]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/blob - net/netfilter/nf_tables_api.c
projects / mirror_ubuntu-jammy-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
audit: log nftables configuration change events once per table
[mirror_ubuntu-jammy-kernel.git] / net / netfilter / nf_tables_api.c
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 *
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
6 */
7
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_flow_table.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_tables_offload.h>
23 #include <net/net_namespace.h>
24 #include <net/sock.h>
25
26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
27
28 static LIST_HEAD(nf_tables_expressions);
29 static LIST_HEAD(nf_tables_objects);
30 static LIST_HEAD(nf_tables_flowtables);
31 static LIST_HEAD(nf_tables_destroy_list);
32 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
33 static u64 table_handle;
34
35 enum {
36 NFT_VALIDATE_SKIP = 0,
37 NFT_VALIDATE_NEED,
38 NFT_VALIDATE_DO,
39 };
40
41 static struct rhltable nft_objname_ht;
42
43 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
44 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
45 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
46
47 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
48 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
49 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
50
51 static const struct rhashtable_params nft_chain_ht_params = {
52 .head_offset = offsetof(struct nft_chain, rhlhead),
53 .key_offset = offsetof(struct nft_chain, name),
54 .hashfn = nft_chain_hash,
55 .obj_hashfn = nft_chain_hash_obj,
56 .obj_cmpfn = nft_chain_hash_cmp,
57 .automatic_shrinking = true,
58 };
59
60 static const struct rhashtable_params nft_objname_ht_params = {
61 .head_offset = offsetof(struct nft_object, rhlhead),
62 .key_offset = offsetof(struct nft_object, key),
63 .hashfn = nft_objname_hash,
64 .obj_hashfn = nft_objname_hash_obj,
65 .obj_cmpfn = nft_objname_hash_cmp,
66 .automatic_shrinking = true,
67 };
68
69 struct nft_audit_data {
70 struct nft_table *table;
71 int entries;
72 int op;
73 struct list_head list;
74 };
75
76 static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types
77 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER,
78 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID,
79 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER,
80 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER,
81 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID,
82 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER,
83 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER,
84 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID,
85 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER,
86 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER,
87 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID,
88 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER,
89 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER,
90 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID,
91 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER,
92 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER,
93 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID,
94 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID,
95 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER,
96 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID,
97 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER,
98 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET,
99 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER,
100 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID,
101 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
102 };
103
104 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
105 {
106 switch (net->nft.validate_state) {
107 case NFT_VALIDATE_SKIP:
108 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
109 break;
110 case NFT_VALIDATE_NEED:
111 break;
112 case NFT_VALIDATE_DO:
113 if (new_validate_state == NFT_VALIDATE_NEED)
