]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/blob - net/netfilter/nf_tables_api.c
projects / mirror_ubuntu-jammy-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
netfilter: nf_tables: sanitize nft_set_desc_concat_parse()
[mirror_ubuntu-jammy-kernel.git] / net / netfilter / nf_tables_api.c
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 *
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
6 */
7
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_flow_table.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_tables_offload.h>
23 #include <net/net_namespace.h>
24 #include <net/sock.h>
25
26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
27
28 unsigned int nf_tables_net_id __read_mostly;
29
30 static LIST_HEAD(nf_tables_expressions);
31 static LIST_HEAD(nf_tables_objects);
32 static LIST_HEAD(nf_tables_flowtables);
33 static LIST_HEAD(nf_tables_destroy_list);
34 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
35 static u64 table_handle;
36
37 enum {
38 NFT_VALIDATE_SKIP = 0,
39 NFT_VALIDATE_NEED,
40 NFT_VALIDATE_DO,
41 };
42
43 static struct rhltable nft_objname_ht;
44
45 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
46 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
47 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
48
49 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
50 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
51 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
52
53 static const struct rhashtable_params nft_chain_ht_params = {
54 .head_offset = offsetof(struct nft_chain, rhlhead),
55 .key_offset = offsetof(struct nft_chain, name),
56 .hashfn = nft_chain_hash,
57 .obj_hashfn = nft_chain_hash_obj,
58 .obj_cmpfn = nft_chain_hash_cmp,
59 .automatic_shrinking = true,
60 };
61
62 static const struct rhashtable_params nft_objname_ht_params = {
63 .head_offset = offsetof(struct nft_object, rhlhead),
64 .key_offset = offsetof(struct nft_object, key),
65 .hashfn = nft_objname_hash,
66 .obj_hashfn = nft_objname_hash_obj,
67 .obj_cmpfn = nft_objname_hash_cmp,
68 .automatic_shrinking = true,
69 };
70
71 struct nft_audit_data {
72 struct nft_table *table;
73 int entries;
74 int op;
75 struct list_head list;
76 };
77
78 static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types
79 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER,
80 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID,
81 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER,
82 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER,
83 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID,
84 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER,
85 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER,
86 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID,
87 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER,
88 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER,
89 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID,
90 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER,
91 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER,
92 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID,
93 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER,
94 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER,
95 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID,
96 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID,
97 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER,
98 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID,
99 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER,
100 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET,
101 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER,
102 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID,
103 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
104 };
105
106 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
107 {
108 struct nftables_pernet *nft_net = nft_pernet(net);
109
110 switch (nft_net->validate_state) {
111 case NFT_VALIDATE_SKIP:
112 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
113 break;
114 case NFT_VALIDATE_NEED:
115 break;
116 case NFT_VALIDATE_DO:
117 if (new_validate_state == NFT_VALIDATE_NEED)
118 return;
119 }
120
121 nft_net->validate_state = new_validate_state;
122 }
123 static void nf_tables_trans_destroy_work(struct work_struct *w);
124 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
125
126 static void nft_ctx_init(struct nft_ctx *ctx,
127 struct net *net,
128 const struct sk_buff *skb,
129 const struct nlmsghdr *nlh,
130 u8 family,
131 struct nft_table *table,
132 struct nft_chain *chain,
133 const struct nlattr * const *nla)
134 {
135 ctx->net = net;
136 ctx->family = family;
137 ctx->level = 0;
138 ctx->table = table;
139 ctx->chain = chain;
140 ctx->nla = nla;
141 ctx->portid = NETLINK_CB(skb).portid;
142 ctx->report = nlmsg_report(nlh);
143 ctx->flags = nlh->nlmsg_flags;
144 ctx->seq = nlh->nlmsg_seq;
145 }
146
147 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
148 int msg_type, u32 size, gfp_t gfp)
149 {
150 struct nft_trans *trans;
151
152 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
153 if (trans == NULL)
154 return NULL;
155
156 trans->msg_type = msg_type;
157 trans->ctx = *ctx;
158
159 return trans;
160 }
161
162 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
163 int msg_type, u32 size)
164 {
165 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
166 }
167
168 static void nft_trans_destroy(struct nft_trans *trans)
169 {
170 list_del(&trans->list);
171 kfree(trans);
172 }
173
174 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
175 {
176 struct nftables_pernet *nft_net;
177 struct net *net = ctx->net;
178 struct nft_trans *trans;
179
180 if (!nft_set_is_anonymous(set))
181 return;
182
183 nft_net = nft_pernet(net);
184 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
185 switch (trans->msg_type) {
186 case NFT_MSG_NEWSET:
187 if (nft_trans_set(trans) == set)
188 nft_trans_set_bound(trans) = true;
189 break;
190 case NFT_MSG_NEWSETELEM:
191 if (nft_trans_elem_set(trans) == set)
192 nft_trans_elem_set_bound(trans) = true;
193 break;
194 }
195 }
196 }
197
198 static int nft_netdev_register_hooks(struct net *net,
199 struct list_head *hook_list)
200 {
201 struct nft_hook *hook;
202 int err, j;
203
204 j = 0;
205 list_for_each_entry(hook, hook_list, list) {
206 err = nf_register_net_hook(net, &hook->ops);
207 if (err < 0)
208 goto err_register;
209
210 j++;
211 }
212 return 0;
213
214 err_register:
215 list_for_each_entry(hook, hook_list, list) {
216 if (j-- <= 0)
217 break;
218
219 nf_unregister_net_hook(net, &hook->ops);
220 }
221 return err;
222 }
223
224 static void nft_netdev_unregister_hooks(struct net *net,
225 struct list_head *hook_list)
226 {
227 struct nft_hook *hook;
228
229 list_for_each_entry(hook, hook_list, list)
230 nf_unregister_net_hook(net, &hook->ops);
231 }
232
233 static int nf_tables_register_hook(struct net *net,
234 const struct nft_table *table,
235 struct nft_chain *chain)
236 {
237 struct nft_base_chain *basechain;
238 const struct nf_hook_ops *ops;
239
240 if (table->flags & NFT_TABLE_F_DORMANT ||
241 !nft_is_base_chain(chain))
242 return 0;
243
244 basechain = nft_base_chain(chain);
245 ops = &basechain->ops;
246
247 if (basechain->type->ops_register)
248 return basechain->type->ops_register(net, ops);
249
250 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
251 return nft_netdev_register_hooks(net, &basechain->hook_list);
252
253 return nf_register_net_hook(net, &basechain->ops);
254 }
255
256 static void nf_tables_unregister_hook(struct net *net,
257 const struct nft_table *table,
258 struct nft_chain *chain)
259 {
260 struct nft_base_chain *basechain;
261 const struct nf_hook_ops *ops;
262
263 if (table->flags & NFT_TABLE_F_DORMANT ||
264 !nft_is_base_chain(chain))
265 return;
266 basechain = nft_base_chain(chain);
267 ops = &basechain->ops;
268
269 if (basechain->type->ops_unregister)
270 return basechain->type->ops_unregister(net, ops);
271
272 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
273 nft_netdev_unregister_hooks(net, &basechain->hook_list);
274 else
275 nf_unregister_net_hook(net, &basechain->ops);
276 }
277
278 static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans)
279 {
280 struct nftables_pernet *nft_net = nft_pernet(net);
281
282 list_add_tail(&trans->list, &nft_net->commit_list);
283 }
284
285 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
286 {
287 struct nft_trans *trans;
288
289 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
290 if (trans == NULL)
291 return -ENOMEM;
292
293 if (msg_type == NFT_MSG_NEWTABLE)
294 nft_activate_next(ctx->net, ctx->table);
295
296 nft_trans_commit_list_add_tail(ctx->net, trans);
297 return 0;
298 }
299
300 static int nft_deltable(struct nft_ctx *ctx)
301 {
302 int err;
303
304 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
305 if (err < 0)
306 return err;
307
308 nft_deactivate_next(ctx->net, ctx->table);
309 return err;
310 }
311
312 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
313 {
314 struct nft_trans *trans;
315
316 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
317 if (trans == NULL)
318 return ERR_PTR(-ENOMEM);
319
320 if (msg_type == NFT_MSG_NEWCHAIN) {
321 nft_activate_next(ctx->net, ctx->chain);
322
323 if (ctx->nla[NFTA_CHAIN_ID]) {
324 nft_trans_chain_id(trans) =
325 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
326 }
327 }
328
329 nft_trans_commit_list_add_tail(ctx->net, trans);
330 return trans;
331 }
332
333 static int nft_delchain(struct nft_ctx *ctx)
334 {
335 struct nft_trans *trans;
336
337 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
338 if (IS_ERR(trans))
339 return PTR_ERR(trans);
340
341 ctx->table->use--;
342 nft_deactivate_next(ctx->net, ctx->chain);
343
344 return 0;
345 }
346
347 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
348 struct nft_rule *rule)
349 {
350 struct nft_expr *expr;
351
352 expr = nft_expr_first(rule);
353 while (nft_expr_more(rule, expr)) {
354 if (expr->ops->activate)
355 expr->ops->activate(ctx, expr);
356
357 expr = nft_expr_next(expr);
358 }
359 }
360
361 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
362 struct nft_rule *rule,
363 enum nft_trans_phase phase)
364 {
365 struct nft_expr *expr;
366
367 expr = nft_expr_first(rule);
368 while (nft_expr_more(rule, expr)) {
369 if (expr->ops->deactivate)
370 expr->ops->deactivate(ctx, expr, phase);
371
372 expr = nft_expr_next(expr);
373 }
374 }
375
376 static int
377 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
378 {
379 /* You cannot delete the same rule twice */
380 if (nft_is_active_next(ctx->net, rule)) {
381 nft_deactivate_next(ctx->net, rule);
382 ctx->chain->use--;
383 return 0;
384 }
385 return -ENOENT;
386 }
387
388 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
389 struct nft_rule *rule)
390 {
391 struct nft_trans *trans;
392
393 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
394 if (trans == NULL)
395 return NULL;
396
397 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
398 nft_trans_rule_id(trans) =
399 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
400 }
401 nft_trans_rule(trans) = rule;
402 nft_trans_commit_list_add_tail(ctx->net, trans);
403
404 return trans;
405 }
406
407 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
408 {
409 struct nft_flow_rule *flow;
410 struct nft_trans *trans;
411 int err;
412
413 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
414 if (trans == NULL)
415 return -ENOMEM;
416
417 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
418 flow = nft_flow_rule_create(ctx->net, rule);
419 if (IS_ERR(flow)) {
420 nft_trans_destroy(trans);
421 return PTR_ERR(flow);
422 }
423
424 nft_trans_flow_rule(trans) = flow;
425 }
426
427 err = nf_tables_delrule_deactivate(ctx, rule);
428 if (err < 0) {
429 nft_trans_destroy(trans);
430 return err;
431 }
432 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
433
434 return 0;
435 }
436
437 static int nft_delrule_by_chain(struct nft_ctx *ctx)
438 {
439 struct nft_rule *rule;
440 int err;
441
442 list_for_each_entry(rule, &ctx->chain->rules, list) {
443 if (!nft_is_active_next(ctx->net, rule))
444 continue;
445
446 err = nft_delrule(ctx, rule);
447 if (err < 0)
448 return err;
449 }
450 return 0;
451 }
452
453 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
454 struct nft_set *set)
455 {
456 struct nft_trans *trans;
457
458 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
459 if (trans == NULL)
460 return -ENOMEM;
461
462 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
463 nft_trans_set_id(trans) =
464 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
465 nft_activate_next(ctx->net, set);
466 }
467 nft_trans_set(trans) = set;
468 nft_trans_commit_list_add_tail(ctx->net, trans);
469
470 return 0;
471 }
472
473 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
474 {
475 int err;
476
477 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
478 if (err < 0)
479 return err;
480
481 nft_deactivate_next(ctx->net, set);
482 ctx->table->use--;
483
484 return err;
485 }
486
487 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
488 struct nft_object *obj)
489 {
490 struct nft_trans *trans;
491
492 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
493 if (trans == NULL)
494 return -ENOMEM;
495
496 if (msg_type == NFT_MSG_NEWOBJ)
497 nft_activate_next(ctx->net, obj);
498
499 nft_trans_obj(trans) = obj;
500 nft_trans_commit_list_add_tail(ctx->net, trans);
501
502 return 0;
503 }
504
505 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
506 {
507 int err;
508
509 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
510 if (err < 0)
511 return err;
512
513 nft_deactivate_next(ctx->net, obj);
514 ctx->table->use--;
515
516 return err;
517 }
518
519 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
520 struct nft_flowtable *flowtable)
521 {
522 struct nft_trans *trans;
523
524 trans = nft_trans_alloc(ctx, msg_type,
525 sizeof(struct nft_trans_flowtable));
526 if (trans == NULL)
527 return -ENOMEM;
528
529 if (msg_type == NFT_MSG_NEWFLOWTABLE)
530 nft_activate_next(ctx->net, flowtable);
531
532 nft_trans_flowtable(trans) = flowtable;
533 nft_trans_commit_list_add_tail(ctx->net, trans);
534
535 return 0;
536 }
537
538 static int nft_delflowtable(struct nft_ctx *ctx,
539 struct nft_flowtable *flowtable)
540 {
541 int err;
542
543 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
544 if (err < 0)
545 return err;
546
547 nft_deactivate_next(ctx->net, flowtable);
548 ctx->table->use--;
549
550 return err;
551 }
552
553 /*
554 * Tables
555 */
556
557 static struct nft_table *nft_table_lookup(const struct net *net,
558 const struct nlattr *nla,
559 u8 family, u8 genmask, u32 nlpid)
560 {
561 struct nftables_pernet *nft_net;
562 struct nft_table *table;
563
564 if (nla == NULL)
565 return ERR_PTR(-EINVAL);
566
567 nft_net = nft_pernet(net);
568 list_for_each_entry_rcu(table, &nft_net->tables, list,
569 lockdep_is_held(&nft_net->commit_mutex)) {
570 if (!nla_strcmp(nla, table->name) &&
571 table->family == family &&
572 nft_active_genmask(table, genmask)) {
573 if (nft_table_has_owner(table) &&
574 nlpid && table->nlpid != nlpid)
575 return ERR_PTR(-EPERM);
576
577 return table;
578 }
579 }
580
581 return ERR_PTR(-ENOENT);
582 }
583
584 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
585 const struct nlattr *nla,
586 u8 genmask, u32 nlpid)
587 {
588 struct nftables_pernet *nft_net;
589 struct nft_table *table;
590
591 nft_net = nft_pernet(net);
592 list_for_each_entry(table, &nft_net->tables, list) {
593 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
594 nft_active_genmask(table, genmask)) {
595 if (nft_table_has_owner(table) &&
596 nlpid && table->nlpid != nlpid)
597 return ERR_PTR(-EPERM);
598
599 return table;
600 }
601 }
602
603 return ERR_PTR(-ENOENT);
604 }
605
606 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
607 {
608 return ++table->hgenerator;
609 }
610
611 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
612
613 static const struct nft_chain_type *
614 __nft_chain_type_get(u8 family, enum nft_chain_types type)
615 {
616 if (family >= NFPROTO_NUMPROTO ||
617 type >= NFT_CHAIN_T_MAX)
618 return NULL;
619
620 return chain_type[family][type];
621 }
622
623 static const struct nft_chain_type *
624 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
625 {
626 const struct nft_chain_type *type;
627 int i;
628
629 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
630 type = __nft_chain_type_get(family, i);
631 if (!type)
632 continue;
633 if (!nla_strcmp(nla, type->name))
634 return type;
635 }
636 return NULL;
637 }
638
639 struct nft_module_request {
640 struct list_head list;
641 char module[MODULE_NAME_LEN];
642 bool done;
643 };
644
645 #ifdef CONFIG_MODULES
646 __printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
647 ...)
648 {
649 char module_name[MODULE_NAME_LEN];
650 struct nftables_pernet *nft_net;
651 struct nft_module_request *req;
652 va_list args;
653 int ret;
654
655 va_start(args, fmt);
656 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
657 va_end(args);
658 if (ret >= MODULE_NAME_LEN)
659 return 0;
660
661 nft_net = nft_pernet(net);
662 list_for_each_entry(req, &nft_net->module_list, list) {
663 if (!strcmp(req->module, module_name)) {
664 if (req->done)
665 return 0;
666
667 /* A request to load this module already exists. */
668 return -EAGAIN;
669 }
670 }
671
672 req = kmalloc(sizeof(*req), GFP_KERNEL);
673 if (!req)
674 return -ENOMEM;
675
676 req->done = false;
677 strlcpy(req->module, module_name, MODULE_NAME_LEN);
678 list_add_tail(&req->list, &nft_net->module_list);
679
680 return -EAGAIN;
681 }
682 EXPORT_SYMBOL_GPL(nft_request_module);
683 #endif
684
685 static void lockdep_nfnl_nft_mutex_not_held(void)
686 {
687 #ifdef CONFIG_PROVE_LOCKING
688 if (debug_locks)
689 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
690 #endif
691 }
692
693 static const struct nft_chain_type *
694 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
695 u8 family, bool autoload)
696 {
697 const struct nft_chain_type *type;
698
699 type = __nf_tables_chain_type_lookup(nla, family);
700 if (type != NULL)
701 return type;
702
703 lockdep_nfnl_nft_mutex_not_held();
704 #ifdef CONFIG_MODULES
705 if (autoload) {
706 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
707 nla_len(nla),
708 (const char *)nla_data(nla)) == -EAGAIN)
709 return ERR_PTR(-EAGAIN);
710 }
711 #endif
712 return ERR_PTR(-ENOENT);
713 }
714
715 static __be16 nft_base_seq(const struct net *net)
716 {
717 struct nftables_pernet *nft_net = nft_pernet(net);
718
719 return htons(nft_net->base_seq & 0xffff);
720 }
721
722 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
723 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
724 .len = NFT_TABLE_MAXNAMELEN - 1 },
725 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
726 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
727 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
728 .len = NFT_USERDATA_MAXLEN }
729 };
730
731 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
732 u32 portid, u32 seq, int event, u32 flags,
733 int family, const struct nft_table *table)
734 {
735 struct nlmsghdr *nlh;
736
737 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
738 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
739 NFNETLINK_V0, nft_base_seq(net));
740 if (!nlh)
741 goto nla_put_failure;
742
743 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
744 nla_put_be32(skb, NFTA_TABLE_FLAGS,
745 htonl(table->flags & NFT_TABLE_F_MASK)) ||
746 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
747 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
748 NFTA_TABLE_PAD))
749 goto nla_put_failure;
750 if (nft_table_has_owner(table) &&
751 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid)))
752 goto nla_put_failure;
753
754 if (table->udata) {
755 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
756 goto nla_put_failure;
757 }
758
759 nlmsg_end(skb, nlh);
760 return 0;
761
762 nla_put_failure:
763 nlmsg_trim(skb, nlh);
764 return -1;
765 }
766
767 struct nftnl_skb_parms {
768 bool report;
769 };
770 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
771
772 static void nft_notify_enqueue(struct sk_buff *skb, bool report,
773 struct list_head *notify_list)
774 {
775 NFT_CB(skb).report = report;
776 list_add_tail(&skb->list, notify_list);
777 }
778
779 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
780 {
781 struct nftables_pernet *nft_net;
782 struct sk_buff *skb;
783 u16 flags = 0;
784 int err;
785
786 if (!ctx->report &&
787 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
788 return;
789
790 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
791 if (skb == NULL)
792 goto err;
793
794 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
795 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
796
797 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
798 event, flags, ctx->family, ctx->table);
799 if (err < 0) {
800 kfree_skb(skb);
801 goto err;
802 }
803
804 nft_net = nft_pernet(ctx->net);
805 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
806 return;
807 err:
808 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
809 }
810
811 static int nf_tables_dump_tables(struct sk_buff *skb,
812 struct netlink_callback *cb)
813 {
814 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
815 struct nftables_pernet *nft_net;
816 const struct nft_table *table;
817 unsigned int idx = 0, s_idx = cb->args[0];
818 struct net *net = sock_net(skb->sk);
819 int family = nfmsg->nfgen_family;
820
821 rcu_read_lock();
822 nft_net = nft_pernet(net);
823 cb->seq = nft_net->base_seq;
824
825 list_for_each_entry_rcu(table, &nft_net->tables, list) {
826 if (family != NFPROTO_UNSPEC && family != table->family)
827 continue;
828
829 if (idx < s_idx)
830 goto cont;
831 if (idx > s_idx)
832 memset(&cb->args[1], 0,
833 sizeof(cb->args) - sizeof(cb->args[0]));
834 if (!nft_is_active(net, table))
835 continue;
836 if (nf_tables_fill_table_info(skb, net,
837 NETLINK_CB(cb->skb).portid,
838 cb->nlh->nlmsg_seq,
839 NFT_MSG_NEWTABLE, NLM_F_MULTI,
840 table->family, table) < 0)
841 goto done;
842
843 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
844 cont:
845 idx++;
846 }
847 done:
848 rcu_read_unlock();
849 cb->args[0] = idx;
850 return skb->len;
851 }
852
853 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
854 const struct nlmsghdr *nlh,
855 struct netlink_dump_control *c)
856 {
857 int err;
858
859 if (!try_module_get(THIS_MODULE))
860 return -EINVAL;
861
862 rcu_read_unlock();
863 err = netlink_dump_start(nlsk, skb, nlh, c);
864 rcu_read_lock();
865 module_put(THIS_MODULE);
866
867 return err;
868 }
869
870 /* called with rcu_read_lock held */
871 static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info,
872 const struct nlattr * const nla[])
873 {
874 struct netlink_ext_ack *extack = info->extack;
875 u8 genmask = nft_genmask_cur(info->net);
876 u8 family = info->nfmsg->nfgen_family;
877 const struct nft_table *table;
878 struct net *net = info->net;
879 struct sk_buff *skb2;
880 int err;
881
882 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
883 struct netlink_dump_control c = {
884 .dump = nf_tables_dump_tables,
885 .module = THIS_MODULE,
886 };
887
888 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
889 }
890
891 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0);
892 if (IS_ERR(table)) {
893 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
894 return PTR_ERR(table);
895 }
896
897 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
898 if (!skb2)
899 return -ENOMEM;
900
901 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
902 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE,
903 0, family, table);
904 if (err < 0)
905 goto err_fill_table_info;
906
907 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
908
909 err_fill_table_info:
910 kfree_skb(skb2);
911 return err;
912 }
913
914 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
915 {
916 struct nft_chain *chain;
917 u32 i = 0;
918
919 list_for_each_entry(chain, &table->chains, list) {
920 if (!nft_is_active_next(net, chain))
921 continue;
922 if (!nft_is_base_chain(chain))
923 continue;
924
925 if (cnt && i++ == cnt)
926 break;
927
928 nf_tables_unregister_hook(net, table, chain);
929 }
930 }
931
932 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
933 {
934 struct nft_chain *chain;
935 int err, i = 0;
936
937 list_for_each_entry(chain, &table->chains, list) {
938 if (!nft_is_active_next(net, chain))
939 continue;
940 if (!nft_is_base_chain(chain))
941 continue;
942
943 err = nf_tables_register_hook(net, table, chain);
944 if (err < 0)
945 goto err_register_hooks;
946
947 i++;
948 }
949 return 0;
950
951 err_register_hooks:
952 if (i)
953 nft_table_disable(net, table, i);
954 return err;
955 }
956
957 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
958 {
959 table->flags &= ~NFT_TABLE_F_DORMANT;
960 nft_table_disable(net, table, 0);
961 table->flags |= NFT_TABLE_F_DORMANT;
962 }
963
964 #define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1)
965 #define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0)
966 #define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1)
967 #define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \
968 __NFT_TABLE_F_WAS_AWAKEN)
969
970 static int nf_tables_updtable(struct nft_ctx *ctx)
971 {
972 struct nft_trans *trans;
973 u32 flags;
974 int ret;
975
976 if (!ctx->nla[NFTA_TABLE_FLAGS])
977 return 0;
978
979 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
980 if (flags & ~NFT_TABLE_F_MASK)
981 return -EOPNOTSUPP;
982
983 if (flags == ctx->table->flags)
984 return 0;
985
986 if ((nft_table_has_owner(ctx->table) &&
987 !(flags & NFT_TABLE_F_OWNER)) ||
988 (!nft_table_has_owner(ctx->table) &&
989 flags & NFT_TABLE_F_OWNER))
990 return -EOPNOTSUPP;
991
992 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
993 sizeof(struct nft_trans_table));
994 if (trans == NULL)
995 return -ENOMEM;
996
997 if ((flags & NFT_TABLE_F_DORMANT) &&
998 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
999 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1000 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE))
1001 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN;
1002 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
1003 ctx->table->flags & NFT_TABLE_F_DORMANT) {
1004 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
1005 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) {
1006 ret = nf_tables_table_enable(ctx->net, ctx->table);
1007 if (ret < 0)
1008 goto err_register_hooks;
1009
1010 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT;
1011 }
1012 }
1013
1014 nft_trans_table_update(trans) = true;
1015 nft_trans_commit_list_add_tail(ctx->net, trans);
1016
1017 return 0;
1018
1019 err_register_hooks:
1020 nft_trans_destroy(trans);
1021 return ret;
1022 }
1023
1024 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
1025 {
1026 const char *name = data;
1027
1028 return jhash(name, strlen(name), seed);
1029 }
1030
1031 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
1032 {
1033 const struct nft_chain *chain = data;
1034
1035 return nft_chain_hash(chain->name, 0, seed);
1036 }
1037
1038 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
1039 const void *ptr)
1040 {
1041 const struct nft_chain *chain = ptr;
1042 const char *name = arg->key;
1043
1044 return strcmp(chain->name, name);
1045 }
1046
1047 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
1048 {
1049 const struct nft_object_hash_key *k = data;
1050
1051 seed ^= hash_ptr(k->table, 32);
1052
1053 return jhash(k->name, strlen(k->name), seed);
1054 }
1055
1056 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
1057 {
1058 const struct nft_object *obj = data;
1059
1060 return nft_objname_hash(&obj->key, 0, seed);
1061 }
1062
1063 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
1064 const void *ptr)
1065 {
1066 const struct nft_object_hash_key *k = arg->key;
1067 const struct nft_object *obj = ptr;
1068
1069 if (obj->key.table != k->table)
1070 return -1;
1071
1072 return strcmp(obj->key.name, k->name);
1073 }
1074
1075 static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
1076 const struct nlattr * const nla[])
1077 {
1078 struct nftables_pernet *nft_net = nft_pernet(info->net);
1079 struct netlink_ext_ack *extack = info->extack;
1080 u8 genmask = nft_genmask_next(info->net);
1081 u8 family = info->nfmsg->nfgen_family;
1082 struct net *net = info->net;
1083 const struct nlattr *attr;
1084 struct nft_table *table;
1085 struct nft_ctx ctx;
1086 u32 flags = 0;
1087 int err;
1088
1089 lockdep_assert_held(&nft_net->commit_mutex);
1090 attr = nla[NFTA_TABLE_NAME];
1091 table = nft_table_lookup(net, attr, family, genmask,
1092 NETLINK_CB(skb).portid);
1093 if (IS_ERR(table)) {
1094 if (PTR_ERR(table) != -ENOENT)
1095 return PTR_ERR(table);
1096 } else {
1097 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
1098 NL_SET_BAD_ATTR(extack, attr);
1099 return -EEXIST;
1100 }
1101 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
1102 return -EOPNOTSUPP;
1103
1104 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1105
1106 return nf_tables_updtable(&ctx);
1107 }
1108
1109 if (nla[NFTA_TABLE_FLAGS]) {
1110 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1111 if (flags & ~NFT_TABLE_F_MASK)
1112 return -EOPNOTSUPP;
1113 }
1114
1115 err = -ENOMEM;
1116 table = kzalloc(sizeof(*table), GFP_KERNEL);
1117 if (table == NULL)
1118 goto err_kzalloc;
1119
1120 table->name = nla_strdup(attr, GFP_KERNEL);
1121 if (table->name == NULL)
1122 goto err_strdup;
1123
1124 if (nla[NFTA_TABLE_USERDATA]) {
1125 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL);
1126 if (table->udata == NULL)
1127 goto err_table_udata;
1128
1129 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
1130 }
1131
1132 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1133 if (err)
1134 goto err_chain_ht;
1135
1136 INIT_LIST_HEAD(&table->chains);
1137 INIT_LIST_HEAD(&table->sets);
1138 INIT_LIST_HEAD(&table->objects);
1139 INIT_LIST_HEAD(&table->flowtables);
1140 table->family = family;
1141 table->flags = flags;
1142 table->handle = ++table_handle;
1143 if (table->flags & NFT_TABLE_F_OWNER)
1144 table->nlpid = NETLINK_CB(skb).portid;
1145
1146 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1147 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1148 if (err < 0)
1149 goto err_trans;
1150
1151 list_add_tail_rcu(&table->list, &nft_net->tables);
1152 return 0;
1153 err_trans:
1154 rhltable_destroy(&table->chains_ht);
1155 err_chain_ht:
1156 kfree(table->udata);
1157 err_table_udata:
1158 kfree(table->name);
1159 err_strdup:
1160 kfree(table);
1161 err_kzalloc:
1162 return err;
1163 }
1164
1165 static int nft_flush_table(struct nft_ctx *ctx)
1166 {
1167 struct nft_flowtable *flowtable, *nft;
1168 struct nft_chain *chain, *nc;
1169 struct nft_object *obj, *ne;
1170 struct nft_set *set, *ns;
1171 int err;
1172
1173 list_for_each_entry(chain, &ctx->table->chains, list) {
1174 if (!nft_is_active_next(ctx->net, chain))
1175 continue;
1176
1177 if (nft_chain_is_bound(chain))
1178 continue;
1179
1180 ctx->chain = chain;
1181
1182 err = nft_delrule_by_chain(ctx);
1183 if (err < 0)
1184 goto out;
1185 }
1186
1187 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1188 if (!nft_is_active_next(ctx->net, set))
1189 continue;
1190
1191 if (nft_set_is_anonymous(set) &&
1192 !list_empty(&set->bindings))
1193 continue;
1194
1195 err = nft_delset(ctx, set);
1196 if (err < 0)
1197 goto out;
1198 }
1199
1200 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1201 if (!nft_is_active_next(ctx->net, flowtable))
1202 continue;
1203
1204 err = nft_delflowtable(ctx, flowtable);
1205 if (err < 0)
1206 goto out;
1207 }
1208
1209 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1210 if (!nft_is_active_next(ctx->net, obj))
1211 continue;
1212
1213 err = nft_delobj(ctx, obj);
1214 if (err < 0)
1215 goto out;
1216 }
1217
1218 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1219 if (!nft_is_active_next(ctx->net, chain))
1220 continue;
1221
1222 if (nft_chain_is_bound(chain))
1223 continue;
1224
1225 ctx->chain = chain;
1226
1227 err = nft_delchain(ctx);
1228 if (err < 0)
1229 goto out;
1230 }
1231
1232 err = nft_deltable(ctx);
1233 out:
1234 return err;
1235 }
1236
1237 static int nft_flush(struct nft_ctx *ctx, int family)
1238 {
1239 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
1240 const struct nlattr * const *nla = ctx->nla;
1241 struct nft_table *table, *nt;
1242 int err = 0;
1243
1244 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
1245 if (family != AF_UNSPEC && table->family != family)
1246 continue;
1247
1248 ctx->family = table->family;
1249
1250 if (!nft_is_active_next(ctx->net, table))
1251 continue;
1252
1253 if (nft_table_has_owner(table) && table->nlpid != ctx->portid)
1254 continue;
1255
1256 if (nla[NFTA_TABLE_NAME] &&
1257 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1258 continue;
1259
1260 ctx->table = table;
1261
1262 err = nft_flush_table(ctx);
1263 if (err < 0)
1264 goto out;
1265 }
1266 out:
1267 return err;
1268 }
1269
1270 static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info,
1271 const struct nlattr * const nla[])
1272 {
1273 struct netlink_ext_ack *extack = info->extack;
1274 u8 genmask = nft_genmask_next(info->net);
1275 u8 family = info->nfmsg->nfgen_family;
1276 struct net *net = info->net;
1277 const struct nlattr *attr;
1278 struct nft_table *table;
1279 struct nft_ctx ctx;
1280
1281 nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla);
1282 if (family == AF_UNSPEC ||
1283 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1284 return nft_flush(&ctx, family);
1285
1286 if (nla[NFTA_TABLE_HANDLE]) {
1287 attr = nla[NFTA_TABLE_HANDLE];
1288 table = nft_table_lookup_byhandle(net, attr, genmask,
1289 NETLINK_CB(skb).portid);
1290 } else {
1291 attr = nla[NFTA_TABLE_NAME];
1292 table = nft_table_lookup(net, attr, family, genmask,
1293 NETLINK_CB(skb).portid);
1294 }
1295
1296 if (IS_ERR(table)) {
1297 NL_SET_BAD_ATTR(extack, attr);
1298 return PTR_ERR(table);
1299 }
1300
1301 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
1302 table->use > 0)
1303 return -EBUSY;
1304
1305 ctx.family = family;
1306 ctx.table = table;
1307
1308 return nft_flush_table(&ctx);
1309 }
1310
1311 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1312 {
1313 if (WARN_ON(ctx->table->use > 0))
1314 return;
1315
1316 rhltable_destroy(&ctx->table->chains_ht);
1317 kfree(ctx->table->name);
1318 kfree(ctx->table->udata);
1319 kfree(ctx->table);
1320 }
1321
1322 void nft_register_chain_type(const struct nft_chain_type *ctype)
1323 {
1324 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1325 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1326 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1327 return;
1328 }
1329 chain_type[ctype->family][ctype->type] = ctype;
1330 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1331 }
1332 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1333
1334 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1335 {
1336 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1337 chain_type[ctype->family][ctype->type] = NULL;
1338 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1339 }
1340 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1341
1342 /*
1343 * Chains
1344 */
1345
1346 static struct nft_chain *
1347 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1348 {
1349 struct nft_chain *chain;
1350
1351 list_for_each_entry(chain, &table->chains, list) {
1352 if (chain->handle == handle &&
1353 nft_active_genmask(chain, genmask))
1354 return chain;
1355 }
1356
1357 return ERR_PTR(-ENOENT);
1358 }
1359
1360 static bool lockdep_commit_lock_is_held(const struct net *net)
1361 {
1362 #ifdef CONFIG_PROVE_LOCKING
1363 struct nftables_pernet *nft_net = nft_pernet(net);
1364
1365 return lockdep_is_held(&nft_net->commit_mutex);
1366 #else
1367 return true;
1368 #endif
1369 }
1370
1371 static struct nft_chain *nft_chain_lookup(struct net *net,
1372 struct nft_table *table,
1373 const struct nlattr *nla, u8 genmask)
1374 {
1375 char search[NFT_CHAIN_MAXNAMELEN + 1];
1376 struct rhlist_head *tmp, *list;
1377 struct nft_chain *chain;
1378
1379 if (nla == NULL)
1380 return ERR_PTR(-EINVAL);
1381
1382 nla_strscpy(search, nla, sizeof(search));
1383
1384 WARN_ON(!rcu_read_lock_held() &&
1385 !lockdep_commit_lock_is_held(net));
1386
1387 chain = ERR_PTR(-ENOENT);
1388 rcu_read_lock();
1389 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1390 if (!list)
1391 goto out_unlock;
1392
1393 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1394 if (nft_active_genmask(chain, genmask))
1395 goto out_unlock;
1396 }
1397 chain = ERR_PTR(-ENOENT);
1398 out_unlock:
1399 rcu_read_unlock();
1400 return chain;
1401 }
1402
1403 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1404 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1405 .len = NFT_TABLE_MAXNAMELEN - 1 },
1406 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1407 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1408 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1409 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1410 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1411 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1412 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1413 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1414 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1415 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1416 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
1417 .len = NFT_USERDATA_MAXLEN },
1418 };
1419
1420 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1421 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1422 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1423 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1424 .len = IFNAMSIZ - 1 },
1425 };
1426
1427 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1428 {
1429 struct nft_stats *cpu_stats, total;
1430 struct nlattr *nest;
1431 unsigned int seq;
1432 u64 pkts, bytes;
1433 int cpu;
1434
1435 if (!stats)
1436 return 0;
1437
1438 memset(&total, 0, sizeof(total));
1439 for_each_possible_cpu(cpu) {
1440 cpu_stats = per_cpu_ptr(stats, cpu);
1441 do {
1442 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1443 pkts = cpu_stats->pkts;
1444 bytes = cpu_stats->bytes;
1445 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1446 total.pkts += pkts;
1447 total.bytes += bytes;
1448 }
1449 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1450 if (nest == NULL)
1451 goto nla_put_failure;
1452
1453 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1454 NFTA_COUNTER_PAD) ||
1455 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1456 NFTA_COUNTER_PAD))
1457 goto nla_put_failure;
1458
1459 nla_nest_end(skb, nest);
1460 return 0;
1461
1462 nla_put_failure:
1463 return -ENOSPC;
1464 }
1465
1466 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1467 const struct nft_base_chain *basechain)
1468 {
1469 const struct nf_hook_ops *ops = &basechain->ops;
1470 struct nft_hook *hook, *first = NULL;
1471 struct nlattr *nest, *nest_devs;
1472 int n = 0;
1473
1474 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1475 if (nest == NULL)
1476 goto nla_put_failure;
1477 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1478 goto nla_put_failure;
1479 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1480 goto nla_put_failure;
1481
1482 if (nft_base_chain_netdev(family, ops->hooknum)) {
1483 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1484 list_for_each_entry(hook, &basechain->hook_list, list) {
1485 if (!first)
1486 first = hook;
1487
1488 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1489 hook->ops.dev->name))
1490 goto nla_put_failure;
1491 n++;
1492 }
1493 nla_nest_end(skb, nest_devs);
1494
1495 if (n == 1 &&
1496 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1497 goto nla_put_failure;
1498 }
1499 nla_nest_end(skb, nest);
1500
1501 return 0;
1502 nla_put_failure:
1503 return -1;
1504 }
1505
1506 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1507 u32 portid, u32 seq, int event, u32 flags,
1508 int family, const struct nft_table *table,
1509 const struct nft_chain *chain)
1510 {
1511 struct nlmsghdr *nlh;
1512
1513 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1514 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
1515 NFNETLINK_V0, nft_base_seq(net));
1516 if (!nlh)
1517 goto nla_put_failure;
1518
1519 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1520 goto nla_put_failure;
1521 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1522 NFTA_CHAIN_PAD))
1523 goto nla_put_failure;
1524 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1525 goto nla_put_failure;
1526
1527 if (nft_is_base_chain(chain)) {
1528 const struct nft_base_chain *basechain = nft_base_chain(chain);
1529 struct nft_stats __percpu *stats;
1530
1531 if (nft_dump_basechain_hook(skb, family, basechain))
1532 goto nla_put_failure;
1533
1534 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1535 htonl(basechain->policy)))
1536 goto nla_put_failure;
1537
1538 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1539 goto nla_put_failure;
1540
1541 stats = rcu_dereference_check(basechain->stats,
1542 lockdep_commit_lock_is_held(net));
1543 if (nft_dump_stats(skb, stats))
1544 goto nla_put_failure;
1545 }
1546
1547 if (chain->flags &&
1548 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
1549 goto nla_put_failure;
1550
1551 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1552 goto nla_put_failure;
1553
1554 if (chain->udata &&
1555 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
1556 goto nla_put_failure;
1557
1558 nlmsg_end(skb, nlh);
1559 return 0;
1560
1561 nla_put_failure:
1562 nlmsg_trim(skb, nlh);
1563 return -1;
1564 }
1565
1566 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1567 {
1568 struct nftables_pernet *nft_net;
1569 struct sk_buff *skb;
1570 u16 flags = 0;
1571 int err;
1572
1573 if (!ctx->report &&
1574 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1575 return;
1576
1577 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1578 if (skb == NULL)
1579 goto err;
1580
1581 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1582 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1583
1584 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1585 event, flags, ctx->family, ctx->table,
1586 ctx->chain);
1587 if (err < 0) {
1588 kfree_skb(skb);
1589 goto err;
1590 }
1591
1592 nft_net = nft_pernet(ctx->net);
1593 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
1594 return;
1595 err:
1596 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1597 }
1598
1599 static int nf_tables_dump_chains(struct sk_buff *skb,
1600 struct netlink_callback *cb)
1601 {
1602 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1603 unsigned int idx = 0, s_idx = cb->args[0];
1604 struct net *net = sock_net(skb->sk);
1605 int family = nfmsg->nfgen_family;
1606 struct nftables_pernet *nft_net;
1607 const struct nft_table *table;
1608 const struct nft_chain *chain;
1609
1610 rcu_read_lock();
1611 nft_net = nft_pernet(net);
1612 cb->seq = nft_net->base_seq;
1613
1614 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1615 if (family != NFPROTO_UNSPEC && family != table->family)
1616 continue;
1617
1618 list_for_each_entry_rcu(chain, &table->chains, list) {
1619 if (idx < s_idx)
1620 goto cont;
1621 if (idx > s_idx)
1622 memset(&cb->args[1], 0,
1623 sizeof(cb->args) - sizeof(cb->args[0]));
1624 if (!nft_is_active(net, chain))
1625 continue;
1626 if (nf_tables_fill_chain_info(skb, net,
1627 NETLINK_CB(cb->skb).portid,
1628 cb->nlh->nlmsg_seq,
1629 NFT_MSG_NEWCHAIN,
1630 NLM_F_MULTI,
1631 table->family, table,
1632 chain) < 0)
1633 goto done;
1634
1635 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1636 cont:
1637 idx++;
1638 }
1639 }
1640 done:
1641 rcu_read_unlock();
1642 cb->args[0] = idx;
1643 return skb->len;
1644 }
1645
1646 /* called with rcu_read_lock held */
1647 static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info,
1648 const struct nlattr * const nla[])
1649 {
1650 struct netlink_ext_ack *extack = info->extack;
1651 u8 genmask = nft_genmask_cur(info->net);
1652 u8 family = info->nfmsg->nfgen_family;
1653 const struct nft_chain *chain;
1654 struct net *net = info->net;
1655 struct nft_table *table;
1656 struct sk_buff *skb2;
1657 int err;
1658
1659 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1660 struct netlink_dump_control c = {
1661 .dump = nf_tables_dump_chains,
1662 .module = THIS_MODULE,
1663 };
1664
1665 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
1666 }
1667
1668 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0);
1669 if (IS_ERR(table)) {
1670 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1671 return PTR_ERR(table);
1672 }
1673
1674 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1675 if (IS_ERR(chain)) {
1676 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1677 return PTR_ERR(chain);
1678 }
1679
1680 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1681 if (!skb2)
1682 return -ENOMEM;
1683
1684 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1685 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN,
1686 0, family, table, chain);
1687 if (err < 0)
1688 goto err_fill_chain_info;
1689
1690 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1691
1692 err_fill_chain_info:
1693 kfree_skb(skb2);
1694 return err;
1695 }
1696
1697 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1698 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1699 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1700 };
1701
1702 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1703 {
1704 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1705 struct nft_stats __percpu *newstats;
1706 struct nft_stats *stats;
1707 int err;
1708
1709 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1710 nft_counter_policy, NULL);
1711 if (err < 0)
1712 return ERR_PTR(err);
1713
1714 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1715 return ERR_PTR(-EINVAL);
1716
1717 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1718 if (newstats == NULL)
1719 return ERR_PTR(-ENOMEM);
1720
1721 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1722 * are not exposed to userspace.
