]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/blob - net/netfilter/nf_tables_api.c
projects / mirror_ubuntu-jammy-kernel.git / blob
? search:


e894d70b5d5f5c4d48b524def1081b9250fd716d
[mirror_ubuntu-jammy-kernel.git] / net / netfilter / nf_tables_api.c
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 *
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
6 */
7
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_flow_table.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_tables_offload.h>
23 #include <net/net_namespace.h>
24 #include <net/sock.h>
25
26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
27
28 static LIST_HEAD(nf_tables_expressions);
29 static LIST_HEAD(nf_tables_objects);
30 static LIST_HEAD(nf_tables_flowtables);
31 static LIST_HEAD(nf_tables_destroy_list);
32 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
33 static u64 table_handle;
34
35 enum {
36 NFT_VALIDATE_SKIP = 0,
37 NFT_VALIDATE_NEED,
38 NFT_VALIDATE_DO,
39 };
40
41 static struct rhltable nft_objname_ht;
42
43 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
44 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
45 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
46
47 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
48 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
49 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
50
51 static const struct rhashtable_params nft_chain_ht_params = {
52 .head_offset = offsetof(struct nft_chain, rhlhead),
53 .key_offset = offsetof(struct nft_chain, name),
54 .hashfn = nft_chain_hash,
55 .obj_hashfn = nft_chain_hash_obj,
56 .obj_cmpfn = nft_chain_hash_cmp,
57 .automatic_shrinking = true,
58 };
59
60 static const struct rhashtable_params nft_objname_ht_params = {
61 .head_offset = offsetof(struct nft_object, rhlhead),
62 .key_offset = offsetof(struct nft_object, key),
63 .hashfn = nft_objname_hash,
64 .obj_hashfn = nft_objname_hash_obj,
65 .obj_cmpfn = nft_objname_hash_cmp,
66 .automatic_shrinking = true,
67 };
68
69 struct nft_audit_data {
70 struct nft_table *table;
71 int entries;
72 int op;
73 struct list_head list;
74 };
75
76 static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types
77 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER,
78 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID,
79 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER,
80 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER,
81 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID,
82 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER,
83 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER,
84 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID,
85 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER,
86 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER,
87 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID,
88 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER,
89 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER,
90 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID,
91 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER,
92 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER,
93 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID,
94 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID,
95 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER,
96 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID,
97 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER,
98 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET,
99 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER,
100 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID,
101 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
102 };
103
104 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
105 {
106 switch (net->nft.validate_state) {
107 case NFT_VALIDATE_SKIP:
108 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
109 break;
110 case NFT_VALIDATE_NEED:
111 break;
112 case NFT_VALIDATE_DO:
113 if (new_validate_state == NFT_VALIDATE_NEED)
114 return;
115 }
116
117 net->nft.validate_state = new_validate_state;
118 }
119 static void nf_tables_trans_destroy_work(struct work_struct *w);
120 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
121
122 static void nft_ctx_init(struct nft_ctx *ctx,
123 struct net *net,
124 const struct sk_buff *skb,
125 const struct nlmsghdr *nlh,
126 u8 family,
127 struct nft_table *table,
128 struct nft_chain *chain,
129 const struct nlattr * const *nla)
130 {
131 ctx->net = net;
132 ctx->family = family;
133 ctx->level = 0;
134 ctx->table = table;
135 ctx->chain = chain;
136 ctx->nla = nla;
137 ctx->portid = NETLINK_CB(skb).portid;
138 ctx->report = nlmsg_report(nlh);
139 ctx->flags = nlh->nlmsg_flags;
140 ctx->seq = nlh->nlmsg_seq;
141 }
142
143 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
144 int msg_type, u32 size, gfp_t gfp)
145 {
146 struct nft_trans *trans;
147
148 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
149 if (trans == NULL)
150 return NULL;
151
152 trans->msg_type = msg_type;
153 trans->ctx = *ctx;
154
155 return trans;
156 }
157
158 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
159 int msg_type, u32 size)
160 {
161 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
162 }
163
164 static void nft_trans_destroy(struct nft_trans *trans)
165 {
166 list_del(&trans->list);
167 kfree(trans);
168 }
169
170 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
171 {
172 struct net *net = ctx->net;
173 struct nft_trans *trans;
174
175 if (!nft_set_is_anonymous(set))
176 return;
177
178 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
179 switch (trans->msg_type) {
180 case NFT_MSG_NEWSET:
181 if (nft_trans_set(trans) == set)
182 nft_trans_set_bound(trans) = true;
183 break;
184 case NFT_MSG_NEWSETELEM:
185 if (nft_trans_elem_set(trans) == set)
186 nft_trans_elem_set_bound(trans) = true;
187 break;
188 }
189 }
190 }
191
192 static int nft_netdev_register_hooks(struct net *net,
193 struct list_head *hook_list)
194 {
195 struct nft_hook *hook;
196 int err, j;
197
198 j = 0;
199 list_for_each_entry(hook, hook_list, list) {
200 err = nf_register_net_hook(net, &hook->ops);
201 if (err < 0)
202 goto err_register;
203
204 j++;
205 }
206 return 0;
207
208 err_register:
209 list_for_each_entry(hook, hook_list, list) {
210 if (j-- <= 0)
211 break;
212
213 nf_unregister_net_hook(net, &hook->ops);
214 }
215 return err;
216 }
217
218 static void nft_netdev_unregister_hooks(struct net *net,
219 struct list_head *hook_list)
220 {
221 struct nft_hook *hook;
222
223 list_for_each_entry(hook, hook_list, list)
224 nf_unregister_net_hook(net, &hook->ops);
225 }
226
227 static int nf_tables_register_hook(struct net *net,
228 const struct nft_table *table,
229 struct nft_chain *chain)
230 {
231 struct nft_base_chain *basechain;
232 const struct nf_hook_ops *ops;
233
234 if (table->flags & NFT_TABLE_F_DORMANT ||
235 !nft_is_base_chain(chain))
236 return 0;
237
238 basechain = nft_base_chain(chain);
239 ops = &basechain->ops;
240
241 if (basechain->type->ops_register)
242 return basechain->type->ops_register(net, ops);
243
244 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
245 return nft_netdev_register_hooks(net, &basechain->hook_list);
246
247 return nf_register_net_hook(net, &basechain->ops);
248 }
249
250 static void nf_tables_unregister_hook(struct net *net,
251 const struct nft_table *table,
252 struct nft_chain *chain)
253 {
254 struct nft_base_chain *basechain;
255 const struct nf_hook_ops *ops;
256
257 if (table->flags & NFT_TABLE_F_DORMANT ||
258 !nft_is_base_chain(chain))
259 return;
260 basechain = nft_base_chain(chain);
261 ops = &basechain->ops;
262
263 if (basechain->type->ops_unregister)
264 return basechain->type->ops_unregister(net, ops);
265
266 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
267 nft_netdev_unregister_hooks(net, &basechain->hook_list);
268 else
269 nf_unregister_net_hook(net, &basechain->ops);
270 }
271
272 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
273 {
274 struct nft_trans *trans;
275
276 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
277 if (trans == NULL)
278 return -ENOMEM;
279
280 if (msg_type == NFT_MSG_NEWTABLE)
281 nft_activate_next(ctx->net, ctx->table);
282
283 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
284 return 0;
285 }
286
287 static int nft_deltable(struct nft_ctx *ctx)
288 {
289 int err;
290
291 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
292 if (err < 0)
293 return err;
294
295 nft_deactivate_next(ctx->net, ctx->table);
296 return err;
297 }
298
299 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
300 {
301 struct nft_trans *trans;
302
303 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
304 if (trans == NULL)
305 return ERR_PTR(-ENOMEM);
306
307 if (msg_type == NFT_MSG_NEWCHAIN) {
308 nft_activate_next(ctx->net, ctx->chain);
309
310 if (ctx->nla[NFTA_CHAIN_ID]) {
311 nft_trans_chain_id(trans) =
312 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
313 }
314 }
315
316 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
317 return trans;
318 }
319
320 static int nft_delchain(struct nft_ctx *ctx)
321 {
322 struct nft_trans *trans;
323
324 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
325 if (IS_ERR(trans))
326 return PTR_ERR(trans);
327
328 ctx->table->use--;
329 nft_deactivate_next(ctx->net, ctx->chain);
330
331 return 0;
332 }
333
334 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
335 struct nft_rule *rule)
336 {
337 struct nft_expr *expr;
338
339 expr = nft_expr_first(rule);
340 while (nft_expr_more(rule, expr)) {
341 if (expr->ops->activate)
342 expr->ops->activate(ctx, expr);
343
344 expr = nft_expr_next(expr);
345 }
346 }
347
348 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
349 struct nft_rule *rule,
350 enum nft_trans_phase phase)
351 {
352 struct nft_expr *expr;
353
354 expr = nft_expr_first(rule);
355 while (nft_expr_more(rule, expr)) {
356 if (expr->ops->deactivate)
357 expr->ops->deactivate(ctx, expr, phase);
358
359 expr = nft_expr_next(expr);
360 }
361 }
362
363 static int
364 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
365 {
366 /* You cannot delete the same rule twice */
367 if (nft_is_active_next(ctx->net, rule)) {
368 nft_deactivate_next(ctx->net, rule);
369 ctx->chain->use--;
370 return 0;
371 }
372 return -ENOENT;
373 }
374
375 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
376 struct nft_rule *rule)
377 {
378 struct nft_trans *trans;
379
380 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
381 if (trans == NULL)
382 return NULL;
383
384 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
385 nft_trans_rule_id(trans) =
386 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
387 }
388 nft_trans_rule(trans) = rule;
389 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
390
391 return trans;
392 }
393
394 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
395 {
396 struct nft_flow_rule *flow;
397 struct nft_trans *trans;
398 int err;
399
400 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
401 if (trans == NULL)
402 return -ENOMEM;
403
404 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
405 flow = nft_flow_rule_create(ctx->net, rule);
406 if (IS_ERR(flow)) {
407 nft_trans_destroy(trans);
408 return PTR_ERR(flow);
409 }
410
411 nft_trans_flow_rule(trans) = flow;
412 }
413
414 err = nf_tables_delrule_deactivate(ctx, rule);
415 if (err < 0) {
416 nft_trans_destroy(trans);
417 return err;
418 }
419 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
420
421 return 0;
422 }
423
424 static int nft_delrule_by_chain(struct nft_ctx *ctx)
425 {
426 struct nft_rule *rule;
427 int err;
428
429 list_for_each_entry(rule, &ctx->chain->rules, list) {
430 if (!nft_is_active_next(ctx->net, rule))
431 continue;
432
433 err = nft_delrule(ctx, rule);
434 if (err < 0)
435 return err;
436 }
437 return 0;
438 }
439
440 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
441 struct nft_set *set)
442 {
443 struct nft_trans *trans;
444
445 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
446 if (trans == NULL)
447 return -ENOMEM;
448
449 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
450 nft_trans_set_id(trans) =
451 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
452 nft_activate_next(ctx->net, set);
453 }
454 nft_trans_set(trans) = set;
455 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
456
457 return 0;
458 }
459
460 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
461 {
462 int err;
463
464 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
465 if (err < 0)
466 return err;
467
468 nft_deactivate_next(ctx->net, set);
469 ctx->table->use--;
470
471 return err;
472 }
473
474 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
475 struct nft_object *obj)
476 {
477 struct nft_trans *trans;
478
479 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
480 if (trans == NULL)
481 return -ENOMEM;
482
483 if (msg_type == NFT_MSG_NEWOBJ)
484 nft_activate_next(ctx->net, obj);
485
486 nft_trans_obj(trans) = obj;
487 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
488
489 return 0;
490 }
491
492 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
493 {
494 int err;
495
496 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
497 if (err < 0)
498 return err;
499
500 nft_deactivate_next(ctx->net, obj);
501 ctx->table->use--;
502
503 return err;
504 }
505
506 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
507 struct nft_flowtable *flowtable)
508 {
509 struct nft_trans *trans;
510
511 trans = nft_trans_alloc(ctx, msg_type,
512 sizeof(struct nft_trans_flowtable));
513 if (trans == NULL)
514 return -ENOMEM;
515
516 if (msg_type == NFT_MSG_NEWFLOWTABLE)
517 nft_activate_next(ctx->net, flowtable);
518
519 nft_trans_flowtable(trans) = flowtable;
520 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
521
522 return 0;
523 }
524
525 static int nft_delflowtable(struct nft_ctx *ctx,
526 struct nft_flowtable *flowtable)
527 {
528 int err;
529
530 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
531 if (err < 0)
532 return err;
533
534 nft_deactivate_next(ctx->net, flowtable);
535 ctx->table->use--;
536
537 return err;
538 }
539
540 /*
541 * Tables
542 */
543
544 static struct nft_table *nft_table_lookup(const struct net *net,
545 const struct nlattr *nla,
546 u8 family, u8 genmask, u32 nlpid)
547 {
548 struct nft_table *table;
549
550 if (nla == NULL)
551 return ERR_PTR(-EINVAL);
552
553 list_for_each_entry_rcu(table, &net->nft.tables, list,
554 lockdep_is_held(&net->nft.commit_mutex)) {
555 if (!nla_strcmp(nla, table->name) &&
556 table->family == family &&
557 nft_active_genmask(table, genmask)) {
558 if (nft_table_has_owner(table) &&
559 table->nlpid != nlpid)
560 return ERR_PTR(-EPERM);
561
562 return table;
563 }
564 }
565
566 return ERR_PTR(-ENOENT);
567 }
568
569 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
570 const struct nlattr *nla,
571 u8 genmask)
572 {
573 struct nft_table *table;
574
575 list_for_each_entry(table, &net->nft.tables, list) {
576 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
577 nft_active_genmask(table, genmask))
578 return table;
579 }
580
581 return ERR_PTR(-ENOENT);
582 }
583
584 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
585 {
586 return ++table->hgenerator;
587 }
588
589 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
590
591 static const struct nft_chain_type *
592 __nft_chain_type_get(u8 family, enum nft_chain_types type)
593 {
594 if (family >= NFPROTO_NUMPROTO ||
595 type >= NFT_CHAIN_T_MAX)
596 return NULL;
597
598 return chain_type[family][type];
599 }
600
601 static const struct nft_chain_type *
602 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
603 {
604 const struct nft_chain_type *type;
605 int i;
606
607 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
608 type = __nft_chain_type_get(family, i);
609 if (!type)
610 continue;
611 if (!nla_strcmp(nla, type->name))
612 return type;
613 }
614 return NULL;
615 }
616
617 struct nft_module_request {
618 struct list_head list;
619 char module[MODULE_NAME_LEN];
620 bool done;
621 };
622
623 #ifdef CONFIG_MODULES
624 __printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
625 ...)
626 {
627 char module_name[MODULE_NAME_LEN];
628 struct nft_module_request *req;
629 va_list args;
630 int ret;
631
632 va_start(args, fmt);
633 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
634 va_end(args);
635 if (ret >= MODULE_NAME_LEN)
636 return 0;
637
638 list_for_each_entry(req, &net->nft.module_list, list) {
639 if (!strcmp(req->module, module_name)) {
640 if (req->done)
641 return 0;
642
643 /* A request to load this module already exists. */
644 return -EAGAIN;
645 }
646 }
647
648 req = kmalloc(sizeof(*req), GFP_KERNEL);
649 if (!req)
650 return -ENOMEM;
651
652 req->done = false;
653 strlcpy(req->module, module_name, MODULE_NAME_LEN);
654 list_add_tail(&req->list, &net->nft.module_list);
655
656 return -EAGAIN;
657 }
658 EXPORT_SYMBOL_GPL(nft_request_module);
659 #endif
660
661 static void lockdep_nfnl_nft_mutex_not_held(void)
662 {
663 #ifdef CONFIG_PROVE_LOCKING
664 if (debug_locks)
665 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
666 #endif
667 }
668
669 static const struct nft_chain_type *
670 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
671 u8 family, bool autoload)
672 {
673 const struct nft_chain_type *type;
674
675 type = __nf_tables_chain_type_lookup(nla, family);
676 if (type != NULL)
677 return type;
678
679 lockdep_nfnl_nft_mutex_not_held();
680 #ifdef CONFIG_MODULES
681 if (autoload) {
682 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
683 nla_len(nla),
684 (const char *)nla_data(nla)) == -EAGAIN)
685 return ERR_PTR(-EAGAIN);
686 }
687 #endif
688 return ERR_PTR(-ENOENT);
689 }
690
691 static __be16 nft_base_seq(const struct net *net)
692 {
693 return htons(net->nft.base_seq & 0xffff);
694 }
695
696 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
697 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
698 .len = NFT_TABLE_MAXNAMELEN - 1 },
699 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
700 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
701 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
702 .len = NFT_USERDATA_MAXLEN }
703 };
704
705 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
706 u32 portid, u32 seq, int event, u32 flags,
707 int family, const struct nft_table *table)
708 {
709 struct nlmsghdr *nlh;
710 struct nfgenmsg *nfmsg;
711
712 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
713 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
714 if (nlh == NULL)
715 goto nla_put_failure;
716
717 nfmsg = nlmsg_data(nlh);
718 nfmsg->nfgen_family = family;
719 nfmsg->version = NFNETLINK_V0;
720 nfmsg->res_id = nft_base_seq(net);
721
722 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
723 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
724 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
725 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
726 NFTA_TABLE_PAD))
727 goto nla_put_failure;
728 if (nft_table_has_owner(table) &&
729 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid)))
730 goto nla_put_failure;
731
732 if (table->udata) {
733 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
734 goto nla_put_failure;
735 }
736
737 nlmsg_end(skb, nlh);
738 return 0;
739
740 nla_put_failure:
741 nlmsg_trim(skb, nlh);
742 return -1;
743 }
744
745 struct nftnl_skb_parms {
746 bool report;
747 };
748 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
749
750 static void nft_notify_enqueue(struct sk_buff *skb, bool report,
751 struct list_head *notify_list)
752 {
753 NFT_CB(skb).report = report;
754 list_add_tail(&skb->list, notify_list);
755 }
756
757 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
758 {
759 struct sk_buff *skb;
760 int err;
761
762 if (!ctx->report &&
763 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
764 return;
765
766 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
767 if (skb == NULL)
768 goto err;
769
770 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
771 event, 0, ctx->family, ctx->table);
772 if (err < 0) {
773 kfree_skb(skb);
774 goto err;
775 }
776
777 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
778 return;
779 err:
780 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
781 }
782
783 static int nf_tables_dump_tables(struct sk_buff *skb,
784 struct netlink_callback *cb)
785 {
786 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
787 const struct nft_table *table;
788 unsigned int idx = 0, s_idx = cb->args[0];
789 struct net *net = sock_net(skb->sk);
790 int family = nfmsg->nfgen_family;
791
792 rcu_read_lock();
793 cb->seq = net->nft.base_seq;
794
795 list_for_each_entry_rcu(table, &net->nft.tables, list) {
796 if (family != NFPROTO_UNSPEC && family != table->family)
797 continue;
798
799 if (idx < s_idx)
800 goto cont;
801 if (idx > s_idx)
802 memset(&cb->args[1], 0,
803 sizeof(cb->args) - sizeof(cb->args[0]));
804 if (!nft_is_active(net, table))
805 continue;
806 if (nf_tables_fill_table_info(skb, net,
807 NETLINK_CB(cb->skb).portid,
808 cb->nlh->nlmsg_seq,
809 NFT_MSG_NEWTABLE, NLM_F_MULTI,
810 table->family, table) < 0)
811 goto done;
812
813 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
814 cont:
815 idx++;
816 }
817 done:
818 rcu_read_unlock();
819 cb->args[0] = idx;
820 return skb->len;
821 }
822
823 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
824 const struct nlmsghdr *nlh,
825 struct netlink_dump_control *c)
826 {
827 int err;
828
829 if (!try_module_get(THIS_MODULE))
830 return -EINVAL;
831
832 rcu_read_unlock();
833 err = netlink_dump_start(nlsk, skb, nlh, c);
834 rcu_read_lock();
835 module_put(THIS_MODULE);
836
837 return err;
838 }
839
840 /* called with rcu_read_lock held */
841 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
842 struct sk_buff *skb, const struct nlmsghdr *nlh,
843 const struct nlattr * const nla[],
844 struct netlink_ext_ack *extack)
845 {
846 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
847 u8 genmask = nft_genmask_cur(net);
848 const struct nft_table *table;
849 struct sk_buff *skb2;
850 int family = nfmsg->nfgen_family;
851 int err;
852
853 if (nlh->nlmsg_flags & NLM_F_DUMP) {
854 struct netlink_dump_control c = {
855 .dump = nf_tables_dump_tables,
856 .module = THIS_MODULE,
857 };
858
859 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
860 }
861
862 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0);
863 if (IS_ERR(table)) {
864 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
865 return PTR_ERR(table);
866 }
867
868 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
869 if (!skb2)
870 return -ENOMEM;
871
872 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
873 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
874 family, table);
875 if (err < 0)
876 goto err_fill_table_info;
877
878 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
879
880 err_fill_table_info:
881 kfree_skb(skb2);
882 return err;
883 }
884
885 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
886 {
887 struct nft_chain *chain;
888 u32 i = 0;
889
890 list_for_each_entry(chain, &table->chains, list) {
891 if (!nft_is_active_next(net, chain))
892 continue;
893 if (!nft_is_base_chain(chain))
894 continue;
895
896 if (cnt && i++ == cnt)
897 break;
898
899 nf_tables_unregister_hook(net, table, chain);
900 }
901 }
902
903 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
904 {
905 struct nft_chain *chain;
906 int err, i = 0;
907
908 list_for_each_entry(chain, &table->chains, list) {
909 if (!nft_is_active_next(net, chain))
910 continue;
911 if (!nft_is_base_chain(chain))
912 continue;
913
914 err = nf_tables_register_hook(net, table, chain);
915 if (err < 0)
916 goto err_register_hooks;
917
918 i++;
919 }
920 return 0;
921
922 err_register_hooks:
923 if (i)
924 nft_table_disable(net, table, i);
925 return err;
926 }
927
928 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
929 {
930 nft_table_disable(net, table, 0);
931 }
932
933 enum {
934 NFT_TABLE_STATE_UNCHANGED = 0,
935 NFT_TABLE_STATE_DORMANT,
936 NFT_TABLE_STATE_WAKEUP
937 };
938
939 static int nf_tables_updtable(struct nft_ctx *ctx)
940 {
941 struct nft_trans *trans;
942 u32 flags;
943 int ret = 0;
944
945 if (!ctx->nla[NFTA_TABLE_FLAGS])
946 return 0;
947
948 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
949 if (flags & ~NFT_TABLE_F_MASK)
950 return -EOPNOTSUPP;
951
952 if (flags == ctx->table->flags)
953 return 0;
954
955 if ((nft_table_has_owner(ctx->table) &&
956 !(flags & NFT_TABLE_F_OWNER)) ||
957 (!nft_table_has_owner(ctx->table) &&
958 flags & NFT_TABLE_F_OWNER))
959 return -EOPNOTSUPP;
960
961 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
962 sizeof(struct nft_trans_table));
963 if (trans == NULL)
964 return -ENOMEM;
965
966 if ((flags & NFT_TABLE_F_DORMANT) &&
967 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
968 nft_trans_table_state(trans) = NFT_TABLE_STATE_DORMANT;
969 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
970 ctx->table->flags & NFT_TABLE_F_DORMANT) {
971 ret = nf_tables_table_enable(ctx->net, ctx->table);
972 if (ret >= 0)
973 nft_trans_table_state(trans) = NFT_TABLE_STATE_WAKEUP;
974 }
975 if (ret < 0)
976 goto err;
977
978 nft_trans_table_flags(trans) = flags;
979 nft_trans_table_update(trans) = true;
980 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
981 return 0;
982 err:
983 nft_trans_destroy(trans);
984 return ret;
985 }
986
987 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
988 {
989 const char *name = data;
990
991 return jhash(name, strlen(name), seed);
992 }
993
994 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
995 {
996 const struct nft_chain *chain = data;
997
998 return nft_chain_hash(chain->name, 0, seed);
999 }
1000
1001 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
1002 const void *ptr)
1003 {
1004 const struct nft_chain *chain = ptr;
1005 const char *name = arg->key;
1006
1007 return strcmp(chain->name, name);
1008 }
1009
1010 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
1011 {
1012 const struct nft_object_hash_key *k = data;
1013
1014 seed ^= hash_ptr(k->table, 32);
1015
1016 return jhash(k->name, strlen(k->name), seed);
1017 }
1018
1019 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
1020 {
1021 const struct nft_object *obj = data;
1022
1023 return nft_objname_hash(&obj->key, 0, seed);
1024 }
1025
1026 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
1027 const void *ptr)
1028 {
1029 const struct nft_object_hash_key *k = arg->key;
1030 const struct nft_object *obj = ptr;
1031
1032 if (obj->key.table != k->table)
1033 return -1;
1034
1035 return strcmp(obj->key.name, k->name);
1036 }
1037
1038 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
1039 struct sk_buff *skb, const struct nlmsghdr *nlh,
1040 const struct nlattr * const nla[],
1041 struct netlink_ext_ack *extack)
1042 {
1043 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1044 u8 genmask = nft_genmask_next(net);
1045 int family = nfmsg->nfgen_family;
1046 const struct nlattr *attr;
1047 struct nft_table *table;
1048 struct nft_ctx ctx;
1049 u32 flags = 0;
1050 int err;
1051
1052 lockdep_assert_held(&net->nft.commit_mutex);
1053 attr = nla[NFTA_TABLE_NAME];
1054 table = nft_table_lookup(net, attr, family, genmask,
1055 NETLINK_CB(skb).portid);
1056 if (IS_ERR(table)) {
1057 if (PTR_ERR(table) != -ENOENT)
1058 return PTR_ERR(table);
1059 } else {
1060 if (nlh->nlmsg_flags & NLM_F_EXCL) {
1061 NL_SET_BAD_ATTR(extack, attr);
1062 return -EEXIST;
1063 }
1064 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1065 return -EOPNOTSUPP;
1066
1067 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
1068 return nf_tables_updtable(&ctx);
1069 }
1070
1071 if (nla[NFTA_TABLE_FLAGS]) {
1072 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1073 if (flags & ~NFT_TABLE_F_MASK)
1074 return -EOPNOTSUPP;
1075 }
1076
1077 err = -ENOMEM;
1078 table = kzalloc(sizeof(*table), GFP_KERNEL);
1079 if (table == NULL)
1080 goto err_kzalloc;
1081
1082 table->name = nla_strdup(attr, GFP_KERNEL);
1083 if (table->name == NULL)
1084 goto err_strdup;
1085
1086 if (nla[NFTA_TABLE_USERDATA]) {
1087 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL);
1088 if (table->udata == NULL)
1089 goto err_table_udata;
1090
1091 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
1092 }
1093
1094 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1095 if (err)
1096 goto err_chain_ht;
1097
1098 INIT_LIST_HEAD(&table->chains);
1099 INIT_LIST_HEAD(&table->sets);
1100 INIT_LIST_HEAD(&table->objects);
1101 INIT_LIST_HEAD(&table->flowtables);
1102 table->family = family;
1103 table->flags = flags;
1104 table->handle = ++table_handle;
1105 if (table->flags & NFT_TABLE_F_OWNER)
1106 table->nlpid = NETLINK_CB(skb).portid;
1107
1108 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
1109 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1110 if (err < 0)
1111 goto err_trans;
1112
1113 list_add_tail_rcu(&table->list, &net->nft.tables);
1114 return 0;
1115 err_trans:
1116 rhltable_destroy(&table->chains_ht);
1117 err_chain_ht:
1118 kfree(table->udata);
1119 err_table_udata:
1120 kfree(table->name);
1121 err_strdup:
1122 kfree(table);
1123 err_kzalloc:
1124 return err;
1125 }
1126
1127 static int nft_flush_table(struct nft_ctx *ctx)
1128 {
1129 struct nft_flowtable *flowtable, *nft;
1130 struct nft_chain *chain, *nc;
1131 struct nft_object *obj, *ne;
1132 struct nft_set *set, *ns;
1133 int err;
1134
1135 list_for_each_entry(chain, &ctx->table->chains, list) {
1136 if (!nft_is_active_next(ctx->net, chain))
1137 continue;
1138
1139 if (nft_chain_is_bound(chain))
1140 continue;
1141
1142 ctx->chain = chain;
1143
1144 err = nft_delrule_by_chain(ctx);
1145 if (err < 0)
1146 goto out;
1147 }
1148
1149 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1150 if (!nft_is_active_next(ctx->net, set))
1151 continue;
1152
1153 if (nft_set_is_anonymous(set) &&
1154 !list_empty(&set->bindings))
1155 continue;
1156
1157 err = nft_delset(ctx, set);
1158 if (err < 0)
1159 goto out;
1160 }
1161
1162 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1163 if (!nft_is_active_next(ctx->net, flowtable))
1164 continue;
1165
1166 err = nft_delflowtable(ctx, flowtable);
1167 if (err < 0)
1168 goto out;
1169 }
1170
1171 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1172 if (!nft_is_active_next(ctx->net, obj))
1173 continue;
1174
1175 err = nft_delobj(ctx, obj);
1176 if (err < 0)
1177 goto out;
1178 }
1179
1180 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1181 if (!nft_is_active_next(ctx->net, chain))
1182 continue;
1183
1184 if (nft_chain_is_bound(chain))
1185 continue;
1186
1187 ctx->chain = chain;
1188
1189 err = nft_delchain(ctx);
1190 if (err < 0)
1191 goto out;
1192 }
1193
1194 err = nft_deltable(ctx);
1195 out:
1196 return err;
1197 }
1198
1199 static int nft_flush(struct nft_ctx *ctx, int family)
1200 {
1201 struct nft_table *table, *nt;
1202 const struct nlattr * const *nla = ctx->nla;
1203 int err = 0;
1204
1205 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1206 if (family != AF_UNSPEC && table->family != family)
1207 continue;
1208
1209 ctx->family = table->family;
1210
1211 if (!nft_is_active_next(ctx->net, table))
1212 continue;
1213
1214 if (nft_table_has_owner(table) && table->nlpid != ctx->portid)
1215 continue;
1216
1217 if (nla[NFTA_TABLE_NAME] &&
1218 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1219 continue;
1220
1221 ctx->table = table;
1222
1223 err = nft_flush_table(ctx);
1224 if (err < 0)
1225 goto out;
1226 }
1227 out:
1228 return err;
1229 }
1230
1231 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1232 struct sk_buff *skb, const struct nlmsghdr *nlh,
1233 const struct nlattr * const nla[],
1234 struct netlink_ext_ack *extack)
1235 {
1236 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1237 u8 genmask = nft_genmask_next(net);
1238 int family = nfmsg->nfgen_family;
1239 const struct nlattr *attr;
1240 struct nft_table *table;
1241 struct nft_ctx ctx;
1242
1243 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1244 if (family == AF_UNSPEC ||
1245 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1246 return nft_flush(&ctx, family);
1247
1248 if (nla[NFTA_TABLE_HANDLE]) {
1249 attr = nla[NFTA_TABLE_HANDLE];
1250 table = nft_table_lookup_byhandle(net, attr, genmask);
1251 } else {
1252 attr = nla[NFTA_TABLE_NAME];
1253 table = nft_table_lookup(net, attr, family, genmask,
1254 NETLINK_CB(skb).portid);
1255 }
1256
1257 if (IS_ERR(table)) {
1258 NL_SET_BAD_ATTR(extack, attr);
1259 return PTR_ERR(table);
1260 }
1261
1262 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1263 table->use > 0)
1264 return -EBUSY;
1265
1266 ctx.family = family;
1267 ctx.table = table;
1268
1269 return nft_flush_table(&ctx);
1270 }
1271
1272 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1273 {
1274 if (WARN_ON(ctx->table->use > 0))
1275 return;
1276
1277 rhltable_destroy(&ctx->table->chains_ht);
1278 kfree(ctx->table->name);
1279 kfree(ctx->table->udata);
1280 kfree(ctx->table);
1281 }
1282
1283 void nft_register_chain_type(const struct nft_chain_type *ctype)
1284 {
1285 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1286 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1287 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1288 return;
1289 }
1290 chain_type[ctype->family][ctype->type] = ctype;
1291 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1292 }
1293 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1294
1295 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1296 {
1297 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1298 chain_type[ctype->family][ctype->type] = NULL;
1299 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1300 }
1301 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1302
1303 /*
1304 * Chains
1305 */
1306
1307 static struct nft_chain *
1308 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1309 {
1310 struct nft_chain *chain;
1311
1312 list_for_each_entry(chain, &table->chains, list) {
1313 if (chain->handle == handle &&
1314 nft_active_genmask(chain, genmask))
1315 return chain;
1316 }
1317
1318 return ERR_PTR(-ENOENT);
1319 }
1320
1321 static bool lockdep_commit_lock_is_held(const struct net *net)
1322 {
1323 #ifdef CONFIG_PROVE_LOCKING
1324 return lockdep_is_held(&net->nft.commit_mutex);
1325 #else
1326 return true;
1327 #endif
1328 }
1329
1330 static struct nft_chain *nft_chain_lookup(struct net *net,
1331 struct nft_table *table,
1332 const struct nlattr *nla, u8 genmask)
1333 {
1334 char search[NFT_CHAIN_MAXNAMELEN + 1];
1335 struct rhlist_head *tmp, *list;
1336 struct nft_chain *chain;
1337
1338 if (nla == NULL)
1339 return ERR_PTR(-EINVAL);
1340
1341 nla_strscpy(search, nla, sizeof(search));
1342
1343 WARN_ON(!rcu_read_lock_held() &&
1344 !lockdep_commit_lock_is_held(net));
1345
1346 chain = ERR_PTR(-ENOENT);
1347 rcu_read_lock();
1348 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1349 if (!list)
1350 goto out_unlock;
1351
1352 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1353 if (nft_active_genmask(chain, genmask))
1354 goto out_unlock;
1355 }
1356 chain = ERR_PTR(-ENOENT);
1357 out_unlock:
1358 rcu_read_unlock();
1359 return chain;
1360 }
1361
1362 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1363 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1364 .len = NFT_TABLE_MAXNAMELEN - 1 },
1365 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1366 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1367 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1368 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1369 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1370 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1371 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1372 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1373 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1374 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1375 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
1376 .len = NFT_USERDATA_MAXLEN },
1377 };
1378
1379 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1380 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1381 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1382 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1383 .len = IFNAMSIZ - 1 },
1384 };
1385
1386 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1387 {
1388 struct nft_stats *cpu_stats, total;
1389 struct nlattr *nest;
1390 unsigned int seq;
1391 u64 pkts, bytes;
1392 int cpu;
1393
1394 if (!stats)
1395 return 0;
1396
1397 memset(&total, 0, sizeof(total));
1398 for_each_possible_cpu(cpu) {
1399 cpu_stats = per_cpu_ptr(stats, cpu);
1400 do {
1401 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1402 pkts = cpu_stats->pkts;
1403 bytes = cpu_stats->bytes;
1404 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1405 total.pkts += pkts;
1406 total.bytes += bytes;
1407 }
1408 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1409 if (nest == NULL)
1410 goto nla_put_failure;
1411
1412 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1413 NFTA_COUNTER_PAD) ||
1414 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1415 NFTA_COUNTER_PAD))
1416 goto nla_put_failure;
1417
1418 nla_nest_end(skb, nest);
1419 return 0;
1420
1421 nla_put_failure:
1422 return -ENOSPC;
1423 }
1424
1425 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1426 const struct nft_base_chain *basechain)
1427 {
1428 const struct nf_hook_ops *ops = &basechain->ops;
1429 struct nft_hook *hook, *first = NULL;
1430 struct nlattr *nest, *nest_devs;
1431 int n = 0;
1432
1433 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1434 if (nest == NULL)
1435 goto nla_put_failure;
1436 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1437 goto nla_put_failure;
1438 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1439 goto nla_put_failure;
1440
1441 if (nft_base_chain_netdev(family, ops->hooknum)) {
1442 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1443 list_for_each_entry(hook, &basechain->hook_list, list) {
1444 if (!first)
1445 first = hook;
1446
1447 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1448 hook->ops.dev->name))
1449 goto nla_put_failure;
1450 n++;
1451 }
1452 nla_nest_end(skb, nest_devs);
1453
1454 if (n == 1 &&
1455 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1456 goto nla_put_failure;
1457 }
1458 nla_nest_end(skb, nest);
1459
1460 return 0;
1461 nla_put_failure:
1462 return -1;
1463 }
1464
1465 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1466 u32 portid, u32 seq, int event, u32 flags,
1467 int family, const struct nft_table *table,
1468 const struct nft_chain *chain)
1469 {
1470 struct nlmsghdr *nlh;
1471 struct nfgenmsg *nfmsg;
1472
1473 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1474 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1475 if (nlh == NULL)
1476 goto nla_put_failure;
1477
1478 nfmsg = nlmsg_data(nlh);
1479 nfmsg->nfgen_family = family;
1480 nfmsg->version = NFNETLINK_V0;
1481 nfmsg->res_id = nft_base_seq(net);
1482
1483 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1484 goto nla_put_failure;
1485 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1486 NFTA_CHAIN_PAD))
1487 goto nla_put_failure;
1488 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1489 goto nla_put_failure;
1490
1491 if (nft_is_base_chain(chain)) {
1492 const struct nft_base_chain *basechain = nft_base_chain(chain);
1493 struct nft_stats __percpu *stats;
1494
1495 if (nft_dump_basechain_hook(skb, family, basechain))
1496 goto nla_put_failure;
1497
1498 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1499 htonl(basechain->policy)))
1500 goto nla_put_failure;
1501
1502 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1503 goto nla_put_failure;
1504
1505 stats = rcu_dereference_check(basechain->stats,
1506 lockdep_commit_lock_is_held(net));
1507 if (nft_dump_stats(skb, stats))
1508 goto nla_put_failure;
1509 }
1510
1511 if (chain->flags &&
1512 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
1513 goto nla_put_failure;
1514
1515 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1516 goto nla_put_failure;
1517
1518 if (chain->udata &&
1519 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
1520 goto nla_put_failure;
1521
1522 nlmsg_end(skb, nlh);
1523 return 0;
1524
1525 nla_put_failure:
1526 nlmsg_trim(skb, nlh);
1527 return -1;
1528 }
1529
1530 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1531 {
1532 struct sk_buff *skb;
1533 int err;
1534
1535 if (!ctx->report &&
1536 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1537 return;
1538
1539 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1540 if (skb == NULL)
1541 goto err;
1542
1543 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1544 event, 0, ctx->family, ctx->table,
1545 ctx->chain);
1546 if (err < 0) {
1547 kfree_skb(skb);
1548 goto err;
1549 }
1550
1551 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
1552 return;
1553 err:
1554 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1555 }
1556
1557 static int nf_tables_dump_chains(struct sk_buff *skb,
1558 struct netlink_callback *cb)
1559 {
1560 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1561 const struct nft_table *table;
1562 const struct nft_chain *chain;
1563 unsigned int idx = 0, s_idx = cb->args[0];
1564 struct net *net = sock_net(skb->sk);
1565 int family = nfmsg->nfgen_family;
1566
1567 rcu_read_lock();
1568 cb->seq = net->nft.base_seq;
1569
1570 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1571 if (family != NFPROTO_UNSPEC && family != table->family)
1572 continue;
1573
1574 list_for_each_entry_rcu(chain, &table->chains, list) {
1575 if (idx < s_idx)
1576 goto cont;
1577 if (idx > s_idx)
1578 memset(&cb->args[1], 0,
1579 sizeof(cb->args) - sizeof(cb->args[0]));
1580 if (!nft_is_active(net, chain))
1581 continue;
1582 if (nf_tables_fill_chain_info(skb, net,
1583 NETLINK_CB(cb->skb).portid,
1584 cb->nlh->nlmsg_seq,
1585 NFT_MSG_NEWCHAIN,
1586 NLM_F_MULTI,
1587 table->family, table,
1588 chain) < 0)
1589 goto done;
1590
1591 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1592 cont:
1593 idx++;
1594 }
1595 }
1596 done:
1597 rcu_read_unlock();
1598 cb->args[0] = idx;
1599 return skb->len;
1600 }
1601
1602 /* called with rcu_read_lock held */
1603 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1604 struct sk_buff *skb, const struct nlmsghdr *nlh,
1605 const struct nlattr * const nla[],
1606 struct netlink_ext_ack *extack)
1607 {
1608 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1609 u8 genmask = nft_genmask_cur(net);
1610 const struct nft_chain *chain;
1611 struct nft_table *table;
1612 struct sk_buff *skb2;
1613 int family = nfmsg->nfgen_family;
1614 int err;
1615
1616 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1617 struct netlink_dump_control c = {
1618 .dump = nf_tables_dump_chains,
1619 .module = THIS_MODULE,
1620 };
1621
1622 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1623 }
1624
1625 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0);
1626 if (IS_ERR(table)) {
1627 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1628 return PTR_ERR(table);
1629 }
1630
1631 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1632 if (IS_ERR(chain)) {
1633 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1634 return PTR_ERR(chain);
1635 }
1636
1637 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1638 if (!skb2)
1639 return -ENOMEM;
1640
1641 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1642 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1643 family, table, chain);
1644 if (err < 0)
1645 goto err_fill_chain_info;
1646
1647 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1648
1649 err_fill_chain_info:
1650 kfree_skb(skb2);
1651 return err;
1652 }
1653
1654 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1655 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1656 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1657 };
1658
1659 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1660 {
1661 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1662 struct nft_stats __percpu *newstats;
1663 struct nft_stats *stats;
1664 int err;
1665
1666 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1667 nft_counter_policy, NULL);
1668 if (err < 0)
1669 return ERR_PTR(err);
1670
1671 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1672 return ERR_PTR(-EINVAL);
1673
1674 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1675 if (newstats == NULL)
1676 return ERR_PTR(-ENOMEM);
1677
1678 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1679 * are not exposed to userspace.