114 return;
115 }
116
117 net->nft.validate_state = new_validate_state;
118 }
119 static void nf_tables_trans_destroy_work(struct work_struct *w);
120 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
121
122 static void nft_ctx_init(struct nft_ctx *ctx,
123 struct net *net,
124 const struct sk_buff *skb,
125 const struct nlmsghdr *nlh,
126 u8 family,
127 struct nft_table *table,
128 struct nft_chain *chain,
129 const struct nlattr * const *nla)
130 {
131 ctx->net = net;
132 ctx->family = family;
133 ctx->level = 0;
134 ctx->table = table;
135 ctx->chain = chain;
136 ctx->nla = nla;
137 ctx->portid = NETLINK_CB(skb).portid;
138 ctx->report = nlmsg_report(nlh);
139 ctx->flags = nlh->nlmsg_flags;
140 ctx->seq = nlh->nlmsg_seq;
141 }
142
143 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
144 int msg_type, u32 size, gfp_t gfp)
145 {
146 struct nft_trans *trans;
147
148 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
149 if (trans == NULL)
150 return NULL;
151
152 trans->msg_type = msg_type;
153 trans->ctx = *ctx;
154
155 return trans;
156 }
157
158 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
159 int msg_type, u32 size)
160 {
161 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
162 }
163
164 static void nft_trans_destroy(struct nft_trans *trans)
165 {
166 list_del(&trans->list);
167 kfree(trans);
168 }
169
170 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
171 {
172 struct net *net = ctx->net;
173 struct nft_trans *trans;
174
175 if (!nft_set_is_anonymous(set))
176 return;
177
178 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
179 switch (trans->msg_type) {
180 case NFT_MSG_NEWSET:
181 if (nft_trans_set(trans) == set)
182 nft_trans_set_bound(trans) = true;
183 break;
184 case NFT_MSG_NEWSETELEM:
185 if (nft_trans_elem_set(trans) == set)
186 nft_trans_elem_set_bound(trans) = true;
187 break;
188 }
189 }
190 }
191
192 static int nft_netdev_register_hooks(struct net *net,
193 struct list_head *hook_list)
194 {
195 struct nft_hook *hook;
196 int err, j;
197
198 j = 0;
199 list_for_each_entry(hook, hook_list, list) {
200 err = nf_register_net_hook(net, &hook->ops);
201 if (err < 0)
202 goto err_register;
203
204 j++;
205 }
206 return 0;
207
208 err_register:
209 list_for_each_entry(hook, hook_list, list) {
210 if (j-- <= 0)
211 break;
212
213 nf_unregister_net_hook(net, &hook->ops);
214 }
215 return err;
216 }
217
218 static void nft_netdev_unregister_hooks(struct net *net,
219 struct list_head *hook_list)
220 {
221 struct nft_hook *hook;
222
223 list_for_each_entry(hook, hook_list, list)
224 nf_unregister_net_hook(net, &hook->ops);
225 }
226
227 static int nf_tables_register_hook(struct net *net,
228 const struct nft_table *table,
229 struct nft_chain *chain)
230 {
231 struct nft_base_chain *basechain;
232 const struct nf_hook_ops *ops;
233
234 if (table->flags & NFT_TABLE_F_DORMANT ||
235 !nft_is_base_chain(chain))
236 return 0;
237
238 basechain = nft_base_chain(chain);
239 ops = &basechain->ops;
240
241 if (basechain->type->ops_register)
242 return basechain->type->ops_register(net, ops);
243
244 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
245 return nft_netdev_register_hooks(net, &basechain->hook_list);
246
247 return nf_register_net_hook(net, &basechain->ops);
248 }
249
250 static void nf_tables_unregister_hook(struct net *net,
251 const struct nft_table *table,
252 struct nft_chain *chain)
253 {
254 struct nft_base_chain *basechain;
255 const struct nf_hook_ops *ops;
256
257 if (table->flags & NFT_TABLE_F_DORMANT ||
258 !nft_is_base_chain(chain))
259 return;
260 basechain = nft_base_chain(chain);
261 ops = &basechain->ops;
262
263 if (basechain->type->ops_unregister)
264 return basechain->type->ops_unregister(net, ops);
265
266 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
267 nft_netdev_unregister_hooks(net, &basechain->hook_list);
268 else
269 nf_unregister_net_hook(net, &basechain->ops);
270 }
271
272 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
273 {
274 struct nft_trans *trans;
275