1723 */
1724 preempt_disable();
1725 stats = this_cpu_ptr(newstats);
1726 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1727 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1728 preempt_enable();
1729
1730 return newstats;
1731 }
1732
1733 static void nft_chain_stats_replace(struct nft_trans *trans)
1734 {
1735 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1736
1737 if (!nft_trans_chain_stats(trans))
1738 return;
1739
1740 nft_trans_chain_stats(trans) =
1741 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
1742 lockdep_commit_lock_is_held(trans->ctx.net));
1743
1744 if (!nft_trans_chain_stats(trans))
1745 static_branch_inc(&nft_counters_enabled);
1746 }
1747
1748 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1749 {
1750 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1751 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1752
1753 if (g0 != g1)
1754 kvfree(g1);
1755 kvfree(g0);
1756
1757 /* should be NULL either via abort or via successful commit */
1758 WARN_ON_ONCE(chain->rules_next);
1759 kvfree(chain->rules_next);
1760 }
1761
1762 void nf_tables_chain_destroy(struct nft_ctx *ctx)
1763 {
1764 struct nft_chain *chain = ctx->chain;
1765 struct nft_hook *hook, *next;
1766
1767 if (WARN_ON(chain->use > 0))
1768 return;
1769
1770 /* no concurrent access possible anymore */
1771 nf_tables_chain_free_chain_rules(chain);
1772
1773 if (nft_is_base_chain(chain)) {
1774 struct nft_base_chain *basechain = nft_base_chain(chain);
1775
1776 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
1777 list_for_each_entry_safe(hook, next,
1778 &basechain->hook_list, list) {
1779 list_del_rcu(&hook->list);
1780 kfree_rcu(hook, rcu);
1781 }
1782 }
1783 module_put(basechain->type->owner);
1784 if (rcu_access_pointer(basechain->stats)) {
1785 static_branch_dec(&nft_counters_enabled);
1786 free_percpu(rcu_dereference_raw(basechain->stats));
1787 }
1788 kfree(chain->name);
1789 kfree(chain->udata);
1790 kfree(basechain);
1791 } else {
1792 kfree(chain->name);
1793 kfree(chain->udata);
1794 kfree(chain);
1795 }
1796 }
1797
1798 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
1799 const struct nlattr *attr)
1800 {
1801 struct net_device *dev;
1802 char ifname[IFNAMSIZ];
1803 struct nft_hook *hook;
1804 int err;
1805
1806 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL);
1807 if (!hook) {
1808 err = -ENOMEM;
1809 goto err_hook_alloc;
1810 }
1811
1812 nla_strscpy(ifname, attr, IFNAMSIZ);
1813 /* nf_tables_netdev_event() is called under rtnl_mutex, this is
1814 * indirectly serializing all the other holders of the commit_mutex with
1815 * the rtnl_mutex.
1816 */
1817 dev = __dev_get_by_name(net, ifname);
1818 if (!dev) {
1819 err = -ENOENT;
1820 goto err_hook_dev;
1821 }
1822 hook->ops.dev = dev;
1823 hook->inactive = false;
1824
1825 return hook;
1826
1827 err_hook_dev:
1828 kfree(hook);
1829 err_hook_alloc:
1830 return ERR_PTR(err);
1831 }
1832
1833 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
1834 const struct nft_hook *this)
1835 {
1836 struct nft_hook *hook;
1837
1838 list_for_each_entry(hook, hook_list, list) {
1839 if (this->ops.dev == hook->ops.dev)
1840 return hook;
1841 }
1842
1843 return NULL;
1844 }
1845
1846 static int nf_tables_parse_netdev_hooks(struct net *net,
1847 const struct nlattr *attr,
1848 struct list_head *hook_list)
1849 {
1850 struct nft_hook *hook, *next;
1851 const struct nlattr *tmp;
1852 int rem, n = 0, err;
1853
1854 nla_for_each_nested(tmp, attr, rem) {
1855 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
1856 err = -EINVAL;
1857 goto err_hook;
1858 }
1859
1860 hook = nft_netdev_hook_alloc(net, tmp);
1861 if (IS_ERR(hook)) {
1862 err = PTR_ERR(hook);
1863 goto err_hook;
1864 }
1865 if (nft_hook_list_find(hook_list, hook)) {
1866 kfree(hook);
1867 err = -EEXIST;
1868 goto err_hook;
1869 }
1870 list_add_tail(&hook->list, hook_list);
1871 n++;
1872
1873 if (n == NFT_NETDEVICE_MAX) {
1874 err = -EFBIG;
1875 goto err_hook;
1876 }
1877 }
1878
1879 return 0;
1880
1881 err_hook:
1882 list_for_each_entry_safe(hook, next, hook_list, list) {
1883 list_del(&hook->list);
1884 kfree(hook);
1885 }
1886 return err;
1887 }
1888
1889 struct nft_chain_hook {
1890 u32 num;
1891 s32 priority;
1892 const struct nft_chain_type *type;
1893 struct list_head list;
1894 };
1895
1896 static int nft_chain_parse_netdev(struct net *net,
1897 struct nlattr *tb[],
1898 struct list_head *hook_list)
1899 {
1900 struct nft_hook *hook;
1901 int err;
1902
1903 if (tb[NFTA_HOOK_DEV]) {
1904 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
1905 if (IS_ERR(hook))
1906 return PTR_ERR(hook);
1907
1908 list_add_tail(&hook->list, hook_list);
1909 } else if (tb[NFTA_HOOK_DEVS]) {
1910 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
1911 hook_list);
1912 if (err < 0)
1913 return err;
1914
1915 if (list_empty(hook_list))
1916 return -EINVAL;
1917 } else {
1918 return -EINVAL;
1919 }
1920
1921 return 0;
1922 }
1923
1924 static int nft_chain_parse_hook(struct net *net,
1925 const struct nlattr * const nla[],
1926 struct nft_chain_hook *hook, u8 family,
1927 struct netlink_ext_ack *extack, bool autoload)
1928 {
1929 struct nftables_pernet *nft_net = nft_pernet(net);
1930 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1931 const struct nft_chain_type *type;
1932 int err;
1933
1934 lockdep_assert_held(&nft_net->commit_mutex);
1935 lockdep_nfnl_nft_mutex_not_held();
1936
1937 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
1938 nla[NFTA_CHAIN_HOOK],
1939 nft_hook_policy, NULL);
1940 if (err < 0)
1941 return err;
1942
1943 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1944 ha[NFTA_HOOK_PRIORITY] == NULL)
1945 return -EINVAL;
1946
1947 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1948 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1949
1950 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
1951 if (!type)
1952 return -EOPNOTSUPP;
1953
1954 if (nla[NFTA_CHAIN_TYPE]) {
1955 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1956 family, autoload);
1957 if (IS_ERR(type)) {
1958 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
1959 return PTR_ERR(type);
1960 }
1961 }
1962 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1963 return -EOPNOTSUPP;
1964
1965 if (type->type == NFT_CHAIN_T_NAT &&
1966 hook->priority <= NF_IP_PRI_CONNTRACK)
1967 return -EOPNOTSUPP;
1968
1969 if (!try_module_get(type->owner)) {
1970 if (nla[NFTA_CHAIN_TYPE])
1971 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
1972 return -ENOENT;
1973 }
1974
1975 hook->type = type;
1976
1977 INIT_LIST_HEAD(&hook->list);
1978 if (nft_base_chain_netdev(family, hook->num)) {
1979 err = nft_chain_parse_netdev(net, ha, &hook->list);
1980 if (err < 0) {
1981 module_put(type->owner);
1982 return err;
1983 }
1984 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
1985 module_put(type->owner);
1986 return -EOPNOTSUPP;
1987 }
1988
1989 return 0;
1990 }
1991
1992 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1993 {
1994 struct nft_hook *h, *next;
1995
1996 list_for_each_entry_safe(h, next, &hook->list, list) {
1997 list_del(&h->list);
1998 kfree(h);
1999 }
2000 module_put(hook->type->owner);
2001 }
2002
2003 struct nft_rules_old {
2004 struct rcu_head h;
2005 struct nft_rule **start;
2006 };
2007
2008 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
2009 unsigned int alloc)
2010 {
2011 if (alloc > INT_MAX)
2012 return NULL;
2013
2014 alloc += 1; /* NULL, ends rules */
2015 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
2016 return NULL;
2017
2018 alloc *= sizeof(struct nft_rule *);
2019 alloc += sizeof(struct nft_rules_old);
2020
2021 return kvmalloc(alloc, GFP_KERNEL);
2022 }
2023
2024 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
2025 const struct nft_chain_hook *hook,
2026 struct nft_chain *chain)
2027 {
2028 ops->pf = family;
2029 ops->hooknum = hook->num;
2030 ops->priority = hook->priority;
2031 ops->priv = chain;
2032 ops->hook = hook->type->hooks[ops->hooknum];
2033 ops->hook_ops_type = NF_HOOK_OP_NF_TABLES;
2034 }
2035
2036 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
2037 struct nft_chain_hook *hook, u32 flags)
2038 {
2039 struct nft_chain *chain;
2040 struct nft_hook *h;
2041
2042 basechain->type = hook->type;
2043 INIT_LIST_HEAD(&basechain->hook_list);
2044 chain = &basechain->chain;
2045
2046 if (nft_base_chain_netdev(family, hook->num)) {
2047 list_splice_init(&hook->list, &basechain->hook_list);
2048 list_for_each_entry(h, &basechain->hook_list, list)
2049 nft_basechain_hook_init(&h->ops, family, hook, chain);
2050
2051 basechain->ops.hooknum = hook->num;
2052 basechain->ops.priority = hook->priority;
2053 } else {
2054 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
2055 }
2056
2057 chain->flags |= NFT_CHAIN_BASE | flags;
2058 basechain->policy = NF_ACCEPT;
2059 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
2060 nft_chain_offload_priority(basechain) < 0)
2061 return -EOPNOTSUPP;
2062
2063 flow_block_init(&basechain->flow_block);
2064
2065 return 0;
2066 }
2067
2068 static int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
2069 {
2070 int err;
2071
2072 err = rhltable_insert_key(&table->chains_ht, chain->name,
2073 &chain->rhlhead, nft_chain_ht_params);
2074 if (err)
2075 return err;
2076
2077 list_add_tail_rcu(&chain->list, &table->chains);
2078
2079 return 0;
2080 }
2081
2082 static u64 chain_id;
2083
2084 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
2085 u8 policy, u32 flags,
2086 struct netlink_ext_ack *extack)
2087 {
2088 const struct nlattr * const *nla = ctx->nla;
2089 struct nft_table *table = ctx->table;
2090 struct nft_base_chain *basechain;
2091 struct nft_stats __percpu *stats;
2092 struct net *net = ctx->net;
2093 char name[NFT_NAME_MAXLEN];
2094 struct nft_trans *trans;
2095 struct nft_chain *chain;
2096 struct nft_rule **rules;
2097 int err;
2098
2099 if (table->use == UINT_MAX)
2100 return -EOVERFLOW;
2101
2102 if (nla[NFTA_CHAIN_HOOK]) {
2103 struct nft_chain_hook hook;
2104
2105 if (flags & NFT_CHAIN_BINDING)
2106 return -EOPNOTSUPP;
2107
2108 err = nft_chain_parse_hook(net, nla, &hook, family, extack,
2109 true);
2110 if (err < 0)
2111 return err;
2112
2113 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
2114 if (basechain == NULL) {
2115 nft_chain_release_hook(&hook);
2116 return -ENOMEM;
2117 }
2118 chain = &basechain->chain;
2119
2120 if (nla[NFTA_CHAIN_COUNTERS]) {
2121 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2122 if (IS_ERR(stats)) {
2123 nft_chain_release_hook(&hook);
2124 kfree(basechain);
2125 return PTR_ERR(stats);
2126 }
2127 rcu_assign_pointer(basechain->stats, stats);
2128 static_branch_inc(&nft_counters_enabled);
2129 }
2130
2131 err = nft_basechain_init(basechain, family, &hook, flags);
2132 if (err < 0) {
2133 nft_chain_release_hook(&hook);
2134 kfree(basechain);
2135 return err;
2136 }
2137 } else {
2138 if (flags & NFT_CHAIN_BASE)
2139 return -EINVAL;
2140 if (flags & NFT_CHAIN_HW_OFFLOAD)
2141 return -EOPNOTSUPP;
2142
2143 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
2144 if (chain == NULL)
2145 return -ENOMEM;
2146
2147 chain->flags = flags;
2148 }
2149 ctx->chain = chain;
2150
2151 INIT_LIST_HEAD(&chain->rules);
2152 chain->handle = nf_tables_alloc_handle(table);
2153 chain->table = table;
2154
2155 if (nla[NFTA_CHAIN_NAME]) {
2156 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2157 } else {
2158 if (!(flags & NFT_CHAIN_BINDING)) {
2159 err = -EINVAL;
2160 goto err_destroy_chain;
2161 }
2162
2163 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2164 chain->name = kstrdup(name, GFP_KERNEL);
2165 }
2166
2167 if (!chain->name) {
2168 err = -ENOMEM;
2169 goto err_destroy_chain;
2170 }
2171
2172 if (nla[NFTA_CHAIN_USERDATA]) {
2173 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL);
2174 if (chain->udata == NULL) {
2175 err = -ENOMEM;
2176 goto err_destroy_chain;
2177 }
2178 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
2179 }
2180
2181 rules = nf_tables_chain_alloc_rules(chain, 0);
2182 if (!rules) {
2183 err = -ENOMEM;
2184 goto err_destroy_chain;
2185 }
2186
2187 *rules = NULL;
2188 rcu_assign_pointer(chain->rules_gen_0, rules);
2189 rcu_assign_pointer(chain->rules_gen_1, rules);
2190
2191 err = nf_tables_register_hook(net, table, chain);
2192 if (err < 0)
2193 goto err_destroy_chain;
2194
2195 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2196 if (IS_ERR(trans)) {
2197 err = PTR_ERR(trans);
2198 goto err_unregister_hook;
2199 }
2200
2201 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2202 if (nft_is_base_chain(chain))
2203 nft_trans_chain_policy(trans) = policy;
2204
2205 err = nft_chain_add(table, chain);
2206 if (err < 0) {
2207 nft_trans_destroy(trans);
2208 goto err_unregister_hook;
2209 }
2210
2211 table->use++;
2212
2213 return 0;
2214 err_unregister_hook:
2215 nf_tables_unregister_hook(net, table, chain);
2216 err_destroy_chain:
2217 nf_tables_chain_destroy(ctx);
2218
2219 return err;
2220 }
2221
2222 static bool nft_hook_list_equal(struct list_head *hook_list1,
2223 struct list_head *hook_list2)
2224 {
2225 struct nft_hook *hook;
2226 int n = 0, m = 0;
2227
2228 n = 0;
2229 list_for_each_entry(hook, hook_list2, list) {
2230 if (!nft_hook_list_find(hook_list1, hook))
2231 return false;
2232
2233 n++;
2234 }
2235 list_for_each_entry(hook, hook_list1, list)
2236 m++;
2237
2238 return n == m;
2239 }
2240
2241 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2242 u32 flags, const struct nlattr *attr,
2243 struct netlink_ext_ack *extack)
2244 {
2245 const struct nlattr * const *nla = ctx->nla;
2246 struct nft_table *table = ctx->table;
2247 struct nft_chain *chain = ctx->chain;
2248 struct nft_base_chain *basechain;
2249 struct nft_stats *stats = NULL;
2250 struct nft_chain_hook hook;
2251 struct nf_hook_ops *ops;
2252 struct nft_trans *trans;
2253 int err;
2254
2255 if (chain->flags ^ flags)
2256 return -EOPNOTSUPP;
2257
2258 if (nla[NFTA_CHAIN_HOOK]) {
2259 if (!nft_is_base_chain(chain)) {
2260 NL_SET_BAD_ATTR(extack, attr);
2261 return -EEXIST;
2262 }
2263 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
2264 extack, false);
2265 if (err < 0)
2266 return err;
2267
2268 basechain = nft_base_chain(chain);
2269 if (basechain->type != hook.type) {
2270 nft_chain_release_hook(&hook);
2271 NL_SET_BAD_ATTR(extack, attr);
2272 return -EEXIST;
2273 }
2274
2275 if (nft_base_chain_netdev(ctx->family, hook.num)) {
2276 if (!nft_hook_list_equal(&basechain->hook_list,
2277 &hook.list)) {
2278 nft_chain_release_hook(&hook);
2279 NL_SET_BAD_ATTR(extack, attr);
2280 return -EEXIST;
2281 }
2282 } else {
2283 ops = &basechain->ops;
2284 if (ops->hooknum != hook.num ||
2285 ops->priority != hook.priority) {
2286 nft_chain_release_hook(&hook);
2287 NL_SET_BAD_ATTR(extack, attr);
2288 return -EEXIST;
2289 }
2290 }
2291 nft_chain_release_hook(&hook);
2292 }
2293
2294 if (nla[NFTA_CHAIN_HANDLE] &&
2295 nla[NFTA_CHAIN_NAME]) {
2296 struct nft_chain *chain2;
2297
2298 chain2 = nft_chain_lookup(ctx->net, table,
2299 nla[NFTA_CHAIN_NAME], genmask);
2300 if (!IS_ERR(chain2)) {
2301 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2302 return -EEXIST;
2303 }
2304 }
2305
2306 if (nla[NFTA_CHAIN_COUNTERS]) {
2307 if (!nft_is_base_chain(chain))
2308 return -EOPNOTSUPP;
2309
2310 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2311 if (IS_ERR(stats))
2312 return PTR_ERR(stats);
2313 }
2314
2315 err = -ENOMEM;
2316 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2317 sizeof(struct nft_trans_chain));
2318 if (trans == NULL)
2319 goto err;
2320
2321 nft_trans_chain_stats(trans) = stats;
2322 nft_trans_chain_update(trans) = true;
2323
2324 if (nla[NFTA_CHAIN_POLICY])
2325 nft_trans_chain_policy(trans) = policy;
2326 else
2327 nft_trans_chain_policy(trans) = -1;
2328
2329 if (nla[NFTA_CHAIN_HANDLE] &&
2330 nla[NFTA_CHAIN_NAME]) {
2331 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
2332 struct nft_trans *tmp;
2333 char *name;
2334
2335 err = -ENOMEM;
2336 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2337 if (!name)
2338 goto err;
2339
2340 err = -EEXIST;
2341 list_for_each_entry(tmp, &nft_net->commit_list, list) {
2342 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2343 tmp->ctx.table == table &&
2344 nft_trans_chain_update(tmp) &&
2345 nft_trans_chain_name(tmp) &&
2346 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2347 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2348 kfree(name);
2349 goto err;
2350 }
2351 }
2352
2353 nft_trans_chain_name(trans) = name;
2354 }
2355 nft_trans_commit_list_add_tail(ctx->net, trans);
2356
2357 return 0;
2358 err:
2359 free_percpu(stats);
2360 kfree(trans);
2361 return err;
2362 }
2363
2364 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2365 const struct nlattr *nla)
2366 {
2367 struct nftables_pernet *nft_net = nft_pernet(net);
2368 u32 id = ntohl(nla_get_be32(nla));
2369 struct nft_trans *trans;
2370
2371 list_for_each_entry(trans, &nft_net->commit_list, list) {
2372 struct nft_chain *chain = trans->ctx.chain;
2373
2374 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2375 id == nft_trans_chain_id(trans))
2376 return chain;
2377 }
2378 return ERR_PTR(-ENOENT);
2379 }
2380
2381 static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info,
2382 const struct nlattr * const nla[])
2383 {
2384 struct nftables_pernet *nft_net = nft_pernet(info->net);
2385 struct netlink_ext_ack *extack = info->extack;
2386 u8 genmask = nft_genmask_next(info->net);
2387 u8 family = info->nfmsg->nfgen_family;
2388 struct nft_chain *chain = NULL;
2389 struct net *net = info->net;
2390 const struct nlattr *attr;
2391 struct nft_table *table;
2392 u8 policy = NF_ACCEPT;
2393 struct nft_ctx ctx;
2394 u64 handle = 0;
2395 u32 flags = 0;
2396
2397 lockdep_assert_held(&nft_net->commit_mutex);
2398
2399 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2400 NETLINK_CB(skb).portid);
2401 if (IS_ERR(table)) {
2402 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2403 return PTR_ERR(table);
2404 }
2405
2406 chain = NULL;
2407 attr = nla[NFTA_CHAIN_NAME];
2408
2409 if (nla[NFTA_CHAIN_HANDLE]) {
2410 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2411 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2412 if (IS_ERR(chain)) {
2413 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2414 return PTR_ERR(chain);
2415 }
2416 attr = nla[NFTA_CHAIN_HANDLE];
2417 } else if (nla[NFTA_CHAIN_NAME]) {
2418 chain = nft_chain_lookup(net, table, attr, genmask);
2419 if (IS_ERR(chain)) {
2420 if (PTR_ERR(chain) != -ENOENT) {
2421 NL_SET_BAD_ATTR(extack, attr);
2422 return PTR_ERR(chain);
2423 }
2424 chain = NULL;
2425 }
2426 } else if (!nla[NFTA_CHAIN_ID]) {
2427 return -EINVAL;
2428 }
2429
2430 if (nla[NFTA_CHAIN_POLICY]) {
2431 if (chain != NULL &&
2432 !nft_is_base_chain(chain)) {
2433 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2434 return -EOPNOTSUPP;
2435 }
2436
2437 if (chain == NULL &&
2438 nla[NFTA_CHAIN_HOOK] == NULL) {
2439 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2440 return -EOPNOTSUPP;
2441 }
2442
2443 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2444 switch (policy) {
2445 case NF_DROP:
2446 case NF_ACCEPT:
2447 break;
2448 default:
2449 return -EINVAL;
2450 }
2451 }
2452
2453 if (nla[NFTA_CHAIN_FLAGS])
2454 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2455 else if (chain)
2456 flags = chain->flags;
2457
2458 if (flags & ~NFT_CHAIN_FLAGS)
2459 return -EOPNOTSUPP;
2460
2461 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2462
2463 if (chain != NULL) {
2464 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
2465 NL_SET_BAD_ATTR(extack, attr);
2466 return -EEXIST;
2467 }
2468 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
2469 return -EOPNOTSUPP;
2470
2471 flags |= chain->flags & NFT_CHAIN_BASE;
2472 return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
2473 extack);
2474 }
2475
2476 return nf_tables_addchain(&ctx, family, genmask, policy, flags, extack);
2477 }
2478
2479 static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info,
2480 const struct nlattr * const nla[])
2481 {
2482 struct netlink_ext_ack *extack = info->extack;
2483 u8 genmask = nft_genmask_next(info->net);
2484 u8 family = info->nfmsg->nfgen_family;
2485 struct net *net = info->net;
2486 const struct nlattr *attr;
2487 struct nft_table *table;
2488 struct nft_chain *chain;
2489 struct nft_rule *rule;
2490 struct nft_ctx ctx;
2491 u64 handle;
2492 u32 use;
2493 int err;
2494
2495 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2496 NETLINK_CB(skb).portid);
2497 if (IS_ERR(table)) {
2498 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2499 return PTR_ERR(table);
2500 }
2501
2502 if (nla[NFTA_CHAIN_HANDLE]) {
2503 attr = nla[NFTA_CHAIN_HANDLE];
2504 handle = be64_to_cpu(nla_get_be64(attr));
2505 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2506 } else {
2507 attr = nla[NFTA_CHAIN_NAME];
2508 chain = nft_chain_lookup(net, table, attr, genmask);
2509 }
2510 if (IS_ERR(chain)) {
2511 NL_SET_BAD_ATTR(extack, attr);
2512 return PTR_ERR(chain);
2513 }
2514
2515 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
2516 chain->use > 0)
2517 return -EBUSY;
2518
2519 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2520
2521 use = chain->use;
2522 list_for_each_entry(rule, &chain->rules, list) {
2523 if (!nft_is_active_next(net, rule))
2524 continue;
2525 use--;
2526
2527 err = nft_delrule(&ctx, rule);
2528 if (err < 0)
2529 return err;
2530 }
2531
2532 /* There are rules and elements that are still holding references to us,
2533 * we cannot do a recursive removal in this case.
2534 */
2535 if (use > 0) {
2536 NL_SET_BAD_ATTR(extack, attr);
2537 return -EBUSY;
2538 }
2539
2540 return nft_delchain(&ctx);
2541 }
2542
2543 /*
2544 * Expressions
2545 */
2546
2547 /**
2548 * nft_register_expr - register nf_tables expr type
2549 * @type: expr type
2550 *
2551 * Registers the expr type for use with nf_tables. Returns zero on
2552 * success or a negative errno code otherwise.
2553 */
2554 int nft_register_expr(struct nft_expr_type *type)
2555 {
2556 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2557 if (type->family == NFPROTO_UNSPEC)
2558 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2559 else
2560 list_add_rcu(&type->list, &nf_tables_expressions);
2561 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2562 return 0;
2563 }
2564 EXPORT_SYMBOL_GPL(nft_register_expr);
2565
2566 /**
2567 * nft_unregister_expr - unregister nf_tables expr type
2568 * @type: expr type
2569 *
2570 * Unregisters the expr typefor use with nf_tables.