1680 */
1681 preempt_disable();
1682 stats = this_cpu_ptr(newstats);
1683 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1684 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1685 preempt_enable();
1686
1687 return newstats;
1688 }
1689
1690 static void nft_chain_stats_replace(struct nft_trans *trans)
1691 {
1692 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1693
1694 if (!nft_trans_chain_stats(trans))
1695 return;
1696
1697 nft_trans_chain_stats(trans) =
1698 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
1699 lockdep_commit_lock_is_held(trans->ctx.net));
1700
1701 if (!nft_trans_chain_stats(trans))
1702 static_branch_inc(&nft_counters_enabled);
1703 }
1704
1705 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1706 {
1707 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1708 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1709
1710 if (g0 != g1)
1711 kvfree(g1);
1712 kvfree(g0);
1713
1714 /* should be NULL either via abort or via successful commit */
1715 WARN_ON_ONCE(chain->rules_next);
1716 kvfree(chain->rules_next);
1717 }
1718
1719 void nf_tables_chain_destroy(struct nft_ctx *ctx)
1720 {
1721 struct nft_chain *chain = ctx->chain;
1722 struct nft_hook *hook, *next;
1723
1724 if (WARN_ON(chain->use > 0))
1725 return;
1726
1727 /* no concurrent access possible anymore */
1728 nf_tables_chain_free_chain_rules(chain);
1729
1730 if (nft_is_base_chain(chain)) {
1731 struct nft_base_chain *basechain = nft_base_chain(chain);
1732
1733 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
1734 list_for_each_entry_safe(hook, next,
1735 &basechain->hook_list, list) {
1736 list_del_rcu(&hook->list);
1737 kfree_rcu(hook, rcu);
1738 }
1739 }
1740 module_put(basechain->type->owner);
1741 if (rcu_access_pointer(basechain->stats)) {
1742 static_branch_dec(&nft_counters_enabled);
1743 free_percpu(rcu_dereference_raw(basechain->stats));
1744 }
1745 kfree(chain->name);
1746 kfree(chain->udata);
1747 kfree(basechain);
1748 } else {
1749 kfree(chain->name);
1750 kfree(chain->udata);
1751 kfree(chain);
1752 }
1753 }
1754
1755 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
1756 const struct nlattr *attr)
1757 {
1758 struct net_device *dev;
1759 char ifname[IFNAMSIZ];
1760 struct nft_hook *hook;
1761 int err;
1762
1763 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL);
1764 if (!hook) {
1765 err = -ENOMEM;
1766 goto err_hook_alloc;
1767 }
1768
1769 nla_strscpy(ifname, attr, IFNAMSIZ);
1770 /* nf_tables_netdev_event() is called under rtnl_mutex, this is
1771 * indirectly serializing all the other holders of the commit_mutex with
1772 * the rtnl_mutex.
1773 */
1774 dev = __dev_get_by_name(net, ifname);
1775 if (!dev) {
1776 err = -ENOENT;
1777 goto err_hook_dev;
1778 }
1779 hook->ops.dev = dev;
1780 hook->inactive = false;
1781
1782 return hook;
1783
1784 err_hook_dev:
1785 kfree(hook);
1786 err_hook_alloc:
1787 return ERR_PTR(err);
1788 }
1789
1790 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
1791 const struct nft_hook *this)
1792 {
1793 struct nft_hook *hook;
1794
1795 list_for_each_entry(hook, hook_list, list) {
1796 if (this->ops.dev == hook->ops.dev)
1797 return hook;
1798 }
1799
1800 return NULL;
1801 }
1802
1803 static int nf_tables_parse_netdev_hooks(struct net *net,
1804 const struct nlattr *attr,
1805 struct list_head *hook_list)
1806 {
1807 struct nft_hook *hook, *next;
1808 const struct nlattr *tmp;
1809 int rem, n = 0, err;
1810
1811 nla_for_each_nested(tmp, attr, rem) {
1812 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
1813 err = -EINVAL;
1814 goto err_hook;
1815 }
1816
1817 hook = nft_netdev_hook_alloc(net, tmp);
1818 if (IS_ERR(hook)) {
1819 err = PTR_ERR(hook);
1820 goto err_hook;
1821 }
1822 if (nft_hook_list_find(hook_list, hook)) {
1823 kfree(hook);
1824 err = -EEXIST;
1825 goto err_hook;
1826 }
1827 list_add_tail(&hook->list, hook_list);
1828 n++;
1829
1830 if (n == NFT_NETDEVICE_MAX) {
1831 err = -EFBIG;
1832 goto err_hook;
1833 }
1834 }
1835
1836 return 0;
1837
1838 err_hook:
1839 list_for_each_entry_safe(hook, next, hook_list, list) {
1840 list_del(&hook->list);
1841 kfree(hook);
1842 }
1843 return err;
1844 }
1845
1846 struct nft_chain_hook {
1847 u32 num;
1848 s32 priority;
1849 const struct nft_chain_type *type;
1850 struct list_head list;
1851 };
1852
1853 static int nft_chain_parse_netdev(struct net *net,
1854 struct nlattr *tb[],
1855 struct list_head *hook_list)
1856 {
1857 struct nft_hook *hook;
1858 int err;
1859
1860 if (tb[NFTA_HOOK_DEV]) {
1861 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
1862 if (IS_ERR(hook))
1863 return PTR_ERR(hook);
1864
1865 list_add_tail(&hook->list, hook_list);
1866 } else if (tb[NFTA_HOOK_DEVS]) {
1867 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
1868 hook_list);
1869 if (err < 0)
1870 return err;
1871
1872 if (list_empty(hook_list))
1873 return -EINVAL;
1874 } else {
1875 return -EINVAL;
1876 }
1877
1878 return 0;
1879 }
1880
1881 static int nft_chain_parse_hook(struct net *net,
1882 const struct nlattr * const nla[],
1883 struct nft_chain_hook *hook, u8 family,
1884 bool autoload)
1885 {
1886 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1887 const struct nft_chain_type *type;
1888 int err;
1889
1890 lockdep_assert_held(&net->nft.commit_mutex);
1891 lockdep_nfnl_nft_mutex_not_held();
1892
1893 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
1894 nla[NFTA_CHAIN_HOOK],
1895 nft_hook_policy, NULL);
1896 if (err < 0)
1897 return err;
1898
1899 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1900 ha[NFTA_HOOK_PRIORITY] == NULL)
1901 return -EINVAL;
1902
1903 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1904 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1905
1906 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
1907 if (!type)
1908 return -EOPNOTSUPP;
1909
1910 if (nla[NFTA_CHAIN_TYPE]) {
1911 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1912 family, autoload);
1913 if (IS_ERR(type))
1914 return PTR_ERR(type);
1915 }
1916 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1917 return -EOPNOTSUPP;
1918
1919 if (type->type == NFT_CHAIN_T_NAT &&
1920 hook->priority <= NF_IP_PRI_CONNTRACK)
1921 return -EOPNOTSUPP;
1922
1923 if (!try_module_get(type->owner))
1924 return -ENOENT;
1925
1926 hook->type = type;
1927
1928 INIT_LIST_HEAD(&hook->list);
1929 if (nft_base_chain_netdev(family, hook->num)) {
1930 err = nft_chain_parse_netdev(net, ha, &hook->list);
1931 if (err < 0) {
1932 module_put(type->owner);
1933 return err;
1934 }
1935 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
1936 module_put(type->owner);
1937 return -EOPNOTSUPP;
1938 }
1939
1940 return 0;
1941 }
1942
1943 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1944 {
1945 struct nft_hook *h, *next;
1946
1947 list_for_each_entry_safe(h, next, &hook->list, list) {
1948 list_del(&h->list);
1949 kfree(h);
1950 }
1951 module_put(hook->type->owner);
1952 }
1953
1954 struct nft_rules_old {
1955 struct rcu_head h;
1956 struct nft_rule **start;
1957 };
1958
1959 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1960 unsigned int alloc)
1961 {
1962 if (alloc > INT_MAX)
1963 return NULL;
1964
1965 alloc += 1; /* NULL, ends rules */
1966 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1967 return NULL;
1968
1969 alloc *= sizeof(struct nft_rule *);
1970 alloc += sizeof(struct nft_rules_old);
1971
1972 return kvmalloc(alloc, GFP_KERNEL);
1973 }
1974
1975 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
1976 const struct nft_chain_hook *hook,
1977 struct nft_chain *chain)
1978 {
1979 ops->pf = family;
1980 ops->hooknum = hook->num;
1981 ops->priority = hook->priority;
1982 ops->priv = chain;
1983 ops->hook = hook->type->hooks[ops->hooknum];
1984 }
1985
1986 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
1987 struct nft_chain_hook *hook, u32 flags)
1988 {
1989 struct nft_chain *chain;
1990 struct nft_hook *h;
1991
1992 basechain->type = hook->type;
1993 INIT_LIST_HEAD(&basechain->hook_list);
1994 chain = &basechain->chain;
1995
1996 if (nft_base_chain_netdev(family, hook->num)) {
1997 list_splice_init(&hook->list, &basechain->hook_list);
1998 list_for_each_entry(h, &basechain->hook_list, list)
1999 nft_basechain_hook_init(&h->ops, family, hook, chain);
2000
2001 basechain->ops.hooknum = hook->num;
2002 basechain->ops.priority = hook->priority;
2003 } else {
2004 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
2005 }
2006
2007 chain->flags |= NFT_CHAIN_BASE | flags;
2008 basechain->policy = NF_ACCEPT;
2009 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
2010 nft_chain_offload_priority(basechain) < 0)
2011 return -EOPNOTSUPP;
2012
2013 flow_block_init(&basechain->flow_block);
2014
2015 return 0;
2016 }
2017
2018 static int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
2019 {
2020 int err;
2021
2022 err = rhltable_insert_key(&table->chains_ht, chain->name,
2023 &chain->rhlhead, nft_chain_ht_params);
2024 if (err)
2025 return err;
2026
2027 list_add_tail_rcu(&chain->list, &table->chains);
2028
2029 return 0;
2030 }
2031
2032 static u64 chain_id;
2033
2034 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
2035 u8 policy, u32 flags)
2036 {
2037 const struct nlattr * const *nla = ctx->nla;
2038 struct nft_table *table = ctx->table;
2039 struct nft_base_chain *basechain;
2040 struct nft_stats __percpu *stats;
2041 struct net *net = ctx->net;
2042 char name[NFT_NAME_MAXLEN];
2043 struct nft_trans *trans;
2044 struct nft_chain *chain;
2045 struct nft_rule **rules;
2046 int err;
2047
2048 if (table->use == UINT_MAX)
2049 return -EOVERFLOW;
2050
2051 if (nla[NFTA_CHAIN_HOOK]) {
2052 struct nft_chain_hook hook;
2053
2054 if (flags & NFT_CHAIN_BINDING)
2055 return -EOPNOTSUPP;
2056
2057 err = nft_chain_parse_hook(net, nla, &hook, family, true);
2058 if (err < 0)
2059 return err;
2060
2061 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
2062 if (basechain == NULL) {
2063 nft_chain_release_hook(&hook);
2064 return -ENOMEM;
2065 }
2066 chain = &basechain->chain;
2067
2068 if (nla[NFTA_CHAIN_COUNTERS]) {
2069 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2070 if (IS_ERR(stats)) {
2071 nft_chain_release_hook(&hook);
2072 kfree(basechain);
2073 return PTR_ERR(stats);
2074 }
2075 rcu_assign_pointer(basechain->stats, stats);
2076 static_branch_inc(&nft_counters_enabled);
2077 }
2078
2079 err = nft_basechain_init(basechain, family, &hook, flags);
2080 if (err < 0) {
2081 nft_chain_release_hook(&hook);
2082 kfree(basechain);
2083 return err;
2084 }
2085 } else {
2086 if (flags & NFT_CHAIN_BASE)
2087 return -EINVAL;
2088 if (flags & NFT_CHAIN_HW_OFFLOAD)
2089 return -EOPNOTSUPP;
2090
2091 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
2092 if (chain == NULL)
2093 return -ENOMEM;
2094
2095 chain->flags = flags;
2096 }
2097 ctx->chain = chain;
2098
2099 INIT_LIST_HEAD(&chain->rules);
2100 chain->handle = nf_tables_alloc_handle(table);
2101 chain->table = table;
2102
2103 if (nla[NFTA_CHAIN_NAME]) {
2104 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2105 } else {
2106 if (!(flags & NFT_CHAIN_BINDING)) {
2107 err = -EINVAL;
2108 goto err_destroy_chain;
2109 }
2110
2111 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2112 chain->name = kstrdup(name, GFP_KERNEL);
2113 }
2114
2115 if (!chain->name) {
2116 err = -ENOMEM;
2117 goto err_destroy_chain;
2118 }
2119
2120 if (nla[NFTA_CHAIN_USERDATA]) {
2121 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL);
2122 if (chain->udata == NULL) {
2123 err = -ENOMEM;
2124 goto err_destroy_chain;
2125 }
2126 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
2127 }
2128
2129 rules = nf_tables_chain_alloc_rules(chain, 0);
2130 if (!rules) {
2131 err = -ENOMEM;
2132 goto err_destroy_chain;
2133 }
2134
2135 *rules = NULL;
2136 rcu_assign_pointer(chain->rules_gen_0, rules);
2137 rcu_assign_pointer(chain->rules_gen_1, rules);
2138
2139 err = nf_tables_register_hook(net, table, chain);
2140 if (err < 0)
2141 goto err_destroy_chain;
2142
2143 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2144 if (IS_ERR(trans)) {
2145 err = PTR_ERR(trans);
2146 goto err_unregister_hook;
2147 }
2148
2149 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2150 if (nft_is_base_chain(chain))
2151 nft_trans_chain_policy(trans) = policy;
2152
2153 err = nft_chain_add(table, chain);
2154 if (err < 0) {
2155 nft_trans_destroy(trans);
2156 goto err_unregister_hook;
2157 }
2158
2159 table->use++;
2160
2161 return 0;
2162 err_unregister_hook:
2163 nf_tables_unregister_hook(net, table, chain);
2164 err_destroy_chain:
2165 nf_tables_chain_destroy(ctx);
2166
2167 return err;
2168 }
2169
2170 static bool nft_hook_list_equal(struct list_head *hook_list1,
2171 struct list_head *hook_list2)
2172 {
2173 struct nft_hook *hook;
2174 int n = 0, m = 0;
2175
2176 n = 0;
2177 list_for_each_entry(hook, hook_list2, list) {
2178 if (!nft_hook_list_find(hook_list1, hook))
2179 return false;
2180
2181 n++;
2182 }
2183 list_for_each_entry(hook, hook_list1, list)
2184 m++;
2185
2186 return n == m;
2187 }
2188
2189 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2190 u32 flags, const struct nlattr *attr,
2191 struct netlink_ext_ack *extack)
2192 {
2193 const struct nlattr * const *nla = ctx->nla;
2194 struct nft_table *table = ctx->table;
2195 struct nft_chain *chain = ctx->chain;
2196 struct nft_base_chain *basechain;
2197 struct nft_stats *stats = NULL;
2198 struct nft_chain_hook hook;
2199 struct nf_hook_ops *ops;
2200 struct nft_trans *trans;
2201 int err;
2202
2203 if (chain->flags ^ flags)
2204 return -EOPNOTSUPP;
2205
2206 if (nla[NFTA_CHAIN_HOOK]) {
2207 if (!nft_is_base_chain(chain)) {
2208 NL_SET_BAD_ATTR(extack, attr);
2209 return -EEXIST;
2210 }
2211 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
2212 false);
2213 if (err < 0)
2214 return err;
2215
2216 basechain = nft_base_chain(chain);
2217 if (basechain->type != hook.type) {
2218 nft_chain_release_hook(&hook);
2219 NL_SET_BAD_ATTR(extack, attr);
2220 return -EEXIST;
2221 }
2222
2223 if (nft_base_chain_netdev(ctx->family, hook.num)) {
2224 if (!nft_hook_list_equal(&basechain->hook_list,
2225 &hook.list)) {
2226 nft_chain_release_hook(&hook);
2227 NL_SET_BAD_ATTR(extack, attr);
2228 return -EEXIST;
2229 }
2230 } else {
2231 ops = &basechain->ops;
2232 if (ops->hooknum != hook.num ||
2233 ops->priority != hook.priority) {
2234 nft_chain_release_hook(&hook);
2235 NL_SET_BAD_ATTR(extack, attr);
2236 return -EEXIST;
2237 }
2238 }
2239 nft_chain_release_hook(&hook);
2240 }
2241
2242 if (nla[NFTA_CHAIN_HANDLE] &&
2243 nla[NFTA_CHAIN_NAME]) {
2244 struct nft_chain *chain2;
2245
2246 chain2 = nft_chain_lookup(ctx->net, table,
2247 nla[NFTA_CHAIN_NAME], genmask);
2248 if (!IS_ERR(chain2)) {
2249 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2250 return -EEXIST;
2251 }
2252 }
2253
2254 if (nla[NFTA_CHAIN_COUNTERS]) {
2255 if (!nft_is_base_chain(chain))
2256 return -EOPNOTSUPP;
2257
2258 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2259 if (IS_ERR(stats))
2260 return PTR_ERR(stats);
2261 }
2262
2263 err = -ENOMEM;
2264 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2265 sizeof(struct nft_trans_chain));
2266 if (trans == NULL)
2267 goto err;
2268
2269 nft_trans_chain_stats(trans) = stats;
2270 nft_trans_chain_update(trans) = true;
2271
2272 if (nla[NFTA_CHAIN_POLICY])
2273 nft_trans_chain_policy(trans) = policy;
2274 else
2275 nft_trans_chain_policy(trans) = -1;
2276
2277 if (nla[NFTA_CHAIN_HANDLE] &&
2278 nla[NFTA_CHAIN_NAME]) {
2279 struct nft_trans *tmp;
2280 char *name;
2281
2282 err = -ENOMEM;
2283 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2284 if (!name)
2285 goto err;
2286
2287 err = -EEXIST;
2288 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
2289 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2290 tmp->ctx.table == table &&
2291 nft_trans_chain_update(tmp) &&
2292 nft_trans_chain_name(tmp) &&
2293 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2294 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2295 kfree(name);
2296 goto err;
2297 }
2298 }
2299
2300 nft_trans_chain_name(trans) = name;
2301 }
2302 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
2303
2304 return 0;
2305 err:
2306 free_percpu(stats);
2307 kfree(trans);
2308 return err;
2309 }
2310
2311 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2312 const struct nlattr *nla)
2313 {
2314 u32 id = ntohl(nla_get_be32(nla));
2315 struct nft_trans *trans;
2316
2317 list_for_each_entry(trans, &net->nft.commit_list, list) {
2318 struct nft_chain *chain = trans->ctx.chain;
2319
2320 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2321 id == nft_trans_chain_id(trans))
2322 return chain;
2323 }
2324 return ERR_PTR(-ENOENT);
2325 }
2326
2327 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
2328 struct sk_buff *skb, const struct nlmsghdr *nlh,
2329 const struct nlattr * const nla[],
2330 struct netlink_ext_ack *extack)
2331 {
2332 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2333 u8 genmask = nft_genmask_next(net);
2334 int family = nfmsg->nfgen_family;
2335 struct nft_chain *chain = NULL;
2336 const struct nlattr *attr;
2337 struct nft_table *table;
2338 u8 policy = NF_ACCEPT;
2339 struct nft_ctx ctx;
2340 u64 handle = 0;
2341 u32 flags = 0;
2342
2343 lockdep_assert_held(&net->nft.commit_mutex);
2344
2345 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2346 NETLINK_CB(skb).portid);
2347 if (IS_ERR(table)) {
2348 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2349 return PTR_ERR(table);
2350 }
2351
2352 chain = NULL;
2353 attr = nla[NFTA_CHAIN_NAME];
2354
2355 if (nla[NFTA_CHAIN_HANDLE]) {
2356 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2357 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2358 if (IS_ERR(chain)) {
2359 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2360 return PTR_ERR(chain);
2361 }
2362 attr = nla[NFTA_CHAIN_HANDLE];
2363 } else if (nla[NFTA_CHAIN_NAME]) {
2364 chain = nft_chain_lookup(net, table, attr, genmask);
2365 if (IS_ERR(chain)) {
2366 if (PTR_ERR(chain) != -ENOENT) {
2367 NL_SET_BAD_ATTR(extack, attr);
2368 return PTR_ERR(chain);
2369 }
2370 chain = NULL;
2371 }
2372 } else if (!nla[NFTA_CHAIN_ID]) {
2373 return -EINVAL;
2374 }
2375
2376 if (nla[NFTA_CHAIN_POLICY]) {
2377 if (chain != NULL &&
2378 !nft_is_base_chain(chain)) {
2379 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2380 return -EOPNOTSUPP;
2381 }
2382
2383 if (chain == NULL &&
2384 nla[NFTA_CHAIN_HOOK] == NULL) {
2385 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2386 return -EOPNOTSUPP;
2387 }
2388
2389 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2390 switch (policy) {
2391 case NF_DROP:
2392 case NF_ACCEPT:
2393 break;
2394 default:
2395 return -EINVAL;
2396 }
2397 }
2398
2399 if (nla[NFTA_CHAIN_FLAGS])
2400 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2401 else if (chain)
2402 flags = chain->flags;
2403
2404 if (flags & ~NFT_CHAIN_FLAGS)
2405 return -EOPNOTSUPP;
2406
2407 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2408
2409 if (chain != NULL) {
2410 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2411 NL_SET_BAD_ATTR(extack, attr);
2412 return -EEXIST;
2413 }
2414 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2415 return -EOPNOTSUPP;
2416
2417 flags |= chain->flags & NFT_CHAIN_BASE;
2418 return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
2419 extack);
2420 }
2421
2422 return nf_tables_addchain(&ctx, family, genmask, policy, flags);
2423 }
2424
2425 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
2426 struct sk_buff *skb, const struct nlmsghdr *nlh,
2427 const struct nlattr * const nla[],
2428 struct netlink_ext_ack *extack)
2429 {
2430 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2431 u8 genmask = nft_genmask_next(net);
2432 int family = nfmsg->nfgen_family;
2433 const struct nlattr *attr;
2434 struct nft_table *table;
2435 struct nft_chain *chain;
2436 struct nft_rule *rule;
2437 struct nft_ctx ctx;
2438 u64 handle;
2439 u32 use;
2440 int err;
2441
2442 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2443 NETLINK_CB(skb).portid);
2444 if (IS_ERR(table)) {
2445 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2446 return PTR_ERR(table);
2447 }
2448
2449 if (nla[NFTA_CHAIN_HANDLE]) {
2450 attr = nla[NFTA_CHAIN_HANDLE];
2451 handle = be64_to_cpu(nla_get_be64(attr));
2452 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2453 } else {
2454 attr = nla[NFTA_CHAIN_NAME];
2455 chain = nft_chain_lookup(net, table, attr, genmask);
2456 }
2457 if (IS_ERR(chain)) {
2458 NL_SET_BAD_ATTR(extack, attr);
2459 return PTR_ERR(chain);
2460 }
2461
2462 if (nlh->nlmsg_flags & NLM_F_NONREC &&
2463 chain->use > 0)
2464 return -EBUSY;
2465
2466 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2467
2468 use = chain->use;
2469 list_for_each_entry(rule, &chain->rules, list) {
2470 if (!nft_is_active_next(net, rule))
2471 continue;
2472 use--;
2473
2474 err = nft_delrule(&ctx, rule);
2475 if (err < 0)
2476 return err;
2477 }
2478
2479 /* There are rules and elements that are still holding references to us,
2480 * we cannot do a recursive removal in this case.
