABLE_NAME], genmask);
904 if (IS_ERR(table))
905 return PTR_ERR(table);
906
907 if (nlh->nlmsg_flags & NLM_F_NONREC &&
908 table->use > 0)
909 return -EBUSY;
910
911 ctx.afi = afi;
912 ctx.table = table;
913
914 return nft_flush_table(&ctx);
915 }
916
917 static void nf_tables_table_destroy(struct nft_ctx *ctx)
918 {
919 if (WARN_ON(ctx->table->use > 0))
920 return;
921
922 kfree(ctx->table->name);
923 kfree(ctx->table);
924 module_put(ctx->afi->owner);
925 }
926
927 int nft_register_chain_type(const struct nf_chain_type *ctype)
928 {
929 int err = 0;
930
931 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
932 return -EINVAL;
933
934 nfnl_lock(NFNL_SUBSYS_NFTABLES);
935 if (chain_type[ctype->family][ctype->type] != NULL) {
936 err = -EBUSY;
937 goto out;
938 }
939 chain_type[ctype->family][ctype->type] = ctype;
940 out:
941 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
942 return err;
943 }
944 EXPORT_SYMBOL_GPL(nft_register_chain_type);
945
946 void nft_unregister_chain_type(const struct nf_chain_type *ctype)
947 {
948 nfnl_lock(NFNL_SUBSYS_NFTABLES);
949 chain_type[ctype->family][ctype->type] = NULL;
950 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
951 }
952 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
953
954 /*
955 * Chains
956 */
957
958 static struct nft_chain *
959 nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle,
960 u8 genmask)
961 {
962 struct nft_chain *chain;
963
964 list_for_each_entry(chain, &table->chains, list) {
965 if (chain->handle == handle &&
966 nft_active_genmask(chain, genmask))
967 return chain;
968 }
969
970 return ERR_PTR(-ENOENT);
971 }
972
973 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
974 const struct nlattr *nla,
975 u8 genmask)
976 {
977 struct nft_chain *chain;
978
979 if (nla == NULL)
980 return ERR_PTR(-EINVAL);
981
982 list_for_each_entry(chain, &table->chains, list) {
983 if (!nla_strcmp(nla, chain->name) &&
984 nft_active_genmask(chain, genmask))
985 return chain;
986 }
987
988 return ERR_PTR(-ENOENT);
989 }
990
991 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
992 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
993 .len = NFT_TABLE_MAXNAMELEN - 1 },
994 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
995 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
996 .len = NFT_CHAIN_MAXNAMELEN - 1 },
997 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
998 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
999 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
1000 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1001 };
1002
1003 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1004 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1005 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1006 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1007 .len = IFNAMSIZ - 1 },
1008 };
1009
1010 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1011 {
1012 struct nft_stats *cpu_stats, total;
1013 struct nlattr *nest;
1014 unsigned int seq;
1015 u64 pkts, bytes;
1016 int cpu;
1017
1018 memset(&total, 0, sizeof(total));
1019 for_each_possible_cpu(cpu) {
1020 cpu_stats = per_cpu_ptr(stats, cpu);
1021 do {
1022 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1023 pkts = cpu_stats->pkts;
1024 bytes = cpu_stats->bytes;
1025 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1026 total.pkts += pkts;
1027 total.bytes += bytes;
1028 }
1029 nest = nla_nest_start(skb, NFTA_CHAIN_COUNTERS);
1030 if (nest == NULL)
1031 goto nla_put_failure;
1032
1033 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1034 NFTA_COUNTER_PAD) ||
1035 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1036 NFTA_COUNTER_PAD))
1037 goto nla_put_failure;
1038
1039 nla_nest_end(skb, nest);
1040 return 0;
1041
1042 nla_put_failure:
1043 return -ENOSPC;
1044 }
1045
1046 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1047 u32 portid, u32 seq, int event, u32 flags,
1048 int family, const struct nft_table *table,
1049 const struct nft_chain *chain)
1050 {
1051 struct nlmsghdr *nlh;
1052 struct nfgenmsg *nfmsg;
1053
1054 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1055 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1056 if (nlh == NULL)
1057 goto nla_put_failure;
1058
1059 nfmsg = nlmsg_data(nlh);
1060 nfmsg->nfgen_family = family;
1061 nfmsg->version = NFNETLINK_V0;
1062 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1063
1064 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1065 goto nla_put_failure;
1066 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1067 NFTA_CHAIN_PAD))
1068 goto nla_put_failure;
1069 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1070 goto nla_put_failure;
1071
1072 if (nft_is_base_chain(chain)) {
1073 const struct nft_base_chain *basechain = nft_base_chain(chain);
1074 const struct nf_hook_ops *ops = &basechain->ops[0];
1075 struct nlattr *nest;
1076
1077 nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
1078 if (nest == NULL)
1079 goto nla_put_failure;
1080 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1081 goto nla_put_failure;
1082 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1083 goto nla_put_failure;
1084 if (basechain->dev_name[0] &&
1085 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1086 goto nla_put_failure;
1087 nla_nest_end(skb, nest);
1088
1089 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1090 htonl(basechain->policy)))
1091 goto nla_put_failure;
1092
1093 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1094 goto nla_put_failure;
1095
1096 if (basechain->stats && nft_dump_stats(skb, basechain->stats))
1097 goto nla_put_failure;
1098 }
1099
1100 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1101 goto nla_put_failure;
1102
1103 nlmsg_end(skb, nlh);
1104 return 0;
1105
1106 nla_put_failure:
1107 nlmsg_trim(skb, nlh);
1108 return -1;
1109 }
1110
1111 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1112 {
1113 struct sk_buff *skb;
1114 int err;
1115
1116 if (!ctx->report &&
1117 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1118 return;
1119
1120 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1121 if (skb == NULL)
1122 goto err;
1123
1124 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1125 event, 0, ctx->afi->family, ctx->table,
1126 ctx->chain);
1127 if (err < 0) {
1128 kfree_skb(skb);
1129 goto err;
1130 }
1131
1132 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1133 ctx->report, GFP_KERNEL);
1134 return;
1135 err:
1136 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1137 }
1138
1139 static int nf_tables_dump_chains(struct sk_buff *skb,
1140 struct netlink_callback *cb)
1141 {
1142 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1143 const struct nft_af_info *afi;
1144 const struct nft_table *table;
1145 const struct nft_chain *chain;
1146 unsigned int idx = 0, s_idx = cb->args[0];
1147 struct net *net = sock_net(skb->sk);
1148 int family = nfmsg->nfgen_family;
1149
1150 rcu_read_lock();
1151 cb->seq = net->nft.base_seq;
1152
1153 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
1154 if (family != NFPROTO_UNSPEC && family != afi->family)
1155 continue;
1156
1157 list_for_each_entry_rcu(table, &afi->tables, list) {
1158 list_for_each_entry_rcu(chain, &table->chains, list) {
1159 if (idx < s_idx)
1160 goto cont;
1161 if (idx > s_idx)
1162 memset(&cb->args[1], 0,
1163 sizeof(cb->args) - sizeof(cb->args[0]));
1164 if (!nft_is_active(net, chain))
1165 continue;
1166 if (nf_tables_fill_chain_info(skb, net,
1167 NETLINK_CB(cb->skb).portid,
1168 cb->nlh->nlmsg_seq,
1169 NFT_MSG_NEWCHAIN,
1170 NLM_F_MULTI,
1171 afi->family, table, chain) < 0)
1172 goto done;
1173
1174 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1175 cont:
1176 idx++;
1177 }
1178 }
1179 }
1180 done:
1181 rcu_read_unlock();
1182 cb->args[0] = idx;
1183 return skb->len;
1184 }
1185
1186 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1187 struct sk_buff *skb, const struct nlmsghdr *nlh,
1188 const struct nlattr * const nla[],
1189 struct netlink_ext_ack *extack)
1190 {
1191 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1192 u8 genmask = nft_genmask_cur(net);
1193 const struct nft_af_info *afi;
1194 const struct nft_table *table;
1195 const struct nft_chain *chain;
1196 struct sk_buff *skb2;
1197 int family = nfmsg->nfgen_family;
1198 int err;
1199
1200 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1201 struct netlink_dump_control c = {
1202 .dump = nf_tables_dump_chains,
1203 };
1204 return netlink_dump_start(nlsk, skb, nlh, &c);
1205 }
1206
1207 afi = nf_tables_afinfo_lookup(net, family, false);
1208 if (IS_ERR(afi))
1209 return PTR_ERR(afi);
1210
1211 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1212 if (IS_ERR(table))
1213 return PTR_ERR(table);
1214
1215 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1216 if (IS_ERR(chain))
1217 return PTR_ERR(chain);
1218
1219 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1220 if (!skb2)
1221 return -ENOMEM;
1222
1223 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1224 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1225 family, table, chain);
1226 if (err < 0)
1227 goto err;
1228
1229 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1230
1231 err:
1232 kfree_skb(skb2);
1233 return err;
1234 }
1235
1236 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1237 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1238 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1239 };
1240
1241 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1242 {
1243 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1244 struct nft_stats __percpu *newstats;
1245 struct nft_stats *stats;
1246 int err;
1247
1248 err = nla_parse_nested(tb, NFTA_COUNTER_MAX, attr, nft_counter_policy,
1249 NULL);
1250 if (err < 0)
1251 return ERR_PTR(err);
1252
1253 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1254 return ERR_PTR(-EINVAL);
1255
1256 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1257 if (newstats == NULL)
1258 return ERR_PTR(-ENOMEM);
1259
1260 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1261 * are not exposed to userspace.
1262 */
1263 preempt_disable();
1264 stats = this_cpu_ptr(newstats);
1265 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1266 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1267 preempt_enable();
1268
1269 return newstats;
1270 }
1271
1272 static void nft_chain_stats_replace(struct nft_base_chain *chain,
1273 struct nft_stats __percpu *newstats)
1274 {
1275 if (newstats == NULL)
1276 return;
1277
1278 if (chain->stats) {
1279 struct nft_stats __percpu *oldstats =
1280 nft_dereference(chain->stats);
1281
1282 rcu_assign_pointer(chain->stats, newstats);
1283 synchronize_rcu();
1284 free_percpu(oldstats);
1285 } else {
1286 rcu_assign_pointer(chain->stats, newstats);
1287 static_branch_inc(&nft_counters_enabled);
1288 }
1289 }
1290
1291 static void nf_tables_chain_destroy(struct nft_chain *chain)
1292 {
1293 if (WARN_ON(chain->use > 0))
1294 return;
1295
1296 if (nft_is_base_chain(chain)) {
1297 struct nft_base_chain *basechain = nft_base_chain(chain);
1298
1299 module_put(basechain->type->owner);
1300 free_percpu(basechain->stats);
1301 if (basechain->stats)
1302 static_branch_dec(&nft_counters_enabled);
1303 if (basechain->ops[0].dev != NULL)
1304 dev_put(basechain->ops[0].dev);
1305 kfree(chain->name);
1306 kfree(basechain);
1307 } else {
1308 kfree(chain->name);
1309 kfree(chain);
1310 }
1311 }
1312
1313 struct nft_chain_hook {
1314 u32 num;
1315 u32 priority;
1316 const struct nf_chain_type *type;
1317 struct net_device *dev;
1318 };
1319
1320 static int nft_chain_parse_hook(struct net *net,
1321 const struct nlattr * const nla[],
1322 struct nft_af_info *afi,
1323 struct nft_chain_hook *hook, bool create)
1324 {
1325 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1326 const struct nf_chain_type *type;
1327 struct net_device *dev;
1328 int err;
1329
1330 err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],
1331 nft_hook_policy, NULL);
1332 if (err < 0)
1333 return err;
1334
1335 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1336 ha[NFTA_HOOK_PRIORITY] == NULL)
1337 return -EINVAL;
1338
1339 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1340 if (hook->num >= afi->nhooks)
1341 return -EINVAL;
1342
1343 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1344
1345 type = chain_type[afi->family][NFT_CHAIN_T_DEFAULT];
1346 if (nla[NFTA_CHAIN_TYPE]) {
1347 type = nf_tables_chain_type_lookup(afi, nla[NFTA_CHAIN_TYPE],
1348 create);
1349 if (IS_ERR(type))
1350 return PTR_ERR(type);
1351 }
1352 if (!(type->hook_mask & (1 << hook->num)))
1353 return -EOPNOTSUPP;
1354 if (!try_module_get(type->owner))
1355 return -ENOENT;
1356
1357 hook->type = type;
1358
1359 hook->dev = NULL;
1360 if (afi->flags & NFT_AF_NEEDS_DEV) {
1361 char ifname[IFNAMSIZ];
1362
1363 if (!ha[NFTA_HOOK_DEV]) {
1364 module_put(type->owner);
1365 return -EOPNOTSUPP;
1366 }
1367
1368 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1369 dev = dev_get_by_name(net, ifname);
1370 if (!dev) {
1371 module_put(type->owner);
1372 return -ENOENT;
1373 }
1374 hook->dev = dev;
1375 } else if (ha[NFTA_HOOK_DEV]) {
1376 module_put(type->owner);
1377 return -EOPNOTSUPP;
1378 }
1379
1380 return 0;
1381 }
1382
1383 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1384 {
1385 module_put(hook->type->owner);
1386 if (hook->dev != NULL)
1387 dev_put(hook->dev);
1388 }
1389
1390 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1391 u8 policy, bool create)
1392 {
1393 const struct nlattr * const *nla = ctx->nla;
1394 struct nft_table *table = ctx->table;
1395 struct nft_af_info *afi = ctx->afi;
1396 struct nft_base_chain *basechain;
1397 struct nft_stats __percpu *stats;
1398 struct net *net = ctx->net;
1399 struct nft_chain *chain;
1400 unsigned int i;
1401 int err;
1402
1403 if (table->use == UINT_MAX)
1404 return -EOVERFLOW;
1405
1406 if (nla[NFTA_CHAIN_HOOK]) {
1407 struct nft_chain_hook hook;
1408 struct nf_hook_ops *ops;
1409 nf_hookfn *hookfn;
1410
1411 err = nft_chain_parse_hook(net, nla, afi, &hook, create);
1412 if (err < 0)
1413 return err;
1414
1415 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1416 if (basechain == NULL) {
1417 nft_chain_release_hook(&hook);
1418 return -ENOMEM;
1419 }
1420
1421 if (hook.dev != NULL)
1422 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1423
1424 if (nla[NFTA_CHAIN_COUNTERS]) {
1425 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1426 if (IS_ERR(stats)) {
1427 nft_chain_release_hook(&hook);
1428 kfree(basechain);
1429 return PTR_ERR(stats);
1430 }
1431 basechain->stats = stats;
1432 static_branch_inc(&nft_counters_enabled);
1433 }
1434
1435 hookfn = hook.type->hooks[hook.num];
1436 basechain->type = hook.type;
1437 chain = &basechain->chain;
1438
1439 for (i = 0; i < afi->nops; i++) {
1440 ops = &basechain->ops[i];
1441 ops->pf = family;
1442 ops->hooknum = hook.num;
1443 ops->priority = hook.priority;
1444 ops->priv = chain;
1445 ops->hook = afi->hooks[ops->hooknum];
1446 ops->dev = hook.dev;
1447 if (hookfn)
1448 ops->hook = hookfn;
1449 if (afi->hook_ops_init)
1450 afi->hook_ops_init(ops, i);
1451 }
1452
1453 chain->flags |= NFT_BASE_CHAIN;
1454 basechain->policy = policy;
1455 } else {
1456 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1457 if (chain == NULL)
1458 return -ENOMEM;
1459 }
1460 INIT_LIST_HEAD(&chain->rules);
1461 chain->handle = nf_tables_alloc_handle(table);
1462 chain->table = table;
1463 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1464 if (!chain->name) {
1465 err = -ENOMEM;
1466 goto err1;
1467 }
1468
1469 err = nf_tables_register_hooks(net, table, chain, afi->nops);
1470 if (err < 0)
1471 goto err1;
1472
1473 ctx->chain = chain;
1474 err = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1475 if (err < 0)
1476 goto err2;
1477
1478 table->use++;
1479 list_add_tail_rcu(&chain->list, &table->chains);
1480
1481 return 0;
1482 err2:
1483 nf_tables_unregister_hooks(net, table, chain, afi->nops);
1484 err1:
1485 nf_tables_chain_destroy(chain);
1486
1487 return err;
1488 }
1489
1490 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1491 bool create)
1492 {
1493 const struct nlattr * const *nla = ctx->nla;
1494 struct nft_table *table = ctx->table;
1495 struct nft_chain *chain = ctx->chain;
1496 struct nft_af_info *afi = ctx->afi;
1497 struct nft_base_chain *basechain;
1498 struct nft_stats *stats = NULL;
1499 struct nft_chain_hook hook;
1500 struct nf_hook_ops *ops;
1501 struct nft_trans *trans;
1502 int err, i;
1503
1504 if (nla[NFTA_CHAIN_HOOK]) {
1505 if (!nft_is_base_chain(chain))
1506 return -EBUSY;
1507
1508 err = nft_chain_parse_hook(ctx->net, nla, ctx->afi, &hook,
1509 create);
1510 if (err < 0)
1511 return err;
1512
1513 basechain = nft_base_chain(chain);
1514 if (basechain->type != hook.type) {
1515 nft_chain_release_hook(&hook);
1516 return -EBUSY;
1517 }
1518
1519 for (i = 0; i < afi->nops; i++) {
1520 ops = &basechain->ops[i];
1521 if (ops->hooknum != hook.num ||
1522 ops->priority != hook.priority ||
1523 ops->dev != hook.dev) {
1524 nft_chain_release_hook(&hook);
1525 return -EBUSY;
1526 }
1527 }
1528 nft_chain_release_hook(&hook);
1529 }
1530
1531 if (nla[NFTA_CHAIN_HANDLE] &&
1532 nla[NFTA_CHAIN_NAME]) {
1533 struct nft_chain *chain2;
1534
1535 chain2 = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME],
1536 genmask);
1537 if (!IS_ERR(chain2))
1538 return -EEXIST;
1539 }
1540
1541 if (nla[NFTA_CHAIN_COUNTERS]) {
1542 if (!nft_is_base_chain(chain))
1543 return -EOPNOTSUPP;
1544
1545 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1546 if (IS_ERR(stats))
1547 return PTR_ERR(stats);
1548 }
1549
1550 err = -ENOMEM;
1551 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1552 sizeof(struct nft_trans_chain));
1553 if (trans == NULL)
1554 goto err;
1555
1556 nft_trans_chain_stats(trans) = stats;
1557 nft_trans_chain_update(trans) = true;
1558
1559 if (nla[NFTA_CHAIN_POLICY])
1560 nft_trans_chain_policy(trans) = policy;
1561 else
1562 nft_trans_chain_policy(trans) = -1;
1563
1564 if (nla[NFTA_CHAIN_HANDLE] &&
1565 nla[NFTA_CHAIN_NAME]) {
1566 struct nft_trans *tmp;
1567 char *name;
1568
1569 err = -ENOMEM;
1570 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1571 if (!name)
1572 goto err;
1573
1574 err = -EEXIST;
1575 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
1576 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
1577 tmp->ctx.table == table &&
1578 nft_trans_chain_update(tmp) &&
1579 nft_trans_chain_name(tmp) &&
1580 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
1581 kfree(name);
1582 goto err;
1583 }
1584 }
1585
1586 nft_trans_chain_name(trans) = name;
1587 }
1588 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1589
1590 return 0;
1591 err:
1592 free_percpu(stats);
1593 kfree(trans);
1594 return err;
1595 }
1596
1597 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1598 struct sk_buff *skb, const struct nlmsghdr *nlh,
1599 const struct nlattr * const nla[],
1600 struct netlink_ext_ack *extack)
1601 {
1602 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1603 const struct nlattr * uninitialized_var(name);
1604 u8 genmask = nft_genmask_next(net);
1605 int family = nfmsg->nfgen_family;
1606 struct nft_af_info *afi;
1607 struct nft_table *table;
1608 struct nft_chain *chain;
1609 u8 policy = NF_ACCEPT;
1610 struct nft_ctx ctx;
1611 u64 handle = 0;
1612 bool create;
1613
1614 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
1615
1616 afi = nf_tables_afinfo_lookup(net, family, true);
1617 if (IS_ERR(afi))
1618 return PTR_ERR(afi);
1619
1620 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1621 if (IS_ERR(table))
1622 return PTR_ERR(table);
1623
1624 chain = NULL;
1625 name = nla[NFTA_CHAIN_NAME];
1626
1627 if (nla[NFTA_CHAIN_HANDLE]) {
1628 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1629 chain = nf_tables_chain_lookup_byhandle(table, handle, genmask);
1630 if (IS_ERR(chain))
1631 return PTR_ERR(chain);
1632 } else {
1633 chain = nf_tables_chain_lookup(table, name, genmask);
1634 if (IS_ERR(chain)) {
1635 if (PTR_ERR(chain) != -ENOENT)
1636 return PTR_ERR(chain);
1637 chain = NULL;
1638 }
1639 }
1640
1641 if (nla[NFTA_CHAIN_POLICY]) {
1642 if (chain != NULL &&
1643 !nft_is_base_chain(chain))
1644 return -EOPNOTSUPP;
1645
1646 if (chain == NULL &&
1647 nla[NFTA_CHAIN_HOOK] == NULL)
1648 return -EOPNOTSUPP;
1649
1650 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1651 switch (policy) {
1652 case NF_DROP:
1653 case NF_ACCEPT:
1654 break;
1655 default:
1656 return -EINVAL;
1657 }
1658 }
1659
1660 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1661
1662 if (chain != NULL) {
1663 if (nlh->nlmsg_flags & NLM_F_EXCL)
1664 return -EEXIST;
1665 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1666 return -EOPNOTSUPP;
1667
1668 return nf_tables_updchain(&ctx, genmask, policy, create);
1669 }
1670
1671 return nf_tables_addchain(&ctx, family, genmask, policy, create);
1672 }
1673
1674 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1675 struct sk_buff *skb, const struct nlmsghdr *nlh,
1676 const struct nlattr * const nla[],
1677 struct netlink_ext_ack *extack)
1678 {
1679 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1680 u8 genmask = nft_genmask_next(net);
1681 struct nft_af_info *afi;
1682 struct nft_table *table;
1683 struct nft_chain *chain;
1684 struct nft_rule *rule;
1685 int family = nfmsg->nfgen_family;
1686 struct nft_ctx ctx;
1687 u32 use;
1688 int err;
1689
1690 afi = nf_tables_afinfo_lookup(net, family, false);
1691 if (IS_ERR(afi))
1692 return PTR_ERR(afi);
1693
1694 table = nf_tables_table_lookup(afi, nla[NFTA_CHAIN_TABLE], genmask);
1695 if (IS_ERR(table))
1696 return PTR_ERR(table);
1697
1698 chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME], genmask);
1699 if (IS_ERR(chain))
1700 return PTR_ERR(chain);
1701
1702 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1703 chain->use > 0)
1704 return -EBUSY;
1705
1706 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
1707
1708 use = chain->use;
1709 list_for_each_entry(rule, &chain->rules, list) {
1710 if (!nft_is_active_next(net, rule))
1711 continue;
1712 use--;
1713
1714 err = nft_delrule(&ctx, rule);
1715 if (err < 0)
1716 return err;
1717 }
1718
1719 /* There are rules and elements that are still holding references to us,
1720 * we cannot do a recursive removal in this case.
