]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/blob - net/netfilter/nf_tables_api.c
projects / mirror_ubuntu-jammy-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
netfilter: nftables: update table flags from the commit phase
[mirror_ubuntu-jammy-kernel.git] / net / netfilter / nf_tables_api.c
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 *
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
6 */
7
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_flow_table.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_tables_offload.h>
23 #include <net/net_namespace.h>
24 #include <net/sock.h>
25
26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
27
28 static LIST_HEAD(nf_tables_expressions);
29 static LIST_HEAD(nf_tables_objects);
30 static LIST_HEAD(nf_tables_flowtables);
31 static LIST_HEAD(nf_tables_destroy_list);
32 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
33 static u64 table_handle;
34
35 enum {
36 NFT_VALIDATE_SKIP = 0,
37 NFT_VALIDATE_NEED,
38 NFT_VALIDATE_DO,
39 };
40
41 static struct rhltable nft_objname_ht;
42
43 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
44 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
45 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
46
47 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
48 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
49 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
50
51 static const struct rhashtable_params nft_chain_ht_params = {
52 .head_offset = offsetof(struct nft_chain, rhlhead),
53 .key_offset = offsetof(struct nft_chain, name),
54 .hashfn = nft_chain_hash,
55 .obj_hashfn = nft_chain_hash_obj,
56 .obj_cmpfn = nft_chain_hash_cmp,
57 .automatic_shrinking = true,
58 };
59
60 static const struct rhashtable_params nft_objname_ht_params = {
61 .head_offset = offsetof(struct nft_object, rhlhead),
62 .key_offset = offsetof(struct nft_object, key),
63 .hashfn = nft_objname_hash,
64 .obj_hashfn = nft_objname_hash_obj,
65 .obj_cmpfn = nft_objname_hash_cmp,
66 .automatic_shrinking = true,
67 };
68
69 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
70 {
71 switch (net->nft.validate_state) {
72 case NFT_VALIDATE_SKIP:
73 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
74 break;
75 case NFT_VALIDATE_NEED:
76 break;
77 case NFT_VALIDATE_DO:
78 if (new_validate_state == NFT_VALIDATE_NEED)
79 return;
80 }
81
82 net->nft.validate_state = new_validate_state;
83 }
84 static void nf_tables_trans_destroy_work(struct work_struct *w);
85 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
86
87 static void nft_ctx_init(struct nft_ctx *ctx,
88 struct net *net,
89 const struct sk_buff *skb,
90 const struct nlmsghdr *nlh,
91 u8 family,
92 struct nft_table *table,
93 struct nft_chain *chain,
94 const struct nlattr * const *nla)
95 {
96 ctx->net = net;
97 ctx->family = family;
98 ctx->level = 0;
99 ctx->table = table;
100 ctx->chain = chain;
101 ctx->nla = nla;
102 ctx->portid = NETLINK_CB(skb).portid;
103 ctx->report = nlmsg_report(nlh);
104 ctx->flags = nlh->nlmsg_flags;
105 ctx->seq = nlh->nlmsg_seq;
106 }
107
108 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
109 int msg_type, u32 size, gfp_t gfp)
110 {
111 struct nft_trans *trans;
112
113 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
114 if (trans == NULL)
115 return NULL;
116
117 trans->msg_type = msg_type;
118 trans->ctx = *ctx;
119
120 return trans;
121 }
122
123 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
124 int msg_type, u32 size)
125 {
126 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
127 }
128
129 static void nft_trans_destroy(struct nft_trans *trans)
130 {
131 list_del(&trans->list);
132 kfree(trans);
133 }
134
135 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
136 {
137 struct net *net = ctx->net;
138 struct nft_trans *trans;
139
140 if (!nft_set_is_anonymous(set))
141 return;
142
143 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
144 switch (trans->msg_type) {
145 case NFT_MSG_NEWSET:
146 if (nft_trans_set(trans) == set)
147 nft_trans_set_bound(trans) = true;
148 break;
149 case NFT_MSG_NEWSETELEM:
150 if (nft_trans_elem_set(trans) == set)
151 nft_trans_elem_set_bound(trans) = true;
152 break;
153 }
154 }
155 }
156
157 static int nft_netdev_register_hooks(struct net *net,
158 struct list_head *hook_list)
159 {
160 struct nft_hook *hook;
161 int err, j;
162
163 j = 0;
164 list_for_each_entry(hook, hook_list, list) {
165 err = nf_register_net_hook(net, &hook->ops);
166 if (err < 0)
167 goto err_register;
168
169 j++;
170 }
171 return 0;
172
173 err_register:
174 list_for_each_entry(hook, hook_list, list) {
175 if (j-- <= 0)
176 break;
177
178 nf_unregister_net_hook(net, &hook->ops);
179 }
180 return err;
181 }
182
183 static void nft_netdev_unregister_hooks(struct net *net,
184 struct list_head *hook_list)
185 {
186 struct nft_hook *hook;
187
188 list_for_each_entry(hook, hook_list, list)
189 nf_unregister_net_hook(net, &hook->ops);
190 }
191
192 static int nf_tables_register_hook(struct net *net,
193 const struct nft_table *table,
194 struct nft_chain *chain)
195 {
196 struct nft_base_chain *basechain;
197 const struct nf_hook_ops *ops;
198
199 if (table->flags & NFT_TABLE_F_DORMANT ||
200 !nft_is_base_chain(chain))
201 return 0;
202
203 basechain = nft_base_chain(chain);
204 ops = &basechain->ops;
205
206 if (basechain->type->ops_register)
207 return basechain->type->ops_register(net, ops);
208
209 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
210 return nft_netdev_register_hooks(net, &basechain->hook_list);
211
212 return nf_register_net_hook(net, &basechain->ops);
213 }
214
215 static void nf_tables_unregister_hook(struct net *net,
216 const struct nft_table *table,
217 struct nft_chain *chain)
218 {
219 struct nft_base_chain *basechain;
220 const struct nf_hook_ops *ops;
221
222 if (table->flags & NFT_TABLE_F_DORMANT ||
223 !nft_is_base_chain(chain))
224 return;
225 basechain = nft_base_chain(chain);
226 ops = &basechain->ops;
227
228 if (basechain->type->ops_unregister)
229 return basechain->type->ops_unregister(net, ops);
230
231 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
232 nft_netdev_unregister_hooks(net, &basechain->hook_list);
233 else
234 nf_unregister_net_hook(net, &basechain->ops);
235 }
236
237 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
238 {
239 struct nft_trans *trans;
240
241 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
242 if (trans == NULL)
243 return -ENOMEM;
244
245 if (msg_type == NFT_MSG_NEWTABLE)
246 nft_activate_next(ctx->net, ctx->table);
247
248 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
249 return 0;
250 }
251
252 static int nft_deltable(struct nft_ctx *ctx)
253 {
254 int err;
255
256 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
257 if (err < 0)
258 return err;
259
260 nft_deactivate_next(ctx->net, ctx->table);
261 return err;
262 }
263
264 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
265 {
266 struct nft_trans *trans;
267
268 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
269 if (trans == NULL)
270 return ERR_PTR(-ENOMEM);
271
272 if (msg_type == NFT_MSG_NEWCHAIN) {
273 nft_activate_next(ctx->net, ctx->chain);
274
275 if (ctx->nla[NFTA_CHAIN_ID]) {
276 nft_trans_chain_id(trans) =
277 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
278 }
279 }
280
281 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
282 return trans;
283 }
284
285 static int nft_delchain(struct nft_ctx *ctx)
286 {
287 struct nft_trans *trans;
288
289 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
290 if (IS_ERR(trans))
291 return PTR_ERR(trans);
292
293 ctx->table->use--;
294 nft_deactivate_next(ctx->net, ctx->chain);
295
296 return 0;
297 }
298
299 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
300 struct nft_rule *rule)
301 {
302 struct nft_expr *expr;
303
304 expr = nft_expr_first(rule);
305 while (nft_expr_more(rule, expr)) {
306 if (expr->ops->activate)
307 expr->ops->activate(ctx, expr);
308
309 expr = nft_expr_next(expr);
310 }
311 }
312
313 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
314 struct nft_rule *rule,
315 enum nft_trans_phase phase)
316 {
317 struct nft_expr *expr;
318
319 expr = nft_expr_first(rule);
320 while (nft_expr_more(rule, expr)) {
321 if (expr->ops->deactivate)
322 expr->ops->deactivate(ctx, expr, phase);
323
324 expr = nft_expr_next(expr);
325 }
326 }
327
328 static int
329 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
330 {
331 /* You cannot delete the same rule twice */
332 if (nft_is_active_next(ctx->net, rule)) {
333 nft_deactivate_next(ctx->net, rule);
334 ctx->chain->use--;
335 return 0;
336 }
337 return -ENOENT;
338 }
339
340 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
341 struct nft_rule *rule)
342 {
343 struct nft_trans *trans;
344
345 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
346 if (trans == NULL)
347 return NULL;
348
349 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
350 nft_trans_rule_id(trans) =
351 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
352 }
353 nft_trans_rule(trans) = rule;
354 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
355
356 return trans;
357 }
358
359 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
360 {
361 struct nft_flow_rule *flow;
362 struct nft_trans *trans;
363 int err;
364
365 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
366 if (trans == NULL)
367 return -ENOMEM;
368
369 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
370 flow = nft_flow_rule_create(ctx->net, rule);
371 if (IS_ERR(flow)) {
372 nft_trans_destroy(trans);
373 return PTR_ERR(flow);
374 }
375
376 nft_trans_flow_rule(trans) = flow;
377 }
378
379 err = nf_tables_delrule_deactivate(ctx, rule);
380 if (err < 0) {
381 nft_trans_destroy(trans);
382 return err;
383 }
384 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
385
386 return 0;
387 }
388
389 static int nft_delrule_by_chain(struct nft_ctx *ctx)
390 {
391 struct nft_rule *rule;
392 int err;
393
394 list_for_each_entry(rule, &ctx->chain->rules, list) {
395 if (!nft_is_active_next(ctx->net, rule))
396 continue;
397
398 err = nft_delrule(ctx, rule);
399 if (err < 0)
400 return err;
401 }
402 return 0;
403 }
404
405 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
406 struct nft_set *set)
407 {
408 struct nft_trans *trans;
409
410 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
411 if (trans == NULL)
412 return -ENOMEM;
413
414 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
415 nft_trans_set_id(trans) =
416 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
417 nft_activate_next(ctx->net, set);
418 }
419 nft_trans_set(trans) = set;
420 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
421
422 return 0;
423 }
424
425 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
426 {
427 int err;
428
429 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
430 if (err < 0)
431 return err;
432
433 nft_deactivate_next(ctx->net, set);
434 ctx->table->use--;
435
436 return err;
437 }
438
439 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
440 struct nft_object *obj)
441 {
442 struct nft_trans *trans;
443
444 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
445 if (trans == NULL)
446 return -ENOMEM;
447
448 if (msg_type == NFT_MSG_NEWOBJ)
449 nft_activate_next(ctx->net, obj);
450
451 nft_trans_obj(trans) = obj;
452 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
453
454 return 0;
455 }
456
457 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
458 {
459 int err;
460
461 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
462 if (err < 0)
463 return err;
464
465 nft_deactivate_next(ctx->net, obj);
466 ctx->table->use--;
467
468 return err;
469 }
470
471 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
472 struct nft_flowtable *flowtable)
473 {
474 struct nft_trans *trans;
475
476 trans = nft_trans_alloc(ctx, msg_type,
477 sizeof(struct nft_trans_flowtable));
478 if (trans == NULL)
479 return -ENOMEM;
480
481 if (msg_type == NFT_MSG_NEWFLOWTABLE)
482 nft_activate_next(ctx->net, flowtable);
483
484 nft_trans_flowtable(trans) = flowtable;
485 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
486
487 return 0;
488 }
489
490 static int nft_delflowtable(struct nft_ctx *ctx,
491 struct nft_flowtable *flowtable)
492 {
493 int err;
494
495 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
496 if (err < 0)
497 return err;
498
499 nft_deactivate_next(ctx->net, flowtable);
500 ctx->table->use--;
501
502 return err;
503 }
504
505 /*
506 * Tables
507 */
508
509 static struct nft_table *nft_table_lookup(const struct net *net,
510 const struct nlattr *nla,
511 u8 family, u8 genmask, u32 nlpid)
512 {
513 struct nft_table *table;
514
515 if (nla == NULL)
516 return ERR_PTR(-EINVAL);
517
518 list_for_each_entry_rcu(table, &net->nft.tables, list,
519 lockdep_is_held(&net->nft.commit_mutex)) {
520 if (!nla_strcmp(nla, table->name) &&
521 table->family == family &&
522 nft_active_genmask(table, genmask)) {
523 if (nft_table_has_owner(table) &&
524 table->nlpid != nlpid)
525 return ERR_PTR(-EPERM);
526
527 return table;
528 }
529 }
530
531 return ERR_PTR(-ENOENT);
532 }
533
534 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
535 const struct nlattr *nla,
536 u8 genmask)
537 {
538 struct nft_table *table;
539
540 list_for_each_entry(table, &net->nft.tables, list) {
541 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
542 nft_active_genmask(table, genmask))
543 return table;
544 }
545
546 return ERR_PTR(-ENOENT);
547 }
548
549 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
550 {
551 return ++table->hgenerator;
552 }
553
554 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
555
556 static const struct nft_chain_type *
557 __nft_chain_type_get(u8 family, enum nft_chain_types type)
558 {
559 if (family >= NFPROTO_NUMPROTO ||
560 type >= NFT_CHAIN_T_MAX)
561 return NULL;
562
563 return chain_type[family][type];
564 }
565
566 static const struct nft_chain_type *
567 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
568 {
569 const struct nft_chain_type *type;
570 int i;
571
572 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
573 type = __nft_chain_type_get(family, i);
574 if (!type)
575 continue;
576 if (!nla_strcmp(nla, type->name))
577 return type;
578 }
579 return NULL;
580 }
581
582 struct nft_module_request {
583 struct list_head list;
584 char module[MODULE_NAME_LEN];
585 bool done;
586 };
587
588 #ifdef CONFIG_MODULES
589 static __printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
590 ...)
591 {
592 char module_name[MODULE_NAME_LEN];
593 struct nft_module_request *req;
594 va_list args;
595 int ret;
596
597 va_start(args, fmt);
598 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
599 va_end(args);
600 if (ret >= MODULE_NAME_LEN)
601 return 0;
602
603 list_for_each_entry(req, &net->nft.module_list, list) {
604 if (!strcmp(req->module, module_name)) {
605 if (req->done)
606 return 0;
607
608 /* A request to load this module already exists. */
609 return -EAGAIN;
610 }
611 }
612
613 req = kmalloc(sizeof(*req), GFP_KERNEL);
614 if (!req)
615 return -ENOMEM;
616
617 req->done = false;
618 strlcpy(req->module, module_name, MODULE_NAME_LEN);
619 list_add_tail(&req->list, &net->nft.module_list);
620
621 return -EAGAIN;
622 }
623 #endif
624
625 static void lockdep_nfnl_nft_mutex_not_held(void)
626 {
627 #ifdef CONFIG_PROVE_LOCKING
628 if (debug_locks)
629 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
630 #endif
631 }
632
633 static const struct nft_chain_type *
634 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
635 u8 family, bool autoload)
636 {
637 const struct nft_chain_type *type;
638
639 type = __nf_tables_chain_type_lookup(nla, family);
640 if (type != NULL)
641 return type;
642
643 lockdep_nfnl_nft_mutex_not_held();
644 #ifdef CONFIG_MODULES
645 if (autoload) {
646 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
647 nla_len(nla),
648 (const char *)nla_data(nla)) == -EAGAIN)
649 return ERR_PTR(-EAGAIN);
650 }
651 #endif
652 return ERR_PTR(-ENOENT);
653 }
654
655 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
656 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
657 .len = NFT_TABLE_MAXNAMELEN - 1 },
658 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
659 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
660 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
661 .len = NFT_USERDATA_MAXLEN }
662 };
663
664 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
665 u32 portid, u32 seq, int event, u32 flags,
666 int family, const struct nft_table *table)
667 {
668 struct nlmsghdr *nlh;
669 struct nfgenmsg *nfmsg;
670
671 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
672 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
673 if (nlh == NULL)
674 goto nla_put_failure;
675
676 nfmsg = nlmsg_data(nlh);
677 nfmsg->nfgen_family = family;
678 nfmsg->version = NFNETLINK_V0;
679 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
680
681 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
682 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
683 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
684 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
685 NFTA_TABLE_PAD))
686 goto nla_put_failure;
687 if (nft_table_has_owner(table) &&
688 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid)))
689 goto nla_put_failure;
690
691 if (table->udata) {
692 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
693 goto nla_put_failure;
694 }
695
696 nlmsg_end(skb, nlh);
697 return 0;
698
699 nla_put_failure:
700 nlmsg_trim(skb, nlh);
701 return -1;
702 }
703
704 struct nftnl_skb_parms {
705 bool report;
706 };
707 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
708
709 static void nft_notify_enqueue(struct sk_buff *skb, bool report,
710 struct list_head *notify_list)
711 {
712 NFT_CB(skb).report = report;
713 list_add_tail(&skb->list, notify_list);
714 }
715
716 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
717 {
718 struct sk_buff *skb;
719 int err;
720 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;?:0",
721 ctx->table->name, ctx->table->handle);
722
723 audit_log_nfcfg(buf,
724 ctx->family,
725 ctx->table->use,
726 event == NFT_MSG_NEWTABLE ?
727 AUDIT_NFT_OP_TABLE_REGISTER :
728 AUDIT_NFT_OP_TABLE_UNREGISTER,
729 GFP_KERNEL);
730 kfree(buf);
731
732 if (!ctx->report &&
733 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
734 return;
735
736 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
737 if (skb == NULL)
738 goto err;
739
740 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
741 event, 0, ctx->family, ctx->table);
742 if (err < 0) {
743 kfree_skb(skb);
744 goto err;
745 }
746
747 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
748 return;
749 err:
750 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
751 }
752
753 static int nf_tables_dump_tables(struct sk_buff *skb,
754 struct netlink_callback *cb)
755 {
756 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
757 const struct nft_table *table;
758 unsigned int idx = 0, s_idx = cb->args[0];
759 struct net *net = sock_net(skb->sk);
760 int family = nfmsg->nfgen_family;
761
762 rcu_read_lock();
763 cb->seq = net->nft.base_seq;
764
765 list_for_each_entry_rcu(table, &net->nft.tables, list) {
766 if (family != NFPROTO_UNSPEC && family != table->family)
767 continue;
768
769 if (idx < s_idx)
770 goto cont;
771 if (idx > s_idx)
772 memset(&cb->args[1], 0,
773 sizeof(cb->args) - sizeof(cb->args[0]));
774 if (!nft_is_active(net, table))
775 continue;
776 if (nf_tables_fill_table_info(skb, net,
777 NETLINK_CB(cb->skb).portid,
778 cb->nlh->nlmsg_seq,
779 NFT_MSG_NEWTABLE, NLM_F_MULTI,
780 table->family, table) < 0)
781 goto done;
782
783 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
784 cont:
785 idx++;
786 }
787 done:
788 rcu_read_unlock();
789 cb->args[0] = idx;
790 return skb->len;
791 }
792
793 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
794 const struct nlmsghdr *nlh,
795 struct netlink_dump_control *c)
796 {
797 int err;
798
799 if (!try_module_get(THIS_MODULE))
800 return -EINVAL;
801
802 rcu_read_unlock();
803 err = netlink_dump_start(nlsk, skb, nlh, c);
804 rcu_read_lock();
805 module_put(THIS_MODULE);
806
807 return err;
808 }
809
810 /* called with rcu_read_lock held */
811 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
812 struct sk_buff *skb, const struct nlmsghdr *nlh,
813 const struct nlattr * const nla[],
814 struct netlink_ext_ack *extack)
815 {
816 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
817 u8 genmask = nft_genmask_cur(net);
818 const struct nft_table *table;
819 struct sk_buff *skb2;
820 int family = nfmsg->nfgen_family;
821 int err;
822
823 if (nlh->nlmsg_flags & NLM_F_DUMP) {
824 struct netlink_dump_control c = {
825 .dump = nf_tables_dump_tables,
826 .module = THIS_MODULE,
827 };
828
829 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
830 }
831
832 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0);
833 if (IS_ERR(table)) {
834 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
835 return PTR_ERR(table);
836 }
837
838 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
839 if (!skb2)
840 return -ENOMEM;
841
842 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
843 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
844 family, table);
845 if (err < 0)
846 goto err_fill_table_info;
847
848 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
849
850 err_fill_table_info:
851 kfree_skb(skb2);
852 return err;
853 }
854
855 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
856 {
857 struct nft_chain *chain;
858 u32 i = 0;
859
860 list_for_each_entry(chain, &table->chains, list) {
861 if (!nft_is_active_next(net, chain))
862 continue;
863 if (!nft_is_base_chain(chain))
864 continue;
865
866 if (cnt && i++ == cnt)
867 break;
868
869 nf_tables_unregister_hook(net, table, chain);
870 }
871 }
872
873 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
874 {
875 struct nft_chain *chain;
876 int err, i = 0;
877
878 list_for_each_entry(chain, &table->chains, list) {
879 if (!nft_is_active_next(net, chain))
880 continue;
881 if (!nft_is_base_chain(chain))
882 continue;
883
884 err = nf_tables_register_hook(net, table, chain);
885 if (err < 0)
886 goto err_register_hooks;
887
888 i++;
889 }
890 return 0;
891
892 err_register_hooks:
893 if (i)
894 nft_table_disable(net, table, i);
895 return err;
896 }
897
898 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
899 {
900 nft_table_disable(net, table, 0);
901 }
902
903 enum {
904 NFT_TABLE_STATE_UNCHANGED = 0,
905 NFT_TABLE_STATE_DORMANT,
906 NFT_TABLE_STATE_WAKEUP
907 };
908
909 static int nf_tables_updtable(struct nft_ctx *ctx)
910 {
911 struct nft_trans *trans;
912 u32 flags;
913 int ret = 0;
914
915 if (!ctx->nla[NFTA_TABLE_FLAGS])
916 return 0;
917
918 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
919 if (flags & ~NFT_TABLE_F_MASK)
920 return -EOPNOTSUPP;
921
922 if (flags == ctx->table->flags)
923 return 0;
924
925 if ((nft_table_has_owner(ctx->table) &&
926 !(flags & NFT_TABLE_F_OWNER)) ||
927 (!nft_table_has_owner(ctx->table) &&
928 flags & NFT_TABLE_F_OWNER))
929 return -EOPNOTSUPP;
930
931 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
932 sizeof(struct nft_trans_table));
933 if (trans == NULL)
934 return -ENOMEM;
935
936 if ((flags & NFT_TABLE_F_DORMANT) &&
937 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
938 nft_trans_table_state(trans) = NFT_TABLE_STATE_DORMANT;
939 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
940 ctx->table->flags & NFT_TABLE_F_DORMANT) {
941 ret = nf_tables_table_enable(ctx->net, ctx->table);
942 if (ret >= 0)
943 nft_trans_table_state(trans) = NFT_TABLE_STATE_WAKEUP;
944 }
945 if (ret < 0)
946 goto err;
947
948 nft_trans_table_flags(trans) = flags;
949 nft_trans_table_update(trans) = true;
950 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
951 return 0;
952 err:
953 nft_trans_destroy(trans);
954 return ret;
955 }
956
957 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
958 {
959 const char *name = data;
960
961 return jhash(name, strlen(name), seed);
962 }
963
964 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
965 {
966 const struct nft_chain *chain = data;
967
968 return nft_chain_hash(chain->name, 0, seed);
969 }
970
971 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
972 const void *ptr)
973 {
974 const struct nft_chain *chain = ptr;
975 const char *name = arg->key;
976
977 return strcmp(chain->name, name);
978 }
979
980 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
981 {
982 const struct nft_object_hash_key *k = data;
983
984 seed ^= hash_ptr(k->table, 32);
985
986 return jhash(k->name, strlen(k->name), seed);
987 }
988
989 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
990 {
991 const struct nft_object *obj = data;
992
993 return nft_objname_hash(&obj->key, 0, seed);
994 }
995
996 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
997 const void *ptr)
998 {
999 const struct nft_object_hash_key *k = arg->key;
1000 const struct nft_object *obj = ptr;
1001
1002 if (obj->key.table != k->table)
1003 return -1;
1004
1005 return strcmp(obj->key.name, k->name);
1006 }
1007
1008 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
1009 struct sk_buff *skb, const struct nlmsghdr *nlh,
1010 const struct nlattr * const nla[],
1011 struct netlink_ext_ack *extack)
1012 {
1013 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1014 u8 genmask = nft_genmask_next(net);
1015 int family = nfmsg->nfgen_family;
1016 const struct nlattr *attr;
1017 struct nft_table *table;
1018 struct nft_ctx ctx;
1019 u32 flags = 0;
1020 int err;
1021
1022 lockdep_assert_held(&net->nft.commit_mutex);
1023 attr = nla[NFTA_TABLE_NAME];
1024 table = nft_table_lookup(net, attr, family, genmask,
1025 NETLINK_CB(skb).portid);
1026 if (IS_ERR(table)) {
1027 if (PTR_ERR(table) != -ENOENT)
1028 return PTR_ERR(table);
1029 } else {
1030 if (nlh->nlmsg_flags & NLM_F_EXCL) {
1031 NL_SET_BAD_ATTR(extack, attr);
1032 return -EEXIST;
1033 }
1034 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1035 return -EOPNOTSUPP;
1036
1037 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
1038 return nf_tables_updtable(&ctx);
1039 }
1040
1041 if (nla[NFTA_TABLE_FLAGS]) {
1042 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1043 if (flags & ~NFT_TABLE_F_MASK)
1044 return -EOPNOTSUPP;
1045 }
1046
1047 err = -ENOMEM;
1048 table = kzalloc(sizeof(*table), GFP_KERNEL);
1049 if (table == NULL)
1050 goto err_kzalloc;
1051
1052 table->name = nla_strdup(attr, GFP_KERNEL);
1053 if (table->name == NULL)
1054 goto err_strdup;
1055
1056 if (nla[NFTA_TABLE_USERDATA]) {
1057 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL);
1058 if (table->udata == NULL)
1059 goto err_table_udata;
1060
1061 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
1062 }
1063
1064 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1065 if (err)
1066 goto err_chain_ht;
1067
1068 INIT_LIST_HEAD(&table->chains);
1069 INIT_LIST_HEAD(&table->sets);
1070 INIT_LIST_HEAD(&table->objects);
1071 INIT_LIST_HEAD(&table->flowtables);
1072 table->family = family;
1073 table->flags = flags;
1074 table->handle = ++table_handle;
1075 if (table->flags & NFT_TABLE_F_OWNER)
1076 table->nlpid = NETLINK_CB(skb).portid;
1077
1078 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
1079 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1080 if (err < 0)
1081 goto err_trans;
1082
1083 list_add_tail_rcu(&table->list, &net->nft.tables);
1084 return 0;
1085 err_trans:
1086 rhltable_destroy(&table->chains_ht);
1087 err_chain_ht:
1088 kfree(table->udata);
1089 err_table_udata:
1090 kfree(table->name);
1091 err_strdup:
1092 kfree(table);
1093 err_kzalloc:
1094 return err;
1095 }
1096
1097 static int nft_flush_table(struct nft_ctx *ctx)
1098 {
1099 struct nft_flowtable *flowtable, *nft;
1100 struct nft_chain *chain, *nc;
1101 struct nft_object *obj, *ne;
1102 struct nft_set *set, *ns;
1103 int err;
1104
1105 list_for_each_entry(chain, &ctx->table->chains, list) {
1106 if (!nft_is_active_next(ctx->net, chain))
1107 continue;
1108
1109 if (nft_chain_is_bound(chain))
1110 continue;
1111
1112 ctx->chain = chain;
1113
1114 err = nft_delrule_by_chain(ctx);
1115 if (err < 0)
1116 goto out;
1117 }
1118
1119 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1120 if (!nft_is_active_next(ctx->net, set))
1121 continue;
1122
1123 if (nft_set_is_anonymous(set) &&
1124 !list_empty(&set->bindings))
1125 continue;
1126
1127 err = nft_delset(ctx, set);
1128 if (err < 0)
1129 goto out;
1130 }
1131
1132 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1133 if (!nft_is_active_next(ctx->net, flowtable))
1134 continue;
1135
1136 err = nft_delflowtable(ctx, flowtable);
1137 if (err < 0)
1138 goto out;
1139 }
1140
1141 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1142 if (!nft_is_active_next(ctx->net, obj))
1143 continue;
1144
1145 err = nft_delobj(ctx, obj);
1146 if (err < 0)
1147 goto out;
1148 }
1149
1150 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1151 if (!nft_is_active_next(ctx->net, chain))
1152 continue;
1153
1154 if (nft_chain_is_bound(chain))
1155 continue;
1156
1157 ctx->chain = chain;
1158
1159 err = nft_delchain(ctx);
1160 if (err < 0)
1161 goto out;
1162 }
1163
1164 err = nft_deltable(ctx);
1165 out:
1166 return err;
1167 }
1168
1169 static int nft_flush(struct nft_ctx *ctx, int family)
1170 {
1171 struct nft_table *table, *nt;
1172 const struct nlattr * const *nla = ctx->nla;
1173 int err = 0;
1174
1175 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1176 if (family != AF_UNSPEC && table->family != family)
1177 continue;
1178
1179 ctx->family = table->family;
1180
1181 if (!nft_is_active_next(ctx->net, table))
1182 continue;
1183
1184 if (nft_table_has_owner(table) && table->nlpid != ctx->portid)
1185 continue;
1186
1187 if (nla[NFTA_TABLE_NAME] &&
1188 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1189 continue;
1190
1191 ctx->table = table;
1192
1193 err = nft_flush_table(ctx);
1194 if (err < 0)
1195 goto out;
1196 }
1197 out:
1198 return err;
1199 }
1200
1201 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1202 struct sk_buff *skb, const struct nlmsghdr *nlh,
1203 const struct nlattr * const nla[],
1204 struct netlink_ext_ack *extack)
1205 {
1206 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1207 u8 genmask = nft_genmask_next(net);
1208 int family = nfmsg->nfgen_family;
1209 const struct nlattr *attr;
1210 struct nft_table *table;
1211 struct nft_ctx ctx;
1212
1213 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1214 if (family == AF_UNSPEC ||
1215 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1216 return nft_flush(&ctx, family);
1217
1218 if (nla[NFTA_TABLE_HANDLE]) {
1219 attr = nla[NFTA_TABLE_HANDLE];
1220 table = nft_table_lookup_byhandle(net, attr, genmask);
1221 } else {
1222 attr = nla[NFTA_TABLE_NAME];
1223 table = nft_table_lookup(net, attr, family, genmask,
1224 NETLINK_CB(skb).portid);
1225 }
1226
1227 if (IS_ERR(table)) {
1228 NL_SET_BAD_ATTR(extack, attr);
1229 return PTR_ERR(table);
1230 }
1231
1232 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1233 table->use > 0)
1234 return -EBUSY;
1235
1236 ctx.family = family;
1237 ctx.table = table;
1238
1239 return nft_flush_table(&ctx);
1240 }
1241
1242 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1243 {
1244 if (WARN_ON(ctx->table->use > 0))
1245 return;
1246
1247 rhltable_destroy(&ctx->table->chains_ht);
1248 kfree(ctx->table->name);
1249 kfree(ctx->table->udata);
1250 kfree(ctx->table);
1251 }
1252
1253 void nft_register_chain_type(const struct nft_chain_type *ctype)
1254 {
1255 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1256 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1257 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1258 return;
1259 }
1260 chain_type[ctype->family][ctype->type] = ctype;
1261 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1262 }
1263 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1264
1265 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1266 {
1267 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1268 chain_type[ctype->family][ctype->type] = NULL;
1269 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1270 }
1271 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1272
1273 /*
1274 * Chains
1275 */
1276
1277 static struct nft_chain *
1278 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1279 {
1280 struct nft_chain *chain;
1281
1282 list_for_each_entry(chain, &table->chains, list) {
1283 if (chain->handle == handle &&
1284 nft_active_genmask(chain, genmask))
1285 return chain;
1286 }
1287
1288 return ERR_PTR(-ENOENT);
1289 }
1290
1291 static bool lockdep_commit_lock_is_held(const struct net *net)
1292 {
1293 #ifdef CONFIG_PROVE_LOCKING
1294 return lockdep_is_held(&net->nft.commit_mutex);
1295 #else
1296 return true;
1297 #endif
1298 }
1299
1300 static struct nft_chain *nft_chain_lookup(struct net *net,
1301 struct nft_table *table,
1302 const struct nlattr *nla, u8 genmask)
1303 {
1304 char search[NFT_CHAIN_MAXNAMELEN + 1];
1305 struct rhlist_head *tmp, *list;
1306 struct nft_chain *chain;
1307
1308 if (nla == NULL)
1309 return ERR_PTR(-EINVAL);
1310
1311 nla_strscpy(search, nla, sizeof(search));
1312
1313 WARN_ON(!rcu_read_lock_held() &&
1314 !lockdep_commit_lock_is_held(net));
1315
1316 chain = ERR_PTR(-ENOENT);
1317 rcu_read_lock();
1318 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1319 if (!list)
1320 goto out_unlock;
1321
1322 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1323 if (nft_active_genmask(chain, genmask))
1324 goto out_unlock;
1325 }
1326 chain = ERR_PTR(-ENOENT);
1327 out_unlock:
1328 rcu_read_unlock();
1329 return chain;
1330 }
1331
1332 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1333 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1334 .len = NFT_TABLE_MAXNAMELEN - 1 },
1335 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1336 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1337 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1338 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1339 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1340 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1341 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1342 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1343 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1344 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1345 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
1346 .len = NFT_USERDATA_MAXLEN },
1347 };
1348
1349 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1350 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1351 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1352 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1353 .len = IFNAMSIZ - 1 },
1354 };
1355
1356 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1357 {
1358 struct nft_stats *cpu_stats, total;
1359 struct nlattr *nest;
1360 unsigned int seq;
1361 u64 pkts, bytes;
1362 int cpu;
1363
1364 if (!stats)
1365 return 0;
1366
1367 memset(&total, 0, sizeof(total));
1368 for_each_possible_cpu(cpu) {
1369 cpu_stats = per_cpu_ptr(stats, cpu);
1370 do {
1371 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1372 pkts = cpu_stats->pkts;
1373 bytes = cpu_stats->bytes;
1374 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1375 total.pkts += pkts;
1376 total.bytes += bytes;
1377 }
1378 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1379 if (nest == NULL)
1380 goto nla_put_failure;
1381
1382 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1383 NFTA_COUNTER_PAD) ||
1384 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1385 NFTA_COUNTER_PAD))
1386 goto nla_put_failure;
1387
1388 nla_nest_end(skb, nest);
1389 return 0;
1390
1391 nla_put_failure:
1392 return -ENOSPC;
1393 }
1394
1395 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1396 const struct nft_base_chain *basechain)
1397 {
1398 const struct nf_hook_ops *ops = &basechain->ops;
1399 struct nft_hook *hook, *first = NULL;
1400 struct nlattr *nest, *nest_devs;
1401 int n = 0;
1402
1403 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1404 if (nest == NULL)
1405 goto nla_put_failure;
1406 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1407 goto nla_put_failure;
1408 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1409 goto nla_put_failure;
1410
1411 if (nft_base_chain_netdev(family, ops->hooknum)) {
1412 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1413 list_for_each_entry(hook, &basechain->hook_list, list) {
1414 if (!first)
1415 first = hook;
1416
1417 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1418 hook->ops.dev->name))
1419 goto nla_put_failure;
1420 n++;
1421 }
1422 nla_nest_end(skb, nest_devs);
1423
1424 if (n == 1 &&
1425 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1426 goto nla_put_failure;
1427 }
1428 nla_nest_end(skb, nest);
1429
1430 return 0;
1431 nla_put_failure:
1432 return -1;
1433 }
1434
1435 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1436 u32 portid, u32 seq, int event, u32 flags,
1437 int family, const struct nft_table *table,
1438 const struct nft_chain *chain)
1439 {
1440 struct nlmsghdr *nlh;
1441 struct nfgenmsg *nfmsg;
1442
1443 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1444 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1445 if (nlh == NULL)
1446 goto nla_put_failure;
1447
1448 nfmsg = nlmsg_data(nlh);
1449 nfmsg->nfgen_family = family;
1450 nfmsg->version = NFNETLINK_V0;
1451 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1452
1453 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1454 goto nla_put_failure;
1455 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1456 NFTA_CHAIN_PAD))
1457 goto nla_put_failure;
1458 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1459 goto nla_put_failure;
1460
1461 if (nft_is_base_chain(chain)) {
1462 const struct nft_base_chain *basechain = nft_base_chain(chain);
1463 struct nft_stats __percpu *stats;
1464
1465 if (nft_dump_basechain_hook(skb, family, basechain))
1466 goto nla_put_failure;
1467
1468 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1469 htonl(basechain->policy)))
1470 goto nla_put_failure;
1471
1472 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1473 goto nla_put_failure;
1474
1475 stats = rcu_dereference_check(basechain->stats,
1476 lockdep_commit_lock_is_held(net));
1477 if (nft_dump_stats(skb, stats))
1478 goto nla_put_failure;
1479 }
1480
1481 if (chain->flags &&
1482 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
1483 goto nla_put_failure;
1484
1485 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1486 goto nla_put_failure;
1487
1488 if (chain->udata &&
1489 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
1490 goto nla_put_failure;
1491
1492 nlmsg_end(skb, nlh);
1493 return 0;
1494
1495 nla_put_failure:
1496 nlmsg_trim(skb, nlh);
1497 return -1;
1498 }
1499
1500 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1501 {
1502 struct sk_buff *skb;
1503 int err;
1504 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
1505 ctx->table->name, ctx->table->handle,
1506 ctx->chain->name, ctx->chain->handle);
1507
1508 audit_log_nfcfg(buf,
1509 ctx->family,
1510 ctx->chain->use,
1511 event == NFT_MSG_NEWCHAIN ?