2481 */
2482 if (use > 0) {
2483 NL_SET_BAD_ATTR(extack, attr);
2484 return -EBUSY;
2485 }
2486
2487 return nft_delchain(&ctx);
2488 }
2489
2490 /*
2491 * Expressions
2492 */
2493
2494 /**
2495 * nft_register_expr - register nf_tables expr type
2496 * @type: expr type
2497 *
2498 * Registers the expr type for use with nf_tables. Returns zero on
2499 * success or a negative errno code otherwise.
2500 */
2501 int nft_register_expr(struct nft_expr_type *type)
2502 {
2503 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2504 if (type->family == NFPROTO_UNSPEC)
2505 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2506 else
2507 list_add_rcu(&type->list, &nf_tables_expressions);
2508 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2509 return 0;
2510 }
2511 EXPORT_SYMBOL_GPL(nft_register_expr);
2512
2513 /**
2514 * nft_unregister_expr - unregister nf_tables expr type
2515 * @type: expr type
2516 *
2517 * Unregisters the expr typefor use with nf_tables.
2518 */
2519 void nft_unregister_expr(struct nft_expr_type *type)
2520 {
2521 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2522 list_del_rcu(&type->list);
2523 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2524 }
2525 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2526
2527 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2528 struct nlattr *nla)
2529 {
2530 const struct nft_expr_type *type, *candidate = NULL;
2531
2532 list_for_each_entry(type, &nf_tables_expressions, list) {
2533 if (!nla_strcmp(nla, type->name)) {
2534 if (!type->family && !candidate)
2535 candidate = type;
2536 else if (type->family == family)
2537 candidate = type;
2538 }
2539 }
2540 return candidate;
2541 }
2542
2543 #ifdef CONFIG_MODULES
2544 static int nft_expr_type_request_module(struct net *net, u8 family,
2545 struct nlattr *nla)
2546 {
2547 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
2548 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
2549 return -EAGAIN;
2550
2551 return 0;
2552 }
2553 #endif
2554
2555 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2556 u8 family,
2557 struct nlattr *nla)
2558 {
2559 const struct nft_expr_type *type;
2560
2561 if (nla == NULL)
2562 return ERR_PTR(-EINVAL);
2563
2564 type = __nft_expr_type_get(family, nla);
2565 if (type != NULL && try_module_get(type->owner))
2566 return type;
2567
2568 lockdep_nfnl_nft_mutex_not_held();
2569 #ifdef CONFIG_MODULES
2570 if (type == NULL) {
2571 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2572 return ERR_PTR(-EAGAIN);
2573
2574 if (nft_request_module(net, "nft-expr-%.*s",
2575 nla_len(nla),
2576 (char *)nla_data(nla)) == -EAGAIN)
2577 return ERR_PTR(-EAGAIN);
2578 }
2579 #endif
2580 return ERR_PTR(-ENOENT);
2581 }
2582
2583 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2584 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
2585 .len = NFT_MODULE_AUTOLOAD_LIMIT },
2586 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2587 };
2588
2589 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2590 const struct nft_expr *expr)
2591 {
2592 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2593 goto nla_put_failure;
2594
2595 if (expr->ops->dump) {
2596 struct nlattr *data = nla_nest_start_noflag(skb,
2597 NFTA_EXPR_DATA);
2598 if (data == NULL)
2599 goto nla_put_failure;
2600 if (expr->ops->dump(skb, expr) < 0)
2601 goto nla_put_failure;
2602 nla_nest_end(skb, data);
2603 }
2604
2605 return skb->len;
2606
2607 nla_put_failure:
2608 return -1;
2609 };
2610
2611 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2612 const struct nft_expr *expr)
2613 {
2614 struct nlattr *nest;
2615
2616 nest = nla_nest_start_noflag(skb, attr);
2617 if (!nest)
2618 goto nla_put_failure;
2619 if (nf_tables_fill_expr_info(skb, expr) < 0)
2620 goto nla_put_failure;
2621 nla_nest_end(skb, nest);
2622 return 0;
2623
2624 nla_put_failure:
2625 return -1;
2626 }
2627
2628 struct nft_expr_info {
2629 const struct nft_expr_ops *ops;
2630 const struct nlattr *attr;
2631 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2632 };
2633
2634 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2635 const struct nlattr *nla,
2636 struct nft_expr_info *info)
2637 {
2638 const struct nft_expr_type *type;
2639 const struct nft_expr_ops *ops;
2640 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2641 int err;
2642
2643 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2644 nft_expr_policy, NULL);
2645 if (err < 0)
2646 return err;
2647
2648 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2649 if (IS_ERR(type))
2650 return PTR_ERR(type);
2651
2652 if (tb[NFTA_EXPR_DATA]) {
2653 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2654 tb[NFTA_EXPR_DATA],
2655 type->policy, NULL);
2656 if (err < 0)
2657 goto err1;
2658 } else
2659 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2660
2661 if (type->select_ops != NULL) {
2662 ops = type->select_ops(ctx,
2663 (const struct nlattr * const *)info->tb);
2664 if (IS_ERR(ops)) {
2665 err = PTR_ERR(ops);
2666 #ifdef CONFIG_MODULES
2667 if (err == -EAGAIN)
2668 if (nft_expr_type_request_module(ctx->net,
2669 ctx->family,
2670 tb[NFTA_EXPR_NAME]) != -EAGAIN)
2671 err = -ENOENT;
2672 #endif
2673 goto err1;
2674 }
2675 } else
2676 ops = type->ops;
2677
2678 info->attr = nla;
2679 info->ops = ops;
2680
2681 return 0;
2682
2683 err1:
2684 module_put(type->owner);
2685 return err;
2686 }
2687
2688 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2689 const struct nft_expr_info *info,
2690 struct nft_expr *expr)
2691 {
2692 const struct nft_expr_ops *ops = info->ops;
2693 int err;
2694
2695 expr->ops = ops;
2696 if (ops->init) {
2697 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2698 if (err < 0)
2699 goto err1;
2700 }
2701
2702 return 0;
2703 err1:
2704 expr->ops = NULL;
2705 return err;
2706 }
2707
2708 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2709 struct nft_expr *expr)
2710 {
2711 const struct nft_expr_type *type = expr->ops->type;
2712
2713 if (expr->ops->destroy)
2714 expr->ops->destroy(ctx, expr);
2715 module_put(type->owner);
2716 }
2717
2718 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2719 const struct nlattr *nla)
2720 {
2721 struct nft_expr_info info;
2722 struct nft_expr *expr;
2723 struct module *owner;
2724 int err;
2725
2726 err = nf_tables_expr_parse(ctx, nla, &info);
2727 if (err < 0)
2728 goto err1;
2729
2730 err = -ENOMEM;
2731 expr = kzalloc(info.ops->size, GFP_KERNEL);
2732 if (expr == NULL)
2733 goto err2;
2734
2735 err = nf_tables_newexpr(ctx, &info, expr);
2736 if (err < 0)
2737 goto err3;
2738
2739 return expr;
2740 err3:
2741 kfree(expr);
2742 err2:
2743 owner = info.ops->type->owner;
2744 if (info.ops->type->release_ops)
2745 info.ops->type->release_ops(info.ops);
2746
2747 module_put(owner);
2748 err1:
2749 return ERR_PTR(err);
2750 }
2751
2752 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
2753 {
2754 int err;
2755
2756 if (src->ops->clone) {
2757 dst->ops = src->ops;
2758 err = src->ops->clone(dst, src);
2759 if (err < 0)
2760 return err;
2761 } else {
2762 memcpy(dst, src, src->ops->size);
2763 }
2764
2765 __module_get(src->ops->type->owner);
2766
2767 return 0;
2768 }
2769
2770 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2771 {
2772 nf_tables_expr_destroy(ctx, expr);
2773 kfree(expr);
2774 }
2775
2776 /*
2777 * Rules
2778 */
2779
2780 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2781 u64 handle)
2782 {
2783 struct nft_rule *rule;
2784
2785 // FIXME: this sucks
2786 list_for_each_entry_rcu(rule, &chain->rules, list) {
2787 if (handle == rule->handle)
2788 return rule;
2789 }
2790
2791 return ERR_PTR(-ENOENT);
2792 }
2793
2794 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2795 const struct nlattr *nla)
2796 {
2797 if (nla == NULL)
2798 return ERR_PTR(-EINVAL);
2799
2800 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2801 }
2802
2803 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2804 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2805 .len = NFT_TABLE_MAXNAMELEN - 1 },
2806 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2807 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2808 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2809 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2810 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2811 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2812 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2813 .len = NFT_USERDATA_MAXLEN },
2814 [NFTA_RULE_ID] = { .type = NLA_U32 },
2815 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2816 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
2817 };
2818
2819 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2820 u32 portid, u32 seq, int event,
2821 u32 flags, int family,
2822 const struct nft_table *table,
2823 const struct nft_chain *chain,
2824 const struct nft_rule *rule,
2825 const struct nft_rule *prule)
2826 {
2827 struct nlmsghdr *nlh;
2828 struct nfgenmsg *nfmsg;
2829 const struct nft_expr *expr, *next;
2830 struct nlattr *list;
2831 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2832
2833 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2834 if (nlh == NULL)
2835 goto nla_put_failure;
2836
2837 nfmsg = nlmsg_data(nlh);
2838 nfmsg->nfgen_family = family;
2839 nfmsg->version = NFNETLINK_V0;
2840 nfmsg->res_id = nft_base_seq(net);
2841
2842 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2843 goto nla_put_failure;
2844 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2845 goto nla_put_failure;
2846 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2847 NFTA_RULE_PAD))
2848 goto nla_put_failure;
2849
2850 if (event != NFT_MSG_DELRULE && prule) {
2851 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2852 cpu_to_be64(prule->handle),
2853 NFTA_RULE_PAD))
2854 goto nla_put_failure;
2855 }
2856
2857 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
2858 if (list == NULL)
2859 goto nla_put_failure;
2860 nft_rule_for_each_expr(expr, next, rule) {
2861 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2862 goto nla_put_failure;
2863 }
2864 nla_nest_end(skb, list);
2865
2866 if (rule->udata) {
2867 struct nft_userdata *udata = nft_userdata(rule);
2868 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2869 udata->data) < 0)
2870 goto nla_put_failure;
2871 }
2872
2873 nlmsg_end(skb, nlh);
2874 return 0;
2875
2876 nla_put_failure:
2877 nlmsg_trim(skb, nlh);
2878 return -1;
2879 }
2880
2881 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2882 const struct nft_rule *rule, int event)
2883 {
2884 struct sk_buff *skb;
2885 int err;
2886
2887 if (!ctx->report &&
2888 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2889 return;
2890
2891 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2892 if (skb == NULL)
2893 goto err;
2894
2895 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2896 event, 0, ctx->family, ctx->table,
2897 ctx->chain, rule, NULL);
2898 if (err < 0) {
2899 kfree_skb(skb);
2900 goto err;
2901 }
2902
2903 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
2904 return;
2905 err:
2906 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2907 }
2908
2909 struct nft_rule_dump_ctx {
2910 char *table;
2911 char *chain;
2912 };
2913
2914 static int __nf_tables_dump_rules(struct sk_buff *skb,
2915 unsigned int *idx,
2916 struct netlink_callback *cb,
2917 const struct nft_table *table,
2918 const struct nft_chain *chain)
2919 {
2920 struct net *net = sock_net(skb->sk);
2921 const struct nft_rule *rule, *prule;
2922 unsigned int s_idx = cb->args[0];
2923
2924 prule = NULL;
2925 list_for_each_entry_rcu(rule, &chain->rules, list) {
2926 if (!nft_is_active(net, rule))
2927 goto cont_skip;
2928 if (*idx < s_idx)
2929 goto cont;
2930 if (*idx > s_idx) {
2931 memset(&cb->args[1], 0,
2932 sizeof(cb->args) - sizeof(cb->args[0]));
2933 }
2934 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2935 cb->nlh->nlmsg_seq,
2936 NFT_MSG_NEWRULE,
2937 NLM_F_MULTI | NLM_F_APPEND,
2938 table->family,
2939 table, chain, rule, prule) < 0)
2940 return 1;
2941
2942 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2943 cont:
2944 prule = rule;
2945 cont_skip:
2946 (*idx)++;
2947 }
2948 return 0;
2949 }
2950
2951 static int nf_tables_dump_rules(struct sk_buff *skb,
2952 struct netlink_callback *cb)
2953 {
2954 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2955 const struct nft_rule_dump_ctx *ctx = cb->data;
2956 struct nft_table *table;
2957 const struct nft_chain *chain;
2958 unsigned int idx = 0;
2959 struct net *net = sock_net(skb->sk);
2960 int family = nfmsg->nfgen_family;
2961
2962 rcu_read_lock();
2963 cb->seq = net->nft.base_seq;
2964
2965 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2966 if (family != NFPROTO_UNSPEC && family != table->family)
2967 continue;
2968
2969 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2970 continue;
2971
2972 if (ctx && ctx->table && ctx->chain) {
2973 struct rhlist_head *list, *tmp;
2974
2975 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2976 nft_chain_ht_params);
2977 if (!list)
2978 goto done;
2979
2980 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2981 if (!nft_is_active(net, chain))
2982 continue;
2983 __nf_tables_dump_rules(skb, &idx,
2984 cb, table, chain);
2985 break;
2986 }
2987 goto done;
2988 }
2989
2990 list_for_each_entry_rcu(chain, &table->chains, list) {
2991 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2992 goto done;
2993 }
2994
2995 if (ctx && ctx->table)
2996 break;
2997 }
2998 done:
2999 rcu_read_unlock();
3000
3001 cb->args[0] = idx;
3002 return skb->len;
3003 }
3004
3005 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
3006 {
3007 const struct nlattr * const *nla = cb->data;
3008 struct nft_rule_dump_ctx *ctx = NULL;
3009
3010 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
3011 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
3012 if (!ctx)
3013 return -ENOMEM;
3014
3015 if (nla[NFTA_RULE_TABLE]) {
3016 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
3017 GFP_ATOMIC);
3018 if (!ctx->table) {
3019 kfree(ctx);
3020 return -ENOMEM;
3021 }
3022 }
3023 if (nla[NFTA_RULE_CHAIN]) {
3024 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
3025 GFP_ATOMIC);
3026 if (!ctx->chain) {
3027 kfree(ctx->table);
3028 kfree(ctx);
3029 return -ENOMEM;
3030 }
3031 }
3032 }
3033
3034 cb->data = ctx;
3035 return 0;
3036 }
3037
3038 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3039 {
3040 struct nft_rule_dump_ctx *ctx = cb->data;
3041
3042 if (ctx) {
3043 kfree(ctx->table);
3044 kfree(ctx->chain);
3045 kfree(ctx);
3046 }
3047 return 0;
3048 }
3049
3050 /* called with rcu_read_lock held */
3051 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
3052 struct sk_buff *skb, const struct nlmsghdr *nlh,
3053 const struct nlattr * const nla[],
3054 struct netlink_ext_ack *extack)
3055 {
3056 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3057 u8 genmask = nft_genmask_cur(net);
3058 const struct nft_chain *chain;
3059 const struct nft_rule *rule;
3060 struct nft_table *table;
3061 struct sk_buff *skb2;
3062 int family = nfmsg->nfgen_family;
3063 int err;
3064
3065 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3066 struct netlink_dump_control c = {
3067 .start= nf_tables_dump_rules_start,
3068 .dump = nf_tables_dump_rules,
3069 .done = nf_tables_dump_rules_done,
3070 .module = THIS_MODULE,
3071 .data = (void *)nla,
3072 };
3073
3074 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3075 }
3076
3077 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0);
3078 if (IS_ERR(table)) {
3079 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3080 return PTR_ERR(table);
3081 }
3082
3083 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3084 if (IS_ERR(chain)) {
3085 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3086 return PTR_ERR(chain);
3087 }
3088
3089 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3090 if (IS_ERR(rule)) {
3091 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3092 return PTR_ERR(rule);
3093 }
3094
3095 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3096 if (!skb2)
3097 return -ENOMEM;
3098
3099 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
3100 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3101 family, table, chain, rule, NULL);
3102 if (err < 0)
3103 goto err_fill_rule_info;
3104
3105 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
3106
3107 err_fill_rule_info:
3108 kfree_skb(skb2);
3109 return err;
3110 }
3111
3112 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
3113 struct nft_rule *rule)
3114 {
3115 struct nft_expr *expr, *next;
3116
3117 /*
3118 * Careful: some expressions might not be initialized in case this
3119 * is called on error from nf_tables_newrule().
3120 */
3121 expr = nft_expr_first(rule);
3122 while (nft_expr_more(rule, expr)) {
3123 next = nft_expr_next(expr);
3124 nf_tables_expr_destroy(ctx, expr);
3125 expr = next;
3126 }
3127 kfree(rule);
3128 }
3129
3130 void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3131 {
3132 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
3133 nf_tables_rule_destroy(ctx, rule);
3134 }
3135
3136 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
3137 {
3138 struct nft_expr *expr, *last;
3139 const struct nft_data *data;
3140 struct nft_rule *rule;
3141 int err;
3142
3143 if (ctx->level == NFT_JUMP_STACK_SIZE)
3144 return -EMLINK;
3145
3146 list_for_each_entry(rule, &chain->rules, list) {
3147 if (!nft_is_active_next(ctx->net, rule))
3148 continue;
3149
3150 nft_rule_for_each_expr(expr, last, rule) {
3151 if (!expr->ops->validate)
3152 continue;
3153
3154 err = expr->ops->validate(ctx, expr, &data);
3155 if (err < 0)
3156 return err;
3157 }
3158 }
3159
3160 return 0;
3161 }
3162 EXPORT_SYMBOL_GPL(nft_chain_validate);
3163
3164 static int nft_table_validate(struct net *net, const struct nft_table *table)
3165 {
3166 struct nft_chain *chain;
3167 struct nft_ctx ctx = {
3168 .net = net,
3169 .family = table->family,
3170 };
3171 int err;
3172
3173 list_for_each_entry(chain, &table->chains, list) {
3174 if (!nft_is_base_chain(chain))
3175 continue;
3176
3177 ctx.chain = chain;
3178 err = nft_chain_validate(&ctx, chain);
3179 if (err < 0)
3180 return err;
3181 }
3182
3183 return 0;
3184 }
3185
3186 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3187 const struct nlattr *nla);
3188
3189 #define NFT_RULE_MAXEXPRS 128
3190
3191 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
3192 struct sk_buff *skb, const struct nlmsghdr *nlh,
3193 const struct nlattr * const nla[],
3194 struct netlink_ext_ack *extack)
3195 {
3196 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3197 u8 genmask = nft_genmask_next(net);
3198 struct nft_expr_info *info = NULL;
3199 int family = nfmsg->nfgen_family;
3200 struct nft_flow_rule *flow;
3201 struct nft_table *table;
3202 struct nft_chain *chain;
3203 struct nft_rule *rule, *old_rule = NULL;
3204 struct nft_userdata *udata;
3205 struct nft_trans *trans = NULL;
3206 struct nft_expr *expr;
3207 struct nft_ctx ctx;
3208 struct nlattr *tmp;
3209 unsigned int size, i, n, ulen = 0, usize = 0;
3210 int err, rem;
3211 u64 handle, pos_handle;
3212
3213 lockdep_assert_held(&net->nft.commit_mutex);
3214
3215 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3216 NETLINK_CB(skb).portid);
3217 if (IS_ERR(table)) {
3218 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3219 return PTR_ERR(table);
3220 }
3221
3222 if (nla[NFTA_RULE_CHAIN]) {
3223 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3224 genmask);
3225 if (IS_ERR(chain)) {
3226 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3227 return PTR_ERR(chain);
3228 }
3229 if (nft_chain_is_bound(chain))
3230 return -EOPNOTSUPP;
3231
3232 } else if (nla[NFTA_RULE_CHAIN_ID]) {
3233 chain = nft_chain_lookup_byid(net, nla[NFTA_RULE_CHAIN_ID]);
3234 if (IS_ERR(chain)) {
3235 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
3236 return PTR_ERR(chain);
3237 }
3238 } else {
3239 return -EINVAL;
3240 }
3241
3242 if (nla[NFTA_RULE_HANDLE]) {
3243 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3244 rule = __nft_rule_lookup(chain, handle);
3245 if (IS_ERR(rule)) {
3246 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3247 return PTR_ERR(rule);
3248 }
3249
3250 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3251 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3252 return -EEXIST;
3253 }
3254 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3255 old_rule = rule;
3256 else
3257 return -EOPNOTSUPP;
3258 } else {
3259 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
3260 nlh->nlmsg_flags & NLM_F_REPLACE)
3261 return -EINVAL;
3262 handle = nf_tables_alloc_handle(table);
3263
3264 if (chain->use == UINT_MAX)
3265 return -EOVERFLOW;
3266
3267 if (nla[NFTA_RULE_POSITION]) {
3268 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3269 old_rule = __nft_rule_lookup(chain, pos_handle);
3270 if (IS_ERR(old_rule)) {
3271 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3272 return PTR_ERR(old_rule);
3273 }
3274 } else if (nla[NFTA_RULE_POSITION_ID]) {
3275 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
3276 if (IS_ERR(old_rule)) {
3277 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3278 return PTR_ERR(old_rule);
3279 }
3280 }
3281 }
3282
3283 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3284
3285 n = 0;
3286 size = 0;
3287 if (nla[NFTA_RULE_EXPRESSIONS]) {
3288 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3289 sizeof(struct nft_expr_info),
3290 GFP_KERNEL);
3291 if (!info)
3292 return -ENOMEM;
3293
3294 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3295 err = -EINVAL;
3296 if (nla_type(tmp) != NFTA_LIST_ELEM)
3297 goto err1;
3298 if (n == NFT_RULE_MAXEXPRS)
3299 goto err1;
3300 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
3301 if (err < 0)
3302 goto err1;
3303 size += info[n].ops->size;
3304 n++;
3305 }
3306 }
3307 /* Check for overflow of dlen field */
3308 err = -EFBIG;
3309 if (size >= 1 << 12)
3310 goto err1;
3311
3312 if (nla[NFTA_RULE_USERDATA]) {
3313 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3314 if (ulen > 0)
3315 usize = sizeof(struct nft_userdata) + ulen;
3316 }
3317
3318 err = -ENOMEM;
3319 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
3320 if (rule == NULL)
3321 goto err1;
3322
3323 nft_activate_next(net, rule);
3324
3325 rule->handle = handle;
3326 rule->dlen = size;
3327 rule->udata = ulen ? 1 : 0;
3328
3329 if (ulen) {
3330 udata = nft_userdata(rule);
3331 udata->len = ulen - 1;
3332 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
3333 }
3334
3335 expr = nft_expr_first(rule);
3336 for (i = 0; i < n; i++) {
3337 err = nf_tables_newexpr(&ctx, &info[i], expr);
3338 if (err < 0) {
3339 NL_SET_BAD_ATTR(extack, info[i].attr);
3340 goto err2;
3341 }
3342
3343 if (info[i].ops->validate)
3344 nft_validate_state_update(net, NFT_VALIDATE_NEED);
3345
3346 info[i].ops = NULL;
3347 expr = nft_expr_next(expr);
3348 }
3349
3350 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
3351 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3352 if (trans == NULL) {
3353 err = -ENOMEM;
3354 goto err2;
3355 }
3356 err = nft_delrule(&ctx, old_rule);
3357 if (err < 0) {
3358 nft_trans_destroy(trans);
3359 goto err2;
3360 }
3361
3362 list_add_tail_rcu(&rule->list, &old_rule->list);
3363 } else {
3364 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3365 if (!trans) {
3366 err = -ENOMEM;
3367 goto err2;
3368 }
3369
3370 if (nlh->nlmsg_flags & NLM_F_APPEND) {
3371 if (old_rule)
3372 list_add_rcu(&rule->list, &old_rule->list);
3373 else
3374 list_add_tail_rcu(&rule->list, &chain->rules);
3375 } else {
3376 if (old_rule)
3377 list_add_tail_rcu(&rule->list, &old_rule->list);
3378 else
3379 list_add_rcu(&rule->list, &chain->rules);
3380 }
3381 }
3382 kvfree(info);
3383 chain->use++;
3384
3385 if (net->nft.validate_state == NFT_VALIDATE_DO)
3386 return nft_table_validate(net, table);
3387
3388 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
3389 flow = nft_flow_rule_create(net, rule);
3390 if (IS_ERR(flow))
3391 return PTR_ERR(flow);
3392
3393 nft_trans_flow_rule(trans) = flow;
3394 }
3395
3396 return 0;
3397 err2:
3398 nf_tables_rule_release(&ctx, rule);
3399 err1:
3400 for (i = 0; i < n; i++) {
3401 if (info[i].ops) {
3402 module_put(info[i].ops->type->owner);
3403 if (info[i].ops->type->release_ops)
3404 info[i].ops->type->release_ops(info[i].ops);
3405 }
3406 }
3407 kvfree(info);
3408 return err;
3409 }
3410
3411 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3412 const struct nlattr *nla)
3413 {
3414 u32 id = ntohl(nla_get_be32(nla));
3415 struct nft_trans *trans;
3416
3417 list_for_each_entry(trans, &net->nft.commit_list, list) {
3418 struct nft_rule *rule = nft_trans_rule(trans);
3419
3420 if (trans->msg_type == NFT_MSG_NEWRULE &&
3421 id == nft_trans_rule_id(trans))
3422 return rule;
3423 }
3424 return ERR_PTR(-ENOENT);
3425 }
3426
3427 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
3428 struct sk_buff *skb, const struct nlmsghdr *nlh,
3429 const struct nlattr * const nla[],
3430 struct netlink_ext_ack *extack)
3431 {
3432 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3433 u8 genmask = nft_genmask_next(net);
3434 struct nft_table *table;
3435 struct nft_chain *chain = NULL;
3436 struct nft_rule *rule;
3437 int family = nfmsg->nfgen_family, err = 0;
3438 struct nft_ctx ctx;
3439
3440 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3441 NETLINK_CB(skb).portid);
3442 if (IS_ERR(table)) {
3443 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3444 return PTR_ERR(table);
3445 }
3446
3447 if (nla[NFTA_RULE_CHAIN]) {
3448 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3449 genmask);
3450 if (IS_ERR(chain)) {
3451 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3452 return PTR_ERR(chain);
3453 }
3454 if (nft_chain_is_bound(chain))
3455 return -EOPNOTSUPP;
3456 }
3457
3458 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3459
3460 if (chain) {
3461 if (nla[NFTA_RULE_HANDLE]) {
3462 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3463 if (IS_ERR(rule)) {
3464 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3465 return PTR_ERR(rule);
3466 }
3467
3468 err = nft_delrule(&ctx, rule);
3469 } else if (nla[NFTA_RULE_ID]) {
3470 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
3471 if (IS_ERR(rule)) {
3472 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
3473 return PTR_ERR(rule);
3474 }
3475
3476 err = nft_delrule(&ctx, rule);
3477 } else {
3478 err = nft_delrule_by_chain(&ctx);
3479 }
3480 } else {
3481 list_for_each_entry(chain, &table->chains, list) {
3482 if (!nft_is_active_next(net, chain))
3483 continue;
3484
3485 ctx.chain = chain;
3486 err = nft_delrule_by_chain(&ctx);
3487 if (err < 0)
3488 break;
3489 }
3490 }
3491
3492 return err;
3493 }
3494
3495 /*
3496 * Sets
3497 */
3498 static const struct nft_set_type *nft_set_types[] = {
3499 &nft_set_hash_fast_type,
3500 &nft_set_hash_type,
3501 &nft_set_rhash_type,
3502 &nft_set_bitmap_type,
3503 &nft_set_rbtree_type,
3504 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
3505 &nft_set_pipapo_avx2_type,
3506 #endif
3507 &nft_set_pipapo_type,
3508 };
3509
3510 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3511 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3512 NFT_SET_EVAL)
3513
3514 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
3515 {
3516 return (flags & type->features) == (flags & NFT_SET_FEATURES);
3517 }
3518
3519 /*
3520 * Select a set implementation based on the data characteristics and the
3521 * given policy. The total memory use might not be known if no size is
3522 * given, in that case the amount of memory per element is used.