2571 */
2572 void nft_unregister_expr(struct nft_expr_type *type)
2573 {
2574 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2575 list_del_rcu(&type->list);
2576 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2577 }
2578 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2579
2580 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2581 struct nlattr *nla)
2582 {
2583 const struct nft_expr_type *type, *candidate = NULL;
2584
2585 list_for_each_entry(type, &nf_tables_expressions, list) {
2586 if (!nla_strcmp(nla, type->name)) {
2587 if (!type->family && !candidate)
2588 candidate = type;
2589 else if (type->family == family)
2590 candidate = type;
2591 }
2592 }
2593 return candidate;
2594 }
2595
2596 #ifdef CONFIG_MODULES
2597 static int nft_expr_type_request_module(struct net *net, u8 family,
2598 struct nlattr *nla)
2599 {
2600 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
2601 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
2602 return -EAGAIN;
2603
2604 return 0;
2605 }
2606 #endif
2607
2608 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2609 u8 family,
2610 struct nlattr *nla)
2611 {
2612 const struct nft_expr_type *type;
2613
2614 if (nla == NULL)
2615 return ERR_PTR(-EINVAL);
2616
2617 type = __nft_expr_type_get(family, nla);
2618 if (type != NULL && try_module_get(type->owner))
2619 return type;
2620
2621 lockdep_nfnl_nft_mutex_not_held();
2622 #ifdef CONFIG_MODULES
2623 if (type == NULL) {
2624 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2625 return ERR_PTR(-EAGAIN);
2626
2627 if (nft_request_module(net, "nft-expr-%.*s",
2628 nla_len(nla),
2629 (char *)nla_data(nla)) == -EAGAIN)
2630 return ERR_PTR(-EAGAIN);
2631 }
2632 #endif
2633 return ERR_PTR(-ENOENT);
2634 }
2635
2636 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2637 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
2638 .len = NFT_MODULE_AUTOLOAD_LIMIT },
2639 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2640 };
2641
2642 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2643 const struct nft_expr *expr)
2644 {
2645 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2646 goto nla_put_failure;
2647
2648 if (expr->ops->dump) {
2649 struct nlattr *data = nla_nest_start_noflag(skb,
2650 NFTA_EXPR_DATA);
2651 if (data == NULL)
2652 goto nla_put_failure;
2653 if (expr->ops->dump(skb, expr) < 0)
2654 goto nla_put_failure;
2655 nla_nest_end(skb, data);
2656 }
2657
2658 return skb->len;
2659
2660 nla_put_failure:
2661 return -1;
2662 };
2663
2664 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2665 const struct nft_expr *expr)
2666 {
2667 struct nlattr *nest;
2668
2669 nest = nla_nest_start_noflag(skb, attr);
2670 if (!nest)
2671 goto nla_put_failure;
2672 if (nf_tables_fill_expr_info(skb, expr) < 0)
2673 goto nla_put_failure;
2674 nla_nest_end(skb, nest);
2675 return 0;
2676
2677 nla_put_failure:
2678 return -1;
2679 }
2680
2681 struct nft_expr_info {
2682 const struct nft_expr_ops *ops;
2683 const struct nlattr *attr;
2684 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2685 };
2686
2687 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2688 const struct nlattr *nla,
2689 struct nft_expr_info *info)
2690 {
2691 const struct nft_expr_type *type;
2692 const struct nft_expr_ops *ops;
2693 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2694 int err;
2695
2696 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2697 nft_expr_policy, NULL);
2698 if (err < 0)
2699 return err;
2700
2701 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2702 if (IS_ERR(type))
2703 return PTR_ERR(type);
2704
2705 if (tb[NFTA_EXPR_DATA]) {
2706 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2707 tb[NFTA_EXPR_DATA],
2708 type->policy, NULL);
2709 if (err < 0)
2710 goto err1;
2711 } else
2712 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2713
2714 if (type->select_ops != NULL) {
2715 ops = type->select_ops(ctx,
2716 (const struct nlattr * const *)info->tb);
2717 if (IS_ERR(ops)) {
2718 err = PTR_ERR(ops);
2719 #ifdef CONFIG_MODULES
2720 if (err == -EAGAIN)
2721 if (nft_expr_type_request_module(ctx->net,
2722 ctx->family,
2723 tb[NFTA_EXPR_NAME]) != -EAGAIN)
2724 err = -ENOENT;
2725 #endif
2726 goto err1;
2727 }
2728 } else
2729 ops = type->ops;
2730
2731 info->attr = nla;
2732 info->ops = ops;
2733
2734 return 0;
2735
2736 err1:
2737 module_put(type->owner);
2738 return err;
2739 }
2740
2741 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2742 const struct nft_expr_info *expr_info,
2743 struct nft_expr *expr)
2744 {
2745 const struct nft_expr_ops *ops = expr_info->ops;
2746 int err;
2747
2748 expr->ops = ops;
2749 if (ops->init) {
2750 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb);
2751 if (err < 0)
2752 goto err1;
2753 }
2754
2755 return 0;
2756 err1:
2757 expr->ops = NULL;
2758 return err;
2759 }
2760
2761 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2762 struct nft_expr *expr)
2763 {
2764 const struct nft_expr_type *type = expr->ops->type;
2765
2766 if (expr->ops->destroy)
2767 expr->ops->destroy(ctx, expr);
2768 module_put(type->owner);
2769 }
2770
2771 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2772 const struct nlattr *nla)
2773 {
2774 struct nft_expr_info expr_info;
2775 struct nft_expr *expr;
2776 struct module *owner;
2777 int err;
2778
2779 err = nf_tables_expr_parse(ctx, nla, &expr_info);
2780 if (err < 0)
2781 goto err_expr_parse;
2782
2783 err = -EOPNOTSUPP;
2784 if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL))
2785 goto err_expr_stateful;
2786
2787 err = -ENOMEM;
2788 expr = kzalloc(expr_info.ops->size, GFP_KERNEL);
2789 if (expr == NULL)
2790 goto err_expr_stateful;
2791
2792 err = nf_tables_newexpr(ctx, &expr_info, expr);
2793 if (err < 0)
2794 goto err_expr_new;
2795
2796 return expr;
2797 err_expr_new:
2798 kfree(expr);
2799 err_expr_stateful:
2800 owner = expr_info.ops->type->owner;
2801 if (expr_info.ops->type->release_ops)
2802 expr_info.ops->type->release_ops(expr_info.ops);
2803
2804 module_put(owner);
2805 err_expr_parse:
2806 return ERR_PTR(err);
2807 }
2808
2809 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
2810 {
2811 int err;
2812
2813 if (src->ops->clone) {
2814 dst->ops = src->ops;
2815 err = src->ops->clone(dst, src);
2816 if (err < 0)
2817 return err;
2818 } else {
2819 memcpy(dst, src, src->ops->size);
2820 }
2821
2822 __module_get(src->ops->type->owner);
2823
2824 return 0;
2825 }
2826
2827 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2828 {
2829 nf_tables_expr_destroy(ctx, expr);
2830 kfree(expr);
2831 }
2832
2833 /*
2834 * Rules
2835 */
2836
2837 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2838 u64 handle)
2839 {
2840 struct nft_rule *rule;
2841
2842 // FIXME: this sucks
2843 list_for_each_entry_rcu(rule, &chain->rules, list) {
2844 if (handle == rule->handle)
2845 return rule;
2846 }
2847
2848 return ERR_PTR(-ENOENT);
2849 }
2850
2851 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2852 const struct nlattr *nla)
2853 {
2854 if (nla == NULL)
2855 return ERR_PTR(-EINVAL);
2856
2857 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2858 }
2859
2860 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2861 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2862 .len = NFT_TABLE_MAXNAMELEN - 1 },
2863 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2864 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2865 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2866 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2867 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2868 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2869 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2870 .len = NFT_USERDATA_MAXLEN },
2871 [NFTA_RULE_ID] = { .type = NLA_U32 },
2872 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2873 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
2874 };
2875
2876 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2877 u32 portid, u32 seq, int event,
2878 u32 flags, int family,
2879 const struct nft_table *table,
2880 const struct nft_chain *chain,
2881 const struct nft_rule *rule, u64 handle)
2882 {
2883 struct nlmsghdr *nlh;
2884 const struct nft_expr *expr, *next;
2885 struct nlattr *list;
2886 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2887
2888 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0,
2889 nft_base_seq(net));
2890 if (!nlh)
2891 goto nla_put_failure;
2892
2893 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2894 goto nla_put_failure;
2895 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2896 goto nla_put_failure;
2897 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2898 NFTA_RULE_PAD))
2899 goto nla_put_failure;
2900
2901 if (event != NFT_MSG_DELRULE && handle) {
2902 if (nla_put_be64(skb, NFTA_RULE_POSITION, cpu_to_be64(handle),
2903 NFTA_RULE_PAD))
2904 goto nla_put_failure;
2905 }
2906
2907 if (chain->flags & NFT_CHAIN_HW_OFFLOAD)
2908 nft_flow_rule_stats(chain, rule);
2909
2910 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
2911 if (list == NULL)
2912 goto nla_put_failure;
2913 nft_rule_for_each_expr(expr, next, rule) {
2914 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2915 goto nla_put_failure;
2916 }
2917 nla_nest_end(skb, list);
2918
2919 if (rule->udata) {
2920 struct nft_userdata *udata = nft_userdata(rule);
2921 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2922 udata->data) < 0)
2923 goto nla_put_failure;
2924 }
2925
2926 nlmsg_end(skb, nlh);
2927 return 0;
2928
2929 nla_put_failure:
2930 nlmsg_trim(skb, nlh);
2931 return -1;
2932 }
2933
2934 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2935 const struct nft_rule *rule, int event)
2936 {
2937 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
2938 const struct nft_rule *prule;
2939 struct sk_buff *skb;
2940 u64 handle = 0;
2941 u16 flags = 0;
2942 int err;
2943
2944 if (!ctx->report &&
2945 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2946 return;
2947
2948 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2949 if (skb == NULL)
2950 goto err;
2951
2952 if (event == NFT_MSG_NEWRULE &&
2953 !list_is_first(&rule->list, &ctx->chain->rules) &&
2954 !list_is_last(&rule->list, &ctx->chain->rules)) {
2955 prule = list_prev_entry(rule, list);
2956 handle = prule->handle;
2957 }
2958 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE))
2959 flags |= NLM_F_APPEND;
2960 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
2961 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
2962
2963 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2964 event, flags, ctx->family, ctx->table,
2965 ctx->chain, rule, handle);
2966 if (err < 0) {
2967 kfree_skb(skb);
2968 goto err;
2969 }
2970
2971 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
2972 return;
2973 err:
2974 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2975 }
2976
2977 struct nft_rule_dump_ctx {
2978 char *table;
2979 char *chain;
2980 };
2981
2982 static int __nf_tables_dump_rules(struct sk_buff *skb,
2983 unsigned int *idx,
2984 struct netlink_callback *cb,
2985 const struct nft_table *table,
2986 const struct nft_chain *chain)
2987 {
2988 struct net *net = sock_net(skb->sk);
2989 const struct nft_rule *rule, *prule;
2990 unsigned int s_idx = cb->args[0];
2991 u64 handle;
2992
2993 prule = NULL;
2994 list_for_each_entry_rcu(rule, &chain->rules, list) {
2995 if (!nft_is_active(net, rule))
2996 goto cont_skip;
2997 if (*idx < s_idx)
2998 goto cont;
2999 if (*idx > s_idx) {
3000 memset(&cb->args[1], 0,
3001 sizeof(cb->args) - sizeof(cb->args[0]));
3002 }
3003 if (prule)
3004 handle = prule->handle;
3005 else
3006 handle = 0;
3007
3008 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
3009 cb->nlh->nlmsg_seq,
3010 NFT_MSG_NEWRULE,
3011 NLM_F_MULTI | NLM_F_APPEND,
3012 table->family,
3013 table, chain, rule, handle) < 0)
3014 return 1;
3015
3016 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3017 cont:
3018 prule = rule;
3019 cont_skip:
3020 (*idx)++;
3021 }
3022 return 0;
3023 }
3024
3025 static int nf_tables_dump_rules(struct sk_buff *skb,
3026 struct netlink_callback *cb)
3027 {
3028 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
3029 const struct nft_rule_dump_ctx *ctx = cb->data;
3030 struct nft_table *table;
3031 const struct nft_chain *chain;
3032 unsigned int idx = 0;
3033 struct net *net = sock_net(skb->sk);
3034 int family = nfmsg->nfgen_family;
3035 struct nftables_pernet *nft_net;
3036
3037 rcu_read_lock();
3038 nft_net = nft_pernet(net);
3039 cb->seq = nft_net->base_seq;
3040
3041 list_for_each_entry_rcu(table, &nft_net->tables, list) {
3042 if (family != NFPROTO_UNSPEC && family != table->family)
3043 continue;
3044
3045 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
3046 continue;
3047
3048 if (ctx && ctx->table && ctx->chain) {
3049 struct rhlist_head *list, *tmp;
3050
3051 list = rhltable_lookup(&table->chains_ht, ctx->chain,
3052 nft_chain_ht_params);
3053 if (!list)
3054 goto done;
3055
3056 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
3057 if (!nft_is_active(net, chain))
3058 continue;
3059 __nf_tables_dump_rules(skb, &idx,
3060 cb, table, chain);
3061 break;
3062 }
3063 goto done;
3064 }
3065
3066 list_for_each_entry_rcu(chain, &table->chains, list) {
3067 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
3068 goto done;
3069 }
3070
3071 if (ctx && ctx->table)
3072 break;
3073 }
3074 done:
3075 rcu_read_unlock();
3076
3077 cb->args[0] = idx;
3078 return skb->len;
3079 }
3080
3081 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
3082 {
3083 const struct nlattr * const *nla = cb->data;
3084 struct nft_rule_dump_ctx *ctx = NULL;
3085
3086 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
3087 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
3088 if (!ctx)
3089 return -ENOMEM;
3090
3091 if (nla[NFTA_RULE_TABLE]) {
3092 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
3093 GFP_ATOMIC);
3094 if (!ctx->table) {
3095 kfree(ctx);
3096 return -ENOMEM;
3097 }
3098 }
3099 if (nla[NFTA_RULE_CHAIN]) {
3100 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
3101 GFP_ATOMIC);
3102 if (!ctx->chain) {
3103 kfree(ctx->table);
3104 kfree(ctx);
3105 return -ENOMEM;
3106 }
3107 }
3108 }
3109
3110 cb->data = ctx;
3111 return 0;
3112 }
3113
3114 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3115 {
3116 struct nft_rule_dump_ctx *ctx = cb->data;
3117
3118 if (ctx) {
3119 kfree(ctx->table);
3120 kfree(ctx->chain);
3121 kfree(ctx);
3122 }
3123 return 0;
3124 }
3125
3126 /* called with rcu_read_lock held */
3127 static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info,
3128 const struct nlattr * const nla[])
3129 {
3130 struct netlink_ext_ack *extack = info->extack;
3131 u8 genmask = nft_genmask_cur(info->net);
3132 u8 family = info->nfmsg->nfgen_family;
3133 const struct nft_chain *chain;
3134 const struct nft_rule *rule;
3135 struct net *net = info->net;
3136 struct nft_table *table;
3137 struct sk_buff *skb2;
3138 int err;
3139
3140 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3141 struct netlink_dump_control c = {
3142 .start= nf_tables_dump_rules_start,
3143 .dump = nf_tables_dump_rules,
3144 .done = nf_tables_dump_rules_done,
3145 .module = THIS_MODULE,
3146 .data = (void *)nla,
3147 };
3148
3149 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
3150 }
3151
3152 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0);
3153 if (IS_ERR(table)) {
3154 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3155 return PTR_ERR(table);
3156 }
3157
3158 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3159 if (IS_ERR(chain)) {
3160 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3161 return PTR_ERR(chain);
3162 }
3163
3164 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3165 if (IS_ERR(rule)) {
3166 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3167 return PTR_ERR(rule);
3168 }
3169
3170 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3171 if (!skb2)
3172 return -ENOMEM;
3173
3174 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
3175 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3176 family, table, chain, rule, 0);
3177 if (err < 0)
3178 goto err_fill_rule_info;
3179
3180 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
3181
3182 err_fill_rule_info:
3183 kfree_skb(skb2);
3184 return err;
3185 }
3186
3187 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
3188 struct nft_rule *rule)
3189 {
3190 struct nft_expr *expr, *next;
3191
3192 /*
3193 * Careful: some expressions might not be initialized in case this
3194 * is called on error from nf_tables_newrule().
3195 */
3196 expr = nft_expr_first(rule);
3197 while (nft_expr_more(rule, expr)) {
3198 next = nft_expr_next(expr);
3199 nf_tables_expr_destroy(ctx, expr);
3200 expr = next;
3201 }
3202 kfree(rule);
3203 }
3204
3205 void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3206 {
3207 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
3208 nf_tables_rule_destroy(ctx, rule);
3209 }
3210
3211 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
3212 {
3213 struct nft_expr *expr, *last;
3214 const struct nft_data *data;
3215 struct nft_rule *rule;
3216 int err;
3217
3218 if (ctx->level == NFT_JUMP_STACK_SIZE)
3219 return -EMLINK;
3220
3221 list_for_each_entry(rule, &chain->rules, list) {
3222 if (!nft_is_active_next(ctx->net, rule))
3223 continue;
3224
3225 nft_rule_for_each_expr(expr, last, rule) {
3226 if (!expr->ops->validate)
3227 continue;
3228
3229 err = expr->ops->validate(ctx, expr, &data);
3230 if (err < 0)
3231 return err;
3232 }
3233 }
3234
3235 return 0;
3236 }
3237 EXPORT_SYMBOL_GPL(nft_chain_validate);
3238
3239 static int nft_table_validate(struct net *net, const struct nft_table *table)
3240 {
3241 struct nft_chain *chain;
3242 struct nft_ctx ctx = {
3243 .net = net,
3244 .family = table->family,
3245 };
3246 int err;
3247
3248 list_for_each_entry(chain, &table->chains, list) {
3249 if (!nft_is_base_chain(chain))
3250 continue;
3251
3252 ctx.chain = chain;
3253 err = nft_chain_validate(&ctx, chain);
3254 if (err < 0)
3255 return err;
3256 }
3257
3258 return 0;
3259 }
3260
3261 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3262 const struct nlattr *nla);
3263
3264 #define NFT_RULE_MAXEXPRS 128
3265
3266 static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
3267 const struct nlattr * const nla[])
3268 {
3269 struct nftables_pernet *nft_net = nft_pernet(info->net);
3270 struct netlink_ext_ack *extack = info->extack;
3271 unsigned int size, i, n, ulen = 0, usize = 0;
3272 u8 genmask = nft_genmask_next(info->net);
3273 struct nft_rule *rule, *old_rule = NULL;
3274 struct nft_expr_info *expr_info = NULL;
3275 u8 family = info->nfmsg->nfgen_family;
3276 struct nft_flow_rule *flow = NULL;
3277 struct net *net = info->net;
3278 struct nft_userdata *udata;
3279 struct nft_table *table;
3280 struct nft_chain *chain;
3281 struct nft_trans *trans;
3282 u64 handle, pos_handle;
3283 struct nft_expr *expr;
3284 struct nft_ctx ctx;
3285 struct nlattr *tmp;
3286 int err, rem;
3287
3288 lockdep_assert_held(&nft_net->commit_mutex);
3289
3290 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3291 NETLINK_CB(skb).portid);
3292 if (IS_ERR(table)) {
3293 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3294 return PTR_ERR(table);
3295 }
3296
3297 if (nla[NFTA_RULE_CHAIN]) {
3298 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3299 genmask);
3300 if (IS_ERR(chain)) {
3301 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3302 return PTR_ERR(chain);
3303 }
3304 if (nft_chain_is_bound(chain))
3305 return -EOPNOTSUPP;
3306
3307 } else if (nla[NFTA_RULE_CHAIN_ID]) {
3308 chain = nft_chain_lookup_byid(net, nla[NFTA_RULE_CHAIN_ID]);
3309 if (IS_ERR(chain)) {
3310 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
3311 return PTR_ERR(chain);
3312 }
3313 } else {
3314 return -EINVAL;
3315 }
3316
3317 if (nla[NFTA_RULE_HANDLE]) {
3318 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3319 rule = __nft_rule_lookup(chain, handle);
3320 if (IS_ERR(rule)) {
3321 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3322 return PTR_ERR(rule);
3323 }
3324
3325 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
3326 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3327 return -EEXIST;
3328 }
3329 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
3330 old_rule = rule;
3331 else
3332 return -EOPNOTSUPP;
3333 } else {
3334 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) ||
3335 info->nlh->nlmsg_flags & NLM_F_REPLACE)
3336 return -EINVAL;
3337 handle = nf_tables_alloc_handle(table);
3338
3339 if (chain->use == UINT_MAX)
3340 return -EOVERFLOW;
3341
3342 if (nla[NFTA_RULE_POSITION]) {
3343 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3344 old_rule = __nft_rule_lookup(chain, pos_handle);
3345 if (IS_ERR(old_rule)) {
3346 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3347 return PTR_ERR(old_rule);
3348 }
3349 } else if (nla[NFTA_RULE_POSITION_ID]) {
3350 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
3351 if (IS_ERR(old_rule)) {
3352 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3353 return PTR_ERR(old_rule);
3354 }
3355 }
3356 }
3357
3358 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
3359
3360 n = 0;
3361 size = 0;
3362 if (nla[NFTA_RULE_EXPRESSIONS]) {
3363 expr_info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3364 sizeof(struct nft_expr_info),
3365 GFP_KERNEL);
3366 if (!expr_info)
3367 return -ENOMEM;
3368
3369 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3370 err = -EINVAL;
3371 if (nla_type(tmp) != NFTA_LIST_ELEM)
3372 goto err_release_expr;
3373 if (n == NFT_RULE_MAXEXPRS)
3374 goto err_release_expr;
3375 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]);
3376 if (err < 0) {
3377 NL_SET_BAD_ATTR(extack, tmp);
3378 goto err_release_expr;
3379 }
3380 size += expr_info[n].ops->size;
3381 n++;
3382 }
3383 }
3384 /* Check for overflow of dlen field */
3385 err = -EFBIG;
3386 if (size >= 1 << 12)
3387 goto err_release_expr;
3388
3389 if (nla[NFTA_RULE_USERDATA]) {
3390 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3391 if (ulen > 0)
3392 usize = sizeof(struct nft_userdata) + ulen;
3393 }
3394
3395 err = -ENOMEM;
3396 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
3397 if (rule == NULL)
3398 goto err_release_expr;
3399
3400 nft_activate_next(net, rule);
3401
3402 rule->handle = handle;
3403 rule->dlen = size;
3404 rule->udata = ulen ? 1 : 0;
3405
3406 if (ulen) {
3407 udata = nft_userdata(rule);
3408 udata->len = ulen - 1;
3409 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
3410 }
3411
3412 expr = nft_expr_first(rule);
3413 for (i = 0; i < n; i++) {
3414 err = nf_tables_newexpr(&ctx, &expr_info[i], expr);
3415 if (err < 0) {
3416 NL_SET_BAD_ATTR(extack, expr_info[i].attr);
3417 goto err_release_rule;
3418 }
3419
3420 if (expr_info[i].ops->validate)
3421 nft_validate_state_update(net, NFT_VALIDATE_NEED);
3422
3423 expr_info[i].ops = NULL;
3424 expr = nft_expr_next(expr);
3425 }
3426
3427 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
3428 flow = nft_flow_rule_create(net, rule);
3429 if (IS_ERR(flow)) {
3430 err = PTR_ERR(flow);
3431 goto err_release_rule;
3432 }
3433 }
3434
3435 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
3436 err = nft_delrule(&ctx, old_rule);
3437 if (err < 0)
3438 goto err_destroy_flow_rule;
3439
3440 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3441 if (trans == NULL) {
3442 err = -ENOMEM;
3443 goto err_destroy_flow_rule;
3444 }
3445 list_add_tail_rcu(&rule->list, &old_rule->list);
3446 } else {
3447 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3448 if (!trans) {
3449 err = -ENOMEM;
3450 goto err_destroy_flow_rule;
3451 }
3452
3453 if (info->nlh->nlmsg_flags & NLM_F_APPEND) {
3454 if (old_rule)
3455 list_add_rcu(&rule->list, &old_rule->list);
3456 else
3457 list_add_tail_rcu(&rule->list, &chain->rules);
3458 } else {
3459 if (old_rule)
3460 list_add_tail_rcu(&rule->list, &old_rule->list);
3461 else
3462 list_add_rcu(&rule->list, &chain->rules);
3463 }
3464 }
3465 kvfree(expr_info);
3466 chain->use++;
3467
3468 if (flow)
3469 nft_trans_flow_rule(trans) = flow;
3470
3471 if (nft_net->validate_state == NFT_VALIDATE_DO)
3472 return nft_table_validate(net, table);
3473
3474 return 0;
3475
3476 err_destroy_flow_rule:
3477 if (flow)
3478 nft_flow_rule_destroy(flow);
3479 err_release_rule:
3480 nf_tables_rule_release(&ctx, rule);
3481 err_release_expr:
3482 for (i = 0; i < n; i++) {
3483 if (expr_info[i].ops) {
3484 module_put(expr_info[i].ops->type->owner);
3485 if (expr_info[i].ops->type->release_ops)
3486 expr_info[i].ops->type->release_ops(expr_info[i].ops);
3487 }
3488 }
3489 kvfree(expr_info);
3490
3491 return err;
3492 }
3493
3494 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3495 const struct nlattr *nla)
3496 {
3497 struct nftables_pernet *nft_net = nft_pernet(net);
3498 u32 id = ntohl(nla_get_be32(nla));
3499 struct nft_trans *trans;
3500
3501 list_for_each_entry(trans, &nft_net->commit_list, list) {
3502 struct nft_rule *rule = nft_trans_rule(trans);
3503
3504 if (trans->msg_type == NFT_MSG_NEWRULE &&
3505 id == nft_trans_rule_id(trans))
3506 return rule;
3507 }
3508 return ERR_PTR(-ENOENT);
3509 }
3510
3511 static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
3512 const struct nlattr * const nla[])
3513 {
3514 struct netlink_ext_ack *extack = info->extack;
3515 u8 genmask = nft_genmask_next(info->net);
3516 u8 family = info->nfmsg->nfgen_family;
3517 struct nft_chain *chain = NULL;
3518 struct net *net = info->net;
3519 struct nft_table *table;
3520 struct nft_rule *rule;
3521 struct nft_ctx ctx;
3522 int err = 0;
3523
3524 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3525 NETLINK_CB(skb).portid);
3526 if (IS_ERR(table)) {
3527 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3528 return PTR_ERR(table);
3529 }
3530
3531 if (nla[NFTA_RULE_CHAIN]) {
3532 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3533 genmask);
3534 if (IS_ERR(chain)) {
3535 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3536 return PTR_ERR(chain);
3537 }
3538 if (nft_chain_is_bound(chain))
3539 return -EOPNOTSUPP;
3540 }
3541
3542 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
3543
3544 if (chain) {
3545 if (nla[NFTA_RULE_HANDLE]) {
3546 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3547 if (IS_ERR(rule)) {
3548 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3549 return PTR_ERR(rule);
3550 }
3551
3552 err = nft_delrule(&ctx, rule);
3553 } else if (nla[NFTA_RULE_ID]) {
3554 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
3555 if (IS_ERR(rule)) {
3556 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
3557 return PTR_ERR(rule);
3558 }
3559
3560 err = nft_delrule(&ctx, rule);
3561 } else {
3562 err = nft_delrule_by_chain(&ctx);
3563 }
3564 } else {
3565 list_for_each_entry(chain, &table->chains, list) {
3566 if (!nft_is_active_next(net, chain))
3567 continue;
3568
3569 ctx.chain = chain;
3570 err = nft_delrule_by_chain(&ctx);
3571 if (err < 0)
3572 break;
3573 }
3574 }
3575
3576 return err;
3577 }
3578
3579 /*
3580 * Sets
3581 */
3582 static const struct nft_set_type *nft_set_types[] = {
3583 &nft_set_hash_fast_type,
3584 &nft_set_hash_type,
3585 &nft_set_rhash_type,
3586 &nft_set_bitmap_type,
3587 &nft_set_rbtree_type,
3588 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
3589 &nft_set_pipapo_avx2_type,
3590 #endif
3591 &nft_set_pipapo_type,
3592 };
3593
3594 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3595 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3596 NFT_SET_EVAL)
3597
3598 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
3599 {
3600 return (flags & type->features) == (flags & NFT_SET_FEATURES);
3601 }
3602
3603 /*
3604 * Select a set implementation based on the data characteristics and the
3605 * given policy. The total memory use might not be known if no size is
3606 * given, in that case the amount of memory per element is used.