1512 AUDIT_NFT_OP_CHAIN_REGISTER :
1513 AUDIT_NFT_OP_CHAIN_UNREGISTER,
1514 GFP_KERNEL);
1515 kfree(buf);
1516
1517 if (!ctx->report &&
1518 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1519 return;
1520
1521 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1522 if (skb == NULL)
1523 goto err;
1524
1525 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1526 event, 0, ctx->family, ctx->table,
1527 ctx->chain);
1528 if (err < 0) {
1529 kfree_skb(skb);
1530 goto err;
1531 }
1532
1533 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
1534 return;
1535 err:
1536 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1537 }
1538
1539 static int nf_tables_dump_chains(struct sk_buff *skb,
1540 struct netlink_callback *cb)
1541 {
1542 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1543 const struct nft_table *table;
1544 const struct nft_chain *chain;
1545 unsigned int idx = 0, s_idx = cb->args[0];
1546 struct net *net = sock_net(skb->sk);
1547 int family = nfmsg->nfgen_family;
1548
1549 rcu_read_lock();
1550 cb->seq = net->nft.base_seq;
1551
1552 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1553 if (family != NFPROTO_UNSPEC && family != table->family)
1554 continue;
1555
1556 list_for_each_entry_rcu(chain, &table->chains, list) {
1557 if (idx < s_idx)
1558 goto cont;
1559 if (idx > s_idx)
1560 memset(&cb->args[1], 0,
1561 sizeof(cb->args) - sizeof(cb->args[0]));
1562 if (!nft_is_active(net, chain))
1563 continue;
1564 if (nf_tables_fill_chain_info(skb, net,
1565 NETLINK_CB(cb->skb).portid,
1566 cb->nlh->nlmsg_seq,
1567 NFT_MSG_NEWCHAIN,
1568 NLM_F_MULTI,
1569 table->family, table,
1570 chain) < 0)
1571 goto done;
1572
1573 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1574 cont:
1575 idx++;
1576 }
1577 }
1578 done:
1579 rcu_read_unlock();
1580 cb->args[0] = idx;
1581 return skb->len;
1582 }
1583
1584 /* called with rcu_read_lock held */
1585 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1586 struct sk_buff *skb, const struct nlmsghdr *nlh,
1587 const struct nlattr * const nla[],
1588 struct netlink_ext_ack *extack)
1589 {
1590 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1591 u8 genmask = nft_genmask_cur(net);
1592 const struct nft_chain *chain;
1593 struct nft_table *table;
1594 struct sk_buff *skb2;
1595 int family = nfmsg->nfgen_family;
1596 int err;
1597
1598 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1599 struct netlink_dump_control c = {
1600 .dump = nf_tables_dump_chains,
1601 .module = THIS_MODULE,
1602 };
1603
1604 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1605 }
1606
1607 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0);
1608 if (IS_ERR(table)) {
1609 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1610 return PTR_ERR(table);
1611 }
1612
1613 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1614 if (IS_ERR(chain)) {
1615 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1616 return PTR_ERR(chain);
1617 }
1618
1619 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1620 if (!skb2)
1621 return -ENOMEM;
1622
1623 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1624 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1625 family, table, chain);
1626 if (err < 0)
1627 goto err_fill_chain_info;
1628
1629 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1630
1631 err_fill_chain_info:
1632 kfree_skb(skb2);
1633 return err;
1634 }
1635
1636 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1637 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1638 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1639 };
1640
1641 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1642 {
1643 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1644 struct nft_stats __percpu *newstats;
1645 struct nft_stats *stats;
1646 int err;
1647
1648 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1649 nft_counter_policy, NULL);
1650 if (err < 0)
1651 return ERR_PTR(err);
1652
1653 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1654 return ERR_PTR(-EINVAL);
1655
1656 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1657 if (newstats == NULL)
1658 return ERR_PTR(-ENOMEM);
1659
1660 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1661 * are not exposed to userspace.
1662 */
1663 preempt_disable();
1664 stats = this_cpu_ptr(newstats);
1665 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1666 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1667 preempt_enable();
1668
1669 return newstats;
1670 }
1671
1672 static void nft_chain_stats_replace(struct nft_trans *trans)
1673 {
1674 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1675
1676 if (!nft_trans_chain_stats(trans))
1677 return;
1678
1679 nft_trans_chain_stats(trans) =
1680 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
1681 lockdep_commit_lock_is_held(trans->ctx.net));
1682
1683 if (!nft_trans_chain_stats(trans))
1684 static_branch_inc(&nft_counters_enabled);
1685 }
1686
1687 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1688 {
1689 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1690 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1691
1692 if (g0 != g1)
1693 kvfree(g1);
1694 kvfree(g0);
1695
1696 /* should be NULL either via abort or via successful commit */
1697 WARN_ON_ONCE(chain->rules_next);
1698 kvfree(chain->rules_next);
1699 }
1700
1701 void nf_tables_chain_destroy(struct nft_ctx *ctx)
1702 {
1703 struct nft_chain *chain = ctx->chain;
1704 struct nft_hook *hook, *next;
1705
1706 if (WARN_ON(chain->use > 0))
1707 return;
1708
1709 /* no concurrent access possible anymore */
1710 nf_tables_chain_free_chain_rules(chain);
1711
1712 if (nft_is_base_chain(chain)) {
1713 struct nft_base_chain *basechain = nft_base_chain(chain);
1714
1715 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
1716 list_for_each_entry_safe(hook, next,
1717 &basechain->hook_list, list) {
1718 list_del_rcu(&hook->list);
1719 kfree_rcu(hook, rcu);
1720 }
1721 }
1722 module_put(basechain->type->owner);
1723 if (rcu_access_pointer(basechain->stats)) {
1724 static_branch_dec(&nft_counters_enabled);
1725 free_percpu(rcu_dereference_raw(basechain->stats));
1726 }
1727 kfree(chain->name);
1728 kfree(chain->udata);
1729 kfree(basechain);
1730 } else {
1731 kfree(chain->name);
1732 kfree(chain->udata);
1733 kfree(chain);
1734 }
1735 }
1736
1737 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
1738 const struct nlattr *attr)
1739 {
1740 struct net_device *dev;
1741 char ifname[IFNAMSIZ];
1742 struct nft_hook *hook;
1743 int err;
1744
1745 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL);
1746 if (!hook) {
1747 err = -ENOMEM;
1748 goto err_hook_alloc;
1749 }
1750
1751 nla_strscpy(ifname, attr, IFNAMSIZ);
1752 /* nf_tables_netdev_event() is called under rtnl_mutex, this is
1753 * indirectly serializing all the other holders of the commit_mutex with
1754 * the rtnl_mutex.
1755 */
1756 dev = __dev_get_by_name(net, ifname);
1757 if (!dev) {
1758 err = -ENOENT;
1759 goto err_hook_dev;
1760 }
1761 hook->ops.dev = dev;
1762 hook->inactive = false;
1763
1764 return hook;
1765
1766 err_hook_dev:
1767 kfree(hook);
1768 err_hook_alloc:
1769 return ERR_PTR(err);
1770 }
1771
1772 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
1773 const struct nft_hook *this)
1774 {
1775 struct nft_hook *hook;
1776
1777 list_for_each_entry(hook, hook_list, list) {
1778 if (this->ops.dev == hook->ops.dev)
1779 return hook;
1780 }
1781
1782 return NULL;
1783 }
1784
1785 static int nf_tables_parse_netdev_hooks(struct net *net,
1786 const struct nlattr *attr,
1787 struct list_head *hook_list)
1788 {
1789 struct nft_hook *hook, *next;
1790 const struct nlattr *tmp;
1791 int rem, n = 0, err;
1792
1793 nla_for_each_nested(tmp, attr, rem) {
1794 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
1795 err = -EINVAL;
1796 goto err_hook;
1797 }
1798
1799 hook = nft_netdev_hook_alloc(net, tmp);
1800 if (IS_ERR(hook)) {
1801 err = PTR_ERR(hook);
1802 goto err_hook;
1803 }
1804 if (nft_hook_list_find(hook_list, hook)) {
1805 kfree(hook);
1806 err = -EEXIST;
1807 goto err_hook;
1808 }
1809 list_add_tail(&hook->list, hook_list);
1810 n++;
1811
1812 if (n == NFT_NETDEVICE_MAX) {
1813 err = -EFBIG;
1814 goto err_hook;
1815 }
1816 }
1817
1818 return 0;
1819
1820 err_hook:
1821 list_for_each_entry_safe(hook, next, hook_list, list) {
1822 list_del(&hook->list);
1823 kfree(hook);
1824 }
1825 return err;
1826 }
1827
1828 struct nft_chain_hook {
1829 u32 num;
1830 s32 priority;
1831 const struct nft_chain_type *type;
1832 struct list_head list;
1833 };
1834
1835 static int nft_chain_parse_netdev(struct net *net,
1836 struct nlattr *tb[],
1837 struct list_head *hook_list)
1838 {
1839 struct nft_hook *hook;
1840 int err;
1841
1842 if (tb[NFTA_HOOK_DEV]) {
1843 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
1844 if (IS_ERR(hook))
1845 return PTR_ERR(hook);
1846
1847 list_add_tail(&hook->list, hook_list);
1848 } else if (tb[NFTA_HOOK_DEVS]) {
1849 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
1850 hook_list);
1851 if (err < 0)
1852 return err;
1853
1854 if (list_empty(hook_list))
1855 return -EINVAL;
1856 } else {
1857 return -EINVAL;
1858 }
1859
1860 return 0;
1861 }
1862
1863 static int nft_chain_parse_hook(struct net *net,
1864 const struct nlattr * const nla[],
1865 struct nft_chain_hook *hook, u8 family,
1866 bool autoload)
1867 {
1868 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1869 const struct nft_chain_type *type;
1870 int err;
1871
1872 lockdep_assert_held(&net->nft.commit_mutex);
1873 lockdep_nfnl_nft_mutex_not_held();
1874
1875 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
1876 nla[NFTA_CHAIN_HOOK],
1877 nft_hook_policy, NULL);
1878 if (err < 0)
1879 return err;
1880
1881 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1882 ha[NFTA_HOOK_PRIORITY] == NULL)
1883 return -EINVAL;
1884
1885 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1886 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1887
1888 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
1889 if (!type)
1890 return -EOPNOTSUPP;
1891
1892 if (nla[NFTA_CHAIN_TYPE]) {
1893 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1894 family, autoload);
1895 if (IS_ERR(type))
1896 return PTR_ERR(type);
1897 }
1898 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1899 return -EOPNOTSUPP;
1900
1901 if (type->type == NFT_CHAIN_T_NAT &&
1902 hook->priority <= NF_IP_PRI_CONNTRACK)
1903 return -EOPNOTSUPP;
1904
1905 if (!try_module_get(type->owner))
1906 return -ENOENT;
1907
1908 hook->type = type;
1909
1910 INIT_LIST_HEAD(&hook->list);
1911 if (nft_base_chain_netdev(family, hook->num)) {
1912 err = nft_chain_parse_netdev(net, ha, &hook->list);
1913 if (err < 0) {
1914 module_put(type->owner);
1915 return err;
1916 }
1917 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
1918 module_put(type->owner);
1919 return -EOPNOTSUPP;
1920 }
1921
1922 return 0;
1923 }
1924
1925 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1926 {
1927 struct nft_hook *h, *next;
1928
1929 list_for_each_entry_safe(h, next, &hook->list, list) {
1930 list_del(&h->list);
1931 kfree(h);
1932 }
1933 module_put(hook->type->owner);
1934 }
1935
1936 struct nft_rules_old {
1937 struct rcu_head h;
1938 struct nft_rule **start;
1939 };
1940
1941 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1942 unsigned int alloc)
1943 {
1944 if (alloc > INT_MAX)
1945 return NULL;
1946
1947 alloc += 1; /* NULL, ends rules */
1948 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1949 return NULL;
1950
1951 alloc *= sizeof(struct nft_rule *);
1952 alloc += sizeof(struct nft_rules_old);
1953
1954 return kvmalloc(alloc, GFP_KERNEL);
1955 }
1956
1957 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
1958 const struct nft_chain_hook *hook,
1959 struct nft_chain *chain)
1960 {
1961 ops->pf = family;
1962 ops->hooknum = hook->num;
1963 ops->priority = hook->priority;
1964 ops->priv = chain;
1965 ops->hook = hook->type->hooks[ops->hooknum];
1966 }
1967
1968 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
1969 struct nft_chain_hook *hook, u32 flags)
1970 {
1971 struct nft_chain *chain;
1972 struct nft_hook *h;
1973
1974 basechain->type = hook->type;
1975 INIT_LIST_HEAD(&basechain->hook_list);
1976 chain = &basechain->chain;
1977
1978 if (nft_base_chain_netdev(family, hook->num)) {
1979 list_splice_init(&hook->list, &basechain->hook_list);
1980 list_for_each_entry(h, &basechain->hook_list, list)
1981 nft_basechain_hook_init(&h->ops, family, hook, chain);
1982
1983 basechain->ops.hooknum = hook->num;
1984 basechain->ops.priority = hook->priority;
1985 } else {
1986 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
1987 }
1988
1989 chain->flags |= NFT_CHAIN_BASE | flags;
1990 basechain->policy = NF_ACCEPT;
1991 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
1992 nft_chain_offload_priority(basechain) < 0)
1993 return -EOPNOTSUPP;
1994
1995 flow_block_init(&basechain->flow_block);
1996
1997 return 0;
1998 }
1999
2000 static int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
2001 {
2002 int err;
2003
2004 err = rhltable_insert_key(&table->chains_ht, chain->name,
2005 &chain->rhlhead, nft_chain_ht_params);
2006 if (err)
2007 return err;
2008
2009 list_add_tail_rcu(&chain->list, &table->chains);
2010
2011 return 0;
2012 }
2013
2014 static u64 chain_id;
2015
2016 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
2017 u8 policy, u32 flags)
2018 {
2019 const struct nlattr * const *nla = ctx->nla;
2020 struct nft_table *table = ctx->table;
2021 struct nft_base_chain *basechain;
2022 struct nft_stats __percpu *stats;
2023 struct net *net = ctx->net;
2024 char name[NFT_NAME_MAXLEN];
2025 struct nft_trans *trans;
2026 struct nft_chain *chain;
2027 struct nft_rule **rules;
2028 int err;
2029
2030 if (table->use == UINT_MAX)
2031 return -EOVERFLOW;
2032
2033 if (nla[NFTA_CHAIN_HOOK]) {
2034 struct nft_chain_hook hook;
2035
2036 if (flags & NFT_CHAIN_BINDING)
2037 return -EOPNOTSUPP;
2038
2039 err = nft_chain_parse_hook(net, nla, &hook, family, true);
2040 if (err < 0)
2041 return err;
2042
2043 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
2044 if (basechain == NULL) {
2045 nft_chain_release_hook(&hook);
2046 return -ENOMEM;
2047 }
2048 chain = &basechain->chain;
2049
2050 if (nla[NFTA_CHAIN_COUNTERS]) {
2051 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2052 if (IS_ERR(stats)) {
2053 nft_chain_release_hook(&hook);
2054 kfree(basechain);
2055 return PTR_ERR(stats);
2056 }
2057 rcu_assign_pointer(basechain->stats, stats);
2058 static_branch_inc(&nft_counters_enabled);
2059 }
2060
2061 err = nft_basechain_init(basechain, family, &hook, flags);
2062 if (err < 0) {
2063 nft_chain_release_hook(&hook);
2064 kfree(basechain);
2065 return err;
2066 }
2067 } else {
2068 if (flags & NFT_CHAIN_BASE)
2069 return -EINVAL;
2070 if (flags & NFT_CHAIN_HW_OFFLOAD)
2071 return -EOPNOTSUPP;
2072
2073 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
2074 if (chain == NULL)
2075 return -ENOMEM;
2076
2077 chain->flags = flags;
2078 }
2079 ctx->chain = chain;
2080
2081 INIT_LIST_HEAD(&chain->rules);
2082 chain->handle = nf_tables_alloc_handle(table);
2083 chain->table = table;
2084
2085 if (nla[NFTA_CHAIN_NAME]) {
2086 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2087 } else {
2088 if (!(flags & NFT_CHAIN_BINDING)) {
2089 err = -EINVAL;
2090 goto err_destroy_chain;
2091 }
2092
2093 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2094 chain->name = kstrdup(name, GFP_KERNEL);
2095 }
2096
2097 if (!chain->name) {
2098 err = -ENOMEM;
2099 goto err_destroy_chain;
2100 }
2101
2102 if (nla[NFTA_CHAIN_USERDATA]) {
2103 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL);
2104 if (chain->udata == NULL) {
2105 err = -ENOMEM;
2106 goto err_destroy_chain;
2107 }
2108 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
2109 }
2110
2111 rules = nf_tables_chain_alloc_rules(chain, 0);
2112 if (!rules) {
2113 err = -ENOMEM;
2114 goto err_destroy_chain;
2115 }
2116
2117 *rules = NULL;
2118 rcu_assign_pointer(chain->rules_gen_0, rules);
2119 rcu_assign_pointer(chain->rules_gen_1, rules);
2120
2121 err = nf_tables_register_hook(net, table, chain);
2122 if (err < 0)
2123 goto err_destroy_chain;
2124
2125 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2126 if (IS_ERR(trans)) {
2127 err = PTR_ERR(trans);
2128 goto err_unregister_hook;
2129 }
2130
2131 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2132 if (nft_is_base_chain(chain))
2133 nft_trans_chain_policy(trans) = policy;
2134
2135 err = nft_chain_add(table, chain);
2136 if (err < 0) {
2137 nft_trans_destroy(trans);
2138 goto err_unregister_hook;
2139 }
2140
2141 table->use++;
2142
2143 return 0;
2144 err_unregister_hook:
2145 nf_tables_unregister_hook(net, table, chain);
2146 err_destroy_chain:
2147 nf_tables_chain_destroy(ctx);
2148
2149 return err;
2150 }
2151
2152 static bool nft_hook_list_equal(struct list_head *hook_list1,
2153 struct list_head *hook_list2)
2154 {
2155 struct nft_hook *hook;
2156 int n = 0, m = 0;
2157
2158 n = 0;
2159 list_for_each_entry(hook, hook_list2, list) {
2160 if (!nft_hook_list_find(hook_list1, hook))
2161 return false;
2162
2163 n++;
2164 }
2165 list_for_each_entry(hook, hook_list1, list)
2166 m++;
2167
2168 return n == m;
2169 }
2170
2171 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2172 u32 flags, const struct nlattr *attr,
2173 struct netlink_ext_ack *extack)
2174 {
2175 const struct nlattr * const *nla = ctx->nla;
2176 struct nft_table *table = ctx->table;
2177 struct nft_chain *chain = ctx->chain;
2178 struct nft_base_chain *basechain;
2179 struct nft_stats *stats = NULL;
2180 struct nft_chain_hook hook;
2181 struct nf_hook_ops *ops;
2182 struct nft_trans *trans;
2183 int err;
2184
2185 if (chain->flags ^ flags)
2186 return -EOPNOTSUPP;
2187
2188 if (nla[NFTA_CHAIN_HOOK]) {
2189 if (!nft_is_base_chain(chain)) {
2190 NL_SET_BAD_ATTR(extack, attr);
2191 return -EEXIST;
2192 }
2193 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
2194 false);
2195 if (err < 0)
2196 return err;
2197
2198 basechain = nft_base_chain(chain);
2199 if (basechain->type != hook.type) {
2200 nft_chain_release_hook(&hook);
2201 NL_SET_BAD_ATTR(extack, attr);
2202 return -EEXIST;
2203 }
2204
2205 if (nft_base_chain_netdev(ctx->family, hook.num)) {
2206 if (!nft_hook_list_equal(&basechain->hook_list,
2207 &hook.list)) {
2208 nft_chain_release_hook(&hook);
2209 NL_SET_BAD_ATTR(extack, attr);
2210 return -EEXIST;
2211 }
2212 } else {
2213 ops = &basechain->ops;
2214 if (ops->hooknum != hook.num ||
2215 ops->priority != hook.priority) {
2216 nft_chain_release_hook(&hook);
2217 NL_SET_BAD_ATTR(extack, attr);
2218 return -EEXIST;
2219 }
2220 }
2221 nft_chain_release_hook(&hook);
2222 }
2223
2224 if (nla[NFTA_CHAIN_HANDLE] &&
2225 nla[NFTA_CHAIN_NAME]) {
2226 struct nft_chain *chain2;
2227
2228 chain2 = nft_chain_lookup(ctx->net, table,
2229 nla[NFTA_CHAIN_NAME], genmask);
2230 if (!IS_ERR(chain2)) {
2231 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2232 return -EEXIST;
2233 }
2234 }
2235
2236 if (nla[NFTA_CHAIN_COUNTERS]) {
2237 if (!nft_is_base_chain(chain))
2238 return -EOPNOTSUPP;
2239
2240 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2241 if (IS_ERR(stats))
2242 return PTR_ERR(stats);
2243 }
2244
2245 err = -ENOMEM;
2246 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2247 sizeof(struct nft_trans_chain));
2248 if (trans == NULL)
2249 goto err;
2250
2251 nft_trans_chain_stats(trans) = stats;
2252 nft_trans_chain_update(trans) = true;
2253
2254 if (nla[NFTA_CHAIN_POLICY])
2255 nft_trans_chain_policy(trans) = policy;
2256 else
2257 nft_trans_chain_policy(trans) = -1;
2258
2259 if (nla[NFTA_CHAIN_HANDLE] &&
2260 nla[NFTA_CHAIN_NAME]) {
2261 struct nft_trans *tmp;
2262 char *name;
2263
2264 err = -ENOMEM;
2265 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2266 if (!name)
2267 goto err;
2268
2269 err = -EEXIST;
2270 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
2271 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2272 tmp->ctx.table == table &&
2273 nft_trans_chain_update(tmp) &&
2274 nft_trans_chain_name(tmp) &&
2275 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2276 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2277 kfree(name);
2278 goto err;
2279 }
2280 }
2281
2282 nft_trans_chain_name(trans) = name;
2283 }
2284 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
2285
2286 return 0;
2287 err:
2288 free_percpu(stats);
2289 kfree(trans);
2290 return err;
2291 }
2292
2293 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2294 const struct nlattr *nla)
2295 {
2296 u32 id = ntohl(nla_get_be32(nla));
2297 struct nft_trans *trans;
2298
2299 list_for_each_entry(trans, &net->nft.commit_list, list) {
2300 struct nft_chain *chain = trans->ctx.chain;
2301
2302 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2303 id == nft_trans_chain_id(trans))
2304 return chain;
2305 }
2306 return ERR_PTR(-ENOENT);
2307 }
2308
2309 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
2310 struct sk_buff *skb, const struct nlmsghdr *nlh,
2311 const struct nlattr * const nla[],
2312 struct netlink_ext_ack *extack)
2313 {
2314 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2315 u8 genmask = nft_genmask_next(net);
2316 int family = nfmsg->nfgen_family;
2317 struct nft_chain *chain = NULL;
2318 const struct nlattr *attr;
2319 struct nft_table *table;
2320 u8 policy = NF_ACCEPT;
2321 struct nft_ctx ctx;
2322 u64 handle = 0;
2323 u32 flags = 0;
2324
2325 lockdep_assert_held(&net->nft.commit_mutex);
2326
2327 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2328 NETLINK_CB(skb).portid);
2329 if (IS_ERR(table)) {
2330 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2331 return PTR_ERR(table);
2332 }
2333
2334 chain = NULL;
2335 attr = nla[NFTA_CHAIN_NAME];
2336
2337 if (nla[NFTA_CHAIN_HANDLE]) {
2338 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2339 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2340 if (IS_ERR(chain)) {
2341 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2342 return PTR_ERR(chain);
2343 }
2344 attr = nla[NFTA_CHAIN_HANDLE];
2345 } else if (nla[NFTA_CHAIN_NAME]) {
2346 chain = nft_chain_lookup(net, table, attr, genmask);
2347 if (IS_ERR(chain)) {
2348 if (PTR_ERR(chain) != -ENOENT) {
2349 NL_SET_BAD_ATTR(extack, attr);
2350 return PTR_ERR(chain);
2351 }
2352 chain = NULL;
2353 }
2354 } else if (!nla[NFTA_CHAIN_ID]) {
2355 return -EINVAL;
2356 }
2357
2358 if (nla[NFTA_CHAIN_POLICY]) {
2359 if (chain != NULL &&
2360 !nft_is_base_chain(chain)) {
2361 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2362 return -EOPNOTSUPP;
2363 }
2364
2365 if (chain == NULL &&
2366 nla[NFTA_CHAIN_HOOK] == NULL) {
2367 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2368 return -EOPNOTSUPP;
2369 }
2370
2371 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2372 switch (policy) {
2373 case NF_DROP:
2374 case NF_ACCEPT:
2375 break;
2376 default:
2377 return -EINVAL;
2378 }
2379 }
2380
2381 if (nla[NFTA_CHAIN_FLAGS])
2382 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2383 else if (chain)
2384 flags = chain->flags;
2385
2386 if (flags & ~NFT_CHAIN_FLAGS)
2387 return -EOPNOTSUPP;
2388
2389 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2390
2391 if (chain != NULL) {
2392 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2393 NL_SET_BAD_ATTR(extack, attr);
2394 return -EEXIST;
2395 }
2396 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2397 return -EOPNOTSUPP;
2398
2399 flags |= chain->flags & NFT_CHAIN_BASE;
2400 return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
2401 extack);
2402 }
2403
2404 return nf_tables_addchain(&ctx, family, genmask, policy, flags);
2405 }
2406
2407 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
2408 struct sk_buff *skb, const struct nlmsghdr *nlh,
2409 const struct nlattr * const nla[],
2410 struct netlink_ext_ack *extack)
2411 {
2412 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2413 u8 genmask = nft_genmask_next(net);
2414 int family = nfmsg->nfgen_family;
2415 const struct nlattr *attr;
2416 struct nft_table *table;
2417 struct nft_chain *chain;
2418 struct nft_rule *rule;
2419 struct nft_ctx ctx;
2420 u64 handle;
2421 u32 use;
2422 int err;
2423
2424 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2425 NETLINK_CB(skb).portid);
2426 if (IS_ERR(table)) {
2427 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2428 return PTR_ERR(table);
2429 }
2430
2431 if (nla[NFTA_CHAIN_HANDLE]) {
2432 attr = nla[NFTA_CHAIN_HANDLE];
2433 handle = be64_to_cpu(nla_get_be64(attr));
2434 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2435 } else {
2436 attr = nla[NFTA_CHAIN_NAME];
2437 chain = nft_chain_lookup(net, table, attr, genmask);
2438 }
2439 if (IS_ERR(chain)) {
2440 NL_SET_BAD_ATTR(extack, attr);
2441 return PTR_ERR(chain);
2442 }
2443
2444 if (nlh->nlmsg_flags & NLM_F_NONREC &&
2445 chain->use > 0)
2446 return -EBUSY;
2447
2448 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2449
2450 use = chain->use;
2451 list_for_each_entry(rule, &chain->rules, list) {
2452 if (!nft_is_active_next(net, rule))
2453 continue;
2454 use--;
2455
2456 err = nft_delrule(&ctx, rule);
2457 if (err < 0)
2458 return err;
2459 }
2460
2461 /* There are rules and elements that are still holding references to us,
2462 * we cannot do a recursive removal in this case.