3523 */
3524 static const struct nft_set_ops *
3525 nft_select_set_ops(const struct nft_ctx *ctx,
3526 const struct nlattr * const nla[],
3527 const struct nft_set_desc *desc,
3528 enum nft_set_policies policy)
3529 {
3530 const struct nft_set_ops *ops, *bops;
3531 struct nft_set_estimate est, best;
3532 const struct nft_set_type *type;
3533 u32 flags = 0;
3534 int i;
3535
3536 lockdep_assert_held(&ctx->net->nft.commit_mutex);
3537 lockdep_nfnl_nft_mutex_not_held();
3538
3539 if (nla[NFTA_SET_FLAGS] != NULL)
3540 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3541
3542 bops = NULL;
3543 best.size = ~0;
3544 best.lookup = ~0;
3545 best.space = ~0;
3546
3547 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
3548 type = nft_set_types[i];
3549 ops = &type->ops;
3550
3551 if (!nft_set_ops_candidate(type, flags))
3552 continue;
3553 if (!ops->estimate(desc, flags, &est))
3554 continue;
3555
3556 switch (policy) {
3557 case NFT_SET_POL_PERFORMANCE:
3558 if (est.lookup < best.lookup)
3559 break;
3560 if (est.lookup == best.lookup &&
3561 est.space < best.space)
3562 break;
3563 continue;
3564 case NFT_SET_POL_MEMORY:
3565 if (!desc->size) {
3566 if (est.space < best.space)
3567 break;
3568 if (est.space == best.space &&
3569 est.lookup < best.lookup)
3570 break;
3571 } else if (est.size < best.size || !bops) {
3572 break;
3573 }
3574 continue;
3575 default:
3576 break;
3577 }
3578
3579 bops = ops;
3580 best = est;
3581 }
3582
3583 if (bops != NULL)
3584 return bops;
3585
3586 return ERR_PTR(-EOPNOTSUPP);
3587 }
3588
3589 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3590 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3591 .len = NFT_TABLE_MAXNAMELEN - 1 },
3592 [NFTA_SET_NAME] = { .type = NLA_STRING,
3593 .len = NFT_SET_MAXNAMELEN - 1 },
3594 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3595 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3596 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3597 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3598 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3599 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3600 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3601 [NFTA_SET_ID] = { .type = NLA_U32 },
3602 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3603 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3604 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3605 .len = NFT_USERDATA_MAXLEN },
3606 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3607 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3608 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
3609 [NFTA_SET_EXPRESSIONS] = { .type = NLA_NESTED },
3610 };
3611
3612 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3613 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3614 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED },
3615 };
3616
3617 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3618 const struct sk_buff *skb,
3619 const struct nlmsghdr *nlh,
3620 const struct nlattr * const nla[],
3621 struct netlink_ext_ack *extack,
3622 u8 genmask, u32 nlpid)
3623 {
3624 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3625 int family = nfmsg->nfgen_family;
3626 struct nft_table *table = NULL;
3627
3628 if (nla[NFTA_SET_TABLE] != NULL) {
3629 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3630 genmask, nlpid);
3631 if (IS_ERR(table)) {
3632 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3633 return PTR_ERR(table);
3634 }
3635 }
3636
3637 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3638 return 0;
3639 }
3640
3641 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3642 const struct nlattr *nla, u8 genmask)
3643 {
3644 struct nft_set *set;
3645
3646 if (nla == NULL)
3647 return ERR_PTR(-EINVAL);
3648
3649 list_for_each_entry_rcu(set, &table->sets, list) {
3650 if (!nla_strcmp(nla, set->name) &&
3651 nft_active_genmask(set, genmask))
3652 return set;
3653 }
3654 return ERR_PTR(-ENOENT);
3655 }
3656
3657 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3658 const struct nlattr *nla,
3659 u8 genmask)
3660 {
3661 struct nft_set *set;
3662
3663 list_for_each_entry(set, &table->sets, list) {
3664 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3665 nft_active_genmask(set, genmask))
3666 return set;
3667 }
3668 return ERR_PTR(-ENOENT);
3669 }
3670
3671 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3672 const struct nlattr *nla, u8 genmask)
3673 {
3674 struct nft_trans *trans;
3675 u32 id = ntohl(nla_get_be32(nla));
3676
3677 list_for_each_entry(trans, &net->nft.commit_list, list) {
3678 if (trans->msg_type == NFT_MSG_NEWSET) {
3679 struct nft_set *set = nft_trans_set(trans);
3680
3681 if (id == nft_trans_set_id(trans) &&
3682 nft_active_genmask(set, genmask))
3683 return set;
3684 }
3685 }
3686 return ERR_PTR(-ENOENT);
3687 }
3688
3689 struct nft_set *nft_set_lookup_global(const struct net *net,
3690 const struct nft_table *table,
3691 const struct nlattr *nla_set_name,
3692 const struct nlattr *nla_set_id,
3693 u8 genmask)
3694 {
3695 struct nft_set *set;
3696
3697 set = nft_set_lookup(table, nla_set_name, genmask);
3698 if (IS_ERR(set)) {
3699 if (!nla_set_id)
3700 return set;
3701
3702 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3703 }
3704 return set;
3705 }
3706 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3707
3708 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3709 const char *name)
3710 {
3711 const struct nft_set *i;
3712 const char *p;
3713 unsigned long *inuse;
3714 unsigned int n = 0, min = 0;
3715
3716 p = strchr(name, '%');
3717 if (p != NULL) {
3718 if (p[1] != 'd' || strchr(p + 2, '%'))
3719 return -EINVAL;
3720
3721 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3722 if (inuse == NULL)
3723 return -ENOMEM;
3724 cont:
3725 list_for_each_entry(i, &ctx->table->sets, list) {
3726 int tmp;
3727
3728 if (!nft_is_active_next(ctx->net, set))
3729 continue;
3730 if (!sscanf(i->name, name, &tmp))
3731 continue;
3732 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3733 continue;
3734
3735 set_bit(tmp - min, inuse);
3736 }
3737
3738 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3739 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3740 min += BITS_PER_BYTE * PAGE_SIZE;
3741 memset(inuse, 0, PAGE_SIZE);
3742 goto cont;
3743 }
3744 free_page((unsigned long)inuse);
3745 }
3746
3747 set->name = kasprintf(GFP_KERNEL, name, min + n);
3748 if (!set->name)
3749 return -ENOMEM;
3750
3751 list_for_each_entry(i, &ctx->table->sets, list) {
3752 if (!nft_is_active_next(ctx->net, i))
3753 continue;
3754 if (!strcmp(set->name, i->name)) {
3755 kfree(set->name);
3756 set->name = NULL;
3757 return -ENFILE;
3758 }
3759 }
3760 return 0;
3761 }
3762
3763 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3764 {
3765 u64 ms = be64_to_cpu(nla_get_be64(nla));
3766 u64 max = (u64)(~((u64)0));
3767
3768 max = div_u64(max, NSEC_PER_MSEC);
3769 if (ms >= max)
3770 return -ERANGE;
3771
3772 ms *= NSEC_PER_MSEC;
3773 *result = nsecs_to_jiffies64(ms);
3774 return 0;
3775 }
3776
3777 __be64 nf_jiffies64_to_msecs(u64 input)
3778 {
3779 return cpu_to_be64(jiffies64_to_msecs(input));
3780 }
3781
3782 static int nf_tables_fill_set_concat(struct sk_buff *skb,
3783 const struct nft_set *set)
3784 {
3785 struct nlattr *concat, *field;
3786 int i;
3787
3788 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
3789 if (!concat)
3790 return -ENOMEM;
3791
3792 for (i = 0; i < set->field_count; i++) {
3793 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
3794 if (!field)
3795 return -ENOMEM;
3796
3797 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
3798 htonl(set->field_len[i])))
3799 return -ENOMEM;
3800
3801 nla_nest_end(skb, field);
3802 }
3803
3804 nla_nest_end(skb, concat);
3805
3806 return 0;
3807 }
3808
3809 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3810 const struct nft_set *set, u16 event, u16 flags)
3811 {
3812 struct nfgenmsg *nfmsg;
3813 struct nlmsghdr *nlh;
3814 u32 portid = ctx->portid;
3815 struct nlattr *nest;
3816 u32 seq = ctx->seq;
3817 int i;
3818
3819 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3820 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3821 flags);
3822 if (nlh == NULL)
3823 goto nla_put_failure;
3824
3825 nfmsg = nlmsg_data(nlh);
3826 nfmsg->nfgen_family = ctx->family;
3827 nfmsg->version = NFNETLINK_V0;
3828 nfmsg->res_id = nft_base_seq(ctx->net);
3829
3830 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3831 goto nla_put_failure;
3832 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3833 goto nla_put_failure;
3834 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3835 NFTA_SET_PAD))
3836 goto nla_put_failure;
3837 if (set->flags != 0)
3838 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3839 goto nla_put_failure;
3840
3841 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3842 goto nla_put_failure;
3843 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3844 goto nla_put_failure;
3845 if (set->flags & NFT_SET_MAP) {
3846 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3847 goto nla_put_failure;
3848 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3849 goto nla_put_failure;
3850 }
3851 if (set->flags & NFT_SET_OBJECT &&
3852 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3853 goto nla_put_failure;
3854
3855 if (set->timeout &&
3856 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3857 nf_jiffies64_to_msecs(set->timeout),
3858 NFTA_SET_PAD))
3859 goto nla_put_failure;
3860 if (set->gc_int &&
3861 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3862 goto nla_put_failure;
3863
3864 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3865 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3866 goto nla_put_failure;
3867 }
3868
3869 if (set->udata &&
3870 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3871 goto nla_put_failure;
3872
3873 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
3874 if (!nest)
3875 goto nla_put_failure;
3876 if (set->size &&
3877 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3878 goto nla_put_failure;
3879
3880 if (set->field_count > 1 &&
3881 nf_tables_fill_set_concat(skb, set))
3882 goto nla_put_failure;
3883
3884 nla_nest_end(skb, nest);
3885
3886 if (set->num_exprs == 1) {
3887 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
3888 if (nf_tables_fill_expr_info(skb, set->exprs[0]) < 0)
3889 goto nla_put_failure;
3890
3891 nla_nest_end(skb, nest);
3892 } else if (set->num_exprs > 1) {
3893 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS);
3894 if (nest == NULL)
3895 goto nla_put_failure;
3896
3897 for (i = 0; i < set->num_exprs; i++) {
3898 if (nft_expr_dump(skb, NFTA_LIST_ELEM,
3899 set->exprs[i]) < 0)
3900 goto nla_put_failure;
3901 }
3902 nla_nest_end(skb, nest);
3903 }
3904
3905 nlmsg_end(skb, nlh);
3906 return 0;
3907
3908 nla_put_failure:
3909 nlmsg_trim(skb, nlh);
3910 return -1;
3911 }
3912
3913 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3914 const struct nft_set *set, int event,
3915 gfp_t gfp_flags)
3916 {
3917 struct sk_buff *skb;
3918 u32 portid = ctx->portid;
3919 int err;
3920
3921 if (!ctx->report &&
3922 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3923 return;
3924
3925 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3926 if (skb == NULL)
3927 goto err;
3928
3929 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3930 if (err < 0) {
3931 kfree_skb(skb);
3932 goto err;
3933 }
3934
3935 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
3936 return;
3937 err:
3938 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3939 }
3940
3941 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3942 {
3943 const struct nft_set *set;
3944 unsigned int idx, s_idx = cb->args[0];
3945 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3946 struct net *net = sock_net(skb->sk);
3947 struct nft_ctx *ctx = cb->data, ctx_set;
3948
3949 if (cb->args[1])
3950 return skb->len;
3951
3952 rcu_read_lock();
3953 cb->seq = net->nft.base_seq;
3954
3955 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3956 if (ctx->family != NFPROTO_UNSPEC &&
3957 ctx->family != table->family)
3958 continue;
3959
3960 if (ctx->table && ctx->table != table)
3961 continue;
3962
3963 if (cur_table) {
3964 if (cur_table != table)
3965 continue;
3966
3967 cur_table = NULL;
3968 }
3969 idx = 0;
3970 list_for_each_entry_rcu(set, &table->sets, list) {
3971 if (idx < s_idx)
3972 goto cont;
3973 if (!nft_is_active(net, set))
3974 goto cont;
3975
3976 ctx_set = *ctx;
3977 ctx_set.table = table;
3978 ctx_set.family = table->family;
3979
3980 if (nf_tables_fill_set(skb, &ctx_set, set,
3981 NFT_MSG_NEWSET,
3982 NLM_F_MULTI) < 0) {
3983 cb->args[0] = idx;
3984 cb->args[2] = (unsigned long) table;
3985 goto done;
3986 }
3987 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3988 cont:
3989 idx++;
3990 }
3991 if (s_idx)
3992 s_idx = 0;
3993 }
3994 cb->args[1] = 1;
3995 done:
3996 rcu_read_unlock();
3997 return skb->len;
3998 }
3999
4000 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
4001 {
4002 struct nft_ctx *ctx_dump = NULL;
4003
4004 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
4005 if (ctx_dump == NULL)
4006 return -ENOMEM;
4007
4008 cb->data = ctx_dump;
4009 return 0;
4010 }
4011
4012 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
4013 {
4014 kfree(cb->data);
4015 return 0;
4016 }
4017
4018 /* called with rcu_read_lock held */
4019 static int nf_tables_getset(struct net *net, struct sock *nlsk,
4020 struct sk_buff *skb, const struct nlmsghdr *nlh,
4021 const struct nlattr * const nla[],
4022 struct netlink_ext_ack *extack)
4023 {
4024 u8 genmask = nft_genmask_cur(net);
4025 const struct nft_set *set;
4026 struct nft_ctx ctx;
4027 struct sk_buff *skb2;
4028 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4029 int err;
4030
4031 /* Verify existence before starting dump */
4032 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
4033 genmask, 0);
4034 if (err < 0)
4035 return err;
4036
4037 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4038 struct netlink_dump_control c = {
4039 .start = nf_tables_dump_sets_start,
4040 .dump = nf_tables_dump_sets,
4041 .done = nf_tables_dump_sets_done,
4042 .data = &ctx,
4043 .module = THIS_MODULE,
4044 };
4045
4046 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4047 }
4048
4049 /* Only accept unspec with dump */
4050 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4051 return -EAFNOSUPPORT;
4052 if (!nla[NFTA_SET_TABLE])
4053 return -EINVAL;
4054
4055 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
4056 if (IS_ERR(set))
4057 return PTR_ERR(set);
4058
4059 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
4060 if (skb2 == NULL)
4061 return -ENOMEM;
4062
4063 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
4064 if (err < 0)
4065 goto err_fill_set_info;
4066
4067 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4068
4069 err_fill_set_info:
4070 kfree_skb(skb2);
4071 return err;
4072 }
4073
4074 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4075 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
4076 };
4077
4078 static int nft_set_desc_concat_parse(const struct nlattr *attr,
4079 struct nft_set_desc *desc)
4080 {
4081 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
4082 u32 len;
4083 int err;
4084
4085 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
4086 nft_concat_policy, NULL);
4087 if (err < 0)
4088 return err;
4089
4090 if (!tb[NFTA_SET_FIELD_LEN])
4091 return -EINVAL;
4092
4093 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
4094
4095 if (len * BITS_PER_BYTE / 32 > NFT_REG32_COUNT)
4096 return -E2BIG;
4097
4098 desc->field_len[desc->field_count++] = len;
4099
4100 return 0;
4101 }
4102
4103 static int nft_set_desc_concat(struct nft_set_desc *desc,
4104 const struct nlattr *nla)
4105 {
4106 struct nlattr *attr;
4107 int rem, err;
4108
4109 nla_for_each_nested(attr, nla, rem) {
4110 if (nla_type(attr) != NFTA_LIST_ELEM)
4111 return -EINVAL;
4112
4113 err = nft_set_desc_concat_parse(attr, desc);
4114 if (err < 0)
4115 return err;
4116 }
4117
4118 return 0;
4119 }
4120
4121 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
4122 const struct nlattr *nla)
4123 {
4124 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
4125 int err;
4126
4127 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
4128 nft_set_desc_policy, NULL);
4129 if (err < 0)
4130 return err;
4131
4132 if (da[NFTA_SET_DESC_SIZE] != NULL)
4133 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
4134 if (da[NFTA_SET_DESC_CONCAT])
4135 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
4136
4137 return err;
4138 }
4139
4140 static int nf_tables_newset(struct net *net, struct sock *nlsk,
4141 struct sk_buff *skb, const struct nlmsghdr *nlh,
4142 const struct nlattr * const nla[],
4143 struct netlink_ext_ack *extack)
4144 {
4145 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4146 u8 genmask = nft_genmask_next(net);
4147 int family = nfmsg->nfgen_family;
4148 const struct nft_set_ops *ops;
4149 struct nft_expr *expr = NULL;
4150 struct nft_table *table;
4151 struct nft_set *set;
4152 struct nft_ctx ctx;
4153 char *name;
4154 u64 size;
4155 u64 timeout;
4156 u32 ktype, dtype, flags, policy, gc_int, objtype;
4157 struct nft_set_desc desc;
4158 unsigned char *udata;
4159 u16 udlen;
4160 int err;
4161 int i;
4162
4163 if (nla[NFTA_SET_TABLE] == NULL ||
4164 nla[NFTA_SET_NAME] == NULL ||
4165 nla[NFTA_SET_KEY_LEN] == NULL ||
4166 nla[NFTA_SET_ID] == NULL)
4167 return -EINVAL;
4168
4169 memset(&desc, 0, sizeof(desc));
4170
4171 ktype = NFT_DATA_VALUE;
4172 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
4173 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
4174 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
4175 return -EINVAL;
4176 }
4177
4178 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
4179 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
4180 return -EINVAL;
4181
4182 flags = 0;
4183 if (nla[NFTA_SET_FLAGS] != NULL) {
4184 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
4185 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
4186 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
4187 NFT_SET_MAP | NFT_SET_EVAL |
4188 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR))
4189 return -EOPNOTSUPP;
4190 /* Only one of these operations is supported */
4191 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
4192 (NFT_SET_MAP | NFT_SET_OBJECT))
4193 return -EOPNOTSUPP;
4194 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
4195 (NFT_SET_EVAL | NFT_SET_OBJECT))
4196 return -EOPNOTSUPP;
4197 }
4198
4199 dtype = 0;
4200 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
4201 if (!(flags & NFT_SET_MAP))
4202 return -EINVAL;
4203
4204 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
4205 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
4206 dtype != NFT_DATA_VERDICT)
4207 return -EINVAL;
4208
4209 if (dtype != NFT_DATA_VERDICT) {
4210 if (nla[NFTA_SET_DATA_LEN] == NULL)
4211 return -EINVAL;
4212 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
4213 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
4214 return -EINVAL;
4215 } else
4216 desc.dlen = sizeof(struct nft_verdict);
4217 } else if (flags & NFT_SET_MAP)
4218 return -EINVAL;
4219
4220 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
4221 if (!(flags & NFT_SET_OBJECT))
4222 return -EINVAL;
4223
4224 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
4225 if (objtype == NFT_OBJECT_UNSPEC ||
4226 objtype > NFT_OBJECT_MAX)
4227 return -EOPNOTSUPP;
4228 } else if (flags & NFT_SET_OBJECT)
4229 return -EINVAL;
4230 else
4231 objtype = NFT_OBJECT_UNSPEC;
4232
4233 timeout = 0;
4234 if (nla[NFTA_SET_TIMEOUT] != NULL) {
4235 if (!(flags & NFT_SET_TIMEOUT))
4236 return -EINVAL;
4237
4238 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
4239 if (err)
4240 return err;
4241 }
4242 gc_int = 0;
4243 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
4244 if (!(flags & NFT_SET_TIMEOUT))
4245 return -EINVAL;
4246 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
4247 }
4248
4249 policy = NFT_SET_POL_PERFORMANCE;
4250 if (nla[NFTA_SET_POLICY] != NULL)
4251 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
4252
4253 if (nla[NFTA_SET_DESC] != NULL) {
4254 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
4255 if (err < 0)
4256 return err;
4257 }
4258
4259 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
4260 desc.expr = true;
4261
4262 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask,
4263 NETLINK_CB(skb).portid);
4264 if (IS_ERR(table)) {
4265 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4266 return PTR_ERR(table);
4267 }
4268
4269 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4270
4271 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4272 if (IS_ERR(set)) {
4273 if (PTR_ERR(set) != -ENOENT) {
4274 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4275 return PTR_ERR(set);
4276 }
4277 } else {
4278 if (nlh->nlmsg_flags & NLM_F_EXCL) {
4279 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4280 return -EEXIST;
4281 }
4282 if (nlh->nlmsg_flags & NLM_F_REPLACE)
4283 return -EOPNOTSUPP;
4284
4285 return 0;
4286 }
4287
4288 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
4289 return -ENOENT;
4290
4291 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
4292 if (IS_ERR(ops))
4293 return PTR_ERR(ops);
4294
4295 udlen = 0;
4296 if (nla[NFTA_SET_USERDATA])
4297 udlen = nla_len(nla[NFTA_SET_USERDATA]);
4298
4299 size = 0;
4300 if (ops->privsize != NULL)
4301 size = ops->privsize(nla, &desc);
4302
4303 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
4304 if (!set)
4305 return -ENOMEM;
4306
4307 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
4308 if (!name) {
4309 err = -ENOMEM;
4310 goto err_set_name;
4311 }
4312
4313 err = nf_tables_set_alloc_name(&ctx, set, name);
4314 kfree(name);
4315 if (err < 0)
4316 goto err_set_alloc_name;
4317
4318 if (nla[NFTA_SET_EXPR]) {
4319 expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]);
4320 if (IS_ERR(expr)) {
4321 err = PTR_ERR(expr);
4322 goto err_set_alloc_name;
4323 }
4324 set->exprs[0] = expr;
4325 set->num_exprs++;
4326 } else if (nla[NFTA_SET_EXPRESSIONS]) {
4327 struct nft_expr *expr;
4328 struct nlattr *tmp;
4329 int left;
4330
4331 if (!(flags & NFT_SET_EXPR)) {
4332 err = -EINVAL;
4333 goto err_set_alloc_name;
4334 }
4335 i = 0;
4336 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {
4337 if (i == NFT_SET_EXPR_MAX) {
4338 err = -E2BIG;
4339 goto err_set_init;
4340 }
4341 if (nla_type(tmp) != NFTA_LIST_ELEM) {
4342 err = -EINVAL;
4343 goto err_set_init;
4344 }
4345 expr = nft_set_elem_expr_alloc(&ctx, set, tmp);
4346 if (IS_ERR(expr)) {
4347 err = PTR_ERR(expr);
4348 goto err_set_init;
4349 }
4350 set->exprs[i++] = expr;
4351 set->num_exprs++;
4352 }
4353 }
4354
4355 udata = NULL;
4356 if (udlen) {
4357 udata = set->data + size;
4358 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
4359 }
4360
4361 INIT_LIST_HEAD(&set->bindings);
4362 set->table = table;
4363 write_pnet(&set->net, net);
4364 set->ops = ops;
4365 set->ktype = ktype;
4366 set->klen = desc.klen;
4367 set->dtype = dtype;
4368 set->objtype = objtype;
4369 set->dlen = desc.dlen;
4370 set->flags = flags;
4371 set->size = desc.size;
4372 set->policy = policy;
4373 set->udlen = udlen;
4374 set->udata = udata;
4375 set->timeout = timeout;
4376 set->gc_int = gc_int;
4377 set->handle = nf_tables_alloc_handle(table);
4378
4379 set->field_count = desc.field_count;
4380 for (i = 0; i < desc.field_count; i++)
4381 set->field_len[i] = desc.field_len[i];
4382
4383 err = ops->init(set, &desc, nla);
4384 if (err < 0)
4385 goto err_set_init;
4386
4387 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
4388 if (err < 0)
4389 goto err_set_trans;
4390
4391 list_add_tail_rcu(&set->list, &table->sets);
4392 table->use++;
4393 return 0;
4394
4395 err_set_trans:
4396 ops->destroy(set);
4397 err_set_init:
4398 for (i = 0; i < set->num_exprs; i++)
4399 nft_expr_destroy(&ctx, set->exprs[i]);
4400 err_set_alloc_name:
4401 kfree(set->name);
4402 err_set_name:
4403 kvfree(set);
4404 return err;
4405 }
4406
4407 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
4408 {
4409 int i;
4410
4411 if (WARN_ON(set->use > 0))
4412 return;
4413
4414 for (i = 0; i < set->num_exprs; i++)
4415 nft_expr_destroy(ctx, set->exprs[i]);
4416
4417 set->ops->destroy(set);
4418 kfree(set->name);
4419 kvfree(set);
4420 }
4421
4422 static int nf_tables_delset(struct net *net, struct sock *nlsk,
4423 struct sk_buff *skb, const struct nlmsghdr *nlh,
4424 const struct nlattr * const nla[],
4425 struct netlink_ext_ack *extack)
4426 {
4427 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4428 u8 genmask = nft_genmask_next(net);
4429 const struct nlattr *attr;
4430 struct nft_set *set;
4431 struct nft_ctx ctx;
4432 int err;
4433
4434 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4435 return -EAFNOSUPPORT;
4436 if (nla[NFTA_SET_TABLE] == NULL)
4437 return -EINVAL;
4438
4439 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
4440 genmask, NETLINK_CB(skb).portid);
4441 if (err < 0)
4442 return err;
4443
4444 if (nla[NFTA_SET_HANDLE]) {
4445 attr = nla[NFTA_SET_HANDLE];
4446 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
4447 } else {
4448 attr = nla[NFTA_SET_NAME];
4449 set = nft_set_lookup(ctx.table, attr, genmask);
4450 }
4451
4452 if (IS_ERR(set)) {
4453 NL_SET_BAD_ATTR(extack, attr);
4454 return PTR_ERR(set);
4455 }
4456 if (set->use ||
4457 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
4458 NL_SET_BAD_ATTR(extack, attr);
4459 return -EBUSY;
4460 }
4461
4462 return nft_delset(&ctx, set);
4463 }
4464
4465 static int nft_validate_register_store(const struct nft_ctx *ctx,
4466 enum nft_registers reg,
4467 const struct nft_data *data,
4468 enum nft_data_types type,
4469 unsigned int len);
4470
4471 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
4472 struct nft_set *set,
4473 const struct nft_set_iter *iter,
4474 struct nft_set_elem *elem)
4475 {
4476 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4477 enum nft_registers dreg;
4478
4479 dreg = nft_type_to_reg(set->dtype);
4480 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
4481 set->dtype == NFT_DATA_VERDICT ?
4482 NFT_DATA_VERDICT : NFT_DATA_VALUE,
4483 set->dlen);
4484 }
4485
4486 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
4487 struct nft_set_binding *binding)
4488 {
4489 struct nft_set_binding *i;
4490 struct nft_set_iter iter;
4491
4492 if (set->use == UINT_MAX)
4493 return -EOVERFLOW;
4494
4495 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
4496 return -EBUSY;
4497
4498 if (binding->flags & NFT_SET_MAP) {
4499 /* If the set is already bound to the same chain all
4500 * jumps are already validated for that chain.
4501 */
4502 list_for_each_entry(i, &set->bindings, list) {
4503 if (i->flags & NFT_SET_MAP &&
4504 i->chain == binding->chain)
4505 goto bind;
4506 }
4507
4508 iter.genmask = nft_genmask_next(ctx->net);
4509 iter.skip = 0;
4510 iter.count = 0;
4511 iter.err = 0;
4512 iter.fn = nf_tables_bind_check_setelem;
4513
4514 set->ops->walk(ctx, set, &iter);
4515 if (iter.err < 0)
4516 return iter.err;
4517 }
4518 bind:
4519 binding->chain = ctx->chain;
4520 list_add_tail_rcu(&binding->list, &set->bindings);
4521 nft_set_trans_bind(ctx, set);
4522 set->use++;
4523
4524 return 0;
4525 }
4526 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
4527
4528 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
4529 struct nft_set_binding *binding, bool event)
4530 {
4531 list_del_rcu(&binding->list);
4532
4533 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
4534 list_del_rcu(&set->list);
4535 if (event)
4536 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
4537 GFP_KERNEL);
4538 }
4539 }
4540
4541 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
4542 struct nft_set_binding *binding,
4543 enum nft_trans_phase phase)
4544 {
4545 switch (phase) {
4546 case NFT_TRANS_PREPARE:
4547 set->use--;
4548 return;
4549 case NFT_TRANS_ABORT:
4550 case NFT_TRANS_RELEASE:
4551 set->use--;
4552 fallthrough;
4553 default:
4554 nf_tables_unbind_set(ctx, set, binding,
4555 phase == NFT_TRANS_COMMIT);
4556 }
4557 }
4558 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
4559
4560 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
4561 {
4562 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
4563 nft_set_destroy(ctx, set);
4564 }
4565 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
4566
4567 const struct nft_set_ext_type nft_set_ext_types[] = {
4568 [NFT_SET_EXT_KEY] = {
4569 .align = __alignof__(u32),
4570 },
4571 [NFT_SET_EXT_DATA] = {
4572 .align = __alignof__(u32),
4573 },
4574 [NFT_SET_EXT_EXPRESSIONS] = {
4575 .align = __alignof__(struct nft_set_elem_expr),
4576 },
4577 [NFT_SET_EXT_OBJREF] = {
4578 .len = sizeof(struct nft_object *),
4579 .align = __alignof__(struct nft_object *),
4580 },
4581 [NFT_SET_EXT_FLAGS] = {
4582 .len = sizeof(u8),
4583 .align = __alignof__(u8),
4584 },
4585 [NFT_SET_EXT_TIMEOUT] = {
4586 .len = sizeof(u64),
4587 .align = __alignof__(u64),
4588 },
4589 [NFT_SET_EXT_EXPIRATION] = {
4590 .len = sizeof(u64),
4591 .align = __alignof__(u64),
4592 },
4593 [NFT_SET_EXT_USERDATA] = {
4594 .len = sizeof(struct nft_userdata),
4595 .align = __alignof__(struct nft_userdata),
4596 },
4597 [NFT_SET_EXT_KEY_END] = {
4598 .align = __alignof__(u32),
4599 },
4600 };
4601
4602 /*
4603 * Set elements
4604 */
4605
4606 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
4607 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
4608 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
4609 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
4610 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
4611 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
4612 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
4613 .len = NFT_USERDATA_MAXLEN },
4614 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
4615 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
4616 .len = NFT_OBJ_MAXNAMELEN - 1 },
4617 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
4618 [NFTA_SET_ELEM_EXPRESSIONS] = { .type = NLA_NESTED },
4619 };
4620
4621 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
4622 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
4623 .len = NFT_TABLE_MAXNAMELEN - 1 },
4624 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
4625 .len = NFT_SET_MAXNAMELEN - 1 },
4626 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
4627 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
4628 };
4629
4630 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
4631 const struct sk_buff *skb,
4632 const struct nlmsghdr *nlh,
4633 const struct nlattr * const nla[],
4634 struct netlink_ext_ack *extack,
4635 u8 genmask, u32 nlpid)
4636 {
4637 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4638 int family = nfmsg->nfgen_family;
4639 struct nft_table *table;
4640
4641 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
4642 genmask, nlpid);
4643 if (IS_ERR(table)) {
4644 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
4645 return PTR_ERR(table);
4646 }
4647
4648 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
4649 return 0;
4650 }
4651
4652 static int nft_set_elem_expr_dump(struct sk_buff *skb,
4653 const struct nft_set *set,
4654 const struct nft_set_ext *ext)
4655 {
4656 struct nft_set_elem_expr *elem_expr;
4657 u32 size, num_exprs = 0;
4658 struct nft_expr *expr;
4659 struct nlattr *nest;
4660
4661 elem_expr = nft_set_ext_expr(ext);
4662 nft_setelem_expr_foreach(expr, elem_expr, size)
4663 num_exprs++;
4664
4665 if (num_exprs == 1) {
4666 expr = nft_setelem_expr_at(elem_expr, 0);
4667 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr) < 0)
4668 return -1;
4669
4670 return 0;
4671 } else if (num_exprs > 1) {
4672 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS);
4673 if (nest == NULL)
4674 goto nla_put_failure;
4675
4676 nft_setelem_expr_foreach(expr, elem_expr, size) {
4677 expr = nft_setelem_expr_at(elem_expr, size);
4678 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
4679 goto nla_put_failure;
4680 }
4681 nla_nest_end(skb, nest);
4682 }
4683 return 0;
4684
4685 nla_put_failure:
4686 return -1;
4687 }
4688
4689 static int nf_tables_fill_setelem(struct sk_buff *skb,
4690 const struct nft_set *set,
4691 const struct nft_set_elem *elem)
4692 {
4693 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4694 unsigned char *b = skb_tail_pointer(skb);
4695 struct nlattr *nest;
4696
4697 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4698 if (nest == NULL)
4699 goto nla_put_failure;
4700
4701 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
4702 NFT_DATA_VALUE, set->klen) < 0)
4703 goto nla_put_failure;
4704
4705 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
4706 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
4707 NFT_DATA_VALUE, set->klen) < 0)
4708 goto nla_put_failure;
4709
4710 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4711 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
4712 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
4713 set->dlen) < 0)
4714 goto nla_put_failure;
4715
4716 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) &&
4717 nft_set_elem_expr_dump(skb, set, ext))
4718 goto nla_put_failure;
4719
4720 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4721 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
4722 (*nft_set_ext_obj(ext))->key.name) < 0)
4723 goto nla_put_failure;
4724
4725 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4726 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
4727 htonl(*nft_set_ext_flags(ext))))
4728 goto nla_put_failure;
4729
4730 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
4731 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
4732 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
4733 NFTA_SET_ELEM_PAD))
4734 goto nla_put_failure;
4735
4736 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4737 u64 expires, now = get_jiffies_64();
4738
4739 expires = *nft_set_ext_expiration(ext);
4740 if (time_before64(now, expires))
4741 expires -= now;
4742 else
4743 expires = 0;
4744
4745 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
4746 nf_jiffies64_to_msecs(expires),
4747 NFTA_SET_ELEM_PAD))
4748 goto nla_put_failure;
4749 }
4750
4751 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
4752 struct nft_userdata *udata;
4753
4754 udata = nft_set_ext_userdata(ext);
4755 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
4756 udata->len + 1, udata->data))
4757 goto nla_put_failure;
4758 }
4759
4760 nla_nest_end(skb, nest);
4761 return 0;
4762
4763 nla_put_failure:
4764 nlmsg_trim(skb, b);
4765 return -EMSGSIZE;
4766 }
4767
4768 struct nft_set_dump_args {
4769 const struct netlink_callback *cb;
4770 struct nft_set_iter iter;
4771 struct sk_buff *skb;
4772 };
4773
4774 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
4775 struct nft_set *set,
4776 const struct nft_set_iter *iter,
4777 struct nft_set_elem *elem)
4778 {
4779 struct nft_set_dump_args *args;
4780
4781 args = container_of(iter, struct nft_set_dump_args, iter);
4782 return nf_tables_fill_setelem(args->skb, set, elem);
4783 }
4784
4785 struct nft_set_dump_ctx {
4786 const struct nft_set *set;
4787 struct nft_ctx ctx;
4788 };
4789
4790 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4791 {
4792 struct nft_set_dump_ctx *dump_ctx = cb->data;
4793 struct net *net = sock_net(skb->sk);
4794 struct nft_table *table;
4795 struct nft_set *set;
4796 struct nft_set_dump_args args;
4797 bool set_found = false;
4798 struct nfgenmsg *nfmsg;
4799 struct nlmsghdr *nlh;
4800 struct nlattr *nest;
4801 u32 portid, seq;
4802 int event;
4803
4804 rcu_read_lock();
4805 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4806 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4807 dump_ctx->ctx.family != table->family)
4808 continue;
4809
4810 if (table != dump_ctx->ctx.table)
4811 continue;
4812
4813 list_for_each_entry_rcu(set, &table->sets, list) {
4814 if (set == dump_ctx->set) {
4815 set_found = true;
4816 break;
4817 }
4818 }
4819 break;
4820 }
4821
4822 if (!set_found) {
4823 rcu_read_unlock();
4824 return -ENOENT;
4825 }
4826
4827 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4828 portid = NETLINK_CB(cb->skb).portid;
4829 seq = cb->nlh->nlmsg_seq;
4830
4831 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4832 NLM_F_MULTI);
4833 if (nlh == NULL)
4834 goto nla_put_failure;
4835
4836 nfmsg = nlmsg_data(nlh);
4837 nfmsg->nfgen_family = table->family;
4838 nfmsg->version = NFNETLINK_V0;
4839 nfmsg->res_id = nft_base_seq(net);
4840
4841 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4842 goto nla_put_failure;
4843 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4844 goto nla_put_failure;
4845
4846 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4847 if (nest == NULL)
4848 goto nla_put_failure;
4849
4850 args.cb = cb;
4851 args.skb = skb;
4852 args.iter.genmask = nft_genmask_cur(net);
4853 args.iter.skip = cb->args[0];
4854 args.iter.count = 0;
4855 args.iter.err = 0;
4856 args.iter.fn = nf_tables_dump_setelem;
4857 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4858 rcu_read_unlock();
4859
4860 nla_nest_end(skb, nest);
4861 nlmsg_end(skb, nlh);
4862
4863 if (args.iter.err && args.iter.err != -EMSGSIZE)
4864 return args.iter.err;
4865 if (args.iter.count == cb->args[0])
4866 return 0;
4867
4868 cb->args[0] = args.iter.count;
4869 return skb->len;
4870
4871 nla_put_failure:
4872 rcu_read_unlock();
4873 return -ENOSPC;
4874 }
4875
4876 static int nf_tables_dump_set_start(struct netlink_callback *cb)
4877 {
4878 struct nft_set_dump_ctx *dump_ctx = cb->data;
4879
4880 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4881
4882 return cb->data ? 0 : -ENOMEM;
4883 }
4884
4885 static int nf_tables_dump_set_done(struct netlink_callback *cb)
4886 {
4887 kfree(cb->data);
4888 return 0;
4889 }
4890
4891 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4892 const struct nft_ctx *ctx, u32 seq,
4893 u32 portid, int event, u16 flags,
4894 const struct nft_set *set,
4895 const struct nft_set_elem *elem)
4896 {
4897 struct nfgenmsg *nfmsg;
4898 struct nlmsghdr *nlh;
4899 struct nlattr *nest;
4900 int err;
4901
4902 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4903 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4904 flags);
4905 if (nlh == NULL)
4906 goto nla_put_failure;
4907
4908 nfmsg = nlmsg_data(nlh);
4909 nfmsg->nfgen_family = ctx->family;
4910 nfmsg->version = NFNETLINK_V0;
4911 nfmsg->res_id = nft_base_seq(ctx->net);
4912
4913 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4914 goto nla_put_failure;
4915 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4916 goto nla_put_failure;
4917
4918 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4919 if (nest == NULL)
4920 goto nla_put_failure;
4921
4922 err = nf_tables_fill_setelem(skb, set, elem);
4923 if (err < 0)
4924 goto nla_put_failure;
4925
4926 nla_nest_end(skb, nest);
4927
4928 nlmsg_end(skb, nlh);
4929 return 0;
4930
4931 nla_put_failure:
4932 nlmsg_trim(skb, nlh);
4933 return -1;
4934 }
4935
4936 static int nft_setelem_parse_flags(const struct nft_set *set,
4937 const struct nlattr *attr, u32 *flags)
4938 {
4939 if (attr == NULL)
4940 return 0;
4941
4942 *flags = ntohl(nla_get_be32(attr));
4943 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4944 return -EINVAL;
4945 if (!(set->flags & NFT_SET_INTERVAL) &&
4946 *flags & NFT_SET_ELEM_INTERVAL_END)
4947 return -EINVAL;
4948
4949 return 0;
4950 }
4951
4952 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
4953 struct nft_data *key, struct nlattr *attr)
4954 {
4955 struct nft_data_desc desc;
4956 int err;
4957
4958 err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr);
4959 if (err < 0)
4960 return err;
4961
4962 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
4963 nft_data_release(key, desc.type);
4964 return -EINVAL;
4965 }
4966
4967 return 0;
4968 }
4969
4970 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
4971 struct nft_data_desc *desc,
4972 struct nft_data *data,
4973 struct nlattr *attr)
4974 {
4975 int err;
4976
4977 err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr);
4978 if (err < 0)
4979 return err;
4980
4981 if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) {
4982 nft_data_release(data, desc->type);
4983 return -EINVAL;
4984 }
4985
4986 return 0;
4987 }
4988
4989 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4990 const struct nlattr *attr)
4991 {
4992 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4993 struct nft_set_elem elem;
4994 struct sk_buff *skb;
4995 uint32_t flags = 0;
4996 void *priv;
4997 int err;
4998
4999 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5000 nft_set_elem_policy, NULL);
5001 if (err < 0)
5002 return err;
5003
5004 if (!nla[NFTA_SET_ELEM_KEY])
5005 return -EINVAL;
5006
5007 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5008 if (err < 0)
5009 return err;
5010
5011 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5012 nla[NFTA_SET_ELEM_KEY]);
5013 if (err < 0)
5014 return err;
5015
5016 if (nla[NFTA_SET_ELEM_KEY_END]) {
5017 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5018 nla[NFTA_SET_ELEM_KEY_END]);
5019 if (err < 0)
5020 return err;
5021 }
5022
5023 priv = set->ops->get(ctx->net, set, &elem, flags);
5024 if (IS_ERR(priv))
5025 return PTR_ERR(priv);
5026
5027 elem.priv = priv;
5028
5029 err = -ENOMEM;
5030 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
5031 if (skb == NULL)
5032 return err;
5033
5034 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
5035 NFT_MSG_NEWSETELEM, 0, set, &elem);
5036 if (err < 0)
5037 goto err_fill_setelem;
5038
5039 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
5040
5041 err_fill_setelem:
5042 kfree_skb(skb);
5043 return err;
5044 }
5045
5046 /* called with rcu_read_lock held */
5047 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
5048 struct sk_buff *skb, const struct nlmsghdr *nlh,
5049 const struct nlattr * const nla[],
5050 struct netlink_ext_ack *extack)
5051 {
5052 u8 genmask = nft_genmask_cur(net);
5053 struct nft_set *set;
5054 struct nlattr *attr;
5055 struct nft_ctx ctx;
5056 int rem, err = 0;
5057
5058 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5059 genmask, NETLINK_CB(skb).portid);
5060 if (err < 0)
5061 return err;
5062
5063 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5064 if (IS_ERR(set))
5065 return PTR_ERR(set);
5066
5067 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5068 struct netlink_dump_control c = {
5069 .start = nf_tables_dump_set_start,
5070 .dump = nf_tables_dump_set,
5071 .done = nf_tables_dump_set_done,
5072 .module = THIS_MODULE,
5073 };
5074 struct nft_set_dump_ctx dump_ctx = {
5075 .set = set,
5076 .ctx = ctx,
5077 };
5078
5079 c.data = &dump_ctx;
5080 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5081 }
5082
5083 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
5084 return -EINVAL;
5085
5086 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5087 err = nft_get_set_elem(&ctx, set, attr);
5088 if (err < 0)
5089 break;
5090 }
5091
5092 return err;
5093 }
5094
5095 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
5096 const struct nft_set *set,
5097 const struct nft_set_elem *elem,
5098 int event, u16 flags)
5099 {
5100 struct net *net = ctx->net;
5101 u32 portid = ctx->portid;
5102 struct sk_buff *skb;
5103 int err;
5104
5105 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5106 return;
5107
5108 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5109 if (skb == NULL)
5110 goto err;
5111
5112 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
5113 set, elem);
5114 if (err < 0) {
5115 kfree_skb(skb);
5116 goto err;
5117 }
5118
5119 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
5120 return;
5121 err:
5122 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5123 }
5124
5125 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
5126 int msg_type,
5127 struct nft_set *set)
5128 {
5129 struct nft_trans *trans;
5130
5131 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
5132 if (trans == NULL)
5133 return NULL;
5134
5135 nft_trans_elem_set(trans) = set;
5136 return trans;
5137 }
5138
5139 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
5140 const struct nft_set *set,
5141 const struct nlattr *attr)
5142 {
5143 struct nft_expr *expr;
5144 int err;
5145
5146 expr = nft_expr_init(ctx, attr);
5147 if (IS_ERR(expr))
5148 return expr;
5149
5150 err = -EOPNOTSUPP;
5151 if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL))
5152 goto err_set_elem_expr;
5153
5154 if (expr->ops->type->flags & NFT_EXPR_GC) {
5155 if (set->flags & NFT_SET_TIMEOUT)
5156 goto err_set_elem_expr;
5157 if (!set->ops->gc_init)
5158 goto err_set_elem_expr;
5159 set->ops->gc_init(set);
5160 }
5161
5162 return expr;
5163
5164 err_set_elem_expr:
5165 nft_expr_destroy(ctx, expr);
5166 return ERR_PTR(err);
5167 }
5168
5169 void *nft_set_elem_init(const struct nft_set *set,
5170 const struct nft_set_ext_tmpl *tmpl,
5171 const u32 *key, const u32 *key_end,
5172 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp)
5173 {
5174 struct nft_set_ext *ext;
5175 void *elem;
5176
5177 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
5178 if (elem == NULL)
5179 return NULL;
5180
5181 ext = nft_set_elem_ext(set, elem);
5182 nft_set_ext_init(ext, tmpl);
5183
5184 memcpy(nft_set_ext_key(ext), key, set->klen);
5185 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
5186 memcpy(nft_set_ext_key_end(ext), key_end, set->klen);
5187 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5188 memcpy(nft_set_ext_data(ext), data, set->dlen);
5189 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
5190 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
5191 if (expiration == 0)
5192 *nft_set_ext_expiration(ext) += timeout;
5193 }
5194 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
5195 *nft_set_ext_timeout(ext) = timeout;
5196
5197 return elem;
5198 }
5199
5200 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5201 struct nft_expr *expr)
5202 {
5203 if (expr->ops->destroy_clone) {
5204 expr->ops->destroy_clone(ctx, expr);
5205 module_put(expr->ops->type->owner);
5206 } else {
5207 nf_tables_expr_destroy(ctx, expr);
5208 }
5209 }
5210
5211 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5212 struct nft_set_elem_expr *elem_expr)
5213 {
5214 struct nft_expr *expr;
5215 u32 size;
5216
5217 nft_setelem_expr_foreach(expr, elem_expr, size)
5218 __nft_set_elem_expr_destroy(ctx, expr);
5219 }
5220
5221 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
5222 bool destroy_expr)
5223 {
5224 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5225 struct nft_ctx ctx = {
5226 .net = read_pnet(&set->net),
5227 .family = set->table->family,
5228 };
5229
5230 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
5231 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5232 nft_data_release(nft_set_ext_data(ext), set->dtype);
5233 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
5234 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
5235
5236 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5237 (*nft_set_ext_obj(ext))->use--;
5238 kfree(elem);
5239 }
5240 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
5241
5242 /* Only called from commit path, nft_set_elem_deactivate() already deals with
5243 * the refcounting from the preparation phase.