3607 */
3608 static const struct nft_set_ops *
3609 nft_select_set_ops(const struct nft_ctx *ctx,
3610 const struct nlattr * const nla[],
3611 const struct nft_set_desc *desc,
3612 enum nft_set_policies policy)
3613 {
3614 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
3615 const struct nft_set_ops *ops, *bops;
3616 struct nft_set_estimate est, best;
3617 const struct nft_set_type *type;
3618 u32 flags = 0;
3619 int i;
3620
3621 lockdep_assert_held(&nft_net->commit_mutex);
3622 lockdep_nfnl_nft_mutex_not_held();
3623
3624 if (nla[NFTA_SET_FLAGS] != NULL)
3625 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3626
3627 bops = NULL;
3628 best.size = ~0;
3629 best.lookup = ~0;
3630 best.space = ~0;
3631
3632 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
3633 type = nft_set_types[i];
3634 ops = &type->ops;
3635
3636 if (!nft_set_ops_candidate(type, flags))
3637 continue;
3638 if (!ops->estimate(desc, flags, &est))
3639 continue;
3640
3641 switch (policy) {
3642 case NFT_SET_POL_PERFORMANCE:
3643 if (est.lookup < best.lookup)
3644 break;
3645 if (est.lookup == best.lookup &&
3646 est.space < best.space)
3647 break;
3648 continue;
3649 case NFT_SET_POL_MEMORY:
3650 if (!desc->size) {
3651 if (est.space < best.space)
3652 break;
3653 if (est.space == best.space &&
3654 est.lookup < best.lookup)
3655 break;
3656 } else if (est.size < best.size || !bops) {
3657 break;
3658 }
3659 continue;
3660 default:
3661 break;
3662 }
3663
3664 bops = ops;
3665 best = est;
3666 }
3667
3668 if (bops != NULL)
3669 return bops;
3670
3671 return ERR_PTR(-EOPNOTSUPP);
3672 }
3673
3674 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3675 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3676 .len = NFT_TABLE_MAXNAMELEN - 1 },
3677 [NFTA_SET_NAME] = { .type = NLA_STRING,
3678 .len = NFT_SET_MAXNAMELEN - 1 },
3679 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3680 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3681 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3682 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3683 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3684 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3685 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3686 [NFTA_SET_ID] = { .type = NLA_U32 },
3687 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3688 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3689 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3690 .len = NFT_USERDATA_MAXLEN },
3691 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3692 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3693 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
3694 [NFTA_SET_EXPRESSIONS] = { .type = NLA_NESTED },
3695 };
3696
3697 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3698 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3699 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED },
3700 };
3701
3702 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3703 const struct nlattr *nla, u8 genmask)
3704 {
3705 struct nft_set *set;
3706
3707 if (nla == NULL)
3708 return ERR_PTR(-EINVAL);
3709
3710 list_for_each_entry_rcu(set, &table->sets, list) {
3711 if (!nla_strcmp(nla, set->name) &&
3712 nft_active_genmask(set, genmask))
3713 return set;
3714 }
3715 return ERR_PTR(-ENOENT);
3716 }
3717
3718 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3719 const struct nlattr *nla,
3720 u8 genmask)
3721 {
3722 struct nft_set *set;
3723
3724 list_for_each_entry(set, &table->sets, list) {
3725 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3726 nft_active_genmask(set, genmask))
3727 return set;
3728 }
3729 return ERR_PTR(-ENOENT);
3730 }
3731
3732 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3733 const struct nlattr *nla, u8 genmask)
3734 {
3735 struct nftables_pernet *nft_net = nft_pernet(net);
3736 u32 id = ntohl(nla_get_be32(nla));
3737 struct nft_trans *trans;
3738
3739 list_for_each_entry(trans, &nft_net->commit_list, list) {
3740 if (trans->msg_type == NFT_MSG_NEWSET) {
3741 struct nft_set *set = nft_trans_set(trans);
3742
3743 if (id == nft_trans_set_id(trans) &&
3744 nft_active_genmask(set, genmask))
3745 return set;
3746 }
3747 }
3748 return ERR_PTR(-ENOENT);
3749 }
3750
3751 struct nft_set *nft_set_lookup_global(const struct net *net,
3752 const struct nft_table *table,
3753 const struct nlattr *nla_set_name,
3754 const struct nlattr *nla_set_id,
3755 u8 genmask)
3756 {
3757 struct nft_set *set;
3758
3759 set = nft_set_lookup(table, nla_set_name, genmask);
3760 if (IS_ERR(set)) {
3761 if (!nla_set_id)
3762 return set;
3763
3764 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3765 }
3766 return set;
3767 }
3768 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3769
3770 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3771 const char *name)
3772 {
3773 const struct nft_set *i;
3774 const char *p;
3775 unsigned long *inuse;
3776 unsigned int n = 0, min = 0;
3777
3778 p = strchr(name, '%');
3779 if (p != NULL) {
3780 if (p[1] != 'd' || strchr(p + 2, '%'))
3781 return -EINVAL;
3782
3783 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3784 if (inuse == NULL)
3785 return -ENOMEM;
3786 cont:
3787 list_for_each_entry(i, &ctx->table->sets, list) {
3788 int tmp;
3789
3790 if (!nft_is_active_next(ctx->net, set))
3791 continue;
3792 if (!sscanf(i->name, name, &tmp))
3793 continue;
3794 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3795 continue;
3796
3797 set_bit(tmp - min, inuse);
3798 }
3799
3800 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3801 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3802 min += BITS_PER_BYTE * PAGE_SIZE;
3803 memset(inuse, 0, PAGE_SIZE);
3804 goto cont;
3805 }
3806 free_page((unsigned long)inuse);
3807 }
3808
3809 set->name = kasprintf(GFP_KERNEL, name, min + n);
3810 if (!set->name)
3811 return -ENOMEM;
3812
3813 list_for_each_entry(i, &ctx->table->sets, list) {
3814 if (!nft_is_active_next(ctx->net, i))
3815 continue;
3816 if (!strcmp(set->name, i->name)) {
3817 kfree(set->name);
3818 set->name = NULL;
3819 return -ENFILE;
3820 }
3821 }
3822 return 0;
3823 }
3824
3825 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3826 {
3827 u64 ms = be64_to_cpu(nla_get_be64(nla));
3828 u64 max = (u64)(~((u64)0));
3829
3830 max = div_u64(max, NSEC_PER_MSEC);
3831 if (ms >= max)
3832 return -ERANGE;
3833
3834 ms *= NSEC_PER_MSEC;
3835 *result = nsecs_to_jiffies64(ms);
3836 return 0;
3837 }
3838
3839 __be64 nf_jiffies64_to_msecs(u64 input)
3840 {
3841 return cpu_to_be64(jiffies64_to_msecs(input));
3842 }
3843
3844 static int nf_tables_fill_set_concat(struct sk_buff *skb,
3845 const struct nft_set *set)
3846 {
3847 struct nlattr *concat, *field;
3848 int i;
3849
3850 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
3851 if (!concat)
3852 return -ENOMEM;
3853
3854 for (i = 0; i < set->field_count; i++) {
3855 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
3856 if (!field)
3857 return -ENOMEM;
3858
3859 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
3860 htonl(set->field_len[i])))
3861 return -ENOMEM;
3862
3863 nla_nest_end(skb, field);
3864 }
3865
3866 nla_nest_end(skb, concat);
3867
3868 return 0;
3869 }
3870
3871 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3872 const struct nft_set *set, u16 event, u16 flags)
3873 {
3874 struct nlmsghdr *nlh;
3875 u32 portid = ctx->portid;
3876 struct nlattr *nest;
3877 u32 seq = ctx->seq;
3878 int i;
3879
3880 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3881 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
3882 NFNETLINK_V0, nft_base_seq(ctx->net));
3883 if (!nlh)
3884 goto nla_put_failure;
3885
3886 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3887 goto nla_put_failure;
3888 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3889 goto nla_put_failure;
3890 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3891 NFTA_SET_PAD))
3892 goto nla_put_failure;
3893 if (set->flags != 0)
3894 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3895 goto nla_put_failure;
3896
3897 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3898 goto nla_put_failure;
3899 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3900 goto nla_put_failure;
3901 if (set->flags & NFT_SET_MAP) {
3902 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3903 goto nla_put_failure;
3904 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3905 goto nla_put_failure;
3906 }
3907 if (set->flags & NFT_SET_OBJECT &&
3908 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3909 goto nla_put_failure;
3910
3911 if (set->timeout &&
3912 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3913 nf_jiffies64_to_msecs(set->timeout),
3914 NFTA_SET_PAD))
3915 goto nla_put_failure;
3916 if (set->gc_int &&
3917 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3918 goto nla_put_failure;
3919
3920 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3921 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3922 goto nla_put_failure;
3923 }
3924
3925 if (set->udata &&
3926 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3927 goto nla_put_failure;
3928
3929 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
3930 if (!nest)
3931 goto nla_put_failure;
3932 if (set->size &&
3933 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3934 goto nla_put_failure;
3935
3936 if (set->field_count > 1 &&
3937 nf_tables_fill_set_concat(skb, set))
3938 goto nla_put_failure;
3939
3940 nla_nest_end(skb, nest);
3941
3942 if (set->num_exprs == 1) {
3943 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
3944 if (nf_tables_fill_expr_info(skb, set->exprs[0]) < 0)
3945 goto nla_put_failure;
3946
3947 nla_nest_end(skb, nest);
3948 } else if (set->num_exprs > 1) {
3949 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS);
3950 if (nest == NULL)
3951 goto nla_put_failure;
3952
3953 for (i = 0; i < set->num_exprs; i++) {
3954 if (nft_expr_dump(skb, NFTA_LIST_ELEM,
3955 set->exprs[i]) < 0)
3956 goto nla_put_failure;
3957 }
3958 nla_nest_end(skb, nest);
3959 }
3960
3961 nlmsg_end(skb, nlh);
3962 return 0;
3963
3964 nla_put_failure:
3965 nlmsg_trim(skb, nlh);
3966 return -1;
3967 }
3968
3969 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3970 const struct nft_set *set, int event,
3971 gfp_t gfp_flags)
3972 {
3973 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
3974 u32 portid = ctx->portid;
3975 struct sk_buff *skb;
3976 u16 flags = 0;
3977 int err;
3978
3979 if (!ctx->report &&
3980 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3981 return;
3982
3983 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3984 if (skb == NULL)
3985 goto err;
3986
3987 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
3988 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
3989
3990 err = nf_tables_fill_set(skb, ctx, set, event, flags);
3991 if (err < 0) {
3992 kfree_skb(skb);
3993 goto err;
3994 }
3995
3996 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
3997 return;
3998 err:
3999 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4000 }
4001
4002 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
4003 {
4004 const struct nft_set *set;
4005 unsigned int idx, s_idx = cb->args[0];
4006 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
4007 struct net *net = sock_net(skb->sk);
4008 struct nft_ctx *ctx = cb->data, ctx_set;
4009 struct nftables_pernet *nft_net;
4010
4011 if (cb->args[1])
4012 return skb->len;
4013
4014 rcu_read_lock();
4015 nft_net = nft_pernet(net);
4016 cb->seq = nft_net->base_seq;
4017
4018 list_for_each_entry_rcu(table, &nft_net->tables, list) {
4019 if (ctx->family != NFPROTO_UNSPEC &&
4020 ctx->family != table->family)
4021 continue;
4022
4023 if (ctx->table && ctx->table != table)
4024 continue;
4025
4026 if (cur_table) {
4027 if (cur_table != table)
4028 continue;
4029
4030 cur_table = NULL;
4031 }
4032 idx = 0;
4033 list_for_each_entry_rcu(set, &table->sets, list) {
4034 if (idx < s_idx)
4035 goto cont;
4036 if (!nft_is_active(net, set))
4037 goto cont;
4038
4039 ctx_set = *ctx;
4040 ctx_set.table = table;
4041 ctx_set.family = table->family;
4042
4043 if (nf_tables_fill_set(skb, &ctx_set, set,
4044 NFT_MSG_NEWSET,
4045 NLM_F_MULTI) < 0) {
4046 cb->args[0] = idx;
4047 cb->args[2] = (unsigned long) table;
4048 goto done;
4049 }
4050 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4051 cont:
4052 idx++;
4053 }
4054 if (s_idx)
4055 s_idx = 0;
4056 }
4057 cb->args[1] = 1;
4058 done:
4059 rcu_read_unlock();
4060 return skb->len;
4061 }
4062
4063 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
4064 {
4065 struct nft_ctx *ctx_dump = NULL;
4066
4067 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
4068 if (ctx_dump == NULL)
4069 return -ENOMEM;
4070
4071 cb->data = ctx_dump;
4072 return 0;
4073 }
4074
4075 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
4076 {
4077 kfree(cb->data);
4078 return 0;
4079 }
4080
4081 /* called with rcu_read_lock held */
4082 static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info,
4083 const struct nlattr * const nla[])
4084 {
4085 struct netlink_ext_ack *extack = info->extack;
4086 u8 genmask = nft_genmask_cur(info->net);
4087 u8 family = info->nfmsg->nfgen_family;
4088 struct nft_table *table = NULL;
4089 struct net *net = info->net;
4090 const struct nft_set *set;
4091 struct sk_buff *skb2;
4092 struct nft_ctx ctx;
4093 int err;
4094
4095 if (nla[NFTA_SET_TABLE]) {
4096 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
4097 genmask, 0);
4098 if (IS_ERR(table)) {
4099 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4100 return PTR_ERR(table);
4101 }
4102 }
4103
4104 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
4105
4106 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
4107 struct netlink_dump_control c = {
4108 .start = nf_tables_dump_sets_start,
4109 .dump = nf_tables_dump_sets,
4110 .done = nf_tables_dump_sets_done,
4111 .data = &ctx,
4112 .module = THIS_MODULE,
4113 };
4114
4115 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
4116 }
4117
4118 /* Only accept unspec with dump */
4119 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
4120 return -EAFNOSUPPORT;
4121 if (!nla[NFTA_SET_TABLE])
4122 return -EINVAL;
4123
4124 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4125 if (IS_ERR(set))
4126 return PTR_ERR(set);
4127
4128 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
4129 if (skb2 == NULL)
4130 return -ENOMEM;
4131
4132 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
4133 if (err < 0)
4134 goto err_fill_set_info;
4135
4136 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4137
4138 err_fill_set_info:
4139 kfree_skb(skb2);
4140 return err;
4141 }
4142
4143 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4144 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
4145 };
4146
4147 static int nft_set_desc_concat_parse(const struct nlattr *attr,
4148 struct nft_set_desc *desc)
4149 {
4150 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
4151 u32 len;
4152 int err;
4153
4154 if (desc->field_count >= ARRAY_SIZE(desc->field_len))
4155 return -E2BIG;
4156
4157 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
4158 nft_concat_policy, NULL);
4159 if (err < 0)
4160 return err;
4161
4162 if (!tb[NFTA_SET_FIELD_LEN])
4163 return -EINVAL;
4164
4165 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
4166 if (!len || len > U8_MAX)
4167 return -EINVAL;
4168
4169 desc->field_len[desc->field_count++] = len;
4170
4171 return 0;
4172 }
4173
4174 static int nft_set_desc_concat(struct nft_set_desc *desc,
4175 const struct nlattr *nla)
4176 {
4177 struct nlattr *attr;
4178 u32 num_regs = 0;
4179 int rem, err, i;
4180
4181 nla_for_each_nested(attr, nla, rem) {
4182 if (nla_type(attr) != NFTA_LIST_ELEM)
4183 return -EINVAL;
4184
4185 err = nft_set_desc_concat_parse(attr, desc);
4186 if (err < 0)
4187 return err;
4188 }
4189
4190 for (i = 0; i < desc->field_count; i++)
4191 num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32));
4192
4193 if (num_regs > NFT_REG32_COUNT)
4194 return -E2BIG;
4195
4196 return 0;
4197 }
4198
4199 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
4200 const struct nlattr *nla)
4201 {
4202 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
4203 int err;
4204
4205 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
4206 nft_set_desc_policy, NULL);
4207 if (err < 0)
4208 return err;
4209
4210 if (da[NFTA_SET_DESC_SIZE] != NULL)
4211 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
4212 if (da[NFTA_SET_DESC_CONCAT])
4213 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
4214
4215 return err;
4216 }
4217
4218 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
4219 const struct nlattr * const nla[])
4220 {
4221 u32 ktype, dtype, flags, policy, gc_int, objtype;
4222 struct netlink_ext_ack *extack = info->extack;
4223 u8 genmask = nft_genmask_next(info->net);
4224 u8 family = info->nfmsg->nfgen_family;
4225 const struct nft_set_ops *ops;
4226 struct nft_expr *expr = NULL;
4227 struct net *net = info->net;
4228 struct nft_set_desc desc;
4229 struct nft_table *table;
4230 unsigned char *udata;
4231 struct nft_set *set;
4232 struct nft_ctx ctx;
4233 size_t alloc_size;
4234 u64 timeout;
4235 char *name;
4236 int err, i;
4237 u16 udlen;
4238 u64 size;
4239
4240 if (nla[NFTA_SET_TABLE] == NULL ||
4241 nla[NFTA_SET_NAME] == NULL ||
4242 nla[NFTA_SET_KEY_LEN] == NULL ||
4243 nla[NFTA_SET_ID] == NULL)
4244 return -EINVAL;
4245
4246 memset(&desc, 0, sizeof(desc));
4247
4248 ktype = NFT_DATA_VALUE;
4249 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
4250 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
4251 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
4252 return -EINVAL;
4253 }
4254
4255 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
4256 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
4257 return -EINVAL;
4258
4259 flags = 0;
4260 if (nla[NFTA_SET_FLAGS] != NULL) {
4261 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
4262 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
4263 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
4264 NFT_SET_MAP | NFT_SET_EVAL |
4265 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR))
4266 return -EOPNOTSUPP;
4267 /* Only one of these operations is supported */
4268 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
4269 (NFT_SET_MAP | NFT_SET_OBJECT))
4270 return -EOPNOTSUPP;
4271 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
4272 (NFT_SET_EVAL | NFT_SET_OBJECT))
4273 return -EOPNOTSUPP;
4274 }
4275
4276 dtype = 0;
4277 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
4278 if (!(flags & NFT_SET_MAP))
4279 return -EINVAL;
4280
4281 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
4282 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
4283 dtype != NFT_DATA_VERDICT)
4284 return -EINVAL;
4285
4286 if (dtype != NFT_DATA_VERDICT) {
4287 if (nla[NFTA_SET_DATA_LEN] == NULL)
4288 return -EINVAL;
4289 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
4290 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
4291 return -EINVAL;
4292 } else
4293 desc.dlen = sizeof(struct nft_verdict);
4294 } else if (flags & NFT_SET_MAP)
4295 return -EINVAL;
4296
4297 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
4298 if (!(flags & NFT_SET_OBJECT))
4299 return -EINVAL;
4300
4301 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
4302 if (objtype == NFT_OBJECT_UNSPEC ||
4303 objtype > NFT_OBJECT_MAX)
4304 return -EOPNOTSUPP;
4305 } else if (flags & NFT_SET_OBJECT)
4306 return -EINVAL;
4307 else
4308 objtype = NFT_OBJECT_UNSPEC;
4309
4310 timeout = 0;
4311 if (nla[NFTA_SET_TIMEOUT] != NULL) {
4312 if (!(flags & NFT_SET_TIMEOUT))
4313 return -EINVAL;
4314
4315 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
4316 if (err)
4317 return err;
4318 }
4319 gc_int = 0;
4320 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
4321 if (!(flags & NFT_SET_TIMEOUT))
4322 return -EINVAL;
4323 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
4324 }
4325
4326 policy = NFT_SET_POL_PERFORMANCE;
4327 if (nla[NFTA_SET_POLICY] != NULL)
4328 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
4329
4330 if (nla[NFTA_SET_DESC] != NULL) {
4331 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
4332 if (err < 0)
4333 return err;
4334 }
4335
4336 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
4337 desc.expr = true;
4338
4339 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask,
4340 NETLINK_CB(skb).portid);
4341 if (IS_ERR(table)) {
4342 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4343 return PTR_ERR(table);
4344 }
4345
4346 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
4347
4348 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4349 if (IS_ERR(set)) {
4350 if (PTR_ERR(set) != -ENOENT) {
4351 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4352 return PTR_ERR(set);
4353 }
4354 } else {
4355 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
4356 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4357 return -EEXIST;
4358 }
4359 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
4360 return -EOPNOTSUPP;
4361
4362 return 0;
4363 }
4364
4365 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
4366 return -ENOENT;
4367
4368 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
4369 if (IS_ERR(ops))
4370 return PTR_ERR(ops);
4371
4372 udlen = 0;
4373 if (nla[NFTA_SET_USERDATA])
4374 udlen = nla_len(nla[NFTA_SET_USERDATA]);
4375
4376 size = 0;
4377 if (ops->privsize != NULL)
4378 size = ops->privsize(nla, &desc);
4379 alloc_size = sizeof(*set) + size + udlen;
4380 if (alloc_size < size || alloc_size > INT_MAX)
4381 return -ENOMEM;
4382 set = kvzalloc(alloc_size, GFP_KERNEL);
4383 if (!set)
4384 return -ENOMEM;
4385
4386 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
4387 if (!name) {
4388 err = -ENOMEM;
4389 goto err_set_name;
4390 }
4391
4392 err = nf_tables_set_alloc_name(&ctx, set, name);
4393 kfree(name);
4394 if (err < 0)
4395 goto err_set_name;
4396
4397 udata = NULL;
4398 if (udlen) {
4399 udata = set->data + size;
4400 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
4401 }
4402
4403 INIT_LIST_HEAD(&set->bindings);
4404 INIT_LIST_HEAD(&set->catchall_list);
4405 set->table = table;
4406 write_pnet(&set->net, net);
4407 set->ops = ops;
4408 set->ktype = ktype;
4409 set->klen = desc.klen;
4410 set->dtype = dtype;
4411 set->objtype = objtype;
4412 set->dlen = desc.dlen;
4413 set->flags = flags;
4414 set->size = desc.size;
4415 set->policy = policy;
4416 set->udlen = udlen;
4417 set->udata = udata;
4418 set->timeout = timeout;
4419 set->gc_int = gc_int;
4420
4421 set->field_count = desc.field_count;
4422 for (i = 0; i < desc.field_count; i++)
4423 set->field_len[i] = desc.field_len[i];
4424
4425 err = ops->init(set, &desc, nla);
4426 if (err < 0)
4427 goto err_set_init;
4428
4429 if (nla[NFTA_SET_EXPR]) {
4430 expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]);
4431 if (IS_ERR(expr)) {
4432 err = PTR_ERR(expr);
4433 goto err_set_expr_alloc;
4434 }
4435 set->exprs[0] = expr;
4436 set->num_exprs++;
4437 } else if (nla[NFTA_SET_EXPRESSIONS]) {
4438 struct nft_expr *expr;
4439 struct nlattr *tmp;
4440 int left;
4441
4442 if (!(flags & NFT_SET_EXPR)) {
4443 err = -EINVAL;
4444 goto err_set_expr_alloc;
4445 }
4446 i = 0;
4447 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {
4448 if (i == NFT_SET_EXPR_MAX) {
4449 err = -E2BIG;
4450 goto err_set_expr_alloc;
4451 }
4452 if (nla_type(tmp) != NFTA_LIST_ELEM) {
4453 err = -EINVAL;
4454 goto err_set_expr_alloc;
4455 }
4456 expr = nft_set_elem_expr_alloc(&ctx, set, tmp);
4457 if (IS_ERR(expr)) {
4458 err = PTR_ERR(expr);
4459 goto err_set_expr_alloc;
4460 }
4461 set->exprs[i++] = expr;
4462 set->num_exprs++;
4463 }
4464 }
4465
4466 set->handle = nf_tables_alloc_handle(table);
4467
4468 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
4469 if (err < 0)
4470 goto err_set_expr_alloc;
4471
4472 list_add_tail_rcu(&set->list, &table->sets);
4473 table->use++;
4474 return 0;
4475
4476 err_set_expr_alloc:
4477 for (i = 0; i < set->num_exprs; i++)
4478 nft_expr_destroy(&ctx, set->exprs[i]);
4479
4480 ops->destroy(set);
4481 err_set_init:
4482 kfree(set->name);
4483 err_set_name:
4484 kvfree(set);
4485 return err;
4486 }
4487
4488 struct nft_set_elem_catchall {
4489 struct list_head list;
4490 struct rcu_head rcu;
4491 void *elem;
4492 };
4493
4494 static void nft_set_catchall_destroy(const struct nft_ctx *ctx,
4495 struct nft_set *set)
4496 {
4497 struct nft_set_elem_catchall *next, *catchall;
4498
4499 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
4500 list_del_rcu(&catchall->list);
4501 nft_set_elem_destroy(set, catchall->elem, true);
4502 kfree_rcu(catchall, rcu);
4503 }
4504 }
4505
4506 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
4507 {
4508 int i;
4509
4510 if (WARN_ON(set->use > 0))
4511 return;
4512
4513 for (i = 0; i < set->num_exprs; i++)
4514 nft_expr_destroy(ctx, set->exprs[i]);
4515
4516 set->ops->destroy(set);
4517 nft_set_catchall_destroy(ctx, set);
4518 kfree(set->name);
4519 kvfree(set);
4520 }
4521
4522 static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info,
4523 const struct nlattr * const nla[])
4524 {
4525 struct netlink_ext_ack *extack = info->extack;
4526 u8 genmask = nft_genmask_next(info->net);
4527 u8 family = info->nfmsg->nfgen_family;
4528 struct net *net = info->net;
4529 const struct nlattr *attr;
4530 struct nft_table *table;
4531 struct nft_set *set;
4532 struct nft_ctx ctx;
4533
4534 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
4535 return -EAFNOSUPPORT;
4536
4537 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
4538 genmask, NETLINK_CB(skb).portid);
4539 if (IS_ERR(table)) {
4540 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4541 return PTR_ERR(table);
4542 }
4543
4544 if (nla[NFTA_SET_HANDLE]) {
4545 attr = nla[NFTA_SET_HANDLE];
4546 set = nft_set_lookup_byhandle(table, attr, genmask);
4547 } else {
4548 attr = nla[NFTA_SET_NAME];
4549 set = nft_set_lookup(table, attr, genmask);
4550 }
4551
4552 if (IS_ERR(set)) {
4553 NL_SET_BAD_ATTR(extack, attr);
4554 return PTR_ERR(set);
4555 }
4556 if (set->use ||
4557 (info->nlh->nlmsg_flags & NLM_F_NONREC &&
4558 atomic_read(&set->nelems) > 0)) {
4559 NL_SET_BAD_ATTR(extack, attr);
4560 return -EBUSY;
4561 }
4562
4563 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
4564
4565 return nft_delset(&ctx, set);
4566 }
4567
4568 static int nft_validate_register_store(const struct nft_ctx *ctx,
4569 enum nft_registers reg,
4570 const struct nft_data *data,
4571 enum nft_data_types type,
4572 unsigned int len);
4573
4574 static int nft_setelem_data_validate(const struct nft_ctx *ctx,
4575 struct nft_set *set,
4576 struct nft_set_elem *elem)
4577 {
4578 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4579 enum nft_registers dreg;
4580
4581 dreg = nft_type_to_reg(set->dtype);
4582 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
4583 set->dtype == NFT_DATA_VERDICT ?
4584 NFT_DATA_VERDICT : NFT_DATA_VALUE,
4585 set->dlen);
4586 }
4587
4588 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
4589 struct nft_set *set,
4590 const struct nft_set_iter *iter,
4591 struct nft_set_elem *elem)
4592 {
4593 return nft_setelem_data_validate(ctx, set, elem);
4594 }
4595
4596 static int nft_set_catchall_bind_check(const struct nft_ctx *ctx,
4597 struct nft_set *set)
4598 {
4599 u8 genmask = nft_genmask_next(ctx->net);
4600 struct nft_set_elem_catchall *catchall;
4601 struct nft_set_elem elem;
4602 struct nft_set_ext *ext;
4603 int ret = 0;
4604
4605 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
4606 ext = nft_set_elem_ext(set, catchall->elem);
4607 if (!nft_set_elem_active(ext, genmask))
4608 continue;
4609
4610 elem.priv = catchall->elem;
4611 ret = nft_setelem_data_validate(ctx, set, &elem);
4612 if (ret < 0)
4613 break;
4614 }
4615
4616 return ret;
4617 }
4618
4619 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
4620 struct nft_set_binding *binding)
4621 {
4622 struct nft_set_binding *i;
4623 struct nft_set_iter iter;
4624
4625 if (set->use == UINT_MAX)
4626 return -EOVERFLOW;
4627
4628 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
4629 return -EBUSY;
4630
4631 if (binding->flags & NFT_SET_MAP) {
4632 /* If the set is already bound to the same chain all
4633 * jumps are already validated for that chain.
4634 */
4635 list_for_each_entry(i, &set->bindings, list) {
4636 if (i->flags & NFT_SET_MAP &&
4637 i->chain == binding->chain)
4638 goto bind;
4639 }
4640
4641 iter.genmask = nft_genmask_next(ctx->net);
4642 iter.skip = 0;
4643 iter.count = 0;
4644 iter.err = 0;
4645 iter.fn = nf_tables_bind_check_setelem;
4646
4647 set->ops->walk(ctx, set, &iter);
4648 if (!iter.err)
4649 iter.err = nft_set_catchall_bind_check(ctx, set);
4650
4651 if (iter.err < 0)
4652 return iter.err;
4653 }
4654 bind:
4655 binding->chain = ctx->chain;
4656 list_add_tail_rcu(&binding->list, &set->bindings);
4657 nft_set_trans_bind(ctx, set);
4658 set->use++;
4659
4660 return 0;
4661 }
4662 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
4663
4664 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
4665 struct nft_set_binding *binding, bool event)
4666 {
4667 list_del_rcu(&binding->list);
4668
4669 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
4670 list_del_rcu(&set->list);
4671 if (event)
4672 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
4673 GFP_KERNEL);
4674 }
4675 }
4676
4677 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
4678 struct nft_set_binding *binding,
4679 enum nft_trans_phase phase)
4680 {
4681 switch (phase) {
4682 case NFT_TRANS_PREPARE:
4683 set->use--;
4684 return;
4685 case NFT_TRANS_ABORT:
4686 case NFT_TRANS_RELEASE:
4687 set->use--;
4688 fallthrough;
4689 default:
4690 nf_tables_unbind_set(ctx, set, binding,
4691 phase == NFT_TRANS_COMMIT);
4692 }
4693 }
4694 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
4695
4696 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
4697 {
4698 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
4699 nft_set_destroy(ctx, set);
4700 }
4701 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
4702
4703 const struct nft_set_ext_type nft_set_ext_types[] = {
4704 [NFT_SET_EXT_KEY] = {
4705 .align = __alignof__(u32),
4706 },
4707 [NFT_SET_EXT_DATA] = {
4708 .align = __alignof__(u32),
4709 },
4710 [NFT_SET_EXT_EXPRESSIONS] = {
4711 .align = __alignof__(struct nft_set_elem_expr),
4712 },
4713 [NFT_SET_EXT_OBJREF] = {
4714 .len = sizeof(struct nft_object *),
4715 .align = __alignof__(struct nft_object *),
4716 },
4717 [NFT_SET_EXT_FLAGS] = {
4718 .len = sizeof(u8),
4719 .align = __alignof__(u8),
4720 },
4721 [NFT_SET_EXT_TIMEOUT] = {
4722 .len = sizeof(u64),
4723 .align = __alignof__(u64),
4724 },
4725 [NFT_SET_EXT_EXPIRATION] = {
4726 .len = sizeof(u64),
4727 .align = __alignof__(u64),
4728 },
4729 [NFT_SET_EXT_USERDATA] = {
4730 .len = sizeof(struct nft_userdata),
4731 .align = __alignof__(struct nft_userdata),
4732 },
4733 [NFT_SET_EXT_KEY_END] = {
4734 .align = __alignof__(u32),
4735 },
4736 };
4737
4738 /*
4739 * Set elements
4740 */
4741
4742 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
4743 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
4744 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
4745 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
4746 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
4747 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
4748 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
4749 .len = NFT_USERDATA_MAXLEN },
4750 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
4751 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
4752 .len = NFT_OBJ_MAXNAMELEN - 1 },
4753 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
4754 [NFTA_SET_ELEM_EXPRESSIONS] = { .type = NLA_NESTED },
4755 };
4756
4757 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
4758 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
4759 .len = NFT_TABLE_MAXNAMELEN - 1 },
4760 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
4761 .len = NFT_SET_MAXNAMELEN - 1 },
4762 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
4763 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
4764 };
4765
4766 static int nft_set_elem_expr_dump(struct sk_buff *skb,
4767 const struct nft_set *set,
4768 const struct nft_set_ext *ext)
4769 {
4770 struct nft_set_elem_expr *elem_expr;
4771 u32 size, num_exprs = 0;
4772 struct nft_expr *expr;
4773 struct nlattr *nest;
4774
4775 elem_expr = nft_set_ext_expr(ext);
4776 nft_setelem_expr_foreach(expr, elem_expr, size)
4777 num_exprs++;
4778
4779 if (num_exprs == 1) {
4780 expr = nft_setelem_expr_at(elem_expr, 0);
4781 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr) < 0)
4782 return -1;
4783
4784 return 0;
4785 } else if (num_exprs > 1) {
4786 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS);
4787 if (nest == NULL)
4788 goto nla_put_failure;
4789
4790 nft_setelem_expr_foreach(expr, elem_expr, size) {
4791 expr = nft_setelem_expr_at(elem_expr, size);
4792 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
4793 goto nla_put_failure;
4794 }
4795 nla_nest_end(skb, nest);
4796 }
4797 return 0;
4798
4799 nla_put_failure:
4800 return -1;
4801 }
4802
4803 static int nf_tables_fill_setelem(struct sk_buff *skb,
4804 const struct nft_set *set,
4805 const struct nft_set_elem *elem)
4806 {
4807 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4808 unsigned char *b = skb_tail_pointer(skb);
4809 struct nlattr *nest;
4810
4811 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4812 if (nest == NULL)
4813 goto nla_put_failure;
4814
4815 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
4816 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
4817 NFT_DATA_VALUE, set->klen) < 0)
4818 goto nla_put_failure;
4819
4820 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
4821 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
4822 NFT_DATA_VALUE, set->klen) < 0)
4823 goto nla_put_failure;
4824
4825 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4826 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
4827 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
4828 set->dlen) < 0)
4829 goto nla_put_failure;
4830
4831 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) &&
4832 nft_set_elem_expr_dump(skb, set, ext))
4833 goto nla_put_failure;
4834
4835 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4836 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
4837 (*nft_set_ext_obj(ext))->key.name) < 0)
4838 goto nla_put_failure;
4839
4840 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4841 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
4842 htonl(*nft_set_ext_flags(ext))))
4843 goto nla_put_failure;
4844
4845 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
4846 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
4847 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
4848 NFTA_SET_ELEM_PAD))
4849 goto nla_put_failure;
4850
4851 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4852 u64 expires, now = get_jiffies_64();
4853
4854 expires = *nft_set_ext_expiration(ext);
4855 if (time_before64(now, expires))
4856 expires -= now;
4857 else
4858 expires = 0;
4859
4860 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
4861 nf_jiffies64_to_msecs(expires),
4862 NFTA_SET_ELEM_PAD))
4863 goto nla_put_failure;
4864 }
4865
4866 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
4867 struct nft_userdata *udata;
4868
4869 udata = nft_set_ext_userdata(ext);
4870 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
4871 udata->len + 1, udata->data))
4872 goto nla_put_failure;
4873 }
4874
4875 nla_nest_end(skb, nest);
4876 return 0;
4877
4878 nla_put_failure:
4879 nlmsg_trim(skb, b);
4880 return -EMSGSIZE;
4881 }
4882
4883 struct nft_set_dump_args {
4884 const struct netlink_callback *cb;
4885 struct nft_set_iter iter;
4886 struct sk_buff *skb;
4887 };
4888
4889 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
4890 struct nft_set *set,
4891 const struct nft_set_iter *iter,
4892 struct nft_set_elem *elem)
4893 {
4894 struct nft_set_dump_args *args;
4895
4896 args = container_of(iter, struct nft_set_dump_args, iter);
4897 return nf_tables_fill_setelem(args->skb, set, elem);
4898 }
4899
4900 struct nft_set_dump_ctx {
4901 const struct nft_set *set;
4902 struct nft_ctx ctx;
4903 };
4904
4905 static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb,
4906 const struct nft_set *set)
4907 {
4908 struct nft_set_elem_catchall *catchall;
4909 u8 genmask = nft_genmask_cur(net);
4910 struct nft_set_elem elem;
4911 struct nft_set_ext *ext;
4912 int ret = 0;
4913
4914 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
4915 ext = nft_set_elem_ext(set, catchall->elem);
4916 if (!nft_set_elem_active(ext, genmask) ||
4917 nft_set_elem_expired(ext))
4918 continue;
4919
4920 elem.priv = catchall->elem;
4921 ret = nf_tables_fill_setelem(skb, set, &elem);
4922 break;
4923 }
4924
4925 return ret;
4926 }
4927
4928 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4929 {
4930 struct nft_set_dump_ctx *dump_ctx = cb->data;
4931 struct net *net = sock_net(skb->sk);
4932 struct nftables_pernet *nft_net;
4933 struct nft_table *table;
4934 struct nft_set *set;
4935 struct nft_set_dump_args args;
4936 bool set_found = false;
4937 struct nlmsghdr *nlh;
4938 struct nlattr *nest;
4939 u32 portid, seq;
4940 int event;
4941
4942 rcu_read_lock();
4943 nft_net = nft_pernet(net);
4944 list_for_each_entry_rcu(table, &nft_net->tables, list) {
4945 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4946 dump_ctx->ctx.family != table->family)
4947 continue;
4948
4949 if (table != dump_ctx->ctx.table)
4950 continue;
4951
4952 list_for_each_entry_rcu(set, &table->sets, list) {
4953 if (set == dump_ctx->set) {
4954 set_found = true;
4955 break;
4956 }
4957 }
4958 break;
4959 }
4960
4961 if (!set_found) {
4962 rcu_read_unlock();
4963 return -ENOENT;
4964 }
4965
4966 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4967 portid = NETLINK_CB(cb->skb).portid;
4968 seq = cb->nlh->nlmsg_seq;
4969
4970 nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI,
4971 table->family, NFNETLINK_V0, nft_base_seq(net));
4972 if (!nlh)
4973 goto nla_put_failure;
4974
4975 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4976 goto nla_put_failure;
4977 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4978 goto nla_put_failure;
4979
4980 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4981 if (nest == NULL)
4982 goto nla_put_failure;
4983
4984 args.cb = cb;
4985 args.skb = skb;
4986 args.iter.genmask = nft_genmask_cur(net);
4987 args.iter.skip = cb->args[0];
4988 args.iter.count = 0;
4989 args.iter.err = 0;
4990 args.iter.fn = nf_tables_dump_setelem;
4991 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4992
4993 if (!args.iter.err && args.iter.count == cb->args[0])
4994 args.iter.err = nft_set_catchall_dump(net, skb, set);
4995 rcu_read_unlock();
4996
4997 nla_nest_end(skb, nest);
4998 nlmsg_end(skb, nlh);
4999
5000 if (args.iter.err && args.iter.err != -EMSGSIZE)
5001 return args.iter.err;
5002 if (args.iter.count == cb->args[0])
5003 return 0;
5004
5005 cb->args[0] = args.iter.count;
5006 return skb->len;
5007
5008 nla_put_failure:
5009 rcu_read_unlock();
5010 return -ENOSPC;
5011 }
5012
5013 static int nf_tables_dump_set_start(struct netlink_callback *cb)
5014 {
5015 struct nft_set_dump_ctx *dump_ctx = cb->data;
5016
5017 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
5018
5019 return cb->data ? 0 : -ENOMEM;
5020 }
5021
5022 static int nf_tables_dump_set_done(struct netlink_callback *cb)
5023 {
5024 kfree(cb->data);
5025 return 0;
5026 }
5027
5028 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
5029 const struct nft_ctx *ctx, u32 seq,
5030 u32 portid, int event, u16 flags,
5031 const struct nft_set *set,
5032 const struct nft_set_elem *elem)
5033 {
5034 struct nlmsghdr *nlh;
5035 struct nlattr *nest;
5036 int err;
5037
5038 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5039 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
5040 NFNETLINK_V0, nft_base_seq(ctx->net));
5041 if (!nlh)
5042 goto nla_put_failure;
5043
5044 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
5045 goto nla_put_failure;
5046 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
5047 goto nla_put_failure;
5048
5049 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
5050 if (nest == NULL)
5051 goto nla_put_failure;
5052
5053 err = nf_tables_fill_setelem(skb, set, elem);
5054 if (err < 0)
5055 goto nla_put_failure;
5056
5057 nla_nest_end(skb, nest);
5058
5059 nlmsg_end(skb, nlh);
5060 return 0;
5061
5062 nla_put_failure:
5063 nlmsg_trim(skb, nlh);
5064 return -1;
5065 }
5066
5067 static int nft_setelem_parse_flags(const struct nft_set *set,
5068 const struct nlattr *attr, u32 *flags)
5069 {
5070 if (attr == NULL)
5071 return 0;
5072
5073 *flags = ntohl(nla_get_be32(attr));
5074 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
5075 return -EOPNOTSUPP;
5076 if (!(set->flags & NFT_SET_INTERVAL) &&
5077 *flags & NFT_SET_ELEM_INTERVAL_END)
5078 return -EINVAL;
5079
5080 return 0;
5081 }
5082
5083 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
5084 struct nft_data *key, struct nlattr *attr)
5085 {
5086 struct nft_data_desc desc;
5087 int err;
5088
5089 err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr);
5090 if (err < 0)
5091 return err;
5092
5093 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
5094 nft_data_release(key, desc.type);
5095 return -EINVAL;
5096 }
5097
5098 return 0;
5099 }
5100
5101 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
5102 struct nft_data_desc *desc,
5103 struct nft_data *data,
5104 struct nlattr *attr)
5105 {
5106 int err;
5107
5108 err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr);
5109 if (err < 0)
5110 return err;
5111
5112 if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) {
5113 nft_data_release(data, desc->type);
5114 return -EINVAL;
5115 }
5116
5117 return 0;
5118 }
5119
5120 static void *nft_setelem_catchall_get(const struct net *net,
5121 const struct nft_set *set)
5122 {
5123 struct nft_set_elem_catchall *catchall;
5124 u8 genmask = nft_genmask_cur(net);
5125 struct nft_set_ext *ext;
5126 void *priv = NULL;
5127
5128 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5129 ext = nft_set_elem_ext(set, catchall->elem);
5130 if (!nft_set_elem_active(ext, genmask) ||
5131 nft_set_elem_expired(ext))
5132 continue;
5133
5134 priv = catchall->elem;
5135 break;
5136 }
5137
5138 return priv;
5139 }
5140
5141 static int nft_setelem_get(struct nft_ctx *ctx, struct nft_set *set,
5142 struct nft_set_elem *elem, u32 flags)
5143 {
5144 void *priv;
5145
5146 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
5147 priv = set->ops->get(ctx->net, set, elem, flags);
5148 if (IS_ERR(priv))
5149 return PTR_ERR(priv);
5150 } else {
5151 priv = nft_setelem_catchall_get(ctx->net, set);
5152 if (!priv)
5153 return -ENOENT;
5154 }
5155 elem->priv = priv;
5156
5157 return 0;
5158 }
5159
5160 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
5161 const struct nlattr *attr)
5162 {
5163 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5164 struct nft_set_elem elem;
5165 struct sk_buff *skb;
5166 uint32_t flags = 0;
5167 int err;
5168
5169 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5170 nft_set_elem_policy, NULL);
5171 if (err < 0)
5172 return err;
5173
5174 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5175 if (err < 0)
5176 return err;
5177
5178 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
5179 return -EINVAL;
5180
5181 if (nla[NFTA_SET_ELEM_KEY]) {
5182 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5183 nla[NFTA_SET_ELEM_KEY]);
5184 if (err < 0)
5185 return err;
5186 }
5187
5188 if (nla[NFTA_SET_ELEM_KEY_END]) {
5189 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5190 nla[NFTA_SET_ELEM_KEY_END]);
5191 if (err < 0)
5192 return err;
5193 }
5194
5195 err = nft_setelem_get(ctx, set, &elem, flags);
5196 if (err < 0)
5197 return err;
5198
5199 err = -ENOMEM;
5200 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
5201 if (skb == NULL)
5202 return err;
5203
5204 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
5205 NFT_MSG_NEWSETELEM, 0, set, &elem);
5206 if (err < 0)
5207 goto err_fill_setelem;
5208
5209 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
5210
5211 err_fill_setelem:
5212 kfree_skb(skb);
5213 return err;
5214 }
5215
5216 /* called with rcu_read_lock held */
5217 static int nf_tables_getsetelem(struct sk_buff *skb,
5218 const struct nfnl_info *info,
5219 const struct nlattr * const nla[])
5220 {
5221 struct netlink_ext_ack *extack = info->extack;
5222 u8 genmask = nft_genmask_cur(info->net);
5223 u8 family = info->nfmsg->nfgen_family;
5224 struct net *net = info->net;
5225 struct nft_table *table;
5226 struct nft_set *set;
5227 struct nlattr *attr;
5228 struct nft_ctx ctx;
5229 int rem, err = 0;
5230
5231 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
5232 genmask, NETLINK_CB(skb).portid);
5233 if (IS_ERR(table)) {
5234 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
5235 return PTR_ERR(table);
5236 }
5237
5238 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5239 if (IS_ERR(set))
5240 return PTR_ERR(set);
5241
5242 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5243
5244 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
5245 struct netlink_dump_control c = {
5246 .start = nf_tables_dump_set_start,
5247 .dump = nf_tables_dump_set,
5248 .done = nf_tables_dump_set_done,
5249 .module = THIS_MODULE,
5250 };
5251 struct nft_set_dump_ctx dump_ctx = {
5252 .set = set,
5253 .ctx = ctx,
5254 };
5255
5256 c.data = &dump_ctx;
5257 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
5258 }
5259
5260 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
5261 return -EINVAL;
5262
5263 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5264 err = nft_get_set_elem(&ctx, set, attr);
5265 if (err < 0)
5266 break;
5267 }
5268
5269 return err;
5270 }
5271
5272 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
5273 const struct nft_set *set,
5274 const struct nft_set_elem *elem,
5275 int event)
5276 {
5277 struct nftables_pernet *nft_net;
5278 struct net *net = ctx->net;
5279 u32 portid = ctx->portid;
5280 struct sk_buff *skb;
5281 u16 flags = 0;
5282 int err;
5283
5284 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5285 return;
5286
5287 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5288 if (skb == NULL)
5289 goto err;
5290
5291 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
5292 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
5293
5294 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
5295 set, elem);
5296 if (err < 0) {
5297 kfree_skb(skb);
5298 goto err;
5299 }
5300
5301 nft_net = nft_pernet(net);
5302 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
5303 return;
5304 err:
5305 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5306 }
5307
5308 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
5309 int msg_type,
5310 struct nft_set *set)
5311 {
5312 struct nft_trans *trans;
5313
5314 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
5315 if (trans == NULL)
5316 return NULL;
5317
5318 nft_trans_elem_set(trans) = set;
5319 return trans;
5320 }
5321
5322 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
5323 const struct nft_set *set,
5324 const struct nlattr *attr)
5325 {
5326 struct nft_expr *expr;
5327 int err;
5328
5329 expr = nft_expr_init(ctx, attr);
5330 if (IS_ERR(expr))
5331 return expr;
5332
5333 err = -EOPNOTSUPP;
5334 if (expr->ops->type->flags & NFT_EXPR_GC) {
5335 if (set->flags & NFT_SET_TIMEOUT)
5336 goto err_set_elem_expr;
5337 if (!set->ops->gc_init)
5338 goto err_set_elem_expr;
5339 set->ops->gc_init(set);
5340 }
5341
5342 return expr;
5343
5344 err_set_elem_expr:
5345 nft_expr_destroy(ctx, expr);
5346 return ERR_PTR(err);
5347 }
5348
5349 void *nft_set_elem_init(const struct nft_set *set,
5350 const struct nft_set_ext_tmpl *tmpl,
5351 const u32 *key, const u32 *key_end,
5352 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp)
5353 {
5354 struct nft_set_ext *ext;
5355 void *elem;
5356
5357 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
5358 if (elem == NULL)
5359 return NULL;
5360
5361 ext = nft_set_elem_ext(set, elem);
5362 nft_set_ext_init(ext, tmpl);
5363
5364 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY))
5365 memcpy(nft_set_ext_key(ext), key, set->klen);
5366 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
5367 memcpy(nft_set_ext_key_end(ext), key_end, set->klen);
5368 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5369 memcpy(nft_set_ext_data(ext), data, set->dlen);
5370 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
5371 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
5372 if (expiration == 0)
5373 *nft_set_ext_expiration(ext) += timeout;
5374 }
5375 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
5376 *nft_set_ext_timeout(ext) = timeout;
5377
5378 return elem;
5379 }
5380
5381 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5382 struct nft_expr *expr)
5383 {
5384 if (expr->ops->destroy_clone) {
5385 expr->ops->destroy_clone(ctx, expr);
5386 module_put(expr->ops->type->owner);
5387 } else {
5388 nf_tables_expr_destroy(ctx, expr);
5389 }
5390 }
5391
5392 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5393 struct nft_set_elem_expr *elem_expr)
5394 {
5395 struct nft_expr *expr;
5396 u32 size;
5397
5398 nft_setelem_expr_foreach(expr, elem_expr, size)
5399 __nft_set_elem_expr_destroy(ctx, expr);
5400 }
5401
5402 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
5403 bool destroy_expr)
5404 {
5405 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5406 struct nft_ctx ctx = {
5407 .net = read_pnet(&set->net),
5408 .family = set->table->family,
5409 };
5410
5411 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
5412 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5413 nft_data_release(nft_set_ext_data(ext), set->dtype);
5414 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
5415 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
5416
5417 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5418 (*nft_set_ext_obj(ext))->use--;
5419 kfree(elem);
5420 }
5421 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
5422
5423 /* Only called from commit path, nft_setelem_data_deactivate() already deals
5424 * with the refcounting from the preparation phase.