2463 */
2464 if (use > 0) {
2465 NL_SET_BAD_ATTR(extack, attr);
2466 return -EBUSY;
2467 }
2468
2469 return nft_delchain(&ctx);
2470 }
2471
2472 /*
2473 * Expressions
2474 */
2475
2476 /**
2477 * nft_register_expr - register nf_tables expr type
2478 * @type: expr type
2479 *
2480 * Registers the expr type for use with nf_tables. Returns zero on
2481 * success or a negative errno code otherwise.
2482 */
2483 int nft_register_expr(struct nft_expr_type *type)
2484 {
2485 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2486 if (type->family == NFPROTO_UNSPEC)
2487 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2488 else
2489 list_add_rcu(&type->list, &nf_tables_expressions);
2490 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2491 return 0;
2492 }
2493 EXPORT_SYMBOL_GPL(nft_register_expr);
2494
2495 /**
2496 * nft_unregister_expr - unregister nf_tables expr type
2497 * @type: expr type
2498 *
2499 * Unregisters the expr typefor use with nf_tables.
2500 */
2501 void nft_unregister_expr(struct nft_expr_type *type)
2502 {
2503 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2504 list_del_rcu(&type->list);
2505 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2506 }
2507 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2508
2509 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2510 struct nlattr *nla)
2511 {
2512 const struct nft_expr_type *type, *candidate = NULL;
2513
2514 list_for_each_entry(type, &nf_tables_expressions, list) {
2515 if (!nla_strcmp(nla, type->name)) {
2516 if (!type->family && !candidate)
2517 candidate = type;
2518 else if (type->family == family)
2519 candidate = type;
2520 }
2521 }
2522 return candidate;
2523 }
2524
2525 #ifdef CONFIG_MODULES
2526 static int nft_expr_type_request_module(struct net *net, u8 family,
2527 struct nlattr *nla)
2528 {
2529 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
2530 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
2531 return -EAGAIN;
2532
2533 return 0;
2534 }
2535 #endif
2536
2537 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2538 u8 family,
2539 struct nlattr *nla)
2540 {
2541 const struct nft_expr_type *type;
2542
2543 if (nla == NULL)
2544 return ERR_PTR(-EINVAL);
2545
2546 type = __nft_expr_type_get(family, nla);
2547 if (type != NULL && try_module_get(type->owner))
2548 return type;
2549
2550 lockdep_nfnl_nft_mutex_not_held();
2551 #ifdef CONFIG_MODULES
2552 if (type == NULL) {
2553 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2554 return ERR_PTR(-EAGAIN);
2555
2556 if (nft_request_module(net, "nft-expr-%.*s",
2557 nla_len(nla),
2558 (char *)nla_data(nla)) == -EAGAIN)
2559 return ERR_PTR(-EAGAIN);
2560 }
2561 #endif
2562 return ERR_PTR(-ENOENT);
2563 }
2564
2565 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2566 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
2567 .len = NFT_MODULE_AUTOLOAD_LIMIT },
2568 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2569 };
2570
2571 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2572 const struct nft_expr *expr)
2573 {
2574 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2575 goto nla_put_failure;
2576
2577 if (expr->ops->dump) {
2578 struct nlattr *data = nla_nest_start_noflag(skb,
2579 NFTA_EXPR_DATA);
2580 if (data == NULL)
2581 goto nla_put_failure;
2582 if (expr->ops->dump(skb, expr) < 0)
2583 goto nla_put_failure;
2584 nla_nest_end(skb, data);
2585 }
2586
2587 return skb->len;
2588
2589 nla_put_failure:
2590 return -1;
2591 };
2592
2593 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2594 const struct nft_expr *expr)
2595 {
2596 struct nlattr *nest;
2597
2598 nest = nla_nest_start_noflag(skb, attr);
2599 if (!nest)
2600 goto nla_put_failure;
2601 if (nf_tables_fill_expr_info(skb, expr) < 0)
2602 goto nla_put_failure;
2603 nla_nest_end(skb, nest);
2604 return 0;
2605
2606 nla_put_failure:
2607 return -1;
2608 }
2609
2610 struct nft_expr_info {
2611 const struct nft_expr_ops *ops;
2612 const struct nlattr *attr;
2613 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2614 };
2615
2616 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2617 const struct nlattr *nla,
2618 struct nft_expr_info *info)
2619 {
2620 const struct nft_expr_type *type;
2621 const struct nft_expr_ops *ops;
2622 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2623 int err;
2624
2625 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2626 nft_expr_policy, NULL);
2627 if (err < 0)
2628 return err;
2629
2630 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2631 if (IS_ERR(type))
2632 return PTR_ERR(type);
2633
2634 if (tb[NFTA_EXPR_DATA]) {
2635 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2636 tb[NFTA_EXPR_DATA],
2637 type->policy, NULL);
2638 if (err < 0)
2639 goto err1;
2640 } else
2641 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2642
2643 if (type->select_ops != NULL) {
2644 ops = type->select_ops(ctx,
2645 (const struct nlattr * const *)info->tb);
2646 if (IS_ERR(ops)) {
2647 err = PTR_ERR(ops);
2648 #ifdef CONFIG_MODULES
2649 if (err == -EAGAIN)
2650 if (nft_expr_type_request_module(ctx->net,
2651 ctx->family,
2652 tb[NFTA_EXPR_NAME]) != -EAGAIN)
2653 err = -ENOENT;
2654 #endif
2655 goto err1;
2656 }
2657 } else
2658 ops = type->ops;
2659
2660 info->attr = nla;
2661 info->ops = ops;
2662
2663 return 0;
2664
2665 err1:
2666 module_put(type->owner);
2667 return err;
2668 }
2669
2670 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2671 const struct nft_expr_info *info,
2672 struct nft_expr *expr)
2673 {
2674 const struct nft_expr_ops *ops = info->ops;
2675 int err;
2676
2677 expr->ops = ops;
2678 if (ops->init) {
2679 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2680 if (err < 0)
2681 goto err1;
2682 }
2683
2684 return 0;
2685 err1:
2686 expr->ops = NULL;
2687 return err;
2688 }
2689
2690 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2691 struct nft_expr *expr)
2692 {
2693 const struct nft_expr_type *type = expr->ops->type;
2694
2695 if (expr->ops->destroy)
2696 expr->ops->destroy(ctx, expr);
2697 module_put(type->owner);
2698 }
2699
2700 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2701 const struct nlattr *nla)
2702 {
2703 struct nft_expr_info info;
2704 struct nft_expr *expr;
2705 struct module *owner;
2706 int err;
2707
2708 err = nf_tables_expr_parse(ctx, nla, &info);
2709 if (err < 0)
2710 goto err1;
2711
2712 err = -ENOMEM;
2713 expr = kzalloc(info.ops->size, GFP_KERNEL);
2714 if (expr == NULL)
2715 goto err2;
2716
2717 err = nf_tables_newexpr(ctx, &info, expr);
2718 if (err < 0)
2719 goto err3;
2720
2721 return expr;
2722 err3:
2723 kfree(expr);
2724 err2:
2725 owner = info.ops->type->owner;
2726 if (info.ops->type->release_ops)
2727 info.ops->type->release_ops(info.ops);
2728
2729 module_put(owner);
2730 err1:
2731 return ERR_PTR(err);
2732 }
2733
2734 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
2735 {
2736 int err;
2737
2738 if (src->ops->clone) {
2739 dst->ops = src->ops;
2740 err = src->ops->clone(dst, src);
2741 if (err < 0)
2742 return err;
2743 } else {
2744 memcpy(dst, src, src->ops->size);
2745 }
2746
2747 __module_get(src->ops->type->owner);
2748
2749 return 0;
2750 }
2751
2752 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2753 {
2754 nf_tables_expr_destroy(ctx, expr);
2755 kfree(expr);
2756 }
2757
2758 /*
2759 * Rules
2760 */
2761
2762 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2763 u64 handle)
2764 {
2765 struct nft_rule *rule;
2766
2767 // FIXME: this sucks
2768 list_for_each_entry_rcu(rule, &chain->rules, list) {
2769 if (handle == rule->handle)
2770 return rule;
2771 }
2772
2773 return ERR_PTR(-ENOENT);
2774 }
2775
2776 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2777 const struct nlattr *nla)
2778 {
2779 if (nla == NULL)
2780 return ERR_PTR(-EINVAL);
2781
2782 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2783 }
2784
2785 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2786 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2787 .len = NFT_TABLE_MAXNAMELEN - 1 },
2788 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2789 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2790 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2791 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2792 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2793 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2794 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2795 .len = NFT_USERDATA_MAXLEN },
2796 [NFTA_RULE_ID] = { .type = NLA_U32 },
2797 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2798 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
2799 };
2800
2801 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2802 u32 portid, u32 seq, int event,
2803 u32 flags, int family,
2804 const struct nft_table *table,
2805 const struct nft_chain *chain,
2806 const struct nft_rule *rule,
2807 const struct nft_rule *prule)
2808 {
2809 struct nlmsghdr *nlh;
2810 struct nfgenmsg *nfmsg;
2811 const struct nft_expr *expr, *next;
2812 struct nlattr *list;
2813 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2814
2815 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2816 if (nlh == NULL)
2817 goto nla_put_failure;
2818
2819 nfmsg = nlmsg_data(nlh);
2820 nfmsg->nfgen_family = family;
2821 nfmsg->version = NFNETLINK_V0;
2822 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2823
2824 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2825 goto nla_put_failure;
2826 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2827 goto nla_put_failure;
2828 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2829 NFTA_RULE_PAD))
2830 goto nla_put_failure;
2831
2832 if (event != NFT_MSG_DELRULE && prule) {
2833 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2834 cpu_to_be64(prule->handle),
2835 NFTA_RULE_PAD))
2836 goto nla_put_failure;
2837 }
2838
2839 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
2840 if (list == NULL)
2841 goto nla_put_failure;
2842 nft_rule_for_each_expr(expr, next, rule) {
2843 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2844 goto nla_put_failure;
2845 }
2846 nla_nest_end(skb, list);
2847
2848 if (rule->udata) {
2849 struct nft_userdata *udata = nft_userdata(rule);
2850 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2851 udata->data) < 0)
2852 goto nla_put_failure;
2853 }
2854
2855 nlmsg_end(skb, nlh);
2856 return 0;
2857
2858 nla_put_failure:
2859 nlmsg_trim(skb, nlh);
2860 return -1;
2861 }
2862
2863 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2864 const struct nft_rule *rule, int event)
2865 {
2866 struct sk_buff *skb;
2867 int err;
2868 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
2869 ctx->table->name, ctx->table->handle,
2870 ctx->chain->name, ctx->chain->handle);
2871
2872 audit_log_nfcfg(buf,
2873 ctx->family,
2874 rule->handle,
2875 event == NFT_MSG_NEWRULE ?
2876 AUDIT_NFT_OP_RULE_REGISTER :
2877 AUDIT_NFT_OP_RULE_UNREGISTER,
2878 GFP_KERNEL);
2879 kfree(buf);
2880
2881 if (!ctx->report &&
2882 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2883 return;
2884
2885 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2886 if (skb == NULL)
2887 goto err;
2888
2889 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2890 event, 0, ctx->family, ctx->table,
2891 ctx->chain, rule, NULL);
2892 if (err < 0) {
2893 kfree_skb(skb);
2894 goto err;
2895 }
2896
2897 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
2898 return;
2899 err:
2900 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2901 }
2902
2903 struct nft_rule_dump_ctx {
2904 char *table;
2905 char *chain;
2906 };
2907
2908 static int __nf_tables_dump_rules(struct sk_buff *skb,
2909 unsigned int *idx,
2910 struct netlink_callback *cb,
2911 const struct nft_table *table,
2912 const struct nft_chain *chain)
2913 {
2914 struct net *net = sock_net(skb->sk);
2915 const struct nft_rule *rule, *prule;
2916 unsigned int s_idx = cb->args[0];
2917
2918 prule = NULL;
2919 list_for_each_entry_rcu(rule, &chain->rules, list) {
2920 if (!nft_is_active(net, rule))
2921 goto cont_skip;
2922 if (*idx < s_idx)
2923 goto cont;
2924 if (*idx > s_idx) {
2925 memset(&cb->args[1], 0,
2926 sizeof(cb->args) - sizeof(cb->args[0]));
2927 }
2928 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2929 cb->nlh->nlmsg_seq,
2930 NFT_MSG_NEWRULE,
2931 NLM_F_MULTI | NLM_F_APPEND,
2932 table->family,
2933 table, chain, rule, prule) < 0)
2934 return 1;
2935
2936 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2937 cont:
2938 prule = rule;
2939 cont_skip:
2940 (*idx)++;
2941 }
2942 return 0;
2943 }
2944
2945 static int nf_tables_dump_rules(struct sk_buff *skb,
2946 struct netlink_callback *cb)
2947 {
2948 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2949 const struct nft_rule_dump_ctx *ctx = cb->data;
2950 struct nft_table *table;
2951 const struct nft_chain *chain;
2952 unsigned int idx = 0;
2953 struct net *net = sock_net(skb->sk);
2954 int family = nfmsg->nfgen_family;
2955
2956 rcu_read_lock();
2957 cb->seq = net->nft.base_seq;
2958
2959 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2960 if (family != NFPROTO_UNSPEC && family != table->family)
2961 continue;
2962
2963 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2964 continue;
2965
2966 if (ctx && ctx->table && ctx->chain) {
2967 struct rhlist_head *list, *tmp;
2968
2969 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2970 nft_chain_ht_params);
2971 if (!list)
2972 goto done;
2973
2974 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2975 if (!nft_is_active(net, chain))
2976 continue;
2977 __nf_tables_dump_rules(skb, &idx,
2978 cb, table, chain);
2979 break;
2980 }
2981 goto done;
2982 }
2983
2984 list_for_each_entry_rcu(chain, &table->chains, list) {
2985 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2986 goto done;
2987 }
2988
2989 if (ctx && ctx->table)
2990 break;
2991 }
2992 done:
2993 rcu_read_unlock();
2994
2995 cb->args[0] = idx;
2996 return skb->len;
2997 }
2998
2999 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
3000 {
3001 const struct nlattr * const *nla = cb->data;
3002 struct nft_rule_dump_ctx *ctx = NULL;
3003
3004 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
3005 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
3006 if (!ctx)
3007 return -ENOMEM;
3008
3009 if (nla[NFTA_RULE_TABLE]) {
3010 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
3011 GFP_ATOMIC);
3012 if (!ctx->table) {
3013 kfree(ctx);
3014 return -ENOMEM;
3015 }
3016 }
3017 if (nla[NFTA_RULE_CHAIN]) {
3018 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
3019 GFP_ATOMIC);
3020 if (!ctx->chain) {
3021 kfree(ctx->table);
3022 kfree(ctx);
3023 return -ENOMEM;
3024 }
3025 }
3026 }
3027
3028 cb->data = ctx;
3029 return 0;
3030 }
3031
3032 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3033 {
3034 struct nft_rule_dump_ctx *ctx = cb->data;
3035
3036 if (ctx) {
3037 kfree(ctx->table);
3038 kfree(ctx->chain);
3039 kfree(ctx);
3040 }
3041 return 0;
3042 }
3043
3044 /* called with rcu_read_lock held */
3045 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
3046 struct sk_buff *skb, const struct nlmsghdr *nlh,
3047 const struct nlattr * const nla[],
3048 struct netlink_ext_ack *extack)
3049 {
3050 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3051 u8 genmask = nft_genmask_cur(net);
3052 const struct nft_chain *chain;
3053 const struct nft_rule *rule;
3054 struct nft_table *table;
3055 struct sk_buff *skb2;
3056 int family = nfmsg->nfgen_family;
3057 int err;
3058
3059 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3060 struct netlink_dump_control c = {
3061 .start= nf_tables_dump_rules_start,
3062 .dump = nf_tables_dump_rules,
3063 .done = nf_tables_dump_rules_done,
3064 .module = THIS_MODULE,
3065 .data = (void *)nla,
3066 };
3067
3068 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3069 }
3070
3071 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0);
3072 if (IS_ERR(table)) {
3073 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3074 return PTR_ERR(table);
3075 }
3076
3077 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3078 if (IS_ERR(chain)) {
3079 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3080 return PTR_ERR(chain);
3081 }
3082
3083 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3084 if (IS_ERR(rule)) {
3085 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3086 return PTR_ERR(rule);
3087 }
3088
3089 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3090 if (!skb2)
3091 return -ENOMEM;
3092
3093 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
3094 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3095 family, table, chain, rule, NULL);
3096 if (err < 0)
3097 goto err_fill_rule_info;
3098
3099 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
3100
3101 err_fill_rule_info:
3102 kfree_skb(skb2);
3103 return err;
3104 }
3105
3106 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
3107 struct nft_rule *rule)
3108 {
3109 struct nft_expr *expr, *next;
3110
3111 /*
3112 * Careful: some expressions might not be initialized in case this
3113 * is called on error from nf_tables_newrule().
3114 */
3115 expr = nft_expr_first(rule);
3116 while (nft_expr_more(rule, expr)) {
3117 next = nft_expr_next(expr);
3118 nf_tables_expr_destroy(ctx, expr);
3119 expr = next;
3120 }
3121 kfree(rule);
3122 }
3123
3124 void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3125 {
3126 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
3127 nf_tables_rule_destroy(ctx, rule);
3128 }
3129
3130 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
3131 {
3132 struct nft_expr *expr, *last;
3133 const struct nft_data *data;
3134 struct nft_rule *rule;
3135 int err;
3136
3137 if (ctx->level == NFT_JUMP_STACK_SIZE)
3138 return -EMLINK;
3139
3140 list_for_each_entry(rule, &chain->rules, list) {
3141 if (!nft_is_active_next(ctx->net, rule))
3142 continue;
3143
3144 nft_rule_for_each_expr(expr, last, rule) {
3145 if (!expr->ops->validate)
3146 continue;
3147
3148 err = expr->ops->validate(ctx, expr, &data);
3149 if (err < 0)
3150 return err;
3151 }
3152 }
3153
3154 return 0;
3155 }
3156 EXPORT_SYMBOL_GPL(nft_chain_validate);
3157
3158 static int nft_table_validate(struct net *net, const struct nft_table *table)
3159 {
3160 struct nft_chain *chain;
3161 struct nft_ctx ctx = {
3162 .net = net,
3163 .family = table->family,
3164 };
3165 int err;
3166
3167 list_for_each_entry(chain, &table->chains, list) {
3168 if (!nft_is_base_chain(chain))
3169 continue;
3170
3171 ctx.chain = chain;
3172 err = nft_chain_validate(&ctx, chain);
3173 if (err < 0)
3174 return err;
3175 }
3176
3177 return 0;
3178 }
3179
3180 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3181 const struct nlattr *nla);
3182
3183 #define NFT_RULE_MAXEXPRS 128
3184
3185 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
3186 struct sk_buff *skb, const struct nlmsghdr *nlh,
3187 const struct nlattr * const nla[],
3188 struct netlink_ext_ack *extack)
3189 {
3190 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3191 u8 genmask = nft_genmask_next(net);
3192 struct nft_expr_info *info = NULL;
3193 int family = nfmsg->nfgen_family;
3194 struct nft_flow_rule *flow;
3195 struct nft_table *table;
3196 struct nft_chain *chain;
3197 struct nft_rule *rule, *old_rule = NULL;
3198 struct nft_userdata *udata;
3199 struct nft_trans *trans = NULL;
3200 struct nft_expr *expr;
3201 struct nft_ctx ctx;
3202 struct nlattr *tmp;
3203 unsigned int size, i, n, ulen = 0, usize = 0;
3204 int err, rem;
3205 u64 handle, pos_handle;
3206
3207 lockdep_assert_held(&net->nft.commit_mutex);
3208
3209 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3210 NETLINK_CB(skb).portid);
3211 if (IS_ERR(table)) {
3212 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3213 return PTR_ERR(table);
3214 }
3215
3216 if (nla[NFTA_RULE_CHAIN]) {
3217 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3218 genmask);
3219 if (IS_ERR(chain)) {
3220 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3221 return PTR_ERR(chain);
3222 }
3223 if (nft_chain_is_bound(chain))
3224 return -EOPNOTSUPP;
3225
3226 } else if (nla[NFTA_RULE_CHAIN_ID]) {
3227 chain = nft_chain_lookup_byid(net, nla[NFTA_RULE_CHAIN_ID]);
3228 if (IS_ERR(chain)) {
3229 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
3230 return PTR_ERR(chain);
3231 }
3232 } else {
3233 return -EINVAL;
3234 }
3235
3236 if (nla[NFTA_RULE_HANDLE]) {
3237 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3238 rule = __nft_rule_lookup(chain, handle);
3239 if (IS_ERR(rule)) {
3240 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3241 return PTR_ERR(rule);
3242 }
3243
3244 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3245 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3246 return -EEXIST;
3247 }
3248 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3249 old_rule = rule;
3250 else
3251 return -EOPNOTSUPP;
3252 } else {
3253 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
3254 nlh->nlmsg_flags & NLM_F_REPLACE)
3255 return -EINVAL;
3256 handle = nf_tables_alloc_handle(table);
3257
3258 if (chain->use == UINT_MAX)
3259 return -EOVERFLOW;
3260
3261 if (nla[NFTA_RULE_POSITION]) {
3262 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3263 old_rule = __nft_rule_lookup(chain, pos_handle);
3264 if (IS_ERR(old_rule)) {
3265 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3266 return PTR_ERR(old_rule);
3267 }
3268 } else if (nla[NFTA_RULE_POSITION_ID]) {
3269 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
3270 if (IS_ERR(old_rule)) {
3271 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3272 return PTR_ERR(old_rule);
3273 }
3274 }
3275 }
3276
3277 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3278
3279 n = 0;
3280 size = 0;
3281 if (nla[NFTA_RULE_EXPRESSIONS]) {
3282 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3283 sizeof(struct nft_expr_info),
3284 GFP_KERNEL);
3285 if (!info)
3286 return -ENOMEM;
3287
3288 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3289 err = -EINVAL;
3290 if (nla_type(tmp) != NFTA_LIST_ELEM)
3291 goto err1;
3292 if (n == NFT_RULE_MAXEXPRS)
3293 goto err1;
3294 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
3295 if (err < 0)
3296 goto err1;
3297 size += info[n].ops->size;
3298 n++;
3299 }
3300 }
3301 /* Check for overflow of dlen field */
3302 err = -EFBIG;
3303 if (size >= 1 << 12)
3304 goto err1;
3305
3306 if (nla[NFTA_RULE_USERDATA]) {
3307 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3308 if (ulen > 0)
3309 usize = sizeof(struct nft_userdata) + ulen;
3310 }
3311
3312 err = -ENOMEM;
3313 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
3314 if (rule == NULL)
3315 goto err1;
3316
3317 nft_activate_next(net, rule);
3318
3319 rule->handle = handle;
3320 rule->dlen = size;
3321 rule->udata = ulen ? 1 : 0;
3322
3323 if (ulen) {
3324 udata = nft_userdata(rule);
3325 udata->len = ulen - 1;
3326 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
3327 }
3328
3329 expr = nft_expr_first(rule);
3330 for (i = 0; i < n; i++) {
3331 err = nf_tables_newexpr(&ctx, &info[i], expr);
3332 if (err < 0) {
3333 NL_SET_BAD_ATTR(extack, info[i].attr);
3334 goto err2;
3335 }
3336
3337 if (info[i].ops->validate)
3338 nft_validate_state_update(net, NFT_VALIDATE_NEED);
3339
3340 info[i].ops = NULL;
3341 expr = nft_expr_next(expr);
3342 }
3343
3344 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
3345 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3346 if (trans == NULL) {
3347 err = -ENOMEM;
3348 goto err2;
3349 }
3350 err = nft_delrule(&ctx, old_rule);
3351 if (err < 0) {
3352 nft_trans_destroy(trans);
3353 goto err2;
3354 }
3355
3356 list_add_tail_rcu(&rule->list, &old_rule->list);
3357 } else {
3358 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3359 if (!trans) {
3360 err = -ENOMEM;
3361 goto err2;
3362 }
3363
3364 if (nlh->nlmsg_flags & NLM_F_APPEND) {
3365 if (old_rule)
3366 list_add_rcu(&rule->list, &old_rule->list);
3367 else
3368 list_add_tail_rcu(&rule->list, &chain->rules);
3369 } else {
3370 if (old_rule)
3371 list_add_tail_rcu(&rule->list, &old_rule->list);
3372 else
3373 list_add_rcu(&rule->list, &chain->rules);
3374 }
3375 }
3376 kvfree(info);
3377 chain->use++;
3378
3379 if (net->nft.validate_state == NFT_VALIDATE_DO)
3380 return nft_table_validate(net, table);
3381
3382 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
3383 flow = nft_flow_rule_create(net, rule);
3384 if (IS_ERR(flow))
3385 return PTR_ERR(flow);
3386
3387 nft_trans_flow_rule(trans) = flow;
3388 }
3389
3390 return 0;
3391 err2:
3392 nf_tables_rule_release(&ctx, rule);
3393 err1:
3394 for (i = 0; i < n; i++) {
3395 if (info[i].ops) {
3396 module_put(info[i].ops->type->owner);
3397 if (info[i].ops->type->release_ops)
3398 info[i].ops->type->release_ops(info[i].ops);
3399 }
3400 }
3401 kvfree(info);
3402 return err;
3403 }
3404
3405 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3406 const struct nlattr *nla)
3407 {
3408 u32 id = ntohl(nla_get_be32(nla));
3409 struct nft_trans *trans;
3410
3411 list_for_each_entry(trans, &net->nft.commit_list, list) {
3412 struct nft_rule *rule = nft_trans_rule(trans);
3413
3414 if (trans->msg_type == NFT_MSG_NEWRULE &&
3415 id == nft_trans_rule_id(trans))
3416 return rule;
3417 }
3418 return ERR_PTR(-ENOENT);
3419 }
3420
3421 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
3422 struct sk_buff *skb, const struct nlmsghdr *nlh,
3423 const struct nlattr * const nla[],
3424 struct netlink_ext_ack *extack)
3425 {
3426 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3427 u8 genmask = nft_genmask_next(net);
3428 struct nft_table *table;
3429 struct nft_chain *chain = NULL;
3430 struct nft_rule *rule;
3431 int family = nfmsg->nfgen_family, err = 0;
3432 struct nft_ctx ctx;
3433
3434 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3435 NETLINK_CB(skb).portid);
3436 if (IS_ERR(table)) {
3437 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3438 return PTR_ERR(table);
3439 }
3440
3441 if (nla[NFTA_RULE_CHAIN]) {
3442 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3443 genmask);
3444 if (IS_ERR(chain)) {
3445 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3446 return PTR_ERR(chain);
3447 }
3448 if (nft_chain_is_bound(chain))
3449 return -EOPNOTSUPP;
3450 }
3451
3452 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3453
3454 if (chain) {
3455 if (nla[NFTA_RULE_HANDLE]) {
3456 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3457 if (IS_ERR(rule)) {
3458 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3459 return PTR_ERR(rule);
3460 }
3461
3462 err = nft_delrule(&ctx, rule);
3463 } else if (nla[NFTA_RULE_ID]) {
3464 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
3465 if (IS_ERR(rule)) {
3466 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
3467 return PTR_ERR(rule);
3468 }
3469
3470 err = nft_delrule(&ctx, rule);
3471 } else {
3472 err = nft_delrule_by_chain(&ctx);
3473 }
3474 } else {
3475 list_for_each_entry(chain, &table->chains, list) {
3476 if (!nft_is_active_next(net, chain))
3477 continue;
3478
3479 ctx.chain = chain;
3480 err = nft_delrule_by_chain(&ctx);
3481 if (err < 0)
3482 break;
3483 }
3484 }
3485
3486 return err;
3487 }
3488
3489 /*
3490 * Sets
3491 */
3492 static const struct nft_set_type *nft_set_types[] = {
3493 &nft_set_hash_fast_type,
3494 &nft_set_hash_type,
3495 &nft_set_rhash_type,
3496 &nft_set_bitmap_type,
3497 &nft_set_rbtree_type,
3498 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
3499 &nft_set_pipapo_avx2_type,
3500 #endif
3501 &nft_set_pipapo_type,
3502 };
3503
3504 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3505 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3506 NFT_SET_EVAL)
3507
3508 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
3509 {
3510 return (flags & type->features) == (flags & NFT_SET_FEATURES);
3511 }
3512
3513 /*
3514 * Select a set implementation based on the data characteristics and the
3515 * given policy. The total memory use might not be known if no size is
3516 * given, in that case the amount of memory per element is used.