5244 */
5245 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
5246 const struct nft_set *set, void *elem)
5247 {
5248 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5249
5250 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
5251 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
5252
5253 kfree(elem);
5254 }
5255
5256 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
5257 struct nft_expr *expr_array[])
5258 {
5259 struct nft_expr *expr;
5260 int err, i, k;
5261
5262 for (i = 0; i < set->num_exprs; i++) {
5263 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL);
5264 if (!expr)
5265 goto err_expr;
5266
5267 err = nft_expr_clone(expr, set->exprs[i]);
5268 if (err < 0) {
5269 nft_expr_destroy(ctx, expr);
5270 goto err_expr;
5271 }
5272 expr_array[i] = expr;
5273 }
5274
5275 return 0;
5276
5277 err_expr:
5278 for (k = i - 1; k >= 0; k--)
5279 nft_expr_destroy(ctx, expr_array[k]);
5280
5281 return -ENOMEM;
5282 }
5283
5284 static void nft_set_elem_expr_setup(const struct nft_set_ext *ext, int i,
5285 struct nft_expr *expr_array[])
5286 {
5287 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
5288 struct nft_expr *expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
5289
5290 memcpy(expr, expr_array[i], expr_array[i]->ops->size);
5291 elem_expr->size += expr_array[i]->ops->size;
5292 kfree(expr_array[i]);
5293 expr_array[i] = NULL;
5294 }
5295
5296 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
5297 const struct nlattr *attr, u32 nlmsg_flags)
5298 {
5299 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {};
5300 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5301 u8 genmask = nft_genmask_next(ctx->net);
5302 u32 flags = 0, size = 0, num_exprs = 0;
5303 struct nft_set_ext_tmpl tmpl;
5304 struct nft_set_ext *ext, *ext2;
5305 struct nft_set_elem elem;
5306 struct nft_set_binding *binding;
5307 struct nft_object *obj = NULL;
5308 struct nft_userdata *udata;
5309 struct nft_data_desc desc;
5310 enum nft_registers dreg;
5311 struct nft_trans *trans;
5312 u64 timeout;
5313 u64 expiration;
5314 int err, i;
5315 u8 ulen;
5316
5317 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5318 nft_set_elem_policy, NULL);
5319 if (err < 0)
5320 return err;
5321
5322 if (nla[NFTA_SET_ELEM_KEY] == NULL)
5323 return -EINVAL;
5324
5325 nft_set_ext_prepare(&tmpl);
5326
5327 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5328 if (err < 0)
5329 return err;
5330 if (flags != 0)
5331 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5332
5333 if (set->flags & NFT_SET_MAP) {
5334 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
5335 !(flags & NFT_SET_ELEM_INTERVAL_END))
5336 return -EINVAL;
5337 } else {
5338 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5339 return -EINVAL;
5340 }
5341
5342 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
5343 (nla[NFTA_SET_ELEM_DATA] ||
5344 nla[NFTA_SET_ELEM_OBJREF] ||
5345 nla[NFTA_SET_ELEM_TIMEOUT] ||
5346 nla[NFTA_SET_ELEM_EXPIRATION] ||
5347 nla[NFTA_SET_ELEM_USERDATA] ||
5348 nla[NFTA_SET_ELEM_EXPR] ||
5349 nla[NFTA_SET_ELEM_EXPRESSIONS]))
5350 return -EINVAL;
5351
5352 timeout = 0;
5353 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
5354 if (!(set->flags & NFT_SET_TIMEOUT))
5355 return -EINVAL;
5356 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
5357 &timeout);
5358 if (err)
5359 return err;
5360 } else if (set->flags & NFT_SET_TIMEOUT) {
5361 timeout = set->timeout;
5362 }
5363
5364 expiration = 0;
5365 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
5366 if (!(set->flags & NFT_SET_TIMEOUT))
5367 return -EINVAL;
5368 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
5369 &expiration);
5370 if (err)
5371 return err;
5372 }
5373
5374 if (nla[NFTA_SET_ELEM_EXPR]) {
5375 struct nft_expr *expr;
5376
5377 if (set->num_exprs && set->num_exprs != 1)
5378 return -EOPNOTSUPP;
5379
5380 expr = nft_set_elem_expr_alloc(ctx, set,
5381 nla[NFTA_SET_ELEM_EXPR]);
5382 if (IS_ERR(expr))
5383 return PTR_ERR(expr);
5384
5385 expr_array[0] = expr;
5386 num_exprs = 1;
5387
5388 if (set->num_exprs && set->exprs[0]->ops != expr->ops) {
5389 err = -EOPNOTSUPP;
5390 goto err_set_elem_expr;
5391 }
5392 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) {
5393 struct nft_expr *expr;
5394 struct nlattr *tmp;
5395 int left;
5396
5397 i = 0;
5398 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) {
5399 if (i == NFT_SET_EXPR_MAX ||
5400 (set->num_exprs && set->num_exprs == i)) {
5401 err = -E2BIG;
5402 goto err_set_elem_expr;
5403 }
5404 if (nla_type(tmp) != NFTA_LIST_ELEM) {
5405 err = -EINVAL;
5406 goto err_set_elem_expr;
5407 }
5408 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
5409 if (IS_ERR(expr)) {
5410 err = PTR_ERR(expr);
5411 goto err_set_elem_expr;
5412 }
5413 expr_array[i] = expr;
5414 num_exprs++;
5415
5416 if (set->num_exprs && expr->ops != set->exprs[i]->ops) {
5417 err = -EOPNOTSUPP;
5418 goto err_set_elem_expr;
5419 }
5420 i++;
5421 }
5422 if (set->num_exprs && set->num_exprs != i) {
5423 err = -EOPNOTSUPP;
5424 goto err_set_elem_expr;
5425 }
5426 } else if (set->num_exprs > 0) {
5427 err = nft_set_elem_expr_clone(ctx, set, expr_array);
5428 if (err < 0)
5429 goto err_set_elem_expr_clone;
5430
5431 num_exprs = set->num_exprs;
5432 }
5433
5434 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5435 nla[NFTA_SET_ELEM_KEY]);
5436 if (err < 0)
5437 goto err_set_elem_expr;
5438
5439 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5440
5441 if (nla[NFTA_SET_ELEM_KEY_END]) {
5442 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5443 nla[NFTA_SET_ELEM_KEY_END]);
5444 if (err < 0)
5445 goto err_parse_key;
5446
5447 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5448 }
5449
5450 if (timeout > 0) {
5451 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
5452 if (timeout != set->timeout)
5453 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
5454 }
5455
5456 if (num_exprs) {
5457 for (i = 0; i < num_exprs; i++)
5458 size += expr_array[i]->ops->size;
5459
5460 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS,
5461 sizeof(struct nft_set_elem_expr) +
5462 size);
5463 }
5464
5465 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
5466 if (!(set->flags & NFT_SET_OBJECT)) {
5467 err = -EINVAL;
5468 goto err_parse_key_end;
5469 }
5470 obj = nft_obj_lookup(ctx->net, ctx->table,
5471 nla[NFTA_SET_ELEM_OBJREF],
5472 set->objtype, genmask);
5473 if (IS_ERR(obj)) {
5474 err = PTR_ERR(obj);
5475 goto err_parse_key_end;
5476 }
5477 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
5478 }
5479
5480 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
5481 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
5482 nla[NFTA_SET_ELEM_DATA]);
5483 if (err < 0)
5484 goto err_parse_key_end;
5485
5486 dreg = nft_type_to_reg(set->dtype);
5487 list_for_each_entry(binding, &set->bindings, list) {
5488 struct nft_ctx bind_ctx = {
5489 .net = ctx->net,
5490 .family = ctx->family,
5491 .table = ctx->table,
5492 .chain = (struct nft_chain *)binding->chain,
5493 };
5494
5495 if (!(binding->flags & NFT_SET_MAP))
5496 continue;
5497
5498 err = nft_validate_register_store(&bind_ctx, dreg,
5499 &elem.data.val,
5500 desc.type, desc.len);
5501 if (err < 0)
5502 goto err_parse_data;
5503
5504 if (desc.type == NFT_DATA_VERDICT &&
5505 (elem.data.val.verdict.code == NFT_GOTO ||
5506 elem.data.val.verdict.code == NFT_JUMP))
5507 nft_validate_state_update(ctx->net,
5508 NFT_VALIDATE_NEED);
5509 }
5510
5511 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
5512 }
5513
5514 /* The full maximum length of userdata can exceed the maximum
5515 * offset value (U8_MAX) for following extensions, therefor it
5516 * must be the last extension added.
5517 */
5518 ulen = 0;
5519 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
5520 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
5521 if (ulen > 0)
5522 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
5523 ulen);
5524 }
5525
5526 err = -ENOMEM;
5527 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5528 elem.key_end.val.data, elem.data.val.data,
5529 timeout, expiration, GFP_KERNEL);
5530 if (elem.priv == NULL)
5531 goto err_parse_data;
5532
5533 ext = nft_set_elem_ext(set, elem.priv);
5534 if (flags)
5535 *nft_set_ext_flags(ext) = flags;
5536 if (ulen > 0) {
5537 udata = nft_set_ext_userdata(ext);
5538 udata->len = ulen - 1;
5539 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
5540 }
5541 if (obj) {
5542 *nft_set_ext_obj(ext) = obj;
5543 obj->use++;
5544 }
5545 for (i = 0; i < num_exprs; i++)
5546 nft_set_elem_expr_setup(ext, i, expr_array);
5547
5548 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
5549 if (trans == NULL)
5550 goto err_trans;
5551
5552 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
5553 err = set->ops->insert(ctx->net, set, &elem, &ext2);
5554 if (err) {
5555 if (err == -EEXIST) {
5556 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
5557 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
5558 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
5559 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
5560 goto err_element_clash;
5561 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5562 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
5563 memcmp(nft_set_ext_data(ext),
5564 nft_set_ext_data(ext2), set->dlen) != 0) ||
5565 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5566 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
5567 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
5568 goto err_element_clash;
5569 else if (!(nlmsg_flags & NLM_F_EXCL))
5570 err = 0;
5571 } else if (err == -ENOTEMPTY) {
5572 /* ENOTEMPTY reports overlapping between this element
5573 * and an existing one.
5574 */
5575 err = -EEXIST;
5576 }
5577 goto err_element_clash;
5578 }
5579
5580 if (set->size &&
5581 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
5582 err = -ENFILE;
5583 goto err_set_full;
5584 }
5585
5586 nft_trans_elem(trans) = elem;
5587 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5588 return 0;
5589
5590 err_set_full:
5591 set->ops->remove(ctx->net, set, &elem);
5592 err_element_clash:
5593 kfree(trans);
5594 err_trans:
5595 if (obj)
5596 obj->use--;
5597
5598 nf_tables_set_elem_destroy(ctx, set, elem.priv);
5599 err_parse_data:
5600 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5601 nft_data_release(&elem.data.val, desc.type);
5602 err_parse_key_end:
5603 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
5604 err_parse_key:
5605 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5606 err_set_elem_expr:
5607 for (i = 0; i < num_exprs && expr_array[i]; i++)
5608 nft_expr_destroy(ctx, expr_array[i]);
5609 err_set_elem_expr_clone:
5610 return err;
5611 }
5612
5613 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
5614 struct sk_buff *skb, const struct nlmsghdr *nlh,
5615 const struct nlattr * const nla[],
5616 struct netlink_ext_ack *extack)
5617 {
5618 u8 genmask = nft_genmask_next(net);
5619 const struct nlattr *attr;
5620 struct nft_set *set;
5621 struct nft_ctx ctx;
5622 int rem, err;
5623
5624 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
5625 return -EINVAL;
5626
5627 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5628 genmask, NETLINK_CB(skb).portid);
5629 if (err < 0)
5630 return err;
5631
5632 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
5633 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
5634 if (IS_ERR(set))
5635 return PTR_ERR(set);
5636
5637 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5638 return -EBUSY;
5639
5640 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5641 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
5642 if (err < 0)
5643 return err;
5644 }
5645
5646 if (net->nft.validate_state == NFT_VALIDATE_DO)
5647 return nft_table_validate(net, ctx.table);
5648
5649 return 0;
5650 }
5651
5652 /**
5653 * nft_data_hold - hold a nft_data item
5654 *
5655 * @data: struct nft_data to release
5656 * @type: type of data
5657 *
5658 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
5659 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
5660 * NFT_GOTO verdicts. This function must be called on active data objects
5661 * from the second phase of the commit protocol.
5662 */
5663 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
5664 {
5665 struct nft_chain *chain;
5666 struct nft_rule *rule;
5667
5668 if (type == NFT_DATA_VERDICT) {
5669 switch (data->verdict.code) {
5670 case NFT_JUMP:
5671 case NFT_GOTO:
5672 chain = data->verdict.chain;
5673 chain->use++;
5674
5675 if (!nft_chain_is_bound(chain))
5676 break;
5677
5678 chain->table->use++;
5679 list_for_each_entry(rule, &chain->rules, list)
5680 chain->use++;
5681
5682 nft_chain_add(chain->table, chain);
5683 break;
5684 }
5685 }
5686 }
5687
5688 static void nft_set_elem_activate(const struct net *net,
5689 const struct nft_set *set,
5690 struct nft_set_elem *elem)
5691 {
5692 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5693
5694 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5695 nft_data_hold(nft_set_ext_data(ext), set->dtype);
5696 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5697 (*nft_set_ext_obj(ext))->use++;
5698 }
5699
5700 static void nft_set_elem_deactivate(const struct net *net,
5701 const struct nft_set *set,
5702 struct nft_set_elem *elem)
5703 {
5704 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5705
5706 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5707 nft_data_release(nft_set_ext_data(ext), set->dtype);
5708 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5709 (*nft_set_ext_obj(ext))->use--;
5710 }
5711
5712 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
5713 const struct nlattr *attr)
5714 {
5715 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5716 struct nft_set_ext_tmpl tmpl;
5717 struct nft_set_elem elem;
5718 struct nft_set_ext *ext;
5719 struct nft_trans *trans;
5720 u32 flags = 0;
5721 void *priv;
5722 int err;
5723
5724 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5725 nft_set_elem_policy, NULL);
5726 if (err < 0)
5727 return err;
5728
5729 if (nla[NFTA_SET_ELEM_KEY] == NULL)
5730 return -EINVAL;
5731
5732 nft_set_ext_prepare(&tmpl);
5733
5734 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5735 if (err < 0)
5736 return err;
5737 if (flags != 0)
5738 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5739
5740 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5741 nla[NFTA_SET_ELEM_KEY]);
5742 if (err < 0)
5743 return err;
5744
5745 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5746
5747 if (nla[NFTA_SET_ELEM_KEY_END]) {
5748 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5749 nla[NFTA_SET_ELEM_KEY_END]);
5750 if (err < 0)
5751 return err;
5752
5753 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5754 }
5755
5756 err = -ENOMEM;
5757 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5758 elem.key_end.val.data, NULL, 0, 0,
5759 GFP_KERNEL);
5760 if (elem.priv == NULL)
5761 goto fail_elem;
5762
5763 ext = nft_set_elem_ext(set, elem.priv);
5764 if (flags)
5765 *nft_set_ext_flags(ext) = flags;
5766
5767 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
5768 if (trans == NULL)
5769 goto fail_trans;
5770
5771 priv = set->ops->deactivate(ctx->net, set, &elem);
5772 if (priv == NULL) {
5773 err = -ENOENT;
5774 goto fail_ops;
5775 }
5776 kfree(elem.priv);
5777 elem.priv = priv;
5778
5779 nft_set_elem_deactivate(ctx->net, set, &elem);
5780
5781 nft_trans_elem(trans) = elem;
5782 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5783 return 0;
5784
5785 fail_ops:
5786 kfree(trans);
5787 fail_trans:
5788 kfree(elem.priv);
5789 fail_elem:
5790 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5791 return err;
5792 }
5793
5794 static int nft_flush_set(const struct nft_ctx *ctx,
5795 struct nft_set *set,
5796 const struct nft_set_iter *iter,
5797 struct nft_set_elem *elem)
5798 {
5799 struct nft_trans *trans;
5800 int err;
5801
5802 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
5803 sizeof(struct nft_trans_elem), GFP_ATOMIC);
5804 if (!trans)
5805 return -ENOMEM;
5806
5807 if (!set->ops->flush(ctx->net, set, elem->priv)) {
5808 err = -ENOENT;
5809 goto err1;
5810 }
5811 set->ndeact++;
5812
5813 nft_set_elem_deactivate(ctx->net, set, elem);
5814 nft_trans_elem_set(trans) = set;
5815 nft_trans_elem(trans) = *elem;
5816 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5817
5818 return 0;
5819 err1:
5820 kfree(trans);
5821 return err;
5822 }
5823
5824 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
5825 struct sk_buff *skb, const struct nlmsghdr *nlh,
5826 const struct nlattr * const nla[],
5827 struct netlink_ext_ack *extack)
5828 {
5829 u8 genmask = nft_genmask_next(net);
5830 const struct nlattr *attr;
5831 struct nft_set *set;
5832 struct nft_ctx ctx;
5833 int rem, err = 0;
5834
5835 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5836 genmask, NETLINK_CB(skb).portid);
5837 if (err < 0)
5838 return err;
5839
5840 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5841 if (IS_ERR(set))
5842 return PTR_ERR(set);
5843 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5844 return -EBUSY;
5845
5846 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
5847 struct nft_set_iter iter = {
5848 .genmask = genmask,
5849 .fn = nft_flush_set,
5850 };
5851 set->ops->walk(&ctx, set, &iter);
5852
5853 return iter.err;
5854 }
5855
5856 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5857 err = nft_del_setelem(&ctx, set, attr);
5858 if (err < 0)
5859 break;
5860
5861 set->ndeact++;
5862 }
5863 return err;
5864 }
5865
5866 void nft_set_gc_batch_release(struct rcu_head *rcu)
5867 {
5868 struct nft_set_gc_batch *gcb;
5869 unsigned int i;
5870
5871 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
5872 for (i = 0; i < gcb->head.cnt; i++)
5873 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
5874 kfree(gcb);
5875 }
5876
5877 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
5878 gfp_t gfp)
5879 {
5880 struct nft_set_gc_batch *gcb;
5881
5882 gcb = kzalloc(sizeof(*gcb), gfp);
5883 if (gcb == NULL)
5884 return gcb;
5885 gcb->head.set = set;
5886 return gcb;
5887 }
5888
5889 /*
5890 * Stateful objects
5891 */
5892
5893 /**
5894 * nft_register_obj- register nf_tables stateful object type
5895 * @obj_type: object type
5896 *
5897 * Registers the object type for use with nf_tables. Returns zero on
5898 * success or a negative errno code otherwise.
5899 */
5900 int nft_register_obj(struct nft_object_type *obj_type)
5901 {
5902 if (obj_type->type == NFT_OBJECT_UNSPEC)
5903 return -EINVAL;
5904
5905 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5906 list_add_rcu(&obj_type->list, &nf_tables_objects);
5907 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5908 return 0;
5909 }
5910 EXPORT_SYMBOL_GPL(nft_register_obj);
5911
5912 /**
5913 * nft_unregister_obj - unregister nf_tables object type
5914 * @obj_type: object type
5915 *
5916 * Unregisters the object type for use with nf_tables.