1721 */
1722 if (use > 0)
1723 return -EBUSY;
1724
1725 return nft_delchain(&ctx);
1726 }
1727
1728 /*
1729 * Expressions
1730 */
1731
1732 /**
1733 * nft_register_expr - register nf_tables expr type
1734 * @ops: expr type
1735 *
1736 * Registers the expr type for use with nf_tables. Returns zero on
1737 * success or a negative errno code otherwise.
1738 */
1739 int nft_register_expr(struct nft_expr_type *type)
1740 {
1741 if (!nft_expr_check_ops(type->ops))
1742 return -EINVAL;
1743
1744 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1745 if (type->family == NFPROTO_UNSPEC)
1746 list_add_tail_rcu(&type->list, &nf_tables_expressions);
1747 else
1748 list_add_rcu(&type->list, &nf_tables_expressions);
1749 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1750 return 0;
1751 }
1752 EXPORT_SYMBOL_GPL(nft_register_expr);
1753
1754 /**
1755 * nft_unregister_expr - unregister nf_tables expr type
1756 * @ops: expr type
1757 *
1758 * Unregisters the expr typefor use with nf_tables.
1759 */
1760 void nft_unregister_expr(struct nft_expr_type *type)
1761 {
1762 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1763 list_del_rcu(&type->list);
1764 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1765 }
1766 EXPORT_SYMBOL_GPL(nft_unregister_expr);
1767
1768 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
1769 struct nlattr *nla)
1770 {
1771 const struct nft_expr_type *type;
1772
1773 list_for_each_entry(type, &nf_tables_expressions, list) {
1774 if (!nla_strcmp(nla, type->name) &&
1775 (!type->family || type->family == family))
1776 return type;
1777 }
1778 return NULL;
1779 }
1780
1781 static const struct nft_expr_type *nft_expr_type_get(u8 family,
1782 struct nlattr *nla)
1783 {
1784 const struct nft_expr_type *type;
1785
1786 if (nla == NULL)
1787 return ERR_PTR(-EINVAL);
1788
1789 type = __nft_expr_type_get(family, nla);
1790 if (type != NULL && try_module_get(type->owner))
1791 return type;
1792
1793 #ifdef CONFIG_MODULES
1794 if (type == NULL) {
1795 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1796 request_module("nft-expr-%u-%.*s", family,
1797 nla_len(nla), (char *)nla_data(nla));
1798 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1799 if (__nft_expr_type_get(family, nla))
1800 return ERR_PTR(-EAGAIN);
1801
1802 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1803 request_module("nft-expr-%.*s",
1804 nla_len(nla), (char *)nla_data(nla));
1805 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1806 if (__nft_expr_type_get(family, nla))
1807 return ERR_PTR(-EAGAIN);
1808 }
1809 #endif
1810 return ERR_PTR(-ENOENT);
1811 }
1812
1813 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
1814 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
1815 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
1816 };
1817
1818 static int nf_tables_fill_expr_info(struct sk_buff *skb,
1819 const struct nft_expr *expr)
1820 {
1821 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
1822 goto nla_put_failure;
1823
1824 if (expr->ops->dump) {
1825 struct nlattr *data = nla_nest_start(skb, NFTA_EXPR_DATA);
1826 if (data == NULL)
1827 goto nla_put_failure;
1828 if (expr->ops->dump(skb, expr) < 0)
1829 goto nla_put_failure;
1830 nla_nest_end(skb, data);
1831 }
1832
1833 return skb->len;
1834
1835 nla_put_failure:
1836 return -1;
1837 };
1838
1839 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
1840 const struct nft_expr *expr)
1841 {
1842 struct nlattr *nest;
1843
1844 nest = nla_nest_start(skb, attr);
1845 if (!nest)
1846 goto nla_put_failure;
1847 if (nf_tables_fill_expr_info(skb, expr) < 0)
1848 goto nla_put_failure;
1849 nla_nest_end(skb, nest);
1850 return 0;
1851
1852 nla_put_failure:
1853 return -1;
1854 }
1855
1856 struct nft_expr_info {
1857 const struct nft_expr_ops *ops;
1858 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
1859 };
1860
1861 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
1862 const struct nlattr *nla,
1863 struct nft_expr_info *info)
1864 {
1865 const struct nft_expr_type *type;
1866 const struct nft_expr_ops *ops;
1867 struct nlattr *tb[NFTA_EXPR_MAX + 1];
1868 int err;
1869
1870 err = nla_parse_nested(tb, NFTA_EXPR_MAX, nla, nft_expr_policy, NULL);
1871 if (err < 0)
1872 return err;
1873
1874 type = nft_expr_type_get(ctx->afi->family, tb[NFTA_EXPR_NAME]);
1875 if (IS_ERR(type))
1876 return PTR_ERR(type);
1877
1878 if (tb[NFTA_EXPR_DATA]) {
1879 err = nla_parse_nested(info->tb, type->maxattr,
1880 tb[NFTA_EXPR_DATA], type->policy, NULL);
1881 if (err < 0)
1882 goto err1;
1883 } else
1884 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
1885
1886 if (type->select_ops != NULL) {
1887 ops = type->select_ops(ctx,
1888 (const struct nlattr * const *)info->tb);
1889 if (IS_ERR(ops)) {
1890 err = PTR_ERR(ops);
1891 goto err1;
1892 }
1893 if (!nft_expr_check_ops(ops)) {
1894 err = -EINVAL;
1895 goto err1;
1896 }
1897 } else
1898 ops = type->ops;
1899
1900 info->ops = ops;
1901 return 0;
1902
1903 err1:
1904 module_put(type->owner);
1905 return err;
1906 }
1907
1908 static int nf_tables_newexpr(const struct nft_ctx *ctx,
1909 const struct nft_expr_info *info,
1910 struct nft_expr *expr)
1911 {
1912 const struct nft_expr_ops *ops = info->ops;
1913 int err;
1914
1915 expr->ops = ops;
1916 if (ops->init) {
1917 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
1918 if (err < 0)
1919 goto err1;
1920 }
1921
1922 if (ops->validate) {
1923 const struct nft_data *data = NULL;
1924
1925 err = ops->validate(ctx, expr, &data);
1926 if (err < 0)
1927 goto err2;
1928 }
1929
1930 return 0;
1931
1932 err2:
1933 if (ops->destroy)
1934 ops->destroy(ctx, expr);
1935 err1:
1936 expr->ops = NULL;
1937 return err;
1938 }
1939
1940 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
1941 struct nft_expr *expr)
1942 {
1943 const struct nft_expr_type *type = expr->ops->type;
1944
1945 if (expr->ops->destroy)
1946 expr->ops->destroy(ctx, expr);
1947 module_put(type->owner);
1948 }
1949
1950 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
1951 const struct nlattr *nla)
1952 {
1953 struct nft_expr_info info;
1954 struct nft_expr *expr;
1955 int err;
1956
1957 err = nf_tables_expr_parse(ctx, nla, &info);
1958 if (err < 0)
1959 goto err1;
1960
1961 err = -ENOMEM;
1962 expr = kzalloc(info.ops->size, GFP_KERNEL);
1963 if (expr == NULL)
1964 goto err2;
1965
1966 err = nf_tables_newexpr(ctx, &info, expr);
1967 if (err < 0)
1968 goto err3;
1969
1970 return expr;
1971 err3:
1972 kfree(expr);
1973 err2:
1974 module_put(info.ops->type->owner);
1975 err1:
1976 return ERR_PTR(err);
1977 }
1978
1979 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
1980 {
1981 nf_tables_expr_destroy(ctx, expr);
1982 kfree(expr);
1983 }
1984
1985 /*
1986 * Rules
1987 */
1988
1989 static struct nft_rule *__nf_tables_rule_lookup(const struct nft_chain *chain,
1990 u64 handle)
1991 {
1992 struct nft_rule *rule;
1993
1994 // FIXME: this sucks
1995 list_for_each_entry(rule, &chain->rules, list) {
1996 if (handle == rule->handle)
1997 return rule;
1998 }
1999
2000 return ERR_PTR(-ENOENT);
2001 }
2002
2003 static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
2004 const struct nlattr *nla)
2005 {
2006 if (nla == NULL)
2007 return ERR_PTR(-EINVAL);
2008
2009 return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2010 }
2011
2012 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2013 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2014 .len = NFT_TABLE_MAXNAMELEN - 1 },
2015 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2016 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2017 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2018 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2019 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2020 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2021 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2022 .len = NFT_USERDATA_MAXLEN },
2023 [NFTA_RULE_ID] = { .type = NLA_U32 },
2024 };
2025
2026 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2027 u32 portid, u32 seq, int event,
2028 u32 flags, int family,
2029 const struct nft_table *table,
2030 const struct nft_chain *chain,
2031 const struct nft_rule *rule)
2032 {
2033 struct nlmsghdr *nlh;
2034 struct nfgenmsg *nfmsg;
2035 const struct nft_expr *expr, *next;
2036 struct nlattr *list;
2037 const struct nft_rule *prule;
2038 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2039
2040 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2041 if (nlh == NULL)
2042 goto nla_put_failure;
2043
2044 nfmsg = nlmsg_data(nlh);
2045 nfmsg->nfgen_family = family;
2046 nfmsg->version = NFNETLINK_V0;
2047 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2048
2049 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2050 goto nla_put_failure;
2051 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2052 goto nla_put_failure;
2053 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2054 NFTA_RULE_PAD))
2055 goto nla_put_failure;
2056
2057 if ((event != NFT_MSG_DELRULE) && (rule->list.prev != &chain->rules)) {
2058 prule = list_prev_entry(rule, list);
2059 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2060 cpu_to_be64(prule->handle),
2061 NFTA_RULE_PAD))
2062 goto nla_put_failure;
2063 }
2064
2065 list = nla_nest_start(skb, NFTA_RULE_EXPRESSIONS);
2066 if (list == NULL)
2067 goto nla_put_failure;
2068 nft_rule_for_each_expr(expr, next, rule) {
2069 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2070 goto nla_put_failure;
2071 }
2072 nla_nest_end(skb, list);
2073
2074 if (rule->udata) {
2075 struct nft_userdata *udata = nft_userdata(rule);
2076 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2077 udata->data) < 0)
2078 goto nla_put_failure;
2079 }
2080
2081 nlmsg_end(skb, nlh);
2082 return 0;
2083
2084 nla_put_failure:
2085 nlmsg_trim(skb, nlh);
2086 return -1;
2087 }
2088
2089 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2090 const struct nft_rule *rule, int event)
2091 {
2092 struct sk_buff *skb;
2093 int err;
2094
2095 if (!ctx->report &&
2096 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2097 return;
2098
2099 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2100 if (skb == NULL)
2101 goto err;
2102
2103 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2104 event, 0, ctx->afi->family, ctx->table,
2105 ctx->chain, rule);
2106 if (err < 0) {
2107 kfree_skb(skb);
2108 goto err;
2109 }
2110
2111 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2112 ctx->report, GFP_KERNEL);
2113 return;
2114 err:
2115 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2116 }
2117
2118 struct nft_rule_dump_ctx {
2119 char *table;
2120 char *chain;
2121 };
2122
2123 static int nf_tables_dump_rules(struct sk_buff *skb,
2124 struct netlink_callback *cb)
2125 {
2126 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2127 const struct nft_rule_dump_ctx *ctx = cb->data;
2128 const struct nft_af_info *afi;
2129 const struct nft_table *table;
2130 const struct nft_chain *chain;
2131 const struct nft_rule *rule;
2132 unsigned int idx = 0, s_idx = cb->args[0];
2133 struct net *net = sock_net(skb->sk);
2134 int family = nfmsg->nfgen_family;
2135
2136 rcu_read_lock();
2137 cb->seq = net->nft.base_seq;
2138
2139 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2140 if (family != NFPROTO_UNSPEC && family != afi->family)
2141 continue;
2142
2143 list_for_each_entry_rcu(table, &afi->tables, list) {
2144 if (ctx && ctx->table &&
2145 strcmp(ctx->table, table->name) != 0)
2146 continue;
2147
2148 list_for_each_entry_rcu(chain, &table->chains, list) {
2149 if (ctx && ctx->chain &&
2150 strcmp(ctx->chain, chain->name) != 0)
2151 continue;
2152
2153 list_for_each_entry_rcu(rule, &chain->rules, list) {
2154 if (!nft_is_active(net, rule))
2155 goto cont;
2156 if (idx < s_idx)
2157 goto cont;
2158 if (idx > s_idx)
2159 memset(&cb->args[1], 0,
2160 sizeof(cb->args) - sizeof(cb->args[0]));
2161 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2162 cb->nlh->nlmsg_seq,
2163 NFT_MSG_NEWRULE,
2164 NLM_F_MULTI | NLM_F_APPEND,
2165 afi->family, table, chain, rule) < 0)
2166 goto done;
2167
2168 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2169 cont:
2170 idx++;
2171 }
2172 }
2173 }
2174 }
2175 done:
2176 rcu_read_unlock();
2177
2178 cb->args[0] = idx;
2179 return skb->len;
2180 }
2181
2182 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2183 {
2184 struct nft_rule_dump_ctx *ctx = cb->data;
2185
2186 if (ctx) {
2187 kfree(ctx->table);
2188 kfree(ctx->chain);
2189 kfree(ctx);
2190 }
2191 return 0;
2192 }
2193
2194 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2195 struct sk_buff *skb, const struct nlmsghdr *nlh,
2196 const struct nlattr * const nla[],
2197 struct netlink_ext_ack *extack)
2198 {
2199 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2200 u8 genmask = nft_genmask_cur(net);
2201 const struct nft_af_info *afi;
2202 const struct nft_table *table;
2203 const struct nft_chain *chain;
2204 const struct nft_rule *rule;
2205 struct sk_buff *skb2;
2206 int family = nfmsg->nfgen_family;
2207 int err;
2208
2209 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2210 struct netlink_dump_control c = {
2211 .dump = nf_tables_dump_rules,
2212 .done = nf_tables_dump_rules_done,
2213 };
2214
2215 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2216 struct nft_rule_dump_ctx *ctx;
2217
2218 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
2219 if (!ctx)
2220 return -ENOMEM;
2221
2222 if (nla[NFTA_RULE_TABLE]) {
2223 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2224 GFP_KERNEL);
2225 if (!ctx->table) {
2226 kfree(ctx);
2227 return -ENOMEM;
2228 }
2229 }
2230 if (nla[NFTA_RULE_CHAIN]) {
2231 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2232 GFP_KERNEL);
2233 if (!ctx->chain) {
2234 kfree(ctx->table);
2235 kfree(ctx);
2236 return -ENOMEM;
2237 }
2238 }
2239 c.data = ctx;
2240 }
2241
2242 return netlink_dump_start(nlsk, skb, nlh, &c);
2243 }
2244
2245 afi = nf_tables_afinfo_lookup(net, family, false);
2246 if (IS_ERR(afi))
2247 return PTR_ERR(afi);
2248
2249 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2250 if (IS_ERR(table))
2251 return PTR_ERR(table);
2252
2253 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2254 if (IS_ERR(chain))
2255 return PTR_ERR(chain);
2256
2257 rule = nf_tables_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2258 if (IS_ERR(rule))
2259 return PTR_ERR(rule);
2260
2261 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2262 if (!skb2)
2263 return -ENOMEM;
2264
2265 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2266 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2267 family, table, chain, rule);
2268 if (err < 0)
2269 goto err;
2270
2271 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2272
2273 err:
2274 kfree_skb(skb2);
2275 return err;
2276 }
2277
2278 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2279 struct nft_rule *rule)
2280 {
2281 struct nft_expr *expr, *next;
2282
2283 /*
2284 * Careful: some expressions might not be initialized in case this
2285 * is called on error from nf_tables_newrule().