3517 */
3518 static const struct nft_set_ops *
3519 nft_select_set_ops(const struct nft_ctx *ctx,
3520 const struct nlattr * const nla[],
3521 const struct nft_set_desc *desc,
3522 enum nft_set_policies policy)
3523 {
3524 const struct nft_set_ops *ops, *bops;
3525 struct nft_set_estimate est, best;
3526 const struct nft_set_type *type;
3527 u32 flags = 0;
3528 int i;
3529
3530 lockdep_assert_held(&ctx->net->nft.commit_mutex);
3531 lockdep_nfnl_nft_mutex_not_held();
3532
3533 if (nla[NFTA_SET_FLAGS] != NULL)
3534 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3535
3536 bops = NULL;
3537 best.size = ~0;
3538 best.lookup = ~0;
3539 best.space = ~0;
3540
3541 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
3542 type = nft_set_types[i];
3543 ops = &type->ops;
3544
3545 if (!nft_set_ops_candidate(type, flags))
3546 continue;
3547 if (!ops->estimate(desc, flags, &est))
3548 continue;
3549
3550 switch (policy) {
3551 case NFT_SET_POL_PERFORMANCE:
3552 if (est.lookup < best.lookup)
3553 break;
3554 if (est.lookup == best.lookup &&
3555 est.space < best.space)
3556 break;
3557 continue;
3558 case NFT_SET_POL_MEMORY:
3559 if (!desc->size) {
3560 if (est.space < best.space)
3561 break;
3562 if (est.space == best.space &&
3563 est.lookup < best.lookup)
3564 break;
3565 } else if (est.size < best.size || !bops) {
3566 break;
3567 }
3568 continue;
3569 default:
3570 break;
3571 }
3572
3573 bops = ops;
3574 best = est;
3575 }
3576
3577 if (bops != NULL)
3578 return bops;
3579
3580 return ERR_PTR(-EOPNOTSUPP);
3581 }
3582
3583 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3584 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3585 .len = NFT_TABLE_MAXNAMELEN - 1 },
3586 [NFTA_SET_NAME] = { .type = NLA_STRING,
3587 .len = NFT_SET_MAXNAMELEN - 1 },
3588 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3589 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3590 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3591 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3592 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3593 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3594 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3595 [NFTA_SET_ID] = { .type = NLA_U32 },
3596 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3597 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3598 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3599 .len = NFT_USERDATA_MAXLEN },
3600 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3601 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3602 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
3603 [NFTA_SET_EXPRESSIONS] = { .type = NLA_NESTED },
3604 };
3605
3606 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3607 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3608 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED },
3609 };
3610
3611 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3612 const struct sk_buff *skb,
3613 const struct nlmsghdr *nlh,
3614 const struct nlattr * const nla[],
3615 struct netlink_ext_ack *extack,
3616 u8 genmask, u32 nlpid)
3617 {
3618 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3619 int family = nfmsg->nfgen_family;
3620 struct nft_table *table = NULL;
3621
3622 if (nla[NFTA_SET_TABLE] != NULL) {
3623 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3624 genmask, nlpid);
3625 if (IS_ERR(table)) {
3626 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3627 return PTR_ERR(table);
3628 }
3629 }
3630
3631 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3632 return 0;
3633 }
3634
3635 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3636 const struct nlattr *nla, u8 genmask)
3637 {
3638 struct nft_set *set;
3639
3640 if (nla == NULL)
3641 return ERR_PTR(-EINVAL);
3642
3643 list_for_each_entry_rcu(set, &table->sets, list) {
3644 if (!nla_strcmp(nla, set->name) &&
3645 nft_active_genmask(set, genmask))
3646 return set;
3647 }
3648 return ERR_PTR(-ENOENT);
3649 }
3650
3651 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3652 const struct nlattr *nla,
3653 u8 genmask)
3654 {
3655 struct nft_set *set;
3656
3657 list_for_each_entry(set, &table->sets, list) {
3658 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3659 nft_active_genmask(set, genmask))
3660 return set;
3661 }
3662 return ERR_PTR(-ENOENT);
3663 }
3664
3665 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3666 const struct nlattr *nla, u8 genmask)
3667 {
3668 struct nft_trans *trans;
3669 u32 id = ntohl(nla_get_be32(nla));
3670
3671 list_for_each_entry(trans, &net->nft.commit_list, list) {
3672 if (trans->msg_type == NFT_MSG_NEWSET) {
3673 struct nft_set *set = nft_trans_set(trans);
3674
3675 if (id == nft_trans_set_id(trans) &&
3676 nft_active_genmask(set, genmask))
3677 return set;
3678 }
3679 }
3680 return ERR_PTR(-ENOENT);
3681 }
3682
3683 struct nft_set *nft_set_lookup_global(const struct net *net,
3684 const struct nft_table *table,
3685 const struct nlattr *nla_set_name,
3686 const struct nlattr *nla_set_id,
3687 u8 genmask)
3688 {
3689 struct nft_set *set;
3690
3691 set = nft_set_lookup(table, nla_set_name, genmask);
3692 if (IS_ERR(set)) {
3693 if (!nla_set_id)
3694 return set;
3695
3696 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3697 }
3698 return set;
3699 }
3700 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3701
3702 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3703 const char *name)
3704 {
3705 const struct nft_set *i;
3706 const char *p;
3707 unsigned long *inuse;
3708 unsigned int n = 0, min = 0;
3709
3710 p = strchr(name, '%');
3711 if (p != NULL) {
3712 if (p[1] != 'd' || strchr(p + 2, '%'))
3713 return -EINVAL;
3714
3715 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3716 if (inuse == NULL)
3717 return -ENOMEM;
3718 cont:
3719 list_for_each_entry(i, &ctx->table->sets, list) {
3720 int tmp;
3721
3722 if (!nft_is_active_next(ctx->net, set))
3723 continue;
3724 if (!sscanf(i->name, name, &tmp))
3725 continue;
3726 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3727 continue;
3728
3729 set_bit(tmp - min, inuse);
3730 }
3731
3732 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3733 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3734 min += BITS_PER_BYTE * PAGE_SIZE;
3735 memset(inuse, 0, PAGE_SIZE);
3736 goto cont;
3737 }
3738 free_page((unsigned long)inuse);
3739 }
3740
3741 set->name = kasprintf(GFP_KERNEL, name, min + n);
3742 if (!set->name)
3743 return -ENOMEM;
3744
3745 list_for_each_entry(i, &ctx->table->sets, list) {
3746 if (!nft_is_active_next(ctx->net, i))
3747 continue;
3748 if (!strcmp(set->name, i->name)) {
3749 kfree(set->name);
3750 set->name = NULL;
3751 return -ENFILE;
3752 }
3753 }
3754 return 0;
3755 }
3756
3757 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3758 {
3759 u64 ms = be64_to_cpu(nla_get_be64(nla));
3760 u64 max = (u64)(~((u64)0));
3761
3762 max = div_u64(max, NSEC_PER_MSEC);
3763 if (ms >= max)
3764 return -ERANGE;
3765
3766 ms *= NSEC_PER_MSEC;
3767 *result = nsecs_to_jiffies64(ms);
3768 return 0;
3769 }
3770
3771 __be64 nf_jiffies64_to_msecs(u64 input)
3772 {
3773 return cpu_to_be64(jiffies64_to_msecs(input));
3774 }
3775
3776 static int nf_tables_fill_set_concat(struct sk_buff *skb,
3777 const struct nft_set *set)
3778 {
3779 struct nlattr *concat, *field;
3780 int i;
3781
3782 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
3783 if (!concat)
3784 return -ENOMEM;
3785
3786 for (i = 0; i < set->field_count; i++) {
3787 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
3788 if (!field)
3789 return -ENOMEM;
3790
3791 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
3792 htonl(set->field_len[i])))
3793 return -ENOMEM;
3794
3795 nla_nest_end(skb, field);
3796 }
3797
3798 nla_nest_end(skb, concat);
3799
3800 return 0;
3801 }
3802
3803 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3804 const struct nft_set *set, u16 event, u16 flags)
3805 {
3806 struct nfgenmsg *nfmsg;
3807 struct nlmsghdr *nlh;
3808 u32 portid = ctx->portid;
3809 struct nlattr *nest;
3810 u32 seq = ctx->seq;
3811 int i;
3812
3813 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3814 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3815 flags);
3816 if (nlh == NULL)
3817 goto nla_put_failure;
3818
3819 nfmsg = nlmsg_data(nlh);
3820 nfmsg->nfgen_family = ctx->family;
3821 nfmsg->version = NFNETLINK_V0;
3822 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3823
3824 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3825 goto nla_put_failure;
3826 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3827 goto nla_put_failure;
3828 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3829 NFTA_SET_PAD))
3830 goto nla_put_failure;
3831 if (set->flags != 0)
3832 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3833 goto nla_put_failure;
3834
3835 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3836 goto nla_put_failure;
3837 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3838 goto nla_put_failure;
3839 if (set->flags & NFT_SET_MAP) {
3840 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3841 goto nla_put_failure;
3842 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3843 goto nla_put_failure;
3844 }
3845 if (set->flags & NFT_SET_OBJECT &&
3846 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3847 goto nla_put_failure;
3848
3849 if (set->timeout &&
3850 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3851 nf_jiffies64_to_msecs(set->timeout),
3852 NFTA_SET_PAD))
3853 goto nla_put_failure;
3854 if (set->gc_int &&
3855 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3856 goto nla_put_failure;
3857
3858 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3859 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3860 goto nla_put_failure;
3861 }
3862
3863 if (set->udata &&
3864 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3865 goto nla_put_failure;
3866
3867 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
3868 if (!nest)
3869 goto nla_put_failure;
3870 if (set->size &&
3871 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3872 goto nla_put_failure;
3873
3874 if (set->field_count > 1 &&
3875 nf_tables_fill_set_concat(skb, set))
3876 goto nla_put_failure;
3877
3878 nla_nest_end(skb, nest);
3879
3880 if (set->num_exprs == 1) {
3881 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
3882 if (nf_tables_fill_expr_info(skb, set->exprs[0]) < 0)
3883 goto nla_put_failure;
3884
3885 nla_nest_end(skb, nest);
3886 } else if (set->num_exprs > 1) {
3887 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS);
3888 if (nest == NULL)
3889 goto nla_put_failure;
3890
3891 for (i = 0; i < set->num_exprs; i++) {
3892 if (nft_expr_dump(skb, NFTA_LIST_ELEM,
3893 set->exprs[i]) < 0)
3894 goto nla_put_failure;
3895 }
3896 nla_nest_end(skb, nest);
3897 }
3898
3899 nlmsg_end(skb, nlh);
3900 return 0;
3901
3902 nla_put_failure:
3903 nlmsg_trim(skb, nlh);
3904 return -1;
3905 }
3906
3907 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3908 const struct nft_set *set, int event,
3909 gfp_t gfp_flags)
3910 {
3911 struct sk_buff *skb;
3912 u32 portid = ctx->portid;
3913 int err;
3914 char *buf = kasprintf(gfp_flags, "%s:%llu;%s:%llu",
3915 ctx->table->name, ctx->table->handle,
3916 set->name, set->handle);
3917
3918 audit_log_nfcfg(buf,
3919 ctx->family,
3920 set->field_count,
3921 event == NFT_MSG_NEWSET ?
3922 AUDIT_NFT_OP_SET_REGISTER :
3923 AUDIT_NFT_OP_SET_UNREGISTER,
3924 gfp_flags);
3925 kfree(buf);
3926
3927 if (!ctx->report &&
3928 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3929 return;
3930
3931 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3932 if (skb == NULL)
3933 goto err;
3934
3935 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3936 if (err < 0) {
3937 kfree_skb(skb);
3938 goto err;
3939 }
3940
3941 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
3942 return;
3943 err:
3944 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3945 }
3946
3947 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3948 {
3949 const struct nft_set *set;
3950 unsigned int idx, s_idx = cb->args[0];
3951 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3952 struct net *net = sock_net(skb->sk);
3953 struct nft_ctx *ctx = cb->data, ctx_set;
3954
3955 if (cb->args[1])
3956 return skb->len;
3957
3958 rcu_read_lock();
3959 cb->seq = net->nft.base_seq;
3960
3961 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3962 if (ctx->family != NFPROTO_UNSPEC &&
3963 ctx->family != table->family)
3964 continue;
3965
3966 if (ctx->table && ctx->table != table)
3967 continue;
3968
3969 if (cur_table) {
3970 if (cur_table != table)
3971 continue;
3972
3973 cur_table = NULL;
3974 }
3975 idx = 0;
3976 list_for_each_entry_rcu(set, &table->sets, list) {
3977 if (idx < s_idx)
3978 goto cont;
3979 if (!nft_is_active(net, set))
3980 goto cont;
3981
3982 ctx_set = *ctx;
3983 ctx_set.table = table;
3984 ctx_set.family = table->family;
3985
3986 if (nf_tables_fill_set(skb, &ctx_set, set,
3987 NFT_MSG_NEWSET,
3988 NLM_F_MULTI) < 0) {
3989 cb->args[0] = idx;
3990 cb->args[2] = (unsigned long) table;
3991 goto done;
3992 }
3993 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3994 cont:
3995 idx++;
3996 }
3997 if (s_idx)
3998 s_idx = 0;
3999 }
4000 cb->args[1] = 1;
4001 done:
4002 rcu_read_unlock();
4003 return skb->len;
4004 }
4005
4006 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
4007 {
4008 struct nft_ctx *ctx_dump = NULL;
4009
4010 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
4011 if (ctx_dump == NULL)
4012 return -ENOMEM;
4013
4014 cb->data = ctx_dump;
4015 return 0;
4016 }
4017
4018 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
4019 {
4020 kfree(cb->data);
4021 return 0;
4022 }
4023
4024 /* called with rcu_read_lock held */
4025 static int nf_tables_getset(struct net *net, struct sock *nlsk,
4026 struct sk_buff *skb, const struct nlmsghdr *nlh,
4027 const struct nlattr * const nla[],
4028 struct netlink_ext_ack *extack)
4029 {
4030 u8 genmask = nft_genmask_cur(net);
4031 const struct nft_set *set;
4032 struct nft_ctx ctx;
4033 struct sk_buff *skb2;
4034 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4035 int err;
4036
4037 /* Verify existence before starting dump */
4038 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
4039 genmask, 0);
4040 if (err < 0)
4041 return err;
4042
4043 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4044 struct netlink_dump_control c = {
4045 .start = nf_tables_dump_sets_start,
4046 .dump = nf_tables_dump_sets,
4047 .done = nf_tables_dump_sets_done,
4048 .data = &ctx,
4049 .module = THIS_MODULE,
4050 };
4051
4052 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4053 }
4054
4055 /* Only accept unspec with dump */
4056 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4057 return -EAFNOSUPPORT;
4058 if (!nla[NFTA_SET_TABLE])
4059 return -EINVAL;
4060
4061 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
4062 if (IS_ERR(set))
4063 return PTR_ERR(set);
4064
4065 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
4066 if (skb2 == NULL)
4067 return -ENOMEM;
4068
4069 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
4070 if (err < 0)
4071 goto err_fill_set_info;
4072
4073 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4074
4075 err_fill_set_info:
4076 kfree_skb(skb2);
4077 return err;
4078 }
4079
4080 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4081 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
4082 };
4083
4084 static int nft_set_desc_concat_parse(const struct nlattr *attr,
4085 struct nft_set_desc *desc)
4086 {
4087 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
4088 u32 len;
4089 int err;
4090
4091 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
4092 nft_concat_policy, NULL);
4093 if (err < 0)
4094 return err;
4095
4096 if (!tb[NFTA_SET_FIELD_LEN])
4097 return -EINVAL;
4098
4099 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
4100
4101 if (len * BITS_PER_BYTE / 32 > NFT_REG32_COUNT)
4102 return -E2BIG;
4103
4104 desc->field_len[desc->field_count++] = len;
4105
4106 return 0;
4107 }
4108
4109 static int nft_set_desc_concat(struct nft_set_desc *desc,
4110 const struct nlattr *nla)
4111 {
4112 struct nlattr *attr;
4113 int rem, err;
4114
4115 nla_for_each_nested(attr, nla, rem) {
4116 if (nla_type(attr) != NFTA_LIST_ELEM)
4117 return -EINVAL;
4118
4119 err = nft_set_desc_concat_parse(attr, desc);
4120 if (err < 0)
4121 return err;
4122 }
4123
4124 return 0;
4125 }
4126
4127 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
4128 const struct nlattr *nla)
4129 {
4130 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
4131 int err;
4132
4133 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
4134 nft_set_desc_policy, NULL);
4135 if (err < 0)
4136 return err;
4137
4138 if (da[NFTA_SET_DESC_SIZE] != NULL)
4139 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
4140 if (da[NFTA_SET_DESC_CONCAT])
4141 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
4142
4143 return err;
4144 }
4145
4146 static int nf_tables_newset(struct net *net, struct sock *nlsk,
4147 struct sk_buff *skb, const struct nlmsghdr *nlh,
4148 const struct nlattr * const nla[],
4149 struct netlink_ext_ack *extack)
4150 {
4151 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4152 u8 genmask = nft_genmask_next(net);
4153 int family = nfmsg->nfgen_family;
4154 const struct nft_set_ops *ops;
4155 struct nft_expr *expr = NULL;
4156 struct nft_table *table;
4157 struct nft_set *set;
4158 struct nft_ctx ctx;
4159 char *name;
4160 u64 size;
4161 u64 timeout;
4162 u32 ktype, dtype, flags, policy, gc_int, objtype;
4163 struct nft_set_desc desc;
4164 unsigned char *udata;
4165 u16 udlen;
4166 int err;
4167 int i;
4168
4169 if (nla[NFTA_SET_TABLE] == NULL ||
4170 nla[NFTA_SET_NAME] == NULL ||
4171 nla[NFTA_SET_KEY_LEN] == NULL ||
4172 nla[NFTA_SET_ID] == NULL)
4173 return -EINVAL;
4174
4175 memset(&desc, 0, sizeof(desc));
4176
4177 ktype = NFT_DATA_VALUE;
4178 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
4179 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
4180 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
4181 return -EINVAL;
4182 }
4183
4184 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
4185 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
4186 return -EINVAL;
4187
4188 flags = 0;
4189 if (nla[NFTA_SET_FLAGS] != NULL) {
4190 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
4191 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
4192 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
4193 NFT_SET_MAP | NFT_SET_EVAL |
4194 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR))
4195 return -EOPNOTSUPP;
4196 /* Only one of these operations is supported */
4197 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
4198 (NFT_SET_MAP | NFT_SET_OBJECT))
4199 return -EOPNOTSUPP;
4200 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
4201 (NFT_SET_EVAL | NFT_SET_OBJECT))
4202 return -EOPNOTSUPP;
4203 }
4204
4205 dtype = 0;
4206 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
4207 if (!(flags & NFT_SET_MAP))
4208 return -EINVAL;
4209
4210 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
4211 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
4212 dtype != NFT_DATA_VERDICT)
4213 return -EINVAL;
4214
4215 if (dtype != NFT_DATA_VERDICT) {
4216 if (nla[NFTA_SET_DATA_LEN] == NULL)
4217 return -EINVAL;
4218 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
4219 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
4220 return -EINVAL;
4221 } else
4222 desc.dlen = sizeof(struct nft_verdict);
4223 } else if (flags & NFT_SET_MAP)
4224 return -EINVAL;
4225
4226 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
4227 if (!(flags & NFT_SET_OBJECT))
4228 return -EINVAL;
4229
4230 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
4231 if (objtype == NFT_OBJECT_UNSPEC ||
4232 objtype > NFT_OBJECT_MAX)
4233 return -EOPNOTSUPP;
4234 } else if (flags & NFT_SET_OBJECT)
4235 return -EINVAL;
4236 else
4237 objtype = NFT_OBJECT_UNSPEC;
4238
4239 timeout = 0;
4240 if (nla[NFTA_SET_TIMEOUT] != NULL) {
4241 if (!(flags & NFT_SET_TIMEOUT))
4242 return -EINVAL;
4243
4244 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
4245 if (err)
4246 return err;
4247 }
4248 gc_int = 0;
4249 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
4250 if (!(flags & NFT_SET_TIMEOUT))
4251 return -EINVAL;
4252 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
4253 }
4254
4255 policy = NFT_SET_POL_PERFORMANCE;
4256 if (nla[NFTA_SET_POLICY] != NULL)
4257 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
4258
4259 if (nla[NFTA_SET_DESC] != NULL) {
4260 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
4261 if (err < 0)
4262 return err;
4263 }
4264
4265 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
4266 desc.expr = true;
4267
4268 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask,
4269 NETLINK_CB(skb).portid);
4270 if (IS_ERR(table)) {
4271 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4272 return PTR_ERR(table);
4273 }
4274
4275 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4276
4277 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4278 if (IS_ERR(set)) {
4279 if (PTR_ERR(set) != -ENOENT) {
4280 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4281 return PTR_ERR(set);
4282 }
4283 } else {
4284 if (nlh->nlmsg_flags & NLM_F_EXCL) {
4285 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4286 return -EEXIST;
4287 }
4288 if (nlh->nlmsg_flags & NLM_F_REPLACE)
4289 return -EOPNOTSUPP;
4290
4291 return 0;
4292 }
4293
4294 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
4295 return -ENOENT;
4296
4297 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
4298 if (IS_ERR(ops))
4299 return PTR_ERR(ops);
4300
4301 udlen = 0;
4302 if (nla[NFTA_SET_USERDATA])
4303 udlen = nla_len(nla[NFTA_SET_USERDATA]);
4304
4305 size = 0;
4306 if (ops->privsize != NULL)
4307 size = ops->privsize(nla, &desc);
4308
4309 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
4310 if (!set)
4311 return -ENOMEM;
4312
4313 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
4314 if (!name) {
4315 err = -ENOMEM;
4316 goto err_set_name;
4317 }
4318
4319 err = nf_tables_set_alloc_name(&ctx, set, name);
4320 kfree(name);
4321 if (err < 0)
4322 goto err_set_alloc_name;
4323
4324 if (nla[NFTA_SET_EXPR]) {
4325 expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]);
4326 if (IS_ERR(expr)) {
4327 err = PTR_ERR(expr);
4328 goto err_set_alloc_name;
4329 }
4330 set->exprs[0] = expr;
4331 set->num_exprs++;
4332 } else if (nla[NFTA_SET_EXPRESSIONS]) {
4333 struct nft_expr *expr;
4334 struct nlattr *tmp;
4335 int left;
4336
4337 if (!(flags & NFT_SET_EXPR)) {
4338 err = -EINVAL;
4339 goto err_set_alloc_name;
4340 }
4341 i = 0;
4342 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {
4343 if (i == NFT_SET_EXPR_MAX) {
4344 err = -E2BIG;
4345 goto err_set_init;
4346 }
4347 if (nla_type(tmp) != NFTA_LIST_ELEM) {
4348 err = -EINVAL;
4349 goto err_set_init;
4350 }
4351 expr = nft_set_elem_expr_alloc(&ctx, set, tmp);
4352 if (IS_ERR(expr)) {
4353 err = PTR_ERR(expr);
4354 goto err_set_init;
4355 }
4356 set->exprs[i++] = expr;
4357 set->num_exprs++;
4358 }
4359 }
4360
4361 udata = NULL;
4362 if (udlen) {
4363 udata = set->data + size;
4364 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
4365 }
4366
4367 INIT_LIST_HEAD(&set->bindings);
4368 set->table = table;
4369 write_pnet(&set->net, net);
4370 set->ops = ops;
4371 set->ktype = ktype;
4372 set->klen = desc.klen;
4373 set->dtype = dtype;
4374 set->objtype = objtype;
4375 set->dlen = desc.dlen;
4376 set->flags = flags;
4377 set->size = desc.size;
4378 set->policy = policy;
4379 set->udlen = udlen;
4380 set->udata = udata;
4381 set->timeout = timeout;
4382 set->gc_int = gc_int;
4383 set->handle = nf_tables_alloc_handle(table);
4384
4385 set->field_count = desc.field_count;
4386 for (i = 0; i < desc.field_count; i++)
4387 set->field_len[i] = desc.field_len[i];
4388
4389 err = ops->init(set, &desc, nla);
4390 if (err < 0)
4391 goto err_set_init;
4392
4393 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
4394 if (err < 0)
4395 goto err_set_trans;
4396
4397 list_add_tail_rcu(&set->list, &table->sets);
4398 table->use++;
4399 return 0;
4400
4401 err_set_trans:
4402 ops->destroy(set);
4403 err_set_init:
4404 for (i = 0; i < set->num_exprs; i++)
4405 nft_expr_destroy(&ctx, set->exprs[i]);
4406 err_set_alloc_name:
4407 kfree(set->name);
4408 err_set_name:
4409 kvfree(set);
4410 return err;
4411 }
4412
4413 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
4414 {
4415 int i;
4416
4417 if (WARN_ON(set->use > 0))
4418 return;
4419
4420 for (i = 0; i < set->num_exprs; i++)
4421 nft_expr_destroy(ctx, set->exprs[i]);
4422
4423 set->ops->destroy(set);
4424 kfree(set->name);
4425 kvfree(set);
4426 }
4427
4428 static int nf_tables_delset(struct net *net, struct sock *nlsk,
4429 struct sk_buff *skb, const struct nlmsghdr *nlh,
4430 const struct nlattr * const nla[],
4431 struct netlink_ext_ack *extack)
4432 {
4433 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4434 u8 genmask = nft_genmask_next(net);
4435 const struct nlattr *attr;
4436 struct nft_set *set;
4437 struct nft_ctx ctx;
4438 int err;
4439
4440 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4441 return -EAFNOSUPPORT;
4442 if (nla[NFTA_SET_TABLE] == NULL)
4443 return -EINVAL;
4444
4445 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
4446 genmask, NETLINK_CB(skb).portid);
4447 if (err < 0)
4448 return err;
4449
4450 if (nla[NFTA_SET_HANDLE]) {
4451 attr = nla[NFTA_SET_HANDLE];
4452 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
4453 } else {
4454 attr = nla[NFTA_SET_NAME];
4455 set = nft_set_lookup(ctx.table, attr, genmask);
4456 }
4457
4458 if (IS_ERR(set)) {
4459 NL_SET_BAD_ATTR(extack, attr);
4460 return PTR_ERR(set);
4461 }
4462 if (set->use ||
4463 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
4464 NL_SET_BAD_ATTR(extack, attr);
4465 return -EBUSY;
4466 }
4467
4468 return nft_delset(&ctx, set);
4469 }
4470
4471 static int nft_validate_register_store(const struct nft_ctx *ctx,
4472 enum nft_registers reg,
4473 const struct nft_data *data,
4474 enum nft_data_types type,
4475 unsigned int len);
4476
4477 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
4478 struct nft_set *set,
4479 const struct nft_set_iter *iter,
4480 struct nft_set_elem *elem)
4481 {
4482 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4483 enum nft_registers dreg;
4484
4485 dreg = nft_type_to_reg(set->dtype);
4486 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
4487 set->dtype == NFT_DATA_VERDICT ?
4488 NFT_DATA_VERDICT : NFT_DATA_VALUE,
4489 set->dlen);
4490 }
4491
4492 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
4493 struct nft_set_binding *binding)
4494 {
4495 struct nft_set_binding *i;
4496 struct nft_set_iter iter;
4497
4498 if (set->use == UINT_MAX)
4499 return -EOVERFLOW;
4500
4501 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
4502 return -EBUSY;
4503
4504 if (binding->flags & NFT_SET_MAP) {
4505 /* If the set is already bound to the same chain all
4506 * jumps are already validated for that chain.
4507 */
4508 list_for_each_entry(i, &set->bindings, list) {
4509 if (i->flags & NFT_SET_MAP &&
4510 i->chain == binding->chain)
4511 goto bind;
4512 }
4513
4514 iter.genmask = nft_genmask_next(ctx->net);
4515 iter.skip = 0;
4516 iter.count = 0;
4517 iter.err = 0;
4518 iter.fn = nf_tables_bind_check_setelem;
4519
4520 set->ops->walk(ctx, set, &iter);
4521 if (iter.err < 0)
4522 return iter.err;
4523 }
4524 bind:
4525 binding->chain = ctx->chain;
4526 list_add_tail_rcu(&binding->list, &set->bindings);
4527 nft_set_trans_bind(ctx, set);
4528 set->use++;
4529
4530 return 0;
4531 }
4532 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
4533
4534 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
4535 struct nft_set_binding *binding, bool event)
4536 {
4537 list_del_rcu(&binding->list);
4538
4539 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
4540 list_del_rcu(&set->list);
4541 if (event)
4542 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
4543 GFP_KERNEL);
4544 }
4545 }
4546
4547 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
4548 struct nft_set_binding *binding,
4549 enum nft_trans_phase phase)
4550 {
4551 switch (phase) {
4552 case NFT_TRANS_PREPARE:
4553 set->use--;
4554 return;
4555 case NFT_TRANS_ABORT:
4556 case NFT_TRANS_RELEASE:
4557 set->use--;
4558 fallthrough;
4559 default:
4560 nf_tables_unbind_set(ctx, set, binding,
4561 phase == NFT_TRANS_COMMIT);
4562 }
4563 }
4564 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
4565
4566 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
4567 {
4568 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
4569 nft_set_destroy(ctx, set);
4570 }
4571 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
4572
4573 const struct nft_set_ext_type nft_set_ext_types[] = {
4574 [NFT_SET_EXT_KEY] = {
4575 .align = __alignof__(u32),
4576 },
4577 [NFT_SET_EXT_DATA] = {
4578 .align = __alignof__(u32),
4579 },
4580 [NFT_SET_EXT_EXPRESSIONS] = {
4581 .align = __alignof__(struct nft_set_elem_expr),
4582 },
4583 [NFT_SET_EXT_OBJREF] = {
4584 .len = sizeof(struct nft_object *),
4585 .align = __alignof__(struct nft_object *),
4586 },
4587 [NFT_SET_EXT_FLAGS] = {
4588 .len = sizeof(u8),
4589 .align = __alignof__(u8),
4590 },
4591 [NFT_SET_EXT_TIMEOUT] = {
4592 .len = sizeof(u64),
4593 .align = __alignof__(u64),
4594 },
4595 [NFT_SET_EXT_EXPIRATION] = {
4596 .len = sizeof(u64),
4597 .align = __alignof__(u64),
4598 },
4599 [NFT_SET_EXT_USERDATA] = {
4600 .len = sizeof(struct nft_userdata),
4601 .align = __alignof__(struct nft_userdata),
4602 },
4603 [NFT_SET_EXT_KEY_END] = {
4604 .align = __alignof__(u32),
4605 },
4606 };
4607
4608 /*
4609 * Set elements
4610 */
4611
4612 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
4613 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
4614 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
4615 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
4616 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
4617 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
4618 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
4619 .len = NFT_USERDATA_MAXLEN },
4620 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
4621 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
4622 .len = NFT_OBJ_MAXNAMELEN - 1 },
4623 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
4624 [NFTA_SET_ELEM_EXPRESSIONS] = { .type = NLA_NESTED },
4625 };
4626
4627 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
4628 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
4629 .len = NFT_TABLE_MAXNAMELEN - 1 },
4630 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
4631 .len = NFT_SET_MAXNAMELEN - 1 },
4632 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
4633 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
4634 };
4635
4636 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
4637 const struct sk_buff *skb,
4638 const struct nlmsghdr *nlh,
4639 const struct nlattr * const nla[],
4640 struct netlink_ext_ack *extack,
4641 u8 genmask, u32 nlpid)
4642 {
4643 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4644 int family = nfmsg->nfgen_family;
4645 struct nft_table *table;
4646
4647 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
4648 genmask, nlpid);
4649 if (IS_ERR(table)) {
4650 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
4651 return PTR_ERR(table);
4652 }
4653
4654 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
4655 return 0;
4656 }
4657
4658 static int nft_set_elem_expr_dump(struct sk_buff *skb,
4659 const struct nft_set *set,
4660 const struct nft_set_ext *ext)
4661 {
4662 struct nft_set_elem_expr *elem_expr;
4663 u32 size, num_exprs = 0;
4664 struct nft_expr *expr;
4665 struct nlattr *nest;
4666
4667 elem_expr = nft_set_ext_expr(ext);
4668 nft_setelem_expr_foreach(expr, elem_expr, size)
4669 num_exprs++;
4670
4671 if (num_exprs == 1) {
4672 expr = nft_setelem_expr_at(elem_expr, 0);
4673 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr) < 0)
4674 return -1;
4675
4676 return 0;
4677 } else if (num_exprs > 1) {
4678 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS);
4679 if (nest == NULL)
4680 goto nla_put_failure;
4681
4682 nft_setelem_expr_foreach(expr, elem_expr, size) {
4683 expr = nft_setelem_expr_at(elem_expr, size);
4684 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
4685 goto nla_put_failure;
4686 }
4687 nla_nest_end(skb, nest);
4688 }
4689 return 0;
4690
4691 nla_put_failure:
4692 return -1;
4693 }
4694
4695 static int nf_tables_fill_setelem(struct sk_buff *skb,
4696 const struct nft_set *set,
4697 const struct nft_set_elem *elem)
4698 {
4699 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4700 unsigned char *b = skb_tail_pointer(skb);
4701 struct nlattr *nest;
4702
4703 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4704 if (nest == NULL)
4705 goto nla_put_failure;
4706
4707 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
4708 NFT_DATA_VALUE, set->klen) < 0)
4709 goto nla_put_failure;
4710
4711 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
4712 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
4713 NFT_DATA_VALUE, set->klen) < 0)
4714 goto nla_put_failure;
4715
4716 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4717 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
4718 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
4719 set->dlen) < 0)
4720 goto nla_put_failure;
4721
4722 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) &&
4723 nft_set_elem_expr_dump(skb, set, ext))
4724 goto nla_put_failure;
4725
4726 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4727 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
4728 (*nft_set_ext_obj(ext))->key.name) < 0)
4729 goto nla_put_failure;
4730
4731 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4732 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
4733 htonl(*nft_set_ext_flags(ext))))
4734 goto nla_put_failure;
4735
4736 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
4737 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
4738 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
4739 NFTA_SET_ELEM_PAD))
4740 goto nla_put_failure;
4741
4742 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4743 u64 expires, now = get_jiffies_64();
4744
4745 expires = *nft_set_ext_expiration(ext);
4746 if (time_before64(now, expires))
4747 expires -= now;
4748 else
4749 expires = 0;
4750
4751 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
4752 nf_jiffies64_to_msecs(expires),
4753 NFTA_SET_ELEM_PAD))
4754 goto nla_put_failure;
4755 }
4756
4757 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
4758 struct nft_userdata *udata;
4759
4760 udata = nft_set_ext_userdata(ext);
4761 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
4762 udata->len + 1, udata->data))
4763 goto nla_put_failure;
4764 }
4765
4766 nla_nest_end(skb, nest);
4767 return 0;
4768
4769 nla_put_failure:
4770 nlmsg_trim(skb, b);
4771 return -EMSGSIZE;
4772 }
4773
4774 struct nft_set_dump_args {
4775 const struct netlink_callback *cb;
4776 struct nft_set_iter iter;
4777 struct sk_buff *skb;
4778 };
4779
4780 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
4781 struct nft_set *set,
4782 const struct nft_set_iter *iter,
4783 struct nft_set_elem *elem)
4784 {
4785 struct nft_set_dump_args *args;
4786
4787 args = container_of(iter, struct nft_set_dump_args, iter);
4788 return nf_tables_fill_setelem(args->skb, set, elem);
4789 }
4790
4791 struct nft_set_dump_ctx {
4792 const struct nft_set *set;
4793 struct nft_ctx ctx;
4794 };
4795
4796 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4797 {
4798 struct nft_set_dump_ctx *dump_ctx = cb->data;
4799 struct net *net = sock_net(skb->sk);
4800 struct nft_table *table;
4801 struct nft_set *set;
4802 struct nft_set_dump_args args;
4803 bool set_found = false;
4804 struct nfgenmsg *nfmsg;
4805 struct nlmsghdr *nlh;
4806 struct nlattr *nest;
4807 u32 portid, seq;
4808 int event;
4809
4810 rcu_read_lock();
4811 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4812 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4813 dump_ctx->ctx.family != table->family)
4814 continue;
4815
4816 if (table != dump_ctx->ctx.table)
4817 continue;
4818
4819 list_for_each_entry_rcu(set, &table->sets, list) {
4820 if (set == dump_ctx->set) {
4821 set_found = true;
4822 break;
4823 }
4824 }
4825 break;
4826 }
4827
4828 if (!set_found) {
4829 rcu_read_unlock();
4830 return -ENOENT;
4831 }
4832
4833 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4834 portid = NETLINK_CB(cb->skb).portid;
4835 seq = cb->nlh->nlmsg_seq;
4836
4837 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4838 NLM_F_MULTI);
4839 if (nlh == NULL)
4840 goto nla_put_failure;
4841
4842 nfmsg = nlmsg_data(nlh);
4843 nfmsg->nfgen_family = table->family;
4844 nfmsg->version = NFNETLINK_V0;
4845 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4846
4847 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4848 goto nla_put_failure;
4849 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4850 goto nla_put_failure;
4851
4852 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4853 if (nest == NULL)
4854 goto nla_put_failure;
4855
4856 args.cb = cb;
4857 args.skb = skb;
4858 args.iter.genmask = nft_genmask_cur(net);
4859 args.iter.skip = cb->args[0];
4860 args.iter.count = 0;
4861 args.iter.err = 0;
4862 args.iter.fn = nf_tables_dump_setelem;
4863 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4864 rcu_read_unlock();
4865
4866 nla_nest_end(skb, nest);
4867 nlmsg_end(skb, nlh);
4868
4869 if (args.iter.err && args.iter.err != -EMSGSIZE)
4870 return args.iter.err;
4871 if (args.iter.count == cb->args[0])
4872 return 0;
4873
4874 cb->args[0] = args.iter.count;
4875 return skb->len;
4876
4877 nla_put_failure:
4878 rcu_read_unlock();
4879 return -ENOSPC;
4880 }
4881
4882 static int nf_tables_dump_set_start(struct netlink_callback *cb)
4883 {
4884 struct nft_set_dump_ctx *dump_ctx = cb->data;
4885
4886 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4887
4888 return cb->data ? 0 : -ENOMEM;
4889 }
4890
4891 static int nf_tables_dump_set_done(struct netlink_callback *cb)
4892 {
4893 kfree(cb->data);
4894 return 0;
4895 }
4896
4897 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4898 const struct nft_ctx *ctx, u32 seq,
4899 u32 portid, int event, u16 flags,
4900 const struct nft_set *set,
4901 const struct nft_set_elem *elem)
4902 {
4903 struct nfgenmsg *nfmsg;
4904 struct nlmsghdr *nlh;
4905 struct nlattr *nest;
4906 int err;
4907
4908 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4909 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4910 flags);
4911 if (nlh == NULL)
4912 goto nla_put_failure;
4913
4914 nfmsg = nlmsg_data(nlh);
4915 nfmsg->nfgen_family = ctx->family;
4916 nfmsg->version = NFNETLINK_V0;
4917 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
4918
4919 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4920 goto nla_put_failure;
4921 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4922 goto nla_put_failure;
4923
4924 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4925 if (nest == NULL)
4926 goto nla_put_failure;
4927
4928 err = nf_tables_fill_setelem(skb, set, elem);
4929 if (err < 0)
4930 goto nla_put_failure;
4931
4932 nla_nest_end(skb, nest);
4933
4934 nlmsg_end(skb, nlh);
4935 return 0;
4936
4937 nla_put_failure:
4938 nlmsg_trim(skb, nlh);
4939 return -1;
4940 }
4941
4942 static int nft_setelem_parse_flags(const struct nft_set *set,
4943 const struct nlattr *attr, u32 *flags)
4944 {
4945 if (attr == NULL)
4946 return 0;
4947
4948 *flags = ntohl(nla_get_be32(attr));
4949 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4950 return -EINVAL;
4951 if (!(set->flags & NFT_SET_INTERVAL) &&
4952 *flags & NFT_SET_ELEM_INTERVAL_END)
4953 return -EINVAL;
4954
4955 return 0;
4956 }
4957
4958 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
4959 struct nft_data *key, struct nlattr *attr)
4960 {
4961 struct nft_data_desc desc;
4962 int err;
4963
4964 err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr);
4965 if (err < 0)
4966 return err;
4967
4968 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
4969 nft_data_release(key, desc.type);
4970 return -EINVAL;
4971 }
4972
4973 return 0;
4974 }
4975
4976 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
4977 struct nft_data_desc *desc,
4978 struct nft_data *data,
4979 struct nlattr *attr)
4980 {
4981 int err;
4982
4983 err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr);
4984 if (err < 0)
4985 return err;
4986
4987 if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) {
4988 nft_data_release(data, desc->type);
4989 return -EINVAL;
4990 }
4991
4992 return 0;
4993 }
4994
4995 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4996 const struct nlattr *attr)
4997 {
4998 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4999 struct nft_set_elem elem;
5000 struct sk_buff *skb;
5001 uint32_t flags = 0;
5002 void *priv;
5003 int err;
5004
5005 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5006 nft_set_elem_policy, NULL);
5007 if (err < 0)
5008 return err;
5009
5010 if (!nla[NFTA_SET_ELEM_KEY])
5011 return -EINVAL;
5012
5013 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5014 if (err < 0)
5015 return err;
5016
5017 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5018 nla[NFTA_SET_ELEM_KEY]);
5019 if (err < 0)
5020 return err;
5021
5022 if (nla[NFTA_SET_ELEM_KEY_END]) {
5023 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5024 nla[NFTA_SET_ELEM_KEY_END]);
5025 if (err < 0)
5026 return err;
5027 }
5028
5029 priv = set->ops->get(ctx->net, set, &elem, flags);
5030 if (IS_ERR(priv))
5031 return PTR_ERR(priv);
5032
5033 elem.priv = priv;
5034
5035 err = -ENOMEM;
5036 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
5037 if (skb == NULL)
5038 return err;
5039
5040 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
5041 NFT_MSG_NEWSETELEM, 0, set, &elem);
5042 if (err < 0)
5043 goto err_fill_setelem;
5044
5045 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
5046
5047 err_fill_setelem:
5048 kfree_skb(skb);
5049 return err;
5050 }
5051
5052 /* called with rcu_read_lock held */
5053 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
5054 struct sk_buff *skb, const struct nlmsghdr *nlh,
5055 const struct nlattr * const nla[],
5056 struct netlink_ext_ack *extack)
5057 {
5058 u8 genmask = nft_genmask_cur(net);
5059 struct nft_set *set;
5060 struct nlattr *attr;
5061 struct nft_ctx ctx;
5062 int rem, err = 0;
5063
5064 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5065 genmask, NETLINK_CB(skb).portid);
5066 if (err < 0)
5067 return err;
5068
5069 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5070 if (IS_ERR(set))
5071 return PTR_ERR(set);
5072
5073 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5074 struct netlink_dump_control c = {
5075 .start = nf_tables_dump_set_start,
5076 .dump = nf_tables_dump_set,
5077 .done = nf_tables_dump_set_done,
5078 .module = THIS_MODULE,
5079 };
5080 struct nft_set_dump_ctx dump_ctx = {
5081 .set = set,
5082 .ctx = ctx,
5083 };
5084
5085 c.data = &dump_ctx;
5086 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5087 }
5088
5089 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
5090 return -EINVAL;
5091
5092 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5093 err = nft_get_set_elem(&ctx, set, attr);
5094 if (err < 0)
5095 break;
5096 }
5097
5098 return err;
5099 }
5100
5101 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
5102 const struct nft_set *set,
5103 const struct nft_set_elem *elem,
5104 int event, u16 flags)
5105 {
5106 struct net *net = ctx->net;
5107 u32 portid = ctx->portid;
5108 struct sk_buff *skb;
5109 int err;
5110 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
5111 ctx->table->name, ctx->table->handle,
5112 set->name, set->handle);
5113
5114 audit_log_nfcfg(buf,
5115 ctx->family,
5116 set->handle,
5117 event == NFT_MSG_NEWSETELEM ?