5917 */
5918 void nft_unregister_obj(struct nft_object_type *obj_type)
5919 {
5920 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5921 list_del_rcu(&obj_type->list);
5922 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5923 }
5924 EXPORT_SYMBOL_GPL(nft_unregister_obj);
5925
5926 struct nft_object *nft_obj_lookup(const struct net *net,
5927 const struct nft_table *table,
5928 const struct nlattr *nla, u32 objtype,
5929 u8 genmask)
5930 {
5931 struct nft_object_hash_key k = { .table = table };
5932 char search[NFT_OBJ_MAXNAMELEN];
5933 struct rhlist_head *tmp, *list;
5934 struct nft_object *obj;
5935
5936 nla_strscpy(search, nla, sizeof(search));
5937 k.name = search;
5938
5939 WARN_ON_ONCE(!rcu_read_lock_held() &&
5940 !lockdep_commit_lock_is_held(net));
5941
5942 rcu_read_lock();
5943 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
5944 if (!list)
5945 goto out;
5946
5947 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
5948 if (objtype == obj->ops->type->type &&
5949 nft_active_genmask(obj, genmask)) {
5950 rcu_read_unlock();
5951 return obj;
5952 }
5953 }
5954 out:
5955 rcu_read_unlock();
5956 return ERR_PTR(-ENOENT);
5957 }
5958 EXPORT_SYMBOL_GPL(nft_obj_lookup);
5959
5960 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
5961 const struct nlattr *nla,
5962 u32 objtype, u8 genmask)
5963 {
5964 struct nft_object *obj;
5965
5966 list_for_each_entry(obj, &table->objects, list) {
5967 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
5968 objtype == obj->ops->type->type &&
5969 nft_active_genmask(obj, genmask))
5970 return obj;
5971 }
5972 return ERR_PTR(-ENOENT);
5973 }
5974
5975 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
5976 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
5977 .len = NFT_TABLE_MAXNAMELEN - 1 },
5978 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
5979 .len = NFT_OBJ_MAXNAMELEN - 1 },
5980 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
5981 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
5982 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
5983 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY,
5984 .len = NFT_USERDATA_MAXLEN },
5985 };
5986
5987 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
5988 const struct nft_object_type *type,
5989 const struct nlattr *attr)
5990 {
5991 struct nlattr **tb;
5992 const struct nft_object_ops *ops;
5993 struct nft_object *obj;
5994 int err = -ENOMEM;
5995
5996 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
5997 if (!tb)
5998 goto err1;
5999
6000 if (attr) {
6001 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
6002 type->policy, NULL);
6003 if (err < 0)
6004 goto err2;
6005 } else {
6006 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
6007 }
6008
6009 if (type->select_ops) {
6010 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
6011 if (IS_ERR(ops)) {
6012 err = PTR_ERR(ops);
6013 goto err2;
6014 }
6015 } else {
6016 ops = type->ops;
6017 }
6018
6019 err = -ENOMEM;
6020 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
6021 if (!obj)
6022 goto err2;
6023
6024 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
6025 if (err < 0)
6026 goto err3;
6027
6028 obj->ops = ops;
6029
6030 kfree(tb);
6031 return obj;
6032 err3:
6033 kfree(obj);
6034 err2:
6035 kfree(tb);
6036 err1:
6037 return ERR_PTR(err);
6038 }
6039
6040 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
6041 struct nft_object *obj, bool reset)
6042 {
6043 struct nlattr *nest;
6044
6045 nest = nla_nest_start_noflag(skb, attr);
6046 if (!nest)
6047 goto nla_put_failure;
6048 if (obj->ops->dump(skb, obj, reset) < 0)
6049 goto nla_put_failure;
6050 nla_nest_end(skb, nest);
6051 return 0;
6052
6053 nla_put_failure:
6054 return -1;
6055 }
6056
6057 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
6058 {
6059 const struct nft_object_type *type;
6060
6061 list_for_each_entry(type, &nf_tables_objects, list) {
6062 if (objtype == type->type)
6063 return type;
6064 }
6065 return NULL;
6066 }
6067
6068 static const struct nft_object_type *
6069 nft_obj_type_get(struct net *net, u32 objtype)
6070 {
6071 const struct nft_object_type *type;
6072
6073 type = __nft_obj_type_get(objtype);
6074 if (type != NULL && try_module_get(type->owner))
6075 return type;
6076
6077 lockdep_nfnl_nft_mutex_not_held();
6078 #ifdef CONFIG_MODULES
6079 if (type == NULL) {
6080 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
6081 return ERR_PTR(-EAGAIN);
6082 }
6083 #endif
6084 return ERR_PTR(-ENOENT);
6085 }
6086
6087 static int nf_tables_updobj(const struct nft_ctx *ctx,
6088 const struct nft_object_type *type,
6089 const struct nlattr *attr,
6090 struct nft_object *obj)
6091 {
6092 struct nft_object *newobj;
6093 struct nft_trans *trans;
6094 int err;
6095
6096 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
6097 sizeof(struct nft_trans_obj));
6098 if (!trans)
6099 return -ENOMEM;
6100
6101 newobj = nft_obj_init(ctx, type, attr);
6102 if (IS_ERR(newobj)) {
6103 err = PTR_ERR(newobj);
6104 goto err_free_trans;
6105 }
6106
6107 nft_trans_obj(trans) = obj;
6108 nft_trans_obj_update(trans) = true;
6109 nft_trans_obj_newobj(trans) = newobj;
6110 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
6111
6112 return 0;
6113
6114 err_free_trans:
6115 kfree(trans);
6116 return err;
6117 }
6118
6119 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
6120 struct sk_buff *skb, const struct nlmsghdr *nlh,
6121 const struct nlattr * const nla[],
6122 struct netlink_ext_ack *extack)
6123 {
6124 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6125 const struct nft_object_type *type;
6126 u8 genmask = nft_genmask_next(net);
6127 int family = nfmsg->nfgen_family;
6128 struct nft_table *table;
6129 struct nft_object *obj;
6130 struct nft_ctx ctx;
6131 u32 objtype;
6132 int err;
6133
6134 if (!nla[NFTA_OBJ_TYPE] ||
6135 !nla[NFTA_OBJ_NAME] ||
6136 !nla[NFTA_OBJ_DATA])
6137 return -EINVAL;
6138
6139 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
6140 NETLINK_CB(skb).portid);
6141 if (IS_ERR(table)) {
6142 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6143 return PTR_ERR(table);
6144 }
6145
6146 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6147 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
6148 if (IS_ERR(obj)) {
6149 err = PTR_ERR(obj);
6150 if (err != -ENOENT) {
6151 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6152 return err;
6153 }
6154 } else {
6155 if (nlh->nlmsg_flags & NLM_F_EXCL) {
6156 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6157 return -EEXIST;
6158 }
6159 if (nlh->nlmsg_flags & NLM_F_REPLACE)
6160 return -EOPNOTSUPP;
6161
6162 type = __nft_obj_type_get(objtype);
6163 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6164
6165 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
6166 }
6167
6168 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6169
6170 type = nft_obj_type_get(net, objtype);
6171 if (IS_ERR(type))
6172 return PTR_ERR(type);
6173
6174 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
6175 if (IS_ERR(obj)) {
6176 err = PTR_ERR(obj);
6177 goto err_init;
6178 }
6179 obj->key.table = table;
6180 obj->handle = nf_tables_alloc_handle(table);
6181
6182 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
6183 if (!obj->key.name) {
6184 err = -ENOMEM;
6185 goto err_strdup;
6186 }
6187
6188 if (nla[NFTA_OBJ_USERDATA]) {
6189 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL);
6190 if (obj->udata == NULL)
6191 goto err_userdata;
6192
6193 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
6194 }
6195
6196 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
6197 if (err < 0)
6198 goto err_trans;
6199
6200 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
6201 nft_objname_ht_params);
6202 if (err < 0)
6203 goto err_obj_ht;
6204
6205 list_add_tail_rcu(&obj->list, &table->objects);
6206 table->use++;
6207 return 0;
6208 err_obj_ht:
6209 /* queued in transaction log */
6210 INIT_LIST_HEAD(&obj->list);
6211 return err;
6212 err_trans:
6213 kfree(obj->key.name);
6214 err_userdata:
6215 kfree(obj->udata);
6216 err_strdup:
6217 if (obj->ops->destroy)
6218 obj->ops->destroy(&ctx, obj);
6219 kfree(obj);
6220 err_init:
6221 module_put(type->owner);
6222 return err;
6223 }
6224
6225 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
6226 u32 portid, u32 seq, int event, u32 flags,
6227 int family, const struct nft_table *table,
6228 struct nft_object *obj, bool reset)
6229 {
6230 struct nfgenmsg *nfmsg;
6231 struct nlmsghdr *nlh;
6232
6233 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6234 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
6235 if (nlh == NULL)
6236 goto nla_put_failure;
6237
6238 nfmsg = nlmsg_data(nlh);
6239 nfmsg->nfgen_family = family;
6240 nfmsg->version = NFNETLINK_V0;
6241 nfmsg->res_id = nft_base_seq(net);
6242
6243 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
6244 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
6245 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
6246 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
6247 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
6248 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
6249 NFTA_OBJ_PAD))
6250 goto nla_put_failure;
6251
6252 if (obj->udata &&
6253 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
6254 goto nla_put_failure;
6255
6256 nlmsg_end(skb, nlh);
6257 return 0;
6258
6259 nla_put_failure:
6260 nlmsg_trim(skb, nlh);
6261 return -1;
6262 }
6263
6264 struct nft_obj_filter {
6265 char *table;
6266 u32 type;
6267 };
6268
6269 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
6270 {
6271 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6272 const struct nft_table *table;
6273 unsigned int idx = 0, s_idx = cb->args[0];
6274 struct nft_obj_filter *filter = cb->data;
6275 struct net *net = sock_net(skb->sk);
6276 int family = nfmsg->nfgen_family;
6277 struct nft_object *obj;
6278 bool reset = false;
6279
6280 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
6281 reset = true;
6282
6283 rcu_read_lock();
6284 cb->seq = net->nft.base_seq;
6285
6286 list_for_each_entry_rcu(table, &net->nft.tables, list) {
6287 if (family != NFPROTO_UNSPEC && family != table->family)
6288 continue;
6289
6290 list_for_each_entry_rcu(obj, &table->objects, list) {
6291 if (!nft_is_active(net, obj))
6292 goto cont;
6293 if (idx < s_idx)
6294 goto cont;
6295 if (idx > s_idx)
6296 memset(&cb->args[1], 0,
6297 sizeof(cb->args) - sizeof(cb->args[0]));
6298 if (filter && filter->table &&
6299 strcmp(filter->table, table->name))
6300 goto cont;
6301 if (filter &&
6302 filter->type != NFT_OBJECT_UNSPEC &&
6303 obj->ops->type->type != filter->type)
6304 goto cont;
6305 if (reset) {
6306 char *buf = kasprintf(GFP_ATOMIC,
6307 "%s:%u",
6308 table->name,
6309 net->nft.base_seq);
6310
6311 audit_log_nfcfg(buf,
6312 family,
6313 obj->handle,
6314 AUDIT_NFT_OP_OBJ_RESET,
6315 GFP_ATOMIC);
6316 kfree(buf);
6317 }
6318
6319 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
6320 cb->nlh->nlmsg_seq,
6321 NFT_MSG_NEWOBJ,
6322 NLM_F_MULTI | NLM_F_APPEND,
6323 table->family, table,
6324 obj, reset) < 0)
6325 goto done;
6326
6327 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6328 cont:
6329 idx++;
6330 }
6331 }
6332 done:
6333 rcu_read_unlock();
6334
6335 cb->args[0] = idx;
6336 return skb->len;
6337 }
6338
6339 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
6340 {
6341 const struct nlattr * const *nla = cb->data;
6342 struct nft_obj_filter *filter = NULL;
6343
6344 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
6345 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6346 if (!filter)
6347 return -ENOMEM;
6348
6349 if (nla[NFTA_OBJ_TABLE]) {
6350 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
6351 if (!filter->table) {
6352 kfree(filter);
6353 return -ENOMEM;
6354 }
6355 }
6356
6357 if (nla[NFTA_OBJ_TYPE])
6358 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6359 }
6360
6361 cb->data = filter;
6362 return 0;
6363 }
6364
6365 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
6366 {
6367 struct nft_obj_filter *filter = cb->data;
6368
6369 if (filter) {
6370 kfree(filter->table);
6371 kfree(filter);
6372 }
6373
6374 return 0;
6375 }
6376
6377 /* called with rcu_read_lock held */
6378 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
6379 struct sk_buff *skb, const struct nlmsghdr *nlh,
6380 const struct nlattr * const nla[],
6381 struct netlink_ext_ack *extack)
6382 {
6383 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6384 u8 genmask = nft_genmask_cur(net);
6385 int family = nfmsg->nfgen_family;
6386 const struct nft_table *table;
6387 struct nft_object *obj;
6388 struct sk_buff *skb2;
6389 bool reset = false;
6390 u32 objtype;
6391 int err;
6392
6393 if (nlh->nlmsg_flags & NLM_F_DUMP) {
6394 struct netlink_dump_control c = {
6395 .start = nf_tables_dump_obj_start,
6396 .dump = nf_tables_dump_obj,
6397 .done = nf_tables_dump_obj_done,
6398 .module = THIS_MODULE,
6399 .data = (void *)nla,
6400 };
6401
6402 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
6403 }
6404
6405 if (!nla[NFTA_OBJ_NAME] ||
6406 !nla[NFTA_OBJ_TYPE])
6407 return -EINVAL;
6408
6409 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0);
6410 if (IS_ERR(table)) {
6411 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6412 return PTR_ERR(table);
6413 }
6414
6415 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6416 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
6417 if (IS_ERR(obj)) {
6418 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6419 return PTR_ERR(obj);
6420 }
6421
6422 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6423 if (!skb2)
6424 return -ENOMEM;
6425
6426 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
6427 reset = true;
6428
6429 if (reset) {
6430 char *buf = kasprintf(GFP_ATOMIC, "%s:%u",
6431 table->name, net->nft.base_seq);
6432
6433 audit_log_nfcfg(buf,
6434 family,
6435 obj->handle,
6436 AUDIT_NFT_OP_OBJ_RESET,
6437 GFP_ATOMIC);
6438 kfree(buf);
6439 }
6440
6441 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
6442 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
6443 family, table, obj, reset);
6444 if (err < 0)
6445 goto err_fill_obj_info;
6446
6447 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
6448
6449 err_fill_obj_info:
6450 kfree_skb(skb2);
6451 return err;
6452 }
6453
6454 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
6455 {
6456 if (obj->ops->destroy)
6457 obj->ops->destroy(ctx, obj);
6458
6459 module_put(obj->ops->type->owner);
6460 kfree(obj->key.name);
6461 kfree(obj->udata);
6462 kfree(obj);
6463 }
6464
6465 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
6466 struct sk_buff *skb, const struct nlmsghdr *nlh,
6467 const struct nlattr * const nla[],
6468 struct netlink_ext_ack *extack)
6469 {
6470 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6471 u8 genmask = nft_genmask_next(net);
6472 int family = nfmsg->nfgen_family;
6473 const struct nlattr *attr;
6474 struct nft_table *table;
6475 struct nft_object *obj;
6476 struct nft_ctx ctx;
6477 u32 objtype;
6478
6479 if (!nla[NFTA_OBJ_TYPE] ||
6480 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
6481 return -EINVAL;
6482
6483 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
6484 NETLINK_CB(skb).portid);
6485 if (IS_ERR(table)) {
6486 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6487 return PTR_ERR(table);
6488 }
6489
6490 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6491 if (nla[NFTA_OBJ_HANDLE]) {
6492 attr = nla[NFTA_OBJ_HANDLE];
6493 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
6494 } else {
6495 attr = nla[NFTA_OBJ_NAME];
6496 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
6497 }
6498
6499 if (IS_ERR(obj)) {
6500 NL_SET_BAD_ATTR(extack, attr);
6501 return PTR_ERR(obj);
6502 }
6503 if (obj->use > 0) {
6504 NL_SET_BAD_ATTR(extack, attr);
6505 return -EBUSY;
6506 }
6507
6508 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6509
6510 return nft_delobj(&ctx, obj);
6511 }
6512
6513 void nft_obj_notify(struct net *net, const struct nft_table *table,
6514 struct nft_object *obj, u32 portid, u32 seq, int event,
6515 int family, int report, gfp_t gfp)
6516 {
6517 struct sk_buff *skb;
6518 int err;
6519 char *buf = kasprintf(gfp, "%s:%u",
6520 table->name, net->nft.base_seq);
6521
6522 audit_log_nfcfg(buf,
6523 family,
6524 obj->handle,
6525 event == NFT_MSG_NEWOBJ ?
6526 AUDIT_NFT_OP_OBJ_REGISTER :
6527 AUDIT_NFT_OP_OBJ_UNREGISTER,
6528 gfp);
6529 kfree(buf);
6530
6531 if (!report &&
6532 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6533 return;
6534
6535 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
6536 if (skb == NULL)
6537 goto err;
6538
6539 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
6540 table, obj, false);
6541 if (err < 0) {
6542 kfree_skb(skb);
6543 goto err;
6544 }
6545
6546 nft_notify_enqueue(skb, report, &net->nft.notify_list);
6547 return;
6548 err:
6549 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
6550 }
6551 EXPORT_SYMBOL_GPL(nft_obj_notify);
6552
6553 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
6554 struct nft_object *obj, int event)
6555 {
6556 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
6557 ctx->family, ctx->report, GFP_KERNEL);
6558 }
6559
6560 /*
6561 * Flow tables
6562 */
6563 void nft_register_flowtable_type(struct nf_flowtable_type *type)
6564 {
6565 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6566 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
6567 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6568 }
6569 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
6570
6571 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
6572 {
6573 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6574 list_del_rcu(&type->list);
6575 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6576 }
6577 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
6578
6579 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
6580 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
6581 .len = NFT_NAME_MAXLEN - 1 },
6582 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
6583 .len = NFT_NAME_MAXLEN - 1 },
6584 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
6585 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
6586 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
6587 };
6588
6589 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
6590 const struct nlattr *nla, u8 genmask)
6591 {
6592 struct nft_flowtable *flowtable;
6593
6594 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6595 if (!nla_strcmp(nla, flowtable->name) &&
6596 nft_active_genmask(flowtable, genmask))
6597 return flowtable;
6598 }
6599 return ERR_PTR(-ENOENT);
6600 }
6601 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
6602
6603 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
6604 struct nft_flowtable *flowtable,
6605 enum nft_trans_phase phase)
6606 {
6607 switch (phase) {
6608 case NFT_TRANS_PREPARE:
6609 case NFT_TRANS_ABORT:
6610 case NFT_TRANS_RELEASE:
6611 flowtable->use--;
6612 fallthrough;
6613 default:
6614 return;
6615 }
6616 }
6617 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
6618
6619 static struct nft_flowtable *
6620 nft_flowtable_lookup_byhandle(const struct nft_table *table,
6621 const struct nlattr *nla, u8 genmask)
6622 {
6623 struct nft_flowtable *flowtable;
6624
6625 list_for_each_entry(flowtable, &table->flowtables, list) {
6626 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
6627 nft_active_genmask(flowtable, genmask))
6628 return flowtable;
6629 }
6630 return ERR_PTR(-ENOENT);
6631 }
6632
6633 struct nft_flowtable_hook {
6634 u32 num;
6635 int priority;
6636 struct list_head list;
6637 };
6638
6639 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
6640 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
6641 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
6642 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
6643 };
6644
6645 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
6646 const struct nlattr *attr,
6647 struct nft_flowtable_hook *flowtable_hook,
6648 struct nft_flowtable *flowtable, bool add)
6649 {
6650 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
6651 struct nft_hook *hook;
6652 int hooknum, priority;
6653 int err;
6654
6655 INIT_LIST_HEAD(&flowtable_hook->list);
6656
6657 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
6658 nft_flowtable_hook_policy, NULL);
6659 if (err < 0)
6660 return err;
6661
6662 if (add) {
6663 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
6664 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY])
6665 return -EINVAL;
6666
6667 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
6668 if (hooknum != NF_NETDEV_INGRESS)
6669 return -EOPNOTSUPP;
6670
6671 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
6672
6673 flowtable_hook->priority = priority;
6674 flowtable_hook->num = hooknum;
6675 } else {
6676 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
6677 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
6678 if (hooknum != flowtable->hooknum)
6679 return -EOPNOTSUPP;
6680 }
6681
6682 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
6683 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
6684 if (priority != flowtable->data.priority)
6685 return -EOPNOTSUPP;
6686 }
6687
6688 flowtable_hook->priority = flowtable->data.priority;
6689 flowtable_hook->num = flowtable->hooknum;
6690 }
6691
6692 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
6693 err = nf_tables_parse_netdev_hooks(ctx->net,
6694 tb[NFTA_FLOWTABLE_HOOK_DEVS],
6695 &flowtable_hook->list);
6696 if (err < 0)
6697 return err;
6698 }
6699
6700 list_for_each_entry(hook, &flowtable_hook->list, list) {
6701 hook->ops.pf = NFPROTO_NETDEV;
6702 hook->ops.hooknum = flowtable_hook->num;
6703 hook->ops.priority = flowtable_hook->priority;
6704 hook->ops.priv = &flowtable->data;
6705 hook->ops.hook = flowtable->data.type->hook;
6706 }
6707
6708 return err;
6709 }
6710
6711 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
6712 {
6713 const struct nf_flowtable_type *type;
6714
6715 list_for_each_entry(type, &nf_tables_flowtables, list) {
6716 if (family == type->family)
6717 return type;
6718 }
6719 return NULL;
6720 }
6721
6722 static const struct nf_flowtable_type *
6723 nft_flowtable_type_get(struct net *net, u8 family)
6724 {
6725 const struct nf_flowtable_type *type;
6726
6727 type = __nft_flowtable_type_get(family);
6728 if (type != NULL && try_module_get(type->owner))
6729 return type;
6730
6731 lockdep_nfnl_nft_mutex_not_held();
6732 #ifdef CONFIG_MODULES
6733 if (type == NULL) {
6734 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
6735 return ERR_PTR(-EAGAIN);
6736 }
6737 #endif
6738 return ERR_PTR(-ENOENT);
6739 }
6740
6741 /* Only called from error and netdev event paths. */
6742 static void nft_unregister_flowtable_hook(struct net *net,
6743 struct nft_flowtable *flowtable,
6744 struct nft_hook *hook)
6745 {
6746 nf_unregister_net_hook(net, &hook->ops);
6747 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
6748 FLOW_BLOCK_UNBIND);
6749 }
6750
6751 static void nft_unregister_flowtable_net_hooks(struct net *net,
6752 struct list_head *hook_list)
6753 {
6754 struct nft_hook *hook;
6755
6756 list_for_each_entry(hook, hook_list, list)
6757 nf_unregister_net_hook(net, &hook->ops);
6758 }
6759
6760 static int nft_register_flowtable_net_hooks(struct net *net,
6761 struct nft_table *table,
6762 struct list_head *hook_list,
6763 struct nft_flowtable *flowtable)
6764 {
6765 struct nft_hook *hook, *hook2, *next;
6766 struct nft_flowtable *ft;
6767 int err, i = 0;
6768
6769 list_for_each_entry(hook, hook_list, list) {
6770 list_for_each_entry(ft, &table->flowtables, list) {
6771 if (!nft_is_active_next(net, ft))
6772 continue;
6773
6774 list_for_each_entry(hook2, &ft->hook_list, list) {
6775 if (hook->ops.dev == hook2->ops.dev &&
6776 hook->ops.pf == hook2->ops.pf) {
6777 err = -EEXIST;
6778 goto err_unregister_net_hooks;
6779 }
6780 }
6781 }
6782
6783 err = flowtable->data.type->setup(&flowtable->data,
6784 hook->ops.dev,
6785 FLOW_BLOCK_BIND);
6786 if (err < 0)
6787 goto err_unregister_net_hooks;
6788
6789 err = nf_register_net_hook(net, &hook->ops);
6790 if (err < 0) {
6791 flowtable->data.type->setup(&flowtable->data,
6792 hook->ops.dev,
6793 FLOW_BLOCK_UNBIND);
6794 goto err_unregister_net_hooks;
6795 }
6796
6797 i++;
6798 }
6799
6800 return 0;
6801
6802 err_unregister_net_hooks:
6803 list_for_each_entry_safe(hook, next, hook_list, list) {
6804 if (i-- <= 0)
6805 break;
6806
6807 nft_unregister_flowtable_hook(net, flowtable, hook);
6808 list_del_rcu(&hook->list);
6809 kfree_rcu(hook, rcu);
6810 }
6811
6812 return err;
6813 }
6814
6815 static void nft_flowtable_hooks_destroy(struct list_head *hook_list)
6816 {
6817 struct nft_hook *hook, *next;
6818
6819 list_for_each_entry_safe(hook, next, hook_list, list) {
6820 list_del_rcu(&hook->list);
6821 kfree_rcu(hook, rcu);
6822 }
6823 }
6824
6825 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
6826 struct nft_flowtable *flowtable)
6827 {
6828 const struct nlattr * const *nla = ctx->nla;
6829 struct nft_flowtable_hook flowtable_hook;
6830 struct nft_hook *hook, *next;
6831 struct nft_trans *trans;
6832 bool unregister = false;
6833 u32 flags;
6834 int err;
6835
6836 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
6837 &flowtable_hook, flowtable, false);
6838 if (err < 0)
6839 return err;
6840
6841 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
6842 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
6843 list_del(&hook->list);
6844 kfree(hook);
6845 }
6846 }
6847
6848 if (nla[NFTA_FLOWTABLE_FLAGS]) {
6849 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
6850 if (flags & ~NFT_FLOWTABLE_MASK)
6851 return -EOPNOTSUPP;
6852 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^
6853 (flags & NFT_FLOWTABLE_HW_OFFLOAD))
6854 return -EOPNOTSUPP;
6855 } else {
6856 flags = flowtable->data.flags;
6857 }
6858
6859 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
6860 &flowtable_hook.list, flowtable);
6861 if (err < 0)
6862 goto err_flowtable_update_hook;
6863
6864 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
6865 sizeof(struct nft_trans_flowtable));
6866 if (!trans) {
6867 unregister = true;
6868 err = -ENOMEM;
6869 goto err_flowtable_update_hook;
6870 }
6871
6872 nft_trans_flowtable_flags(trans) = flags;
6873 nft_trans_flowtable(trans) = flowtable;
6874 nft_trans_flowtable_update(trans) = true;
6875 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
6876 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
6877
6878 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
6879
6880 return 0;
6881
6882 err_flowtable_update_hook:
6883 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
6884 if (unregister)
6885 nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
6886 list_del_rcu(&hook->list);
6887 kfree_rcu(hook, rcu);
6888 }
6889
6890 return err;
6891
6892 }
6893
6894 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
6895 struct sk_buff *skb,
6896 const struct nlmsghdr *nlh,
6897 const struct nlattr * const nla[],
6898 struct netlink_ext_ack *extack)
6899 {
6900 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6901 struct nft_flowtable_hook flowtable_hook;
6902 const struct nf_flowtable_type *type;
6903 u8 genmask = nft_genmask_next(net);
6904 int family = nfmsg->nfgen_family;
6905 struct nft_flowtable *flowtable;
6906 struct nft_hook *hook, *next;
6907 struct nft_table *table;
6908 struct nft_ctx ctx;
6909 int err;
6910
6911 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6912 !nla[NFTA_FLOWTABLE_NAME] ||
6913 !nla[NFTA_FLOWTABLE_HOOK])
6914 return -EINVAL;
6915
6916 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6917 genmask, NETLINK_CB(skb).portid);
6918 if (IS_ERR(table)) {
6919 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6920 return PTR_ERR(table);
6921 }
6922
6923 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6924 genmask);
6925 if (IS_ERR(flowtable)) {
6926 err = PTR_ERR(flowtable);
6927 if (err != -ENOENT) {
6928 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6929 return err;
6930 }
6931 } else {
6932 if (nlh->nlmsg_flags & NLM_F_EXCL) {
6933 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6934 return -EEXIST;
6935 }
6936
6937 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6938
6939 return nft_flowtable_update(&ctx, nlh, flowtable);
6940 }
6941
6942 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6943
6944 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
6945 if (!flowtable)
6946 return -ENOMEM;
6947
6948 flowtable->table = table;
6949 flowtable->handle = nf_tables_alloc_handle(table);
6950 INIT_LIST_HEAD(&flowtable->hook_list);
6951
6952 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
6953 if (!flowtable->name) {
6954 err = -ENOMEM;
6955 goto err1;
6956 }
6957
6958 type = nft_flowtable_type_get(net, family);
6959 if (IS_ERR(type)) {
6960 err = PTR_ERR(type);
6961 goto err2;
6962 }
6963
6964 if (nla[NFTA_FLOWTABLE_FLAGS]) {
6965 flowtable->data.flags =
6966 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
6967 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) {
6968 err = -EOPNOTSUPP;
6969 goto err3;
6970 }
6971 }
6972
6973 write_pnet(&flowtable->data.net, net);
6974 flowtable->data.type = type;
6975 err = type->init(&flowtable->data);
6976 if (err < 0)
6977 goto err3;
6978
6979 err = nft_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
6980 &flowtable_hook, flowtable, true);
6981 if (err < 0)
6982 goto err4;
6983
6984 list_splice(&flowtable_hook.list, &flowtable->hook_list);
6985 flowtable->data.priority = flowtable_hook.priority;
6986 flowtable->hooknum = flowtable_hook.num;
6987
6988 err = nft_register_flowtable_net_hooks(ctx.net, table,
6989 &flowtable->hook_list,
6990 flowtable);
6991 if (err < 0) {
6992 nft_flowtable_hooks_destroy(&flowtable->hook_list);
6993 goto err4;
6994 }
6995
6996 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
6997 if (err < 0)
6998 goto err5;
6999
7000 list_add_tail_rcu(&flowtable->list, &table->flowtables);
7001 table->use++;
7002
7003 return 0;
7004 err5:
7005 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7006 nft_unregister_flowtable_hook(net, flowtable, hook);
7007 list_del_rcu(&hook->list);
7008 kfree_rcu(hook, rcu);
7009 }
7010 err4:
7011 flowtable->data.type->free(&flowtable->data);
7012 err3:
7013 module_put(type->owner);
7014 err2:
7015 kfree(flowtable->name);
7016 err1:
7017 kfree(flowtable);
7018 return err;
7019 }
7020
7021 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
7022 {
7023 struct nft_hook *this, *next;
7024
7025 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
7026 list_del(&this->list);
7027 kfree(this);
7028 }
7029 }
7030
7031 static int nft_delflowtable_hook(struct nft_ctx *ctx,
7032 struct nft_flowtable *flowtable)
7033 {
7034 const struct nlattr * const *nla = ctx->nla;
7035 struct nft_flowtable_hook flowtable_hook;
7036 struct nft_hook *this, *hook;
7037 struct nft_trans *trans;
7038 int err;
7039
7040 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
7041 &flowtable_hook, flowtable, false);
7042 if (err < 0)
7043 return err;
7044
7045 list_for_each_entry(this, &flowtable_hook.list, list) {
7046 hook = nft_hook_list_find(&flowtable->hook_list, this);