2286 */
2287 expr = nft_expr_first(rule);
2288 while (expr != nft_expr_last(rule) && expr->ops) {
2289 next = nft_expr_next(expr);
2290 nf_tables_expr_destroy(ctx, expr);
2291 expr = next;
2292 }
2293 kfree(rule);
2294 }
2295
2296 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2297 struct nft_rule *rule)
2298 {
2299 nft_rule_expr_deactivate(ctx, rule);
2300 nf_tables_rule_destroy(ctx, rule);
2301 }
2302
2303 #define NFT_RULE_MAXEXPRS 128
2304
2305 static struct nft_expr_info *info;
2306
2307 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2308 struct sk_buff *skb, const struct nlmsghdr *nlh,
2309 const struct nlattr * const nla[],
2310 struct netlink_ext_ack *extack)
2311 {
2312 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2313 u8 genmask = nft_genmask_next(net);
2314 struct nft_af_info *afi;
2315 struct nft_table *table;
2316 struct nft_chain *chain;
2317 struct nft_rule *rule, *old_rule = NULL;
2318 struct nft_userdata *udata;
2319 struct nft_trans *trans = NULL;
2320 struct nft_expr *expr;
2321 struct nft_ctx ctx;
2322 struct nlattr *tmp;
2323 unsigned int size, i, n, ulen = 0, usize = 0;
2324 int err, rem;
2325 bool create;
2326 u64 handle, pos_handle;
2327
2328 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
2329
2330 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
2331 if (IS_ERR(afi))
2332 return PTR_ERR(afi);
2333
2334 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2335 if (IS_ERR(table))
2336 return PTR_ERR(table);
2337
2338 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN], genmask);
2339 if (IS_ERR(chain))
2340 return PTR_ERR(chain);
2341
2342 if (nla[NFTA_RULE_HANDLE]) {
2343 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2344 rule = __nf_tables_rule_lookup(chain, handle);
2345 if (IS_ERR(rule))
2346 return PTR_ERR(rule);
2347
2348 if (nlh->nlmsg_flags & NLM_F_EXCL)
2349 return -EEXIST;
2350 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2351 old_rule = rule;
2352 else
2353 return -EOPNOTSUPP;
2354 } else {
2355 if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
2356 return -EINVAL;
2357 handle = nf_tables_alloc_handle(table);
2358
2359 if (chain->use == UINT_MAX)
2360 return -EOVERFLOW;
2361
2362 if (nla[NFTA_RULE_POSITION]) {
2363 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2364 old_rule = __nf_tables_rule_lookup(chain, pos_handle);
2365 if (IS_ERR(old_rule))
2366 return PTR_ERR(old_rule);
2367 }
2368 }
2369
2370 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2371
2372 n = 0;
2373 size = 0;
2374 if (nla[NFTA_RULE_EXPRESSIONS]) {
2375 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2376 err = -EINVAL;
2377 if (nla_type(tmp) != NFTA_LIST_ELEM)
2378 goto err1;
2379 if (n == NFT_RULE_MAXEXPRS)
2380 goto err1;
2381 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2382 if (err < 0)
2383 goto err1;
2384 size += info[n].ops->size;
2385 n++;
2386 }
2387 }
2388 /* Check for overflow of dlen field */
2389 err = -EFBIG;
2390 if (size >= 1 << 12)
2391 goto err1;
2392
2393 if (nla[NFTA_RULE_USERDATA]) {
2394 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2395 if (ulen > 0)
2396 usize = sizeof(struct nft_userdata) + ulen;
2397 }
2398
2399 err = -ENOMEM;
2400 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2401 if (rule == NULL)
2402 goto err1;
2403
2404 nft_activate_next(net, rule);
2405
2406 rule->handle = handle;
2407 rule->dlen = size;
2408 rule->udata = ulen ? 1 : 0;
2409
2410 if (ulen) {
2411 udata = nft_userdata(rule);
2412 udata->len = ulen - 1;
2413 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2414 }
2415
2416 expr = nft_expr_first(rule);
2417 for (i = 0; i < n; i++) {
2418 err = nf_tables_newexpr(&ctx, &info[i], expr);
2419 if (err < 0)
2420 goto err2;
2421 info[i].ops = NULL;
2422 expr = nft_expr_next(expr);
2423 }
2424
2425 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2426 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
2427 if (trans == NULL) {
2428 err = -ENOMEM;
2429 goto err2;
2430 }
2431 err = nft_delrule(&ctx, old_rule);
2432 if (err < 0) {
2433 nft_trans_destroy(trans);
2434 goto err2;
2435 }
2436
2437 list_add_tail_rcu(&rule->list, &old_rule->list);
2438 } else {
2439 if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
2440 err = -ENOMEM;
2441 goto err2;
2442 }
2443
2444 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2445 if (old_rule)
2446 list_add_rcu(&rule->list, &old_rule->list);
2447 else
2448 list_add_tail_rcu(&rule->list, &chain->rules);
2449 } else {
2450 if (old_rule)
2451 list_add_tail_rcu(&rule->list, &old_rule->list);
2452 else
2453 list_add_rcu(&rule->list, &chain->rules);
2454 }
2455 }
2456 chain->use++;
2457 return 0;
2458
2459 err2:
2460 nf_tables_rule_release(&ctx, rule);
2461 err1:
2462 for (i = 0; i < n; i++) {
2463 if (info[i].ops != NULL)
2464 module_put(info[i].ops->type->owner);
2465 }
2466 return err;
2467 }
2468
2469 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2470 const struct nlattr *nla)
2471 {
2472 u32 id = ntohl(nla_get_be32(nla));
2473 struct nft_trans *trans;
2474
2475 list_for_each_entry(trans, &net->nft.commit_list, list) {
2476 struct nft_rule *rule = nft_trans_rule(trans);
2477
2478 if (trans->msg_type == NFT_MSG_NEWRULE &&
2479 id == nft_trans_rule_id(trans))
2480 return rule;
2481 }
2482 return ERR_PTR(-ENOENT);
2483 }
2484
2485 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2486 struct sk_buff *skb, const struct nlmsghdr *nlh,
2487 const struct nlattr * const nla[],
2488 struct netlink_ext_ack *extack)
2489 {
2490 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2491 u8 genmask = nft_genmask_next(net);
2492 struct nft_af_info *afi;
2493 struct nft_table *table;
2494 struct nft_chain *chain = NULL;
2495 struct nft_rule *rule;
2496 int family = nfmsg->nfgen_family, err = 0;
2497 struct nft_ctx ctx;
2498
2499 afi = nf_tables_afinfo_lookup(net, family, false);
2500 if (IS_ERR(afi))
2501 return PTR_ERR(afi);
2502
2503 table = nf_tables_table_lookup(afi, nla[NFTA_RULE_TABLE], genmask);
2504 if (IS_ERR(table))
2505 return PTR_ERR(table);
2506
2507 if (nla[NFTA_RULE_CHAIN]) {
2508 chain = nf_tables_chain_lookup(table, nla[NFTA_RULE_CHAIN],
2509 genmask);
2510 if (IS_ERR(chain))
2511 return PTR_ERR(chain);
2512 }
2513
2514 nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
2515
2516 if (chain) {
2517 if (nla[NFTA_RULE_HANDLE]) {
2518 rule = nf_tables_rule_lookup(chain,
2519 nla[NFTA_RULE_HANDLE]);
2520 if (IS_ERR(rule))
2521 return PTR_ERR(rule);
2522
2523 err = nft_delrule(&ctx, rule);
2524 } else if (nla[NFTA_RULE_ID]) {
2525 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2526 if (IS_ERR(rule))
2527 return PTR_ERR(rule);
2528
2529 err = nft_delrule(&ctx, rule);
2530 } else {
2531 err = nft_delrule_by_chain(&ctx);
2532 }
2533 } else {
2534 list_for_each_entry(chain, &table->chains, list) {
2535 if (!nft_is_active_next(net, chain))
2536 continue;
2537
2538 ctx.chain = chain;
2539 err = nft_delrule_by_chain(&ctx);
2540 if (err < 0)
2541 break;
2542 }
2543 }
2544
2545 return err;
2546 }
2547
2548 /*
2549 * Sets
2550 */
2551
2552 static LIST_HEAD(nf_tables_set_types);
2553
2554 int nft_register_set(struct nft_set_type *type)
2555 {
2556 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2557 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2558 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2559 return 0;
2560 }
2561 EXPORT_SYMBOL_GPL(nft_register_set);
2562
2563 void nft_unregister_set(struct nft_set_type *type)
2564 {
2565 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2566 list_del_rcu(&type->list);
2567 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2568 }
2569 EXPORT_SYMBOL_GPL(nft_unregister_set);
2570
2571 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2572 NFT_SET_TIMEOUT | NFT_SET_OBJECT)
2573
2574 static bool nft_set_ops_candidate(const struct nft_set_ops *ops, u32 flags)
2575 {
2576 return (flags & ops->features) == (flags & NFT_SET_FEATURES);
2577 }
2578
2579 /*
2580 * Select a set implementation based on the data characteristics and the
2581 * given policy. The total memory use might not be known if no size is
2582 * given, in that case the amount of memory per element is used.
2583 */
2584 static const struct nft_set_ops *
2585 nft_select_set_ops(const struct nft_ctx *ctx,
2586 const struct nlattr * const nla[],
2587 const struct nft_set_desc *desc,
2588 enum nft_set_policies policy)
2589 {
2590 const struct nft_set_ops *ops, *bops;
2591 struct nft_set_estimate est, best;
2592 const struct nft_set_type *type;
2593 u32 flags = 0;
2594
2595 #ifdef CONFIG_MODULES
2596 if (list_empty(&nf_tables_set_types)) {
2597 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2598 request_module("nft-set");
2599 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2600 if (!list_empty(&nf_tables_set_types))
2601 return ERR_PTR(-EAGAIN);
2602 }
2603 #endif
2604 if (nla[NFTA_SET_FLAGS] != NULL)
2605 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
2606
2607 bops = NULL;
2608 best.size = ~0;
2609 best.lookup = ~0;
2610 best.space = ~0;
2611
2612 list_for_each_entry(type, &nf_tables_set_types, list) {
2613 if (!type->select_ops)
2614 ops = type->ops;
2615 else
2616 ops = type->select_ops(ctx, desc, flags);
2617 if (!ops)
2618 continue;
2619
2620 if (!nft_set_ops_candidate(ops, flags))
2621 continue;
2622 if (!ops->estimate(desc, flags, &est))
2623 continue;
2624
2625 switch (policy) {
2626 case NFT_SET_POL_PERFORMANCE:
2627 if (est.lookup < best.lookup)
2628 break;
2629 if (est.lookup == best.lookup &&
2630 est.space < best.space)
2631 break;
2632 continue;
2633 case NFT_SET_POL_MEMORY:
2634 if (!desc->size) {
2635 if (est.space < best.space)
2636 break;
2637 if (est.space == best.space &&
2638 est.lookup < best.lookup)
2639 break;
2640 } else if (est.size < best.size) {
2641 break;
2642 }
2643 continue;
2644 default:
2645 break;
2646 }
2647
2648 if (!try_module_get(type->owner))
2649 continue;
2650 if (bops != NULL)
2651 module_put(bops->type->owner);
2652
2653 bops = ops;
2654 best = est;
2655 }
2656
2657 if (bops != NULL)
2658 return bops;
2659
2660 return ERR_PTR(-EOPNOTSUPP);
2661 }
2662
2663 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
2664 [NFTA_SET_TABLE] = { .type = NLA_STRING,
2665 .len = NFT_TABLE_MAXNAMELEN - 1 },
2666 [NFTA_SET_NAME] = { .type = NLA_STRING,
2667 .len = NFT_SET_MAXNAMELEN - 1 },
2668 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
2669 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
2670 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
2671 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
2672 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
2673 [NFTA_SET_POLICY] = { .type = NLA_U32 },
2674 [NFTA_SET_DESC] = { .type = NLA_NESTED },
2675 [NFTA_SET_ID] = { .type = NLA_U32 },
2676 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
2677 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
2678 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
2679 .len = NFT_USERDATA_MAXLEN },
2680 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
2681 };
2682
2683 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
2684 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
2685 };
2686
2687 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
2688 const struct sk_buff *skb,
2689 const struct nlmsghdr *nlh,
2690 const struct nlattr * const nla[],
2691 u8 genmask)
2692 {
2693 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2694 struct nft_af_info *afi = NULL;
2695 struct nft_table *table = NULL;
2696
2697 if (nfmsg->nfgen_family != NFPROTO_UNSPEC) {
2698 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
2699 if (IS_ERR(afi))
2700 return PTR_ERR(afi);
2701 }
2702
2703 if (nla[NFTA_SET_TABLE] != NULL) {
2704 if (afi == NULL)
2705 return -EAFNOSUPPORT;
2706
2707 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE],
2708 genmask);
2709 if (IS_ERR(table))
2710 return PTR_ERR(table);
2711 }
2712
2713 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
2714 return 0;
2715 }
2716
2717 static struct nft_set *nf_tables_set_lookup(const struct nft_table *table,
2718 const struct nlattr *nla, u8 genmask)
2719 {
2720 struct nft_set *set;
2721
2722 if (nla == NULL)
2723 return ERR_PTR(-EINVAL);
2724
2725 list_for_each_entry(set, &table->sets, list) {
2726 if (!nla_strcmp(nla, set->name) &&
2727 nft_active_genmask(set, genmask))
2728 return set;
2729 }
2730 return ERR_PTR(-ENOENT);
2731 }
2732
2733 static struct nft_set *nf_tables_set_lookup_byid(const struct net *net,
2734 const struct nlattr *nla,
2735 u8 genmask)
2736 {
2737 struct nft_trans *trans;
2738 u32 id = ntohl(nla_get_be32(nla));
2739
2740 list_for_each_entry(trans, &net->nft.commit_list, list) {
2741 if (trans->msg_type == NFT_MSG_NEWSET) {
2742 struct nft_set *set = nft_trans_set(trans);
2743
2744 if (id == nft_trans_set_id(trans) &&
2745 nft_active_genmask(set, genmask))
2746 return set;
2747 }
2748 }
2749 return ERR_PTR(-ENOENT);
2750 }
2751
2752 struct nft_set *nft_set_lookup(const struct net *net,
2753 const struct nft_table *table,
2754 const struct nlattr *nla_set_name,
2755 const struct nlattr *nla_set_id,
2756 u8 genmask)
2757 {
2758 struct nft_set *set;
2759
2760 set = nf_tables_set_lookup(table, nla_set_name, genmask);
2761 if (IS_ERR(set)) {
2762 if (!nla_set_id)
2763 return set;
2764
2765 set = nf_tables_set_lookup_byid(net, nla_set_id, genmask);
2766 }
2767 return set;
2768 }
2769 EXPORT_SYMBOL_GPL(nft_set_lookup);
2770
2771 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
2772 const char *name)
2773 {
2774 const struct nft_set *i;
2775 const char *p;
2776 unsigned long *inuse;
2777 unsigned int n = 0, min = 0;
2778
2779 p = strchr(name, '%');
2780 if (p != NULL) {
2781 if (p[1] != 'd' || strchr(p + 2, '%'))
2782 return -EINVAL;
2783
2784 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
2785 if (inuse == NULL)
2786 return -ENOMEM;
2787 cont:
2788 list_for_each_entry(i, &ctx->table->sets, list) {
2789 int tmp;
2790
2791 if (!nft_is_active_next(ctx->net, set))
2792 continue;
2793 if (!sscanf(i->name, name, &tmp))
2794 continue;
2795 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
2796 continue;
2797
2798 set_bit(tmp - min, inuse);
2799 }
2800
2801 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
2802 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
2803 min += BITS_PER_BYTE * PAGE_SIZE;
2804 memset(inuse, 0, PAGE_SIZE);
2805 goto cont;
2806 }
2807 free_page((unsigned long)inuse);
2808 }
2809
2810 set->name = kasprintf(GFP_KERNEL, name, min + n);
2811 if (!set->name)
2812 return -ENOMEM;
2813
2814 list_for_each_entry(i, &ctx->table->sets, list) {
2815 if (!nft_is_active_next(ctx->net, i))
2816 continue;
2817 if (!strcmp(set->name, i->name)) {
2818 kfree(set->name);
2819 return -ENFILE;
2820 }
2821 }
2822 return 0;
2823 }
2824
2825 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
2826 const struct nft_set *set, u16 event, u16 flags)
2827 {
2828 struct nfgenmsg *nfmsg;