276 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
277 if (trans == NULL)
278 return -ENOMEM;
279
280 if (msg_type == NFT_MSG_NEWTABLE)
281 nft_activate_next(ctx->net, ctx->table);
282
283 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
284 return 0;
285 }
286
287 static int nft_deltable(struct nft_ctx *ctx)
288 {
289 int err;
290
291 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
292 if (err < 0)
293 return err;
294
295 nft_deactivate_next(ctx->net, ctx->table);
296 return err;
297 }
298
299 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
300 {
301 struct nft_trans *trans;
302
303 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
304 if (trans == NULL)
305 return ERR_PTR(-ENOMEM);
306
307 if (msg_type == NFT_MSG_NEWCHAIN) {
308 nft_activate_next(ctx->net, ctx->chain);
309
310 if (ctx->nla[NFTA_CHAIN_ID]) {
311 nft_trans_chain_id(trans) =
312 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
313 }
314 }
315
316 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
317 return trans;
318 }
319
320 static int nft_delchain(struct nft_ctx *ctx)
321 {
322 struct nft_trans *trans;
323
324 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
325 if (IS_ERR(trans))
326 return PTR_ERR(trans);
327
328 ctx->table->use--;
329 nft_deactivate_next(ctx->net, ctx->chain);
330
331 return 0;
332 }
333
334 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
335 struct nft_rule *rule)
336 {
337 struct nft_expr *expr;
338
339 expr = nft_expr_first(rule);
340 while (nft_expr_more(rule, expr)) {
341 if (expr->ops->activate)
342 expr->ops->activate(ctx, expr);
343
344 expr = nft_expr_next(expr);
345 }
346 }
347
348 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
349 struct nft_rule *rule,
350 enum nft_trans_phase phase)
351 {
352 struct nft_expr *expr;
353
354 expr = nft_expr_first(rule);
355 while (nft_expr_more(rule, expr)) {
356 if (expr->ops->deactivate)
357 expr->ops->deactivate(ctx, expr, phase);
358
359 expr = nft_expr_next(expr);
360 }
361 }
362
363 static int
364 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
365 {
366 /* You cannot delete the same rule twice */
367 if (nft_is_active_next(ctx->net, rule)) {
368 nft_deactivate_next(ctx->net, rule);
369 ctx->chain->use--;
370 return 0;
371 }
372 return -ENOENT;
373 }
374
375 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
376 struct nft_rule *rule)
377 {
378 struct nft_trans *trans;
379
380 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
381 if (trans == NULL)
382 return NULL;
383
384 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
385 nft_trans_rule_id(trans) =
386 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
387 }
388 nft_trans_rule(trans) = rule;
389 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
390
391 return trans;
392 }
393
394 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
395 {
396 struct nft_flow_rule *flow;
397 struct nft_trans *trans;
398 int err;
399
400 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
401 if (trans == NULL)
402 return -ENOMEM;
403
404 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
405 flow = nft_flow_rule_create(ctx->net, rule);
406 if (IS_ERR(flow)) {
407 nft_trans_destroy(trans);
408 return PTR_ERR(flow);
409 }
410
411 nft_trans_flow_rule(trans) = flow;
412 }
413
414 err = nf_tables_delrule_deactivate(ctx, rule);
415 if (err < 0) {
416 nft_trans_destroy(trans);
417 return err;
418 }
419 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
420
421 return 0;
422 }
423
424 static int nft_delrule_by_chain(struct nft_ctx *ctx)
425 {
426 struct nft_rule *rule;
427 int err;
428
429 list_for_each_entry(rule, &ctx->chain->rules, list) {
430 if (!nft_is_active_next(ctx->net, rule))
431 continue;
432
433 err = nft_delrule(ctx, rule);
434 if (err < 0)
435 return err;
436 }
437 return 0;
438 }
439
440 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
441 struct nft_set *set)
442 {
443 struct nft_trans *trans;
444
445 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
446 if (trans == NULL)
447 return -ENOMEM;
448
449 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