5118 AUDIT_NFT_OP_SETELEM_REGISTER :
5119 AUDIT_NFT_OP_SETELEM_UNREGISTER,
5120 GFP_KERNEL);
5121 kfree(buf);
5122
5123 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5124 return;
5125
5126 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5127 if (skb == NULL)
5128 goto err;
5129
5130 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
5131 set, elem);
5132 if (err < 0) {
5133 kfree_skb(skb);
5134 goto err;
5135 }
5136
5137 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
5138 return;
5139 err:
5140 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5141 }
5142
5143 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
5144 int msg_type,
5145 struct nft_set *set)
5146 {
5147 struct nft_trans *trans;
5148
5149 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
5150 if (trans == NULL)
5151 return NULL;
5152
5153 nft_trans_elem_set(trans) = set;
5154 return trans;
5155 }
5156
5157 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
5158 const struct nft_set *set,
5159 const struct nlattr *attr)
5160 {
5161 struct nft_expr *expr;
5162 int err;
5163
5164 expr = nft_expr_init(ctx, attr);
5165 if (IS_ERR(expr))
5166 return expr;
5167
5168 err = -EOPNOTSUPP;
5169 if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL))
5170 goto err_set_elem_expr;
5171
5172 if (expr->ops->type->flags & NFT_EXPR_GC) {
5173 if (set->flags & NFT_SET_TIMEOUT)
5174 goto err_set_elem_expr;
5175 if (!set->ops->gc_init)
5176 goto err_set_elem_expr;
5177 set->ops->gc_init(set);
5178 }
5179
5180 return expr;
5181
5182 err_set_elem_expr:
5183 nft_expr_destroy(ctx, expr);
5184 return ERR_PTR(err);
5185 }
5186
5187 void *nft_set_elem_init(const struct nft_set *set,
5188 const struct nft_set_ext_tmpl *tmpl,
5189 const u32 *key, const u32 *key_end,
5190 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp)
5191 {
5192 struct nft_set_ext *ext;
5193 void *elem;
5194
5195 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
5196 if (elem == NULL)
5197 return NULL;
5198
5199 ext = nft_set_elem_ext(set, elem);
5200 nft_set_ext_init(ext, tmpl);
5201
5202 memcpy(nft_set_ext_key(ext), key, set->klen);
5203 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
5204 memcpy(nft_set_ext_key_end(ext), key_end, set->klen);
5205 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5206 memcpy(nft_set_ext_data(ext), data, set->dlen);
5207 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
5208 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
5209 if (expiration == 0)
5210 *nft_set_ext_expiration(ext) += timeout;
5211 }
5212 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
5213 *nft_set_ext_timeout(ext) = timeout;
5214
5215 return elem;
5216 }
5217
5218 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5219 struct nft_expr *expr)
5220 {
5221 if (expr->ops->destroy_clone) {
5222 expr->ops->destroy_clone(ctx, expr);
5223 module_put(expr->ops->type->owner);
5224 } else {
5225 nf_tables_expr_destroy(ctx, expr);
5226 }
5227 }
5228
5229 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5230 struct nft_set_elem_expr *elem_expr)
5231 {
5232 struct nft_expr *expr;
5233 u32 size;
5234
5235 nft_setelem_expr_foreach(expr, elem_expr, size)
5236 __nft_set_elem_expr_destroy(ctx, expr);
5237 }
5238
5239 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
5240 bool destroy_expr)
5241 {
5242 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5243 struct nft_ctx ctx = {
5244 .net = read_pnet(&set->net),
5245 .family = set->table->family,
5246 };
5247
5248 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
5249 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5250 nft_data_release(nft_set_ext_data(ext), set->dtype);
5251 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
5252 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
5253
5254 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5255 (*nft_set_ext_obj(ext))->use--;
5256 kfree(elem);
5257 }
5258 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
5259
5260 /* Only called from commit path, nft_set_elem_deactivate() already deals with
5261 * the refcounting from the preparation phase.
5262 */
5263 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
5264 const struct nft_set *set, void *elem)
5265 {
5266 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5267
5268 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
5269 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
5270
5271 kfree(elem);
5272 }
5273
5274 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
5275 struct nft_expr *expr_array[])
5276 {
5277 struct nft_expr *expr;
5278 int err, i, k;
5279
5280 for (i = 0; i < set->num_exprs; i++) {
5281 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL);
5282 if (!expr)
5283 goto err_expr;
5284
5285 err = nft_expr_clone(expr, set->exprs[i]);
5286 if (err < 0) {
5287 nft_expr_destroy(ctx, expr);
5288 goto err_expr;
5289 }
5290 expr_array[i] = expr;
5291 }
5292
5293 return 0;
5294
5295 err_expr:
5296 for (k = i - 1; k >= 0; k--)
5297 nft_expr_destroy(ctx, expr_array[k]);
5298
5299 return -ENOMEM;
5300 }
5301
5302 static void nft_set_elem_expr_setup(const struct nft_set_ext *ext, int i,
5303 struct nft_expr *expr_array[])
5304 {
5305 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
5306 struct nft_expr *expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
5307
5308 memcpy(expr, expr_array[i], expr_array[i]->ops->size);
5309 elem_expr->size += expr_array[i]->ops->size;
5310 kfree(expr_array[i]);
5311 expr_array[i] = NULL;
5312 }
5313
5314 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
5315 const struct nlattr *attr, u32 nlmsg_flags)
5316 {
5317 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {};
5318 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5319 u8 genmask = nft_genmask_next(ctx->net);
5320 u32 flags = 0, size = 0, num_exprs = 0;
5321 struct nft_set_ext_tmpl tmpl;
5322 struct nft_set_ext *ext, *ext2;
5323 struct nft_set_elem elem;
5324 struct nft_set_binding *binding;
5325 struct nft_object *obj = NULL;
5326 struct nft_userdata *udata;
5327 struct nft_data_desc desc;
5328 enum nft_registers dreg;
5329 struct nft_trans *trans;
5330 u64 timeout;
5331 u64 expiration;
5332 int err, i;
5333 u8 ulen;
5334
5335 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5336 nft_set_elem_policy, NULL);
5337 if (err < 0)
5338 return err;
5339
5340 if (nla[NFTA_SET_ELEM_KEY] == NULL)
5341 return -EINVAL;
5342
5343 nft_set_ext_prepare(&tmpl);
5344
5345 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5346 if (err < 0)
5347 return err;
5348 if (flags != 0)
5349 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5350
5351 if (set->flags & NFT_SET_MAP) {
5352 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
5353 !(flags & NFT_SET_ELEM_INTERVAL_END))
5354 return -EINVAL;
5355 } else {
5356 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5357 return -EINVAL;
5358 }
5359
5360 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
5361 (nla[NFTA_SET_ELEM_DATA] ||
5362 nla[NFTA_SET_ELEM_OBJREF] ||
5363 nla[NFTA_SET_ELEM_TIMEOUT] ||
5364 nla[NFTA_SET_ELEM_EXPIRATION] ||
5365 nla[NFTA_SET_ELEM_USERDATA] ||
5366 nla[NFTA_SET_ELEM_EXPR] ||
5367 nla[NFTA_SET_ELEM_EXPRESSIONS]))
5368 return -EINVAL;
5369
5370 timeout = 0;
5371 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
5372 if (!(set->flags & NFT_SET_TIMEOUT))
5373 return -EINVAL;
5374 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
5375 &timeout);
5376 if (err)
5377 return err;
5378 } else if (set->flags & NFT_SET_TIMEOUT) {
5379 timeout = set->timeout;
5380 }
5381
5382 expiration = 0;
5383 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
5384 if (!(set->flags & NFT_SET_TIMEOUT))
5385 return -EINVAL;
5386 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
5387 &expiration);
5388 if (err)
5389 return err;
5390 }
5391
5392 if (nla[NFTA_SET_ELEM_EXPR]) {
5393 struct nft_expr *expr;
5394
5395 if (set->num_exprs && set->num_exprs != 1)
5396 return -EOPNOTSUPP;
5397
5398 expr = nft_set_elem_expr_alloc(ctx, set,
5399 nla[NFTA_SET_ELEM_EXPR]);
5400 if (IS_ERR(expr))
5401 return PTR_ERR(expr);
5402
5403 expr_array[0] = expr;
5404 num_exprs = 1;
5405
5406 if (set->num_exprs && set->exprs[0]->ops != expr->ops) {
5407 err = -EOPNOTSUPP;
5408 goto err_set_elem_expr;
5409 }
5410 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) {
5411 struct nft_expr *expr;
5412 struct nlattr *tmp;
5413 int left;
5414
5415 i = 0;
5416 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) {
5417 if (i == NFT_SET_EXPR_MAX ||
5418 (set->num_exprs && set->num_exprs == i)) {
5419 err = -E2BIG;
5420 goto err_set_elem_expr;
5421 }
5422 if (nla_type(tmp) != NFTA_LIST_ELEM) {
5423 err = -EINVAL;
5424 goto err_set_elem_expr;
5425 }
5426 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
5427 if (IS_ERR(expr)) {
5428 err = PTR_ERR(expr);
5429 goto err_set_elem_expr;
5430 }
5431 expr_array[i] = expr;
5432 num_exprs++;
5433
5434 if (set->num_exprs && expr->ops != set->exprs[i]->ops) {
5435 err = -EOPNOTSUPP;
5436 goto err_set_elem_expr;
5437 }
5438 i++;
5439 }
5440 if (set->num_exprs && set->num_exprs != i) {
5441 err = -EOPNOTSUPP;
5442 goto err_set_elem_expr;
5443 }
5444 } else if (set->num_exprs > 0) {
5445 err = nft_set_elem_expr_clone(ctx, set, expr_array);
5446 if (err < 0)
5447 goto err_set_elem_expr_clone;
5448
5449 num_exprs = set->num_exprs;
5450 }
5451
5452 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5453 nla[NFTA_SET_ELEM_KEY]);
5454 if (err < 0)
5455 goto err_set_elem_expr;
5456
5457 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5458
5459 if (nla[NFTA_SET_ELEM_KEY_END]) {
5460 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5461 nla[NFTA_SET_ELEM_KEY_END]);
5462 if (err < 0)
5463 goto err_parse_key;
5464
5465 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5466 }
5467
5468 if (timeout > 0) {
5469 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
5470 if (timeout != set->timeout)
5471 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
5472 }
5473
5474 if (num_exprs) {
5475 for (i = 0; i < num_exprs; i++)
5476 size += expr_array[i]->ops->size;
5477
5478 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS,
5479 sizeof(struct nft_set_elem_expr) +
5480 size);
5481 }
5482
5483 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
5484 if (!(set->flags & NFT_SET_OBJECT)) {
5485 err = -EINVAL;
5486 goto err_parse_key_end;
5487 }
5488 obj = nft_obj_lookup(ctx->net, ctx->table,
5489 nla[NFTA_SET_ELEM_OBJREF],
5490 set->objtype, genmask);
5491 if (IS_ERR(obj)) {
5492 err = PTR_ERR(obj);
5493 goto err_parse_key_end;
5494 }
5495 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
5496 }
5497
5498 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
5499 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
5500 nla[NFTA_SET_ELEM_DATA]);
5501 if (err < 0)
5502 goto err_parse_key_end;
5503
5504 dreg = nft_type_to_reg(set->dtype);
5505 list_for_each_entry(binding, &set->bindings, list) {
5506 struct nft_ctx bind_ctx = {
5507 .net = ctx->net,
5508 .family = ctx->family,
5509 .table = ctx->table,
5510 .chain = (struct nft_chain *)binding->chain,
5511 };
5512
5513 if (!(binding->flags & NFT_SET_MAP))
5514 continue;
5515
5516 err = nft_validate_register_store(&bind_ctx, dreg,
5517 &elem.data.val,
5518 desc.type, desc.len);
5519 if (err < 0)
5520 goto err_parse_data;
5521
5522 if (desc.type == NFT_DATA_VERDICT &&
5523 (elem.data.val.verdict.code == NFT_GOTO ||
5524 elem.data.val.verdict.code == NFT_JUMP))
5525 nft_validate_state_update(ctx->net,
5526 NFT_VALIDATE_NEED);
5527 }
5528
5529 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
5530 }
5531
5532 /* The full maximum length of userdata can exceed the maximum
5533 * offset value (U8_MAX) for following extensions, therefor it
5534 * must be the last extension added.
5535 */
5536 ulen = 0;
5537 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
5538 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
5539 if (ulen > 0)
5540 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
5541 ulen);
5542 }
5543
5544 err = -ENOMEM;
5545 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5546 elem.key_end.val.data, elem.data.val.data,
5547 timeout, expiration, GFP_KERNEL);
5548 if (elem.priv == NULL)
5549 goto err_parse_data;
5550
5551 ext = nft_set_elem_ext(set, elem.priv);
5552 if (flags)
5553 *nft_set_ext_flags(ext) = flags;
5554 if (ulen > 0) {
5555 udata = nft_set_ext_userdata(ext);
5556 udata->len = ulen - 1;
5557 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
5558 }
5559 if (obj) {
5560 *nft_set_ext_obj(ext) = obj;
5561 obj->use++;
5562 }
5563 for (i = 0; i < num_exprs; i++)
5564 nft_set_elem_expr_setup(ext, i, expr_array);
5565
5566 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
5567 if (trans == NULL)
5568 goto err_trans;
5569
5570 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
5571 err = set->ops->insert(ctx->net, set, &elem, &ext2);
5572 if (err) {
5573 if (err == -EEXIST) {
5574 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
5575 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
5576 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
5577 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
5578 goto err_element_clash;
5579 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5580 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
5581 memcmp(nft_set_ext_data(ext),
5582 nft_set_ext_data(ext2), set->dlen) != 0) ||
5583 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5584 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
5585 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
5586 goto err_element_clash;
5587 else if (!(nlmsg_flags & NLM_F_EXCL))
5588 err = 0;
5589 } else if (err == -ENOTEMPTY) {
5590 /* ENOTEMPTY reports overlapping between this element
5591 * and an existing one.
5592 */
5593 err = -EEXIST;
5594 }
5595 goto err_element_clash;
5596 }
5597
5598 if (set->size &&
5599 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
5600 err = -ENFILE;
5601 goto err_set_full;
5602 }
5603
5604 nft_trans_elem(trans) = elem;
5605 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5606 return 0;
5607
5608 err_set_full:
5609 set->ops->remove(ctx->net, set, &elem);
5610 err_element_clash:
5611 kfree(trans);
5612 err_trans:
5613 if (obj)
5614 obj->use--;
5615
5616 nf_tables_set_elem_destroy(ctx, set, elem.priv);
5617 err_parse_data:
5618 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5619 nft_data_release(&elem.data.val, desc.type);
5620 err_parse_key_end:
5621 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
5622 err_parse_key:
5623 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5624 err_set_elem_expr:
5625 for (i = 0; i < num_exprs && expr_array[i]; i++)
5626 nft_expr_destroy(ctx, expr_array[i]);
5627 err_set_elem_expr_clone:
5628 return err;
5629 }
5630
5631 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
5632 struct sk_buff *skb, const struct nlmsghdr *nlh,
5633 const struct nlattr * const nla[],
5634 struct netlink_ext_ack *extack)
5635 {
5636 u8 genmask = nft_genmask_next(net);
5637 const struct nlattr *attr;
5638 struct nft_set *set;
5639 struct nft_ctx ctx;
5640 int rem, err;
5641
5642 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
5643 return -EINVAL;
5644
5645 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5646 genmask, NETLINK_CB(skb).portid);
5647 if (err < 0)
5648 return err;
5649
5650 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
5651 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
5652 if (IS_ERR(set))
5653 return PTR_ERR(set);
5654
5655 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5656 return -EBUSY;
5657
5658 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5659 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
5660 if (err < 0)
5661 return err;
5662 }
5663
5664 if (net->nft.validate_state == NFT_VALIDATE_DO)
5665 return nft_table_validate(net, ctx.table);
5666
5667 return 0;
5668 }
5669
5670 /**
5671 * nft_data_hold - hold a nft_data item
5672 *
5673 * @data: struct nft_data to release
5674 * @type: type of data
5675 *
5676 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
5677 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
5678 * NFT_GOTO verdicts. This function must be called on active data objects
5679 * from the second phase of the commit protocol.
5680 */
5681 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
5682 {
5683 struct nft_chain *chain;
5684 struct nft_rule *rule;
5685
5686 if (type == NFT_DATA_VERDICT) {
5687 switch (data->verdict.code) {
5688 case NFT_JUMP:
5689 case NFT_GOTO:
5690 chain = data->verdict.chain;
5691 chain->use++;
5692
5693 if (!nft_chain_is_bound(chain))
5694 break;
5695
5696 chain->table->use++;
5697 list_for_each_entry(rule, &chain->rules, list)
5698 chain->use++;
5699
5700 nft_chain_add(chain->table, chain);
5701 break;
5702 }
5703 }
5704 }
5705
5706 static void nft_set_elem_activate(const struct net *net,
5707 const struct nft_set *set,
5708 struct nft_set_elem *elem)
5709 {
5710 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5711
5712 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5713 nft_data_hold(nft_set_ext_data(ext), set->dtype);
5714 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5715 (*nft_set_ext_obj(ext))->use++;
5716 }
5717
5718 static void nft_set_elem_deactivate(const struct net *net,
5719 const struct nft_set *set,
5720 struct nft_set_elem *elem)
5721 {
5722 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5723
5724 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5725 nft_data_release(nft_set_ext_data(ext), set->dtype);
5726 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5727 (*nft_set_ext_obj(ext))->use--;
5728 }
5729
5730 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
5731 const struct nlattr *attr)
5732 {
5733 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5734 struct nft_set_ext_tmpl tmpl;
5735 struct nft_set_elem elem;
5736 struct nft_set_ext *ext;
5737 struct nft_trans *trans;
5738 u32 flags = 0;
5739 void *priv;
5740 int err;
5741
5742 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5743 nft_set_elem_policy, NULL);
5744 if (err < 0)
5745 return err;
5746
5747 if (nla[NFTA_SET_ELEM_KEY] == NULL)
5748 return -EINVAL;
5749
5750 nft_set_ext_prepare(&tmpl);
5751
5752 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5753 if (err < 0)
5754 return err;
5755 if (flags != 0)
5756 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5757
5758 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5759 nla[NFTA_SET_ELEM_KEY]);
5760 if (err < 0)
5761 return err;
5762
5763 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5764
5765 if (nla[NFTA_SET_ELEM_KEY_END]) {
5766 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5767 nla[NFTA_SET_ELEM_KEY_END]);
5768 if (err < 0)
5769 return err;
5770
5771 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5772 }
5773
5774 err = -ENOMEM;
5775 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5776 elem.key_end.val.data, NULL, 0, 0,
5777 GFP_KERNEL);
5778 if (elem.priv == NULL)
5779 goto fail_elem;
5780
5781 ext = nft_set_elem_ext(set, elem.priv);
5782 if (flags)
5783 *nft_set_ext_flags(ext) = flags;
5784
5785 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
5786 if (trans == NULL)
5787 goto fail_trans;
5788
5789 priv = set->ops->deactivate(ctx->net, set, &elem);
5790 if (priv == NULL) {
5791 err = -ENOENT;
5792 goto fail_ops;
5793 }
5794 kfree(elem.priv);
5795 elem.priv = priv;
5796
5797 nft_set_elem_deactivate(ctx->net, set, &elem);
5798
5799 nft_trans_elem(trans) = elem;
5800 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5801 return 0;
5802
5803 fail_ops:
5804 kfree(trans);
5805 fail_trans:
5806 kfree(elem.priv);
5807 fail_elem:
5808 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5809 return err;
5810 }
5811
5812 static int nft_flush_set(const struct nft_ctx *ctx,
5813 struct nft_set *set,
5814 const struct nft_set_iter *iter,
5815 struct nft_set_elem *elem)
5816 {
5817 struct nft_trans *trans;
5818 int err;
5819
5820 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
5821 sizeof(struct nft_trans_elem), GFP_ATOMIC);
5822 if (!trans)
5823 return -ENOMEM;
5824
5825 if (!set->ops->flush(ctx->net, set, elem->priv)) {
5826 err = -ENOENT;
5827 goto err1;
5828 }
5829 set->ndeact++;
5830
5831 nft_set_elem_deactivate(ctx->net, set, elem);
5832 nft_trans_elem_set(trans) = set;
5833 nft_trans_elem(trans) = *elem;
5834 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5835
5836 return 0;
5837 err1:
5838 kfree(trans);
5839 return err;
5840 }
5841
5842 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
5843 struct sk_buff *skb, const struct nlmsghdr *nlh,
5844 const struct nlattr * const nla[],
5845 struct netlink_ext_ack *extack)
5846 {
5847 u8 genmask = nft_genmask_next(net);
5848 const struct nlattr *attr;
5849 struct nft_set *set;
5850 struct nft_ctx ctx;
5851 int rem, err = 0;
5852
5853 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5854 genmask, NETLINK_CB(skb).portid);
5855 if (err < 0)
5856 return err;
5857
5858 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5859 if (IS_ERR(set))
5860 return PTR_ERR(set);
5861 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5862 return -EBUSY;
5863
5864 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
5865 struct nft_set_iter iter = {
5866 .genmask = genmask,
5867 .fn = nft_flush_set,
5868 };
5869 set->ops->walk(&ctx, set, &iter);
5870
5871 return iter.err;
5872 }
5873
5874 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5875 err = nft_del_setelem(&ctx, set, attr);
5876 if (err < 0)
5877 break;
5878
5879 set->ndeact++;
5880 }
5881 return err;
5882 }
5883
5884 void nft_set_gc_batch_release(struct rcu_head *rcu)
5885 {
5886 struct nft_set_gc_batch *gcb;
5887 unsigned int i;
5888
5889 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
5890 for (i = 0; i < gcb->head.cnt; i++)
5891 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
5892 kfree(gcb);
5893 }
5894
5895 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
5896 gfp_t gfp)
5897 {
5898 struct nft_set_gc_batch *gcb;
5899
5900 gcb = kzalloc(sizeof(*gcb), gfp);
5901 if (gcb == NULL)
5902 return gcb;
5903 gcb->head.set = set;
5904 return gcb;
5905 }
5906
5907 /*
5908 * Stateful objects
5909 */
5910
5911 /**
5912 * nft_register_obj- register nf_tables stateful object type
5913 * @obj_type: object type
5914 *
5915 * Registers the object type for use with nf_tables. Returns zero on
5916 * success or a negative errno code otherwise.
5917 */
5918 int nft_register_obj(struct nft_object_type *obj_type)
5919 {
5920 if (obj_type->type == NFT_OBJECT_UNSPEC)
5921 return -EINVAL;
5922
5923 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5924 list_add_rcu(&obj_type->list, &nf_tables_objects);
5925 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5926 return 0;
5927 }
5928 EXPORT_SYMBOL_GPL(nft_register_obj);
5929
5930 /**
5931 * nft_unregister_obj - unregister nf_tables object type
5932 * @obj_type: object type
5933 *
5934 * Unregisters the object type for use with nf_tables.