2829 struct nlmsghdr *nlh;
2830 struct nlattr *desc;
2831 u32 portid = ctx->portid;
2832 u32 seq = ctx->seq;
2833
2834 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2835 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
2836 flags);
2837 if (nlh == NULL)
2838 goto nla_put_failure;
2839
2840 nfmsg = nlmsg_data(nlh);
2841 nfmsg->nfgen_family = ctx->afi->family;
2842 nfmsg->version = NFNETLINK_V0;
2843 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
2844
2845 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
2846 goto nla_put_failure;
2847 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
2848 goto nla_put_failure;
2849 if (set->flags != 0)
2850 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
2851 goto nla_put_failure;
2852
2853 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
2854 goto nla_put_failure;
2855 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
2856 goto nla_put_failure;
2857 if (set->flags & NFT_SET_MAP) {
2858 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
2859 goto nla_put_failure;
2860 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
2861 goto nla_put_failure;
2862 }
2863 if (set->flags & NFT_SET_OBJECT &&
2864 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
2865 goto nla_put_failure;
2866
2867 if (set->timeout &&
2868 nla_put_be64(skb, NFTA_SET_TIMEOUT,
2869 cpu_to_be64(jiffies_to_msecs(set->timeout)),
2870 NFTA_SET_PAD))
2871 goto nla_put_failure;
2872 if (set->gc_int &&
2873 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
2874 goto nla_put_failure;
2875
2876 if (set->policy != NFT_SET_POL_PERFORMANCE) {
2877 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
2878 goto nla_put_failure;
2879 }
2880
2881 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
2882 goto nla_put_failure;
2883
2884 desc = nla_nest_start(skb, NFTA_SET_DESC);
2885 if (desc == NULL)
2886 goto nla_put_failure;
2887 if (set->size &&
2888 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
2889 goto nla_put_failure;
2890 nla_nest_end(skb, desc);
2891
2892 nlmsg_end(skb, nlh);
2893 return 0;
2894
2895 nla_put_failure:
2896 nlmsg_trim(skb, nlh);
2897 return -1;
2898 }
2899
2900 static void nf_tables_set_notify(const struct nft_ctx *ctx,
2901 const struct nft_set *set, int event,
2902 gfp_t gfp_flags)
2903 {
2904 struct sk_buff *skb;
2905 u32 portid = ctx->portid;
2906 int err;
2907
2908 if (!ctx->report &&
2909 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2910 return;
2911
2912 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
2913 if (skb == NULL)
2914 goto err;
2915
2916 err = nf_tables_fill_set(skb, ctx, set, event, 0);
2917 if (err < 0) {
2918 kfree_skb(skb);
2919 goto err;
2920 }
2921
2922 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
2923 gfp_flags);
2924 return;
2925 err:
2926 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
2927 }
2928
2929 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
2930 {
2931 const struct nft_set *set;
2932 unsigned int idx, s_idx = cb->args[0];
2933 struct nft_af_info *afi;
2934 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
2935 struct net *net = sock_net(skb->sk);
2936 int cur_family = cb->args[3];
2937 struct nft_ctx *ctx = cb->data, ctx_set;
2938
2939 if (cb->args[1])
2940 return skb->len;
2941
2942 rcu_read_lock();
2943 cb->seq = net->nft.base_seq;
2944
2945 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
2946 if (ctx->afi && ctx->afi != afi)
2947 continue;
2948
2949 if (cur_family) {
2950 if (afi->family != cur_family)
2951 continue;
2952
2953 cur_family = 0;
2954 }
2955 list_for_each_entry_rcu(table, &afi->tables, list) {
2956 if (ctx->table && ctx->table != table)
2957 continue;
2958
2959 if (cur_table) {
2960 if (cur_table != table)
2961 continue;
2962
2963 cur_table = NULL;
2964 }
2965 idx = 0;
2966 list_for_each_entry_rcu(set, &table->sets, list) {
2967 if (idx < s_idx)
2968 goto cont;
2969 if (!nft_is_active(net, set))
2970 goto cont;
2971
2972 ctx_set = *ctx;
2973 ctx_set.table = table;
2974 ctx_set.afi = afi;
2975 if (nf_tables_fill_set(skb, &ctx_set, set,
2976 NFT_MSG_NEWSET,
2977 NLM_F_MULTI) < 0) {
2978 cb->args[0] = idx;
2979 cb->args[2] = (unsigned long) table;
2980 cb->args[3] = afi->family;
2981 goto done;
2982 }
2983 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2984 cont:
2985 idx++;
2986 }
2987 if (s_idx)
2988 s_idx = 0;
2989 }
2990 }
2991 cb->args[1] = 1;
2992 done:
2993 rcu_read_unlock();
2994 return skb->len;
2995 }
2996
2997 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
2998 {
2999 kfree(cb->data);
3000 return 0;
3001 }
3002
3003 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3004 struct sk_buff *skb, const struct nlmsghdr *nlh,
3005 const struct nlattr * const nla[],
3006 struct netlink_ext_ack *extack)
3007 {
3008 u8 genmask = nft_genmask_cur(net);
3009 const struct nft_set *set;
3010 struct nft_ctx ctx;
3011 struct sk_buff *skb2;
3012 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3013 int err;
3014
3015 /* Verify existence before starting dump */
3016 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
3017 if (err < 0)
3018 return err;
3019
3020 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3021 struct netlink_dump_control c = {
3022 .dump = nf_tables_dump_sets,
3023 .done = nf_tables_dump_sets_done,
3024 };
3025 struct nft_ctx *ctx_dump;
3026
3027 ctx_dump = kmalloc(sizeof(*ctx_dump), GFP_KERNEL);
3028 if (ctx_dump == NULL)
3029 return -ENOMEM;
3030
3031 *ctx_dump = ctx;
3032 c.data = ctx_dump;
3033
3034 return netlink_dump_start(nlsk, skb, nlh, &c);
3035 }
3036
3037 /* Only accept unspec with dump */
3038 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3039 return -EAFNOSUPPORT;
3040 if (!nla[NFTA_SET_TABLE])
3041 return -EINVAL;
3042
3043 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3044 if (IS_ERR(set))
3045 return PTR_ERR(set);
3046
3047 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
3048 if (skb2 == NULL)
3049 return -ENOMEM;
3050
3051 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3052 if (err < 0)
3053 goto err;
3054
3055 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3056
3057 err:
3058 kfree_skb(skb2);
3059 return err;
3060 }
3061
3062 static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
3063 struct nft_set_desc *desc,
3064 const struct nlattr *nla)
3065 {
3066 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3067 int err;
3068
3069 err = nla_parse_nested(da, NFTA_SET_DESC_MAX, nla,
3070 nft_set_desc_policy, NULL);
3071 if (err < 0)
3072 return err;
3073
3074 if (da[NFTA_SET_DESC_SIZE] != NULL)
3075 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3076
3077 return 0;
3078 }
3079
3080 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3081 struct sk_buff *skb, const struct nlmsghdr *nlh,
3082 const struct nlattr * const nla[],
3083 struct netlink_ext_ack *extack)
3084 {
3085 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3086 u8 genmask = nft_genmask_next(net);
3087 const struct nft_set_ops *ops;
3088 struct nft_af_info *afi;
3089 struct nft_table *table;
3090 struct nft_set *set;
3091 struct nft_ctx ctx;
3092 char *name;
3093 unsigned int size;
3094 bool create;
3095 u64 timeout;
3096 u32 ktype, dtype, flags, policy, gc_int, objtype;
3097 struct nft_set_desc desc;
3098 unsigned char *udata;
3099 u16 udlen;
3100 int err;
3101
3102 if (nla[NFTA_SET_TABLE] == NULL ||
3103 nla[NFTA_SET_NAME] == NULL ||
3104 nla[NFTA_SET_KEY_LEN] == NULL ||
3105 nla[NFTA_SET_ID] == NULL)
3106 return -EINVAL;
3107
3108 memset(&desc, 0, sizeof(desc));
3109
3110 ktype = NFT_DATA_VALUE;
3111 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3112 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3113 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3114 return -EINVAL;
3115 }
3116
3117 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3118 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3119 return -EINVAL;
3120
3121 flags = 0;
3122 if (nla[NFTA_SET_FLAGS] != NULL) {
3123 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3124 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3125 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3126 NFT_SET_MAP | NFT_SET_EVAL |
3127 NFT_SET_OBJECT))
3128 return -EINVAL;
3129 /* Only one of these operations is supported */
3130 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
3131 (NFT_SET_MAP | NFT_SET_OBJECT))
3132 return -EOPNOTSUPP;
3133 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3134 (NFT_SET_EVAL | NFT_SET_OBJECT))
3135 return -EOPNOTSUPP;
3136 }
3137
3138 dtype = 0;
3139 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3140 if (!(flags & NFT_SET_MAP))
3141 return -EINVAL;
3142
3143 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3144 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3145 dtype != NFT_DATA_VERDICT)
3146 return -EINVAL;
3147
3148 if (dtype != NFT_DATA_VERDICT) {
3149 if (nla[NFTA_SET_DATA_LEN] == NULL)
3150 return -EINVAL;
3151 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3152 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3153 return -EINVAL;
3154 } else
3155 desc.dlen = sizeof(struct nft_verdict);
3156 } else if (flags & NFT_SET_MAP)
3157 return -EINVAL;
3158
3159 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3160 if (!(flags & NFT_SET_OBJECT))
3161 return -EINVAL;
3162
3163 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3164 if (objtype == NFT_OBJECT_UNSPEC ||
3165 objtype > NFT_OBJECT_MAX)
3166 return -EINVAL;
3167 } else if (flags & NFT_SET_OBJECT)
3168 return -EINVAL;
3169 else
3170 objtype = NFT_OBJECT_UNSPEC;
3171
3172 timeout = 0;
3173 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3174 if (!(flags & NFT_SET_TIMEOUT))
3175 return -EINVAL;
3176 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
3177 nla[NFTA_SET_TIMEOUT])));
3178 }
3179 gc_int = 0;
3180 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3181 if (!(flags & NFT_SET_TIMEOUT))
3182 return -EINVAL;
3183 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3184 }
3185
3186 policy = NFT_SET_POL_PERFORMANCE;
3187 if (nla[NFTA_SET_POLICY] != NULL)
3188 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3189
3190 if (nla[NFTA_SET_DESC] != NULL) {
3191 err = nf_tables_set_desc_parse(&ctx, &desc, nla[NFTA_SET_DESC]);
3192 if (err < 0)
3193 return err;
3194 }
3195
3196 create = nlh->nlmsg_flags & NLM_F_CREATE ? true : false;
3197
3198 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, create);
3199 if (IS_ERR(afi))
3200 return PTR_ERR(afi);
3201
3202 table = nf_tables_table_lookup(afi, nla[NFTA_SET_TABLE], genmask);
3203 if (IS_ERR(table))
3204 return PTR_ERR(table);
3205
3206 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
3207
3208 set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3209 if (IS_ERR(set)) {
3210 if (PTR_ERR(set) != -ENOENT)
3211 return PTR_ERR(set);
3212 } else {
3213 if (nlh->nlmsg_flags & NLM_F_EXCL)
3214 return -EEXIST;
3215 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3216 return -EOPNOTSUPP;
3217 return 0;
3218 }
3219
3220 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3221 return -ENOENT;
3222
3223 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3224 if (IS_ERR(ops))
3225 return PTR_ERR(ops);
3226
3227 udlen = 0;
3228 if (nla[NFTA_SET_USERDATA])
3229 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3230
3231 size = 0;
3232 if (ops->privsize != NULL)
3233 size = ops->privsize(nla, &desc);
3234
3235 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3236 if (!set) {
3237 err = -ENOMEM;
3238 goto err1;
3239 }
3240
3241 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3242 if (!name) {
3243 err = -ENOMEM;
3244 goto err2;
3245 }
3246
3247 err = nf_tables_set_alloc_name(&ctx, set, name);
3248 kfree(name);
3249 if (err < 0)
3250 goto err2;
3251
3252 udata = NULL;
3253 if (udlen) {
3254 udata = set->data + size;
3255 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3256 }
3257
3258 INIT_LIST_HEAD(&set->bindings);
3259 set->ops = ops;
3260 set->ktype = ktype;
3261 set->klen = desc.klen;
3262 set->dtype = dtype;
3263 set->objtype = objtype;
3264 set->dlen = desc.dlen;
3265 set->flags = flags;
3266 set->size = desc.size;
3267 set->policy = policy;
3268 set->udlen = udlen;
3269 set->udata = udata;
3270 set->timeout = timeout;
3271 set->gc_int = gc_int;
3272
3273 err = ops->init(set, &desc, nla);
3274 if (err < 0)
3275 goto err3;
3276
3277 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3278 if (err < 0)
3279 goto err4;
3280
3281 list_add_tail_rcu(&set->list, &table->sets);
3282 table->use++;
3283 return 0;
3284
3285 err4:
3286 ops->destroy(set);
3287 err3:
3288 kfree(set->name);
3289 err2:
3290 kvfree(set);
3291 err1:
3292 module_put(ops->type->owner);
3293 return err;
3294 }
3295
3296 static void nft_set_destroy(struct nft_set *set)
3297 {
3298 set->ops->destroy(set);
3299 module_put(set->ops->type->owner);
3300 kfree(set->name);
3301 kvfree(set);
3302 }
3303
3304 static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
3305 {
3306 list_del_rcu(&set->list);
3307 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
3308 nft_set_destroy(set);
3309 }
3310
3311 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3312 struct sk_buff *skb, const struct nlmsghdr *nlh,
3313 const struct nlattr * const nla[],
3314 struct netlink_ext_ack *extack)
3315 {
3316 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3317 u8 genmask = nft_genmask_next(net);
3318 struct nft_set *set;
3319 struct nft_ctx ctx;
3320 int err;
3321
3322 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3323 return -EAFNOSUPPORT;
3324 if (nla[NFTA_SET_TABLE] == NULL)
3325 return -EINVAL;
3326
3327 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, genmask);
3328 if (err < 0)
3329 return err;
3330
3331 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3332 if (IS_ERR(set))
3333 return PTR_ERR(set);
3334
3335 if (!list_empty(&set->bindings) ||
3336 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0))
3337 return -EBUSY;
3338
3339 return nft_delset(&ctx, set);
3340 }
3341
3342 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3343 struct nft_set *set,
3344 const struct nft_set_iter *iter,
3345 struct nft_set_elem *elem)
3346 {
3347 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3348 enum nft_registers dreg;
3349
3350 dreg = nft_type_to_reg(set->dtype);
3351 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3352 set->dtype == NFT_DATA_VERDICT ?
3353 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3354 set->dlen);
3355 }
3356
3357 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3358 struct nft_set_binding *binding)
3359 {
3360 struct nft_set_binding *i;
3361 struct nft_set_iter iter;
3362
3363 if (!list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS)
3364 return -EBUSY;
3365
3366 if (binding->flags & NFT_SET_MAP) {
3367 /* If the set is already bound to the same chain all
3368 * jumps are already validated for that chain.