450 nft_trans_set_id(trans) =
451 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
452 nft_activate_next(ctx->net, set);
453 }
454 nft_trans_set(trans) = set;
455 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
456
457 return 0;
458 }
459
460 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
461 {
462 int err;
463
464 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
465 if (err < 0)
466 return err;
467
468 nft_deactivate_next(ctx->net, set);
469 ctx->table->use--;
470
471 return err;
472 }
473
474 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
475 struct nft_object *obj)
476 {
477 struct nft_trans *trans;
478
479 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
480 if (trans == NULL)
481 return -ENOMEM;
482
483 if (msg_type == NFT_MSG_NEWOBJ)
484 nft_activate_next(ctx->net, obj);
485
486 nft_trans_obj(trans) = obj;
487 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
488
489 return 0;
490 }
491
492 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
493 {
494 int err;
495
496 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
497 if (err < 0)
498 return err;
499
500 nft_deactivate_next(ctx->net, obj);
501 ctx->table->use--;
502
503 return err;
504 }
505
506 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
507 struct nft_flowtable *flowtable)
508 {
509 struct nft_trans *trans;
510
511 trans = nft_trans_alloc(ctx, msg_type,
512 sizeof(struct nft_trans_flowtable));
513 if (trans == NULL)
514 return -ENOMEM;
515
516 if (msg_type == NFT_MSG_NEWFLOWTABLE)
517 nft_activate_next(ctx->net, flowtable);
518
519 nft_trans_flowtable(trans) = flowtable;
520 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
521
522 return 0;
523 }
524
525 static int nft_delflowtable(struct nft_ctx *ctx,
526 struct nft_flowtable *flowtable)
527 {
528 int err;
529
530 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
531 if (err < 0)
532 return err;
533
534 nft_deactivate_next(ctx->net, flowtable);
535 ctx->table->use--;
536
537 return err;
538 }
539
540 /*
541 * Tables
542 */
543
544 static struct nft_table *nft_table_lookup(const struct net *net,
545 const struct nlattr *nla,
546 u8 family, u8 genmask, u32 nlpid)
547 {
548 struct nft_table *table;
549
550 if (nla == NULL)
551 return ERR_PTR(-EINVAL);
552
553 list_for_each_entry_rcu(table, &net->nft.tables, list,
554 lockdep_is_held(&net->nft.commit_mutex)) {
555 if (!nla_strcmp(nla, table->name) &&
556 table->family == family &&
557 nft_active_genmask(table, genmask)) {
558 if (nft_table_has_owner(table) &&
559 table->nlpid != nlpid)
560 return ERR_PTR(-EPERM);
561
562 return table;
563 }
564 }
565
566 return ERR_PTR(-ENOENT);
567 }
568
569 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
570 const struct nlattr *nla,
571 u8 genmask)
572 {
573 struct nft_table *table;
574
575 list_for_each_entry(table, &net->nft.tables, list) {
576 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
577 nft_active_genmask(table, genmask))
578 return table;
579 }
580
581 return ERR_PTR(-ENOENT);
582 }
583
584 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
585 {
586 return ++table->hgenerator;
587 }
588
589 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
590
591 static const struct nft_chain_type *
592 __nft_chain_type_get(u8 family, enum nft_chain_types type)
593 {
594 if (family >= NFPROTO_NUMPROTO ||
595 type >= NFT_CHAIN_T_MAX)
596 return NULL;
597
598 return chain_type[family][type];
599 }
600
601 static const struct nft_chain_type *
602 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
603 {
604 const struct nft_chain_type *type;
605 int i;
606
607 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
608 type = __nft_chain_type_get(family, i);
609 if (!type)
610 continue;
611 if (!nla_strcmp(nla, type->name))
612 return type;
613 }
614 return NULL;
615 }
616
617 struct nft_module_request {
618 struct list_head list;
619 char module[MODULE_NAME_LEN];
620 bool done;
621 };
622
623 #ifdef CONFIG_MODULES
624 __printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
625 ...)