7047 if (!hook) {
7048 err = -ENOENT;
7049 goto err_flowtable_del_hook;
7050 }
7051 hook->inactive = true;
7052 }
7053
7054 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
7055 sizeof(struct nft_trans_flowtable));
7056 if (!trans) {
7057 err = -ENOMEM;
7058 goto err_flowtable_del_hook;
7059 }
7060
7061 nft_trans_flowtable(trans) = flowtable;
7062 nft_trans_flowtable_update(trans) = true;
7063 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
7064 nft_flowtable_hook_release(&flowtable_hook);
7065
7066 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
7067
7068 return 0;
7069
7070 err_flowtable_del_hook:
7071 list_for_each_entry(this, &flowtable_hook.list, list) {
7072 hook = nft_hook_list_find(&flowtable->hook_list, this);
7073 if (!hook)
7074 break;
7075
7076 hook->inactive = false;
7077 }
7078 nft_flowtable_hook_release(&flowtable_hook);
7079
7080 return err;
7081 }
7082
7083 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
7084 struct sk_buff *skb,
7085 const struct nlmsghdr *nlh,
7086 const struct nlattr * const nla[],
7087 struct netlink_ext_ack *extack)
7088 {
7089 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
7090 u8 genmask = nft_genmask_next(net);
7091 int family = nfmsg->nfgen_family;
7092 struct nft_flowtable *flowtable;
7093 const struct nlattr *attr;
7094 struct nft_table *table;
7095 struct nft_ctx ctx;
7096
7097 if (!nla[NFTA_FLOWTABLE_TABLE] ||
7098 (!nla[NFTA_FLOWTABLE_NAME] &&
7099 !nla[NFTA_FLOWTABLE_HANDLE]))
7100 return -EINVAL;
7101
7102 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
7103 genmask, NETLINK_CB(skb).portid);
7104 if (IS_ERR(table)) {
7105 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
7106 return PTR_ERR(table);
7107 }
7108
7109 if (nla[NFTA_FLOWTABLE_HANDLE]) {
7110 attr = nla[NFTA_FLOWTABLE_HANDLE];
7111 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
7112 } else {
7113 attr = nla[NFTA_FLOWTABLE_NAME];
7114 flowtable = nft_flowtable_lookup(table, attr, genmask);
7115 }
7116
7117 if (IS_ERR(flowtable)) {
7118 NL_SET_BAD_ATTR(extack, attr);
7119 return PTR_ERR(flowtable);
7120 }
7121
7122 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
7123
7124 if (nla[NFTA_FLOWTABLE_HOOK])
7125 return nft_delflowtable_hook(&ctx, flowtable);
7126
7127 if (flowtable->use > 0) {
7128 NL_SET_BAD_ATTR(extack, attr);
7129 return -EBUSY;
7130 }
7131
7132 return nft_delflowtable(&ctx, flowtable);
7133 }
7134
7135 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
7136 u32 portid, u32 seq, int event,
7137 u32 flags, int family,
7138 struct nft_flowtable *flowtable,
7139 struct list_head *hook_list)
7140 {
7141 struct nlattr *nest, *nest_devs;
7142 struct nfgenmsg *nfmsg;
7143 struct nft_hook *hook;
7144 struct nlmsghdr *nlh;
7145
7146 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
7147 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
7148 if (nlh == NULL)
7149 goto nla_put_failure;
7150
7151 nfmsg = nlmsg_data(nlh);
7152 nfmsg->nfgen_family = family;
7153 nfmsg->version = NFNETLINK_V0;
7154 nfmsg->res_id = nft_base_seq(net);
7155
7156 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
7157 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
7158 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
7159 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
7160 NFTA_FLOWTABLE_PAD) ||
7161 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
7162 goto nla_put_failure;
7163
7164 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
7165 if (!nest)
7166 goto nla_put_failure;
7167 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
7168 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
7169 goto nla_put_failure;
7170
7171 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
7172 if (!nest_devs)
7173 goto nla_put_failure;
7174
7175 list_for_each_entry_rcu(hook, hook_list, list) {
7176 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
7177 goto nla_put_failure;
7178 }
7179 nla_nest_end(skb, nest_devs);
7180 nla_nest_end(skb, nest);
7181
7182 nlmsg_end(skb, nlh);
7183 return 0;
7184
7185 nla_put_failure:
7186 nlmsg_trim(skb, nlh);
7187 return -1;
7188 }
7189
7190 struct nft_flowtable_filter {
7191 char *table;
7192 };
7193
7194 static int nf_tables_dump_flowtable(struct sk_buff *skb,
7195 struct netlink_callback *cb)
7196 {
7197 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
7198 struct nft_flowtable_filter *filter = cb->data;
7199 unsigned int idx = 0, s_idx = cb->args[0];
7200 struct net *net = sock_net(skb->sk);
7201 int family = nfmsg->nfgen_family;
7202 struct nft_flowtable *flowtable;
7203 const struct nft_table *table;
7204
7205 rcu_read_lock();
7206 cb->seq = net->nft.base_seq;
7207
7208 list_for_each_entry_rcu(table, &net->nft.tables, list) {
7209 if (family != NFPROTO_UNSPEC && family != table->family)
7210 continue;
7211
7212 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
7213 if (!nft_is_active(net, flowtable))
7214 goto cont;
7215 if (idx < s_idx)
7216 goto cont;
7217 if (idx > s_idx)
7218 memset(&cb->args[1], 0,
7219 sizeof(cb->args) - sizeof(cb->args[0]));
7220 if (filter && filter->table &&
7221 strcmp(filter->table, table->name))
7222 goto cont;
7223
7224 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
7225 cb->nlh->nlmsg_seq,
7226 NFT_MSG_NEWFLOWTABLE,
7227 NLM_F_MULTI | NLM_F_APPEND,
7228 table->family,
7229 flowtable,
7230 &flowtable->hook_list) < 0)
7231 goto done;
7232
7233 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
7234 cont:
7235 idx++;
7236 }
7237 }
7238 done:
7239 rcu_read_unlock();
7240
7241 cb->args[0] = idx;
7242 return skb->len;
7243 }
7244
7245 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
7246 {
7247 const struct nlattr * const *nla = cb->data;
7248 struct nft_flowtable_filter *filter = NULL;
7249
7250 if (nla[NFTA_FLOWTABLE_TABLE]) {
7251 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
7252 if (!filter)
7253 return -ENOMEM;
7254
7255 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
7256 GFP_ATOMIC);
7257 if (!filter->table) {
7258 kfree(filter);
7259 return -ENOMEM;
7260 }
7261 }
7262
7263 cb->data = filter;
7264 return 0;
7265 }
7266
7267 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
7268 {
7269 struct nft_flowtable_filter *filter = cb->data;
7270
7271 if (!filter)
7272 return 0;
7273
7274 kfree(filter->table);
7275 kfree(filter);
7276
7277 return 0;
7278 }
7279
7280 /* called with rcu_read_lock held */
7281 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
7282 struct sk_buff *skb,
7283 const struct nlmsghdr *nlh,
7284 const struct nlattr * const nla[],
7285 struct netlink_ext_ack *extack)
7286 {
7287 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
7288 u8 genmask = nft_genmask_cur(net);
7289 int family = nfmsg->nfgen_family;
7290 struct nft_flowtable *flowtable;
7291 const struct nft_table *table;
7292 struct sk_buff *skb2;
7293 int err;
7294
7295 if (nlh->nlmsg_flags & NLM_F_DUMP) {
7296 struct netlink_dump_control c = {
7297 .start = nf_tables_dump_flowtable_start,
7298 .dump = nf_tables_dump_flowtable,
7299 .done = nf_tables_dump_flowtable_done,
7300 .module = THIS_MODULE,
7301 .data = (void *)nla,
7302 };
7303
7304 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
7305 }
7306
7307 if (!nla[NFTA_FLOWTABLE_NAME])
7308 return -EINVAL;
7309
7310 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
7311 genmask, 0);
7312 if (IS_ERR(table))
7313 return PTR_ERR(table);
7314
7315 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
7316 genmask);
7317 if (IS_ERR(flowtable))
7318 return PTR_ERR(flowtable);
7319
7320 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7321 if (!skb2)
7322 return -ENOMEM;
7323
7324 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
7325 nlh->nlmsg_seq,
7326 NFT_MSG_NEWFLOWTABLE, 0, family,
7327 flowtable, &flowtable->hook_list);
7328 if (err < 0)
7329 goto err_fill_flowtable_info;
7330
7331 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7332
7333 err_fill_flowtable_info:
7334 kfree_skb(skb2);
7335 return err;
7336 }
7337
7338 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
7339 struct nft_flowtable *flowtable,
7340 struct list_head *hook_list,
7341 int event)
7342 {
7343 struct sk_buff *skb;
7344 int err;
7345
7346 if (!ctx->report &&
7347 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
7348 return;
7349
7350 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
7351 if (skb == NULL)
7352 goto err;
7353
7354 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
7355 ctx->seq, event, 0,
7356 ctx->family, flowtable, hook_list);
7357 if (err < 0) {
7358 kfree_skb(skb);
7359 goto err;
7360 }
7361
7362 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
7363 return;
7364 err:
7365 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
7366 }
7367
7368 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
7369 {
7370 struct nft_hook *hook, *next;
7371
7372 flowtable->data.type->free(&flowtable->data);
7373 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7374 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
7375 FLOW_BLOCK_UNBIND);
7376 list_del_rcu(&hook->list);
7377 kfree(hook);
7378 }
7379 kfree(flowtable->name);
7380 module_put(flowtable->data.type->owner);
7381 kfree(flowtable);
7382 }
7383
7384 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
7385 u32 portid, u32 seq)
7386 {
7387 struct nlmsghdr *nlh;
7388 struct nfgenmsg *nfmsg;
7389 char buf[TASK_COMM_LEN];
7390 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
7391
7392 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
7393 if (nlh == NULL)
7394 goto nla_put_failure;
7395
7396 nfmsg = nlmsg_data(nlh);
7397 nfmsg->nfgen_family = AF_UNSPEC;
7398 nfmsg->version = NFNETLINK_V0;
7399 nfmsg->res_id = nft_base_seq(net);
7400
7401 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
7402 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
7403 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
7404 goto nla_put_failure;
7405
7406 nlmsg_end(skb, nlh);
7407 return 0;
7408
7409 nla_put_failure:
7410 nlmsg_trim(skb, nlh);
7411 return -EMSGSIZE;
7412 }
7413
7414 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
7415 struct nft_flowtable *flowtable)
7416 {
7417 struct nft_hook *hook;
7418
7419 list_for_each_entry(hook, &flowtable->hook_list, list) {
7420 if (hook->ops.dev != dev)
7421 continue;
7422
7423 /* flow_offload_netdev_event() cleans up entries for us. */
7424 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
7425 list_del_rcu(&hook->list);
7426 kfree_rcu(hook, rcu);
7427 break;
7428 }
7429 }
7430
7431 static int nf_tables_flowtable_event(struct notifier_block *this,
7432 unsigned long event, void *ptr)
7433 {
7434 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
7435 struct nft_flowtable *flowtable;
7436 struct nft_table *table;
7437 struct net *net;
7438
7439 if (event != NETDEV_UNREGISTER)
7440 return 0;
7441
7442 net = dev_net(dev);
7443 mutex_lock(&net->nft.commit_mutex);
7444 list_for_each_entry(table, &net->nft.tables, list) {
7445 list_for_each_entry(flowtable, &table->flowtables, list) {
7446 nft_flowtable_event(event, dev, flowtable);
7447 }
7448 }
7449 mutex_unlock(&net->nft.commit_mutex);
7450
7451 return NOTIFY_DONE;
7452 }
7453
7454 static struct notifier_block nf_tables_flowtable_notifier = {
7455 .notifier_call = nf_tables_flowtable_event,
7456 };
7457
7458 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
7459 int event)
7460 {
7461 struct nlmsghdr *nlh = nlmsg_hdr(skb);
7462 struct sk_buff *skb2;
7463 int err;
7464
7465 if (!nlmsg_report(nlh) &&
7466 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
7467 return;
7468
7469 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
7470 if (skb2 == NULL)
7471 goto err;
7472
7473 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
7474 nlh->nlmsg_seq);
7475 if (err < 0) {
7476 kfree_skb(skb2);
7477 goto err;
7478 }
7479
7480 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
7481 nlmsg_report(nlh), GFP_KERNEL);
7482 return;
7483 err:
7484 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
7485 -ENOBUFS);
7486 }
7487
7488 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
7489 struct sk_buff *skb, const struct nlmsghdr *nlh,
7490 const struct nlattr * const nla[],
7491 struct netlink_ext_ack *extack)
7492 {
7493 struct sk_buff *skb2;
7494 int err;
7495
7496 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7497 if (skb2 == NULL)
7498 return -ENOMEM;
7499
7500 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
7501 nlh->nlmsg_seq);
7502 if (err < 0)
7503 goto err_fill_gen_info;
7504
7505 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7506
7507 err_fill_gen_info:
7508 kfree_skb(skb2);
7509 return err;
7510 }
7511
7512 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
7513 [NFT_MSG_NEWTABLE] = {
7514 .call_batch = nf_tables_newtable,
7515 .attr_count = NFTA_TABLE_MAX,
7516 .policy = nft_table_policy,
7517 },
7518 [NFT_MSG_GETTABLE] = {
7519 .call_rcu = nf_tables_gettable,
7520 .attr_count = NFTA_TABLE_MAX,
7521 .policy = nft_table_policy,
7522 },
7523 [NFT_MSG_DELTABLE] = {
7524 .call_batch = nf_tables_deltable,
7525 .attr_count = NFTA_TABLE_MAX,
7526 .policy = nft_table_policy,
7527 },
7528 [NFT_MSG_NEWCHAIN] = {
7529 .call_batch = nf_tables_newchain,
7530 .attr_count = NFTA_CHAIN_MAX,
7531 .policy = nft_chain_policy,
7532 },
7533 [NFT_MSG_GETCHAIN] = {
7534 .call_rcu = nf_tables_getchain,
7535 .attr_count = NFTA_CHAIN_MAX,
7536 .policy = nft_chain_policy,
7537 },
7538 [NFT_MSG_DELCHAIN] = {
7539 .call_batch = nf_tables_delchain,
7540 .attr_count = NFTA_CHAIN_MAX,
7541 .policy = nft_chain_policy,
7542 },
7543 [NFT_MSG_NEWRULE] = {
7544 .call_batch = nf_tables_newrule,
7545 .attr_count = NFTA_RULE_MAX,
7546 .policy = nft_rule_policy,
7547 },
7548 [NFT_MSG_GETRULE] = {
7549 .call_rcu = nf_tables_getrule,
7550 .attr_count = NFTA_RULE_MAX,
7551 .policy = nft_rule_policy,
7552 },
7553 [NFT_MSG_DELRULE] = {
7554 .call_batch = nf_tables_delrule,
7555 .attr_count = NFTA_RULE_MAX,
7556 .policy = nft_rule_policy,
7557 },
7558 [NFT_MSG_NEWSET] = {
7559 .call_batch = nf_tables_newset,
7560 .attr_count = NFTA_SET_MAX,
7561 .policy = nft_set_policy,
7562 },
7563 [NFT_MSG_GETSET] = {
7564 .call_rcu = nf_tables_getset,
7565 .attr_count = NFTA_SET_MAX,
7566 .policy = nft_set_policy,
7567 },
7568 [NFT_MSG_DELSET] = {
7569 .call_batch = nf_tables_delset,
7570 .attr_count = NFTA_SET_MAX,
7571 .policy = nft_set_policy,
7572 },
7573 [NFT_MSG_NEWSETELEM] = {
7574 .call_batch = nf_tables_newsetelem,
7575 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7576 .policy = nft_set_elem_list_policy,
7577 },
7578 [NFT_MSG_GETSETELEM] = {
7579 .call_rcu = nf_tables_getsetelem,
7580 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7581 .policy = nft_set_elem_list_policy,
7582 },
7583 [NFT_MSG_DELSETELEM] = {
7584 .call_batch = nf_tables_delsetelem,
7585 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7586 .policy = nft_set_elem_list_policy,
7587 },
7588 [NFT_MSG_GETGEN] = {
7589 .call_rcu = nf_tables_getgen,
7590 },
7591 [NFT_MSG_NEWOBJ] = {
7592 .call_batch = nf_tables_newobj,
7593 .attr_count = NFTA_OBJ_MAX,
7594 .policy = nft_obj_policy,
7595 },
7596 [NFT_MSG_GETOBJ] = {
7597 .call_rcu = nf_tables_getobj,
7598 .attr_count = NFTA_OBJ_MAX,
7599 .policy = nft_obj_policy,
7600 },
7601 [NFT_MSG_DELOBJ] = {
7602 .call_batch = nf_tables_delobj,
7603 .attr_count = NFTA_OBJ_MAX,
7604 .policy = nft_obj_policy,
7605 },
7606 [NFT_MSG_GETOBJ_RESET] = {
7607 .call_rcu = nf_tables_getobj,
7608 .attr_count = NFTA_OBJ_MAX,
7609 .policy = nft_obj_policy,
7610 },
7611 [NFT_MSG_NEWFLOWTABLE] = {
7612 .call_batch = nf_tables_newflowtable,
7613 .attr_count = NFTA_FLOWTABLE_MAX,
7614 .policy = nft_flowtable_policy,
7615 },
7616 [NFT_MSG_GETFLOWTABLE] = {
7617 .call_rcu = nf_tables_getflowtable,
7618 .attr_count = NFTA_FLOWTABLE_MAX,
7619 .policy = nft_flowtable_policy,
7620 },
7621 [NFT_MSG_DELFLOWTABLE] = {
7622 .call_batch = nf_tables_delflowtable,
7623 .attr_count = NFTA_FLOWTABLE_MAX,
7624 .policy = nft_flowtable_policy,
7625 },
7626 };
7627
7628 static int nf_tables_validate(struct net *net)
7629 {
7630 struct nft_table *table;
7631
7632 switch (net->nft.validate_state) {
7633 case NFT_VALIDATE_SKIP:
7634 break;
7635 case NFT_VALIDATE_NEED:
7636 nft_validate_state_update(net, NFT_VALIDATE_DO);
7637 fallthrough;
7638 case NFT_VALIDATE_DO:
7639 list_for_each_entry(table, &net->nft.tables, list) {
7640 if (nft_table_validate(net, table) < 0)
7641 return -EAGAIN;
7642 }
7643 break;
7644 }
7645
7646 return 0;
7647 }
7648
7649 /* a drop policy has to be deferred until all rules have been activated,
7650 * otherwise a large ruleset that contains a drop-policy base chain will
7651 * cause all packets to get dropped until the full transaction has been
7652 * processed.
7653 *
7654 * We defer the drop policy until the transaction has been finalized.
7655 */
7656 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
7657 {
7658 struct nft_base_chain *basechain;
7659
7660 if (nft_trans_chain_policy(trans) != NF_DROP)
7661 return;
7662
7663 if (!nft_is_base_chain(trans->ctx.chain))
7664 return;
7665
7666 basechain = nft_base_chain(trans->ctx.chain);
7667 basechain->policy = NF_DROP;
7668 }
7669
7670 static void nft_chain_commit_update(struct nft_trans *trans)
7671 {
7672 struct nft_base_chain *basechain;
7673
7674 if (nft_trans_chain_name(trans)) {
7675 rhltable_remove(&trans->ctx.table->chains_ht,
7676 &trans->ctx.chain->rhlhead,
7677 nft_chain_ht_params);
7678 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
7679 rhltable_insert_key(&trans->ctx.table->chains_ht,
7680 trans->ctx.chain->name,
7681 &trans->ctx.chain->rhlhead,
7682 nft_chain_ht_params);
7683 }
7684
7685 if (!nft_is_base_chain(trans->ctx.chain))
7686 return;
7687
7688 nft_chain_stats_replace(trans);
7689
7690 basechain = nft_base_chain(trans->ctx.chain);
7691
7692 switch (nft_trans_chain_policy(trans)) {
7693 case NF_DROP:
7694 case NF_ACCEPT:
7695 basechain->policy = nft_trans_chain_policy(trans);
7696 break;
7697 }
7698 }
7699
7700 static void nft_obj_commit_update(struct nft_trans *trans)
7701 {
7702 struct nft_object *newobj;
7703 struct nft_object *obj;
7704
7705 obj = nft_trans_obj(trans);
7706 newobj = nft_trans_obj_newobj(trans);
7707
7708 if (obj->ops->update)
7709 obj->ops->update(obj, newobj);
7710
7711 kfree(newobj);
7712 }
7713
7714 static void nft_commit_release(struct nft_trans *trans)
7715 {
7716 switch (trans->msg_type) {
7717 case NFT_MSG_DELTABLE:
7718 nf_tables_table_destroy(&trans->ctx);
7719 break;
7720 case NFT_MSG_NEWCHAIN:
7721 free_percpu(nft_trans_chain_stats(trans));
7722 kfree(nft_trans_chain_name(trans));
7723 break;
7724 case NFT_MSG_DELCHAIN:
7725 nf_tables_chain_destroy(&trans->ctx);
7726 break;
7727 case NFT_MSG_DELRULE:
7728 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
7729 break;
7730 case NFT_MSG_DELSET:
7731 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
7732 break;
7733 case NFT_MSG_DELSETELEM:
7734 nf_tables_set_elem_destroy(&trans->ctx,
7735 nft_trans_elem_set(trans),
7736 nft_trans_elem(trans).priv);
7737 break;
7738 case NFT_MSG_DELOBJ:
7739 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
7740 break;
7741 case NFT_MSG_DELFLOWTABLE:
7742 if (nft_trans_flowtable_update(trans))
7743 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
7744 else
7745 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
7746 break;
7747 }
7748
7749 if (trans->put_net)
7750 put_net(trans->ctx.net);
7751
7752 kfree(trans);
7753 }
7754
7755 static void nf_tables_trans_destroy_work(struct work_struct *w)
7756 {
7757 struct nft_trans *trans, *next;
7758 LIST_HEAD(head);
7759
7760 spin_lock(&nf_tables_destroy_list_lock);
7761 list_splice_init(&nf_tables_destroy_list, &head);
7762 spin_unlock(&nf_tables_destroy_list_lock);
7763
7764 if (list_empty(&head))
7765 return;
7766
7767 synchronize_rcu();
7768
7769 list_for_each_entry_safe(trans, next, &head, list) {
7770 list_del(&trans->list);
7771 nft_commit_release(trans);
7772 }
7773 }
7774
7775 void nf_tables_trans_destroy_flush_work(void)
7776 {
7777 flush_work(&trans_destroy_work);
7778 }
7779 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
7780
7781 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
7782 {
7783 struct nft_rule *rule;
7784 unsigned int alloc = 0;
7785 int i;
7786
7787 /* already handled or inactive chain? */
7788 if (chain->rules_next || !nft_is_active_next(net, chain))
7789 return 0;
7790
7791 rule = list_entry(&chain->rules, struct nft_rule, list);
7792 i = 0;
7793
7794 list_for_each_entry_continue(rule, &chain->rules, list) {
7795 if (nft_is_active_next(net, rule))
7796 alloc++;
7797 }
7798
7799 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
7800 if (!chain->rules_next)
7801 return -ENOMEM;
7802
7803 list_for_each_entry_continue(rule, &chain->rules, list) {
7804 if (nft_is_active_next(net, rule))
7805 chain->rules_next[i++] = rule;
7806 }
7807
7808 chain->rules_next[i] = NULL;
7809 return 0;
7810 }
7811
7812 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
7813 {
7814 struct nft_trans *trans, *next;
7815
7816 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7817 struct nft_chain *chain = trans->ctx.chain;
7818
7819 if (trans->msg_type == NFT_MSG_NEWRULE ||
7820 trans->msg_type == NFT_MSG_DELRULE) {
7821 kvfree(chain->rules_next);
7822 chain->rules_next = NULL;
7823 }
7824 }
7825 }
7826
7827 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
7828 {
7829 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
7830
7831 kvfree(o->start);
7832 }
7833
7834 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
7835 {
7836 struct nft_rule **r = rules;
7837 struct nft_rules_old *old;
7838
7839 while (*r)
7840 r++;
7841
7842 r++; /* rcu_head is after end marker */
7843 old = (void *) r;
7844 old->start = rules;
7845
7846 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
7847 }
7848
7849 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
7850 {
7851 struct nft_rule **g0, **g1;
7852 bool next_genbit;
7853
7854 next_genbit = nft_gencursor_next(net);
7855
7856 g0 = rcu_dereference_protected(chain->rules_gen_0,
7857 lockdep_commit_lock_is_held(net));
7858 g1 = rcu_dereference_protected(chain->rules_gen_1,
7859 lockdep_commit_lock_is_held(net));
7860
7861 /* No changes to this chain? */
7862 if (chain->rules_next == NULL) {
7863 /* chain had no change in last or next generation */
7864 if (g0 == g1)
7865 return;
7866 /*
7867 * chain had no change in this generation; make sure next
7868 * one uses same rules as current generation.
7869 */
7870 if (next_genbit) {
7871 rcu_assign_pointer(chain->rules_gen_1, g0);
7872 nf_tables_commit_chain_free_rules_old(g1);
7873 } else {
7874 rcu_assign_pointer(chain->rules_gen_0, g1);
7875 nf_tables_commit_chain_free_rules_old(g0);
7876 }
7877
7878 return;
7879 }
7880
7881 if (next_genbit)
7882 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
7883 else
7884 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
7885
7886 chain->rules_next = NULL;
7887
7888 if (g0 == g1)
7889 return;
7890
7891 if (next_genbit)
7892 nf_tables_commit_chain_free_rules_old(g1);
7893 else
7894 nf_tables_commit_chain_free_rules_old(g0);
7895 }
7896
7897 static void nft_obj_del(struct nft_object *obj)
7898 {
7899 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
7900 list_del_rcu(&obj->list);
7901 }
7902
7903 void nft_chain_del(struct nft_chain *chain)
7904 {
7905 struct nft_table *table = chain->table;
7906
7907 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
7908 nft_chain_ht_params));
7909 list_del_rcu(&chain->list);
7910 }
7911
7912 static void nft_flowtable_hooks_del(struct nft_flowtable *flowtable,
7913 struct list_head *hook_list)
7914 {
7915 struct nft_hook *hook, *next;
7916
7917 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7918 if (hook->inactive)
7919 list_move(&hook->list, hook_list);
7920 }
7921 }
7922
7923 static void nf_tables_module_autoload_cleanup(struct net *net)
7924 {
7925 struct nft_module_request *req, *next;
7926
7927 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
7928 list_for_each_entry_safe(req, next, &net->nft.module_list, list) {
7929 WARN_ON_ONCE(!req->done);
7930 list_del(&req->list);
7931 kfree(req);
7932 }
7933 }
7934
7935 static void nf_tables_commit_release(struct net *net)
7936 {
7937 struct nft_trans *trans;
7938
7939 /* all side effects have to be made visible.
7940 * For example, if a chain named 'foo' has been deleted, a
7941 * new transaction must not find it anymore.
7942 *
7943 * Memory reclaim happens asynchronously from work queue
7944 * to prevent expensive synchronize_rcu() in commit phase.
7945 */
7946 if (list_empty(&net->nft.commit_list)) {
7947 nf_tables_module_autoload_cleanup(net);
7948 mutex_unlock(&net->nft.commit_mutex);
7949 return;
7950 }
7951
7952 trans = list_last_entry(&net->nft.commit_list,
7953 struct nft_trans, list);
7954 get_net(trans->ctx.net);
7955 WARN_ON_ONCE(trans->put_net);
7956
7957 trans->put_net = true;
7958 spin_lock(&nf_tables_destroy_list_lock);
7959 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
7960 spin_unlock(&nf_tables_destroy_list_lock);
7961
7962 nf_tables_module_autoload_cleanup(net);
7963 schedule_work(&trans_destroy_work);
7964
7965 mutex_unlock(&net->nft.commit_mutex);
7966 }
7967
7968 static void nft_commit_notify(struct net *net, u32 portid)
7969 {
7970 struct sk_buff *batch_skb = NULL, *nskb, *skb;
7971 unsigned char *data;
7972 int len;
7973
7974 list_for_each_entry_safe(skb, nskb, &net->nft.notify_list, list) {
7975 if (!batch_skb) {
7976 new_batch:
7977 batch_skb = skb;
7978 len = NLMSG_GOODSIZE - skb->len;
7979 list_del(&skb->list);
7980 continue;
7981 }
7982 len -= skb->len;
7983 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
7984 data = skb_put(batch_skb, skb->len);
7985 memcpy(data, skb->data, skb->len);
7986 list_del(&skb->list);
7987 kfree_skb(skb);
7988 continue;
7989 }
7990 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
7991 NFT_CB(batch_skb).report, GFP_KERNEL);
7992 goto new_batch;
7993 }
7994
7995 if (batch_skb) {
7996 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
7997 NFT_CB(batch_skb).report, GFP_KERNEL);
7998 }
7999
8000 WARN_ON_ONCE(!list_empty(&net->nft.notify_list));
8001 }
8002
8003 static int nf_tables_commit_audit_alloc(struct list_head *adl,
8004 struct nft_table *table)
8005 {
8006 struct nft_audit_data *adp;
8007
8008 list_for_each_entry(adp, adl, list) {
8009 if (adp->table == table)
8010 return 0;
8011 }
8012 adp = kzalloc(sizeof(*adp), GFP_KERNEL);
8013 if (!adp)
8014 return -ENOMEM;
8015 adp->table = table;
8016 list_add(&adp->list, adl);
8017 return 0;
8018 }
8019
8020 static void nf_tables_commit_audit_collect(struct list_head *adl,
8021 struct nft_table *table, u32 op)
8022 {
8023 struct nft_audit_data *adp;
8024
8025 list_for_each_entry(adp, adl, list) {
8026 if (adp->table == table)
8027 goto found;
8028 }
8029 WARN_ONCE("table=%s not expected in commit list", table->name);
8030 return;
8031 found:
8032 adp->entries++;
8033 if (!adp->op || adp->op > op)
8034 adp->op = op;
8035 }
8036
8037 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22)
8038
8039 static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation)
8040 {
8041 struct nft_audit_data *adp, *adn;
8042 char aubuf[AUNFTABLENAMELEN];
8043
8044 list_for_each_entry_safe(adp, adn, adl, list) {
8045 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name,
8046 generation);
8047 audit_log_nfcfg(aubuf, adp->table->family, adp->entries,
8048 nft2audit_op[adp->op], GFP_KERNEL);
8049 list_del(&adp->list);
8050 kfree(adp);
8051 }
8052 }
8053
8054 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
8055 {
8056 struct nft_trans *trans, *next;
8057 struct nft_trans_elem *te;
8058 struct nft_chain *chain;
8059 struct nft_table *table;
8060 LIST_HEAD(adl);
8061 int err;
8062
8063 if (list_empty(&net->nft.commit_list)) {
8064 mutex_unlock(&net->nft.commit_mutex);
8065 return 0;
8066 }
8067
8068 /* 0. Validate ruleset, otherwise roll back for error reporting. */
8069 if (nf_tables_validate(net) < 0)
8070 return -EAGAIN;
8071
8072 err = nft_flow_rule_offload_commit(net);
8073 if (err < 0)
8074 return err;
8075
8076 /* 1. Allocate space for next generation rules_gen_X[] */
8077 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
8078 int ret;
8079
8080 ret = nf_tables_commit_audit_alloc(&adl, trans->ctx.table);
8081 if (ret) {
8082 nf_tables_commit_chain_prepare_cancel(net);
8083 return ret;
8084 }
8085 if (trans->msg_type == NFT_MSG_NEWRULE ||
8086 trans->msg_type == NFT_MSG_DELRULE) {
8087 chain = trans->ctx.chain;
8088
8089 ret = nf_tables_commit_chain_prepare(net, chain);
8090 if (ret < 0) {
8091 nf_tables_commit_chain_prepare_cancel(net);
8092 return ret;
8093 }
8094 }
8095 }
8096
8097 /* step 2. Make rules_gen_X visible to packet path */
8098 list_for_each_entry(table, &net->nft.tables, list) {
8099 list_for_each_entry(chain, &table->chains, list)
8100 nf_tables_commit_chain(net, chain);
8101 }
8102
8103 /*
8104 * Bump generation counter, invalidate any dump in progress.
8105 * Cannot fail after this point.
8106 */
8107 while (++net->nft.base_seq == 0);
8108
8109 /* step 3. Start new generation, rules_gen_X now in use. */
8110 net->nft.gencursor = nft_gencursor_next(net);
8111
8112 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
8113 nf_tables_commit_audit_collect(&adl, trans->ctx.table,
8114 trans->msg_type);
8115 switch (trans->msg_type) {
8116 case NFT_MSG_NEWTABLE:
8117 if (nft_trans_table_update(trans)) {
8118 if (nft_trans_table_state(trans) == NFT_TABLE_STATE_DORMANT)
8119 nf_tables_table_disable(net, trans->ctx.table);
8120
8121 trans->ctx.table->flags = nft_trans_table_flags(trans);
8122 } else {
8123 nft_clear(net, trans->ctx.table);
8124 }
8125 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
8126 nft_trans_destroy(trans);
8127 break;
8128 case NFT_MSG_DELTABLE:
8129 list_del_rcu(&trans->ctx.table->list);
8130 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
8131 break;
8132 case NFT_MSG_NEWCHAIN:
8133 if (nft_trans_chain_update(trans)) {
8134 nft_chain_commit_update(trans);
8135 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
8136 /* trans destroyed after rcu grace period */
8137 } else {
8138 nft_chain_commit_drop_policy(trans);
8139 nft_clear(net, trans->ctx.chain);
8140 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
8141 nft_trans_destroy(trans);
8142 }
8143 break;
8144 case NFT_MSG_DELCHAIN:
8145 nft_chain_del(trans->ctx.chain);
8146 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
8147 nf_tables_unregister_hook(trans->ctx.net,
8148 trans->ctx.table,
8149 trans->ctx.chain);
8150 break;
8151 case NFT_MSG_NEWRULE:
8152 nft_clear(trans->ctx.net, nft_trans_rule(trans));
8153 nf_tables_rule_notify(&trans->ctx,
8154 nft_trans_rule(trans),
8155 NFT_MSG_NEWRULE);
8156 nft_trans_destroy(trans);
8157 break;
8158 case NFT_MSG_DELRULE:
8159 list_del_rcu(&nft_trans_rule(trans)->list);
8160 nf_tables_rule_notify(&trans->ctx,
8161 nft_trans_rule(trans),
8162 NFT_MSG_DELRULE);
8163 nft_rule_expr_deactivate(&trans->ctx,
8164 nft_trans_rule(trans),
8165 NFT_TRANS_COMMIT);
8166 break;
8167 case NFT_MSG_NEWSET:
8168 nft_clear(net, nft_trans_set(trans));
8169 /* This avoids hitting -EBUSY when deleting the table
8170 * from the transaction.