3369 */
3370 list_for_each_entry(i, &set->bindings, list) {
3371 if (i->flags & NFT_SET_MAP &&
3372 i->chain == binding->chain)
3373 goto bind;
3374 }
3375
3376 iter.genmask = nft_genmask_next(ctx->net);
3377 iter.skip = 0;
3378 iter.count = 0;
3379 iter.err = 0;
3380 iter.fn = nf_tables_bind_check_setelem;
3381
3382 set->ops->walk(ctx, set, &iter);
3383 if (iter.err < 0)
3384 return iter.err;
3385 }
3386 bind:
3387 binding->chain = ctx->chain;
3388 list_add_tail_rcu(&binding->list, &set->bindings);
3389 return 0;
3390 }
3391 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3392
3393 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3394 struct nft_set_binding *binding)
3395 {
3396 list_del_rcu(&binding->list);
3397
3398 if (list_empty(&set->bindings) && set->flags & NFT_SET_ANONYMOUS &&
3399 nft_is_active(ctx->net, set))
3400 nf_tables_set_destroy(ctx, set);
3401 }
3402 EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
3403
3404 const struct nft_set_ext_type nft_set_ext_types[] = {
3405 [NFT_SET_EXT_KEY] = {
3406 .align = __alignof__(u32),
3407 },
3408 [NFT_SET_EXT_DATA] = {
3409 .align = __alignof__(u32),
3410 },
3411 [NFT_SET_EXT_EXPR] = {
3412 .align = __alignof__(struct nft_expr),
3413 },
3414 [NFT_SET_EXT_OBJREF] = {
3415 .len = sizeof(struct nft_object *),
3416 .align = __alignof__(struct nft_object *),
3417 },
3418 [NFT_SET_EXT_FLAGS] = {
3419 .len = sizeof(u8),
3420 .align = __alignof__(u8),
3421 },
3422 [NFT_SET_EXT_TIMEOUT] = {
3423 .len = sizeof(u64),
3424 .align = __alignof__(u64),
3425 },
3426 [NFT_SET_EXT_EXPIRATION] = {
3427 .len = sizeof(unsigned long),
3428 .align = __alignof__(unsigned long),
3429 },
3430 [NFT_SET_EXT_USERDATA] = {
3431 .len = sizeof(struct nft_userdata),
3432 .align = __alignof__(struct nft_userdata),
3433 },
3434 };
3435 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3436
3437 /*
3438 * Set elements
3439 */
3440
3441 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3442 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3443 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3444 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3445 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3446 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3447 .len = NFT_USERDATA_MAXLEN },
3448 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3449 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
3450 };
3451
3452 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3453 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3454 .len = NFT_TABLE_MAXNAMELEN - 1 },
3455 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3456 .len = NFT_SET_MAXNAMELEN - 1 },
3457 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3458 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3459 };
3460
3461 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3462 const struct sk_buff *skb,
3463 const struct nlmsghdr *nlh,
3464 const struct nlattr * const nla[],
3465 u8 genmask)
3466 {
3467 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3468 struct nft_af_info *afi;
3469 struct nft_table *table;
3470
3471 afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
3472 if (IS_ERR(afi))
3473 return PTR_ERR(afi);
3474
3475 table = nf_tables_table_lookup(afi, nla[NFTA_SET_ELEM_LIST_TABLE],
3476 genmask);
3477 if (IS_ERR(table))
3478 return PTR_ERR(table);
3479
3480 nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
3481 return 0;
3482 }
3483
3484 static int nf_tables_fill_setelem(struct sk_buff *skb,
3485 const struct nft_set *set,
3486 const struct nft_set_elem *elem)
3487 {
3488 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3489 unsigned char *b = skb_tail_pointer(skb);
3490 struct nlattr *nest;
3491
3492 nest = nla_nest_start(skb, NFTA_LIST_ELEM);
3493 if (nest == NULL)
3494 goto nla_put_failure;
3495
3496 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3497 NFT_DATA_VALUE, set->klen) < 0)
3498 goto nla_put_failure;
3499
3500 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3501 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3502 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3503 set->dlen) < 0)
3504 goto nla_put_failure;
3505
3506 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3507 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3508 goto nla_put_failure;
3509
3510 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3511 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3512 (*nft_set_ext_obj(ext))->name) < 0)
3513 goto nla_put_failure;
3514
3515 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3516 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
3517 htonl(*nft_set_ext_flags(ext))))
3518 goto nla_put_failure;
3519
3520 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
3521 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
3522 cpu_to_be64(jiffies_to_msecs(
3523 *nft_set_ext_timeout(ext))),
3524 NFTA_SET_ELEM_PAD))
3525 goto nla_put_failure;
3526
3527 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
3528 unsigned long expires, now = jiffies;
3529
3530 expires = *nft_set_ext_expiration(ext);
3531 if (time_before(now, expires))
3532 expires -= now;
3533 else
3534 expires = 0;
3535
3536 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
3537 cpu_to_be64(jiffies_to_msecs(expires)),
3538 NFTA_SET_ELEM_PAD))
3539 goto nla_put_failure;
3540 }
3541
3542 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
3543 struct nft_userdata *udata;
3544
3545 udata = nft_set_ext_userdata(ext);
3546 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
3547 udata->len + 1, udata->data))
3548 goto nla_put_failure;
3549 }
3550
3551 nla_nest_end(skb, nest);
3552 return 0;
3553
3554 nla_put_failure:
3555 nlmsg_trim(skb, b);
3556 return -EMSGSIZE;
3557 }
3558
3559 struct nft_set_dump_args {
3560 const struct netlink_callback *cb;
3561 struct nft_set_iter iter;
3562 struct sk_buff *skb;
3563 };
3564
3565 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
3566 struct nft_set *set,
3567 const struct nft_set_iter *iter,
3568 struct nft_set_elem *elem)
3569 {
3570 struct nft_set_dump_args *args;
3571
3572 args = container_of(iter, struct nft_set_dump_args, iter);
3573 return nf_tables_fill_setelem(args->skb, set, elem);
3574 }
3575
3576 struct nft_set_dump_ctx {
3577 const struct nft_set *set;
3578 struct nft_ctx ctx;
3579 };
3580
3581 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
3582 {
3583 struct nft_set_dump_ctx *dump_ctx = cb->data;
3584 struct net *net = sock_net(skb->sk);
3585 struct nft_af_info *afi;
3586 struct nft_table *table;
3587 struct nft_set *set;
3588 struct nft_set_dump_args args;
3589 bool set_found = false;
3590 struct nfgenmsg *nfmsg;
3591 struct nlmsghdr *nlh;
3592 struct nlattr *nest;
3593 u32 portid, seq;
3594 int event;
3595
3596 rcu_read_lock();
3597 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
3598 if (afi != dump_ctx->ctx.afi)
3599 continue;
3600
3601 list_for_each_entry_rcu(table, &afi->tables, list) {
3602 if (table != dump_ctx->ctx.table)
3603 continue;
3604
3605 list_for_each_entry_rcu(set, &table->sets, list) {
3606 if (set == dump_ctx->set) {
3607 set_found = true;
3608 break;
3609 }
3610 }
3611 break;
3612 }
3613 break;
3614 }
3615
3616 if (!set_found) {
3617 rcu_read_unlock();
3618 return -ENOENT;
3619 }
3620
3621 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
3622 portid = NETLINK_CB(cb->skb).portid;
3623 seq = cb->nlh->nlmsg_seq;
3624
3625 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3626 NLM_F_MULTI);
3627 if (nlh == NULL)
3628 goto nla_put_failure;
3629
3630 nfmsg = nlmsg_data(nlh);
3631 nfmsg->nfgen_family = afi->family;
3632 nfmsg->version = NFNETLINK_V0;
3633 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
3634
3635 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
3636 goto nla_put_failure;
3637 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
3638 goto nla_put_failure;
3639
3640 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3641 if (nest == NULL)
3642 goto nla_put_failure;
3643
3644 args.cb = cb;
3645 args.skb = skb;
3646 args.iter.genmask = nft_genmask_cur(net);
3647 args.iter.skip = cb->args[0];
3648 args.iter.count = 0;
3649 args.iter.err = 0;
3650 args.iter.fn = nf_tables_dump_setelem;
3651 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
3652 rcu_read_unlock();
3653
3654 nla_nest_end(skb, nest);
3655 nlmsg_end(skb, nlh);
3656
3657 if (args.iter.err && args.iter.err != -EMSGSIZE)
3658 return args.iter.err;
3659 if (args.iter.count == cb->args[0])
3660 return 0;
3661
3662 cb->args[0] = args.iter.count;
3663 return skb->len;
3664
3665 nla_put_failure:
3666 rcu_read_unlock();
3667 return -ENOSPC;
3668 }
3669
3670 static int nf_tables_dump_set_done(struct netlink_callback *cb)
3671 {
3672 kfree(cb->data);
3673 return 0;
3674 }
3675
3676 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
3677 const struct nft_ctx *ctx, u32 seq,
3678 u32 portid, int event, u16 flags,
3679 const struct nft_set *set,
3680 const struct nft_set_elem *elem)
3681 {
3682 struct nfgenmsg *nfmsg;
3683 struct nlmsghdr *nlh;
3684 struct nlattr *nest;
3685 int err;
3686
3687 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3688 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3689 flags);
3690 if (nlh == NULL)
3691 goto nla_put_failure;
3692
3693 nfmsg = nlmsg_data(nlh);
3694 nfmsg->nfgen_family = ctx->afi->family;
3695 nfmsg->version = NFNETLINK_V0;
3696 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3697
3698 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3699 goto nla_put_failure;
3700 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3701 goto nla_put_failure;
3702
3703 nest = nla_nest_start(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
3704 if (nest == NULL)
3705 goto nla_put_failure;
3706
3707 err = nf_tables_fill_setelem(skb, set, elem);
3708 if (err < 0)
3709 goto nla_put_failure;
3710
3711 nla_nest_end(skb, nest);
3712
3713 nlmsg_end(skb, nlh);
3714 return 0;
3715
3716 nla_put_failure:
3717 nlmsg_trim(skb, nlh);
3718 return -1;
3719 }
3720
3721 static int nft_setelem_parse_flags(const struct nft_set *set,
3722 const struct nlattr *attr, u32 *flags)
3723 {
3724 if (attr == NULL)
3725 return 0;
3726
3727 *flags = ntohl(nla_get_be32(attr));
3728 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
3729 return -EINVAL;
3730 if (!(set->flags & NFT_SET_INTERVAL) &&
3731 *flags & NFT_SET_ELEM_INTERVAL_END)
3732 return -EINVAL;
3733
3734 return 0;
3735 }
3736
3737 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3738 const struct nlattr *attr)
3739 {
3740 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3741 const struct nft_set_ext *ext;
3742 struct nft_data_desc desc;
3743 struct nft_set_elem elem;
3744 struct sk_buff *skb;
3745 uint32_t flags = 0;
3746 void *priv;
3747 int err;
3748
3749 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3750 nft_set_elem_policy, NULL);
3751 if (err < 0)
3752 return err;
3753
3754 if (!nla[NFTA_SET_ELEM_KEY])
3755 return -EINVAL;
3756
3757 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3758 if (err < 0)
3759 return err;
3760
3761 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
3762 nla[NFTA_SET_ELEM_KEY]);
3763 if (err < 0)
3764 return err;
3765
3766 err = -EINVAL;
3767 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
3768 return err;
3769
3770 priv = set->ops->get(ctx->net, set, &elem, flags);
3771 if (IS_ERR(priv))
3772 return PTR_ERR(priv);
3773
3774 elem.priv = priv;
3775 ext = nft_set_elem_ext(set, &elem);
3776
3777 err = -ENOMEM;
3778 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3779 if (skb == NULL)
3780 goto err1;
3781
3782 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
3783 NFT_MSG_NEWSETELEM, 0, set, &elem);
3784 if (err < 0)
3785 goto err2;
3786
3787 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
3788 /* This avoids a loop in nfnetlink. */
3789 if (err < 0)
3790 goto err1;
3791
3792 return 0;
3793 err2:
3794 kfree_skb(skb);
3795 err1:
3796 /* this avoids a loop in nfnetlink. */
3797 return err == -EAGAIN ? -ENOBUFS : err;
3798 }
3799
3800 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
3801 struct sk_buff *skb, const struct nlmsghdr *nlh,
3802 const struct nlattr * const nla[],
3803 struct netlink_ext_ack *extack)
3804 {
3805 u8 genmask = nft_genmask_cur(net);
3806 struct nft_set *set;
3807 struct nlattr *attr;
3808 struct nft_ctx ctx;
3809 int rem, err = 0;
3810
3811 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
3812 if (err < 0)
3813 return err;
3814
3815 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
3816 genmask);
3817 if (IS_ERR(set))
3818 return PTR_ERR(set);
3819
3820 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3821 struct netlink_dump_control c = {
3822 .dump = nf_tables_dump_set,
3823 .done = nf_tables_dump_set_done,
3824 };
3825 struct nft_set_dump_ctx *dump_ctx;
3826
3827 dump_ctx = kmalloc(sizeof(*dump_ctx), GFP_KERNEL);
3828 if (!dump_ctx)
3829 return -ENOMEM;
3830
3831 dump_ctx->set = set;
3832 dump_ctx->ctx = ctx;
3833
3834 c.data = dump_ctx;
3835 return netlink_dump_start(nlsk, skb, nlh, &c);
3836 }
3837
3838 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
3839 return -EINVAL;
3840
3841 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
3842 err = nft_get_set_elem(&ctx, set, attr);
3843 if (err < 0)
3844 break;
3845 }
3846
3847 return err;
3848 }
3849
3850 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
3851 const struct nft_set *set,
3852 const struct nft_set_elem *elem,
3853 int event, u16 flags)
3854 {
3855 struct net *net = ctx->net;
3856 u32 portid = ctx->portid;
3857 struct sk_buff *skb;
3858 int err;
3859
3860 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
3861 return;
3862
3863 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3864 if (skb == NULL)
3865 goto err;
3866
3867 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
3868 set, elem);
3869 if (err < 0) {
3870 kfree_skb(skb);
3871 goto err;
3872 }
3873
3874 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
3875 GFP_KERNEL);
3876 return;
3877 err:
3878 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3879 }
3880
3881 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
3882 int msg_type,
3883 struct nft_set *set)
3884 {
3885 struct nft_trans *trans;
3886
3887 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
3888 if (trans == NULL)
3889 return NULL;
3890
3891 nft_trans_elem_set(trans) = set;
3892 return trans;
3893 }
3894
3895 void *nft_set_elem_init(const struct nft_set *set,
3896 const struct nft_set_ext_tmpl *tmpl,
3897 const u32 *key, const u32 *data,
3898 u64 timeout, gfp_t gfp)
3899 {
3900 struct nft_set_ext *ext;
3901 void *elem;
3902
3903 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
3904 if (elem == NULL)
3905 return NULL;
3906
3907 ext = nft_set_elem_ext(set, elem);
3908 nft_set_ext_init(ext, tmpl);
3909
3910 memcpy(nft_set_ext_key(ext), key, set->klen);
3911 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3912 memcpy(nft_set_ext_data(ext), data, set->dlen);
3913 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION))
3914 *nft_set_ext_expiration(ext) =
3915 jiffies + timeout;
3916 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
3917 *nft_set_ext_timeout(ext) = timeout;
3918
3919 return elem;
3920 }
3921
3922 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
3923 bool destroy_expr)
3924 {
3925 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3926
3927 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
3928 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
3929 nft_data_release(nft_set_ext_data(ext), set->dtype);
3930 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3931 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3932 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
3933 (*nft_set_ext_obj(ext))->use--;
3934 kfree(elem);
3935 }
3936 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
3937
3938 /* Only called from commit path, nft_set_elem_deactivate() already deals with
3939 * the refcounting from the preparation phase.
3940 */
3941 static void nf_tables_set_elem_destroy(const struct nft_set *set, void *elem)
3942 {
3943 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
3944
3945 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
3946 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
3947 kfree(elem);
3948 }
3949
3950 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3951 const struct nlattr *attr, u32 nlmsg_flags)
3952 {
3953 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
3954 u8 genmask = nft_genmask_next(ctx->net);
3955 struct nft_data_desc d1, d2;
3956 struct nft_set_ext_tmpl tmpl;
3957 struct nft_set_ext *ext, *ext2;
3958 struct nft_set_elem elem;
3959 struct nft_set_binding *binding;
3960 struct nft_object *obj = NULL;
3961 struct nft_userdata *udata;
3962 struct nft_data data;
3963 enum nft_registers dreg;
3964 struct nft_trans *trans;
3965 u32 flags = 0;
3966 u64 timeout;
3967 u8 ulen;
3968 int err;
3969
3970 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
3971 nft_set_elem_policy, NULL);
3972 if (err < 0)
3973 return err;
3974
3975 if (nla[NFTA_SET_ELEM_KEY] == NULL)
3976 return -EINVAL;
3977
3978 nft_set_ext_prepare(&tmpl);
3979
3980 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
3981 if (err < 0)
3982 return err;
3983 if (flags != 0)
3984 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
3985
3986 if (set->flags & NFT_SET_MAP) {
3987 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
3988 !(flags & NFT_SET_ELEM_INTERVAL_END))
3989 return -EINVAL;
3990 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
3991 flags & NFT_SET_ELEM_INTERVAL_END)
3992 return -EINVAL;
3993 } else {
3994 if (nla[NFTA_SET_ELEM_DATA] != NULL)
3995 return -EINVAL;
3996 }
3997
3998 timeout = 0;
3999 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
4000 if (!(set->flags & NFT_SET_TIMEOUT))
4001 return -EINVAL;
4002 timeout = msecs_to_jiffies(be64_to_cpu(nla_get_be64(
4003 nla[NFTA_SET_ELEM_TIMEOUT])));
4004 } else if (set->flags & NFT_SET_TIMEOUT) {
4005 timeout = set->timeout;
4006 }
4007
4008 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
4009 nla[NFTA_SET_ELEM_KEY]);
4010 if (err < 0)
4011 goto err1;
4012 err = -EINVAL;
4013 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
4014 goto err2;
4015
4016 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
4017 if (timeout > 0) {
4018 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
4019 if (timeout != set->timeout)
4020 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
4021 }
4022
4023 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
4024 if (!(set->flags & NFT_SET_OBJECT)) {
4025 err = -EINVAL;
4026 goto err2;
4027 }
4028 obj = nf_tables_obj_lookup(ctx->table, nla[NFTA_SET_ELEM_OBJREF],
4029 set->objtype, genmask);
4030 if (IS_ERR(obj)) {
4031 err = PTR_ERR(obj);
4032 goto err2;
4033 }
4034 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
4035 }
4036
4037 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4038 err = nft_data_init(ctx, &data, sizeof(data), &d2,
4039 nla[NFTA_SET_ELEM_DATA]);
4040 if (err < 0)
4041 goto err2;
4042
4043 err = -EINVAL;
4044 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
4045 goto err3;
4046
4047 dreg = nft_type_to_reg(set->dtype);
4048 list_for_each_entry(binding, &set->bindings, list) {
4049 struct nft_ctx bind_ctx = {
4050 .net = ctx->net,
4051 .afi = ctx->afi,
4052 .table = ctx->table,
4053 .chain = (struct nft_chain *)binding->chain,
4054 };
4055
4056 if (!(binding->flags & NFT_SET_MAP))
4057 continue;
4058
4059 err = nft_validate_register_store(&bind_ctx, dreg,
4060 &data,
4061 d2.type, d2.len);
4062 if (err < 0)
4063 goto err3;
4064 }
4065
4066 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4067 }
4068
4069 /* The full maximum length of userdata can exceed the maximum
4070 * offset value (U8_MAX) for following extensions, therefor it
4071 * must be the last extension added.
4072 */
4073 ulen = 0;
4074 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4075 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4076 if (ulen > 0)
4077 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4078 ulen);
4079 }
4080
4081 err = -ENOMEM;
4082 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4083 timeout, GFP_KERNEL);
4084 if (elem.priv == NULL)
4085 goto err3;
4086
4087 ext = nft_set_elem_ext(set, elem.priv);
4088 if (flags)
4089 *nft_set_ext_flags(ext) = flags;
4090 if (ulen > 0) {
4091 udata = nft_set_ext_userdata(ext);
4092 udata->len = ulen - 1;
4093 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4094 }
4095 if (obj) {
4096 *nft_set_ext_obj(ext) = obj;
4097 obj->use++;
4098 }
4099
4100 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4101 if (trans == NULL)
4102 goto err4;
4103
4104 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4105 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4106 if (err) {
4107 if (err == -EEXIST) {
4108 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4109 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4110 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4111 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4112 err = -EBUSY;
4113 goto err5;
4114 }
4115 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4116 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4117 memcmp(nft_set_ext_data(ext),
4118 nft_set_ext_data(ext2), set->dlen) != 0) ||
4119 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4120 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4121 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4122 err = -EBUSY;
4123 else if (!(nlmsg_flags & NLM_F_EXCL))
4124 err = 0;
4125 }
4126 goto err5;
4127 }
4128
4129 if (set->size &&
4130 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4131 err = -ENFILE;
4132 goto err6;
4133 }
4134
4135 nft_trans_elem(trans) = elem;
4136 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4137 return 0;
4138
4139 err6:
4140 set->ops->remove(ctx->net, set, &elem);
4141 err5:
4142 kfree(trans);
4143 err4:
4144 if (obj)
4145 obj->use--;
4146 kfree(elem.priv);
4147 err3:
4148 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4149 nft_data_release(&data, d2.type);
4150 err2:
4151 nft_data_release(&elem.key.val, d1.type);
4152 err1:
4153 return err;
4154 }
4155
4156 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4157 struct sk_buff *skb, const struct nlmsghdr *nlh,
4158 const struct nlattr * const nla[],
4159 struct netlink_ext_ack *extack)
4160 {
4161 u8 genmask = nft_genmask_next(net);
4162 const struct nlattr *attr;
4163 struct nft_set *set;
4164 struct nft_ctx ctx;
4165 int rem, err = 0;
4166
4167 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4168 return -EINVAL;
4169
4170 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4171 if (err < 0)
4172 return err;
4173
4174 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4175 genmask);
4176 if (IS_ERR(set)) {
4177 if (nla[NFTA_SET_ELEM_LIST_SET_ID]) {
4178 set = nf_tables_set_lookup_byid(net,
4179 nla[NFTA_SET_ELEM_LIST_SET_ID],
4180 genmask);
4181 }
4182 if (IS_ERR(set))
4183 return PTR_ERR(set);
4184 }
4185
4186 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4187 return -EBUSY;
4188
4189 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4190 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4191 if (err < 0)
4192 break;
4193 }
4194 return err;
4195 }
4196
4197 /**
4198 * nft_data_hold - hold a nft_data item
4199 *
4200 * @data: struct nft_data to release
4201 * @type: type of data
4202 *
4203 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4204 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4205 * NFT_GOTO verdicts. This function must be called on active data objects
4206 * from the second phase of the commit protocol.