626 {
627 char module_name[MODULE_NAME_LEN];
628 struct nft_module_request *req;
629 va_list args;
630 int ret;
631
632 va_start(args, fmt);
633 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
634 va_end(args);
635 if (ret >= MODULE_NAME_LEN)
636 return 0;
637
638 list_for_each_entry(req, &net->nft.module_list, list) {
639 if (!strcmp(req->module, module_name)) {
640 if (req->done)
641 return 0;
642
643 /* A request to load this module already exists. */
644 return -EAGAIN;
645 }
646 }
647
648 req = kmalloc(sizeof(*req), GFP_KERNEL);
649 if (!req)
650 return -ENOMEM;
651
652 req->done = false;
653 strlcpy(req->module, module_name, MODULE_NAME_LEN);
654 list_add_tail(&req->list, &net->nft.module_list);
655
656 return -EAGAIN;
657 }
658 EXPORT_SYMBOL_GPL(nft_request_module);
659 #endif
660
661 static void lockdep_nfnl_nft_mutex_not_held(void)
662 {
663 #ifdef CONFIG_PROVE_LOCKING
664 if (debug_locks)
665 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
666 #endif
667 }
668
669 static const struct nft_chain_type *
670 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
671 u8 family, bool autoload)
672 {
673 const struct nft_chain_type *type;
674
675 type = __nf_tables_chain_type_lookup(nla, family);
676 if (type != NULL)
677 return type;
678
679 lockdep_nfnl_nft_mutex_not_held();
680 #ifdef CONFIG_MODULES
681 if (autoload) {
682 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
683 nla_len(nla),
684 (const char *)nla_data(nla)) == -EAGAIN)
685 return ERR_PTR(-EAGAIN);
686 }
687 #endif
688 return ERR_PTR(-ENOENT);
689 }
690
691 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
692 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
693 .len = NFT_TABLE_MAXNAMELEN - 1 },
694 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
695 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
696 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
697 .len = NFT_USERDATA_MAXLEN }
698 };
699
700 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
701 u32 portid, u32 seq, int event, u32 flags,
702 int family, const struct nft_table *table)
703 {
704 struct nlmsghdr *nlh;
705 struct nfgenmsg *nfmsg;
706
707 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
708 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
709 if (nlh == NULL)
710 goto nla_put_failure;
711
712 nfmsg = nlmsg_data(nlh);
713 nfmsg->nfgen_family = family;
714 nfmsg->version = NFNETLINK_V0;
715 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
716
717 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
718 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
719 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
720 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
721 NFTA_TABLE_PAD))
722 goto nla_put_failure;
723 if (nft_table_has_owner(table) &&
724 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid)))
725 goto nla_put_failure;
726
727 if (table->udata) {
728 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
729 goto nla_put_failure;
730 }
731
732 nlmsg_end(skb, nlh);
733 return 0;
734
735 nla_put_failure:
736 nlmsg_trim(skb, nlh);
737 return -1;
738 }
739
740 struct nftnl_skb_parms {
741 bool report;
742 };
743 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
744
745 static void nft_notify_enqueue(struct sk_buff *skb, bool report,
746 struct list_head *notify_list)
747 {
748 NFT_CB(skb).report = report;
749 list_add_tail(&skb->list, notify_list);
750 }
751
752 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
753 {
754 struct sk_buff *skb;
755 int err;
756
757 if (!ctx->report &&
758 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
759 return;
760
761 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
762 if (skb == NULL)
763 goto err;
764
765 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
766 event, 0, ctx->family, ctx->table);
767 if (err < 0) {
768 kfree_skb(skb);
769 goto err;
770 }
771
772 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
773 return;
774 err:
775 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
776 }
777
778 static int nf_tables_dump_tables(struct sk_buff *skb,
779 struct netlink_callback *cb)
780 {