5935 */
5936 void nft_unregister_obj(struct nft_object_type *obj_type)
5937 {
5938 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5939 list_del_rcu(&obj_type->list);
5940 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5941 }
5942 EXPORT_SYMBOL_GPL(nft_unregister_obj);
5943
5944 struct nft_object *nft_obj_lookup(const struct net *net,
5945 const struct nft_table *table,
5946 const struct nlattr *nla, u32 objtype,
5947 u8 genmask)
5948 {
5949 struct nft_object_hash_key k = { .table = table };
5950 char search[NFT_OBJ_MAXNAMELEN];
5951 struct rhlist_head *tmp, *list;
5952 struct nft_object *obj;
5953
5954 nla_strscpy(search, nla, sizeof(search));
5955 k.name = search;
5956
5957 WARN_ON_ONCE(!rcu_read_lock_held() &&
5958 !lockdep_commit_lock_is_held(net));
5959
5960 rcu_read_lock();
5961 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
5962 if (!list)
5963 goto out;
5964
5965 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
5966 if (objtype == obj->ops->type->type &&
5967 nft_active_genmask(obj, genmask)) {
5968 rcu_read_unlock();
5969 return obj;
5970 }
5971 }
5972 out:
5973 rcu_read_unlock();
5974 return ERR_PTR(-ENOENT);
5975 }
5976 EXPORT_SYMBOL_GPL(nft_obj_lookup);
5977
5978 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
5979 const struct nlattr *nla,
5980 u32 objtype, u8 genmask)
5981 {
5982 struct nft_object *obj;
5983
5984 list_for_each_entry(obj, &table->objects, list) {
5985 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
5986 objtype == obj->ops->type->type &&
5987 nft_active_genmask(obj, genmask))
5988 return obj;
5989 }
5990 return ERR_PTR(-ENOENT);
5991 }
5992
5993 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
5994 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
5995 .len = NFT_TABLE_MAXNAMELEN - 1 },
5996 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
5997 .len = NFT_OBJ_MAXNAMELEN - 1 },
5998 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
5999 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
6000 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
6001 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY,
6002 .len = NFT_USERDATA_MAXLEN },
6003 };
6004
6005 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
6006 const struct nft_object_type *type,
6007 const struct nlattr *attr)
6008 {
6009 struct nlattr **tb;
6010 const struct nft_object_ops *ops;
6011 struct nft_object *obj;
6012 int err = -ENOMEM;
6013
6014 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
6015 if (!tb)
6016 goto err1;
6017
6018 if (attr) {
6019 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
6020 type->policy, NULL);
6021 if (err < 0)
6022 goto err2;
6023 } else {
6024 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
6025 }
6026
6027 if (type->select_ops) {
6028 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
6029 if (IS_ERR(ops)) {
6030 err = PTR_ERR(ops);
6031 goto err2;
6032 }
6033 } else {
6034 ops = type->ops;
6035 }
6036
6037 err = -ENOMEM;
6038 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
6039 if (!obj)
6040 goto err2;
6041
6042 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
6043 if (err < 0)
6044 goto err3;
6045
6046 obj->ops = ops;
6047
6048 kfree(tb);
6049 return obj;
6050 err3:
6051 kfree(obj);
6052 err2:
6053 kfree(tb);
6054 err1:
6055 return ERR_PTR(err);
6056 }
6057
6058 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
6059 struct nft_object *obj, bool reset)
6060 {
6061 struct nlattr *nest;
6062
6063 nest = nla_nest_start_noflag(skb, attr);
6064 if (!nest)
6065 goto nla_put_failure;
6066 if (obj->ops->dump(skb, obj, reset) < 0)
6067 goto nla_put_failure;
6068 nla_nest_end(skb, nest);
6069 return 0;
6070
6071 nla_put_failure:
6072 return -1;
6073 }
6074
6075 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
6076 {
6077 const struct nft_object_type *type;
6078
6079 list_for_each_entry(type, &nf_tables_objects, list) {
6080 if (objtype == type->type)
6081 return type;
6082 }
6083 return NULL;
6084 }
6085
6086 static const struct nft_object_type *
6087 nft_obj_type_get(struct net *net, u32 objtype)
6088 {
6089 const struct nft_object_type *type;
6090
6091 type = __nft_obj_type_get(objtype);
6092 if (type != NULL && try_module_get(type->owner))
6093 return type;
6094
6095 lockdep_nfnl_nft_mutex_not_held();
6096 #ifdef CONFIG_MODULES
6097 if (type == NULL) {
6098 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
6099 return ERR_PTR(-EAGAIN);
6100 }
6101 #endif
6102 return ERR_PTR(-ENOENT);
6103 }
6104
6105 static int nf_tables_updobj(const struct nft_ctx *ctx,
6106 const struct nft_object_type *type,
6107 const struct nlattr *attr,
6108 struct nft_object *obj)
6109 {
6110 struct nft_object *newobj;
6111 struct nft_trans *trans;
6112 int err;
6113
6114 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
6115 sizeof(struct nft_trans_obj));
6116 if (!trans)
6117 return -ENOMEM;
6118
6119 newobj = nft_obj_init(ctx, type, attr);
6120 if (IS_ERR(newobj)) {
6121 err = PTR_ERR(newobj);
6122 goto err_free_trans;
6123 }
6124
6125 nft_trans_obj(trans) = obj;
6126 nft_trans_obj_update(trans) = true;
6127 nft_trans_obj_newobj(trans) = newobj;
6128 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
6129
6130 return 0;
6131
6132 err_free_trans:
6133 kfree(trans);
6134 return err;
6135 }
6136
6137 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
6138 struct sk_buff *skb, const struct nlmsghdr *nlh,
6139 const struct nlattr * const nla[],
6140 struct netlink_ext_ack *extack)
6141 {
6142 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6143 const struct nft_object_type *type;
6144 u8 genmask = nft_genmask_next(net);
6145 int family = nfmsg->nfgen_family;
6146 struct nft_table *table;
6147 struct nft_object *obj;
6148 struct nft_ctx ctx;
6149 u32 objtype;
6150 int err;
6151
6152 if (!nla[NFTA_OBJ_TYPE] ||
6153 !nla[NFTA_OBJ_NAME] ||
6154 !nla[NFTA_OBJ_DATA])
6155 return -EINVAL;
6156
6157 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
6158 NETLINK_CB(skb).portid);
6159 if (IS_ERR(table)) {
6160 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6161 return PTR_ERR(table);
6162 }
6163
6164 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6165 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
6166 if (IS_ERR(obj)) {
6167 err = PTR_ERR(obj);
6168 if (err != -ENOENT) {
6169 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6170 return err;
6171 }
6172 } else {
6173 if (nlh->nlmsg_flags & NLM_F_EXCL) {
6174 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6175 return -EEXIST;
6176 }
6177 if (nlh->nlmsg_flags & NLM_F_REPLACE)
6178 return -EOPNOTSUPP;
6179
6180 type = __nft_obj_type_get(objtype);
6181 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6182
6183 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
6184 }
6185
6186 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6187
6188 type = nft_obj_type_get(net, objtype);
6189 if (IS_ERR(type))
6190 return PTR_ERR(type);
6191
6192 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
6193 if (IS_ERR(obj)) {
6194 err = PTR_ERR(obj);
6195 goto err_init;
6196 }
6197 obj->key.table = table;
6198 obj->handle = nf_tables_alloc_handle(table);
6199
6200 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
6201 if (!obj->key.name) {
6202 err = -ENOMEM;
6203 goto err_strdup;
6204 }
6205
6206 if (nla[NFTA_OBJ_USERDATA]) {
6207 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL);
6208 if (obj->udata == NULL)
6209 goto err_userdata;
6210
6211 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
6212 }
6213
6214 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
6215 if (err < 0)
6216 goto err_trans;
6217
6218 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
6219 nft_objname_ht_params);
6220 if (err < 0)
6221 goto err_obj_ht;
6222
6223 list_add_tail_rcu(&obj->list, &table->objects);
6224 table->use++;
6225 return 0;
6226 err_obj_ht:
6227 /* queued in transaction log */
6228 INIT_LIST_HEAD(&obj->list);
6229 return err;
6230 err_trans:
6231 kfree(obj->key.name);
6232 err_userdata:
6233 kfree(obj->udata);
6234 err_strdup:
6235 if (obj->ops->destroy)
6236 obj->ops->destroy(&ctx, obj);
6237 kfree(obj);
6238 err_init:
6239 module_put(type->owner);
6240 return err;
6241 }
6242
6243 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
6244 u32 portid, u32 seq, int event, u32 flags,
6245 int family, const struct nft_table *table,
6246 struct nft_object *obj, bool reset)
6247 {
6248 struct nfgenmsg *nfmsg;
6249 struct nlmsghdr *nlh;
6250
6251 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6252 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
6253 if (nlh == NULL)
6254 goto nla_put_failure;
6255
6256 nfmsg = nlmsg_data(nlh);
6257 nfmsg->nfgen_family = family;
6258 nfmsg->version = NFNETLINK_V0;
6259 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6260
6261 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
6262 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
6263 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
6264 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
6265 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
6266 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
6267 NFTA_OBJ_PAD))
6268 goto nla_put_failure;
6269
6270 if (obj->udata &&
6271 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
6272 goto nla_put_failure;
6273
6274 nlmsg_end(skb, nlh);
6275 return 0;
6276
6277 nla_put_failure:
6278 nlmsg_trim(skb, nlh);
6279 return -1;
6280 }
6281
6282 struct nft_obj_filter {
6283 char *table;
6284 u32 type;
6285 };
6286
6287 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
6288 {
6289 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6290 const struct nft_table *table;
6291 unsigned int idx = 0, s_idx = cb->args[0];
6292 struct nft_obj_filter *filter = cb->data;
6293 struct net *net = sock_net(skb->sk);
6294 int family = nfmsg->nfgen_family;
6295 struct nft_object *obj;
6296 bool reset = false;
6297
6298 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
6299 reset = true;
6300
6301 rcu_read_lock();
6302 cb->seq = net->nft.base_seq;
6303
6304 list_for_each_entry_rcu(table, &net->nft.tables, list) {
6305 if (family != NFPROTO_UNSPEC && family != table->family)
6306 continue;
6307
6308 list_for_each_entry_rcu(obj, &table->objects, list) {
6309 if (!nft_is_active(net, obj))
6310 goto cont;
6311 if (idx < s_idx)
6312 goto cont;
6313 if (idx > s_idx)
6314 memset(&cb->args[1], 0,
6315 sizeof(cb->args) - sizeof(cb->args[0]));
6316 if (filter && filter->table &&
6317 strcmp(filter->table, table->name))
6318 goto cont;
6319 if (filter &&
6320 filter->type != NFT_OBJECT_UNSPEC &&
6321 obj->ops->type->type != filter->type)
6322 goto cont;
6323
6324 if (reset) {
6325 char *buf = kasprintf(GFP_ATOMIC,
6326 "%s:%llu;?:0",
6327 table->name,
6328 table->handle);
6329
6330 audit_log_nfcfg(buf,
6331 family,
6332 obj->handle,
6333 AUDIT_NFT_OP_OBJ_RESET,
6334 GFP_ATOMIC);
6335 kfree(buf);
6336 }
6337
6338 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
6339 cb->nlh->nlmsg_seq,
6340 NFT_MSG_NEWOBJ,
6341 NLM_F_MULTI | NLM_F_APPEND,
6342 table->family, table,
6343 obj, reset) < 0)
6344 goto done;
6345
6346 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6347 cont:
6348 idx++;
6349 }
6350 }
6351 done:
6352 rcu_read_unlock();
6353
6354 cb->args[0] = idx;
6355 return skb->len;
6356 }
6357
6358 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
6359 {
6360 const struct nlattr * const *nla = cb->data;
6361 struct nft_obj_filter *filter = NULL;
6362
6363 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
6364 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6365 if (!filter)
6366 return -ENOMEM;
6367
6368 if (nla[NFTA_OBJ_TABLE]) {
6369 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
6370 if (!filter->table) {
6371 kfree(filter);
6372 return -ENOMEM;
6373 }
6374 }
6375
6376 if (nla[NFTA_OBJ_TYPE])
6377 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6378 }
6379
6380 cb->data = filter;
6381 return 0;
6382 }
6383
6384 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
6385 {
6386 struct nft_obj_filter *filter = cb->data;
6387
6388 if (filter) {
6389 kfree(filter->table);
6390 kfree(filter);
6391 }
6392
6393 return 0;
6394 }
6395
6396 /* called with rcu_read_lock held */
6397 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
6398 struct sk_buff *skb, const struct nlmsghdr *nlh,
6399 const struct nlattr * const nla[],
6400 struct netlink_ext_ack *extack)
6401 {
6402 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6403 u8 genmask = nft_genmask_cur(net);
6404 int family = nfmsg->nfgen_family;
6405 const struct nft_table *table;
6406 struct nft_object *obj;
6407 struct sk_buff *skb2;
6408 bool reset = false;
6409 u32 objtype;
6410 int err;
6411
6412 if (nlh->nlmsg_flags & NLM_F_DUMP) {
6413 struct netlink_dump_control c = {
6414 .start = nf_tables_dump_obj_start,
6415 .dump = nf_tables_dump_obj,
6416 .done = nf_tables_dump_obj_done,
6417 .module = THIS_MODULE,
6418 .data = (void *)nla,
6419 };
6420
6421 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
6422 }
6423
6424 if (!nla[NFTA_OBJ_NAME] ||
6425 !nla[NFTA_OBJ_TYPE])
6426 return -EINVAL;
6427
6428 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0);
6429 if (IS_ERR(table)) {
6430 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6431 return PTR_ERR(table);
6432 }
6433
6434 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6435 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
6436 if (IS_ERR(obj)) {
6437 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6438 return PTR_ERR(obj);
6439 }
6440
6441 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6442 if (!skb2)
6443 return -ENOMEM;
6444
6445 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
6446 reset = true;
6447
6448 if (reset) {
6449 char *buf = kasprintf(GFP_ATOMIC, "%s:%llu;?:0",
6450 table->name, table->handle);
6451
6452 audit_log_nfcfg(buf,
6453 family,
6454 obj->handle,
6455 AUDIT_NFT_OP_OBJ_RESET,
6456 GFP_ATOMIC);
6457 kfree(buf);
6458 }
6459
6460 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
6461 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
6462 family, table, obj, reset);
6463 if (err < 0)
6464 goto err_fill_obj_info;
6465
6466 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
6467
6468 err_fill_obj_info:
6469 kfree_skb(skb2);
6470 return err;
6471 }
6472
6473 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
6474 {
6475 if (obj->ops->destroy)
6476 obj->ops->destroy(ctx, obj);
6477
6478 module_put(obj->ops->type->owner);
6479 kfree(obj->key.name);
6480 kfree(obj->udata);
6481 kfree(obj);
6482 }
6483
6484 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
6485 struct sk_buff *skb, const struct nlmsghdr *nlh,
6486 const struct nlattr * const nla[],
6487 struct netlink_ext_ack *extack)
6488 {
6489 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6490 u8 genmask = nft_genmask_next(net);
6491 int family = nfmsg->nfgen_family;
6492 const struct nlattr *attr;
6493 struct nft_table *table;
6494 struct nft_object *obj;
6495 struct nft_ctx ctx;
6496 u32 objtype;
6497
6498 if (!nla[NFTA_OBJ_TYPE] ||
6499 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
6500 return -EINVAL;
6501
6502 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
6503 NETLINK_CB(skb).portid);
6504 if (IS_ERR(table)) {
6505 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6506 return PTR_ERR(table);
6507 }
6508
6509 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6510 if (nla[NFTA_OBJ_HANDLE]) {
6511 attr = nla[NFTA_OBJ_HANDLE];
6512 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
6513 } else {
6514 attr = nla[NFTA_OBJ_NAME];
6515 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
6516 }
6517
6518 if (IS_ERR(obj)) {
6519 NL_SET_BAD_ATTR(extack, attr);
6520 return PTR_ERR(obj);
6521 }
6522 if (obj->use > 0) {
6523 NL_SET_BAD_ATTR(extack, attr);
6524 return -EBUSY;
6525 }
6526
6527 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6528
6529 return nft_delobj(&ctx, obj);
6530 }
6531
6532 void nft_obj_notify(struct net *net, const struct nft_table *table,
6533 struct nft_object *obj, u32 portid, u32 seq, int event,
6534 int family, int report, gfp_t gfp)
6535 {
6536 struct sk_buff *skb;
6537 int err;
6538 char *buf = kasprintf(gfp, "%s:%llu;?:0",
6539 table->name, table->handle);
6540
6541 audit_log_nfcfg(buf,
6542 family,
6543 obj->handle,
6544 event == NFT_MSG_NEWOBJ ?
6545 AUDIT_NFT_OP_OBJ_REGISTER :
6546 AUDIT_NFT_OP_OBJ_UNREGISTER,
6547 gfp);
6548 kfree(buf);
6549
6550 if (!report &&
6551 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6552 return;
6553
6554 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
6555 if (skb == NULL)
6556 goto err;
6557
6558 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
6559 table, obj, false);
6560 if (err < 0) {
6561 kfree_skb(skb);
6562 goto err;
6563 }
6564
6565 nft_notify_enqueue(skb, report, &net->nft.notify_list);
6566 return;
6567 err:
6568 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
6569 }
6570 EXPORT_SYMBOL_GPL(nft_obj_notify);
6571
6572 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
6573 struct nft_object *obj, int event)
6574 {
6575 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
6576 ctx->family, ctx->report, GFP_KERNEL);
6577 }
6578
6579 /*
6580 * Flow tables
6581 */
6582 void nft_register_flowtable_type(struct nf_flowtable_type *type)
6583 {
6584 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6585 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
6586 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6587 }
6588 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
6589
6590 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
6591 {
6592 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6593 list_del_rcu(&type->list);
6594 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6595 }
6596 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
6597
6598 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
6599 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
6600 .len = NFT_NAME_MAXLEN - 1 },
6601 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
6602 .len = NFT_NAME_MAXLEN - 1 },
6603 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
6604 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
6605 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
6606 };
6607
6608 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
6609 const struct nlattr *nla, u8 genmask)
6610 {
6611 struct nft_flowtable *flowtable;
6612
6613 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6614 if (!nla_strcmp(nla, flowtable->name) &&
6615 nft_active_genmask(flowtable, genmask))
6616 return flowtable;
6617 }
6618 return ERR_PTR(-ENOENT);
6619 }
6620 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
6621
6622 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
6623 struct nft_flowtable *flowtable,
6624 enum nft_trans_phase phase)
6625 {
6626 switch (phase) {
6627 case NFT_TRANS_PREPARE:
6628 case NFT_TRANS_ABORT:
6629 case NFT_TRANS_RELEASE:
6630 flowtable->use--;
6631 fallthrough;
6632 default:
6633 return;
6634 }
6635 }
6636 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
6637
6638 static struct nft_flowtable *
6639 nft_flowtable_lookup_byhandle(const struct nft_table *table,
6640 const struct nlattr *nla, u8 genmask)
6641 {
6642 struct nft_flowtable *flowtable;
6643
6644 list_for_each_entry(flowtable, &table->flowtables, list) {
6645 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
6646 nft_active_genmask(flowtable, genmask))
6647 return flowtable;
6648 }
6649 return ERR_PTR(-ENOENT);
6650 }
6651
6652 struct nft_flowtable_hook {
6653 u32 num;
6654 int priority;
6655 struct list_head list;
6656 };
6657
6658 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
6659 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
6660 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
6661 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
6662 };
6663
6664 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
6665 const struct nlattr *attr,
6666 struct nft_flowtable_hook *flowtable_hook,
6667 struct nft_flowtable *flowtable, bool add)
6668 {
6669 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
6670 struct nft_hook *hook;
6671 int hooknum, priority;
6672 int err;
6673
6674 INIT_LIST_HEAD(&flowtable_hook->list);
6675
6676 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
6677 nft_flowtable_hook_policy, NULL);
6678 if (err < 0)
6679 return err;
6680
6681 if (add) {
6682 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
6683 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY])
6684 return -EINVAL;
6685
6686 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
6687 if (hooknum != NF_NETDEV_INGRESS)
6688 return -EOPNOTSUPP;
6689
6690 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
6691
6692 flowtable_hook->priority = priority;
6693 flowtable_hook->num = hooknum;
6694 } else {
6695 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
6696 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
6697 if (hooknum != flowtable->hooknum)
6698 return -EOPNOTSUPP;
6699 }
6700
6701 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
6702 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
6703 if (priority != flowtable->data.priority)
6704 return -EOPNOTSUPP;
6705 }
6706
6707 flowtable_hook->priority = flowtable->data.priority;
6708 flowtable_hook->num = flowtable->hooknum;
6709 }
6710
6711 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
6712 err = nf_tables_parse_netdev_hooks(ctx->net,
6713 tb[NFTA_FLOWTABLE_HOOK_DEVS],
6714 &flowtable_hook->list);
6715 if (err < 0)
6716 return err;
6717 }
6718
6719 list_for_each_entry(hook, &flowtable_hook->list, list) {
6720 hook->ops.pf = NFPROTO_NETDEV;
6721 hook->ops.hooknum = flowtable_hook->num;
6722 hook->ops.priority = flowtable_hook->priority;
6723 hook->ops.priv = &flowtable->data;
6724 hook->ops.hook = flowtable->data.type->hook;
6725 }
6726
6727 return err;
6728 }
6729
6730 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
6731 {
6732 const struct nf_flowtable_type *type;
6733
6734 list_for_each_entry(type, &nf_tables_flowtables, list) {
6735 if (family == type->family)
6736 return type;
6737 }
6738 return NULL;
6739 }
6740
6741 static const struct nf_flowtable_type *
6742 nft_flowtable_type_get(struct net *net, u8 family)
6743 {
6744 const struct nf_flowtable_type *type;
6745
6746 type = __nft_flowtable_type_get(family);
6747 if (type != NULL && try_module_get(type->owner))
6748 return type;
6749
6750 lockdep_nfnl_nft_mutex_not_held();
6751 #ifdef CONFIG_MODULES
6752 if (type == NULL) {
6753 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
6754 return ERR_PTR(-EAGAIN);
6755 }
6756 #endif
6757 return ERR_PTR(-ENOENT);
6758 }
6759
6760 /* Only called from error and netdev event paths. */
6761 static void nft_unregister_flowtable_hook(struct net *net,
6762 struct nft_flowtable *flowtable,
6763 struct nft_hook *hook)
6764 {
6765 nf_unregister_net_hook(net, &hook->ops);
6766 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
6767 FLOW_BLOCK_UNBIND);
6768 }
6769
6770 static void nft_unregister_flowtable_net_hooks(struct net *net,
6771 struct list_head *hook_list)
6772 {
6773 struct nft_hook *hook;
6774
6775 list_for_each_entry(hook, hook_list, list)
6776 nf_unregister_net_hook(net, &hook->ops);
6777 }
6778
6779 static int nft_register_flowtable_net_hooks(struct net *net,
6780 struct nft_table *table,
6781 struct list_head *hook_list,
6782 struct nft_flowtable *flowtable)
6783 {
6784 struct nft_hook *hook, *hook2, *next;
6785 struct nft_flowtable *ft;
6786 int err, i = 0;
6787
6788 list_for_each_entry(hook, hook_list, list) {
6789 list_for_each_entry(ft, &table->flowtables, list) {
6790 list_for_each_entry(hook2, &ft->hook_list, list) {
6791 if (hook->ops.dev == hook2->ops.dev &&
6792 hook->ops.pf == hook2->ops.pf) {
6793 err = -EEXIST;
6794 goto err_unregister_net_hooks;
6795 }
6796 }
6797 }
6798
6799 err = flowtable->data.type->setup(&flowtable->data,
6800 hook->ops.dev,
6801 FLOW_BLOCK_BIND);
6802 if (err < 0)
6803 goto err_unregister_net_hooks;
6804
6805 err = nf_register_net_hook(net, &hook->ops);
6806 if (err < 0) {
6807 flowtable->data.type->setup(&flowtable->data,
6808 hook->ops.dev,
6809 FLOW_BLOCK_UNBIND);
6810 goto err_unregister_net_hooks;
6811 }
6812
6813 i++;
6814 }
6815
6816 return 0;
6817
6818 err_unregister_net_hooks:
6819 list_for_each_entry_safe(hook, next, hook_list, list) {
6820 if (i-- <= 0)
6821 break;
6822
6823 nft_unregister_flowtable_hook(net, flowtable, hook);
6824 list_del_rcu(&hook->list);
6825 kfree_rcu(hook, rcu);
6826 }
6827
6828 return err;
6829 }
6830
6831 static void nft_flowtable_hooks_destroy(struct list_head *hook_list)
6832 {
6833 struct nft_hook *hook, *next;
6834
6835 list_for_each_entry_safe(hook, next, hook_list, list) {
6836 list_del_rcu(&hook->list);
6837 kfree_rcu(hook, rcu);
6838 }
6839 }
6840
6841 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
6842 struct nft_flowtable *flowtable)
6843 {
6844 const struct nlattr * const *nla = ctx->nla;
6845 struct nft_flowtable_hook flowtable_hook;
6846 struct nft_hook *hook, *next;
6847 struct nft_trans *trans;
6848 bool unregister = false;
6849 int err;
6850
6851 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
6852 &flowtable_hook, flowtable, false);
6853 if (err < 0)
6854 return err;
6855
6856 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
6857 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
6858 list_del(&hook->list);
6859 kfree(hook);
6860 }
6861 }
6862
6863 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
6864 &flowtable_hook.list, flowtable);
6865 if (err < 0)
6866 goto err_flowtable_update_hook;
6867
6868 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
6869 sizeof(struct nft_trans_flowtable));
6870 if (!trans) {
6871 unregister = true;
6872 err = -ENOMEM;
6873 goto err_flowtable_update_hook;
6874 }
6875
6876 nft_trans_flowtable(trans) = flowtable;
6877 nft_trans_flowtable_update(trans) = true;
6878 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
6879 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
6880
6881 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
6882
6883 return 0;
6884
6885 err_flowtable_update_hook:
6886 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
6887 if (unregister)
6888 nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
6889 list_del_rcu(&hook->list);
6890 kfree_rcu(hook, rcu);
6891 }
6892
6893 return err;
6894
6895 }
6896
6897 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
6898 struct sk_buff *skb,
6899 const struct nlmsghdr *nlh,
6900 const struct nlattr * const nla[],
6901 struct netlink_ext_ack *extack)
6902 {
6903 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6904 struct nft_flowtable_hook flowtable_hook;
6905 const struct nf_flowtable_type *type;
6906 u8 genmask = nft_genmask_next(net);
6907 int family = nfmsg->nfgen_family;
6908 struct nft_flowtable *flowtable;
6909 struct nft_hook *hook, *next;
6910 struct nft_table *table;
6911 struct nft_ctx ctx;
6912 int err;
6913
6914 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6915 !nla[NFTA_FLOWTABLE_NAME] ||
6916 !nla[NFTA_FLOWTABLE_HOOK])
6917 return -EINVAL;
6918
6919 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6920 genmask, NETLINK_CB(skb).portid);
6921 if (IS_ERR(table)) {
6922 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6923 return PTR_ERR(table);
6924 }
6925
6926 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6927 genmask);
6928 if (IS_ERR(flowtable)) {
6929 err = PTR_ERR(flowtable);
6930 if (err != -ENOENT) {
6931 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6932 return err;
6933 }
6934 } else {
6935 if (nlh->nlmsg_flags & NLM_F_EXCL) {
6936 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6937 return -EEXIST;
6938 }
6939
6940 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6941
6942 return nft_flowtable_update(&ctx, nlh, flowtable);
6943 }
6944
6945 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6946
6947 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
6948 if (!flowtable)
6949 return -ENOMEM;
6950
6951 flowtable->table = table;
6952 flowtable->handle = nf_tables_alloc_handle(table);
6953 INIT_LIST_HEAD(&flowtable->hook_list);
6954
6955 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
6956 if (!flowtable->name) {
6957 err = -ENOMEM;
6958 goto err1;
6959 }
6960
6961 type = nft_flowtable_type_get(net, family);
6962 if (IS_ERR(type)) {
6963 err = PTR_ERR(type);
6964 goto err2;
6965 }
6966
6967 if (nla[NFTA_FLOWTABLE_FLAGS]) {
6968 flowtable->data.flags =
6969 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
6970 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK)
6971 goto err3;
6972 }
6973
6974 write_pnet(&flowtable->data.net, net);
6975 flowtable->data.type = type;
6976 err = type->init(&flowtable->data);
6977 if (err < 0)
6978 goto err3;
6979
6980 err = nft_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
6981 &flowtable_hook, flowtable, true);
6982 if (err < 0)
6983 goto err4;
6984
6985 list_splice(&flowtable_hook.list, &flowtable->hook_list);
6986 flowtable->data.priority = flowtable_hook.priority;
6987 flowtable->hooknum = flowtable_hook.num;
6988
6989 err = nft_register_flowtable_net_hooks(ctx.net, table,
6990 &flowtable->hook_list,
6991 flowtable);
6992 if (err < 0) {
6993 nft_flowtable_hooks_destroy(&flowtable->hook_list);
6994 goto err4;
6995 }
6996
6997 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
6998 if (err < 0)
6999 goto err5;
7000
7001 list_add_tail_rcu(&flowtable->list, &table->flowtables);
7002 table->use++;
7003
7004 return 0;
7005 err5:
7006 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7007 nft_unregister_flowtable_hook(net, flowtable, hook);
7008 list_del_rcu(&hook->list);
7009 kfree_rcu(hook, rcu);
7010 }
7011 err4:
7012 flowtable->data.type->free(&flowtable->data);
7013 err3:
7014 module_put(type->owner);
7015 err2:
7016 kfree(flowtable->name);
7017 err1:
7018 kfree(flowtable);
7019 return err;
7020 }
7021
7022 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
7023 {
7024 struct nft_hook *this, *next;
7025
7026 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
7027 list_del(&this->list);
7028 kfree(this);
7029 }
7030 }
7031
7032 static int nft_delflowtable_hook(struct nft_ctx *ctx,
7033 struct nft_flowtable *flowtable)
7034 {
7035 const struct nlattr * const *nla = ctx->nla;
7036 struct nft_flowtable_hook flowtable_hook;
7037 struct nft_hook *this, *hook;
7038 struct nft_trans *trans;
7039 int err;
7040
7041 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
7042 &flowtable_hook, flowtable, false);
7043 if (err < 0)
7044 return err;
7045
7046 list_for_each_entry(this, &flowtable_hook.list, list) {
7047 hook = nft_hook_list_find(&flowtable->hook_list, this);
7048 if (!hook) {
7049 err = -ENOENT;
7050 goto err_flowtable_del_hook;
7051 }
7052 hook->inactive = true;
7053 }
7054
7055 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
7056 sizeof(struct nft_trans_flowtable));
7057 if (!trans) {
7058 err = -ENOMEM;
7059 goto err_flowtable_del_hook;
7060 }
7061
7062 nft_trans_flowtable(trans) = flowtable;
7063 nft_trans_flowtable_update(trans) = true;
7064 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
7065 nft_flowtable_hook_release(&flowtable_hook);
7066
7067 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
7068
7069 return 0;
7070
7071 err_flowtable_del_hook:
7072 list_for_each_entry(this, &flowtable_hook.list, list) {
7073 hook = nft_hook_list_find(&flowtable->hook_list, this);
7074 if (!hook)
7075 break;
7076
7077 hook->inactive = false;
7078 }
7079 nft_flowtable_hook_release(&flowtable_hook);
7080
7081 return err;
7082 }
7083
7084 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
7085 struct sk_buff *skb,
7086 const struct nlmsghdr *nlh,
7087 const struct nlattr * const nla[],
7088 struct netlink_ext_ack *extack)
7089 {
7090 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
7091 u8 genmask = nft_genmask_next(net);
7092 int family = nfmsg->nfgen_family;
7093 struct nft_flowtable *flowtable;
7094 const struct nlattr *attr;
7095 struct nft_table *table;
7096 struct nft_ctx ctx;
7097
7098 if (!nla[NFTA_FLOWTABLE_TABLE] ||
7099 (!nla[NFTA_FLOWTABLE_NAME] &&
7100 !nla[NFTA_FLOWTABLE_HANDLE]))
7101 return -EINVAL;
7102
7103 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
7104 genmask, NETLINK_CB(skb).portid);
7105 if (IS_ERR(table)) {
7106 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
7107 return PTR_ERR(table);
7108 }
7109
7110 if (nla[NFTA_FLOWTABLE_HANDLE]) {
7111 attr = nla[NFTA_FLOWTABLE_HANDLE];
7112 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
7113 } else {
7114 attr = nla[NFTA_FLOWTABLE_NAME];
7115 flowtable = nft_flowtable_lookup(table, attr, genmask);
7116 }
7117
7118 if (IS_ERR(flowtable)) {
7119 NL_SET_BAD_ATTR(extack, attr);
7120 return PTR_ERR(flowtable);
7121 }
7122
7123 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
7124
7125 if (nla[NFTA_FLOWTABLE_HOOK])
7126 return nft_delflowtable_hook(&ctx, flowtable);
7127
7128 if (flowtable->use > 0) {
7129 NL_SET_BAD_ATTR(extack, attr);
7130 return -EBUSY;
7131 }
7132
7133 return nft_delflowtable(&ctx, flowtable);
7134 }
7135
7136 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
7137 u32 portid, u32 seq, int event,
7138 u32 flags, int family,
7139 struct nft_flowtable *flowtable,
7140 struct list_head *hook_list)
7141 {
7142 struct nlattr *nest, *nest_devs;
7143 struct nfgenmsg *nfmsg;
7144 struct nft_hook *hook;
7145 struct nlmsghdr *nlh;
7146
7147 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
7148 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
7149 if (nlh == NULL)
7150 goto nla_put_failure;
7151
7152 nfmsg = nlmsg_data(nlh);
7153 nfmsg->nfgen_family = family;
7154 nfmsg->version = NFNETLINK_V0;
7155 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
7156
7157 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
7158 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
7159 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
7160 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
7161 NFTA_FLOWTABLE_PAD) ||
7162 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
7163 goto nla_put_failure;
7164
7165 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
7166 if (!nest)
7167 goto nla_put_failure;
7168 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
7169 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
7170 goto nla_put_failure;
7171
7172 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
7173 if (!nest_devs)
7174 goto nla_put_failure;
7175
7176 list_for_each_entry_rcu(hook, hook_list, list) {
7177 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
7178 goto nla_put_failure;
7179 }
7180 nla_nest_end(skb, nest_devs);
7181 nla_nest_end(skb, nest);
7182
7183 nlmsg_end(skb, nlh);
7184 return 0;
7185
7186 nla_put_failure:
7187 nlmsg_trim(skb, nlh);
7188 return -1;
7189 }
7190
7191 struct nft_flowtable_filter {
7192 char *table;
7193 };
7194
7195 static int nf_tables_dump_flowtable(struct sk_buff *skb,
7196 struct netlink_callback *cb)
7197 {
7198 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
7199 struct nft_flowtable_filter *filter = cb->data;
7200 unsigned int idx = 0, s_idx = cb->args[0];
7201 struct net *net = sock_net(skb->sk);
7202 int family = nfmsg->nfgen_family;
7203 struct nft_flowtable *flowtable;
7204 const struct nft_table *table;
7205
7206 rcu_read_lock();
7207 cb->seq = net->nft.base_seq;
7208
7209 list_for_each_entry_rcu(table, &net->nft.tables, list) {
7210 if (family != NFPROTO_UNSPEC && family != table->family)
7211 continue;
7212
7213 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
7214 if (!nft_is_active(net, flowtable))
7215 goto cont;
7216 if (idx < s_idx)
7217 goto cont;
7218 if (idx > s_idx)
7219 memset(&cb->args[1], 0,
7220 sizeof(cb->args) - sizeof(cb->args[0]));
7221 if (filter && filter->table &&
7222 strcmp(filter->table, table->name))
7223 goto cont;
7224
7225 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
7226 cb->nlh->nlmsg_seq,
7227 NFT_MSG_NEWFLOWTABLE,
7228 NLM_F_MULTI | NLM_F_APPEND,
7229 table->family,
7230 flowtable,
7231 &flowtable->hook_list) < 0)
7232 goto done;
7233
7234 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
7235 cont:
7236 idx++;
7237 }
7238 }
7239 done:
7240 rcu_read_unlock();
7241
7242 cb->args[0] = idx;
7243 return skb->len;
7244 }
7245
7246 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
7247 {
7248 const struct nlattr * const *nla = cb->data;
7249 struct nft_flowtable_filter *filter = NULL;
7250
7251 if (nla[NFTA_FLOWTABLE_TABLE]) {
7252 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
7253 if (!filter)
7254 return -ENOMEM;
7255
7256 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
7257 GFP_ATOMIC);
7258 if (!filter->table) {
7259 kfree(filter);
7260 return -ENOMEM;
7261 }
7262 }
7263
7264 cb->data = filter;
7265 return 0;
7266 }
7267
7268 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
7269 {
7270 struct nft_flowtable_filter *filter = cb->data;
7271
7272 if (!filter)
7273 return 0;
7274
7275 kfree(filter->table);
7276 kfree(filter);
7277
7278 return 0;
7279 }
7280
7281 /* called with rcu_read_lock held */
7282 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
7283 struct sk_buff *skb,
7284 const struct nlmsghdr *nlh,
7285 const struct nlattr * const nla[],
7286 struct netlink_ext_ack *extack)
7287 {
7288 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
7289 u8 genmask = nft_genmask_cur(net);
7290 int family = nfmsg->nfgen_family;
7291 struct nft_flowtable *flowtable;
7292 const struct nft_table *table;
7293 struct sk_buff *skb2;
7294 int err;
7295
7296 if (nlh->nlmsg_flags & NLM_F_DUMP) {
7297 struct netlink_dump_control c = {
7298 .start = nf_tables_dump_flowtable_start,
7299 .dump = nf_tables_dump_flowtable,
7300 .done = nf_tables_dump_flowtable_done,
7301 .module = THIS_MODULE,
7302 .data = (void *)nla,
7303 };
7304
7305 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
7306 }
7307
7308 if (!nla[NFTA_FLOWTABLE_NAME])
7309 return -EINVAL;
7310
7311 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
7312 genmask, 0);
7313 if (IS_ERR(table))
7314 return PTR_ERR(table);
7315
7316 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
7317 genmask);
7318 if (IS_ERR(flowtable))
7319 return PTR_ERR(flowtable);
7320
7321 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7322 if (!skb2)
7323 return -ENOMEM;
7324
7325 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
7326 nlh->nlmsg_seq,
7327 NFT_MSG_NEWFLOWTABLE, 0, family,
7328 flowtable, &flowtable->hook_list);
7329 if (err < 0)
7330 goto err_fill_flowtable_info;
7331
7332 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7333
7334 err_fill_flowtable_info:
7335 kfree_skb(skb2);
7336 return err;
7337 }
7338
7339 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
7340 struct nft_flowtable *flowtable,
7341 struct list_head *hook_list,
7342 int event)
7343 {
7344 struct sk_buff *skb;
7345 int err;
7346 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
7347 flowtable->table->name, flowtable->table->handle,
7348 flowtable->name, flowtable->handle);
7349
7350 audit_log_nfcfg(buf,
7351 ctx->family,
7352 flowtable->hooknum,
7353 event == NFT_MSG_NEWFLOWTABLE ?