4207 */
4208 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4209 {
4210 if (type == NFT_DATA_VERDICT) {
4211 switch (data->verdict.code) {
4212 case NFT_JUMP:
4213 case NFT_GOTO:
4214 data->verdict.chain->use++;
4215 break;
4216 }
4217 }
4218 }
4219
4220 static void nft_set_elem_activate(const struct net *net,
4221 const struct nft_set *set,
4222 struct nft_set_elem *elem)
4223 {
4224 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4225
4226 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4227 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4228 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4229 (*nft_set_ext_obj(ext))->use++;
4230 }
4231
4232 static void nft_set_elem_deactivate(const struct net *net,
4233 const struct nft_set *set,
4234 struct nft_set_elem *elem)
4235 {
4236 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4237
4238 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4239 nft_data_release(nft_set_ext_data(ext), set->dtype);
4240 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4241 (*nft_set_ext_obj(ext))->use--;
4242 }
4243
4244 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4245 const struct nlattr *attr)
4246 {
4247 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4248 struct nft_set_ext_tmpl tmpl;
4249 struct nft_data_desc desc;
4250 struct nft_set_elem elem;
4251 struct nft_set_ext *ext;
4252 struct nft_trans *trans;
4253 u32 flags = 0;
4254 void *priv;
4255 int err;
4256
4257 err = nla_parse_nested(nla, NFTA_SET_ELEM_MAX, attr,
4258 nft_set_elem_policy, NULL);
4259 if (err < 0)
4260 goto err1;
4261
4262 err = -EINVAL;
4263 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4264 goto err1;
4265
4266 nft_set_ext_prepare(&tmpl);
4267
4268 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4269 if (err < 0)
4270 return err;
4271 if (flags != 0)
4272 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4273
4274 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4275 nla[NFTA_SET_ELEM_KEY]);
4276 if (err < 0)
4277 goto err1;
4278
4279 err = -EINVAL;
4280 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4281 goto err2;
4282
4283 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4284
4285 err = -ENOMEM;
4286 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4287 GFP_KERNEL);
4288 if (elem.priv == NULL)
4289 goto err2;
4290
4291 ext = nft_set_elem_ext(set, elem.priv);
4292 if (flags)
4293 *nft_set_ext_flags(ext) = flags;
4294
4295 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4296 if (trans == NULL) {
4297 err = -ENOMEM;
4298 goto err3;
4299 }
4300
4301 priv = set->ops->deactivate(ctx->net, set, &elem);
4302 if (priv == NULL) {
4303 err = -ENOENT;
4304 goto err4;
4305 }
4306 kfree(elem.priv);
4307 elem.priv = priv;
4308
4309 nft_set_elem_deactivate(ctx->net, set, &elem);
4310
4311 nft_trans_elem(trans) = elem;
4312 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4313 return 0;
4314
4315 err4:
4316 kfree(trans);
4317 err3:
4318 kfree(elem.priv);
4319 err2:
4320 nft_data_release(&elem.key.val, desc.type);
4321 err1:
4322 return err;
4323 }
4324
4325 static int nft_flush_set(const struct nft_ctx *ctx,
4326 struct nft_set *set,
4327 const struct nft_set_iter *iter,
4328 struct nft_set_elem *elem)
4329 {
4330 struct nft_trans *trans;
4331 int err;
4332
4333 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4334 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4335 if (!trans)
4336 return -ENOMEM;
4337
4338 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4339 err = -ENOENT;
4340 goto err1;
4341 }
4342 set->ndeact++;
4343
4344 nft_set_elem_deactivate(ctx->net, set, elem);
4345 nft_trans_elem_set(trans) = set;
4346 nft_trans_elem(trans) = *elem;
4347 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4348
4349 return 0;
4350 err1:
4351 kfree(trans);
4352 return err;
4353 }
4354
4355 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4356 struct sk_buff *skb, const struct nlmsghdr *nlh,
4357 const struct nlattr * const nla[],
4358 struct netlink_ext_ack *extack)
4359 {
4360 u8 genmask = nft_genmask_next(net);
4361 const struct nlattr *attr;
4362 struct nft_set *set;
4363 struct nft_ctx ctx;
4364 int rem, err = 0;
4365
4366 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, genmask);
4367 if (err < 0)
4368 return err;
4369
4370 set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4371 genmask);
4372 if (IS_ERR(set))
4373 return PTR_ERR(set);
4374 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4375 return -EBUSY;
4376
4377 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4378 struct nft_set_iter iter = {
4379 .genmask = genmask,
4380 .fn = nft_flush_set,
4381 };
4382 set->ops->walk(&ctx, set, &iter);
4383
4384 return iter.err;
4385 }
4386
4387 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4388 err = nft_del_setelem(&ctx, set, attr);
4389 if (err < 0)
4390 break;
4391
4392 set->ndeact++;
4393 }
4394 return err;
4395 }
4396
4397 void nft_set_gc_batch_release(struct rcu_head *rcu)
4398 {
4399 struct nft_set_gc_batch *gcb;
4400 unsigned int i;
4401
4402 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4403 for (i = 0; i < gcb->head.cnt; i++)
4404 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4405 kfree(gcb);
4406 }
4407 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4408
4409 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4410 gfp_t gfp)
4411 {
4412 struct nft_set_gc_batch *gcb;
4413
4414 gcb = kzalloc(sizeof(*gcb), gfp);
4415 if (gcb == NULL)
4416 return gcb;
4417 gcb->head.set = set;
4418 return gcb;
4419 }
4420 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4421
4422 /*
4423 * Stateful objects
4424 */
4425
4426 /**
4427 * nft_register_obj- register nf_tables stateful object type
4428 * @obj: object type
4429 *
4430 * Registers the object type for use with nf_tables. Returns zero on
4431 * success or a negative errno code otherwise.
4432 */
4433 int nft_register_obj(struct nft_object_type *obj_type)
4434 {
4435 if (obj_type->type == NFT_OBJECT_UNSPEC)
4436 return -EINVAL;
4437
4438 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4439 list_add_rcu(&obj_type->list, &nf_tables_objects);
4440 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4441 return 0;
4442 }
4443 EXPORT_SYMBOL_GPL(nft_register_obj);
4444
4445 /**
4446 * nft_unregister_obj - unregister nf_tables object type
4447 * @obj: object type
4448 *
4449 * Unregisters the object type for use with nf_tables.
4450 */
4451 void nft_unregister_obj(struct nft_object_type *obj_type)
4452 {
4453 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4454 list_del_rcu(&obj_type->list);
4455 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4456 }
4457 EXPORT_SYMBOL_GPL(nft_unregister_obj);
4458
4459 struct nft_object *nf_tables_obj_lookup(const struct nft_table *table,
4460 const struct nlattr *nla,
4461 u32 objtype, u8 genmask)
4462 {
4463 struct nft_object *obj;
4464
4465 list_for_each_entry(obj, &table->objects, list) {
4466 if (!nla_strcmp(nla, obj->name) &&
4467 objtype == obj->ops->type->type &&
4468 nft_active_genmask(obj, genmask))
4469 return obj;
4470 }
4471 return ERR_PTR(-ENOENT);
4472 }
4473 EXPORT_SYMBOL_GPL(nf_tables_obj_lookup);
4474
4475 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
4476 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
4477 .len = NFT_TABLE_MAXNAMELEN - 1 },
4478 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
4479 .len = NFT_OBJ_MAXNAMELEN - 1 },
4480 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
4481 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
4482 };
4483
4484 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
4485 const struct nft_object_type *type,
4486 const struct nlattr *attr)
4487 {
4488 struct nlattr *tb[type->maxattr + 1];
4489 const struct nft_object_ops *ops;
4490 struct nft_object *obj;
4491 int err;
4492
4493 if (attr) {
4494 err = nla_parse_nested(tb, type->maxattr, attr, type->policy,
4495 NULL);
4496 if (err < 0)
4497 goto err1;
4498 } else {
4499 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
4500 }
4501
4502 if (type->select_ops) {
4503 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
4504 if (IS_ERR(ops)) {
4505 err = PTR_ERR(ops);
4506 goto err1;
4507 }
4508 } else {
4509 ops = type->ops;
4510 }
4511
4512 err = -ENOMEM;
4513 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
4514 if (obj == NULL)
4515 goto err1;
4516
4517 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
4518 if (err < 0)
4519 goto err2;
4520
4521 obj->ops = ops;
4522
4523 return obj;
4524 err2:
4525 kfree(obj);
4526 err1:
4527 return ERR_PTR(err);
4528 }
4529
4530 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
4531 struct nft_object *obj, bool reset)
4532 {
4533 struct nlattr *nest;
4534
4535 nest = nla_nest_start(skb, attr);
4536 if (!nest)
4537 goto nla_put_failure;
4538 if (obj->ops->dump(skb, obj, reset) < 0)
4539 goto nla_put_failure;
4540 nla_nest_end(skb, nest);
4541 return 0;
4542
4543 nla_put_failure:
4544 return -1;
4545 }
4546
4547 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
4548 {
4549 const struct nft_object_type *type;
4550
4551 list_for_each_entry(type, &nf_tables_objects, list) {
4552 if (objtype == type->type)
4553 return type;
4554 }
4555 return NULL;
4556 }
4557
4558 static const struct nft_object_type *nft_obj_type_get(u32 objtype)
4559 {
4560 const struct nft_object_type *type;
4561
4562 type = __nft_obj_type_get(objtype);
4563 if (type != NULL && try_module_get(type->owner))
4564 return type;
4565
4566 #ifdef CONFIG_MODULES
4567 if (type == NULL) {
4568 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4569 request_module("nft-obj-%u", objtype);
4570 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4571 if (__nft_obj_type_get(objtype))
4572 return ERR_PTR(-EAGAIN);
4573 }
4574 #endif
4575 return ERR_PTR(-ENOENT);
4576 }
4577
4578 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
4579 struct sk_buff *skb, const struct nlmsghdr *nlh,
4580 const struct nlattr * const nla[],
4581 struct netlink_ext_ack *extack)
4582 {
4583 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4584 const struct nft_object_type *type;
4585 u8 genmask = nft_genmask_next(net);
4586 int family = nfmsg->nfgen_family;
4587 struct nft_af_info *afi;
4588 struct nft_table *table;
4589 struct nft_object *obj;
4590 struct nft_ctx ctx;
4591 u32 objtype;
4592 int err;
4593
4594 if (!nla[NFTA_OBJ_TYPE] ||
4595 !nla[NFTA_OBJ_NAME] ||
4596 !nla[NFTA_OBJ_DATA])
4597 return -EINVAL;
4598
4599 afi = nf_tables_afinfo_lookup(net, family, true);
4600 if (IS_ERR(afi))
4601 return PTR_ERR(afi);
4602
4603 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4604 if (IS_ERR(table))
4605 return PTR_ERR(table);
4606
4607 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4608 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4609 if (IS_ERR(obj)) {
4610 err = PTR_ERR(obj);
4611 if (err != -ENOENT)
4612 return err;
4613
4614 } else {
4615 if (nlh->nlmsg_flags & NLM_F_EXCL)
4616 return -EEXIST;
4617
4618 return 0;
4619 }
4620
4621 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
4622
4623 type = nft_obj_type_get(objtype);
4624 if (IS_ERR(type))
4625 return PTR_ERR(type);
4626
4627 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
4628 if (IS_ERR(obj)) {
4629 err = PTR_ERR(obj);
4630 goto err1;
4631 }
4632 obj->table = table;
4633 obj->name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
4634 if (!obj->name) {
4635 err = -ENOMEM;
4636 goto err2;
4637 }
4638
4639 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
4640 if (err < 0)
4641 goto err3;
4642
4643 list_add_tail_rcu(&obj->list, &table->objects);
4644 table->use++;
4645 return 0;
4646 err3:
4647 kfree(obj->name);
4648 err2:
4649 if (obj->ops->destroy)
4650 obj->ops->destroy(obj);
4651 kfree(obj);
4652 err1:
4653 module_put(type->owner);
4654 return err;
4655 }
4656
4657 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
4658 u32 portid, u32 seq, int event, u32 flags,
4659 int family, const struct nft_table *table,
4660 struct nft_object *obj, bool reset)
4661 {
4662 struct nfgenmsg *nfmsg;
4663 struct nlmsghdr *nlh;
4664
4665 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4666 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
4667 if (nlh == NULL)
4668 goto nla_put_failure;
4669
4670 nfmsg = nlmsg_data(nlh);
4671 nfmsg->nfgen_family = family;
4672 nfmsg->version = NFNETLINK_V0;
4673 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4674
4675 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
4676 nla_put_string(skb, NFTA_OBJ_NAME, obj->name) ||
4677 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
4678 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
4679 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
4680 goto nla_put_failure;
4681
4682 nlmsg_end(skb, nlh);
4683 return 0;
4684
4685 nla_put_failure:
4686 nlmsg_trim(skb, nlh);
4687 return -1;
4688 }
4689
4690 struct nft_obj_filter {
4691 char *table;
4692 u32 type;
4693 };
4694
4695 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
4696 {
4697 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
4698 const struct nft_af_info *afi;
4699 const struct nft_table *table;
4700 unsigned int idx = 0, s_idx = cb->args[0];
4701 struct nft_obj_filter *filter = cb->data;
4702 struct net *net = sock_net(skb->sk);
4703 int family = nfmsg->nfgen_family;
4704 struct nft_object *obj;
4705 bool reset = false;
4706
4707 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4708 reset = true;
4709
4710 rcu_read_lock();
4711 cb->seq = net->nft.base_seq;
4712
4713 list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
4714 if (family != NFPROTO_UNSPEC && family != afi->family)
4715 continue;
4716
4717 list_for_each_entry_rcu(table, &afi->tables, list) {
4718 list_for_each_entry_rcu(obj, &table->objects, list) {
4719 if (!nft_is_active(net, obj))
4720 goto cont;
4721 if (idx < s_idx)
4722 goto cont;
4723 if (idx > s_idx)
4724 memset(&cb->args[1], 0,
4725 sizeof(cb->args) - sizeof(cb->args[0]));
4726 if (filter && filter->table &&
4727 strcmp(filter->table, table->name))
4728 goto cont;
4729 if (filter &&
4730 filter->type != NFT_OBJECT_UNSPEC &&
4731 obj->ops->type->type != filter->type)
4732 goto cont;
4733
4734 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
4735 cb->nlh->nlmsg_seq,
4736 NFT_MSG_NEWOBJ,
4737 NLM_F_MULTI | NLM_F_APPEND,
4738 afi->family, table, obj, reset) < 0)
4739 goto done;
4740
4741 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4742 cont:
4743 idx++;
4744 }
4745 }
4746 }
4747 done:
4748 rcu_read_unlock();
4749
4750 cb->args[0] = idx;
4751 return skb->len;
4752 }
4753
4754 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
4755 {
4756 struct nft_obj_filter *filter = cb->data;
4757
4758 if (filter) {
4759 kfree(filter->table);
4760 kfree(filter);
4761 }
4762
4763 return 0;
4764 }
4765
4766 static struct nft_obj_filter *
4767 nft_obj_filter_alloc(const struct nlattr * const nla[])
4768 {
4769 struct nft_obj_filter *filter;
4770
4771 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
4772 if (!filter)
4773 return ERR_PTR(-ENOMEM);
4774
4775 if (nla[NFTA_OBJ_TABLE]) {
4776 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_KERNEL);
4777 if (!filter->table) {
4778 kfree(filter);
4779 return ERR_PTR(-ENOMEM);
4780 }
4781 }
4782 if (nla[NFTA_OBJ_TYPE])
4783 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4784
4785 return filter;
4786 }
4787
4788 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
4789 struct sk_buff *skb, const struct nlmsghdr *nlh,
4790 const struct nlattr * const nla[],
4791 struct netlink_ext_ack *extack)
4792 {
4793 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4794 u8 genmask = nft_genmask_cur(net);
4795 int family = nfmsg->nfgen_family;
4796 const struct nft_af_info *afi;
4797 const struct nft_table *table;
4798 struct nft_object *obj;
4799 struct sk_buff *skb2;
4800 bool reset = false;
4801 u32 objtype;
4802 int err;
4803
4804 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4805 struct netlink_dump_control c = {
4806 .dump = nf_tables_dump_obj,
4807 .done = nf_tables_dump_obj_done,
4808 };
4809
4810 if (nla[NFTA_OBJ_TABLE] ||
4811 nla[NFTA_OBJ_TYPE]) {
4812 struct nft_obj_filter *filter;
4813
4814 filter = nft_obj_filter_alloc(nla);
4815 if (IS_ERR(filter))
4816 return -ENOMEM;
4817
4818 c.data = filter;
4819 }
4820 return netlink_dump_start(nlsk, skb, nlh, &c);
4821 }
4822
4823 if (!nla[NFTA_OBJ_NAME] ||
4824 !nla[NFTA_OBJ_TYPE])
4825 return -EINVAL;
4826
4827 afi = nf_tables_afinfo_lookup(net, family, false);
4828 if (IS_ERR(afi))
4829 return PTR_ERR(afi);
4830
4831 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4832 if (IS_ERR(table))
4833 return PTR_ERR(table);
4834
4835 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4836 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4837 if (IS_ERR(obj))
4838 return PTR_ERR(obj);
4839
4840 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
4841 if (!skb2)
4842 return -ENOMEM;
4843
4844 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
4845 reset = true;
4846
4847 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
4848 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
4849 family, table, obj, reset);
4850 if (err < 0)
4851 goto err;
4852
4853 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4854 err:
4855 kfree_skb(skb2);
4856 return err;
4857 }
4858
4859 static void nft_obj_destroy(struct nft_object *obj)
4860 {
4861 if (obj->ops->destroy)
4862 obj->ops->destroy(obj);
4863
4864 module_put(obj->ops->type->owner);
4865 kfree(obj->name);
4866 kfree(obj);
4867 }
4868
4869 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