781 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
782 const struct nft_table *table;
783 unsigned int idx = 0, s_idx = cb->args[0];
784 struct net *net = sock_net(skb->sk);
785 int family = nfmsg->nfgen_family;
786
787 rcu_read_lock();
788 cb->seq = net->nft.base_seq;
789
790 list_for_each_entry_rcu(table, &net->nft.tables, list) {
791 if (family != NFPROTO_UNSPEC && family != table->family)
792 continue;
793
794 if (idx < s_idx)
795 goto cont;
796 if (idx > s_idx)
797 memset(&cb->args[1], 0,
798 sizeof(cb->args) - sizeof(cb->args[0]));
799 if (!nft_is_active(net, table))
800 continue;
801 if (nf_tables_fill_table_info(skb, net,
802 NETLINK_CB(cb->skb).portid,
803 cb->nlh->nlmsg_seq,
804 NFT_MSG_NEWTABLE, NLM_F_MULTI,
805 table->family, table) < 0)
806 goto done;
807
808 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
809 cont:
810 idx++;
811 }
812 done:
813 rcu_read_unlock();
814 cb->args[0] = idx;
815 return skb->len;
816 }
817
818 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
819 const struct nlmsghdr *nlh,
820 struct netlink_dump_control *c)
821 {
822 int err;
823
824 if (!try_module_get(THIS_MODULE))
825 return -EINVAL;
826
827 rcu_read_unlock();
828 err = netlink_dump_start(nlsk, skb, nlh, c);
829 rcu_read_lock();
830 module_put(THIS_MODULE);
831
832 return err;
833 }
834
835 /* called with rcu_read_lock held */
836 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
837 struct sk_buff *skb, const struct nlmsghdr *nlh,
838 const struct nlattr * const nla[],
839 struct netlink_ext_ack *extack)
840 {
841 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
842 u8 genmask = nft_genmask_cur(net);
843 const struct nft_table *table;
844 struct sk_buff *skb2;
845 int family = nfmsg->nfgen_family;
846 int err;
847
848 if (nlh->nlmsg_flags & NLM_F_DUMP) {
849 struct netlink_dump_control c = {
850 .dump = nf_tables_dump_tables,
851 .module = THIS_MODULE,
852 };
853
854 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
855 }
856
857 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0);
858 if (IS_ERR(table)) {
859 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
860 return PTR_ERR(table);
861 }
862
863 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
864 if (!skb2)
865 return -ENOMEM;
866
867 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
868 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
869 family, table);
870 if (err < 0)
871 goto err_fill_table_info;
872
873 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
874
875 err_fill_table_info:
876 kfree_skb(skb2);
877 return err;
878 }
879
880 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
881 {
882 struct nft_chain *chain;
883 u32 i = 0;
884
885 list_for_each_entry(chain, &table->chains, list) {
886 if (!nft_is_active_next(net, chain))
887 continue;
888 if (!nft_is_base_chain(chain))
889 continue;
890
891 if (cnt && i++ == cnt)
892 break;
893
894 nf_tables_unregister_hook(net, table, chain);
895 }
896 }
897
898 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
899 {
900 struct nft_chain *chain;
901 int err, i = 0;
902
903 list_for_each_entry(chain, &table->chains, list) {
904 if (!nft_is_active_next(net, chain))
905 continue;
906 if (!nft_is_base_chain(chain))
907 continue;
908
909 err = nf_tables_register_hook(net, table, chain);
910 if (err < 0)
911 goto err_register_hooks;
912
913 i++;
914 }
915 return 0;
916
917 err_register_hooks:
918 if (i)
919 nft_table_disable(net, table, i);
920 return err;
921 }
922
923 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
924 {
925 nft_table_disable(net, table, 0);
926 }
927
928 enum {
929 NFT_TABLE_STATE_UNCHANGED = 0,
930 NFT_TABLE_STATE_DORMANT,
931 NFT_TABLE_STATE_WAKEUP
932 };
933
934 static int nf_tables_updtable(struct nft_ctx *ctx)
935 {
936 struct nft_trans *trans;
937 u32 flags;
938 int ret = 0;
939
940 if (!ctx->nla[NFTA_TABLE_FLAGS])
941 return 0;
942
943 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
944 if (flags & ~NFT_TABLE_F_MASK)
945 return -EOPNOTSUPP;
946
947 if (flags == ctx->table->flags)
948 return 0;
949
950 if ((nft_table_has_owner(ctx->table) &&
951 !(flags & NFT_TABLE_F_OWNER)) ||
952 (!nft_table_has_owner(ctx->table) &&