5425 */
5426 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
5427 const struct nft_set *set, void *elem)
5428 {
5429 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5430
5431 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
5432 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
5433
5434 kfree(elem);
5435 }
5436
5437 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
5438 struct nft_expr *expr_array[])
5439 {
5440 struct nft_expr *expr;
5441 int err, i, k;
5442
5443 for (i = 0; i < set->num_exprs; i++) {
5444 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL);
5445 if (!expr)
5446 goto err_expr;
5447
5448 err = nft_expr_clone(expr, set->exprs[i]);
5449 if (err < 0) {
5450 nft_expr_destroy(ctx, expr);
5451 goto err_expr;
5452 }
5453 expr_array[i] = expr;
5454 }
5455
5456 return 0;
5457
5458 err_expr:
5459 for (k = i - 1; k >= 0; k--)
5460 nft_expr_destroy(ctx, expr_array[k]);
5461
5462 return -ENOMEM;
5463 }
5464
5465 static int nft_set_elem_expr_setup(struct nft_ctx *ctx,
5466 const struct nft_set_ext *ext,
5467 struct nft_expr *expr_array[],
5468 u32 num_exprs)
5469 {
5470 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
5471 struct nft_expr *expr;
5472 int i, err;
5473
5474 for (i = 0; i < num_exprs; i++) {
5475 expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
5476 err = nft_expr_clone(expr, expr_array[i]);
5477 if (err < 0)
5478 goto err_elem_expr_setup;
5479
5480 elem_expr->size += expr_array[i]->ops->size;
5481 nft_expr_destroy(ctx, expr_array[i]);
5482 expr_array[i] = NULL;
5483 }
5484
5485 return 0;
5486
5487 err_elem_expr_setup:
5488 for (; i < num_exprs; i++) {
5489 nft_expr_destroy(ctx, expr_array[i]);
5490 expr_array[i] = NULL;
5491 }
5492
5493 return -ENOMEM;
5494 }
5495
5496 struct nft_set_ext *nft_set_catchall_lookup(const struct net *net,
5497 const struct nft_set *set)
5498 {
5499 struct nft_set_elem_catchall *catchall;
5500 u8 genmask = nft_genmask_cur(net);
5501 struct nft_set_ext *ext;
5502
5503 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5504 ext = nft_set_elem_ext(set, catchall->elem);
5505 if (nft_set_elem_active(ext, genmask) &&
5506 !nft_set_elem_expired(ext))
5507 return ext;
5508 }
5509
5510 return NULL;
5511 }
5512 EXPORT_SYMBOL_GPL(nft_set_catchall_lookup);
5513
5514 void *nft_set_catchall_gc(const struct nft_set *set)
5515 {
5516 struct nft_set_elem_catchall *catchall, *next;
5517 struct nft_set_ext *ext;
5518 void *elem = NULL;
5519
5520 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
5521 ext = nft_set_elem_ext(set, catchall->elem);
5522
5523 if (!nft_set_elem_expired(ext) ||
5524 nft_set_elem_mark_busy(ext))
5525 continue;
5526
5527 elem = catchall->elem;
5528 list_del_rcu(&catchall->list);
5529 kfree_rcu(catchall, rcu);
5530 break;
5531 }
5532
5533 return elem;
5534 }
5535 EXPORT_SYMBOL_GPL(nft_set_catchall_gc);
5536
5537 static int nft_setelem_catchall_insert(const struct net *net,
5538 struct nft_set *set,
5539 const struct nft_set_elem *elem,
5540 struct nft_set_ext **pext)
5541 {
5542 struct nft_set_elem_catchall *catchall;
5543 u8 genmask = nft_genmask_next(net);
5544 struct nft_set_ext *ext;
5545
5546 list_for_each_entry(catchall, &set->catchall_list, list) {
5547 ext = nft_set_elem_ext(set, catchall->elem);
5548 if (nft_set_elem_active(ext, genmask)) {
5549 *pext = ext;
5550 return -EEXIST;
5551 }
5552 }
5553
5554 catchall = kmalloc(sizeof(*catchall), GFP_KERNEL);
5555 if (!catchall)
5556 return -ENOMEM;
5557
5558 catchall->elem = elem->priv;
5559 list_add_tail_rcu(&catchall->list, &set->catchall_list);
5560
5561 return 0;
5562 }
5563
5564 static int nft_setelem_insert(const struct net *net,
5565 struct nft_set *set,
5566 const struct nft_set_elem *elem,
5567 struct nft_set_ext **ext, unsigned int flags)
5568 {
5569 int ret;
5570
5571 if (flags & NFT_SET_ELEM_CATCHALL)
5572 ret = nft_setelem_catchall_insert(net, set, elem, ext);
5573 else
5574 ret = set->ops->insert(net, set, elem, ext);
5575
5576 return ret;
5577 }
5578
5579 static bool nft_setelem_is_catchall(const struct nft_set *set,
5580 const struct nft_set_elem *elem)
5581 {
5582 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5583
5584 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
5585 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL)
5586 return true;
5587
5588 return false;
5589 }
5590
5591 static void nft_setelem_activate(struct net *net, struct nft_set *set,
5592 struct nft_set_elem *elem)
5593 {
5594 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5595
5596 if (nft_setelem_is_catchall(set, elem)) {
5597 nft_set_elem_change_active(net, set, ext);
5598 nft_set_elem_clear_busy(ext);
5599 } else {
5600 set->ops->activate(net, set, elem);
5601 }
5602 }
5603
5604 static int nft_setelem_catchall_deactivate(const struct net *net,
5605 struct nft_set *set,
5606 struct nft_set_elem *elem)
5607 {
5608 struct nft_set_elem_catchall *catchall;
5609 struct nft_set_ext *ext;
5610
5611 list_for_each_entry(catchall, &set->catchall_list, list) {
5612 ext = nft_set_elem_ext(set, catchall->elem);
5613 if (!nft_is_active(net, ext) ||
5614 nft_set_elem_mark_busy(ext))
5615 continue;
5616
5617 kfree(elem->priv);
5618 elem->priv = catchall->elem;
5619 nft_set_elem_change_active(net, set, ext);
5620 return 0;
5621 }
5622
5623 return -ENOENT;
5624 }
5625
5626 static int __nft_setelem_deactivate(const struct net *net,
5627 struct nft_set *set,
5628 struct nft_set_elem *elem)
5629 {
5630 void *priv;
5631
5632 priv = set->ops->deactivate(net, set, elem);
5633 if (!priv)
5634 return -ENOENT;
5635
5636 kfree(elem->priv);
5637 elem->priv = priv;
5638 set->ndeact++;
5639
5640 return 0;
5641 }
5642
5643 static int nft_setelem_deactivate(const struct net *net,
5644 struct nft_set *set,
5645 struct nft_set_elem *elem, u32 flags)
5646 {
5647 int ret;
5648
5649 if (flags & NFT_SET_ELEM_CATCHALL)
5650 ret = nft_setelem_catchall_deactivate(net, set, elem);
5651 else
5652 ret = __nft_setelem_deactivate(net, set, elem);
5653
5654 return ret;
5655 }
5656
5657 static void nft_setelem_catchall_remove(const struct net *net,
5658 const struct nft_set *set,
5659 const struct nft_set_elem *elem)
5660 {
5661 struct nft_set_elem_catchall *catchall, *next;
5662
5663 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
5664 if (catchall->elem == elem->priv) {
5665 list_del_rcu(&catchall->list);
5666 kfree_rcu(catchall, rcu);
5667 break;
5668 }
5669 }
5670 }
5671
5672 static void nft_setelem_remove(const struct net *net,
5673 const struct nft_set *set,
5674 const struct nft_set_elem *elem)
5675 {
5676 if (nft_setelem_is_catchall(set, elem))
5677 nft_setelem_catchall_remove(net, set, elem);
5678 else
5679 set->ops->remove(net, set, elem);
5680 }
5681
5682 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
5683 const struct nlattr *attr, u32 nlmsg_flags)
5684 {
5685 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {};
5686 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5687 u8 genmask = nft_genmask_next(ctx->net);
5688 u32 flags = 0, size = 0, num_exprs = 0;
5689 struct nft_set_ext_tmpl tmpl;
5690 struct nft_set_ext *ext, *ext2;
5691 struct nft_set_elem elem;
5692 struct nft_set_binding *binding;
5693 struct nft_object *obj = NULL;
5694 struct nft_userdata *udata;
5695 struct nft_data_desc desc;
5696 enum nft_registers dreg;
5697 struct nft_trans *trans;
5698 u64 timeout;
5699 u64 expiration;
5700 int err, i;
5701 u8 ulen;
5702
5703 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5704 nft_set_elem_policy, NULL);
5705 if (err < 0)
5706 return err;
5707
5708 nft_set_ext_prepare(&tmpl);
5709
5710 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5711 if (err < 0)
5712 return err;
5713
5714 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
5715 return -EINVAL;
5716
5717 if (flags != 0)
5718 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5719
5720 if (set->flags & NFT_SET_MAP) {
5721 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
5722 !(flags & NFT_SET_ELEM_INTERVAL_END))
5723 return -EINVAL;
5724 } else {
5725 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5726 return -EINVAL;
5727 }
5728
5729 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
5730 (nla[NFTA_SET_ELEM_DATA] ||
5731 nla[NFTA_SET_ELEM_OBJREF] ||
5732 nla[NFTA_SET_ELEM_TIMEOUT] ||
5733 nla[NFTA_SET_ELEM_EXPIRATION] ||
5734 nla[NFTA_SET_ELEM_USERDATA] ||
5735 nla[NFTA_SET_ELEM_EXPR] ||
5736 nla[NFTA_SET_ELEM_EXPRESSIONS]))
5737 return -EINVAL;
5738
5739 timeout = 0;
5740 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
5741 if (!(set->flags & NFT_SET_TIMEOUT))
5742 return -EINVAL;
5743 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
5744 &timeout);
5745 if (err)
5746 return err;
5747 } else if (set->flags & NFT_SET_TIMEOUT) {
5748 timeout = set->timeout;
5749 }
5750
5751 expiration = 0;
5752 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
5753 if (!(set->flags & NFT_SET_TIMEOUT))
5754 return -EINVAL;
5755 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
5756 &expiration);
5757 if (err)
5758 return err;
5759 }
5760
5761 if (nla[NFTA_SET_ELEM_EXPR]) {
5762 struct nft_expr *expr;
5763
5764 if (set->num_exprs && set->num_exprs != 1)
5765 return -EOPNOTSUPP;
5766
5767 expr = nft_set_elem_expr_alloc(ctx, set,
5768 nla[NFTA_SET_ELEM_EXPR]);
5769 if (IS_ERR(expr))
5770 return PTR_ERR(expr);
5771
5772 expr_array[0] = expr;
5773 num_exprs = 1;
5774
5775 if (set->num_exprs && set->exprs[0]->ops != expr->ops) {
5776 err = -EOPNOTSUPP;
5777 goto err_set_elem_expr;
5778 }
5779 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) {
5780 struct nft_expr *expr;
5781 struct nlattr *tmp;
5782 int left;
5783
5784 i = 0;
5785 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) {
5786 if (i == NFT_SET_EXPR_MAX ||
5787 (set->num_exprs && set->num_exprs == i)) {
5788 err = -E2BIG;
5789 goto err_set_elem_expr;
5790 }
5791 if (nla_type(tmp) != NFTA_LIST_ELEM) {
5792 err = -EINVAL;
5793 goto err_set_elem_expr;
5794 }
5795 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
5796 if (IS_ERR(expr)) {
5797 err = PTR_ERR(expr);
5798 goto err_set_elem_expr;
5799 }
5800 expr_array[i] = expr;
5801 num_exprs++;
5802
5803 if (set->num_exprs && expr->ops != set->exprs[i]->ops) {
5804 err = -EOPNOTSUPP;
5805 goto err_set_elem_expr;
5806 }
5807 i++;
5808 }
5809 if (set->num_exprs && set->num_exprs != i) {
5810 err = -EOPNOTSUPP;
5811 goto err_set_elem_expr;
5812 }
5813 } else if (set->num_exprs > 0) {
5814 err = nft_set_elem_expr_clone(ctx, set, expr_array);
5815 if (err < 0)
5816 goto err_set_elem_expr_clone;
5817
5818 num_exprs = set->num_exprs;
5819 }
5820
5821 if (nla[NFTA_SET_ELEM_KEY]) {
5822 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5823 nla[NFTA_SET_ELEM_KEY]);
5824 if (err < 0)
5825 goto err_set_elem_expr;
5826
5827 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5828 }
5829
5830 if (nla[NFTA_SET_ELEM_KEY_END]) {
5831 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5832 nla[NFTA_SET_ELEM_KEY_END]);
5833 if (err < 0)
5834 goto err_parse_key;
5835
5836 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5837 }
5838
5839 if (timeout > 0) {
5840 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
5841 if (timeout != set->timeout)
5842 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
5843 }
5844
5845 if (num_exprs) {
5846 for (i = 0; i < num_exprs; i++)
5847 size += expr_array[i]->ops->size;
5848
5849 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS,
5850 sizeof(struct nft_set_elem_expr) +
5851 size);
5852 }
5853
5854 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
5855 if (!(set->flags & NFT_SET_OBJECT)) {
5856 err = -EINVAL;
5857 goto err_parse_key_end;
5858 }
5859 obj = nft_obj_lookup(ctx->net, ctx->table,
5860 nla[NFTA_SET_ELEM_OBJREF],
5861 set->objtype, genmask);
5862 if (IS_ERR(obj)) {
5863 err = PTR_ERR(obj);
5864 goto err_parse_key_end;
5865 }
5866 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
5867 }
5868
5869 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
5870 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
5871 nla[NFTA_SET_ELEM_DATA]);
5872 if (err < 0)
5873 goto err_parse_key_end;
5874
5875 dreg = nft_type_to_reg(set->dtype);
5876 list_for_each_entry(binding, &set->bindings, list) {
5877 struct nft_ctx bind_ctx = {
5878 .net = ctx->net,
5879 .family = ctx->family,
5880 .table = ctx->table,
5881 .chain = (struct nft_chain *)binding->chain,
5882 };
5883
5884 if (!(binding->flags & NFT_SET_MAP))
5885 continue;
5886
5887 err = nft_validate_register_store(&bind_ctx, dreg,
5888 &elem.data.val,
5889 desc.type, desc.len);
5890 if (err < 0)
5891 goto err_parse_data;
5892
5893 if (desc.type == NFT_DATA_VERDICT &&
5894 (elem.data.val.verdict.code == NFT_GOTO ||
5895 elem.data.val.verdict.code == NFT_JUMP))
5896 nft_validate_state_update(ctx->net,
5897 NFT_VALIDATE_NEED);
5898 }
5899
5900 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
5901 }
5902
5903 /* The full maximum length of userdata can exceed the maximum
5904 * offset value (U8_MAX) for following extensions, therefor it
5905 * must be the last extension added.
5906 */
5907 ulen = 0;
5908 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
5909 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
5910 if (ulen > 0)
5911 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
5912 ulen);
5913 }
5914
5915 err = -ENOMEM;
5916 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5917 elem.key_end.val.data, elem.data.val.data,
5918 timeout, expiration, GFP_KERNEL);
5919 if (elem.priv == NULL)
5920 goto err_parse_data;
5921
5922 ext = nft_set_elem_ext(set, elem.priv);
5923 if (flags)
5924 *nft_set_ext_flags(ext) = flags;
5925 if (ulen > 0) {
5926 udata = nft_set_ext_userdata(ext);
5927 udata->len = ulen - 1;
5928 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
5929 }
5930 if (obj) {
5931 *nft_set_ext_obj(ext) = obj;
5932 obj->use++;
5933 }
5934 err = nft_set_elem_expr_setup(ctx, ext, expr_array, num_exprs);
5935 if (err < 0)
5936 goto err_elem_expr;
5937
5938 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
5939 if (trans == NULL) {
5940 err = -ENOMEM;
5941 goto err_elem_expr;
5942 }
5943
5944 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
5945
5946 err = nft_setelem_insert(ctx->net, set, &elem, &ext2, flags);
5947 if (err) {
5948 if (err == -EEXIST) {
5949 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
5950 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
5951 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
5952 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
5953 goto err_element_clash;
5954 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5955 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
5956 memcmp(nft_set_ext_data(ext),
5957 nft_set_ext_data(ext2), set->dlen) != 0) ||
5958 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5959 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
5960 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
5961 goto err_element_clash;
5962 else if (!(nlmsg_flags & NLM_F_EXCL))
5963 err = 0;
5964 } else if (err == -ENOTEMPTY) {
5965 /* ENOTEMPTY reports overlapping between this element
5966 * and an existing one.
5967 */
5968 err = -EEXIST;
5969 }
5970 goto err_element_clash;
5971 }
5972
5973 if (!(flags & NFT_SET_ELEM_CATCHALL) && set->size &&
5974 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
5975 err = -ENFILE;
5976 goto err_set_full;
5977 }
5978
5979 nft_trans_elem(trans) = elem;
5980 nft_trans_commit_list_add_tail(ctx->net, trans);
5981 return 0;
5982
5983 err_set_full:
5984 nft_setelem_remove(ctx->net, set, &elem);
5985 err_element_clash:
5986 kfree(trans);
5987 err_elem_expr:
5988 if (obj)
5989 obj->use--;
5990
5991 nf_tables_set_elem_destroy(ctx, set, elem.priv);
5992 err_parse_data:
5993 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5994 nft_data_release(&elem.data.val, desc.type);
5995 err_parse_key_end:
5996 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
5997 err_parse_key:
5998 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5999 err_set_elem_expr:
6000 for (i = 0; i < num_exprs && expr_array[i]; i++)
6001 nft_expr_destroy(ctx, expr_array[i]);
6002 err_set_elem_expr_clone:
6003 return err;
6004 }
6005
6006 static int nf_tables_newsetelem(struct sk_buff *skb,
6007 const struct nfnl_info *info,
6008 const struct nlattr * const nla[])
6009 {
6010 struct nftables_pernet *nft_net = nft_pernet(info->net);
6011 struct netlink_ext_ack *extack = info->extack;
6012 u8 genmask = nft_genmask_next(info->net);
6013 u8 family = info->nfmsg->nfgen_family;
6014 struct net *net = info->net;
6015 const struct nlattr *attr;
6016 struct nft_table *table;
6017 struct nft_set *set;
6018 struct nft_ctx ctx;
6019 int rem, err;
6020
6021 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
6022 return -EINVAL;
6023
6024 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
6025 genmask, NETLINK_CB(skb).portid);
6026 if (IS_ERR(table)) {
6027 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
6028 return PTR_ERR(table);
6029 }
6030
6031 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET],
6032 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
6033 if (IS_ERR(set))
6034 return PTR_ERR(set);
6035
6036 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
6037 return -EBUSY;
6038
6039 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
6040
6041 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6042 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags);
6043 if (err < 0)
6044 return err;
6045 }
6046
6047 if (nft_net->validate_state == NFT_VALIDATE_DO)
6048 return nft_table_validate(net, table);
6049
6050 return 0;
6051 }
6052
6053 /**
6054 * nft_data_hold - hold a nft_data item
6055 *
6056 * @data: struct nft_data to release
6057 * @type: type of data
6058 *
6059 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
6060 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
6061 * NFT_GOTO verdicts. This function must be called on active data objects
6062 * from the second phase of the commit protocol.
6063 */
6064 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
6065 {
6066 struct nft_chain *chain;
6067 struct nft_rule *rule;
6068
6069 if (type == NFT_DATA_VERDICT) {
6070 switch (data->verdict.code) {
6071 case NFT_JUMP:
6072 case NFT_GOTO:
6073 chain = data->verdict.chain;
6074 chain->use++;
6075
6076 if (!nft_chain_is_bound(chain))
6077 break;
6078
6079 chain->table->use++;
6080 list_for_each_entry(rule, &chain->rules, list)
6081 chain->use++;
6082
6083 nft_chain_add(chain->table, chain);
6084 break;
6085 }
6086 }
6087 }
6088
6089 static void nft_setelem_data_activate(const struct net *net,
6090 const struct nft_set *set,
6091 struct nft_set_elem *elem)
6092 {
6093 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6094
6095 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
6096 nft_data_hold(nft_set_ext_data(ext), set->dtype);
6097 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
6098 (*nft_set_ext_obj(ext))->use++;
6099 }
6100
6101 static void nft_setelem_data_deactivate(const struct net *net,
6102 const struct nft_set *set,
6103 struct nft_set_elem *elem)
6104 {
6105 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6106
6107 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
6108 nft_data_release(nft_set_ext_data(ext), set->dtype);
6109 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
6110 (*nft_set_ext_obj(ext))->use--;
6111 }
6112
6113 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
6114 const struct nlattr *attr)
6115 {
6116 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6117 struct nft_set_ext_tmpl tmpl;
6118 struct nft_set_elem elem;
6119 struct nft_set_ext *ext;
6120 struct nft_trans *trans;
6121 u32 flags = 0;
6122 int err;
6123
6124 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6125 nft_set_elem_policy, NULL);
6126 if (err < 0)
6127 return err;
6128
6129 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6130 if (err < 0)
6131 return err;
6132
6133 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
6134 return -EINVAL;
6135
6136 nft_set_ext_prepare(&tmpl);
6137
6138 if (flags != 0)
6139 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
6140
6141 if (nla[NFTA_SET_ELEM_KEY]) {
6142 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6143 nla[NFTA_SET_ELEM_KEY]);
6144 if (err < 0)
6145 return err;
6146
6147 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
6148 }
6149
6150 if (nla[NFTA_SET_ELEM_KEY_END]) {
6151 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6152 nla[NFTA_SET_ELEM_KEY_END]);
6153 if (err < 0)
6154 return err;
6155
6156 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
6157 }
6158
6159 err = -ENOMEM;
6160 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
6161 elem.key_end.val.data, NULL, 0, 0,
6162 GFP_KERNEL);
6163 if (elem.priv == NULL)
6164 goto fail_elem;
6165
6166 ext = nft_set_elem_ext(set, elem.priv);
6167 if (flags)
6168 *nft_set_ext_flags(ext) = flags;
6169
6170 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
6171 if (trans == NULL)
6172 goto fail_trans;
6173
6174 err = nft_setelem_deactivate(ctx->net, set, &elem, flags);
6175 if (err < 0)
6176 goto fail_ops;
6177
6178 nft_setelem_data_deactivate(ctx->net, set, &elem);
6179
6180 nft_trans_elem(trans) = elem;
6181 nft_trans_commit_list_add_tail(ctx->net, trans);
6182 return 0;
6183
6184 fail_ops:
6185 kfree(trans);
6186 fail_trans:
6187 kfree(elem.priv);
6188 fail_elem:
6189 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
6190 return err;
6191 }
6192
6193 static int nft_setelem_flush(const struct nft_ctx *ctx,
6194 struct nft_set *set,
6195 const struct nft_set_iter *iter,
6196 struct nft_set_elem *elem)
6197 {
6198 struct nft_trans *trans;
6199 int err;
6200
6201 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
6202 sizeof(struct nft_trans_elem), GFP_ATOMIC);
6203 if (!trans)
6204 return -ENOMEM;
6205
6206 if (!set->ops->flush(ctx->net, set, elem->priv)) {
6207 err = -ENOENT;
6208 goto err1;
6209 }
6210 set->ndeact++;
6211
6212 nft_setelem_data_deactivate(ctx->net, set, elem);
6213 nft_trans_elem_set(trans) = set;
6214 nft_trans_elem(trans) = *elem;
6215 nft_trans_commit_list_add_tail(ctx->net, trans);
6216
6217 return 0;
6218 err1:
6219 kfree(trans);
6220 return err;
6221 }
6222
6223 static int __nft_set_catchall_flush(const struct nft_ctx *ctx,
6224 struct nft_set *set,
6225 struct nft_set_elem *elem)
6226 {
6227 struct nft_trans *trans;
6228
6229 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
6230 sizeof(struct nft_trans_elem), GFP_KERNEL);
6231 if (!trans)
6232 return -ENOMEM;
6233
6234 nft_setelem_data_deactivate(ctx->net, set, elem);
6235 nft_trans_elem_set(trans) = set;
6236 nft_trans_elem(trans) = *elem;
6237 nft_trans_commit_list_add_tail(ctx->net, trans);
6238
6239 return 0;
6240 }
6241
6242 static int nft_set_catchall_flush(const struct nft_ctx *ctx,
6243 struct nft_set *set)
6244 {
6245 u8 genmask = nft_genmask_next(ctx->net);
6246 struct nft_set_elem_catchall *catchall;
6247 struct nft_set_elem elem;
6248 struct nft_set_ext *ext;
6249 int ret = 0;
6250
6251 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6252 ext = nft_set_elem_ext(set, catchall->elem);
6253 if (!nft_set_elem_active(ext, genmask) ||
6254 nft_set_elem_mark_busy(ext))
6255 continue;
6256
6257 elem.priv = catchall->elem;
6258 ret = __nft_set_catchall_flush(ctx, set, &elem);
6259 if (ret < 0)
6260 break;
6261 }
6262
6263 return ret;
6264 }
6265
6266 static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask)
6267 {
6268 struct nft_set_iter iter = {
6269 .genmask = genmask,
6270 .fn = nft_setelem_flush,
6271 };
6272
6273 set->ops->walk(ctx, set, &iter);
6274 if (!iter.err)
6275 iter.err = nft_set_catchall_flush(ctx, set);
6276
6277 return iter.err;
6278 }
6279
6280 static int nf_tables_delsetelem(struct sk_buff *skb,
6281 const struct nfnl_info *info,
6282 const struct nlattr * const nla[])
6283 {
6284 struct netlink_ext_ack *extack = info->extack;
6285 u8 genmask = nft_genmask_next(info->net);
6286 u8 family = info->nfmsg->nfgen_family;
6287 struct net *net = info->net;
6288 const struct nlattr *attr;
6289 struct nft_table *table;
6290 struct nft_set *set;
6291 struct nft_ctx ctx;
6292 int rem, err = 0;
6293
6294 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
6295 genmask, NETLINK_CB(skb).portid);
6296 if (IS_ERR(table)) {
6297 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
6298 return PTR_ERR(table);
6299 }
6300
6301 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
6302 if (IS_ERR(set))
6303 return PTR_ERR(set);
6304 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
6305 return -EBUSY;
6306
6307 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
6308
6309 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6310 return nft_set_flush(&ctx, set, genmask);
6311
6312 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6313 err = nft_del_setelem(&ctx, set, attr);
6314 if (err < 0)
6315 break;
6316 }
6317 return err;
6318 }
6319
6320 void nft_set_gc_batch_release(struct rcu_head *rcu)
6321 {
6322 struct nft_set_gc_batch *gcb;
6323 unsigned int i;
6324
6325 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
6326 for (i = 0; i < gcb->head.cnt; i++)
6327 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
6328 kfree(gcb);
6329 }
6330
6331 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
6332 gfp_t gfp)
6333 {
6334 struct nft_set_gc_batch *gcb;
6335
6336 gcb = kzalloc(sizeof(*gcb), gfp);
6337 if (gcb == NULL)
6338 return gcb;
6339 gcb->head.set = set;
6340 return gcb;
6341 }
6342
6343 /*
6344 * Stateful objects
6345 */
6346
6347 /**
6348 * nft_register_obj- register nf_tables stateful object type
6349 * @obj_type: object type
6350 *
6351 * Registers the object type for use with nf_tables. Returns zero on
6352 * success or a negative errno code otherwise.
6353 */
6354 int nft_register_obj(struct nft_object_type *obj_type)
6355 {
6356 if (obj_type->type == NFT_OBJECT_UNSPEC)
6357 return -EINVAL;
6358
6359 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6360 list_add_rcu(&obj_type->list, &nf_tables_objects);
6361 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6362 return 0;
6363 }
6364 EXPORT_SYMBOL_GPL(nft_register_obj);
6365
6366 /**
6367 * nft_unregister_obj - unregister nf_tables object type
6368 * @obj_type: object type
6369 *
6370 * Unregisters the object type for use with nf_tables.