7354 AUDIT_NFT_OP_FLOWTABLE_REGISTER :
7355 AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
7356 GFP_KERNEL);
7357 kfree(buf);
7358
7359 if (!ctx->report &&
7360 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
7361 return;
7362
7363 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
7364 if (skb == NULL)
7365 goto err;
7366
7367 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
7368 ctx->seq, event, 0,
7369 ctx->family, flowtable, hook_list);
7370 if (err < 0) {
7371 kfree_skb(skb);
7372 goto err;
7373 }
7374
7375 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
7376 return;
7377 err:
7378 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
7379 }
7380
7381 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
7382 {
7383 struct nft_hook *hook, *next;
7384
7385 flowtable->data.type->free(&flowtable->data);
7386 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7387 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
7388 FLOW_BLOCK_UNBIND);
7389 list_del_rcu(&hook->list);
7390 kfree(hook);
7391 }
7392 kfree(flowtable->name);
7393 module_put(flowtable->data.type->owner);
7394 kfree(flowtable);
7395 }
7396
7397 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
7398 u32 portid, u32 seq)
7399 {
7400 struct nlmsghdr *nlh;
7401 struct nfgenmsg *nfmsg;
7402 char buf[TASK_COMM_LEN];
7403 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
7404
7405 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
7406 if (nlh == NULL)
7407 goto nla_put_failure;
7408
7409 nfmsg = nlmsg_data(nlh);
7410 nfmsg->nfgen_family = AF_UNSPEC;
7411 nfmsg->version = NFNETLINK_V0;
7412 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
7413
7414 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
7415 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
7416 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
7417 goto nla_put_failure;
7418
7419 nlmsg_end(skb, nlh);
7420 return 0;
7421
7422 nla_put_failure:
7423 nlmsg_trim(skb, nlh);
7424 return -EMSGSIZE;
7425 }
7426
7427 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
7428 struct nft_flowtable *flowtable)
7429 {
7430 struct nft_hook *hook;
7431
7432 list_for_each_entry(hook, &flowtable->hook_list, list) {
7433 if (hook->ops.dev != dev)
7434 continue;
7435
7436 /* flow_offload_netdev_event() cleans up entries for us. */
7437 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
7438 list_del_rcu(&hook->list);
7439 kfree_rcu(hook, rcu);
7440 break;
7441 }
7442 }
7443
7444 static int nf_tables_flowtable_event(struct notifier_block *this,
7445 unsigned long event, void *ptr)
7446 {
7447 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
7448 struct nft_flowtable *flowtable;
7449 struct nft_table *table;
7450 struct net *net;
7451
7452 if (event != NETDEV_UNREGISTER)
7453 return 0;
7454
7455 net = dev_net(dev);
7456 mutex_lock(&net->nft.commit_mutex);
7457 list_for_each_entry(table, &net->nft.tables, list) {
7458 list_for_each_entry(flowtable, &table->flowtables, list) {
7459 nft_flowtable_event(event, dev, flowtable);
7460 }
7461 }
7462 mutex_unlock(&net->nft.commit_mutex);
7463
7464 return NOTIFY_DONE;
7465 }
7466
7467 static struct notifier_block nf_tables_flowtable_notifier = {
7468 .notifier_call = nf_tables_flowtable_event,
7469 };
7470
7471 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
7472 int event)
7473 {
7474 struct nlmsghdr *nlh = nlmsg_hdr(skb);
7475 struct sk_buff *skb2;
7476 int err;
7477
7478 audit_log_nfcfg("?:0;?:0", 0, net->nft.base_seq,
7479 AUDIT_NFT_OP_GEN_REGISTER, GFP_KERNEL);
7480
7481 if (!nlmsg_report(nlh) &&
7482 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
7483 return;
7484
7485 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
7486 if (skb2 == NULL)
7487 goto err;
7488
7489 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
7490 nlh->nlmsg_seq);
7491 if (err < 0) {
7492 kfree_skb(skb2);
7493 goto err;
7494 }
7495
7496 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
7497 nlmsg_report(nlh), GFP_KERNEL);
7498 return;
7499 err:
7500 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
7501 -ENOBUFS);
7502 }
7503
7504 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
7505 struct sk_buff *skb, const struct nlmsghdr *nlh,
7506 const struct nlattr * const nla[],
7507 struct netlink_ext_ack *extack)
7508 {
7509 struct sk_buff *skb2;
7510 int err;
7511
7512 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7513 if (skb2 == NULL)
7514 return -ENOMEM;
7515
7516 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
7517 nlh->nlmsg_seq);
7518 if (err < 0)
7519 goto err_fill_gen_info;
7520
7521 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7522
7523 err_fill_gen_info:
7524 kfree_skb(skb2);
7525 return err;
7526 }
7527
7528 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
7529 [NFT_MSG_NEWTABLE] = {
7530 .call_batch = nf_tables_newtable,
7531 .attr_count = NFTA_TABLE_MAX,
7532 .policy = nft_table_policy,
7533 },
7534 [NFT_MSG_GETTABLE] = {
7535 .call_rcu = nf_tables_gettable,
7536 .attr_count = NFTA_TABLE_MAX,
7537 .policy = nft_table_policy,
7538 },
7539 [NFT_MSG_DELTABLE] = {
7540 .call_batch = nf_tables_deltable,
7541 .attr_count = NFTA_TABLE_MAX,
7542 .policy = nft_table_policy,
7543 },
7544 [NFT_MSG_NEWCHAIN] = {
7545 .call_batch = nf_tables_newchain,
7546 .attr_count = NFTA_CHAIN_MAX,
7547 .policy = nft_chain_policy,
7548 },
7549 [NFT_MSG_GETCHAIN] = {
7550 .call_rcu = nf_tables_getchain,
7551 .attr_count = NFTA_CHAIN_MAX,
7552 .policy = nft_chain_policy,
7553 },
7554 [NFT_MSG_DELCHAIN] = {
7555 .call_batch = nf_tables_delchain,
7556 .attr_count = NFTA_CHAIN_MAX,
7557 .policy = nft_chain_policy,
7558 },
7559 [NFT_MSG_NEWRULE] = {
7560 .call_batch = nf_tables_newrule,
7561 .attr_count = NFTA_RULE_MAX,
7562 .policy = nft_rule_policy,
7563 },
7564 [NFT_MSG_GETRULE] = {
7565 .call_rcu = nf_tables_getrule,
7566 .attr_count = NFTA_RULE_MAX,
7567 .policy = nft_rule_policy,
7568 },
7569 [NFT_MSG_DELRULE] = {
7570 .call_batch = nf_tables_delrule,
7571 .attr_count = NFTA_RULE_MAX,
7572 .policy = nft_rule_policy,
7573 },
7574 [NFT_MSG_NEWSET] = {
7575 .call_batch = nf_tables_newset,
7576 .attr_count = NFTA_SET_MAX,
7577 .policy = nft_set_policy,
7578 },
7579 [NFT_MSG_GETSET] = {
7580 .call_rcu = nf_tables_getset,
7581 .attr_count = NFTA_SET_MAX,
7582 .policy = nft_set_policy,
7583 },
7584 [NFT_MSG_DELSET] = {
7585 .call_batch = nf_tables_delset,
7586 .attr_count = NFTA_SET_MAX,
7587 .policy = nft_set_policy,
7588 },
7589 [NFT_MSG_NEWSETELEM] = {
7590 .call_batch = nf_tables_newsetelem,
7591 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7592 .policy = nft_set_elem_list_policy,
7593 },
7594 [NFT_MSG_GETSETELEM] = {
7595 .call_rcu = nf_tables_getsetelem,
7596 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7597 .policy = nft_set_elem_list_policy,
7598 },
7599 [NFT_MSG_DELSETELEM] = {
7600 .call_batch = nf_tables_delsetelem,
7601 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7602 .policy = nft_set_elem_list_policy,
7603 },
7604 [NFT_MSG_GETGEN] = {
7605 .call_rcu = nf_tables_getgen,
7606 },
7607 [NFT_MSG_NEWOBJ] = {
7608 .call_batch = nf_tables_newobj,
7609 .attr_count = NFTA_OBJ_MAX,
7610 .policy = nft_obj_policy,
7611 },
7612 [NFT_MSG_GETOBJ] = {
7613 .call_rcu = nf_tables_getobj,
7614 .attr_count = NFTA_OBJ_MAX,
7615 .policy = nft_obj_policy,
7616 },
7617 [NFT_MSG_DELOBJ] = {
7618 .call_batch = nf_tables_delobj,
7619 .attr_count = NFTA_OBJ_MAX,
7620 .policy = nft_obj_policy,
7621 },
7622 [NFT_MSG_GETOBJ_RESET] = {
7623 .call_rcu = nf_tables_getobj,
7624 .attr_count = NFTA_OBJ_MAX,
7625 .policy = nft_obj_policy,
7626 },
7627 [NFT_MSG_NEWFLOWTABLE] = {
7628 .call_batch = nf_tables_newflowtable,
7629 .attr_count = NFTA_FLOWTABLE_MAX,
7630 .policy = nft_flowtable_policy,
7631 },
7632 [NFT_MSG_GETFLOWTABLE] = {
7633 .call_rcu = nf_tables_getflowtable,
7634 .attr_count = NFTA_FLOWTABLE_MAX,
7635 .policy = nft_flowtable_policy,
7636 },
7637 [NFT_MSG_DELFLOWTABLE] = {
7638 .call_batch = nf_tables_delflowtable,
7639 .attr_count = NFTA_FLOWTABLE_MAX,
7640 .policy = nft_flowtable_policy,
7641 },
7642 };
7643
7644 static int nf_tables_validate(struct net *net)
7645 {
7646 struct nft_table *table;
7647
7648 switch (net->nft.validate_state) {
7649 case NFT_VALIDATE_SKIP:
7650 break;
7651 case NFT_VALIDATE_NEED:
7652 nft_validate_state_update(net, NFT_VALIDATE_DO);
7653 fallthrough;
7654 case NFT_VALIDATE_DO:
7655 list_for_each_entry(table, &net->nft.tables, list) {
7656 if (nft_table_validate(net, table) < 0)
7657 return -EAGAIN;
7658 }
7659 break;
7660 }
7661
7662 return 0;
7663 }
7664
7665 /* a drop policy has to be deferred until all rules have been activated,
7666 * otherwise a large ruleset that contains a drop-policy base chain will
7667 * cause all packets to get dropped until the full transaction has been
7668 * processed.
7669 *
7670 * We defer the drop policy until the transaction has been finalized.
7671 */
7672 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
7673 {
7674 struct nft_base_chain *basechain;
7675
7676 if (nft_trans_chain_policy(trans) != NF_DROP)
7677 return;
7678
7679 if (!nft_is_base_chain(trans->ctx.chain))
7680 return;
7681
7682 basechain = nft_base_chain(trans->ctx.chain);
7683 basechain->policy = NF_DROP;
7684 }
7685
7686 static void nft_chain_commit_update(struct nft_trans *trans)
7687 {
7688 struct nft_base_chain *basechain;
7689
7690 if (nft_trans_chain_name(trans)) {
7691 rhltable_remove(&trans->ctx.table->chains_ht,
7692 &trans->ctx.chain->rhlhead,
7693 nft_chain_ht_params);
7694 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
7695 rhltable_insert_key(&trans->ctx.table->chains_ht,
7696 trans->ctx.chain->name,
7697 &trans->ctx.chain->rhlhead,
7698 nft_chain_ht_params);
7699 }
7700
7701 if (!nft_is_base_chain(trans->ctx.chain))
7702 return;
7703
7704 nft_chain_stats_replace(trans);
7705
7706 basechain = nft_base_chain(trans->ctx.chain);
7707
7708 switch (nft_trans_chain_policy(trans)) {
7709 case NF_DROP:
7710 case NF_ACCEPT:
7711 basechain->policy = nft_trans_chain_policy(trans);
7712 break;
7713 }
7714 }
7715
7716 static void nft_obj_commit_update(struct nft_trans *trans)
7717 {
7718 struct nft_object *newobj;
7719 struct nft_object *obj;
7720
7721 obj = nft_trans_obj(trans);
7722 newobj = nft_trans_obj_newobj(trans);
7723
7724 if (obj->ops->update)
7725 obj->ops->update(obj, newobj);
7726
7727 kfree(newobj);
7728 }
7729
7730 static void nft_commit_release(struct nft_trans *trans)
7731 {
7732 switch (trans->msg_type) {
7733 case NFT_MSG_DELTABLE:
7734 nf_tables_table_destroy(&trans->ctx);
7735 break;
7736 case NFT_MSG_NEWCHAIN:
7737 free_percpu(nft_trans_chain_stats(trans));
7738 kfree(nft_trans_chain_name(trans));
7739 break;
7740 case NFT_MSG_DELCHAIN:
7741 nf_tables_chain_destroy(&trans->ctx);
7742 break;
7743 case NFT_MSG_DELRULE:
7744 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
7745 break;
7746 case NFT_MSG_DELSET:
7747 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
7748 break;
7749 case NFT_MSG_DELSETELEM:
7750 nf_tables_set_elem_destroy(&trans->ctx,
7751 nft_trans_elem_set(trans),
7752 nft_trans_elem(trans).priv);
7753 break;
7754 case NFT_MSG_DELOBJ:
7755 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
7756 break;
7757 case NFT_MSG_DELFLOWTABLE:
7758 if (nft_trans_flowtable_update(trans))
7759 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
7760 else
7761 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
7762 break;
7763 }
7764
7765 if (trans->put_net)
7766 put_net(trans->ctx.net);
7767
7768 kfree(trans);
7769 }
7770
7771 static void nf_tables_trans_destroy_work(struct work_struct *w)
7772 {
7773 struct nft_trans *trans, *next;
7774 LIST_HEAD(head);
7775
7776 spin_lock(&nf_tables_destroy_list_lock);
7777 list_splice_init(&nf_tables_destroy_list, &head);
7778 spin_unlock(&nf_tables_destroy_list_lock);
7779
7780 if (list_empty(&head))
7781 return;
7782
7783 synchronize_rcu();
7784
7785 list_for_each_entry_safe(trans, next, &head, list) {
7786 list_del(&trans->list);
7787 nft_commit_release(trans);
7788 }
7789 }
7790
7791 void nf_tables_trans_destroy_flush_work(void)
7792 {
7793 flush_work(&trans_destroy_work);
7794 }
7795 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
7796
7797 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
7798 {
7799 struct nft_rule *rule;
7800 unsigned int alloc = 0;
7801 int i;
7802
7803 /* already handled or inactive chain? */
7804 if (chain->rules_next || !nft_is_active_next(net, chain))
7805 return 0;
7806
7807 rule = list_entry(&chain->rules, struct nft_rule, list);
7808 i = 0;
7809
7810 list_for_each_entry_continue(rule, &chain->rules, list) {
7811 if (nft_is_active_next(net, rule))
7812 alloc++;
7813 }
7814
7815 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
7816 if (!chain->rules_next)
7817 return -ENOMEM;
7818
7819 list_for_each_entry_continue(rule, &chain->rules, list) {
7820 if (nft_is_active_next(net, rule))
7821 chain->rules_next[i++] = rule;
7822 }
7823
7824 chain->rules_next[i] = NULL;
7825 return 0;
7826 }
7827
7828 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
7829 {
7830 struct nft_trans *trans, *next;
7831
7832 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7833 struct nft_chain *chain = trans->ctx.chain;
7834
7835 if (trans->msg_type == NFT_MSG_NEWRULE ||
7836 trans->msg_type == NFT_MSG_DELRULE) {
7837 kvfree(chain->rules_next);
7838 chain->rules_next = NULL;
7839 }
7840 }
7841 }
7842
7843 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
7844 {
7845 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
7846
7847 kvfree(o->start);
7848 }
7849
7850 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
7851 {
7852 struct nft_rule **r = rules;
7853 struct nft_rules_old *old;
7854
7855 while (*r)
7856 r++;
7857
7858 r++; /* rcu_head is after end marker */
7859 old = (void *) r;
7860 old->start = rules;
7861
7862 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
7863 }
7864
7865 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
7866 {
7867 struct nft_rule **g0, **g1;
7868 bool next_genbit;
7869
7870 next_genbit = nft_gencursor_next(net);
7871
7872 g0 = rcu_dereference_protected(chain->rules_gen_0,
7873 lockdep_commit_lock_is_held(net));
7874 g1 = rcu_dereference_protected(chain->rules_gen_1,
7875 lockdep_commit_lock_is_held(net));
7876
7877 /* No changes to this chain? */
7878 if (chain->rules_next == NULL) {
7879 /* chain had no change in last or next generation */
7880 if (g0 == g1)
7881 return;
7882 /*
7883 * chain had no change in this generation; make sure next
7884 * one uses same rules as current generation.
7885 */
7886 if (next_genbit) {
7887 rcu_assign_pointer(chain->rules_gen_1, g0);
7888 nf_tables_commit_chain_free_rules_old(g1);
7889 } else {
7890 rcu_assign_pointer(chain->rules_gen_0, g1);
7891 nf_tables_commit_chain_free_rules_old(g0);
7892 }
7893
7894 return;
7895 }
7896
7897 if (next_genbit)
7898 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
7899 else
7900 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
7901
7902 chain->rules_next = NULL;
7903
7904 if (g0 == g1)
7905 return;
7906
7907 if (next_genbit)
7908 nf_tables_commit_chain_free_rules_old(g1);
7909 else
7910 nf_tables_commit_chain_free_rules_old(g0);
7911 }
7912
7913 static void nft_obj_del(struct nft_object *obj)
7914 {
7915 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
7916 list_del_rcu(&obj->list);
7917 }
7918
7919 void nft_chain_del(struct nft_chain *chain)
7920 {
7921 struct nft_table *table = chain->table;
7922
7923 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
7924 nft_chain_ht_params));
7925 list_del_rcu(&chain->list);
7926 }
7927
7928 static void nft_flowtable_hooks_del(struct nft_flowtable *flowtable,
7929 struct list_head *hook_list)
7930 {
7931 struct nft_hook *hook, *next;
7932
7933 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7934 if (hook->inactive)
7935 list_move(&hook->list, hook_list);
7936 }
7937 }
7938
7939 static void nf_tables_module_autoload_cleanup(struct net *net)
7940 {
7941 struct nft_module_request *req, *next;
7942
7943 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
7944 list_for_each_entry_safe(req, next, &net->nft.module_list, list) {
7945 WARN_ON_ONCE(!req->done);
7946 list_del(&req->list);
7947 kfree(req);
7948 }
7949 }
7950
7951 static void nf_tables_commit_release(struct net *net)
7952 {
7953 struct nft_trans *trans;
7954
7955 /* all side effects have to be made visible.
7956 * For example, if a chain named 'foo' has been deleted, a
7957 * new transaction must not find it anymore.
7958 *
7959 * Memory reclaim happens asynchronously from work queue
7960 * to prevent expensive synchronize_rcu() in commit phase.
7961 */
7962 if (list_empty(&net->nft.commit_list)) {
7963 nf_tables_module_autoload_cleanup(net);
7964 mutex_unlock(&net->nft.commit_mutex);
7965 return;
7966 }
7967
7968 trans = list_last_entry(&net->nft.commit_list,
7969 struct nft_trans, list);
7970 get_net(trans->ctx.net);
7971 WARN_ON_ONCE(trans->put_net);
7972
7973 trans->put_net = true;
7974 spin_lock(&nf_tables_destroy_list_lock);
7975 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
7976 spin_unlock(&nf_tables_destroy_list_lock);
7977
7978 nf_tables_module_autoload_cleanup(net);
7979 schedule_work(&trans_destroy_work);
7980
7981 mutex_unlock(&net->nft.commit_mutex);
7982 }
7983
7984 static void nft_commit_notify(struct net *net, u32 portid)
7985 {
7986 struct sk_buff *batch_skb = NULL, *nskb, *skb;
7987 unsigned char *data;
7988 int len;
7989
7990 list_for_each_entry_safe(skb, nskb, &net->nft.notify_list, list) {
7991 if (!batch_skb) {
7992 new_batch:
7993 batch_skb = skb;
7994 len = NLMSG_GOODSIZE - skb->len;
7995 list_del(&skb->list);
7996 continue;
7997 }
7998 len -= skb->len;
7999 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
8000 data = skb_put(batch_skb, skb->len);
8001 memcpy(data, skb->data, skb->len);
8002 list_del(&skb->list);
8003 kfree_skb(skb);
8004 continue;
8005 }
8006 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
8007 NFT_CB(batch_skb).report, GFP_KERNEL);
8008 goto new_batch;
8009 }
8010
8011 if (batch_skb) {
8012 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
8013 NFT_CB(batch_skb).report, GFP_KERNEL);
8014 }
8015
8016 WARN_ON_ONCE(!list_empty(&net->nft.notify_list));
8017 }
8018
8019 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
8020 {
8021 struct nft_trans *trans, *next;
8022 struct nft_trans_elem *te;
8023 struct nft_chain *chain;
8024 struct nft_table *table;
8025 int err;
8026
8027 if (list_empty(&net->nft.commit_list)) {
8028 mutex_unlock(&net->nft.commit_mutex);
8029 return 0;
8030 }
8031
8032 /* 0. Validate ruleset, otherwise roll back for error reporting. */
8033 if (nf_tables_validate(net) < 0)
8034 return -EAGAIN;
8035
8036 err = nft_flow_rule_offload_commit(net);
8037 if (err < 0)
8038 return err;
8039
8040 /* 1. Allocate space for next generation rules_gen_X[] */
8041 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
8042 int ret;
8043
8044 if (trans->msg_type == NFT_MSG_NEWRULE ||
8045 trans->msg_type == NFT_MSG_DELRULE) {
8046 chain = trans->ctx.chain;
8047
8048 ret = nf_tables_commit_chain_prepare(net, chain);
8049 if (ret < 0) {
8050 nf_tables_commit_chain_prepare_cancel(net);
8051 return ret;
8052 }
8053 }
8054 }
8055
8056 /* step 2. Make rules_gen_X visible to packet path */
8057 list_for_each_entry(table, &net->nft.tables, list) {
8058 list_for_each_entry(chain, &table->chains, list)
8059 nf_tables_commit_chain(net, chain);
8060 }
8061
8062 /*
8063 * Bump generation counter, invalidate any dump in progress.
8064 * Cannot fail after this point.
8065 */
8066 while (++net->nft.base_seq == 0);
8067
8068 /* step 3. Start new generation, rules_gen_X now in use. */
8069 net->nft.gencursor = nft_gencursor_next(net);
8070
8071 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
8072 switch (trans->msg_type) {
8073 case NFT_MSG_NEWTABLE:
8074 if (nft_trans_table_update(trans)) {
8075 if (nft_trans_table_state(trans) == NFT_TABLE_STATE_DORMANT)
8076 nf_tables_table_disable(net, trans->ctx.table);
8077
8078 trans->ctx.table->flags = nft_trans_table_flags(trans);
8079 } else {
8080 nft_clear(net, trans->ctx.table);
8081 }
8082 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
8083 nft_trans_destroy(trans);
8084 break;
8085 case NFT_MSG_DELTABLE:
8086 list_del_rcu(&trans->ctx.table->list);
8087 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
8088 break;
8089 case NFT_MSG_NEWCHAIN:
8090 if (nft_trans_chain_update(trans)) {
8091 nft_chain_commit_update(trans);
8092 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
8093 /* trans destroyed after rcu grace period */
8094 } else {
8095 nft_chain_commit_drop_policy(trans);
8096 nft_clear(net, trans->ctx.chain);
8097 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
8098 nft_trans_destroy(trans);
8099 }
8100 break;
8101 case NFT_MSG_DELCHAIN:
8102 nft_chain_del(trans->ctx.chain);
8103 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
8104 nf_tables_unregister_hook(trans->ctx.net,
8105 trans->ctx.table,
8106 trans->ctx.chain);
8107 break;
8108 case NFT_MSG_NEWRULE:
8109 nft_clear(trans->ctx.net, nft_trans_rule(trans));
8110 nf_tables_rule_notify(&trans->ctx,
8111 nft_trans_rule(trans),
8112 NFT_MSG_NEWRULE);
8113 nft_trans_destroy(trans);
8114 break;
8115 case NFT_MSG_DELRULE:
8116 list_del_rcu(&nft_trans_rule(trans)->list);
8117 nf_tables_rule_notify(&trans->ctx,
8118 nft_trans_rule(trans),
8119 NFT_MSG_DELRULE);
8120 nft_rule_expr_deactivate(&trans->ctx,
8121 nft_trans_rule(trans),
8122 NFT_TRANS_COMMIT);
8123 break;
8124 case NFT_MSG_NEWSET:
8125 nft_clear(net, nft_trans_set(trans));
8126 /* This avoids hitting -EBUSY when deleting the table
8127 * from the transaction.