4870 struct sk_buff *skb, const struct nlmsghdr *nlh,
4871 const struct nlattr * const nla[],
4872 struct netlink_ext_ack *extack)
4873 {
4874 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4875 u8 genmask = nft_genmask_next(net);
4876 int family = nfmsg->nfgen_family;
4877 struct nft_af_info *afi;
4878 struct nft_table *table;
4879 struct nft_object *obj;
4880 struct nft_ctx ctx;
4881 u32 objtype;
4882
4883 if (!nla[NFTA_OBJ_TYPE] ||
4884 !nla[NFTA_OBJ_NAME])
4885 return -EINVAL;
4886
4887 afi = nf_tables_afinfo_lookup(net, family, true);
4888 if (IS_ERR(afi))
4889 return PTR_ERR(afi);
4890
4891 table = nf_tables_table_lookup(afi, nla[NFTA_OBJ_TABLE], genmask);
4892 if (IS_ERR(table))
4893 return PTR_ERR(table);
4894
4895 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
4896 obj = nf_tables_obj_lookup(table, nla[NFTA_OBJ_NAME], objtype, genmask);
4897 if (IS_ERR(obj))
4898 return PTR_ERR(obj);
4899 if (obj->use > 0)
4900 return -EBUSY;
4901
4902 nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
4903
4904 return nft_delobj(&ctx, obj);
4905 }
4906
4907 void nft_obj_notify(struct net *net, struct nft_table *table,
4908 struct nft_object *obj, u32 portid, u32 seq, int event,
4909 int family, int report, gfp_t gfp)
4910 {
4911 struct sk_buff *skb;
4912 int err;
4913
4914 if (!report &&
4915 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4916 return;
4917
4918 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
4919 if (skb == NULL)
4920 goto err;
4921
4922 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
4923 table, obj, false);
4924 if (err < 0) {
4925 kfree_skb(skb);
4926 goto err;
4927 }
4928
4929 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
4930 return;
4931 err:
4932 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4933 }
4934 EXPORT_SYMBOL_GPL(nft_obj_notify);
4935
4936 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
4937 struct nft_object *obj, int event)
4938 {
4939 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
4940 ctx->afi->family, ctx->report, GFP_KERNEL);
4941 }
4942
4943 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
4944 u32 portid, u32 seq)
4945 {
4946 struct nlmsghdr *nlh;
4947 struct nfgenmsg *nfmsg;
4948 char buf[TASK_COMM_LEN];
4949 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
4950
4951 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
4952 if (nlh == NULL)
4953 goto nla_put_failure;
4954
4955 nfmsg = nlmsg_data(nlh);
4956 nfmsg->nfgen_family = AF_UNSPEC;
4957 nfmsg->version = NFNETLINK_V0;
4958 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4959
4960 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
4961 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
4962 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
4963 goto nla_put_failure;
4964
4965 nlmsg_end(skb, nlh);
4966 return 0;
4967
4968 nla_put_failure:
4969 nlmsg_trim(skb, nlh);
4970 return -EMSGSIZE;
4971 }
4972
4973 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
4974 int event)
4975 {
4976 struct nlmsghdr *nlh = nlmsg_hdr(skb);
4977 struct sk_buff *skb2;
4978 int err;
4979
4980 if (nlmsg_report(nlh) &&
4981 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4982 return;
4983
4984 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4985 if (skb2 == NULL)
4986 goto err;
4987
4988 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
4989 nlh->nlmsg_seq);
4990 if (err < 0) {
4991 kfree_skb(skb2);
4992 goto err;
4993 }
4994
4995 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
4996 nlmsg_report(nlh), GFP_KERNEL);
4997 return;
4998 err:
4999 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
5000 -ENOBUFS);
5001 }
5002
5003 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
5004 struct sk_buff *skb, const struct nlmsghdr *nlh,
5005 const struct nlattr * const nla[],
5006 struct netlink_ext_ack *extack)
5007 {
5008 struct sk_buff *skb2;
5009 int err;
5010
5011 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
5012 if (skb2 == NULL)
5013 return -ENOMEM;
5014
5015 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
5016 nlh->nlmsg_seq);
5017 if (err < 0)
5018 goto err;
5019
5020 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5021 err:
5022 kfree_skb(skb2);
5023 return err;
5024 }
5025
5026 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
5027 [NFT_MSG_NEWTABLE] = {
5028 .call_batch = nf_tables_newtable,
5029 .attr_count = NFTA_TABLE_MAX,
5030 .policy = nft_table_policy,
5031 },
5032 [NFT_MSG_GETTABLE] = {
5033 .call = nf_tables_gettable,
5034 .attr_count = NFTA_TABLE_MAX,
5035 .policy = nft_table_policy,
5036 },
5037 [NFT_MSG_DELTABLE] = {
5038 .call_batch = nf_tables_deltable,
5039 .attr_count = NFTA_TABLE_MAX,
5040 .policy = nft_table_policy,
5041 },
5042 [NFT_MSG_NEWCHAIN] = {
5043 .call_batch = nf_tables_newchain,
5044 .attr_count = NFTA_CHAIN_MAX,
5045 .policy = nft_chain_policy,
5046 },
5047 [NFT_MSG_GETCHAIN] = {
5048 .call = nf_tables_getchain,
5049 .attr_count = NFTA_CHAIN_MAX,
5050 .policy = nft_chain_policy,
5051 },
5052 [NFT_MSG_DELCHAIN] = {
5053 .call_batch = nf_tables_delchain,
5054 .attr_count = NFTA_CHAIN_MAX,
5055 .policy = nft_chain_policy,
5056 },
5057 [NFT_MSG_NEWRULE] = {
5058 .call_batch = nf_tables_newrule,
5059 .attr_count = NFTA_RULE_MAX,
5060 .policy = nft_rule_policy,
5061 },
5062 [NFT_MSG_GETRULE] = {
5063 .call = nf_tables_getrule,
5064 .attr_count = NFTA_RULE_MAX,
5065 .policy = nft_rule_policy,
5066 },
5067 [NFT_MSG_DELRULE] = {
5068 .call_batch = nf_tables_delrule,
5069 .attr_count = NFTA_RULE_MAX,
5070 .policy = nft_rule_policy,
5071 },
5072 [NFT_MSG_NEWSET] = {
5073 .call_batch = nf_tables_newset,
5074 .attr_count = NFTA_SET_MAX,
5075 .policy = nft_set_policy,
5076 },
5077 [NFT_MSG_GETSET] = {
5078 .call = nf_tables_getset,
5079 .attr_count = NFTA_SET_MAX,
5080 .policy = nft_set_policy,
5081 },
5082 [NFT_MSG_DELSET] = {
5083 .call_batch = nf_tables_delset,
5084 .attr_count = NFTA_SET_MAX,
5085 .policy = nft_set_policy,
5086 },
5087 [NFT_MSG_NEWSETELEM] = {
5088 .call_batch = nf_tables_newsetelem,
5089 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5090 .policy = nft_set_elem_list_policy,
5091 },
5092 [NFT_MSG_GETSETELEM] = {
5093 .call = nf_tables_getsetelem,
5094 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5095 .policy = nft_set_elem_list_policy,
5096 },
5097 [NFT_MSG_DELSETELEM] = {
5098 .call_batch = nf_tables_delsetelem,
5099 .attr_count = NFTA_SET_ELEM_LIST_MAX,
5100 .policy = nft_set_elem_list_policy,
5101 },
5102 [NFT_MSG_GETGEN] = {
5103 .call = nf_tables_getgen,
5104 },
5105 [NFT_MSG_NEWOBJ] = {
5106 .call_batch = nf_tables_newobj,
5107 .attr_count = NFTA_OBJ_MAX,
5108 .policy = nft_obj_policy,
5109 },
5110 [NFT_MSG_GETOBJ] = {
5111 .call = nf_tables_getobj,
5112 .attr_count = NFTA_OBJ_MAX,
5113 .policy = nft_obj_policy,
5114 },
5115 [NFT_MSG_DELOBJ] = {
5116 .call_batch = nf_tables_delobj,
5117 .attr_count = NFTA_OBJ_MAX,
5118 .policy = nft_obj_policy,
5119 },
5120 [NFT_MSG_GETOBJ_RESET] = {
5121 .call = nf_tables_getobj,
5122 .attr_count = NFTA_OBJ_MAX,
5123 .policy = nft_obj_policy,
5124 },
5125 };
5126
5127 static void nft_chain_commit_update(struct nft_trans *trans)
5128 {
5129 struct nft_base_chain *basechain;
5130
5131 if (nft_trans_chain_name(trans))
5132 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
5133
5134 if (!nft_is_base_chain(trans->ctx.chain))
5135 return;
5136
5137 basechain = nft_base_chain(trans->ctx.chain);
5138 nft_chain_stats_replace(basechain, nft_trans_chain_stats(trans));
5139
5140 switch (nft_trans_chain_policy(trans)) {
5141 case NF_DROP:
5142 case NF_ACCEPT:
5143 basechain->policy = nft_trans_chain_policy(trans);
5144 break;
5145 }
5146 }
5147
5148 static void nf_tables_commit_release(struct nft_trans *trans)
5149 {
5150 switch (trans->msg_type) {
5151 case NFT_MSG_DELTABLE:
5152 nf_tables_table_destroy(&trans->ctx);
5153 break;
5154 case NFT_MSG_NEWCHAIN:
5155 kfree(nft_trans_chain_name(trans));
5156 break;
5157 case NFT_MSG_DELCHAIN:
5158 nf_tables_chain_destroy(trans->ctx.chain);
5159 break;
5160 case NFT_MSG_DELRULE:
5161 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5162 break;
5163 case NFT_MSG_DELSET:
5164 nft_set_destroy(nft_trans_set(trans));
5165 break;
5166 case NFT_MSG_DELSETELEM:
5167 nf_tables_set_elem_destroy(nft_trans_elem_set(trans),
5168 nft_trans_elem(trans).priv);
5169 break;
5170 case NFT_MSG_DELOBJ:
5171 nft_obj_destroy(nft_trans_obj(trans));
5172 break;
5173 }
5174 kfree(trans);
5175 }
5176
5177 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
5178 {
5179 struct nft_trans *trans, *next;
5180 struct nft_trans_elem *te;
5181
5182 /* Bump generation counter, invalidate any dump in progress */
5183 while (++net->nft.base_seq == 0);
5184
5185 /* A new generation has just started */
5186 net->nft.gencursor = nft_gencursor_next(net);
5187
5188 /* Make sure all packets have left the previous generation before
5189 * purging old rules.
5190 */
5191 synchronize_rcu();
5192
5193 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5194 switch (trans->msg_type) {
5195 case NFT_MSG_NEWTABLE:
5196 if (nft_trans_table_update(trans)) {
5197 if (!nft_trans_table_enable(trans)) {
5198 nf_tables_table_disable(net,
5199 trans->ctx.afi,
5200 trans->ctx.table);
5201 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5202 }
5203 } else {
5204 nft_clear(net, trans->ctx.table);
5205 }
5206 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
5207 nft_trans_destroy(trans);
5208 break;
5209 case NFT_MSG_DELTABLE:
5210 list_del_rcu(&trans->ctx.table->list);
5211 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
5212 break;
5213 case NFT_MSG_NEWCHAIN:
5214 if (nft_trans_chain_update(trans)) {
5215 nft_chain_commit_update(trans);
5216 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
5217 /* trans destroyed after rcu grace period */
5218 } else {
5219 nft_clear(net, trans->ctx.chain);
5220 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
5221 nft_trans_destroy(trans);
5222 }
5223 break;
5224 case NFT_MSG_DELCHAIN:
5225 list_del_rcu(&trans->ctx.chain->list);
5226 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
5227 nf_tables_unregister_hooks(trans->ctx.net,
5228 trans->ctx.table,
5229 trans->ctx.chain,
5230 trans->ctx.afi->nops);
5231 break;
5232 case NFT_MSG_NEWRULE:
5233 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5234 nf_tables_rule_notify(&trans->ctx,
5235 nft_trans_rule(trans),
5236 NFT_MSG_NEWRULE);
5237 nft_trans_destroy(trans);
5238 break;
5239 case NFT_MSG_DELRULE:
5240 list_del_rcu(&nft_trans_rule(trans)->list);
5241 nf_tables_rule_notify(&trans->ctx,
5242 nft_trans_rule(trans),
5243 NFT_MSG_DELRULE);
5244 break;
5245 case NFT_MSG_NEWSET:
5246 nft_clear(net, nft_trans_set(trans));
5247 /* This avoids hitting -EBUSY when deleting the table
5248 * from the transaction.
5249 */
5250 if (nft_trans_set(trans)->flags & NFT_SET_ANONYMOUS &&
5251 !list_empty(&nft_trans_set(trans)->bindings))
5252 trans->ctx.table->use--;
5253
5254 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5255 NFT_MSG_NEWSET, GFP_KERNEL);
5256 nft_trans_destroy(trans);
5257 break;
5258 case NFT_MSG_DELSET:
5259 list_del_rcu(&nft_trans_set(trans)->list);
5260 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
5261 NFT_MSG_DELSET, GFP_KERNEL);
5262 break;
5263 case NFT_MSG_NEWSETELEM:
5264 te = (struct nft_trans_elem *)trans->data;
5265
5266 te->set->ops->activate(net, te->set, &te->elem);
5267 nf_tables_setelem_notify(&trans->ctx, te->set,
5268 &te->elem,
5269 NFT_MSG_NEWSETELEM, 0);
5270 nft_trans_destroy(trans);
5271 break;
5272 case NFT_MSG_DELSETELEM:
5273 te = (struct nft_trans_elem *)trans->data;
5274
5275 nf_tables_setelem_notify(&trans->ctx, te->set,
5276 &te->elem,
5277 NFT_MSG_DELSETELEM, 0);
5278 te->set->ops->remove(net, te->set, &te->elem);
5279 atomic_dec(&te->set->nelems);
5280 te->set->ndeact--;
5281 break;
5282 case NFT_MSG_NEWOBJ:
5283 nft_clear(net, nft_trans_obj(trans));
5284 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5285 NFT_MSG_NEWOBJ);
5286 nft_trans_destroy(trans);
5287 break;
5288 case NFT_MSG_DELOBJ:
5289 list_del_rcu(&nft_trans_obj(trans)->list);
5290 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
5291 NFT_MSG_DELOBJ);
5292 break;
5293 }
5294 }
5295
5296 synchronize_rcu();
5297
5298 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
5299 list_del(&trans->list);
5300 nf_tables_commit_release(trans);
5301 }
5302
5303 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
5304
5305 return 0;
5306 }
5307
5308 static void nf_tables_abort_release(struct nft_trans *trans)
5309 {
5310 switch (trans->msg_type) {
5311 case NFT_MSG_NEWTABLE:
5312 nf_tables_table_destroy(&trans->ctx);
5313 break;
5314 case NFT_MSG_NEWCHAIN:
5315 nf_tables_chain_destroy(trans->ctx.chain);
5316 break;
5317 case NFT_MSG_NEWRULE:
5318 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
5319 break;
5320 case NFT_MSG_NEWSET:
5321 nft_set_destroy(nft_trans_set(trans));
5322 break;
5323 case NFT_MSG_NEWSETELEM:
5324 nft_set_elem_destroy(nft_trans_elem_set(trans),
5325 nft_trans_elem(trans).priv, true);
5326 break;
5327 case NFT_MSG_NEWOBJ:
5328 nft_obj_destroy(nft_trans_obj(trans));
5329 break;
5330 }
5331 kfree(trans);
5332 }
5333
5334 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
5335 {
5336 struct nft_trans *trans, *next;
5337 struct nft_trans_elem *te;
5338
5339 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
5340 list) {
5341 switch (trans->msg_type) {
5342 case NFT_MSG_NEWTABLE:
5343 if (nft_trans_table_update(trans)) {
5344 if (nft_trans_table_enable(trans)) {
5345 nf_tables_table_disable(net,
5346 trans->ctx.afi,
5347 trans->ctx.table);
5348 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
5349 }
5350 nft_trans_destroy(trans);
5351 } else {
5352 list_del_rcu(&trans->ctx.table->list);
5353 }
5354 break;
5355 case NFT_MSG_DELTABLE:
5356 nft_clear(trans->ctx.net, trans->ctx.table);
5357 nft_trans_destroy(trans);
5358 break;
5359 case NFT_MSG_NEWCHAIN:
5360 if (nft_trans_chain_update(trans)) {
5361 free_percpu(nft_trans_chain_stats(trans));
5362 kfree(nft_trans_chain_name(trans));
5363 nft_trans_destroy(trans);
5364 } else {
5365 trans->ctx.table->use--;
5366 list_del_rcu(&trans->ctx.chain->list);
5367 nf_tables_unregister_hooks(trans->ctx.net,
5368 trans->ctx.table,
5369 trans->ctx.chain,
5370 trans->ctx.afi->nops);
5371 }
5372 break;
5373 case NFT_MSG_DELCHAIN:
5374 trans->ctx.table->use++;
5375 nft_clear(trans->ctx.net, trans->ctx.chain);
5376 nft_trans_destroy(trans);
5377 break;
5378 case NFT_MSG_NEWRULE:
5379 trans->ctx.chain->use--;
5380 list_del_rcu(&nft_trans_rule(trans)->list);
5381 nft_rule_expr_deactivate(&trans->ctx, nft_trans_rule(trans));
5382 break;
5383 case NFT_MSG_DELRULE:
5384 trans->ctx.chain->use++;
5385 nft_clear(trans->ctx.net, nft_trans_rule(trans));
5386 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
5387 nft_trans_destroy(trans);
5388 break;
5389 case NFT_MSG_NEWSET:
5390 trans->ctx.table->use--;
5391 list_del_rcu(&nft_trans_set(trans)->list);
5392 break;
5393 case NFT_MSG_DELSET:
5394 trans->ctx.table->use++;
5395 nft_clear(trans->ctx.net, nft_trans_set(trans));
5396 nft_trans_destroy(trans);
5397 break;
5398 case NFT_MSG_NEWSETELEM:
5399 te = (struct nft_trans_elem *)trans->data;
5400
5401 te->set->ops->remove(net, te->set, &te->elem);
5402 atomic_dec(&te->set->nelems);
5403 break;
5404 case NFT_MSG_DELSETELEM:
5405 te = (struct nft_trans_elem *)trans->data;
5406
5407 nft_set_elem_activate(net, te->set, &te->elem);
5408 te->set->ops->activate(net, te->set, &te->elem);
5409 te->set->ndeact--;
5410
5411 nft_trans_destroy(trans);
5412 break;
5413 case NFT_MSG_NEWOBJ:
5414 trans->ctx.table->use--;
5415 list_del_rcu(&nft_trans_obj(trans)->list);
5416 break;
5417 case NFT_MSG_DELOBJ:
5418 trans->ctx.table->use++;
5419 nft_clear(trans->ctx.net, nft_trans_obj(trans));
5420 nft_trans_destroy(trans);
5421 break;
5422 }
5423 }
5424
5425 synchronize_rcu();
5426
5427 list_for_each_entry_safe_reverse(trans, next,
5428 &net->nft.commit_list, list) {
5429 list_del(&trans->list);
5430 nf_tables_abort_release(trans);
5431 }
5432
5433 return 0;
5434 }
5435
5436 static bool nf_tables_valid_genid(struct net *net, u32 genid)
5437 {
5438 return net->nft.base_seq == genid;
5439 }
5440
5441 static const struct nfnetlink_subsystem nf_tables_subsys = {
5442 .name = "nf_tables",
5443 .subsys_id = NFNL_SUBSYS_NFTABLES,
5444 .cb_count = NFT_MSG_MAX,
5445 .cb = nf_tables_cb,
5446 .commit = nf_tables_commit,
5447 .abort = nf_tables_abort,
5448 .valid_genid = nf_tables_valid_genid,
5449 };
5450
5451 int nft_chain_validate_dependency(const struct nft_chain *chain,
5452 enum nft_chain_type type)
5453 {
5454 const struct nft_base_chain *basechain;
5455
5456 if (nft_is_base_chain(chain)) {
5457 basechain = nft_base_chain(chain);
5458 if (basechain->type->type != type)
5459 return -EOPNOTSUPP;
5460 }
5461 return 0;
5462 }
5463 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
5464
5465 int nft_chain_validate_hooks(const struct nft_chain *chain,
5466 unsigned int hook_flags)
5467 {
5468 struct nft_base_chain *basechain;
5469
5470 if (nft_is_base_chain(chain)) {
5471 basechain = nft_base_chain(chain);
5472
5473 if ((1 << basechain->ops[0].hooknum) & hook_flags)
5474 return 0;
5475
5476 return -EOPNOTSUPP;
5477 }
5478
5479 return 0;
5480 }
5481 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
5482
5483 /*
5484 * Loop detection - walk through the ruleset beginning at the destination chain
5485 * of a new jump until either the source chain is reached (loop) or all
5486 * reachable chains have been traversed.