6371 */
6372 void nft_unregister_obj(struct nft_object_type *obj_type)
6373 {
6374 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6375 list_del_rcu(&obj_type->list);
6376 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6377 }
6378 EXPORT_SYMBOL_GPL(nft_unregister_obj);
6379
6380 struct nft_object *nft_obj_lookup(const struct net *net,
6381 const struct nft_table *table,
6382 const struct nlattr *nla, u32 objtype,
6383 u8 genmask)
6384 {
6385 struct nft_object_hash_key k = { .table = table };
6386 char search[NFT_OBJ_MAXNAMELEN];
6387 struct rhlist_head *tmp, *list;
6388 struct nft_object *obj;
6389
6390 nla_strscpy(search, nla, sizeof(search));
6391 k.name = search;
6392
6393 WARN_ON_ONCE(!rcu_read_lock_held() &&
6394 !lockdep_commit_lock_is_held(net));
6395
6396 rcu_read_lock();
6397 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
6398 if (!list)
6399 goto out;
6400
6401 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
6402 if (objtype == obj->ops->type->type &&
6403 nft_active_genmask(obj, genmask)) {
6404 rcu_read_unlock();
6405 return obj;
6406 }
6407 }
6408 out:
6409 rcu_read_unlock();
6410 return ERR_PTR(-ENOENT);
6411 }
6412 EXPORT_SYMBOL_GPL(nft_obj_lookup);
6413
6414 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
6415 const struct nlattr *nla,
6416 u32 objtype, u8 genmask)
6417 {
6418 struct nft_object *obj;
6419
6420 list_for_each_entry(obj, &table->objects, list) {
6421 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
6422 objtype == obj->ops->type->type &&
6423 nft_active_genmask(obj, genmask))
6424 return obj;
6425 }
6426 return ERR_PTR(-ENOENT);
6427 }
6428
6429 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
6430 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
6431 .len = NFT_TABLE_MAXNAMELEN - 1 },
6432 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
6433 .len = NFT_OBJ_MAXNAMELEN - 1 },
6434 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
6435 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
6436 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
6437 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY,
6438 .len = NFT_USERDATA_MAXLEN },
6439 };
6440
6441 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
6442 const struct nft_object_type *type,
6443 const struct nlattr *attr)
6444 {
6445 struct nlattr **tb;
6446 const struct nft_object_ops *ops;
6447 struct nft_object *obj;
6448 int err = -ENOMEM;
6449
6450 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
6451 if (!tb)
6452 goto err1;
6453
6454 if (attr) {
6455 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
6456 type->policy, NULL);
6457 if (err < 0)
6458 goto err2;
6459 } else {
6460 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
6461 }
6462
6463 if (type->select_ops) {
6464 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
6465 if (IS_ERR(ops)) {
6466 err = PTR_ERR(ops);
6467 goto err2;
6468 }
6469 } else {
6470 ops = type->ops;
6471 }
6472
6473 err = -ENOMEM;
6474 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
6475 if (!obj)
6476 goto err2;
6477
6478 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
6479 if (err < 0)
6480 goto err3;
6481
6482 obj->ops = ops;
6483
6484 kfree(tb);
6485 return obj;
6486 err3:
6487 kfree(obj);
6488 err2:
6489 kfree(tb);
6490 err1:
6491 return ERR_PTR(err);
6492 }
6493
6494 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
6495 struct nft_object *obj, bool reset)
6496 {
6497 struct nlattr *nest;
6498
6499 nest = nla_nest_start_noflag(skb, attr);
6500 if (!nest)
6501 goto nla_put_failure;
6502 if (obj->ops->dump(skb, obj, reset) < 0)
6503 goto nla_put_failure;
6504 nla_nest_end(skb, nest);
6505 return 0;
6506
6507 nla_put_failure:
6508 return -1;
6509 }
6510
6511 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
6512 {
6513 const struct nft_object_type *type;
6514
6515 list_for_each_entry(type, &nf_tables_objects, list) {
6516 if (objtype == type->type)
6517 return type;
6518 }
6519 return NULL;
6520 }
6521
6522 static const struct nft_object_type *
6523 nft_obj_type_get(struct net *net, u32 objtype)
6524 {
6525 const struct nft_object_type *type;
6526
6527 type = __nft_obj_type_get(objtype);
6528 if (type != NULL && try_module_get(type->owner))
6529 return type;
6530
6531 lockdep_nfnl_nft_mutex_not_held();
6532 #ifdef CONFIG_MODULES
6533 if (type == NULL) {
6534 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
6535 return ERR_PTR(-EAGAIN);
6536 }
6537 #endif
6538 return ERR_PTR(-ENOENT);
6539 }
6540
6541 static int nf_tables_updobj(const struct nft_ctx *ctx,
6542 const struct nft_object_type *type,
6543 const struct nlattr *attr,
6544 struct nft_object *obj)
6545 {
6546 struct nft_object *newobj;
6547 struct nft_trans *trans;
6548 int err = -ENOMEM;
6549
6550 if (!try_module_get(type->owner))
6551 return -ENOENT;
6552
6553 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
6554 sizeof(struct nft_trans_obj));
6555 if (!trans)
6556 goto err_trans;
6557
6558 newobj = nft_obj_init(ctx, type, attr);
6559 if (IS_ERR(newobj)) {
6560 err = PTR_ERR(newobj);
6561 goto err_free_trans;
6562 }
6563
6564 nft_trans_obj(trans) = obj;
6565 nft_trans_obj_update(trans) = true;
6566 nft_trans_obj_newobj(trans) = newobj;
6567 nft_trans_commit_list_add_tail(ctx->net, trans);
6568
6569 return 0;
6570
6571 err_free_trans:
6572 kfree(trans);
6573 err_trans:
6574 module_put(type->owner);
6575 return err;
6576 }
6577
6578 static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
6579 const struct nlattr * const nla[])
6580 {
6581 struct netlink_ext_ack *extack = info->extack;
6582 u8 genmask = nft_genmask_next(info->net);
6583 u8 family = info->nfmsg->nfgen_family;
6584 const struct nft_object_type *type;
6585 struct net *net = info->net;
6586 struct nft_table *table;
6587 struct nft_object *obj;
6588 struct nft_ctx ctx;
6589 u32 objtype;
6590 int err;
6591
6592 if (!nla[NFTA_OBJ_TYPE] ||
6593 !nla[NFTA_OBJ_NAME] ||
6594 !nla[NFTA_OBJ_DATA])
6595 return -EINVAL;
6596
6597 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
6598 NETLINK_CB(skb).portid);
6599 if (IS_ERR(table)) {
6600 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6601 return PTR_ERR(table);
6602 }
6603
6604 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6605 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
6606 if (IS_ERR(obj)) {
6607 err = PTR_ERR(obj);
6608 if (err != -ENOENT) {
6609 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6610 return err;
6611 }
6612 } else {
6613 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
6614 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6615 return -EEXIST;
6616 }
6617 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
6618 return -EOPNOTSUPP;
6619
6620 type = __nft_obj_type_get(objtype);
6621 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
6622
6623 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
6624 }
6625
6626 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
6627
6628 type = nft_obj_type_get(net, objtype);
6629 if (IS_ERR(type))
6630 return PTR_ERR(type);
6631
6632 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
6633 if (IS_ERR(obj)) {
6634 err = PTR_ERR(obj);
6635 goto err_init;
6636 }
6637 obj->key.table = table;
6638 obj->handle = nf_tables_alloc_handle(table);
6639
6640 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
6641 if (!obj->key.name) {
6642 err = -ENOMEM;
6643 goto err_strdup;
6644 }
6645
6646 if (nla[NFTA_OBJ_USERDATA]) {
6647 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL);
6648 if (obj->udata == NULL)
6649 goto err_userdata;
6650
6651 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
6652 }
6653
6654 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
6655 if (err < 0)
6656 goto err_trans;
6657
6658 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
6659 nft_objname_ht_params);
6660 if (err < 0)
6661 goto err_obj_ht;
6662
6663 list_add_tail_rcu(&obj->list, &table->objects);
6664 table->use++;
6665 return 0;
6666 err_obj_ht:
6667 /* queued in transaction log */
6668 INIT_LIST_HEAD(&obj->list);
6669 return err;
6670 err_trans:
6671 kfree(obj->udata);
6672 err_userdata:
6673 kfree(obj->key.name);
6674 err_strdup:
6675 if (obj->ops->destroy)
6676 obj->ops->destroy(&ctx, obj);
6677 kfree(obj);
6678 err_init:
6679 module_put(type->owner);
6680 return err;
6681 }
6682
6683 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
6684 u32 portid, u32 seq, int event, u32 flags,
6685 int family, const struct nft_table *table,
6686 struct nft_object *obj, bool reset)
6687 {
6688 struct nlmsghdr *nlh;
6689
6690 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6691 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
6692 NFNETLINK_V0, nft_base_seq(net));
6693 if (!nlh)
6694 goto nla_put_failure;
6695
6696 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
6697 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
6698 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
6699 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
6700 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
6701 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
6702 NFTA_OBJ_PAD))
6703 goto nla_put_failure;
6704
6705 if (obj->udata &&
6706 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
6707 goto nla_put_failure;
6708
6709 nlmsg_end(skb, nlh);
6710 return 0;
6711
6712 nla_put_failure:
6713 nlmsg_trim(skb, nlh);
6714 return -1;
6715 }
6716
6717 struct nft_obj_filter {
6718 char *table;
6719 u32 type;
6720 };
6721
6722 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
6723 {
6724 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6725 const struct nft_table *table;
6726 unsigned int idx = 0, s_idx = cb->args[0];
6727 struct nft_obj_filter *filter = cb->data;
6728 struct net *net = sock_net(skb->sk);
6729 int family = nfmsg->nfgen_family;
6730 struct nftables_pernet *nft_net;
6731 struct nft_object *obj;
6732 bool reset = false;
6733
6734 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
6735 reset = true;
6736
6737 rcu_read_lock();
6738 nft_net = nft_pernet(net);
6739 cb->seq = nft_net->base_seq;
6740
6741 list_for_each_entry_rcu(table, &nft_net->tables, list) {
6742 if (family != NFPROTO_UNSPEC && family != table->family)
6743 continue;
6744
6745 list_for_each_entry_rcu(obj, &table->objects, list) {
6746 if (!nft_is_active(net, obj))
6747 goto cont;
6748 if (idx < s_idx)
6749 goto cont;
6750 if (idx > s_idx)
6751 memset(&cb->args[1], 0,
6752 sizeof(cb->args) - sizeof(cb->args[0]));
6753 if (filter && filter->table &&
6754 strcmp(filter->table, table->name))
6755 goto cont;
6756 if (filter &&
6757 filter->type != NFT_OBJECT_UNSPEC &&
6758 obj->ops->type->type != filter->type)
6759 goto cont;
6760 if (reset) {
6761 char *buf = kasprintf(GFP_ATOMIC,
6762 "%s:%u",
6763 table->name,
6764 nft_net->base_seq);
6765
6766 audit_log_nfcfg(buf,
6767 family,
6768 obj->handle,
6769 AUDIT_NFT_OP_OBJ_RESET,
6770 GFP_ATOMIC);
6771 kfree(buf);
6772 }
6773
6774 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
6775 cb->nlh->nlmsg_seq,
6776 NFT_MSG_NEWOBJ,
6777 NLM_F_MULTI | NLM_F_APPEND,
6778 table->family, table,
6779 obj, reset) < 0)
6780 goto done;
6781
6782 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6783 cont:
6784 idx++;
6785 }
6786 }
6787 done:
6788 rcu_read_unlock();
6789
6790 cb->args[0] = idx;
6791 return skb->len;
6792 }
6793
6794 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
6795 {
6796 const struct nlattr * const *nla = cb->data;
6797 struct nft_obj_filter *filter = NULL;
6798
6799 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
6800 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6801 if (!filter)
6802 return -ENOMEM;
6803
6804 if (nla[NFTA_OBJ_TABLE]) {
6805 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
6806 if (!filter->table) {
6807 kfree(filter);
6808 return -ENOMEM;
6809 }
6810 }
6811
6812 if (nla[NFTA_OBJ_TYPE])
6813 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6814 }
6815
6816 cb->data = filter;
6817 return 0;
6818 }
6819
6820 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
6821 {
6822 struct nft_obj_filter *filter = cb->data;
6823
6824 if (filter) {
6825 kfree(filter->table);
6826 kfree(filter);
6827 }
6828
6829 return 0;
6830 }
6831
6832 /* called with rcu_read_lock held */
6833 static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
6834 const struct nlattr * const nla[])
6835 {
6836 struct netlink_ext_ack *extack = info->extack;
6837 u8 genmask = nft_genmask_cur(info->net);
6838 u8 family = info->nfmsg->nfgen_family;
6839 const struct nft_table *table;
6840 struct net *net = info->net;
6841 struct nft_object *obj;
6842 struct sk_buff *skb2;
6843 bool reset = false;
6844 u32 objtype;
6845 int err;
6846
6847 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
6848 struct netlink_dump_control c = {
6849 .start = nf_tables_dump_obj_start,
6850 .dump = nf_tables_dump_obj,
6851 .done = nf_tables_dump_obj_done,
6852 .module = THIS_MODULE,
6853 .data = (void *)nla,
6854 };
6855
6856 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
6857 }
6858
6859 if (!nla[NFTA_OBJ_NAME] ||
6860 !nla[NFTA_OBJ_TYPE])
6861 return -EINVAL;
6862
6863 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0);
6864 if (IS_ERR(table)) {
6865 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6866 return PTR_ERR(table);
6867 }
6868
6869 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6870 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
6871 if (IS_ERR(obj)) {
6872 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6873 return PTR_ERR(obj);
6874 }
6875
6876 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6877 if (!skb2)
6878 return -ENOMEM;
6879
6880 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
6881 reset = true;
6882
6883 if (reset) {
6884 const struct nftables_pernet *nft_net;
6885 char *buf;
6886
6887 nft_net = nft_pernet(net);
6888 buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, nft_net->base_seq);
6889
6890 audit_log_nfcfg(buf,
6891 family,
6892 obj->handle,
6893 AUDIT_NFT_OP_OBJ_RESET,
6894 GFP_ATOMIC);
6895 kfree(buf);
6896 }
6897
6898 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
6899 info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
6900 family, table, obj, reset);
6901 if (err < 0)
6902 goto err_fill_obj_info;
6903
6904 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
6905
6906 err_fill_obj_info:
6907 kfree_skb(skb2);
6908 return err;
6909 }
6910
6911 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
6912 {
6913 if (obj->ops->destroy)
6914 obj->ops->destroy(ctx, obj);
6915
6916 module_put(obj->ops->type->owner);
6917 kfree(obj->key.name);
6918 kfree(obj->udata);
6919 kfree(obj);
6920 }
6921
6922 static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info,
6923 const struct nlattr * const nla[])
6924 {
6925 struct netlink_ext_ack *extack = info->extack;
6926 u8 genmask = nft_genmask_next(info->net);
6927 u8 family = info->nfmsg->nfgen_family;
6928 struct net *net = info->net;
6929 const struct nlattr *attr;
6930 struct nft_table *table;
6931 struct nft_object *obj;
6932 struct nft_ctx ctx;
6933 u32 objtype;
6934
6935 if (!nla[NFTA_OBJ_TYPE] ||
6936 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
6937 return -EINVAL;
6938
6939 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
6940 NETLINK_CB(skb).portid);
6941 if (IS_ERR(table)) {
6942 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6943 return PTR_ERR(table);
6944 }
6945
6946 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6947 if (nla[NFTA_OBJ_HANDLE]) {
6948 attr = nla[NFTA_OBJ_HANDLE];
6949 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
6950 } else {
6951 attr = nla[NFTA_OBJ_NAME];
6952 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
6953 }
6954
6955 if (IS_ERR(obj)) {
6956 NL_SET_BAD_ATTR(extack, attr);
6957 return PTR_ERR(obj);
6958 }
6959 if (obj->use > 0) {
6960 NL_SET_BAD_ATTR(extack, attr);
6961 return -EBUSY;
6962 }
6963
6964 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
6965
6966 return nft_delobj(&ctx, obj);
6967 }
6968
6969 void nft_obj_notify(struct net *net, const struct nft_table *table,
6970 struct nft_object *obj, u32 portid, u32 seq, int event,
6971 u16 flags, int family, int report, gfp_t gfp)
6972 {
6973 struct nftables_pernet *nft_net = nft_pernet(net);
6974 struct sk_buff *skb;
6975 int err;
6976 char *buf = kasprintf(gfp, "%s:%u",
6977 table->name, nft_net->base_seq);
6978
6979 audit_log_nfcfg(buf,
6980 family,
6981 obj->handle,
6982 event == NFT_MSG_NEWOBJ ?
6983 AUDIT_NFT_OP_OBJ_REGISTER :
6984 AUDIT_NFT_OP_OBJ_UNREGISTER,
6985 gfp);
6986 kfree(buf);
6987
6988 if (!report &&
6989 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6990 return;
6991
6992 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
6993 if (skb == NULL)
6994 goto err;
6995
6996 err = nf_tables_fill_obj_info(skb, net, portid, seq, event,
6997 flags & (NLM_F_CREATE | NLM_F_EXCL),
6998 family, table, obj, false);
6999 if (err < 0) {
7000 kfree_skb(skb);
7001 goto err;
7002 }
7003
7004 nft_notify_enqueue(skb, report, &nft_net->notify_list);
7005 return;
7006 err:
7007 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
7008 }
7009 EXPORT_SYMBOL_GPL(nft_obj_notify);
7010
7011 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
7012 struct nft_object *obj, int event)
7013 {
7014 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
7015 ctx->flags, ctx->family, ctx->report, GFP_KERNEL);
7016 }
7017
7018 /*
7019 * Flow tables
7020 */
7021 void nft_register_flowtable_type(struct nf_flowtable_type *type)
7022 {
7023 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7024 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
7025 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7026 }
7027 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
7028
7029 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
7030 {
7031 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7032 list_del_rcu(&type->list);
7033 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7034 }
7035 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
7036
7037 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
7038 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
7039 .len = NFT_NAME_MAXLEN - 1 },
7040 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
7041 .len = NFT_NAME_MAXLEN - 1 },
7042 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
7043 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
7044 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
7045 };
7046
7047 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
7048 const struct nlattr *nla, u8 genmask)
7049 {
7050 struct nft_flowtable *flowtable;
7051
7052 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
7053 if (!nla_strcmp(nla, flowtable->name) &&
7054 nft_active_genmask(flowtable, genmask))
7055 return flowtable;
7056 }
7057 return ERR_PTR(-ENOENT);
7058 }
7059 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
7060
7061 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
7062 struct nft_flowtable *flowtable,
7063 enum nft_trans_phase phase)
7064 {
7065 switch (phase) {
7066 case NFT_TRANS_PREPARE:
7067 case NFT_TRANS_ABORT:
7068 case NFT_TRANS_RELEASE:
7069 flowtable->use--;
7070 fallthrough;
7071 default:
7072 return;
7073 }
7074 }
7075 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
7076
7077 static struct nft_flowtable *
7078 nft_flowtable_lookup_byhandle(const struct nft_table *table,
7079 const struct nlattr *nla, u8 genmask)
7080 {
7081 struct nft_flowtable *flowtable;
7082
7083 list_for_each_entry(flowtable, &table->flowtables, list) {
7084 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
7085 nft_active_genmask(flowtable, genmask))
7086 return flowtable;
7087 }
7088 return ERR_PTR(-ENOENT);
7089 }
7090
7091 struct nft_flowtable_hook {
7092 u32 num;
7093 int priority;
7094 struct list_head list;
7095 };
7096
7097 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
7098 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
7099 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
7100 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
7101 };
7102
7103 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
7104 const struct nlattr *attr,
7105 struct nft_flowtable_hook *flowtable_hook,
7106 struct nft_flowtable *flowtable, bool add)
7107 {
7108 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
7109 struct nft_hook *hook;
7110 int hooknum, priority;
7111 int err;
7112
7113 INIT_LIST_HEAD(&flowtable_hook->list);
7114
7115 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
7116 nft_flowtable_hook_policy, NULL);
7117 if (err < 0)
7118 return err;
7119
7120 if (add) {
7121 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
7122 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY])
7123 return -EINVAL;
7124
7125 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
7126 if (hooknum != NF_NETDEV_INGRESS)
7127 return -EOPNOTSUPP;
7128
7129 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
7130
7131 flowtable_hook->priority = priority;
7132 flowtable_hook->num = hooknum;
7133 } else {
7134 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
7135 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
7136 if (hooknum != flowtable->hooknum)
7137 return -EOPNOTSUPP;
7138 }
7139
7140 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
7141 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
7142 if (priority != flowtable->data.priority)
7143 return -EOPNOTSUPP;
7144 }
7145
7146 flowtable_hook->priority = flowtable->data.priority;
7147 flowtable_hook->num = flowtable->hooknum;
7148 }
7149
7150 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
7151 err = nf_tables_parse_netdev_hooks(ctx->net,
7152 tb[NFTA_FLOWTABLE_HOOK_DEVS],
7153 &flowtable_hook->list);
7154 if (err < 0)
7155 return err;
7156 }
7157
7158 list_for_each_entry(hook, &flowtable_hook->list, list) {
7159 hook->ops.pf = NFPROTO_NETDEV;
7160 hook->ops.hooknum = flowtable_hook->num;
7161 hook->ops.priority = flowtable_hook->priority;
7162 hook->ops.priv = &flowtable->data;
7163 hook->ops.hook = flowtable->data.type->hook;
7164 }
7165
7166 return err;
7167 }
7168
7169 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
7170 {
7171 const struct nf_flowtable_type *type;
7172
7173 list_for_each_entry(type, &nf_tables_flowtables, list) {
7174 if (family == type->family)
7175 return type;
7176 }
7177 return NULL;
7178 }
7179
7180 static const struct nf_flowtable_type *
7181 nft_flowtable_type_get(struct net *net, u8 family)
7182 {
7183 const struct nf_flowtable_type *type;
7184
7185 type = __nft_flowtable_type_get(family);
7186 if (type != NULL && try_module_get(type->owner))
7187 return type;
7188
7189 lockdep_nfnl_nft_mutex_not_held();
7190 #ifdef CONFIG_MODULES
7191 if (type == NULL) {
7192 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
7193 return ERR_PTR(-EAGAIN);
7194 }
7195 #endif
7196 return ERR_PTR(-ENOENT);
7197 }
7198
7199 /* Only called from error and netdev event paths. */
7200 static void nft_unregister_flowtable_hook(struct net *net,
7201 struct nft_flowtable *flowtable,
7202 struct nft_hook *hook)
7203 {
7204 nf_unregister_net_hook(net, &hook->ops);
7205 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
7206 FLOW_BLOCK_UNBIND);
7207 }
7208
7209 static void nft_unregister_flowtable_net_hooks(struct net *net,
7210 struct list_head *hook_list)
7211 {
7212 struct nft_hook *hook;
7213
7214 list_for_each_entry(hook, hook_list, list)
7215 nf_unregister_net_hook(net, &hook->ops);
7216 }
7217
7218 static int nft_register_flowtable_net_hooks(struct net *net,
7219 struct nft_table *table,
7220 struct list_head *hook_list,
7221 struct nft_flowtable *flowtable)
7222 {
7223 struct nft_hook *hook, *hook2, *next;
7224 struct nft_flowtable *ft;
7225 int err, i = 0;
7226
7227 list_for_each_entry(hook, hook_list, list) {
7228 list_for_each_entry(ft, &table->flowtables, list) {
7229 if (!nft_is_active_next(net, ft))
7230 continue;
7231
7232 list_for_each_entry(hook2, &ft->hook_list, list) {
7233 if (hook->ops.dev == hook2->ops.dev &&
7234 hook->ops.pf == hook2->ops.pf) {
7235 err = -EEXIST;
7236 goto err_unregister_net_hooks;
7237 }
7238 }
7239 }
7240
7241 err = flowtable->data.type->setup(&flowtable->data,
7242 hook->ops.dev,
7243 FLOW_BLOCK_BIND);
7244 if (err < 0)
7245 goto err_unregister_net_hooks;
7246
7247 err = nf_register_net_hook(net, &hook->ops);
7248 if (err < 0) {
7249 flowtable->data.type->setup(&flowtable->data,
7250 hook->ops.dev,
7251 FLOW_BLOCK_UNBIND);
7252 goto err_unregister_net_hooks;
7253 }
7254
7255 i++;
7256 }
7257
7258 return 0;
7259
7260 err_unregister_net_hooks:
7261 list_for_each_entry_safe(hook, next, hook_list, list) {
7262 if (i-- <= 0)
7263 break;
7264
7265 nft_unregister_flowtable_hook(net, flowtable, hook);
7266 list_del_rcu(&hook->list);
7267 kfree_rcu(hook, rcu);
7268 }
7269
7270 return err;
7271 }
7272
7273 static void nft_flowtable_hooks_destroy(struct list_head *hook_list)
7274 {
7275 struct nft_hook *hook, *next;
7276
7277 list_for_each_entry_safe(hook, next, hook_list, list) {
7278 list_del_rcu(&hook->list);
7279 kfree_rcu(hook, rcu);
7280 }
7281 }
7282
7283 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
7284 struct nft_flowtable *flowtable)
7285 {
7286 const struct nlattr * const *nla = ctx->nla;
7287 struct nft_flowtable_hook flowtable_hook;
7288 struct nft_hook *hook, *next;
7289 struct nft_trans *trans;
7290 bool unregister = false;
7291 u32 flags;
7292 int err;
7293
7294 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
7295 &flowtable_hook, flowtable, false);
7296 if (err < 0)
7297 return err;
7298
7299 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
7300 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
7301 list_del(&hook->list);
7302 kfree(hook);
7303 }
7304 }
7305
7306 if (nla[NFTA_FLOWTABLE_FLAGS]) {
7307 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
7308 if (flags & ~NFT_FLOWTABLE_MASK)
7309 return -EOPNOTSUPP;
7310 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^
7311 (flags & NFT_FLOWTABLE_HW_OFFLOAD))
7312 return -EOPNOTSUPP;
7313 } else {
7314 flags = flowtable->data.flags;
7315 }
7316
7317 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
7318 &flowtable_hook.list, flowtable);
7319 if (err < 0)
7320 goto err_flowtable_update_hook;
7321
7322 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
7323 sizeof(struct nft_trans_flowtable));
7324 if (!trans) {
7325 unregister = true;
7326 err = -ENOMEM;
7327 goto err_flowtable_update_hook;
7328 }
7329
7330 nft_trans_flowtable_flags(trans) = flags;
7331 nft_trans_flowtable(trans) = flowtable;
7332 nft_trans_flowtable_update(trans) = true;
7333 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
7334 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
7335
7336 nft_trans_commit_list_add_tail(ctx->net, trans);
7337
7338 return 0;
7339
7340 err_flowtable_update_hook:
7341 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
7342 if (unregister)
7343 nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
7344 list_del_rcu(&hook->list);
7345 kfree_rcu(hook, rcu);
7346 }
7347
7348 return err;
7349
7350 }
7351
7352 static int nf_tables_newflowtable(struct sk_buff *skb,
7353 const struct nfnl_info *info,
7354 const struct nlattr * const nla[])
7355 {
7356 struct netlink_ext_ack *extack = info->extack;
7357 struct nft_flowtable_hook flowtable_hook;
7358 u8 genmask = nft_genmask_next(info->net);
7359 u8 family = info->nfmsg->nfgen_family;
7360 const struct nf_flowtable_type *type;
7361 struct nft_flowtable *flowtable;
7362 struct nft_hook *hook, *next;
7363 struct net *net = info->net;
7364 struct nft_table *table;
7365 struct nft_ctx ctx;
7366 int err;
7367
7368 if (!nla[NFTA_FLOWTABLE_TABLE] ||
7369 !nla[NFTA_FLOWTABLE_NAME] ||
7370 !nla[NFTA_FLOWTABLE_HOOK])
7371 return -EINVAL;
7372
7373 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
7374 genmask, NETLINK_CB(skb).portid);
7375 if (IS_ERR(table)) {
7376 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
7377 return PTR_ERR(table);
7378 }
7379
7380 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
7381 genmask);
7382 if (IS_ERR(flowtable)) {
7383 err = PTR_ERR(flowtable);
7384 if (err != -ENOENT) {
7385 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
7386 return err;
7387 }
7388 } else {
7389 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
7390 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
7391 return -EEXIST;
7392 }
7393
7394 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7395
7396 return nft_flowtable_update(&ctx, info->nlh, flowtable);
7397 }
7398
7399 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7400
7401 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
7402 if (!flowtable)
7403 return -ENOMEM;
7404
7405 flowtable->table = table;
7406 flowtable->handle = nf_tables_alloc_handle(table);
7407 INIT_LIST_HEAD(&flowtable->hook_list);
7408
7409 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
7410 if (!flowtable->name) {
7411 err = -ENOMEM;
7412 goto err1;
7413 }
7414
7415 type = nft_flowtable_type_get(net, family);
7416 if (IS_ERR(type)) {
7417 err = PTR_ERR(type);
7418 goto err2;
7419 }
7420
7421 if (nla[NFTA_FLOWTABLE_FLAGS]) {
7422 flowtable->data.flags =
7423 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
7424 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) {
7425 err = -EOPNOTSUPP;
7426 goto err3;
7427 }
7428 }
7429
7430 write_pnet(&flowtable->data.net, net);
7431 flowtable->data.type = type;
7432 err = type->init(&flowtable->data);
7433 if (err < 0)
7434 goto err3;
7435
7436 err = nft_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
7437 &flowtable_hook, flowtable, true);
7438 if (err < 0)
7439 goto err4;
7440
7441 list_splice(&flowtable_hook.list, &flowtable->hook_list);
7442 flowtable->data.priority = flowtable_hook.priority;
7443 flowtable->hooknum = flowtable_hook.num;
7444
7445 err = nft_register_flowtable_net_hooks(ctx.net, table,
7446 &flowtable->hook_list,
7447 flowtable);
7448 if (err < 0) {
7449 nft_flowtable_hooks_destroy(&flowtable->hook_list);
7450 goto err4;
7451 }
7452
7453 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
7454 if (err < 0)
7455 goto err5;
7456
7457 list_add_tail_rcu(&flowtable->list, &table->flowtables);
7458 table->use++;
7459
7460 return 0;
7461 err5:
7462 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7463 nft_unregister_flowtable_hook(net, flowtable, hook);
7464 list_del_rcu(&hook->list);
7465 kfree_rcu(hook, rcu);
7466 }
7467 err4:
7468 flowtable->data.type->free(&flowtable->data);
7469 err3:
7470 module_put(type->owner);
7471 err2:
7472 kfree(flowtable->name);
7473 err1:
7474 kfree(flowtable);
7475 return err;
7476 }
7477
7478 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
7479 {
7480 struct nft_hook *this, *next;
7481
7482 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
7483 list_del(&this->list);
7484 kfree(this);
7485 }
7486 }
7487
7488 static int nft_delflowtable_hook(struct nft_ctx *ctx,
7489 struct nft_flowtable *flowtable)
7490 {
7491 const struct nlattr * const *nla = ctx->nla;
7492 struct nft_flowtable_hook flowtable_hook;
7493 struct nft_hook *this, *hook;
7494 struct nft_trans *trans;
7495 int err;
7496
7497 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
7498 &flowtable_hook, flowtable, false);
7499 if (err < 0)
7500 return err;
7501
7502 list_for_each_entry(this, &flowtable_hook.list, list) {
7503 hook = nft_hook_list_find(&flowtable->hook_list, this);
7504 if (!hook) {
7505 err = -ENOENT;
7506 goto err_flowtable_del_hook;
7507 }
7508 hook->inactive = true;
7509 }
7510
7511 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
7512 sizeof(struct nft_trans_flowtable));
7513 if (!trans) {
7514 err = -ENOMEM;
7515 goto err_flowtable_del_hook;
7516 }
7517
7518 nft_trans_flowtable(trans) = flowtable;
7519 nft_trans_flowtable_update(trans) = true;
7520 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
7521 nft_flowtable_hook_release(&flowtable_hook);
7522