8128 */
8129 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
8130 !list_empty(&nft_trans_set(trans)->bindings))
8131 trans->ctx.table->use--;
8132
8133 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
8134 NFT_MSG_NEWSET, GFP_KERNEL);
8135 nft_trans_destroy(trans);
8136 break;
8137 case NFT_MSG_DELSET:
8138 list_del_rcu(&nft_trans_set(trans)->list);
8139 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
8140 NFT_MSG_DELSET, GFP_KERNEL);
8141 break;
8142 case NFT_MSG_NEWSETELEM:
8143 te = (struct nft_trans_elem *)trans->data;
8144
8145 te->set->ops->activate(net, te->set, &te->elem);
8146 nf_tables_setelem_notify(&trans->ctx, te->set,
8147 &te->elem,
8148 NFT_MSG_NEWSETELEM, 0);
8149 nft_trans_destroy(trans);
8150 break;
8151 case NFT_MSG_DELSETELEM:
8152 te = (struct nft_trans_elem *)trans->data;
8153
8154 nf_tables_setelem_notify(&trans->ctx, te->set,
8155 &te->elem,
8156 NFT_MSG_DELSETELEM, 0);
8157 te->set->ops->remove(net, te->set, &te->elem);
8158 atomic_dec(&te->set->nelems);
8159 te->set->ndeact--;
8160 break;
8161 case NFT_MSG_NEWOBJ:
8162 if (nft_trans_obj_update(trans)) {
8163 nft_obj_commit_update(trans);
8164 nf_tables_obj_notify(&trans->ctx,
8165 nft_trans_obj(trans),
8166 NFT_MSG_NEWOBJ);
8167 } else {
8168 nft_clear(net, nft_trans_obj(trans));
8169 nf_tables_obj_notify(&trans->ctx,
8170 nft_trans_obj(trans),
8171 NFT_MSG_NEWOBJ);
8172 nft_trans_destroy(trans);
8173 }
8174 break;
8175 case NFT_MSG_DELOBJ:
8176 nft_obj_del(nft_trans_obj(trans));
8177 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
8178 NFT_MSG_DELOBJ);
8179 break;
8180 case NFT_MSG_NEWFLOWTABLE:
8181 if (nft_trans_flowtable_update(trans)) {
8182 nf_tables_flowtable_notify(&trans->ctx,
8183 nft_trans_flowtable(trans),
8184 &nft_trans_flowtable_hooks(trans),
8185 NFT_MSG_NEWFLOWTABLE);
8186 list_splice(&nft_trans_flowtable_hooks(trans),
8187 &nft_trans_flowtable(trans)->hook_list);
8188 } else {
8189 nft_clear(net, nft_trans_flowtable(trans));
8190 nf_tables_flowtable_notify(&trans->ctx,
8191 nft_trans_flowtable(trans),
8192 &nft_trans_flowtable(trans)->hook_list,
8193 NFT_MSG_NEWFLOWTABLE);
8194 }
8195 nft_trans_destroy(trans);
8196 break;
8197 case NFT_MSG_DELFLOWTABLE:
8198 if (nft_trans_flowtable_update(trans)) {
8199 nft_flowtable_hooks_del(nft_trans_flowtable(trans),
8200 &nft_trans_flowtable_hooks(trans));
8201 nf_tables_flowtable_notify(&trans->ctx,
8202 nft_trans_flowtable(trans),
8203 &nft_trans_flowtable_hooks(trans),
8204 NFT_MSG_DELFLOWTABLE);
8205 nft_unregister_flowtable_net_hooks(net,
8206 &nft_trans_flowtable_hooks(trans));
8207 } else {
8208 list_del_rcu(&nft_trans_flowtable(trans)->list);
8209 nf_tables_flowtable_notify(&trans->ctx,
8210 nft_trans_flowtable(trans),
8211 &nft_trans_flowtable(trans)->hook_list,
8212 NFT_MSG_DELFLOWTABLE);
8213 nft_unregister_flowtable_net_hooks(net,
8214 &nft_trans_flowtable(trans)->hook_list);
8215 }
8216 break;
8217 }
8218 }
8219
8220 nft_commit_notify(net, NETLINK_CB(skb).portid);
8221 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
8222 nf_tables_commit_release(net);
8223
8224 return 0;
8225 }
8226
8227 static void nf_tables_module_autoload(struct net *net)
8228 {
8229 struct nft_module_request *req, *next;
8230 LIST_HEAD(module_list);
8231
8232 list_splice_init(&net->nft.module_list, &module_list);
8233 mutex_unlock(&net->nft.commit_mutex);
8234 list_for_each_entry_safe(req, next, &module_list, list) {
8235 request_module("%s", req->module);
8236 req->done = true;
8237 }
8238 mutex_lock(&net->nft.commit_mutex);
8239 list_splice(&module_list, &net->nft.module_list);
8240 }
8241
8242 static void nf_tables_abort_release(struct nft_trans *trans)
8243 {
8244 switch (trans->msg_type) {
8245 case NFT_MSG_NEWTABLE:
8246 nf_tables_table_destroy(&trans->ctx);
8247 break;
8248 case NFT_MSG_NEWCHAIN:
8249 nf_tables_chain_destroy(&trans->ctx);
8250 break;
8251 case NFT_MSG_NEWRULE:
8252 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
8253 break;
8254 case NFT_MSG_NEWSET:
8255 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
8256 break;
8257 case NFT_MSG_NEWSETELEM:
8258 nft_set_elem_destroy(nft_trans_elem_set(trans),
8259 nft_trans_elem(trans).priv, true);
8260 break;
8261 case NFT_MSG_NEWOBJ:
8262 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
8263 break;
8264 case NFT_MSG_NEWFLOWTABLE:
8265 if (nft_trans_flowtable_update(trans))
8266 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
8267 else
8268 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
8269 break;
8270 }
8271 kfree(trans);
8272 }
8273
8274 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
8275 {
8276 struct nft_trans *trans, *next;
8277 struct nft_trans_elem *te;
8278 struct nft_hook *hook;
8279
8280 if (action == NFNL_ABORT_VALIDATE &&
8281 nf_tables_validate(net) < 0)
8282 return -EAGAIN;
8283
8284 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
8285 list) {
8286 switch (trans->msg_type) {
8287 case NFT_MSG_NEWTABLE:
8288 if (nft_trans_table_update(trans)) {
8289 if (nft_trans_table_state(trans) == NFT_TABLE_STATE_WAKEUP)
8290 nf_tables_table_disable(net, trans->ctx.table);
8291
8292 nft_trans_destroy(trans);
8293 } else {
8294 list_del_rcu(&trans->ctx.table->list);
8295 }
8296 break;
8297 case NFT_MSG_DELTABLE:
8298 nft_clear(trans->ctx.net, trans->ctx.table);
8299 nft_trans_destroy(trans);
8300 break;
8301 case NFT_MSG_NEWCHAIN:
8302 if (nft_trans_chain_update(trans)) {
8303 free_percpu(nft_trans_chain_stats(trans));
8304 kfree(nft_trans_chain_name(trans));
8305 nft_trans_destroy(trans);
8306 } else {
8307 if (nft_chain_is_bound(trans->ctx.chain)) {
8308 nft_trans_destroy(trans);
8309 break;
8310 }
8311 trans->ctx.table->use--;
8312 nft_chain_del(trans->ctx.chain);
8313 nf_tables_unregister_hook(trans->ctx.net,
8314 trans->ctx.table,
8315 trans->ctx.chain);
8316 }
8317 break;
8318 case NFT_MSG_DELCHAIN:
8319 trans->ctx.table->use++;
8320 nft_clear(trans->ctx.net, trans->ctx.chain);
8321 nft_trans_destroy(trans);
8322 break;
8323 case NFT_MSG_NEWRULE:
8324 trans->ctx.chain->use--;
8325 list_del_rcu(&nft_trans_rule(trans)->list);
8326 nft_rule_expr_deactivate(&trans->ctx,
8327 nft_trans_rule(trans),
8328 NFT_TRANS_ABORT);
8329 break;
8330 case NFT_MSG_DELRULE:
8331 trans->ctx.chain->use++;
8332 nft_clear(trans->ctx.net, nft_trans_rule(trans));
8333 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
8334 nft_trans_destroy(trans);
8335 break;
8336 case NFT_MSG_NEWSET:
8337 trans->ctx.table->use--;
8338 if (nft_trans_set_bound(trans)) {
8339 nft_trans_destroy(trans);
8340 break;
8341 }
8342 list_del_rcu(&nft_trans_set(trans)->list);
8343 break;
8344 case NFT_MSG_DELSET:
8345 trans->ctx.table->use++;
8346 nft_clear(trans->ctx.net, nft_trans_set(trans));
8347 nft_trans_destroy(trans);
8348 break;
8349 case NFT_MSG_NEWSETELEM:
8350 if (nft_trans_elem_set_bound(trans)) {
8351 nft_trans_destroy(trans);
8352 break;
8353 }
8354 te = (struct nft_trans_elem *)trans->data;
8355 te->set->ops->remove(net, te->set, &te->elem);
8356 atomic_dec(&te->set->nelems);
8357 break;
8358 case NFT_MSG_DELSETELEM:
8359 te = (struct nft_trans_elem *)trans->data;
8360
8361 nft_set_elem_activate(net, te->set, &te->elem);
8362 te->set->ops->activate(net, te->set, &te->elem);
8363 te->set->ndeact--;
8364
8365 nft_trans_destroy(trans);
8366 break;
8367 case NFT_MSG_NEWOBJ:
8368 if (nft_trans_obj_update(trans)) {
8369 kfree(nft_trans_obj_newobj(trans));
8370 nft_trans_destroy(trans);
8371 } else {
8372 trans->ctx.table->use--;
8373 nft_obj_del(nft_trans_obj(trans));
8374 }
8375 break;
8376 case NFT_MSG_DELOBJ:
8377 trans->ctx.table->use++;
8378 nft_clear(trans->ctx.net, nft_trans_obj(trans));
8379 nft_trans_destroy(trans);
8380 break;
8381 case NFT_MSG_NEWFLOWTABLE:
8382 if (nft_trans_flowtable_update(trans)) {
8383 nft_unregister_flowtable_net_hooks(net,
8384 &nft_trans_flowtable_hooks(trans));
8385 } else {
8386 trans->ctx.table->use--;
8387 list_del_rcu(&nft_trans_flowtable(trans)->list);
8388 nft_unregister_flowtable_net_hooks(net,
8389 &nft_trans_flowtable(trans)->hook_list);
8390 }
8391 break;
8392 case NFT_MSG_DELFLOWTABLE:
8393 if (nft_trans_flowtable_update(trans)) {
8394 list_for_each_entry(hook, &nft_trans_flowtable(trans)->hook_list, list)
8395 hook->inactive = false;
8396 } else {
8397 trans->ctx.table->use++;
8398 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
8399 }
8400 nft_trans_destroy(trans);
8401 break;
8402 }
8403 }
8404
8405 synchronize_rcu();
8406
8407 list_for_each_entry_safe_reverse(trans, next,
8408 &net->nft.commit_list, list) {
8409 list_del(&trans->list);
8410 nf_tables_abort_release(trans);
8411 }
8412
8413 if (action == NFNL_ABORT_AUTOLOAD)
8414 nf_tables_module_autoload(net);
8415 else
8416 nf_tables_module_autoload_cleanup(net);
8417
8418 return 0;
8419 }
8420
8421 static void nf_tables_cleanup(struct net *net)
8422 {
8423 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
8424 }
8425
8426 static int nf_tables_abort(struct net *net, struct sk_buff *skb,
8427 enum nfnl_abort_action action)
8428 {
8429 int ret = __nf_tables_abort(net, action);
8430
8431 mutex_unlock(&net->nft.commit_mutex);
8432
8433 return ret;
8434 }
8435
8436 static bool nf_tables_valid_genid(struct net *net, u32 genid)
8437 {
8438 bool genid_ok;
8439
8440 mutex_lock(&net->nft.commit_mutex);
8441
8442 genid_ok = genid == 0 || net->nft.base_seq == genid;
8443 if (!genid_ok)
8444 mutex_unlock(&net->nft.commit_mutex);
8445
8446 /* else, commit mutex has to be released by commit or abort function */
8447 return genid_ok;
8448 }
8449
8450 static const struct nfnetlink_subsystem nf_tables_subsys = {
8451 .name = "nf_tables",
8452 .subsys_id = NFNL_SUBSYS_NFTABLES,
8453 .cb_count = NFT_MSG_MAX,
8454 .cb = nf_tables_cb,
8455 .commit = nf_tables_commit,
8456 .abort = nf_tables_abort,
8457 .cleanup = nf_tables_cleanup,
8458 .valid_genid = nf_tables_valid_genid,
8459 .owner = THIS_MODULE,
8460 };
8461
8462 int nft_chain_validate_dependency(const struct nft_chain *chain,
8463 enum nft_chain_types type)
8464 {
8465 const struct nft_base_chain *basechain;
8466
8467 if (nft_is_base_chain(chain)) {
8468 basechain = nft_base_chain(chain);
8469 if (basechain->type->type != type)
8470 return -EOPNOTSUPP;
8471 }
8472 return 0;
8473 }
8474 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
8475
8476 int nft_chain_validate_hooks(const struct nft_chain *chain,
8477 unsigned int hook_flags)
8478 {
8479 struct nft_base_chain *basechain;
8480
8481 if (nft_is_base_chain(chain)) {
8482 basechain = nft_base_chain(chain);
8483
8484 if ((1 << basechain->ops.hooknum) & hook_flags)
8485 return 0;
8486
8487 return -EOPNOTSUPP;
8488 }
8489
8490 return 0;
8491 }
8492 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
8493
8494 /*
8495 * Loop detection - walk through the ruleset beginning at the destination chain
8496 * of a new jump until either the source chain is reached (loop) or all
8497 * reachable chains have been traversed.
8498 *
8499 * The loop check is performed whenever a new jump verdict is added to an
8500 * expression or verdict map or a verdict map is bound to a new chain.
8501 */
8502
8503 static int nf_tables_check_loops(const struct nft_ctx *ctx,
8504 const struct nft_chain *chain);
8505
8506 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
8507 struct nft_set *set,
8508 const struct nft_set_iter *iter,
8509 struct nft_set_elem *elem)
8510 {
8511 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
8512 const struct nft_data *data;
8513
8514 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
8515 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
8516 return 0;
8517
8518 data = nft_set_ext_data(ext);
8519 switch (data->verdict.code) {
8520 case NFT_JUMP:
8521 case NFT_GOTO:
8522 return nf_tables_check_loops(ctx, data->verdict.chain);
8523 default:
8524 return 0;
8525 }
8526 }
8527
8528 static int nf_tables_check_loops(const struct nft_ctx *ctx,
8529 const struct nft_chain *chain)
8530 {
8531 const struct nft_rule *rule;
8532 const struct nft_expr *expr, *last;
8533 struct nft_set *set;
8534 struct nft_set_binding *binding;
8535 struct nft_set_iter iter;
8536
8537 if (ctx->chain == chain)
8538 return -ELOOP;
8539
8540 list_for_each_entry(rule, &chain->rules, list) {
8541 nft_rule_for_each_expr(expr, last, rule) {
8542 struct nft_immediate_expr *priv;
8543 const struct nft_data *data;
8544 int err;
8545
8546 if (strcmp(expr->ops->type->name, "immediate"))
8547 continue;
8548
8549 priv = nft_expr_priv(expr);
8550 if (priv->dreg != NFT_REG_VERDICT)
8551 continue;
8552
8553 data = &priv->data;
8554 switch (data->verdict.code) {
8555 case NFT_JUMP:
8556 case NFT_GOTO:
8557 err = nf_tables_check_loops(ctx,
8558 data->verdict.chain);
8559 if (err < 0)
8560 return err;
8561 break;
8562 default:
8563 break;
8564 }
8565 }
8566 }
8567
8568 list_for_each_entry(set, &ctx->table->sets, list) {
8569 if (!nft_is_active_next(ctx->net, set))
8570 continue;
8571 if (!(set->flags & NFT_SET_MAP) ||
8572 set->dtype != NFT_DATA_VERDICT)
8573 continue;
8574
8575 list_for_each_entry(binding, &set->bindings, list) {
8576 if (!(binding->flags & NFT_SET_MAP) ||
8577 binding->chain != chain)
8578 continue;
8579
8580 iter.genmask = nft_genmask_next(ctx->net);
8581 iter.skip = 0;
8582 iter.count = 0;
8583 iter.err = 0;
8584 iter.fn = nf_tables_loop_check_setelem;
8585
8586 set->ops->walk(ctx, set, &iter);
8587 if (iter.err < 0)
8588 return iter.err;
8589 }
8590 }
8591
8592 return 0;
8593 }
8594
8595 /**
8596 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
8597 *
8598 * @attr: netlink attribute to fetch value from
8599 * @max: maximum value to be stored in dest
8600 * @dest: pointer to the variable
8601 *
8602 * Parse, check and store a given u32 netlink attribute into variable.
8603 * This function returns -ERANGE if the value goes over maximum value.
8604 * Otherwise a 0 is returned and the attribute value is stored in the
8605 * destination variable.
8606 */
8607 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
8608 {
8609 u32 val;
8610
8611 val = ntohl(nla_get_be32(attr));
8612 if (val > max)
8613 return -ERANGE;
8614
8615 *dest = val;
8616 return 0;
8617 }
8618 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
8619
8620 /**
8621 * nft_parse_register - parse a register value from a netlink attribute
8622 *
8623 * @attr: netlink attribute
8624 *
8625 * Parse and translate a register value from a netlink attribute.
8626 * Registers used to be 128 bit wide, these register numbers will be
8627 * mapped to the corresponding 32 bit register numbers.
8628 */
8629 static unsigned int nft_parse_register(const struct nlattr *attr)
8630 {
8631 unsigned int reg;
8632
8633 reg = ntohl(nla_get_be32(attr));
8634 switch (reg) {
8635 case NFT_REG_VERDICT...NFT_REG_4:
8636 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
8637 default:
8638 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
8639 }
8640 }
8641
8642 /**
8643 * nft_dump_register - dump a register value to a netlink attribute
8644 *
8645 * @skb: socket buffer
8646 * @attr: attribute number
8647 * @reg: register number
8648 *
8649 * Construct a netlink attribute containing the register number. For
8650 * compatibility reasons, register numbers being a multiple of 4 are
8651 * translated to the corresponding 128 bit register numbers.
8652 */
8653 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
8654 {
8655 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
8656 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
8657 else
8658 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
8659
8660 return nla_put_be32(skb, attr, htonl(reg));
8661 }
8662 EXPORT_SYMBOL_GPL(nft_dump_register);
8663
8664 /**
8665 * nft_validate_register_load - validate a load from a register
8666 *
8667 * @reg: the register number
8668 * @len: the length of the data
8669 *
8670 * Validate that the input register is one of the general purpose
8671 * registers and that the length of the load is within the bounds.
8672 */
8673 static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
8674 {
8675 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
8676 return -EINVAL;
8677 if (len == 0)
8678 return -EINVAL;
8679 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
8680 return -ERANGE;
8681
8682 return 0;
8683 }
8684
8685 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
8686 {
8687 u32 reg;
8688 int err;
8689
8690 reg = nft_parse_register(attr);
8691 err = nft_validate_register_load(reg, len);
8692 if (err < 0)
8693 return err;
8694
8695 *sreg = reg;
8696 return 0;
8697 }
8698 EXPORT_SYMBOL_GPL(nft_parse_register_load);
8699
8700 /**
8701 * nft_validate_register_store - validate an expressions' register store
8702 *
8703 * @ctx: context of the expression performing the load
8704 * @reg: the destination register number
8705 * @data: the data to load
8706 * @type: the data type
8707 * @len: the length of the data
8708 *
8709 * Validate that a data load uses the appropriate data type for
8710 * the destination register and the length is within the bounds.
8711 * A value of NULL for the data means that its runtime gathered
8712 * data.
8713 */
8714 static int nft_validate_register_store(const struct nft_ctx *ctx,
8715 enum nft_registers reg,
8716 const struct nft_data *data,
8717 enum nft_data_types type,
8718 unsigned int len)
8719 {
8720 int err;
8721
8722 switch (reg) {
8723 case NFT_REG_VERDICT:
8724 if (type != NFT_DATA_VERDICT)
8725 return -EINVAL;
8726
8727 if (data != NULL &&
8728 (data->verdict.code == NFT_GOTO ||
8729 data->verdict.code == NFT_JUMP)) {
8730 err = nf_tables_check_loops(ctx, data->verdict.chain);
8731 if (err < 0)
8732 return err;
8733 }
8734
8735 return 0;
8736 default:
8737 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
8738 return -EINVAL;
8739 if (len == 0)
8740 return -EINVAL;
8741 if (reg * NFT_REG32_SIZE + len >
8742 sizeof_field(struct nft_regs, data))
8743 return -ERANGE;
8744
8745 if (data != NULL && type != NFT_DATA_VALUE)
8746 return -EINVAL;
8747 return 0;
8748 }
8749 }
8750
8751 int nft_parse_register_store(const struct nft_ctx *ctx,
8752 const struct nlattr *attr, u8 *dreg,
8753 const struct nft_data *data,
8754 enum nft_data_types type, unsigned int len)
8755 {
8756 int err;
8757 u32 reg;
8758
8759 reg = nft_parse_register(attr);
8760 err = nft_validate_register_store(ctx, reg, data, type, len);
8761 if (err < 0)
8762 return err;
8763
8764 *dreg = reg;
8765 return 0;
8766 }
8767 EXPORT_SYMBOL_GPL(nft_parse_register_store);
8768
8769 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
8770 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
8771 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
8772 .len = NFT_CHAIN_MAXNAMELEN - 1 },
8773 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
8774 };
8775
8776 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
8777 struct nft_data_desc *desc, const struct nlattr *nla)
8778 {
8779 u8 genmask = nft_genmask_next(ctx->net);
8780 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
8781 struct nft_chain *chain;
8782 int err;
8783
8784 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
8785 nft_verdict_policy, NULL);
8786 if (err < 0)
8787 return err;
8788
8789 if (!tb[NFTA_VERDICT_CODE])
8790 return -EINVAL;
8791 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
8792
8793 switch (data->verdict.code) {
8794 default:
8795 switch (data->verdict.code & NF_VERDICT_MASK) {
8796 case NF_ACCEPT:
8797 case NF_DROP:
8798 case NF_QUEUE:
8799 break;
8800 default:
8801 return -EINVAL;
8802 }
8803 fallthrough;
8804 case NFT_CONTINUE:
8805 case NFT_BREAK:
8806 case NFT_RETURN:
8807 break;
8808 case NFT_JUMP:
8809 case NFT_GOTO:
8810 if (tb[NFTA_VERDICT_CHAIN]) {
8811 chain = nft_chain_lookup(ctx->net, ctx->table,
8812 tb[NFTA_VERDICT_CHAIN],
8813 genmask);
8814 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
8815 chain = nft_chain_lookup_byid(ctx->net,
8816 tb[NFTA_VERDICT_CHAIN_ID]);
8817 if (IS_ERR(chain))
8818 return PTR_ERR(chain);
8819 } else {
8820 return -EINVAL;
8821 }
8822
8823 if (IS_ERR(chain))
8824 return PTR_ERR(chain);
8825 if (nft_is_base_chain(chain))
8826 return -EOPNOTSUPP;
8827
8828 chain->use++;
8829 data->verdict.chain = chain;
8830 break;
8831 }
8832
8833 desc->len = sizeof(data->verdict);
8834 desc->type = NFT_DATA_VERDICT;
8835 return 0;
8836 }
8837
8838 static void nft_verdict_uninit(const struct nft_data *data)
8839 {
8840 struct nft_chain *chain;
8841 struct nft_rule *rule;
8842
8843 switch (data->verdict.code) {
8844 case NFT_JUMP:
8845 case NFT_GOTO:
8846 chain = data->verdict.chain;
8847 chain->use--;
8848
8849 if (!nft_chain_is_bound(chain))
8850 break;
8851
8852 chain->table->use--;
8853 list_for_each_entry(rule, &chain->rules, list)
8854 chain->use--;
8855
8856 nft_chain_del(chain);
8857 break;
8858 }
8859 }
8860
8861 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
8862 {
8863 struct nlattr *nest;
8864
8865 nest = nla_nest_start_noflag(skb, type);
8866 if (!nest)
8867 goto nla_put_failure;
8868
8869 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
8870 goto nla_put_failure;
8871
8872 switch (v->code) {
8873 case NFT_JUMP:
8874 case NFT_GOTO:
8875 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
8876 v->chain->name))
8877 goto nla_put_failure;
8878 }
8879 nla_nest_end(skb, nest);
8880 return 0;
8881
8882 nla_put_failure:
8883 return -1;
8884 }
8885
8886 static int nft_value_init(const struct nft_ctx *ctx,
8887 struct nft_data *data, unsigned int size,
8888 struct nft_data_desc *desc, const struct nlattr *nla)
8889 {
8890 unsigned int len;
8891
8892 len = nla_len(nla);
8893 if (len == 0)
8894 return -EINVAL;
8895 if (len > size)
8896 return -EOVERFLOW;
8897
8898 nla_memcpy(data->data, nla, len);
8899 desc->type = NFT_DATA_VALUE;
8900 desc->len = len;
8901 return 0;
8902 }
8903
8904 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
8905 unsigned int len)
8906 {
8907 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
8908 }
8909
8910 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
8911 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
8912 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
8913 };
8914
8915 /**
8916 * nft_data_init - parse nf_tables data netlink attributes
8917 *
8918 * @ctx: context of the expression using the data
8919 * @data: destination struct nft_data
8920 * @size: maximum data length
8921 * @desc: data description
8922 * @nla: netlink attribute containing data
8923 *
8924 * Parse the netlink data attributes and initialize a struct nft_data.
8925 * The type and length of data are returned in the data description.
8926 *
8927 * The caller can indicate that it only wants to accept data of type
8928 * NFT_DATA_VALUE by passing NULL for the ctx argument.
8929 */
8930 int nft_data_init(const struct nft_ctx *ctx,
8931 struct nft_data *data, unsigned int size,
8932 struct nft_data_desc *desc, const struct nlattr *nla)
8933 {
8934 struct nlattr *tb[NFTA_DATA_MAX + 1];
8935 int err;
8936
8937 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
8938 nft_data_policy, NULL);
8939 if (err < 0)
8940 return err;
8941
8942 if (tb[NFTA_DATA_VALUE])
8943 return nft_value_init(ctx, data, size, desc,
8944 tb[NFTA_DATA_VALUE]);
8945 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
8946 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
8947 return -EINVAL;
8948 }
8949 EXPORT_SYMBOL_GPL(nft_data_init);
8950
8951 /**
8952 * nft_data_release - release a nft_data item
8953 *
8954 * @data: struct nft_data to release
8955 * @type: type of data
8956 *
8957 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
8958 * all others need to be released by calling this function.
8959 */
8960 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
8961 {
8962 if (type < NFT_DATA_VERDICT)
8963 return;
8964 switch (type) {
8965 case NFT_DATA_VERDICT:
8966 return nft_verdict_uninit(data);
8967 default:
8968 WARN_ON(1);
8969 }
8970 }
8971 EXPORT_SYMBOL_GPL(nft_data_release);
8972
8973 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
8974 enum nft_data_types type, unsigned int len)
8975 {
8976 struct nlattr *nest;
8977 int err;
8978
8979 nest = nla_nest_start_noflag(skb, attr);
8980 if (nest == NULL)
8981 return -1;
8982
8983 switch (type) {
8984 case NFT_DATA_VALUE:
8985 err = nft_value_dump(skb, data, len);
8986 break;
8987 case NFT_DATA_VERDICT:
8988 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
8989 break;
8990 default:
8991 err = -EINVAL;
8992 WARN_ON(1);
8993 }
8994
8995 nla_nest_end(skb, nest);
8996 return err;
8997 }
8998 EXPORT_SYMBOL_GPL(nft_data_dump);
8999
9000 int __nft_release_basechain(struct nft_ctx *ctx)
9001 {
9002 struct nft_rule *rule, *nr;
9003
9004 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
9005 return 0;
9006
9007 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
9008 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
9009 list_del(&rule->list);
9010 ctx->chain->use--;
9011 nf_tables_rule_release(ctx, rule);
9012 }
9013 nft_chain_del(ctx->chain);
9014 ctx->table->use--;
9015 nf_tables_chain_destroy(ctx);
9016
9017 return 0;
9018 }
9019 EXPORT_SYMBOL_GPL(__nft_release_basechain);
9020
9021 static void __nft_release_hook(struct net *net, struct nft_table *table)
9022 {
9023 struct nft_chain *chain;
9024
9025 list_for_each_entry(chain, &table->chains, list)
9026 nf_tables_unregister_hook(net, table, chain);
9027 }
9028
9029 static void __nft_release_hooks(struct net *net)
9030 {
9031 struct nft_table *table;
9032
9033 list_for_each_entry(table, &net->nft.tables, list) {
9034 if (nft_table_has_owner(table))
9035 continue;
9036
9037 __nft_release_hook(net, table);
9038 }
9039 }
9040
9041 static void __nft_release_table(struct net *net, struct nft_table *table)
9042 {
9043 struct nft_flowtable *flowtable, *nf;
9044 struct nft_chain *chain, *nc;
9045 struct nft_object *obj, *ne;
9046 struct nft_rule *rule, *nr;
9047 struct nft_set *set, *ns;
9048 struct nft_ctx ctx = {
9049 .net = net,
9050 .family = NFPROTO_NETDEV,
9051 };
9052
9053 ctx.family = table->family;
9054 ctx.table = table;
9055 list_for_each_entry(chain, &table->chains, list) {
9056 ctx.chain = chain;
9057 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
9058 list_del(&rule->list);
9059 chain->use--;
9060 nf_tables_rule_release(&ctx, rule);
9061 }
9062 }
9063 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
9064 list_del(&flowtable->list);
9065 table->use--;
9066 nf_tables_flowtable_destroy(flowtable);
9067 }
9068 list_for_each_entry_safe(set, ns, &table->sets, list) {
9069 list_del(&set->list);
9070 table->use--;
9071 nft_set_destroy(&ctx, set);
9072 }
9073 list_for_each_entry_safe(obj, ne, &table->objects, list) {
9074 nft_obj_del(obj);
9075 table->use--;
9076 nft_obj_destroy(&ctx, obj);
9077 }
9078 list_for_each_entry_safe(chain, nc, &table->chains, list) {
9079 ctx.chain = chain;
9080 nft_chain_del(chain);
9081 table->use--;
9082 nf_tables_chain_destroy(&ctx);
9083 }
9084 list_del(&table->list);
9085 nf_tables_table_destroy(&ctx);
9086 }
9087
9088 static void __nft_release_tables(struct net *net)
9089 {
9090 struct nft_table *table, *nt;
9091
9092 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
9093 if (nft_table_has_owner(table))
9094 continue;
9095
9096 __nft_release_table(net, table);
9097 }
9098 }
9099
9100 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
9101 void *ptr)
9102 {
9103 struct netlink_notify *n = ptr;
9104 struct nft_table *table, *nt;
9105 struct net *net = n->net;
9106 bool release = false;
9107
9108 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
9109 return NOTIFY_DONE;
9110
9111 mutex_lock(&net->nft.commit_mutex);
9112 list_for_each_entry(table, &net->nft.tables, list) {
9113 if (nft_table_has_owner(table) &&
9114 n->portid == table->nlpid) {
9115 __nft_release_hook(net, table);
9116 release = true;
9117 }
9118 }
9119 if (release) {
9120 synchronize_rcu();
9121 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
9122 if (nft_table_has_owner(table) &&
9123 n->portid == table->nlpid)
9124 __nft_release_table(net, table);
9125 }
9126 }
9127 mutex_unlock(&net->nft.commit_mutex);
9128
9129 return NOTIFY_DONE;
9130 }
9131
9132 static struct notifier_block nft_nl_notifier = {
9133 .notifier_call = nft_rcv_nl_event,
9134 };
9135
9136 static int __net_init nf_tables_init_net(struct net *net)
9137 {
9138 INIT_LIST_HEAD(&net->nft.tables);
9139 INIT_LIST_HEAD(&net->nft.commit_list);
9140 INIT_LIST_HEAD(&net->nft.module_list);
9141 INIT_LIST_HEAD(&net->nft.notify_list);
9142 mutex_init(&net->nft.commit_mutex);
9143 net->nft.base_seq = 1;
9144 net->nft.validate_state = NFT_VALIDATE_SKIP;
9145
9146 return 0;
9147 }
9148
9149 static void __net_exit nf_tables_pre_exit_net(struct net *net)
9150 {
9151 __nft_release_hooks(net);
9152 }
9153
9154 static void __net_exit nf_tables_exit_net(struct net *net)
9155 {
9156 mutex_lock(&net->nft.commit_mutex);
9157 if (!list_empty(&net->nft.commit_list))
9158 __nf_tables_abort(net, NFNL_ABORT_NONE);
9159 __nft_release_tables(net);
9160 mutex_unlock(&net->nft.commit_mutex);
9161 WARN_ON_ONCE(!list_empty(&net->nft.tables));
9162 WARN_ON_ONCE(!list_empty(&net->nft.module_list));
9163 WARN_ON_ONCE(!list_empty(&net->nft.notify_list));
9164 }
9165
9166 static struct pernet_operations nf_tables_net_ops = {
9167 .init = nf_tables_init_net,
9168 .pre_exit = nf_tables_pre_exit_net,
9169 .exit = nf_tables_exit_net,
9170 };
9171
9172 static int __init nf_tables_module_init(void)
9173 {
9174 int err;
9175
9176 spin_lock_init(&nf_tables_destroy_list_lock);
9177 err = register_pernet_subsys(&nf_tables_net_ops);
9178 if (err < 0)
9179 return err;
9180
9181 err = nft_chain_filter_init();
9182 if (err < 0)
9183 goto err_chain_filter;
9184
9185 err = nf_tables_core_module_init();
9186 if (err < 0)
9187 goto err_core_module;
9188
9189 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
9190 if (err < 0)
9191 goto err_netdev_notifier;
9192
9193 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
9194 if (err < 0)
9195 goto err_rht_objname;
9196
9197 err = nft_offload_init();
9198 if (err < 0)
9199 goto err_offload;
9200
9201 err = netlink_register_notifier(&nft_nl_notifier);
9202 if (err < 0)
9203 goto err_netlink_notifier;
9204
9205 /* must be last */
9206 err = nfnetlink_subsys_register(&nf_tables_subsys);
9207 if (err < 0)
9208 goto err_nfnl_subsys;
9209
9210 nft_chain_route_init();
9211
9212 return err;
9213
9214 err_nfnl_subsys:
9215 netlink_unregister_notifier(&nft_nl_notifier);
9216 err_netlink_notifier:
9217 nft_offload_exit();
9218 err_offload:
9219 rhltable_destroy(&nft_objname_ht);
9220 err_rht_objname:
9221 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
9222 err_netdev_notifier:
9223 nf_tables_core_module_exit();
9224 err_core_module:
9225 nft_chain_filter_fini();
9226 err_chain_filter:
9227 unregister_pernet_subsys(&nf_tables_net_ops);
9228 return err;
9229 }
9230
9231 static void __exit nf_tables_module_exit(void)
9232 {
9233 nfnetlink_subsys_unregister(&nf_tables_subsys);
9234 netlink_unregister_notifier(&nft_nl_notifier);
9235 nft_offload_exit();
9236 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
9237 nft_chain_filter_fini();
9238 nft_chain_route_fini();
9239 unregister_pernet_subsys(&nf_tables_net_ops);
9240 cancel_work_sync(&trans_destroy_work);
9241 rcu_barrier();
9242 rhltable_destroy(&nft_objname_ht);
9243 nf_tables_core_module_exit();
9244 }
9245
9246 module_init(nf_tables_module_init);
9247 module_exit(nf_tables_module_exit);
9248
9249 MODULE_LICENSE("GPL");
9250 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
9251 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
Ubuntu Jammy Linux kernel mirror