5487 *
5488 * The loop check is performed whenever a new jump verdict is added to an
5489 * expression or verdict map or a verdict map is bound to a new chain.
5490 */
5491
5492 static int nf_tables_check_loops(const struct nft_ctx *ctx,
5493 const struct nft_chain *chain);
5494
5495 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
5496 struct nft_set *set,
5497 const struct nft_set_iter *iter,
5498 struct nft_set_elem *elem)
5499 {
5500 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5501 const struct nft_data *data;
5502
5503 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
5504 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
5505 return 0;
5506
5507 data = nft_set_ext_data(ext);
5508 switch (data->verdict.code) {
5509 case NFT_JUMP:
5510 case NFT_GOTO:
5511 return nf_tables_check_loops(ctx, data->verdict.chain);
5512 default:
5513 return 0;
5514 }
5515 }
5516
5517 static int nf_tables_check_loops(const struct nft_ctx *ctx,
5518 const struct nft_chain *chain)
5519 {
5520 const struct nft_rule *rule;
5521 const struct nft_expr *expr, *last;
5522 struct nft_set *set;
5523 struct nft_set_binding *binding;
5524 struct nft_set_iter iter;
5525
5526 if (ctx->chain == chain)
5527 return -ELOOP;
5528
5529 list_for_each_entry(rule, &chain->rules, list) {
5530 nft_rule_for_each_expr(expr, last, rule) {
5531 const struct nft_data *data = NULL;
5532 int err;
5533
5534 if (!expr->ops->validate)
5535 continue;
5536
5537 err = expr->ops->validate(ctx, expr, &data);
5538 if (err < 0)
5539 return err;
5540
5541 if (data == NULL)
5542 continue;
5543
5544 switch (data->verdict.code) {
5545 case NFT_JUMP:
5546 case NFT_GOTO:
5547 err = nf_tables_check_loops(ctx,
5548 data->verdict.chain);
5549 if (err < 0)
5550 return err;
5551 default:
5552 break;
5553 }
5554 }
5555 }
5556
5557 list_for_each_entry(set, &ctx->table->sets, list) {
5558 if (!nft_is_active_next(ctx->net, set))
5559 continue;
5560 if (!(set->flags & NFT_SET_MAP) ||
5561 set->dtype != NFT_DATA_VERDICT)
5562 continue;
5563
5564 list_for_each_entry(binding, &set->bindings, list) {
5565 if (!(binding->flags & NFT_SET_MAP) ||
5566 binding->chain != chain)
5567 continue;
5568
5569 iter.genmask = nft_genmask_next(ctx->net);
5570 iter.skip = 0;
5571 iter.count = 0;
5572 iter.err = 0;
5573 iter.fn = nf_tables_loop_check_setelem;
5574
5575 set->ops->walk(ctx, set, &iter);
5576 if (iter.err < 0)
5577 return iter.err;
5578 }
5579 }
5580
5581 return 0;
5582 }
5583
5584 /**
5585 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
5586 *
5587 * @attr: netlink attribute to fetch value from
5588 * @max: maximum value to be stored in dest
5589 * @dest: pointer to the variable
5590 *
5591 * Parse, check and store a given u32 netlink attribute into variable.
5592 * This function returns -ERANGE if the value goes over maximum value.
5593 * Otherwise a 0 is returned and the attribute value is stored in the
5594 * destination variable.
5595 */
5596 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
5597 {
5598 u32 val;
5599
5600 val = ntohl(nla_get_be32(attr));
5601 if (val > max)
5602 return -ERANGE;
5603
5604 *dest = val;
5605 return 0;
5606 }
5607 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
5608
5609 /**
5610 * nft_parse_register - parse a register value from a netlink attribute
5611 *
5612 * @attr: netlink attribute
5613 *
5614 * Parse and translate a register value from a netlink attribute.
5615 * Registers used to be 128 bit wide, these register numbers will be
5616 * mapped to the corresponding 32 bit register numbers.
5617 */
5618 unsigned int nft_parse_register(const struct nlattr *attr)
5619 {
5620 unsigned int reg;
5621
5622 reg = ntohl(nla_get_be32(attr));
5623 switch (reg) {
5624 case NFT_REG_VERDICT...NFT_REG_4:
5625 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
5626 default:
5627 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
5628 }
5629 }
5630 EXPORT_SYMBOL_GPL(nft_parse_register);
5631
5632 /**
5633 * nft_dump_register - dump a register value to a netlink attribute
5634 *
5635 * @skb: socket buffer
5636 * @attr: attribute number
5637 * @reg: register number
5638 *
5639 * Construct a netlink attribute containing the register number. For
5640 * compatibility reasons, register numbers being a multiple of 4 are
5641 * translated to the corresponding 128 bit register numbers.
5642 */
5643 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
5644 {
5645 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
5646 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
5647 else
5648 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
5649
5650 return nla_put_be32(skb, attr, htonl(reg));
5651 }
5652 EXPORT_SYMBOL_GPL(nft_dump_register);
5653
5654 /**
5655 * nft_validate_register_load - validate a load from a register
5656 *
5657 * @reg: the register number
5658 * @len: the length of the data
5659 *
5660 * Validate that the input register is one of the general purpose
5661 * registers and that the length of the load is within the bounds.
5662 */
5663 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
5664 {
5665 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
5666 return -EINVAL;
5667 if (len == 0)
5668 return -EINVAL;
5669 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
5670 return -ERANGE;
5671
5672 return 0;
5673 }
5674 EXPORT_SYMBOL_GPL(nft_validate_register_load);
5675
5676 /**
5677 * nft_validate_register_store - validate an expressions' register store
5678 *
5679 * @ctx: context of the expression performing the load
5680 * @reg: the destination register number
5681 * @data: the data to load
5682 * @type: the data type
5683 * @len: the length of the data
5684 *
5685 * Validate that a data load uses the appropriate data type for
5686 * the destination register and the length is within the bounds.
5687 * A value of NULL for the data means that its runtime gathered
5688 * data.
5689 */
5690 int nft_validate_register_store(const struct nft_ctx *ctx,
5691 enum nft_registers reg,
5692 const struct nft_data *data,
5693 enum nft_data_types type, unsigned int len)
5694 {
5695 int err;
5696
5697 switch (reg) {
5698 case NFT_REG_VERDICT:
5699 if (type != NFT_DATA_VERDICT)
5700 return -EINVAL;
5701
5702 if (data != NULL &&
5703 (data->verdict.code == NFT_GOTO ||
5704 data->verdict.code == NFT_JUMP)) {
5705 err = nf_tables_check_loops(ctx, data->verdict.chain);
5706 if (err < 0)
5707 return err;
5708
5709 if (ctx->chain->level + 1 >
5710 data->verdict.chain->level) {
5711 if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
5712 return -EMLINK;
5713 data->verdict.chain->level = ctx->chain->level + 1;
5714 }
5715 }
5716
5717 return 0;
5718 default:
5719 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
5720 return -EINVAL;
5721 if (len == 0)
5722 return -EINVAL;
5723 if (reg * NFT_REG32_SIZE + len >
5724 FIELD_SIZEOF(struct nft_regs, data))
5725 return -ERANGE;
5726
5727 if (data != NULL && type != NFT_DATA_VALUE)
5728 return -EINVAL;
5729 return 0;
5730 }
5731 }
5732 EXPORT_SYMBOL_GPL(nft_validate_register_store);
5733
5734 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
5735 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
5736 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
5737 .len = NFT_CHAIN_MAXNAMELEN - 1 },
5738 };
5739
5740 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
5741 struct nft_data_desc *desc, const struct nlattr *nla)
5742 {
5743 u8 genmask = nft_genmask_next(ctx->net);
5744 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
5745 struct nft_chain *chain;
5746 int err;
5747
5748 err = nla_parse_nested(tb, NFTA_VERDICT_MAX, nla, nft_verdict_policy,
5749 NULL);
5750 if (err < 0)
5751 return err;
5752
5753 if (!tb[NFTA_VERDICT_CODE])
5754 return -EINVAL;
5755 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
5756
5757 switch (data->verdict.code) {
5758 default:
5759 switch (data->verdict.code & NF_VERDICT_MASK) {
5760 case NF_ACCEPT:
5761 case NF_DROP:
5762 case NF_QUEUE:
5763 break;
5764 default:
5765 return -EINVAL;
5766 }
5767 /* fall through */
5768 case NFT_CONTINUE:
5769 case NFT_BREAK:
5770 case NFT_RETURN:
5771 break;
5772 case NFT_JUMP:
5773 case NFT_GOTO:
5774 if (!tb[NFTA_VERDICT_CHAIN])
5775 return -EINVAL;
5776 chain = nf_tables_chain_lookup(ctx->table,
5777 tb[NFTA_VERDICT_CHAIN], genmask);
5778 if (IS_ERR(chain))
5779 return PTR_ERR(chain);
5780 if (nft_is_base_chain(chain))
5781 return -EOPNOTSUPP;
5782
5783 chain->use++;
5784 data->verdict.chain = chain;
5785 break;
5786 }
5787
5788 desc->len = sizeof(data->verdict);
5789 desc->type = NFT_DATA_VERDICT;
5790 return 0;
5791 }
5792
5793 static void nft_verdict_uninit(const struct nft_data *data)
5794 {
5795 switch (data->verdict.code) {
5796 case NFT_JUMP:
5797 case NFT_GOTO:
5798 data->verdict.chain->use--;
5799 break;
5800 }
5801 }
5802
5803 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
5804 {
5805 struct nlattr *nest;
5806
5807 nest = nla_nest_start(skb, type);
5808 if (!nest)
5809 goto nla_put_failure;
5810
5811 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
5812 goto nla_put_failure;
5813
5814 switch (v->code) {
5815 case NFT_JUMP:
5816 case NFT_GOTO:
5817 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
5818 v->chain->name))
5819 goto nla_put_failure;
5820 }
5821 nla_nest_end(skb, nest);
5822 return 0;
5823
5824 nla_put_failure:
5825 return -1;
5826 }
5827
5828 static int nft_value_init(const struct nft_ctx *ctx,
5829 struct nft_data *data, unsigned int size,
5830 struct nft_data_desc *desc, const struct nlattr *nla)
5831 {
5832 unsigned int len;
5833
5834 len = nla_len(nla);
5835 if (len == 0)
5836 return -EINVAL;
5837 if (len > size)
5838 return -EOVERFLOW;
5839
5840 nla_memcpy(data->data, nla, len);
5841 desc->type = NFT_DATA_VALUE;
5842 desc->len = len;
5843 return 0;
5844 }
5845
5846 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
5847 unsigned int len)
5848 {
5849 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
5850 }
5851
5852 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
5853 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
5854 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
5855 };
5856
5857 /**
5858 * nft_data_init - parse nf_tables data netlink attributes
5859 *
5860 * @ctx: context of the expression using the data
5861 * @data: destination struct nft_data
5862 * @size: maximum data length
5863 * @desc: data description
5864 * @nla: netlink attribute containing data
5865 *
5866 * Parse the netlink data attributes and initialize a struct nft_data.
5867 * The type and length of data are returned in the data description.
5868 *
5869 * The caller can indicate that it only wants to accept data of type
5870 * NFT_DATA_VALUE by passing NULL for the ctx argument.
5871 */
5872 int nft_data_init(const struct nft_ctx *ctx,
5873 struct nft_data *data, unsigned int size,
5874 struct nft_data_desc *desc, const struct nlattr *nla)
5875 {
5876 struct nlattr *tb[NFTA_DATA_MAX + 1];
5877 int err;
5878
5879 err = nla_parse_nested(tb, NFTA_DATA_MAX, nla, nft_data_policy, NULL);
5880 if (err < 0)
5881 return err;
5882
5883 if (tb[NFTA_DATA_VALUE])
5884 return nft_value_init(ctx, data, size, desc,
5885 tb[NFTA_DATA_VALUE]);
5886 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
5887 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
5888 return -EINVAL;
5889 }
5890 EXPORT_SYMBOL_GPL(nft_data_init);
5891
5892 /**
5893 * nft_data_release - release a nft_data item
5894 *
5895 * @data: struct nft_data to release
5896 * @type: type of data
5897 *
5898 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
5899 * all others need to be released by calling this function.
5900 */
5901 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
5902 {
5903 if (type < NFT_DATA_VERDICT)
5904 return;
5905 switch (type) {
5906 case NFT_DATA_VERDICT:
5907 return nft_verdict_uninit(data);
5908 default:
5909 WARN_ON(1);
5910 }
5911 }
5912 EXPORT_SYMBOL_GPL(nft_data_release);
5913
5914 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
5915 enum nft_data_types type, unsigned int len)
5916 {
5917 struct nlattr *nest;
5918 int err;
5919
5920 nest = nla_nest_start(skb, attr);
5921 if (nest == NULL)
5922 return -1;
5923
5924 switch (type) {
5925 case NFT_DATA_VALUE:
5926 err = nft_value_dump(skb, data, len);
5927 break;
5928 case NFT_DATA_VERDICT:
5929 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
5930 break;
5931 default:
5932 err = -EINVAL;
5933 WARN_ON(1);
5934 }
5935
5936 nla_nest_end(skb, nest);
5937 return err;
5938 }
5939 EXPORT_SYMBOL_GPL(nft_data_dump);
5940
5941 static int __net_init nf_tables_init_net(struct net *net)
5942 {
5943 INIT_LIST_HEAD(&net->nft.af_info);
5944 INIT_LIST_HEAD(&net->nft.commit_list);
5945 net->nft.base_seq = 1;
5946 return 0;
5947 }
5948
5949 static void __net_exit nf_tables_exit_net(struct net *net)
5950 {
5951 WARN_ON_ONCE(!list_empty(&net->nft.af_info));
5952 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
5953 }
5954
5955 int __nft_release_basechain(struct nft_ctx *ctx)
5956 {
5957 struct nft_rule *rule, *nr;
5958
5959 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
5960 return 0;
5961
5962 nf_tables_unregister_hooks(ctx->net, ctx->chain->table, ctx->chain,
5963 ctx->afi->nops);
5964 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
5965 list_del(&rule->list);
5966 ctx->chain->use--;
5967 nf_tables_rule_release(ctx, rule);
5968 }
5969 list_del(&ctx->chain->list);
5970 ctx->table->use--;
5971 nf_tables_chain_destroy(ctx->chain);
5972
5973 return 0;
5974 }
5975 EXPORT_SYMBOL_GPL(__nft_release_basechain);
5976
5977 /* Called by nft_unregister_afinfo() from __net_exit path, nfnl_lock is held. */
5978 static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi)
5979 {
5980 struct nft_table *table, *nt;
5981 struct nft_chain *chain, *nc;
5982 struct nft_object *obj, *ne;
5983 struct nft_rule *rule, *nr;
5984 struct nft_set *set, *ns;
5985 struct nft_ctx ctx = {
5986 .net = net,
5987 .afi = afi,
5988 };
5989
5990 list_for_each_entry_safe(table, nt, &afi->tables, list) {
5991 list_for_each_entry(chain, &table->chains, list)
5992 nf_tables_unregister_hooks(net, table, chain,
5993 afi->nops);
5994 /* No packets are walking on these chains anymore. */
5995 ctx.table = table;
5996 list_for_each_entry(chain, &table->chains, list) {
5997 ctx.chain = chain;
5998 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
5999 list_del(&rule->list);
6000 chain->use--;
6001 nf_tables_rule_release(&ctx, rule);
6002 }
6003 }
6004 list_for_each_entry_safe(set, ns, &table->sets, list) {
6005 list_del(&set->list);
6006 table->use--;
6007 nft_set_destroy(set);
6008 }
6009 list_for_each_entry_safe(obj, ne, &table->objects, list) {
6010 list_del(&obj->list);
6011 table->use--;
6012 nft_obj_destroy(obj);
6013 }
6014 list_for_each_entry_safe(chain, nc, &table->chains, list) {
6015 list_del(&chain->list);
6016 table->use--;
6017 nf_tables_chain_destroy(chain);
6018 }
6019 list_del(&table->list);
6020 nf_tables_table_destroy(&ctx);
6021 }
6022 }
6023
6024 static struct pernet_operations nf_tables_net_ops = {
6025 .init = nf_tables_init_net,
6026 .exit = nf_tables_exit_net,
6027 };
6028
6029 static int __init nf_tables_module_init(void)
6030 {
6031 int err;
6032
6033 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
6034 GFP_KERNEL);
6035 if (info == NULL) {
6036 err = -ENOMEM;
6037 goto err1;
6038 }
6039
6040 err = nf_tables_core_module_init();
6041 if (err < 0)
6042 goto err2;
6043
6044 err = nfnetlink_subsys_register(&nf_tables_subsys);
6045 if (err < 0)
6046 goto err3;
6047
6048 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
6049 return register_pernet_subsys(&nf_tables_net_ops);
6050 err3:
6051 nf_tables_core_module_exit();
6052 err2:
6053 kfree(info);
6054 err1:
6055 return err;
6056 }
6057
6058 static void __exit nf_tables_module_exit(void)
6059 {
6060 unregister_pernet_subsys(&nf_tables_net_ops);
6061 nfnetlink_subsys_unregister(&nf_tables_subsys);
6062 rcu_barrier();
6063 nf_tables_core_module_exit();
6064 kfree(info);
6065 }
6066
6067 module_init(nf_tables_module_init);
6068 module_exit(nf_tables_module_exit);
6069
6070 MODULE_LICENSE("GPL");
6071 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
6072 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
ubuntu-bionic-kernel mirror