7523 nft_trans_commit_list_add_tail(ctx->net, trans);
7524
7525 return 0;
7526
7527 err_flowtable_del_hook:
7528 list_for_each_entry(this, &flowtable_hook.list, list) {
7529 hook = nft_hook_list_find(&flowtable->hook_list, this);
7530 if (!hook)
7531 break;
7532
7533 hook->inactive = false;
7534 }
7535 nft_flowtable_hook_release(&flowtable_hook);
7536
7537 return err;
7538 }
7539
7540 static int nf_tables_delflowtable(struct sk_buff *skb,
7541 const struct nfnl_info *info,
7542 const struct nlattr * const nla[])
7543 {
7544 struct netlink_ext_ack *extack = info->extack;
7545 u8 genmask = nft_genmask_next(info->net);
7546 u8 family = info->nfmsg->nfgen_family;
7547 struct nft_flowtable *flowtable;
7548 struct net *net = info->net;
7549 const struct nlattr *attr;
7550 struct nft_table *table;
7551 struct nft_ctx ctx;
7552
7553 if (!nla[NFTA_FLOWTABLE_TABLE] ||
7554 (!nla[NFTA_FLOWTABLE_NAME] &&
7555 !nla[NFTA_FLOWTABLE_HANDLE]))
7556 return -EINVAL;
7557
7558 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
7559 genmask, NETLINK_CB(skb).portid);
7560 if (IS_ERR(table)) {
7561 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
7562 return PTR_ERR(table);
7563 }
7564
7565 if (nla[NFTA_FLOWTABLE_HANDLE]) {
7566 attr = nla[NFTA_FLOWTABLE_HANDLE];
7567 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
7568 } else {
7569 attr = nla[NFTA_FLOWTABLE_NAME];
7570 flowtable = nft_flowtable_lookup(table, attr, genmask);
7571 }
7572
7573 if (IS_ERR(flowtable)) {
7574 NL_SET_BAD_ATTR(extack, attr);
7575 return PTR_ERR(flowtable);
7576 }
7577
7578 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7579
7580 if (nla[NFTA_FLOWTABLE_HOOK])
7581 return nft_delflowtable_hook(&ctx, flowtable);
7582
7583 if (flowtable->use > 0) {
7584 NL_SET_BAD_ATTR(extack, attr);
7585 return -EBUSY;
7586 }
7587
7588 return nft_delflowtable(&ctx, flowtable);
7589 }
7590
7591 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
7592 u32 portid, u32 seq, int event,
7593 u32 flags, int family,
7594 struct nft_flowtable *flowtable,
7595 struct list_head *hook_list)
7596 {
7597 struct nlattr *nest, *nest_devs;
7598 struct nft_hook *hook;
7599 struct nlmsghdr *nlh;
7600
7601 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
7602 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
7603 NFNETLINK_V0, nft_base_seq(net));
7604 if (!nlh)
7605 goto nla_put_failure;
7606
7607 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
7608 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
7609 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
7610 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
7611 NFTA_FLOWTABLE_PAD) ||
7612 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
7613 goto nla_put_failure;
7614
7615 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
7616 if (!nest)
7617 goto nla_put_failure;
7618 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
7619 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
7620 goto nla_put_failure;
7621
7622 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
7623 if (!nest_devs)
7624 goto nla_put_failure;
7625
7626 list_for_each_entry_rcu(hook, hook_list, list) {
7627 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
7628 goto nla_put_failure;
7629 }
7630 nla_nest_end(skb, nest_devs);
7631 nla_nest_end(skb, nest);
7632
7633 nlmsg_end(skb, nlh);
7634 return 0;
7635
7636 nla_put_failure:
7637 nlmsg_trim(skb, nlh);
7638 return -1;
7639 }
7640
7641 struct nft_flowtable_filter {
7642 char *table;
7643 };
7644
7645 static int nf_tables_dump_flowtable(struct sk_buff *skb,
7646 struct netlink_callback *cb)
7647 {
7648 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
7649 struct nft_flowtable_filter *filter = cb->data;
7650 unsigned int idx = 0, s_idx = cb->args[0];
7651 struct net *net = sock_net(skb->sk);
7652 int family = nfmsg->nfgen_family;
7653 struct nft_flowtable *flowtable;
7654 struct nftables_pernet *nft_net;
7655 const struct nft_table *table;
7656
7657 rcu_read_lock();
7658 nft_net = nft_pernet(net);
7659 cb->seq = nft_net->base_seq;
7660
7661 list_for_each_entry_rcu(table, &nft_net->tables, list) {
7662 if (family != NFPROTO_UNSPEC && family != table->family)
7663 continue;
7664
7665 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
7666 if (!nft_is_active(net, flowtable))
7667 goto cont;
7668 if (idx < s_idx)
7669 goto cont;
7670 if (idx > s_idx)
7671 memset(&cb->args[1], 0,
7672 sizeof(cb->args) - sizeof(cb->args[0]));
7673 if (filter && filter->table &&
7674 strcmp(filter->table, table->name))
7675 goto cont;
7676
7677 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
7678 cb->nlh->nlmsg_seq,
7679 NFT_MSG_NEWFLOWTABLE,
7680 NLM_F_MULTI | NLM_F_APPEND,
7681 table->family,
7682 flowtable,
7683 &flowtable->hook_list) < 0)
7684 goto done;
7685
7686 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
7687 cont:
7688 idx++;
7689 }
7690 }
7691 done:
7692 rcu_read_unlock();
7693
7694 cb->args[0] = idx;
7695 return skb->len;
7696 }
7697
7698 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
7699 {
7700 const struct nlattr * const *nla = cb->data;
7701 struct nft_flowtable_filter *filter = NULL;
7702
7703 if (nla[NFTA_FLOWTABLE_TABLE]) {
7704 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
7705 if (!filter)
7706 return -ENOMEM;
7707
7708 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
7709 GFP_ATOMIC);
7710 if (!filter->table) {
7711 kfree(filter);
7712 return -ENOMEM;
7713 }
7714 }
7715
7716 cb->data = filter;
7717 return 0;
7718 }
7719
7720 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
7721 {
7722 struct nft_flowtable_filter *filter = cb->data;
7723
7724 if (!filter)
7725 return 0;
7726
7727 kfree(filter->table);
7728 kfree(filter);
7729
7730 return 0;
7731 }
7732
7733 /* called with rcu_read_lock held */
7734 static int nf_tables_getflowtable(struct sk_buff *skb,
7735 const struct nfnl_info *info,
7736 const struct nlattr * const nla[])
7737 {
7738 u8 genmask = nft_genmask_cur(info->net);
7739 u8 family = info->nfmsg->nfgen_family;
7740 struct nft_flowtable *flowtable;
7741 const struct nft_table *table;
7742 struct net *net = info->net;
7743 struct sk_buff *skb2;
7744 int err;
7745
7746 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
7747 struct netlink_dump_control c = {
7748 .start = nf_tables_dump_flowtable_start,
7749 .dump = nf_tables_dump_flowtable,
7750 .done = nf_tables_dump_flowtable_done,
7751 .module = THIS_MODULE,
7752 .data = (void *)nla,
7753 };
7754
7755 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
7756 }
7757
7758 if (!nla[NFTA_FLOWTABLE_NAME])
7759 return -EINVAL;
7760
7761 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
7762 genmask, 0);
7763 if (IS_ERR(table))
7764 return PTR_ERR(table);
7765
7766 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
7767 genmask);
7768 if (IS_ERR(flowtable))
7769 return PTR_ERR(flowtable);
7770
7771 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7772 if (!skb2)
7773 return -ENOMEM;
7774
7775 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
7776 info->nlh->nlmsg_seq,
7777 NFT_MSG_NEWFLOWTABLE, 0, family,
7778 flowtable, &flowtable->hook_list);
7779 if (err < 0)
7780 goto err_fill_flowtable_info;
7781
7782 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7783
7784 err_fill_flowtable_info:
7785 kfree_skb(skb2);
7786 return err;
7787 }
7788
7789 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
7790 struct nft_flowtable *flowtable,
7791 struct list_head *hook_list,
7792 int event)
7793 {
7794 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
7795 struct sk_buff *skb;
7796 u16 flags = 0;
7797 int err;
7798
7799 if (!ctx->report &&
7800 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
7801 return;
7802
7803 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
7804 if (skb == NULL)
7805 goto err;
7806
7807 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
7808 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
7809
7810 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
7811 ctx->seq, event, flags,
7812 ctx->family, flowtable, hook_list);
7813 if (err < 0) {
7814 kfree_skb(skb);
7815 goto err;
7816 }
7817
7818 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
7819 return;
7820 err:
7821 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
7822 }
7823
7824 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
7825 {
7826 struct nft_hook *hook, *next;
7827
7828 flowtable->data.type->free(&flowtable->data);
7829 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7830 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
7831 FLOW_BLOCK_UNBIND);
7832 list_del_rcu(&hook->list);
7833 kfree(hook);
7834 }
7835 kfree(flowtable->name);
7836 module_put(flowtable->data.type->owner);
7837 kfree(flowtable);
7838 }
7839
7840 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
7841 u32 portid, u32 seq)
7842 {
7843 struct nftables_pernet *nft_net = nft_pernet(net);
7844 struct nlmsghdr *nlh;
7845 char buf[TASK_COMM_LEN];
7846 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
7847
7848 nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC,
7849 NFNETLINK_V0, nft_base_seq(net));
7850 if (!nlh)
7851 goto nla_put_failure;
7852
7853 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) ||
7854 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
7855 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
7856 goto nla_put_failure;
7857
7858 nlmsg_end(skb, nlh);
7859 return 0;
7860
7861 nla_put_failure:
7862 nlmsg_trim(skb, nlh);
7863 return -EMSGSIZE;
7864 }
7865
7866 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
7867 struct nft_flowtable *flowtable)
7868 {
7869 struct nft_hook *hook;
7870
7871 list_for_each_entry(hook, &flowtable->hook_list, list) {
7872 if (hook->ops.dev != dev)
7873 continue;
7874
7875 /* flow_offload_netdev_event() cleans up entries for us. */
7876 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
7877 list_del_rcu(&hook->list);
7878 kfree_rcu(hook, rcu);
7879 break;
7880 }
7881 }
7882
7883 static int nf_tables_flowtable_event(struct notifier_block *this,
7884 unsigned long event, void *ptr)
7885 {
7886 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
7887 struct nft_flowtable *flowtable;
7888 struct nftables_pernet *nft_net;
7889 struct nft_table *table;
7890 struct net *net;
7891
7892 if (event != NETDEV_UNREGISTER)
7893 return 0;
7894
7895 net = dev_net(dev);
7896 nft_net = nft_pernet(net);
7897 mutex_lock(&nft_net->commit_mutex);
7898 list_for_each_entry(table, &nft_net->tables, list) {
7899 list_for_each_entry(flowtable, &table->flowtables, list) {
7900 nft_flowtable_event(event, dev, flowtable);
7901 }
7902 }
7903 mutex_unlock(&nft_net->commit_mutex);
7904
7905 return NOTIFY_DONE;
7906 }
7907
7908 static struct notifier_block nf_tables_flowtable_notifier = {
7909 .notifier_call = nf_tables_flowtable_event,
7910 };
7911
7912 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
7913 int event)
7914 {
7915 struct nlmsghdr *nlh = nlmsg_hdr(skb);
7916 struct sk_buff *skb2;
7917 int err;
7918
7919 if (!nlmsg_report(nlh) &&
7920 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
7921 return;
7922
7923 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
7924 if (skb2 == NULL)
7925 goto err;
7926
7927 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
7928 nlh->nlmsg_seq);
7929 if (err < 0) {
7930 kfree_skb(skb2);
7931 goto err;
7932 }
7933
7934 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
7935 nlmsg_report(nlh), GFP_KERNEL);
7936 return;
7937 err:
7938 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
7939 -ENOBUFS);
7940 }
7941
7942 static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info,
7943 const struct nlattr * const nla[])
7944 {
7945 struct sk_buff *skb2;
7946 int err;
7947
7948 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7949 if (skb2 == NULL)
7950 return -ENOMEM;
7951
7952 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid,
7953 info->nlh->nlmsg_seq);
7954 if (err < 0)
7955 goto err_fill_gen_info;
7956
7957 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
7958
7959 err_fill_gen_info:
7960 kfree_skb(skb2);
7961 return err;
7962 }
7963
7964 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
7965 [NFT_MSG_NEWTABLE] = {
7966 .call = nf_tables_newtable,
7967 .type = NFNL_CB_BATCH,
7968 .attr_count = NFTA_TABLE_MAX,
7969 .policy = nft_table_policy,
7970 },
7971 [NFT_MSG_GETTABLE] = {
7972 .call = nf_tables_gettable,
7973 .type = NFNL_CB_RCU,
7974 .attr_count = NFTA_TABLE_MAX,
7975 .policy = nft_table_policy,
7976 },
7977 [NFT_MSG_DELTABLE] = {
7978 .call = nf_tables_deltable,
7979 .type = NFNL_CB_BATCH,
7980 .attr_count = NFTA_TABLE_MAX,
7981 .policy = nft_table_policy,
7982 },
7983 [NFT_MSG_NEWCHAIN] = {
7984 .call = nf_tables_newchain,
7985 .type = NFNL_CB_BATCH,
7986 .attr_count = NFTA_CHAIN_MAX,
7987 .policy = nft_chain_policy,
7988 },
7989 [NFT_MSG_GETCHAIN] = {
7990 .call = nf_tables_getchain,
7991 .type = NFNL_CB_RCU,
7992 .attr_count = NFTA_CHAIN_MAX,
7993 .policy = nft_chain_policy,
7994 },
7995 [NFT_MSG_DELCHAIN] = {
7996 .call = nf_tables_delchain,
7997 .type = NFNL_CB_BATCH,
7998 .attr_count = NFTA_CHAIN_MAX,
7999 .policy = nft_chain_policy,
8000 },
8001 [NFT_MSG_NEWRULE] = {
8002 .call = nf_tables_newrule,
8003 .type = NFNL_CB_BATCH,
8004 .attr_count = NFTA_RULE_MAX,
8005 .policy = nft_rule_policy,
8006 },
8007 [NFT_MSG_GETRULE] = {
8008 .call = nf_tables_getrule,
8009 .type = NFNL_CB_RCU,
8010 .attr_count = NFTA_RULE_MAX,
8011 .policy = nft_rule_policy,
8012 },
8013 [NFT_MSG_DELRULE] = {
8014 .call = nf_tables_delrule,
8015 .type = NFNL_CB_BATCH,
8016 .attr_count = NFTA_RULE_MAX,
8017 .policy = nft_rule_policy,
8018 },
8019 [NFT_MSG_NEWSET] = {
8020 .call = nf_tables_newset,
8021 .type = NFNL_CB_BATCH,
8022 .attr_count = NFTA_SET_MAX,
8023 .policy = nft_set_policy,
8024 },
8025 [NFT_MSG_GETSET] = {
8026 .call = nf_tables_getset,
8027 .type = NFNL_CB_RCU,
8028 .attr_count = NFTA_SET_MAX,
8029 .policy = nft_set_policy,
8030 },
8031 [NFT_MSG_DELSET] = {
8032 .call = nf_tables_delset,
8033 .type = NFNL_CB_BATCH,
8034 .attr_count = NFTA_SET_MAX,
8035 .policy = nft_set_policy,
8036 },
8037 [NFT_MSG_NEWSETELEM] = {
8038 .call = nf_tables_newsetelem,
8039 .type = NFNL_CB_BATCH,
8040 .attr_count = NFTA_SET_ELEM_LIST_MAX,
8041 .policy = nft_set_elem_list_policy,
8042 },
8043 [NFT_MSG_GETSETELEM] = {
8044 .call = nf_tables_getsetelem,
8045 .type = NFNL_CB_RCU,
8046 .attr_count = NFTA_SET_ELEM_LIST_MAX,
8047 .policy = nft_set_elem_list_policy,
8048 },
8049 [NFT_MSG_DELSETELEM] = {
8050 .call = nf_tables_delsetelem,
8051 .type = NFNL_CB_BATCH,
8052 .attr_count = NFTA_SET_ELEM_LIST_MAX,
8053 .policy = nft_set_elem_list_policy,
8054 },
8055 [NFT_MSG_GETGEN] = {
8056 .call = nf_tables_getgen,
8057 .type = NFNL_CB_RCU,
8058 },
8059 [NFT_MSG_NEWOBJ] = {
8060 .call = nf_tables_newobj,
8061 .type = NFNL_CB_BATCH,
8062 .attr_count = NFTA_OBJ_MAX,
8063 .policy = nft_obj_policy,
8064 },
8065 [NFT_MSG_GETOBJ] = {
8066 .call = nf_tables_getobj,
8067 .type = NFNL_CB_RCU,
8068 .attr_count = NFTA_OBJ_MAX,
8069 .policy = nft_obj_policy,
8070 },
8071 [NFT_MSG_DELOBJ] = {
8072 .call = nf_tables_delobj,
8073 .type = NFNL_CB_BATCH,
8074 .attr_count = NFTA_OBJ_MAX,
8075 .policy = nft_obj_policy,
8076 },
8077 [NFT_MSG_GETOBJ_RESET] = {
8078 .call = nf_tables_getobj,
8079 .type = NFNL_CB_RCU,
8080 .attr_count = NFTA_OBJ_MAX,
8081 .policy = nft_obj_policy,
8082 },
8083 [NFT_MSG_NEWFLOWTABLE] = {
8084 .call = nf_tables_newflowtable,
8085 .type = NFNL_CB_BATCH,
8086 .attr_count = NFTA_FLOWTABLE_MAX,
8087 .policy = nft_flowtable_policy,
8088 },
8089 [NFT_MSG_GETFLOWTABLE] = {
8090 .call = nf_tables_getflowtable,
8091 .type = NFNL_CB_RCU,
8092 .attr_count = NFTA_FLOWTABLE_MAX,
8093 .policy = nft_flowtable_policy,
8094 },
8095 [NFT_MSG_DELFLOWTABLE] = {
8096 .call = nf_tables_delflowtable,
8097 .type = NFNL_CB_BATCH,
8098 .attr_count = NFTA_FLOWTABLE_MAX,
8099 .policy = nft_flowtable_policy,
8100 },
8101 };
8102
8103 static int nf_tables_validate(struct net *net)
8104 {
8105 struct nftables_pernet *nft_net = nft_pernet(net);
8106 struct nft_table *table;
8107
8108 switch (nft_net->validate_state) {
8109 case NFT_VALIDATE_SKIP:
8110 break;
8111 case NFT_VALIDATE_NEED:
8112 nft_validate_state_update(net, NFT_VALIDATE_DO);
8113 fallthrough;
8114 case NFT_VALIDATE_DO:
8115 list_for_each_entry(table, &nft_net->tables, list) {
8116 if (nft_table_validate(net, table) < 0)
8117 return -EAGAIN;
8118 }
8119 break;
8120 }
8121
8122 return 0;
8123 }
8124
8125 /* a drop policy has to be deferred until all rules have been activated,
8126 * otherwise a large ruleset that contains a drop-policy base chain will
8127 * cause all packets to get dropped until the full transaction has been
8128 * processed.
8129 *
8130 * We defer the drop policy until the transaction has been finalized.
8131 */
8132 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
8133 {
8134 struct nft_base_chain *basechain;
8135
8136 if (nft_trans_chain_policy(trans) != NF_DROP)
8137 return;
8138
8139 if (!nft_is_base_chain(trans->ctx.chain))
8140 return;
8141
8142 basechain = nft_base_chain(trans->ctx.chain);
8143 basechain->policy = NF_DROP;
8144 }
8145
8146 static void nft_chain_commit_update(struct nft_trans *trans)
8147 {
8148 struct nft_base_chain *basechain;
8149
8150 if (nft_trans_chain_name(trans)) {
8151 rhltable_remove(&trans->ctx.table->chains_ht,
8152 &trans->ctx.chain->rhlhead,
8153 nft_chain_ht_params);
8154 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
8155 rhltable_insert_key(&trans->ctx.table->chains_ht,
8156 trans->ctx.chain->name,
8157 &trans->ctx.chain->rhlhead,
8158 nft_chain_ht_params);
8159 }
8160
8161 if (!nft_is_base_chain(trans->ctx.chain))
8162 return;
8163
8164 nft_chain_stats_replace(trans);
8165
8166 basechain = nft_base_chain(trans->ctx.chain);
8167
8168 switch (nft_trans_chain_policy(trans)) {
8169 case NF_DROP:
8170 case NF_ACCEPT:
8171 basechain->policy = nft_trans_chain_policy(trans);
8172 break;
8173 }
8174 }
8175
8176 static void nft_obj_commit_update(struct nft_trans *trans)
8177 {
8178 struct nft_object *newobj;
8179 struct nft_object *obj;
8180
8181 obj = nft_trans_obj(trans);
8182 newobj = nft_trans_obj_newobj(trans);
8183
8184 if (obj->ops->update)
8185 obj->ops->update(obj, newobj);
8186
8187 nft_obj_destroy(&trans->ctx, newobj);
8188 }
8189
8190 static void nft_commit_release(struct nft_trans *trans)
8191 {
8192 switch (trans->msg_type) {
8193 case NFT_MSG_DELTABLE:
8194 nf_tables_table_destroy(&trans->ctx);
8195 break;
8196 case NFT_MSG_NEWCHAIN:
8197 free_percpu(nft_trans_chain_stats(trans));
8198 kfree(nft_trans_chain_name(trans));
8199 break;
8200 case NFT_MSG_DELCHAIN:
8201 nf_tables_chain_destroy(&trans->ctx);
8202 break;
8203 case NFT_MSG_DELRULE:
8204 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
8205 break;
8206 case NFT_MSG_DELSET:
8207 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
8208 break;
8209 case NFT_MSG_DELSETELEM:
8210 nf_tables_set_elem_destroy(&trans->ctx,
8211 nft_trans_elem_set(trans),
8212 nft_trans_elem(trans).priv);
8213 break;
8214 case NFT_MSG_DELOBJ:
8215 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
8216 break;
8217 case NFT_MSG_DELFLOWTABLE:
8218 if (nft_trans_flowtable_update(trans))
8219 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
8220 else
8221 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
8222 break;
8223 }
8224
8225 if (trans->put_net)
8226 put_net(trans->ctx.net);
8227
8228 kfree(trans);
8229 }
8230
8231 static void nf_tables_trans_destroy_work(struct work_struct *w)
8232 {
8233 struct nft_trans *trans, *next;
8234 LIST_HEAD(head);
8235
8236 spin_lock(&nf_tables_destroy_list_lock);
8237 list_splice_init(&nf_tables_destroy_list, &head);
8238 spin_unlock(&nf_tables_destroy_list_lock);
8239
8240 if (list_empty(&head))
8241 return;
8242
8243 synchronize_rcu();
8244
8245 list_for_each_entry_safe(trans, next, &head, list) {
8246 list_del(&trans->list);
8247 nft_commit_release(trans);
8248 }
8249 }
8250
8251 void nf_tables_trans_destroy_flush_work(void)
8252 {
8253 flush_work(&trans_destroy_work);
8254 }
8255 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
8256
8257 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
8258 {
8259 struct nft_rule *rule;
8260 unsigned int alloc = 0;
8261 int i;
8262
8263 /* already handled or inactive chain? */
8264 if (chain->rules_next || !nft_is_active_next(net, chain))
8265 return 0;
8266
8267 rule = list_entry(&chain->rules, struct nft_rule, list);
8268 i = 0;
8269
8270 list_for_each_entry_continue(rule, &chain->rules, list) {
8271 if (nft_is_active_next(net, rule))
8272 alloc++;
8273 }
8274
8275 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
8276 if (!chain->rules_next)
8277 return -ENOMEM;
8278
8279 list_for_each_entry_continue(rule, &chain->rules, list) {
8280 if (nft_is_active_next(net, rule))
8281 chain->rules_next[i++] = rule;
8282 }
8283
8284 chain->rules_next[i] = NULL;
8285 return 0;
8286 }
8287
8288 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
8289 {
8290 struct nftables_pernet *nft_net = nft_pernet(net);
8291 struct nft_trans *trans, *next;
8292
8293 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
8294 struct nft_chain *chain = trans->ctx.chain;
8295
8296 if (trans->msg_type == NFT_MSG_NEWRULE ||
8297 trans->msg_type == NFT_MSG_DELRULE) {
8298 kvfree(chain->rules_next);
8299 chain->rules_next = NULL;
8300 }
8301 }
8302 }
8303
8304 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
8305 {
8306 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
8307
8308 kvfree(o->start);
8309 }
8310
8311 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
8312 {
8313 struct nft_rule **r = rules;
8314 struct nft_rules_old *old;
8315
8316 while (*r)
8317 r++;
8318
8319 r++; /* rcu_head is after end marker */
8320 old = (void *) r;
8321 old->start = rules;
8322
8323 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
8324 }
8325
8326 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
8327 {
8328 struct nft_rule **g0, **g1;
8329 bool next_genbit;
8330
8331 next_genbit = nft_gencursor_next(net);
8332
8333 g0 = rcu_dereference_protected(chain->rules_gen_0,
8334 lockdep_commit_lock_is_held(net));
8335 g1 = rcu_dereference_protected(chain->rules_gen_1,
8336 lockdep_commit_lock_is_held(net));
8337
8338 /* No changes to this chain? */
8339 if (chain->rules_next == NULL) {
8340 /* chain had no change in last or next generation */
8341 if (g0 == g1)
8342 return;
8343 /*
8344 * chain had no change in this generation; make sure next
8345 * one uses same rules as current generation.
8346 */
8347 if (next_genbit) {
8348 rcu_assign_pointer(chain->rules_gen_1, g0);
8349 nf_tables_commit_chain_free_rules_old(g1);
8350 } else {
8351 rcu_assign_pointer(chain->rules_gen_0, g1);
8352 nf_tables_commit_chain_free_rules_old(g0);
8353 }
8354
8355 return;
8356 }
8357
8358 if (next_genbit)
8359 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
8360 else
8361 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
8362
8363 chain->rules_next = NULL;
8364
8365 if (g0 == g1)
8366 return;
8367
8368 if (next_genbit)
8369 nf_tables_commit_chain_free_rules_old(g1);
8370 else
8371 nf_tables_commit_chain_free_rules_old(g0);
8372 }
8373
8374 static void nft_obj_del(struct nft_object *obj)
8375 {
8376 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
8377 list_del_rcu(&obj->list);
8378 }
8379
8380 void nft_chain_del(struct nft_chain *chain)
8381 {
8382 struct nft_table *table = chain->table;
8383
8384 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
8385 nft_chain_ht_params));
8386 list_del_rcu(&chain->list);
8387 }
8388
8389 static void nft_flowtable_hooks_del(struct nft_flowtable *flowtable,
8390 struct list_head *hook_list)
8391 {
8392 struct nft_hook *hook, *next;
8393
8394 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
8395 if (hook->inactive)
8396 list_move(&hook->list, hook_list);
8397 }
8398 }
8399
8400 static void nf_tables_module_autoload_cleanup(struct net *net)
8401 {
8402 struct nftables_pernet *nft_net = nft_pernet(net);
8403 struct nft_module_request *req, *next;
8404
8405 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
8406 list_for_each_entry_safe(req, next, &nft_net->module_list, list) {
8407 WARN_ON_ONCE(!req->done);
8408 list_del(&req->list);
8409 kfree(req);
8410 }
8411 }
8412
8413 static void nf_tables_commit_release(struct net *net)
8414 {
8415 struct nftables_pernet *nft_net = nft_pernet(net);
8416 struct nft_trans *trans;
8417
8418 /* all side effects have to be made visible.
8419 * For example, if a chain named 'foo' has been deleted, a
8420 * new transaction must not find it anymore.
8421 *
8422 * Memory reclaim happens asynchronously from work queue
8423 * to prevent expensive synchronize_rcu() in commit phase.
8424 */
8425 if (list_empty(&nft_net->commit_list)) {
8426 nf_tables_module_autoload_cleanup(net);
8427 mutex_unlock(&nft_net->commit_mutex);
8428 return;
8429 }
8430
8431 trans = list_last_entry(&nft_net->commit_list,
8432 struct nft_trans, list);
8433 get_net(trans->ctx.net);
8434 WARN_ON_ONCE(trans->put_net);
8435
8436 trans->put_net = true;
8437 spin_lock(&nf_tables_destroy_list_lock);
8438 list_splice_tail_init(&nft_net->commit_list, &nf_tables_destroy_list);
8439 spin_unlock(&nf_tables_destroy_list_lock);
8440
8441 nf_tables_module_autoload_cleanup(net);
8442 schedule_work(&trans_destroy_work);
8443
8444 mutex_unlock(&nft_net->commit_mutex);
8445 }
8446
8447 static void nft_commit_notify(struct net *net, u32 portid)
8448 {
8449 struct nftables_pernet *nft_net = nft_pernet(net);
8450 struct sk_buff *batch_skb = NULL, *nskb, *skb;
8451 unsigned char *data;
8452 int len;
8453
8454 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) {
8455 if (!batch_skb) {
8456 new_batch:
8457 batch_skb = skb;
8458 len = NLMSG_GOODSIZE - skb->len;
8459 list_del(&skb->list);
8460 continue;
8461 }
8462 len -= skb->len;
8463 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
8464 data = skb_put(batch_skb, skb->len);
8465 memcpy(data, skb->data, skb->len);
8466 list_del(&skb->list);
8467 kfree_skb(skb);
8468 continue;
8469 }
8470 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
8471 NFT_CB(batch_skb).report, GFP_KERNEL);
8472 goto new_batch;
8473 }
8474
8475 if (batch_skb) {
8476 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
8477 NFT_CB(batch_skb).report, GFP_KERNEL);
8478 }
8479
8480 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
8481 }
8482
8483 static int nf_tables_commit_audit_alloc(struct list_head *adl,
8484 struct nft_table *table)
8485 {
8486 struct nft_audit_data *adp;
8487
8488 list_for_each_entry(adp, adl, list) {
8489 if (adp->table == table)
8490 return 0;
8491 }
8492 adp = kzalloc(sizeof(*adp), GFP_KERNEL);
8493 if (!adp)
8494 return -ENOMEM;
8495 adp->table = table;
8496 list_add(&adp->list, adl);
8497 return 0;
8498 }
8499
8500 static void nf_tables_commit_audit_free(struct list_head *adl)
8501 {
8502 struct nft_audit_data *adp, *adn;
8503
8504 list_for_each_entry_safe(adp, adn, adl, list) {
8505 list_del(&adp->list);
8506 kfree(adp);
8507 }
8508 }
8509
8510 static void nf_tables_commit_audit_collect(struct list_head *adl,
8511 struct nft_table *table, u32 op)
8512 {
8513 struct nft_audit_data *adp;
8514
8515 list_for_each_entry(adp, adl, list) {
8516 if (adp->table == table)
8517 goto found;
8518 }
8519 WARN_ONCE(1, "table=%s not expected in commit list", table->name);
8520 return;
8521 found:
8522 adp->entries++;
8523 if (!adp->op || adp->op > op)
8524 adp->op = op;
8525 }
8526
8527 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22)
8528
8529 static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation)
8530 {
8531 struct nft_audit_data *adp, *adn;
8532 char aubuf[AUNFTABLENAMELEN];
8533
8534 list_for_each_entry_safe(adp, adn, adl, list) {
8535 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name,
8536 generation);
8537 audit_log_nfcfg(aubuf, adp->table->family, adp->entries,
8538 nft2audit_op[adp->op], GFP_KERNEL);
8539 list_del(&adp->list);
8540 kfree(adp);
8541 }
8542 }
8543
8544 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
8545 {
8546 struct nftables_pernet *nft_net = nft_pernet(net);
8547 struct nft_trans *trans, *next;
8548 struct nft_trans_elem *te;
8549 struct nft_chain *chain;
8550 struct nft_table *table;
8551 LIST_HEAD(adl);
8552 int err;
8553
8554 if (list_empty(&nft_net->commit_list)) {
8555 mutex_unlock(&nft_net->commit_mutex);
8556 return 0;
8557 }
8558
8559 /* 0. Validate ruleset, otherwise roll back for error reporting. */
8560 if (nf_tables_validate(net) < 0)
8561 return -EAGAIN;
8562
8563 err = nft_flow_rule_offload_commit(net);
8564 if (err < 0)
8565 return err;
8566
8567 /* 1. Allocate space for next generation rules_gen_X[] */
8568 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
8569 int ret;
8570
8571 ret = nf_tables_commit_audit_alloc(&adl, trans->ctx.table);
8572 if (ret) {
8573 nf_tables_commit_chain_prepare_cancel(net);
8574 nf_tables_commit_audit_free(&adl);
8575 return ret;
8576 }
8577 if (trans->msg_type == NFT_MSG_NEWRULE ||
8578 trans->msg_type == NFT_MSG_DELRULE) {
8579 chain = trans->ctx.chain;
8580
8581 ret = nf_tables_commit_chain_prepare(net, chain);
8582 if (ret < 0) {
8583 nf_tables_commit_chain_prepare_cancel(net);
8584 nf_tables_commit_audit_free(&adl);
8585 return ret;
8586 }
8587 }
8588 }
8589
8590 /* step 2. Make rules_gen_X visible to packet path */
8591 list_for_each_entry(table, &nft_net->tables, list) {
8592 list_for_each_entry(chain, &table->chains, list)
8593 nf_tables_commit_chain(net, chain);
8594 }
8595
8596 /*
8597 * Bump generation counter, invalidate any dump in progress.
8598 * Cannot fail after this point.
8599 */
8600 while (++nft_net->base_seq == 0)
8601 ;
8602
8603 /* step 3. Start new generation, rules_gen_X now in use. */
8604 net->nft.gencursor = nft_gencursor_next(net);
8605
8606 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
8607 nf_tables_commit_audit_collect(&adl, trans->ctx.table,
8608 trans->msg_type);
8609 switch (trans->msg_type) {
8610 case NFT_MSG_NEWTABLE:
8611 if (nft_trans_table_update(trans)) {
8612 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {
8613 nft_trans_destroy(trans);
8614 break;
8615 }
8616 if (trans->ctx.table->flags & NFT_TABLE_F_DORMANT)
8617 nf_tables_table_disable(net, trans->ctx.table);
8618
8619 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
8620 } else {
8621 nft_clear(net, trans->ctx.table);
8622 }
8623 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
8624 nft_trans_destroy(trans);
8625 break;
8626 case NFT_MSG_DELTABLE:
8627 list_del_rcu(&trans->ctx.table->list);
8628 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
8629 break;
8630 case NFT_MSG_NEWCHAIN:
8631 if (nft_trans_chain_update(trans)) {
8632 nft_chain_commit_update(trans);
8633 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
8634 /* trans destroyed after rcu grace period */
8635 } else {
8636 nft_chain_commit_drop_policy(trans);
8637 nft_clear(net, trans->ctx.chain);
8638 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
8639 nft_trans_destroy(trans);
8640 }
8641 break;
8642 case NFT_MSG_DELCHAIN:
8643 nft_chain_del(trans->ctx.chain);
8644 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
8645 nf_tables_unregister_hook(trans->ctx.net,
8646 trans->ctx.table,
8647 trans->ctx.chain);
8648 break;
8649 case NFT_MSG_NEWRULE:
8650 nft_clear(trans->ctx.net, nft_trans_rule(trans));
8651 nf_tables_rule_notify(&trans->ctx,
8652 nft_trans_rule(trans),
8653 NFT_MSG_NEWRULE);
8654 nft_trans_destroy(trans);
8655 break;
8656 case NFT_MSG_DELRULE:
8657 list_del_rcu(&nft_trans_rule(trans)->list);
8658 nf_tables_rule_notify(&trans->ctx,
8659 nft_trans_rule(trans),
8660 NFT_MSG_DELRULE);
8661 nft_rule_expr_deactivate(&trans->ctx,
8662 nft_trans_rule(trans),
8663 NFT_TRANS_COMMIT);
8664 break;
8665 case NFT_MSG_NEWSET:
8666 nft_clear(net, nft_trans_set(trans));
8667 /* This avoids hitting -EBUSY when deleting the table
8668 * from the transaction.