8171 */
8172 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
8173 !list_empty(&nft_trans_set(trans)->bindings))
8174 trans->ctx.table->use--;
8175
8176 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
8177 NFT_MSG_NEWSET, GFP_KERNEL);
8178 nft_trans_destroy(trans);
8179 break;
8180 case NFT_MSG_DELSET:
8181 list_del_rcu(&nft_trans_set(trans)->list);
8182 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
8183 NFT_MSG_DELSET, GFP_KERNEL);
8184 break;
8185 case NFT_MSG_NEWSETELEM:
8186 te = (struct nft_trans_elem *)trans->data;
8187
8188 te->set->ops->activate(net, te->set, &te->elem);
8189 nf_tables_setelem_notify(&trans->ctx, te->set,
8190 &te->elem,
8191 NFT_MSG_NEWSETELEM, 0);
8192 nft_trans_destroy(trans);
8193 break;
8194 case NFT_MSG_DELSETELEM:
8195 te = (struct nft_trans_elem *)trans->data;
8196
8197 nf_tables_setelem_notify(&trans->ctx, te->set,
8198 &te->elem,
8199 NFT_MSG_DELSETELEM, 0);
8200 te->set->ops->remove(net, te->set, &te->elem);
8201 atomic_dec(&te->set->nelems);
8202 te->set->ndeact--;
8203 break;
8204 case NFT_MSG_NEWOBJ:
8205 if (nft_trans_obj_update(trans)) {
8206 nft_obj_commit_update(trans);
8207 nf_tables_obj_notify(&trans->ctx,
8208 nft_trans_obj(trans),
8209 NFT_MSG_NEWOBJ);
8210 } else {
8211 nft_clear(net, nft_trans_obj(trans));
8212 nf_tables_obj_notify(&trans->ctx,
8213 nft_trans_obj(trans),
8214 NFT_MSG_NEWOBJ);
8215 nft_trans_destroy(trans);
8216 }
8217 break;
8218 case NFT_MSG_DELOBJ:
8219 nft_obj_del(nft_trans_obj(trans));
8220 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
8221 NFT_MSG_DELOBJ);
8222 break;
8223 case NFT_MSG_NEWFLOWTABLE:
8224 if (nft_trans_flowtable_update(trans)) {
8225 nft_trans_flowtable(trans)->data.flags =
8226 nft_trans_flowtable_flags(trans);
8227 nf_tables_flowtable_notify(&trans->ctx,
8228 nft_trans_flowtable(trans),
8229 &nft_trans_flowtable_hooks(trans),
8230 NFT_MSG_NEWFLOWTABLE);
8231 list_splice(&nft_trans_flowtable_hooks(trans),
8232 &nft_trans_flowtable(trans)->hook_list);
8233 } else {
8234 nft_clear(net, nft_trans_flowtable(trans));
8235 nf_tables_flowtable_notify(&trans->ctx,
8236 nft_trans_flowtable(trans),
8237 &nft_trans_flowtable(trans)->hook_list,
8238 NFT_MSG_NEWFLOWTABLE);
8239 }
8240 nft_trans_destroy(trans);
8241 break;
8242 case NFT_MSG_DELFLOWTABLE:
8243 if (nft_trans_flowtable_update(trans)) {
8244 nft_flowtable_hooks_del(nft_trans_flowtable(trans),
8245 &nft_trans_flowtable_hooks(trans));
8246 nf_tables_flowtable_notify(&trans->ctx,
8247 nft_trans_flowtable(trans),
8248 &nft_trans_flowtable_hooks(trans),
8249 NFT_MSG_DELFLOWTABLE);
8250 nft_unregister_flowtable_net_hooks(net,
8251 &nft_trans_flowtable_hooks(trans));
8252 } else {
8253 list_del_rcu(&nft_trans_flowtable(trans)->list);
8254 nf_tables_flowtable_notify(&trans->ctx,
8255 nft_trans_flowtable(trans),
8256 &nft_trans_flowtable(trans)->hook_list,
8257 NFT_MSG_DELFLOWTABLE);
8258 nft_unregister_flowtable_net_hooks(net,
8259 &nft_trans_flowtable(trans)->hook_list);
8260 }
8261 break;
8262 }
8263 }
8264
8265 nft_commit_notify(net, NETLINK_CB(skb).portid);
8266 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
8267 nf_tables_commit_audit_log(&adl, net->nft.base_seq);
8268 nf_tables_commit_release(net);
8269
8270 return 0;
8271 }
8272
8273 static void nf_tables_module_autoload(struct net *net)
8274 {
8275 struct nft_module_request *req, *next;
8276 LIST_HEAD(module_list);
8277
8278 list_splice_init(&net->nft.module_list, &module_list);
8279 mutex_unlock(&net->nft.commit_mutex);
8280 list_for_each_entry_safe(req, next, &module_list, list) {
8281 request_module("%s", req->module);
8282 req->done = true;
8283 }
8284 mutex_lock(&net->nft.commit_mutex);
8285 list_splice(&module_list, &net->nft.module_list);
8286 }
8287
8288 static void nf_tables_abort_release(struct nft_trans *trans)
8289 {
8290 switch (trans->msg_type) {
8291 case NFT_MSG_NEWTABLE:
8292 nf_tables_table_destroy(&trans->ctx);
8293 break;
8294 case NFT_MSG_NEWCHAIN:
8295 nf_tables_chain_destroy(&trans->ctx);
8296 break;
8297 case NFT_MSG_NEWRULE:
8298 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
8299 break;
8300 case NFT_MSG_NEWSET:
8301 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
8302 break;
8303 case NFT_MSG_NEWSETELEM:
8304 nft_set_elem_destroy(nft_trans_elem_set(trans),
8305 nft_trans_elem(trans).priv, true);
8306 break;
8307 case NFT_MSG_NEWOBJ:
8308 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
8309 break;
8310 case NFT_MSG_NEWFLOWTABLE:
8311 if (nft_trans_flowtable_update(trans))
8312 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
8313 else
8314 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
8315 break;
8316 }
8317 kfree(trans);
8318 }
8319
8320 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
8321 {
8322 struct nft_trans *trans, *next;
8323 struct nft_trans_elem *te;
8324 struct nft_hook *hook;
8325
8326 if (action == NFNL_ABORT_VALIDATE &&
8327 nf_tables_validate(net) < 0)
8328 return -EAGAIN;
8329
8330 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
8331 list) {
8332 switch (trans->msg_type) {
8333 case NFT_MSG_NEWTABLE:
8334 if (nft_trans_table_update(trans)) {
8335 if (nft_trans_table_state(trans) == NFT_TABLE_STATE_WAKEUP)
8336 nf_tables_table_disable(net, trans->ctx.table);
8337
8338 nft_trans_destroy(trans);
8339 } else {
8340 list_del_rcu(&trans->ctx.table->list);
8341 }
8342 break;
8343 case NFT_MSG_DELTABLE:
8344 nft_clear(trans->ctx.net, trans->ctx.table);
8345 nft_trans_destroy(trans);
8346 break;
8347 case NFT_MSG_NEWCHAIN:
8348 if (nft_trans_chain_update(trans)) {
8349 free_percpu(nft_trans_chain_stats(trans));
8350 kfree(nft_trans_chain_name(trans));
8351 nft_trans_destroy(trans);
8352 } else {
8353 if (nft_chain_is_bound(trans->ctx.chain)) {
8354 nft_trans_destroy(trans);
8355 break;
8356 }
8357 trans->ctx.table->use--;
8358 nft_chain_del(trans->ctx.chain);
8359 nf_tables_unregister_hook(trans->ctx.net,
8360 trans->ctx.table,
8361 trans->ctx.chain);
8362 }
8363 break;
8364 case NFT_MSG_DELCHAIN:
8365 trans->ctx.table->use++;
8366 nft_clear(trans->ctx.net, trans->ctx.chain);
8367 nft_trans_destroy(trans);
8368 break;
8369 case NFT_MSG_NEWRULE:
8370 trans->ctx.chain->use--;
8371 list_del_rcu(&nft_trans_rule(trans)->list);
8372 nft_rule_expr_deactivate(&trans->ctx,
8373 nft_trans_rule(trans),
8374 NFT_TRANS_ABORT);
8375 break;
8376 case NFT_MSG_DELRULE:
8377 trans->ctx.chain->use++;
8378 nft_clear(trans->ctx.net, nft_trans_rule(trans));
8379 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
8380 nft_trans_destroy(trans);
8381 break;
8382 case NFT_MSG_NEWSET:
8383 trans->ctx.table->use--;
8384 if (nft_trans_set_bound(trans)) {
8385 nft_trans_destroy(trans);
8386 break;
8387 }
8388 list_del_rcu(&nft_trans_set(trans)->list);
8389 break;
8390 case NFT_MSG_DELSET:
8391 trans->ctx.table->use++;
8392 nft_clear(trans->ctx.net, nft_trans_set(trans));
8393 nft_trans_destroy(trans);
8394 break;
8395 case NFT_MSG_NEWSETELEM:
8396 if (nft_trans_elem_set_bound(trans)) {
8397 nft_trans_destroy(trans);
8398 break;
8399 }
8400 te = (struct nft_trans_elem *)trans->data;
8401 te->set->ops->remove(net, te->set, &te->elem);
8402 atomic_dec(&te->set->nelems);
8403 break;
8404 case NFT_MSG_DELSETELEM:
8405 te = (struct nft_trans_elem *)trans->data;
8406
8407 nft_set_elem_activate(net, te->set, &te->elem);
8408 te->set->ops->activate(net, te->set, &te->elem);
8409 te->set->ndeact--;
8410
8411 nft_trans_destroy(trans);
8412 break;
8413 case NFT_MSG_NEWOBJ:
8414 if (nft_trans_obj_update(trans)) {
8415 kfree(nft_trans_obj_newobj(trans));
8416 nft_trans_destroy(trans);
8417 } else {
8418 trans->ctx.table->use--;
8419 nft_obj_del(nft_trans_obj(trans));
8420 }
8421 break;
8422 case NFT_MSG_DELOBJ:
8423 trans->ctx.table->use++;
8424 nft_clear(trans->ctx.net, nft_trans_obj(trans));
8425 nft_trans_destroy(trans);
8426 break;
8427 case NFT_MSG_NEWFLOWTABLE:
8428 if (nft_trans_flowtable_update(trans)) {
8429 nft_unregister_flowtable_net_hooks(net,
8430 &nft_trans_flowtable_hooks(trans));
8431 } else {
8432 trans->ctx.table->use--;
8433 list_del_rcu(&nft_trans_flowtable(trans)->list);
8434 nft_unregister_flowtable_net_hooks(net,
8435 &nft_trans_flowtable(trans)->hook_list);
8436 }
8437 break;
8438 case NFT_MSG_DELFLOWTABLE:
8439 if (nft_trans_flowtable_update(trans)) {
8440 list_for_each_entry(hook, &nft_trans_flowtable(trans)->hook_list, list)
8441 hook->inactive = false;
8442 } else {
8443 trans->ctx.table->use++;
8444 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
8445 }
8446 nft_trans_destroy(trans);
8447 break;
8448 }
8449 }
8450
8451 synchronize_rcu();
8452
8453 list_for_each_entry_safe_reverse(trans, next,
8454 &net->nft.commit_list, list) {
8455 list_del(&trans->list);
8456 nf_tables_abort_release(trans);
8457 }
8458
8459 if (action == NFNL_ABORT_AUTOLOAD)
8460 nf_tables_module_autoload(net);
8461 else
8462 nf_tables_module_autoload_cleanup(net);
8463
8464 return 0;
8465 }
8466
8467 static void nf_tables_cleanup(struct net *net)
8468 {
8469 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
8470 }
8471
8472 static int nf_tables_abort(struct net *net, struct sk_buff *skb,
8473 enum nfnl_abort_action action)
8474 {
8475 int ret = __nf_tables_abort(net, action);
8476
8477 mutex_unlock(&net->nft.commit_mutex);
8478
8479 return ret;
8480 }
8481
8482 static bool nf_tables_valid_genid(struct net *net, u32 genid)
8483 {
8484 bool genid_ok;
8485
8486 mutex_lock(&net->nft.commit_mutex);
8487
8488 genid_ok = genid == 0 || net->nft.base_seq == genid;
8489 if (!genid_ok)
8490 mutex_unlock(&net->nft.commit_mutex);
8491
8492 /* else, commit mutex has to be released by commit or abort function */
8493 return genid_ok;
8494 }
8495
8496 static const struct nfnetlink_subsystem nf_tables_subsys = {
8497 .name = "nf_tables",
8498 .subsys_id = NFNL_SUBSYS_NFTABLES,
8499 .cb_count = NFT_MSG_MAX,
8500 .cb = nf_tables_cb,
8501 .commit = nf_tables_commit,
8502 .abort = nf_tables_abort,
8503 .cleanup = nf_tables_cleanup,
8504 .valid_genid = nf_tables_valid_genid,
8505 .owner = THIS_MODULE,
8506 };
8507
8508 int nft_chain_validate_dependency(const struct nft_chain *chain,
8509 enum nft_chain_types type)
8510 {
8511 const struct nft_base_chain *basechain;
8512
8513 if (nft_is_base_chain(chain)) {
8514 basechain = nft_base_chain(chain);
8515 if (basechain->type->type != type)
8516 return -EOPNOTSUPP;
8517 }
8518 return 0;
8519 }
8520 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
8521
8522 int nft_chain_validate_hooks(const struct nft_chain *chain,
8523 unsigned int hook_flags)
8524 {
8525 struct nft_base_chain *basechain;
8526
8527 if (nft_is_base_chain(chain)) {
8528 basechain = nft_base_chain(chain);
8529
8530 if ((1 << basechain->ops.hooknum) & hook_flags)
8531 return 0;
8532
8533 return -EOPNOTSUPP;
8534 }
8535
8536 return 0;
8537 }
8538 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
8539
8540 /*
8541 * Loop detection - walk through the ruleset beginning at the destination chain
8542 * of a new jump until either the source chain is reached (loop) or all
8543 * reachable chains have been traversed.
8544 *
8545 * The loop check is performed whenever a new jump verdict is added to an
8546 * expression or verdict map or a verdict map is bound to a new chain.
8547 */
8548
8549 static int nf_tables_check_loops(const struct nft_ctx *ctx,
8550 const struct nft_chain *chain);
8551
8552 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
8553 struct nft_set *set,
8554 const struct nft_set_iter *iter,
8555 struct nft_set_elem *elem)
8556 {
8557 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
8558 const struct nft_data *data;
8559
8560 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
8561 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
8562 return 0;
8563
8564 data = nft_set_ext_data(ext);
8565 switch (data->verdict.code) {
8566 case NFT_JUMP:
8567 case NFT_GOTO:
8568 return nf_tables_check_loops(ctx, data->verdict.chain);
8569 default:
8570 return 0;
8571 }
8572 }
8573
8574 static int nf_tables_check_loops(const struct nft_ctx *ctx,
8575 const struct nft_chain *chain)
8576 {
8577 const struct nft_rule *rule;
8578 const struct nft_expr *expr, *last;
8579 struct nft_set *set;
8580 struct nft_set_binding *binding;
8581 struct nft_set_iter iter;
8582
8583 if (ctx->chain == chain)
8584 return -ELOOP;
8585
8586 list_for_each_entry(rule, &chain->rules, list) {
8587 nft_rule_for_each_expr(expr, last, rule) {
8588 struct nft_immediate_expr *priv;
8589 const struct nft_data *data;
8590 int err;
8591
8592 if (strcmp(expr->ops->type->name, "immediate"))
8593 continue;
8594
8595 priv = nft_expr_priv(expr);
8596 if (priv->dreg != NFT_REG_VERDICT)
8597 continue;
8598
8599 data = &priv->data;
8600 switch (data->verdict.code) {
8601 case NFT_JUMP:
8602 case NFT_GOTO:
8603 err = nf_tables_check_loops(ctx,
8604 data->verdict.chain);
8605 if (err < 0)
8606 return err;
8607 break;
8608 default:
8609 break;
8610 }
8611 }
8612 }
8613
8614 list_for_each_entry(set, &ctx->table->sets, list) {
8615 if (!nft_is_active_next(ctx->net, set))
8616 continue;
8617 if (!(set->flags & NFT_SET_MAP) ||
8618 set->dtype != NFT_DATA_VERDICT)
8619 continue;
8620
8621 list_for_each_entry(binding, &set->bindings, list) {
8622 if (!(binding->flags & NFT_SET_MAP) ||
8623 binding->chain != chain)
8624 continue;
8625
8626 iter.genmask = nft_genmask_next(ctx->net);
8627 iter.skip = 0;
8628 iter.count = 0;
8629 iter.err = 0;
8630 iter.fn = nf_tables_loop_check_setelem;
8631
8632 set->ops->walk(ctx, set, &iter);
8633 if (iter.err < 0)
8634 return iter.err;
8635 }
8636 }
8637
8638 return 0;
8639 }
8640
8641 /**
8642 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
8643 *
8644 * @attr: netlink attribute to fetch value from
8645 * @max: maximum value to be stored in dest
8646 * @dest: pointer to the variable
8647 *
8648 * Parse, check and store a given u32 netlink attribute into variable.
8649 * This function returns -ERANGE if the value goes over maximum value.
8650 * Otherwise a 0 is returned and the attribute value is stored in the
8651 * destination variable.
8652 */
8653 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
8654 {
8655 u32 val;
8656
8657 val = ntohl(nla_get_be32(attr));
8658 if (val > max)
8659 return -ERANGE;
8660
8661 *dest = val;
8662 return 0;
8663 }
8664 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
8665
8666 /**
8667 * nft_parse_register - parse a register value from a netlink attribute
8668 *
8669 * @attr: netlink attribute
8670 *
8671 * Parse and translate a register value from a netlink attribute.
8672 * Registers used to be 128 bit wide, these register numbers will be
8673 * mapped to the corresponding 32 bit register numbers.
8674 */
8675 static unsigned int nft_parse_register(const struct nlattr *attr)
8676 {
8677 unsigned int reg;
8678
8679 reg = ntohl(nla_get_be32(attr));
8680 switch (reg) {
8681 case NFT_REG_VERDICT...NFT_REG_4:
8682 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
8683 default:
8684 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
8685 }
8686 }
8687
8688 /**
8689 * nft_dump_register - dump a register value to a netlink attribute
8690 *
8691 * @skb: socket buffer
8692 * @attr: attribute number
8693 * @reg: register number
8694 *
8695 * Construct a netlink attribute containing the register number. For
8696 * compatibility reasons, register numbers being a multiple of 4 are
8697 * translated to the corresponding 128 bit register numbers.
8698 */
8699 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
8700 {
8701 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
8702 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
8703 else
8704 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
8705
8706 return nla_put_be32(skb, attr, htonl(reg));
8707 }
8708 EXPORT_SYMBOL_GPL(nft_dump_register);
8709
8710 /**
8711 * nft_validate_register_load - validate a load from a register
8712 *
8713 * @reg: the register number
8714 * @len: the length of the data
8715 *
8716 * Validate that the input register is one of the general purpose
8717 * registers and that the length of the load is within the bounds.
8718 */
8719 static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
8720 {
8721 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
8722 return -EINVAL;
8723 if (len == 0)
8724 return -EINVAL;
8725 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
8726 return -ERANGE;
8727
8728 return 0;
8729 }
8730
8731 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
8732 {
8733 u32 reg;
8734 int err;
8735
8736 reg = nft_parse_register(attr);
8737 err = nft_validate_register_load(reg, len);
8738 if (err < 0)
8739 return err;
8740
8741 *sreg = reg;
8742 return 0;
8743 }
8744 EXPORT_SYMBOL_GPL(nft_parse_register_load);
8745
8746 /**
8747 * nft_validate_register_store - validate an expressions' register store
8748 *
8749 * @ctx: context of the expression performing the load
8750 * @reg: the destination register number
8751 * @data: the data to load
8752 * @type: the data type
8753 * @len: the length of the data
8754 *
8755 * Validate that a data load uses the appropriate data type for
8756 * the destination register and the length is within the bounds.
8757 * A value of NULL for the data means that its runtime gathered
8758 * data.
8759 */
8760 static int nft_validate_register_store(const struct nft_ctx *ctx,
8761 enum nft_registers reg,
8762 const struct nft_data *data,
8763 enum nft_data_types type,
8764 unsigned int len)
8765 {
8766 int err;
8767
8768 switch (reg) {
8769 case NFT_REG_VERDICT:
8770 if (type != NFT_DATA_VERDICT)
8771 return -EINVAL;
8772
8773 if (data != NULL &&
8774 (data->verdict.code == NFT_GOTO ||
8775 data->verdict.code == NFT_JUMP)) {
8776 err = nf_tables_check_loops(ctx, data->verdict.chain);
8777 if (err < 0)
8778 return err;
8779 }
8780
8781 return 0;
8782 default:
8783 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
8784 return -EINVAL;
8785 if (len == 0)
8786 return -EINVAL;
8787 if (reg * NFT_REG32_SIZE + len >
8788 sizeof_field(struct nft_regs, data))
8789 return -ERANGE;
8790
8791 if (data != NULL && type != NFT_DATA_VALUE)
8792 return -EINVAL;
8793 return 0;
8794 }
8795 }
8796
8797 int nft_parse_register_store(const struct nft_ctx *ctx,
8798 const struct nlattr *attr, u8 *dreg,
8799 const struct nft_data *data,
8800 enum nft_data_types type, unsigned int len)
8801 {
8802 int err;
8803 u32 reg;
8804
8805 reg = nft_parse_register(attr);
8806 err = nft_validate_register_store(ctx, reg, data, type, len);
8807 if (err < 0)
8808 return err;
8809
8810 *dreg = reg;
8811 return 0;
8812 }
8813 EXPORT_SYMBOL_GPL(nft_parse_register_store);
8814
8815 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
8816 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
8817 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
8818 .len = NFT_CHAIN_MAXNAMELEN - 1 },
8819 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
8820 };
8821
8822 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
8823 struct nft_data_desc *desc, const struct nlattr *nla)
8824 {
8825 u8 genmask = nft_genmask_next(ctx->net);
8826 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
8827 struct nft_chain *chain;
8828 int err;
8829
8830 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
8831 nft_verdict_policy, NULL);
8832 if (err < 0)
8833 return err;
8834
8835 if (!tb[NFTA_VERDICT_CODE])
8836 return -EINVAL;
8837 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
8838
8839 switch (data->verdict.code) {
8840 default:
8841 switch (data->verdict.code & NF_VERDICT_MASK) {
8842 case NF_ACCEPT:
8843 case NF_DROP:
8844 case NF_QUEUE:
8845 break;
8846 default:
8847 return -EINVAL;
8848 }
8849 fallthrough;
8850 case NFT_CONTINUE:
8851 case NFT_BREAK:
8852 case NFT_RETURN:
8853 break;
8854 case NFT_JUMP:
8855 case NFT_GOTO:
8856 if (tb[NFTA_VERDICT_CHAIN]) {
8857 chain = nft_chain_lookup(ctx->net, ctx->table,
8858 tb[NFTA_VERDICT_CHAIN],
8859 genmask);
8860 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
8861 chain = nft_chain_lookup_byid(ctx->net,
8862 tb[NFTA_VERDICT_CHAIN_ID]);
8863 if (IS_ERR(chain))
8864 return PTR_ERR(chain);
8865 } else {
8866 return -EINVAL;
8867 }
8868
8869 if (IS_ERR(chain))
8870 return PTR_ERR(chain);
8871 if (nft_is_base_chain(chain))
8872 return -EOPNOTSUPP;
8873
8874 chain->use++;
8875 data->verdict.chain = chain;
8876 break;
8877 }
8878
8879 desc->len = sizeof(data->verdict);
8880 desc->type = NFT_DATA_VERDICT;
8881 return 0;
8882 }
8883
8884 static void nft_verdict_uninit(const struct nft_data *data)
8885 {
8886 struct nft_chain *chain;
8887 struct nft_rule *rule;
8888
8889 switch (data->verdict.code) {
8890 case NFT_JUMP:
8891 case NFT_GOTO:
8892 chain = data->verdict.chain;
8893 chain->use--;
8894
8895 if (!nft_chain_is_bound(chain))
8896 break;
8897
8898 chain->table->use--;
8899 list_for_each_entry(rule, &chain->rules, list)
8900 chain->use--;
8901
8902 nft_chain_del(chain);
8903 break;
8904 }
8905 }
8906
8907 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
8908 {
8909 struct nlattr *nest;
8910
8911 nest = nla_nest_start_noflag(skb, type);
8912 if (!nest)
8913 goto nla_put_failure;
8914
8915 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
8916 goto nla_put_failure;
8917
8918 switch (v->code) {
8919 case NFT_JUMP:
8920 case NFT_GOTO:
8921 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
8922 v->chain->name))
8923 goto nla_put_failure;
8924 }
8925 nla_nest_end(skb, nest);
8926 return 0;
8927
8928 nla_put_failure:
8929 return -1;
8930 }
8931
8932 static int nft_value_init(const struct nft_ctx *ctx,
8933 struct nft_data *data, unsigned int size,
8934 struct nft_data_desc *desc, const struct nlattr *nla)
8935 {
8936 unsigned int len;
8937
8938 len = nla_len(nla);
8939 if (len == 0)
8940 return -EINVAL;
8941 if (len > size)
8942 return -EOVERFLOW;
8943
8944 nla_memcpy(data->data, nla, len);
8945 desc->type = NFT_DATA_VALUE;
8946 desc->len = len;
8947 return 0;
8948 }
8949
8950 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
8951 unsigned int len)
8952 {
8953 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
8954 }
8955
8956 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
8957 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
8958 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
8959 };
8960
8961 /**
8962 * nft_data_init - parse nf_tables data netlink attributes
8963 *
8964 * @ctx: context of the expression using the data
8965 * @data: destination struct nft_data
8966 * @size: maximum data length
8967 * @desc: data description
8968 * @nla: netlink attribute containing data
8969 *
8970 * Parse the netlink data attributes and initialize a struct nft_data.
8971 * The type and length of data are returned in the data description.
8972 *
8973 * The caller can indicate that it only wants to accept data of type
8974 * NFT_DATA_VALUE by passing NULL for the ctx argument.
8975 */
8976 int nft_data_init(const struct nft_ctx *ctx,
8977 struct nft_data *data, unsigned int size,
8978 struct nft_data_desc *desc, const struct nlattr *nla)
8979 {
8980 struct nlattr *tb[NFTA_DATA_MAX + 1];
8981 int err;
8982
8983 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
8984 nft_data_policy, NULL);
8985 if (err < 0)
8986 return err;
8987
8988 if (tb[NFTA_DATA_VALUE])
8989 return nft_value_init(ctx, data, size, desc,
8990 tb[NFTA_DATA_VALUE]);
8991 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
8992 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
8993 return -EINVAL;
8994 }
8995 EXPORT_SYMBOL_GPL(nft_data_init);
8996
8997 /**
8998 * nft_data_release - release a nft_data item
8999 *
9000 * @data: struct nft_data to release
9001 * @type: type of data
9002 *
9003 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
9004 * all others need to be released by calling this function.
9005 */
9006 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
9007 {
9008 if (type < NFT_DATA_VERDICT)
9009 return;
9010 switch (type) {
9011 case NFT_DATA_VERDICT:
9012 return nft_verdict_uninit(data);
9013 default:
9014 WARN_ON(1);
9015 }
9016 }
9017 EXPORT_SYMBOL_GPL(nft_data_release);
9018
9019 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
9020 enum nft_data_types type, unsigned int len)
9021 {
9022 struct nlattr *nest;
9023 int err;
9024
9025 nest = nla_nest_start_noflag(skb, attr);
9026 if (nest == NULL)
9027 return -1;
9028
9029 switch (type) {
9030 case NFT_DATA_VALUE:
9031 err = nft_value_dump(skb, data, len);
9032 break;
9033 case NFT_DATA_VERDICT:
9034 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
9035 break;
9036 default:
9037 err = -EINVAL;
9038 WARN_ON(1);
9039 }
9040
9041 nla_nest_end(skb, nest);
9042 return err;
9043 }
9044 EXPORT_SYMBOL_GPL(nft_data_dump);
9045
9046 int __nft_release_basechain(struct nft_ctx *ctx)
9047 {
9048 struct nft_rule *rule, *nr;
9049
9050 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
9051 return 0;
9052
9053 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
9054 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
9055 list_del(&rule->list);
9056 ctx->chain->use--;
9057 nf_tables_rule_release(ctx, rule);
9058 }
9059 nft_chain_del(ctx->chain);
9060 ctx->table->use--;
9061 nf_tables_chain_destroy(ctx);
9062
9063 return 0;
9064 }
9065 EXPORT_SYMBOL_GPL(__nft_release_basechain);
9066
9067 static void __nft_release_hook(struct net *net, struct nft_table *table)
9068 {
9069 struct nft_chain *chain;
9070
9071 list_for_each_entry(chain, &table->chains, list)
9072 nf_tables_unregister_hook(net, table, chain);
9073 }
9074
9075 static void __nft_release_hooks(struct net *net)
9076 {
9077 struct nft_table *table;
9078
9079 list_for_each_entry(table, &net->nft.tables, list) {
9080 if (nft_table_has_owner(table))
9081 continue;
9082
9083 __nft_release_hook(net, table);
9084 }
9085 }
9086
9087 static void __nft_release_table(struct net *net, struct nft_table *table)
9088 {
9089 struct nft_flowtable *flowtable, *nf;
9090 struct nft_chain *chain, *nc;
9091 struct nft_object *obj, *ne;
9092 struct nft_rule *rule, *nr;
9093 struct nft_set *set, *ns;
9094 struct nft_ctx ctx = {
9095 .net = net,
9096 .family = NFPROTO_NETDEV,
9097 };
9098
9099 ctx.family = table->family;
9100 ctx.table = table;
9101 list_for_each_entry(chain, &table->chains, list) {
9102 ctx.chain = chain;
9103 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
9104 list_del(&rule->list);
9105 chain->use--;
9106 nf_tables_rule_release(&ctx, rule);
9107 }
9108 }
9109 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
9110 list_del(&flowtable->list);
9111 table->use--;
9112 nf_tables_flowtable_destroy(flowtable);
9113 }
9114 list_for_each_entry_safe(set, ns, &table->sets, list) {
9115 list_del(&set->list);
9116 table->use--;
9117 nft_set_destroy(&ctx, set);
9118 }
9119 list_for_each_entry_safe(obj, ne, &table->objects, list) {
9120 nft_obj_del(obj);
9121 table->use--;
9122 nft_obj_destroy(&ctx, obj);
9123 }
9124 list_for_each_entry_safe(chain, nc, &table->chains, list) {
9125 ctx.chain = chain;
9126 nft_chain_del(chain);
9127 table->use--;
9128 nf_tables_chain_destroy(&ctx);
9129 }
9130 list_del(&table->list);
9131 nf_tables_table_destroy(&ctx);
9132 }
9133
9134 static void __nft_release_tables(struct net *net)
9135 {
9136 struct nft_table *table, *nt;
9137
9138 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
9139 if (nft_table_has_owner(table))
9140 continue;
9141
9142 __nft_release_table(net, table);
9143 }
9144 }
9145
9146 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
9147 void *ptr)
9148 {
9149 struct netlink_notify *n = ptr;
9150 struct nft_table *table, *nt;
9151 struct net *net = n->net;
9152 bool release = false;
9153
9154 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
9155 return NOTIFY_DONE;
9156
9157 mutex_lock(&net->nft.commit_mutex);
9158 list_for_each_entry(table, &net->nft.tables, list) {
9159 if (nft_table_has_owner(table) &&
9160 n->portid == table->nlpid) {
9161 __nft_release_hook(net, table);
9162 release = true;
9163 }
9164 }
9165 if (release) {
9166 synchronize_rcu();
9167 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
9168 if (nft_table_has_owner(table) &&
9169 n->portid == table->nlpid)
9170 __nft_release_table(net, table);
9171 }
9172 }
9173 mutex_unlock(&net->nft.commit_mutex);
9174
9175 return NOTIFY_DONE;
9176 }
9177
9178 static struct notifier_block nft_nl_notifier = {
9179 .notifier_call = nft_rcv_nl_event,
9180 };
9181
9182 static int __net_init nf_tables_init_net(struct net *net)
9183 {
9184 INIT_LIST_HEAD(&net->nft.tables);
9185 INIT_LIST_HEAD(&net->nft.commit_list);
9186 INIT_LIST_HEAD(&net->nft.module_list);
9187 INIT_LIST_HEAD(&net->nft.notify_list);
9188 mutex_init(&net->nft.commit_mutex);
9189 net->nft.base_seq = 1;
9190 net->nft.validate_state = NFT_VALIDATE_SKIP;
9191
9192 return 0;
9193 }
9194
9195 static void __net_exit nf_tables_pre_exit_net(struct net *net)
9196 {
9197 __nft_release_hooks(net);
9198 }
9199
9200 static void __net_exit nf_tables_exit_net(struct net *net)
9201 {
9202 mutex_lock(&net->nft.commit_mutex);
9203 if (!list_empty(&net->nft.commit_list))
9204 __nf_tables_abort(net, NFNL_ABORT_NONE);
9205 __nft_release_tables(net);
9206 mutex_unlock(&net->nft.commit_mutex);
9207 WARN_ON_ONCE(!list_empty(&net->nft.tables));
9208 WARN_ON_ONCE(!list_empty(&net->nft.module_list));
9209 WARN_ON_ONCE(!list_empty(&net->nft.notify_list));
9210 }
9211
9212 static struct pernet_operations nf_tables_net_ops = {
9213 .init = nf_tables_init_net,
9214 .pre_exit = nf_tables_pre_exit_net,
9215 .exit = nf_tables_exit_net,
9216 };
9217
9218 static int __init nf_tables_module_init(void)
9219 {
9220 int err;
9221
9222 err = register_pernet_subsys(&nf_tables_net_ops);
9223 if (err < 0)
9224 return err;
9225
9226 err = nft_chain_filter_init();
9227 if (err < 0)
9228 goto err_chain_filter;
9229
9230 err = nf_tables_core_module_init();
9231 if (err < 0)
9232 goto err_core_module;
9233
9234 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
9235 if (err < 0)
9236 goto err_netdev_notifier;
9237
9238 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
9239 if (err < 0)
9240 goto err_rht_objname;
9241
9242 err = nft_offload_init();
9243 if (err < 0)
9244 goto err_offload;
9245
9246 err = netlink_register_notifier(&nft_nl_notifier);
9247 if (err < 0)
9248 goto err_netlink_notifier;
9249
9250 /* must be last */
9251 err = nfnetlink_subsys_register(&nf_tables_subsys);
9252 if (err < 0)
9253 goto err_nfnl_subsys;
9254
9255 nft_chain_route_init();
9256
9257 return err;
9258
9259 err_nfnl_subsys:
9260 netlink_unregister_notifier(&nft_nl_notifier);
9261 err_netlink_notifier:
9262 nft_offload_exit();
9263 err_offload:
9264 rhltable_destroy(&nft_objname_ht);
9265 err_rht_objname:
9266 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
9267 err_netdev_notifier:
9268 nf_tables_core_module_exit();
9269 err_core_module:
9270 nft_chain_filter_fini();
9271 err_chain_filter:
9272 unregister_pernet_subsys(&nf_tables_net_ops);
9273 return err;
9274 }
9275
9276 static void __exit nf_tables_module_exit(void)
9277 {
9278 nfnetlink_subsys_unregister(&nf_tables_subsys);
9279 netlink_unregister_notifier(&nft_nl_notifier);
9280 nft_offload_exit();
9281 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
9282 nft_chain_filter_fini();
9283 nft_chain_route_fini();
9284 unregister_pernet_subsys(&nf_tables_net_ops);
9285 cancel_work_sync(&trans_destroy_work);
9286 rcu_barrier();
9287 rhltable_destroy(&nft_objname_ht);
9288 nf_tables_core_module_exit();
9289 }
9290
9291 module_init(nf_tables_module_init);
9292 module_exit(nf_tables_module_exit);
9293
9294 MODULE_LICENSE("GPL");
9295 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
9296 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
Ubuntu Jammy Linux kernel mirror