8669 */
8670 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
8671 !list_empty(&nft_trans_set(trans)->bindings))
8672 trans->ctx.table->use--;
8673
8674 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
8675 NFT_MSG_NEWSET, GFP_KERNEL);
8676 nft_trans_destroy(trans);
8677 break;
8678 case NFT_MSG_DELSET:
8679 list_del_rcu(&nft_trans_set(trans)->list);
8680 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
8681 NFT_MSG_DELSET, GFP_KERNEL);
8682 break;
8683 case NFT_MSG_NEWSETELEM:
8684 te = (struct nft_trans_elem *)trans->data;
8685
8686 nft_setelem_activate(net, te->set, &te->elem);
8687 nf_tables_setelem_notify(&trans->ctx, te->set,
8688 &te->elem,
8689 NFT_MSG_NEWSETELEM);
8690 nft_trans_destroy(trans);
8691 break;
8692 case NFT_MSG_DELSETELEM:
8693 te = (struct nft_trans_elem *)trans->data;
8694
8695 nf_tables_setelem_notify(&trans->ctx, te->set,
8696 &te->elem,
8697 NFT_MSG_DELSETELEM);
8698 nft_setelem_remove(net, te->set, &te->elem);
8699 if (!nft_setelem_is_catchall(te->set, &te->elem)) {
8700 atomic_dec(&te->set->nelems);
8701 te->set->ndeact--;
8702 }
8703 break;
8704 case NFT_MSG_NEWOBJ:
8705 if (nft_trans_obj_update(trans)) {
8706 nft_obj_commit_update(trans);
8707 nf_tables_obj_notify(&trans->ctx,
8708 nft_trans_obj(trans),
8709 NFT_MSG_NEWOBJ);
8710 } else {
8711 nft_clear(net, nft_trans_obj(trans));
8712 nf_tables_obj_notify(&trans->ctx,
8713 nft_trans_obj(trans),
8714 NFT_MSG_NEWOBJ);
8715 nft_trans_destroy(trans);
8716 }
8717 break;
8718 case NFT_MSG_DELOBJ:
8719 nft_obj_del(nft_trans_obj(trans));
8720 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
8721 NFT_MSG_DELOBJ);
8722 break;
8723 case NFT_MSG_NEWFLOWTABLE:
8724 if (nft_trans_flowtable_update(trans)) {
8725 nft_trans_flowtable(trans)->data.flags =
8726 nft_trans_flowtable_flags(trans);
8727 nf_tables_flowtable_notify(&trans->ctx,
8728 nft_trans_flowtable(trans),
8729 &nft_trans_flowtable_hooks(trans),
8730 NFT_MSG_NEWFLOWTABLE);
8731 list_splice(&nft_trans_flowtable_hooks(trans),
8732 &nft_trans_flowtable(trans)->hook_list);
8733 } else {
8734 nft_clear(net, nft_trans_flowtable(trans));
8735 nf_tables_flowtable_notify(&trans->ctx,
8736 nft_trans_flowtable(trans),
8737 &nft_trans_flowtable(trans)->hook_list,
8738 NFT_MSG_NEWFLOWTABLE);
8739 }
8740 nft_trans_destroy(trans);
8741 break;
8742 case NFT_MSG_DELFLOWTABLE:
8743 if (nft_trans_flowtable_update(trans)) {
8744 nft_flowtable_hooks_del(nft_trans_flowtable(trans),
8745 &nft_trans_flowtable_hooks(trans));
8746 nf_tables_flowtable_notify(&trans->ctx,
8747 nft_trans_flowtable(trans),
8748 &nft_trans_flowtable_hooks(trans),
8749 NFT_MSG_DELFLOWTABLE);
8750 nft_unregister_flowtable_net_hooks(net,
8751 &nft_trans_flowtable_hooks(trans));
8752 } else {
8753 list_del_rcu(&nft_trans_flowtable(trans)->list);
8754 nf_tables_flowtable_notify(&trans->ctx,
8755 nft_trans_flowtable(trans),
8756 &nft_trans_flowtable(trans)->hook_list,
8757 NFT_MSG_DELFLOWTABLE);
8758 nft_unregister_flowtable_net_hooks(net,
8759 &nft_trans_flowtable(trans)->hook_list);
8760 }
8761 break;
8762 }
8763 }
8764
8765 nft_commit_notify(net, NETLINK_CB(skb).portid);
8766 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
8767 nf_tables_commit_audit_log(&adl, nft_net->base_seq);
8768 nf_tables_commit_release(net);
8769
8770 return 0;
8771 }
8772
8773 static void nf_tables_module_autoload(struct net *net)
8774 {
8775 struct nftables_pernet *nft_net = nft_pernet(net);
8776 struct nft_module_request *req, *next;
8777 LIST_HEAD(module_list);
8778
8779 list_splice_init(&nft_net->module_list, &module_list);
8780 mutex_unlock(&nft_net->commit_mutex);
8781 list_for_each_entry_safe(req, next, &module_list, list) {
8782 request_module("%s", req->module);
8783 req->done = true;
8784 }
8785 mutex_lock(&nft_net->commit_mutex);
8786 list_splice(&module_list, &nft_net->module_list);
8787 }
8788
8789 static void nf_tables_abort_release(struct nft_trans *trans)
8790 {
8791 switch (trans->msg_type) {
8792 case NFT_MSG_NEWTABLE:
8793 nf_tables_table_destroy(&trans->ctx);
8794 break;
8795 case NFT_MSG_NEWCHAIN:
8796 nf_tables_chain_destroy(&trans->ctx);
8797 break;
8798 case NFT_MSG_NEWRULE:
8799 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
8800 break;
8801 case NFT_MSG_NEWSET:
8802 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
8803 break;
8804 case NFT_MSG_NEWSETELEM:
8805 nft_set_elem_destroy(nft_trans_elem_set(trans),
8806 nft_trans_elem(trans).priv, true);
8807 break;
8808 case NFT_MSG_NEWOBJ:
8809 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
8810 break;
8811 case NFT_MSG_NEWFLOWTABLE:
8812 if (nft_trans_flowtable_update(trans))
8813 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
8814 else
8815 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
8816 break;
8817 }
8818 kfree(trans);
8819 }
8820
8821 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
8822 {
8823 struct nftables_pernet *nft_net = nft_pernet(net);
8824 struct nft_trans *trans, *next;
8825 struct nft_trans_elem *te;
8826 struct nft_hook *hook;
8827
8828 if (action == NFNL_ABORT_VALIDATE &&
8829 nf_tables_validate(net) < 0)
8830 return -EAGAIN;
8831
8832 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list,
8833 list) {
8834 switch (trans->msg_type) {
8835 case NFT_MSG_NEWTABLE:
8836 if (nft_trans_table_update(trans)) {
8837 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {
8838 nft_trans_destroy(trans);
8839 break;
8840 }
8841 if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_DORMANT) {
8842 nf_tables_table_disable(net, trans->ctx.table);
8843 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
8844 } else if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_AWAKEN) {
8845 trans->ctx.table->flags &= ~NFT_TABLE_F_DORMANT;
8846 }
8847 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
8848 nft_trans_destroy(trans);
8849 } else {
8850 list_del_rcu(&trans->ctx.table->list);
8851 }
8852 break;
8853 case NFT_MSG_DELTABLE:
8854 nft_clear(trans->ctx.net, trans->ctx.table);
8855 nft_trans_destroy(trans);
8856 break;
8857 case NFT_MSG_NEWCHAIN:
8858 if (nft_trans_chain_update(trans)) {
8859 free_percpu(nft_trans_chain_stats(trans));
8860 kfree(nft_trans_chain_name(trans));
8861 nft_trans_destroy(trans);
8862 } else {
8863 if (nft_chain_is_bound(trans->ctx.chain)) {
8864 nft_trans_destroy(trans);
8865 break;
8866 }
8867 trans->ctx.table->use--;
8868 nft_chain_del(trans->ctx.chain);
8869 nf_tables_unregister_hook(trans->ctx.net,
8870 trans->ctx.table,
8871 trans->ctx.chain);
8872 }
8873 break;
8874 case NFT_MSG_DELCHAIN:
8875 trans->ctx.table->use++;
8876 nft_clear(trans->ctx.net, trans->ctx.chain);
8877 nft_trans_destroy(trans);
8878 break;
8879 case NFT_MSG_NEWRULE:
8880 trans->ctx.chain->use--;
8881 list_del_rcu(&nft_trans_rule(trans)->list);
8882 nft_rule_expr_deactivate(&trans->ctx,
8883 nft_trans_rule(trans),
8884 NFT_TRANS_ABORT);
8885 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
8886 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
8887 break;
8888 case NFT_MSG_DELRULE:
8889 trans->ctx.chain->use++;
8890 nft_clear(trans->ctx.net, nft_trans_rule(trans));
8891 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
8892 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
8893 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
8894
8895 nft_trans_destroy(trans);
8896 break;
8897 case NFT_MSG_NEWSET:
8898 trans->ctx.table->use--;
8899 if (nft_trans_set_bound(trans)) {
8900 nft_trans_destroy(trans);
8901 break;
8902 }
8903 list_del_rcu(&nft_trans_set(trans)->list);
8904 break;
8905 case NFT_MSG_DELSET:
8906 trans->ctx.table->use++;
8907 nft_clear(trans->ctx.net, nft_trans_set(trans));
8908 nft_trans_destroy(trans);
8909 break;
8910 case NFT_MSG_NEWSETELEM:
8911 if (nft_trans_elem_set_bound(trans)) {
8912 nft_trans_destroy(trans);
8913 break;
8914 }
8915 te = (struct nft_trans_elem *)trans->data;
8916 nft_setelem_remove(net, te->set, &te->elem);
8917 if (!nft_setelem_is_catchall(te->set, &te->elem))
8918 atomic_dec(&te->set->nelems);
8919 break;
8920 case NFT_MSG_DELSETELEM:
8921 te = (struct nft_trans_elem *)trans->data;
8922
8923 nft_setelem_data_activate(net, te->set, &te->elem);
8924 nft_setelem_activate(net, te->set, &te->elem);
8925 if (!nft_setelem_is_catchall(te->set, &te->elem))
8926 te->set->ndeact--;
8927
8928 nft_trans_destroy(trans);
8929 break;
8930 case NFT_MSG_NEWOBJ:
8931 if (nft_trans_obj_update(trans)) {
8932 nft_obj_destroy(&trans->ctx, nft_trans_obj_newobj(trans));
8933 nft_trans_destroy(trans);
8934 } else {
8935 trans->ctx.table->use--;
8936 nft_obj_del(nft_trans_obj(trans));
8937 }
8938 break;
8939 case NFT_MSG_DELOBJ:
8940 trans->ctx.table->use++;
8941 nft_clear(trans->ctx.net, nft_trans_obj(trans));
8942 nft_trans_destroy(trans);
8943 break;
8944 case NFT_MSG_NEWFLOWTABLE:
8945 if (nft_trans_flowtable_update(trans)) {
8946 nft_unregister_flowtable_net_hooks(net,
8947 &nft_trans_flowtable_hooks(trans));
8948 } else {
8949 trans->ctx.table->use--;
8950 list_del_rcu(&nft_trans_flowtable(trans)->list);
8951 nft_unregister_flowtable_net_hooks(net,
8952 &nft_trans_flowtable(trans)->hook_list);
8953 }
8954 break;
8955 case NFT_MSG_DELFLOWTABLE:
8956 if (nft_trans_flowtable_update(trans)) {
8957 list_for_each_entry(hook, &nft_trans_flowtable(trans)->hook_list, list)
8958 hook->inactive = false;
8959 } else {
8960 trans->ctx.table->use++;
8961 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
8962 }
8963 nft_trans_destroy(trans);
8964 break;
8965 }
8966 }
8967
8968 synchronize_rcu();
8969
8970 list_for_each_entry_safe_reverse(trans, next,
8971 &nft_net->commit_list, list) {
8972 list_del(&trans->list);
8973 nf_tables_abort_release(trans);
8974 }
8975
8976 if (action == NFNL_ABORT_AUTOLOAD)
8977 nf_tables_module_autoload(net);
8978 else
8979 nf_tables_module_autoload_cleanup(net);
8980
8981 return 0;
8982 }
8983
8984 static void nf_tables_cleanup(struct net *net)
8985 {
8986 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
8987 }
8988
8989 static int nf_tables_abort(struct net *net, struct sk_buff *skb,
8990 enum nfnl_abort_action action)
8991 {
8992 struct nftables_pernet *nft_net = nft_pernet(net);
8993 int ret = __nf_tables_abort(net, action);
8994
8995 mutex_unlock(&nft_net->commit_mutex);
8996
8997 return ret;
8998 }
8999
9000 static bool nf_tables_valid_genid(struct net *net, u32 genid)
9001 {
9002 struct nftables_pernet *nft_net = nft_pernet(net);
9003 bool genid_ok;
9004
9005 mutex_lock(&nft_net->commit_mutex);
9006
9007 genid_ok = genid == 0 || nft_net->base_seq == genid;
9008 if (!genid_ok)
9009 mutex_unlock(&nft_net->commit_mutex);
9010
9011 /* else, commit mutex has to be released by commit or abort function */
9012 return genid_ok;
9013 }
9014
9015 static const struct nfnetlink_subsystem nf_tables_subsys = {
9016 .name = "nf_tables",
9017 .subsys_id = NFNL_SUBSYS_NFTABLES,
9018 .cb_count = NFT_MSG_MAX,
9019 .cb = nf_tables_cb,
9020 .commit = nf_tables_commit,
9021 .abort = nf_tables_abort,
9022 .cleanup = nf_tables_cleanup,
9023 .valid_genid = nf_tables_valid_genid,
9024 .owner = THIS_MODULE,
9025 };
9026
9027 int nft_chain_validate_dependency(const struct nft_chain *chain,
9028 enum nft_chain_types type)
9029 {
9030 const struct nft_base_chain *basechain;
9031
9032 if (nft_is_base_chain(chain)) {
9033 basechain = nft_base_chain(chain);
9034 if (basechain->type->type != type)
9035 return -EOPNOTSUPP;
9036 }
9037 return 0;
9038 }
9039 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
9040
9041 int nft_chain_validate_hooks(const struct nft_chain *chain,
9042 unsigned int hook_flags)
9043 {
9044 struct nft_base_chain *basechain;
9045
9046 if (nft_is_base_chain(chain)) {
9047 basechain = nft_base_chain(chain);
9048
9049 if ((1 << basechain->ops.hooknum) & hook_flags)
9050 return 0;
9051
9052 return -EOPNOTSUPP;
9053 }
9054
9055 return 0;
9056 }
9057 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
9058
9059 /*
9060 * Loop detection - walk through the ruleset beginning at the destination chain
9061 * of a new jump until either the source chain is reached (loop) or all
9062 * reachable chains have been traversed.
9063 *
9064 * The loop check is performed whenever a new jump verdict is added to an
9065 * expression or verdict map or a verdict map is bound to a new chain.
9066 */
9067
9068 static int nf_tables_check_loops(const struct nft_ctx *ctx,
9069 const struct nft_chain *chain);
9070
9071 static int nft_check_loops(const struct nft_ctx *ctx,
9072 const struct nft_set_ext *ext)
9073 {
9074 const struct nft_data *data;
9075 int ret;
9076
9077 data = nft_set_ext_data(ext);
9078 switch (data->verdict.code) {
9079 case NFT_JUMP:
9080 case NFT_GOTO:
9081 ret = nf_tables_check_loops(ctx, data->verdict.chain);
9082 break;
9083 default:
9084 ret = 0;
9085 break;
9086 }
9087
9088 return ret;
9089 }
9090
9091 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
9092 struct nft_set *set,
9093 const struct nft_set_iter *iter,
9094 struct nft_set_elem *elem)
9095 {
9096 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
9097
9098 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
9099 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
9100 return 0;
9101
9102 return nft_check_loops(ctx, ext);
9103 }
9104
9105 static int nft_set_catchall_loops(const struct nft_ctx *ctx,
9106 struct nft_set *set)
9107 {
9108 u8 genmask = nft_genmask_next(ctx->net);
9109 struct nft_set_elem_catchall *catchall;
9110 struct nft_set_ext *ext;
9111 int ret = 0;
9112
9113 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
9114 ext = nft_set_elem_ext(set, catchall->elem);
9115 if (!nft_set_elem_active(ext, genmask))
9116 continue;
9117
9118 ret = nft_check_loops(ctx, ext);
9119 if (ret < 0)
9120 return ret;
9121 }
9122
9123 return ret;
9124 }
9125
9126 static int nf_tables_check_loops(const struct nft_ctx *ctx,
9127 const struct nft_chain *chain)
9128 {
9129 const struct nft_rule *rule;
9130 const struct nft_expr *expr, *last;
9131 struct nft_set *set;
9132 struct nft_set_binding *binding;
9133 struct nft_set_iter iter;
9134
9135 if (ctx->chain == chain)
9136 return -ELOOP;
9137
9138 list_for_each_entry(rule, &chain->rules, list) {
9139 nft_rule_for_each_expr(expr, last, rule) {
9140 struct nft_immediate_expr *priv;
9141 const struct nft_data *data;
9142 int err;
9143
9144 if (strcmp(expr->ops->type->name, "immediate"))
9145 continue;
9146
9147 priv = nft_expr_priv(expr);
9148 if (priv->dreg != NFT_REG_VERDICT)
9149 continue;
9150
9151 data = &priv->data;
9152 switch (data->verdict.code) {
9153 case NFT_JUMP:
9154 case NFT_GOTO:
9155 err = nf_tables_check_loops(ctx,
9156 data->verdict.chain);
9157 if (err < 0)
9158 return err;
9159 break;
9160 default:
9161 break;
9162 }
9163 }
9164 }
9165
9166 list_for_each_entry(set, &ctx->table->sets, list) {
9167 if (!nft_is_active_next(ctx->net, set))
9168 continue;
9169 if (!(set->flags & NFT_SET_MAP) ||
9170 set->dtype != NFT_DATA_VERDICT)
9171 continue;
9172
9173 list_for_each_entry(binding, &set->bindings, list) {
9174 if (!(binding->flags & NFT_SET_MAP) ||
9175 binding->chain != chain)
9176 continue;
9177
9178 iter.genmask = nft_genmask_next(ctx->net);
9179 iter.skip = 0;
9180 iter.count = 0;
9181 iter.err = 0;
9182 iter.fn = nf_tables_loop_check_setelem;
9183
9184 set->ops->walk(ctx, set, &iter);
9185 if (!iter.err)
9186 iter.err = nft_set_catchall_loops(ctx, set);
9187
9188 if (iter.err < 0)
9189 return iter.err;
9190 }
9191 }
9192
9193 return 0;
9194 }
9195
9196 /**
9197 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
9198 *
9199 * @attr: netlink attribute to fetch value from
9200 * @max: maximum value to be stored in dest
9201 * @dest: pointer to the variable
9202 *
9203 * Parse, check and store a given u32 netlink attribute into variable.
9204 * This function returns -ERANGE if the value goes over maximum value.
9205 * Otherwise a 0 is returned and the attribute value is stored in the
9206 * destination variable.
9207 */
9208 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
9209 {
9210 u32 val;
9211
9212 val = ntohl(nla_get_be32(attr));
9213 if (val > max)
9214 return -ERANGE;
9215
9216 *dest = val;
9217 return 0;
9218 }
9219 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
9220
9221 static int nft_parse_register(const struct nlattr *attr, u32 *preg)
9222 {
9223 unsigned int reg;
9224
9225 reg = ntohl(nla_get_be32(attr));
9226 switch (reg) {
9227 case NFT_REG_VERDICT...NFT_REG_4:
9228 *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
9229 break;
9230 case NFT_REG32_00...NFT_REG32_15:
9231 *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
9232 break;
9233 default:
9234 return -ERANGE;
9235 }
9236
9237 return 0;
9238 }
9239
9240 /**
9241 * nft_dump_register - dump a register value to a netlink attribute
9242 *
9243 * @skb: socket buffer
9244 * @attr: attribute number
9245 * @reg: register number
9246 *
9247 * Construct a netlink attribute containing the register number. For
9248 * compatibility reasons, register numbers being a multiple of 4 are
9249 * translated to the corresponding 128 bit register numbers.
9250 */
9251 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
9252 {
9253 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
9254 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
9255 else
9256 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
9257
9258 return nla_put_be32(skb, attr, htonl(reg));
9259 }
9260 EXPORT_SYMBOL_GPL(nft_dump_register);
9261
9262 static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
9263 {
9264 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
9265 return -EINVAL;
9266 if (len == 0)
9267 return -EINVAL;
9268 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
9269 return -ERANGE;
9270
9271 return 0;
9272 }
9273
9274 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
9275 {
9276 u32 reg;
9277 int err;
9278
9279 err = nft_parse_register(attr, &reg);
9280 if (err < 0)
9281 return err;
9282
9283 err = nft_validate_register_load(reg, len);
9284 if (err < 0)
9285 return err;
9286
9287 *sreg = reg;
9288 return 0;
9289 }
9290 EXPORT_SYMBOL_GPL(nft_parse_register_load);
9291
9292 static int nft_validate_register_store(const struct nft_ctx *ctx,
9293 enum nft_registers reg,
9294 const struct nft_data *data,
9295 enum nft_data_types type,
9296 unsigned int len)
9297 {
9298 int err;
9299
9300 switch (reg) {
9301 case NFT_REG_VERDICT:
9302 if (type != NFT_DATA_VERDICT)
9303 return -EINVAL;
9304
9305 if (data != NULL &&
9306 (data->verdict.code == NFT_GOTO ||
9307 data->verdict.code == NFT_JUMP)) {
9308 err = nf_tables_check_loops(ctx, data->verdict.chain);
9309 if (err < 0)
9310 return err;
9311 }
9312
9313 return 0;
9314 default:
9315 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
9316 return -EINVAL;
9317 if (len == 0)
9318 return -EINVAL;
9319 if (reg * NFT_REG32_SIZE + len >
9320 sizeof_field(struct nft_regs, data))
9321 return -ERANGE;
9322
9323 if (data != NULL && type != NFT_DATA_VALUE)
9324 return -EINVAL;
9325 return 0;
9326 }
9327 }
9328
9329 int nft_parse_register_store(const struct nft_ctx *ctx,
9330 const struct nlattr *attr, u8 *dreg,
9331 const struct nft_data *data,
9332 enum nft_data_types type, unsigned int len)
9333 {
9334 int err;
9335 u32 reg;
9336
9337 err = nft_parse_register(attr, &reg);
9338 if (err < 0)
9339 return err;
9340
9341 err = nft_validate_register_store(ctx, reg, data, type, len);
9342 if (err < 0)
9343 return err;
9344
9345 *dreg = reg;
9346 return 0;
9347 }
9348 EXPORT_SYMBOL_GPL(nft_parse_register_store);
9349
9350 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
9351 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
9352 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
9353 .len = NFT_CHAIN_MAXNAMELEN - 1 },
9354 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
9355 };
9356
9357 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
9358 struct nft_data_desc *desc, const struct nlattr *nla)
9359 {
9360 u8 genmask = nft_genmask_next(ctx->net);
9361 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
9362 struct nft_chain *chain;
9363 int err;
9364
9365 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
9366 nft_verdict_policy, NULL);
9367 if (err < 0)
9368 return err;
9369
9370 if (!tb[NFTA_VERDICT_CODE])
9371 return -EINVAL;
9372 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
9373
9374 switch (data->verdict.code) {
9375 default:
9376 switch (data->verdict.code & NF_VERDICT_MASK) {
9377 case NF_ACCEPT:
9378 case NF_DROP:
9379 case NF_QUEUE:
9380 break;
9381 default:
9382 return -EINVAL;
9383 }
9384 fallthrough;
9385 case NFT_CONTINUE:
9386 case NFT_BREAK:
9387 case NFT_RETURN:
9388 break;
9389 case NFT_JUMP:
9390 case NFT_GOTO:
9391 if (tb[NFTA_VERDICT_CHAIN]) {
9392 chain = nft_chain_lookup(ctx->net, ctx->table,
9393 tb[NFTA_VERDICT_CHAIN],
9394 genmask);
9395 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
9396 chain = nft_chain_lookup_byid(ctx->net,
9397 tb[NFTA_VERDICT_CHAIN_ID]);
9398 if (IS_ERR(chain))
9399 return PTR_ERR(chain);
9400 } else {
9401 return -EINVAL;
9402 }
9403
9404 if (IS_ERR(chain))
9405 return PTR_ERR(chain);
9406 if (nft_is_base_chain(chain))
9407 return -EOPNOTSUPP;
9408
9409 chain->use++;
9410 data->verdict.chain = chain;
9411 break;
9412 }
9413
9414 desc->len = sizeof(data->verdict);
9415 desc->type = NFT_DATA_VERDICT;
9416 return 0;
9417 }
9418
9419 static void nft_verdict_uninit(const struct nft_data *data)
9420 {
9421 struct nft_chain *chain;
9422 struct nft_rule *rule;
9423
9424 switch (data->verdict.code) {
9425 case NFT_JUMP:
9426 case NFT_GOTO:
9427 chain = data->verdict.chain;
9428 chain->use--;
9429
9430 if (!nft_chain_is_bound(chain))
9431 break;
9432
9433 chain->table->use--;
9434 list_for_each_entry(rule, &chain->rules, list)
9435 chain->use--;
9436
9437 nft_chain_del(chain);
9438 break;
9439 }
9440 }
9441
9442 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
9443 {
9444 struct nlattr *nest;
9445
9446 nest = nla_nest_start_noflag(skb, type);
9447 if (!nest)
9448 goto nla_put_failure;
9449
9450 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
9451 goto nla_put_failure;
9452
9453 switch (v->code) {
9454 case NFT_JUMP:
9455 case NFT_GOTO:
9456 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
9457 v->chain->name))
9458 goto nla_put_failure;
9459 }
9460 nla_nest_end(skb, nest);
9461 return 0;
9462
9463 nla_put_failure:
9464 return -1;
9465 }
9466
9467 static int nft_value_init(const struct nft_ctx *ctx,
9468 struct nft_data *data, unsigned int size,
9469 struct nft_data_desc *desc, const struct nlattr *nla)
9470 {
9471 unsigned int len;
9472
9473 len = nla_len(nla);
9474 if (len == 0)
9475 return -EINVAL;
9476 if (len > size)
9477 return -EOVERFLOW;
9478
9479 nla_memcpy(data->data, nla, len);
9480 desc->type = NFT_DATA_VALUE;
9481 desc->len = len;
9482 return 0;
9483 }
9484
9485 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
9486 unsigned int len)
9487 {
9488 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
9489 }
9490
9491 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
9492 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
9493 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
9494 };
9495
9496 /**
9497 * nft_data_init - parse nf_tables data netlink attributes
9498 *
9499 * @ctx: context of the expression using the data
9500 * @data: destination struct nft_data
9501 * @size: maximum data length
9502 * @desc: data description
9503 * @nla: netlink attribute containing data
9504 *
9505 * Parse the netlink data attributes and initialize a struct nft_data.
9506 * The type and length of data are returned in the data description.
9507 *
9508 * The caller can indicate that it only wants to accept data of type
9509 * NFT_DATA_VALUE by passing NULL for the ctx argument.
9510 */
9511 int nft_data_init(const struct nft_ctx *ctx,
9512 struct nft_data *data, unsigned int size,
9513 struct nft_data_desc *desc, const struct nlattr *nla)
9514 {
9515 struct nlattr *tb[NFTA_DATA_MAX + 1];
9516 int err;
9517
9518 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
9519 nft_data_policy, NULL);
9520 if (err < 0)
9521 return err;
9522
9523 if (tb[NFTA_DATA_VALUE])
9524 return nft_value_init(ctx, data, size, desc,
9525 tb[NFTA_DATA_VALUE]);
9526 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
9527 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
9528 return -EINVAL;
9529 }
9530 EXPORT_SYMBOL_GPL(nft_data_init);
9531
9532 /**
9533 * nft_data_release - release a nft_data item
9534 *
9535 * @data: struct nft_data to release
9536 * @type: type of data
9537 *
9538 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
9539 * all others need to be released by calling this function.
9540 */
9541 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
9542 {
9543 if (type < NFT_DATA_VERDICT)
9544 return;
9545 switch (type) {
9546 case NFT_DATA_VERDICT:
9547 return nft_verdict_uninit(data);
9548 default:
9549 WARN_ON(1);
9550 }
9551 }
9552 EXPORT_SYMBOL_GPL(nft_data_release);
9553
9554 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
9555 enum nft_data_types type, unsigned int len)
9556 {
9557 struct nlattr *nest;
9558 int err;
9559
9560 nest = nla_nest_start_noflag(skb, attr);
9561 if (nest == NULL)
9562 return -1;
9563
9564 switch (type) {
9565 case NFT_DATA_VALUE:
9566 err = nft_value_dump(skb, data, len);
9567 break;
9568 case NFT_DATA_VERDICT:
9569 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
9570 break;
9571 default:
9572 err = -EINVAL;
9573 WARN_ON(1);
9574 }
9575
9576 nla_nest_end(skb, nest);
9577 return err;
9578 }
9579 EXPORT_SYMBOL_GPL(nft_data_dump);
9580
9581 int __nft_release_basechain(struct nft_ctx *ctx)
9582 {
9583 struct nft_rule *rule, *nr;
9584
9585 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
9586 return 0;
9587
9588 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
9589 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
9590 list_del(&rule->list);
9591 ctx->chain->use--;
9592 nf_tables_rule_release(ctx, rule);
9593 }
9594 nft_chain_del(ctx->chain);
9595 ctx->table->use--;
9596 nf_tables_chain_destroy(ctx);
9597
9598 return 0;
9599 }
9600 EXPORT_SYMBOL_GPL(__nft_release_basechain);
9601
9602 static void __nft_release_hook(struct net *net, struct nft_table *table)
9603 {
9604 struct nft_flowtable *flowtable;
9605 struct nft_chain *chain;
9606
9607 list_for_each_entry(chain, &table->chains, list)
9608 nf_tables_unregister_hook(net, table, chain);
9609 list_for_each_entry(flowtable, &table->flowtables, list)
9610 nft_unregister_flowtable_net_hooks(net, &flowtable->hook_list);
9611 }
9612
9613 static void __nft_release_hooks(struct net *net)
9614 {
9615 struct nftables_pernet *nft_net = nft_pernet(net);
9616 struct nft_table *table;
9617
9618 list_for_each_entry(table, &nft_net->tables, list) {
9619 if (nft_table_has_owner(table))
9620 continue;
9621
9622 __nft_release_hook(net, table);
9623 }
9624 }
9625
9626 static void __nft_release_table(struct net *net, struct nft_table *table)
9627 {
9628 struct nft_flowtable *flowtable, *nf;
9629 struct nft_chain *chain, *nc;
9630 struct nft_object *obj, *ne;
9631 struct nft_rule *rule, *nr;
9632 struct nft_set *set, *ns;
9633 struct nft_ctx ctx = {
9634 .net = net,
9635 .family = NFPROTO_NETDEV,
9636 };
9637
9638 ctx.family = table->family;
9639 ctx.table = table;
9640 list_for_each_entry(chain, &table->chains, list) {
9641 ctx.chain = chain;
9642 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
9643 list_del(&rule->list);
9644 chain->use--;
9645 nf_tables_rule_release(&ctx, rule);
9646 }
9647 }
9648 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
9649 list_del(&flowtable->list);
9650 table->use--;
9651 nf_tables_flowtable_destroy(flowtable);
9652 }
9653 list_for_each_entry_safe(set, ns, &table->sets, list) {
9654 list_del(&set->list);
9655 table->use--;
9656 nft_set_destroy(&ctx, set);
9657 }
9658 list_for_each_entry_safe(obj, ne, &table->objects, list) {
9659 nft_obj_del(obj);
9660 table->use--;
9661 nft_obj_destroy(&ctx, obj);
9662 }
9663 list_for_each_entry_safe(chain, nc, &table->chains, list) {
9664 ctx.chain = chain;
9665 nft_chain_del(chain);
9666 table->use--;
9667 nf_tables_chain_destroy(&ctx);
9668 }
9669 nf_tables_table_destroy(&ctx);
9670 }
9671
9672 static void __nft_release_tables(struct net *net)
9673 {
9674 struct nftables_pernet *nft_net = nft_pernet(net);
9675 struct nft_table *table, *nt;
9676
9677 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
9678 if (nft_table_has_owner(table))
9679 continue;
9680
9681 list_del(&table->list);
9682
9683 __nft_release_table(net, table);
9684 }
9685 }
9686
9687 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
9688 void *ptr)
9689 {
9690 struct nft_table *table, *to_delete[8];
9691 struct nftables_pernet *nft_net;
9692 struct netlink_notify *n = ptr;
9693 struct net *net = n->net;
9694 unsigned int deleted;
9695 bool restart = false;
9696
9697 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
9698 return NOTIFY_DONE;
9699
9700 nft_net = nft_pernet(net);
9701 deleted = 0;
9702 mutex_lock(&nft_net->commit_mutex);
9703 again:
9704 list_for_each_entry(table, &nft_net->tables, list) {
9705 if (nft_table_has_owner(table) &&
9706 n->portid == table->nlpid) {
9707 __nft_release_hook(net, table);
9708 list_del_rcu(&table->list);
9709 to_delete[deleted++] = table;
9710 if (deleted >= ARRAY_SIZE(to_delete))
9711 break;
9712 }
9713 }
9714 if (deleted) {
9715 restart = deleted >= ARRAY_SIZE(to_delete);
9716 synchronize_rcu();
9717 while (deleted)
9718 __nft_release_table(net, to_delete[--deleted]);
9719
9720 if (restart)
9721 goto again;
9722 }
9723 mutex_unlock(&nft_net->commit_mutex);
9724
9725 return NOTIFY_DONE;
9726 }
9727
9728 static struct notifier_block nft_nl_notifier = {
9729 .notifier_call = nft_rcv_nl_event,
9730 };
9731
9732 static int __net_init nf_tables_init_net(struct net *net)
9733 {
9734 struct nftables_pernet *nft_net = nft_pernet(net);
9735
9736 INIT_LIST_HEAD(&nft_net->tables);
9737 INIT_LIST_HEAD(&nft_net->commit_list);
9738 INIT_LIST_HEAD(&nft_net->module_list);
9739 INIT_LIST_HEAD(&nft_net->notify_list);
9740 mutex_init(&nft_net->commit_mutex);
9741 nft_net->base_seq = 1;
9742 nft_net->validate_state = NFT_VALIDATE_SKIP;
9743
9744 return 0;
9745 }
9746
9747 static void __net_exit nf_tables_pre_exit_net(struct net *net)
9748 {
9749 __nft_release_hooks(net);
9750 }
9751
9752 static void __net_exit nf_tables_exit_net(struct net *net)
9753 {
9754 struct nftables_pernet *nft_net = nft_pernet(net);
9755
9756 mutex_lock(&nft_net->commit_mutex);
9757 if (!list_empty(&nft_net->commit_list))
9758 __nf_tables_abort(net, NFNL_ABORT_NONE);
9759 __nft_release_tables(net);
9760 mutex_unlock(&nft_net->commit_mutex);
9761 WARN_ON_ONCE(!list_empty(&nft_net->tables));
9762 WARN_ON_ONCE(!list_empty(&nft_net->module_list));
9763 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
9764 }
9765
9766 static struct pernet_operations nf_tables_net_ops = {
9767 .init = nf_tables_init_net,
9768 .pre_exit = nf_tables_pre_exit_net,
9769 .exit = nf_tables_exit_net,
9770 .id = &nf_tables_net_id,
9771 .size = sizeof(struct nftables_pernet),
9772 };
9773
9774 static int __init nf_tables_module_init(void)
9775 {
9776 int err;
9777
9778 err = register_pernet_subsys(&nf_tables_net_ops);
9779 if (err < 0)
9780 return err;
9781
9782 err = nft_chain_filter_init();
9783 if (err < 0)
9784 goto err_chain_filter;
9785
9786 err = nf_tables_core_module_init();
9787 if (err < 0)
9788 goto err_core_module;
9789
9790 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
9791 if (err < 0)
9792 goto err_netdev_notifier;
9793
9794 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
9795 if (err < 0)
9796 goto err_rht_objname;
9797
9798 err = nft_offload_init();
9799 if (err < 0)
9800 goto err_offload;
9801
9802 err = netlink_register_notifier(&nft_nl_notifier);
9803 if (err < 0)
9804 goto err_netlink_notifier;
9805
9806 /* must be last */
9807 err = nfnetlink_subsys_register(&nf_tables_subsys);
9808 if (err < 0)
9809 goto err_nfnl_subsys;
9810
9811 nft_chain_route_init();
9812
9813 return err;
9814
9815 err_nfnl_subsys:
9816 netlink_unregister_notifier(&nft_nl_notifier);
9817 err_netlink_notifier:
9818 nft_offload_exit();
9819 err_offload:
9820 rhltable_destroy(&nft_objname_ht);
9821 err_rht_objname:
9822 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
9823 err_netdev_notifier:
9824 nf_tables_core_module_exit();
9825 err_core_module:
9826 nft_chain_filter_fini();
9827 err_chain_filter:
9828 unregister_pernet_subsys(&nf_tables_net_ops);
9829 return err;
9830 }
9831
9832 static void __exit nf_tables_module_exit(void)
9833 {
9834 nfnetlink_subsys_unregister(&nf_tables_subsys);
9835 netlink_unregister_notifier(&nft_nl_notifier);
9836 nft_offload_exit();
9837 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
9838 nft_chain_filter_fini();
9839 nft_chain_route_fini();
9840 unregister_pernet_subsys(&nf_tables_net_ops);
9841 cancel_work_sync(&trans_destroy_work);
9842 rcu_barrier();
9843 rhltable_destroy(&nft_objname_ht);
9844 nf_tables_core_module_exit();
9845 }
9846
9847 module_init(nf_tables_module_init);
9848 module_exit(nf_tables_module_exit);
9849
9850 MODULE_LICENSE("GPL");
9851 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
9852 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
Ubuntu Jammy Linux kernel mirror