953 flags & NFT_TABLE_F_OWNER))
954 return -EOPNOTSUPP;
955
956 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
957 sizeof(struct nft_trans_table));
958 if (trans == NULL)
959 return -ENOMEM;
960
961 if ((flags & NFT_TABLE_F_DORMANT) &&
962 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
963 nft_trans_table_state(trans) = NFT_TABLE_STATE_DORMANT;
964 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
965 ctx->table->flags & NFT_TABLE_F_DORMANT) {
966 ret = nf_tables_table_enable(ctx->net, ctx->table);
967 if (ret >= 0)
968 nft_trans_table_state(trans) = NFT_TABLE_STATE_WAKEUP;
969 }
970 if (ret < 0)
971 goto err;
972
973 nft_trans_table_flags(trans) = flags;
974 nft_trans_table_update(trans) = true;
975 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
976 return 0;
977 err:
978 nft_trans_destroy(trans);
979 return ret;
980 }
981
982 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
983 {
984 const char *name = data;
985
986 return jhash(name, strlen(name), seed);
987 }
988
989 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
990 {
991 const struct nft_chain *chain = data;
992
993 return nft_chain_hash(chain->name, 0, seed);
994 }
995
996 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
997 const void *ptr)
998 {
999 const struct nft_chain *chain = ptr;
1000 const char *name = arg->key;
1001
1002 return strcmp(chain->name, name);
1003 }
1004
1005 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
1006 {
1007 const struct nft_object_hash_key *k = data;
1008
1009 seed ^= hash_ptr(k->table, 32);
1010
1011 return jhash(k->name, strlen(k->name), seed);
1012 }
1013
1014 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
1015 {
1016 const struct nft_object *obj = data;
1017
1018 return nft_objname_hash(&obj->key, 0, seed);
1019 }
1020
1021 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
1022 const void *ptr)
1023 {
1024 const struct nft_object_hash_key *k = arg->key;
1025 const struct nft_object *obj = ptr;
1026
1027 if (obj->key.table != k->table)
1028 return -1;
1029
1030 return strcmp(obj->key.name, k->name);
1031 }
1032
1033 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
1034 struct sk_buff *skb, const struct nlmsghdr *nlh,
1035 const struct nlattr * const nla[],
1036 struct netlink_ext_ack *extack)
1037 {
1038 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1039 u8 genmask = nft_genmask_next(net);
1040 int family = nfmsg->nfgen_family;
1041 const struct nlattr *attr;
1042 struct nft_table *table;
1043 struct nft_ctx ctx;
1044 u32 flags = 0;
1045 int err;
1046
1047 lockdep_assert_held(&net->nft.commit_mutex);
1048 attr = nla[NFTA_TABLE_NAME];
1049 table = nft_table_lookup(net, attr, family, genmask,
1050 NETLINK_CB(skb).portid);
1051 if (IS_ERR(table)) {
1052 if (PTR_ERR(table) != -ENOENT)
1053 return PTR_ERR(table);
1054 } else {
1055 if (nlh->nlmsg_flags & NLM_F_EXCL) {
1056 NL_SET_BAD_ATTR(extack, attr);
1057 return -EEXIST;
1058 }
1059 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1060 return -EOPNOTSUPP;
1061
1062 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
1063 return nf_tables_updtable(&ctx);
1064 }
1065
1066 if (nla[NFTA_TABLE_FLAGS]) {
1067 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1068 if (flags & ~NFT_TABLE_F_MASK)
1069 return -EOPNOTSUPP;
1070 }
1071
1072 err = -ENOMEM;
1073 table = kzalloc(sizeof(*table), GFP_KERNEL);
1074 if (table == NULL)
1075 goto err_kzalloc;
1076
1077 table->name = nla_strdup(attr, GFP_KERNEL);
1078 if (table->name == NULL)
1079 goto err_strdup;
1080
1081 if (nla[NFTA_TABLE_USERDATA]) {
1082 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL);
1083 if (table->udata == NULL)
1084 goto err_table_udata;
1085
1086 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
1087 }
1088
1089 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1090 if (err)
1091 goto err_chain_ht;
1092
1093 INIT_LIST_HEAD(&table->chains);
1094 INIT_LIST_HEAD(&table->sets);
1095 INIT_LIST_HEAD(&table->objects);
1096 INIT_LIST_HEAD(&table->flowtables);
1097 table->family = family;
1098 table->flags = flags;
1099 table->handle = ++table_handle;
1100 if (table->flags & NFT_TABLE_F_OWNER)
1101 table->nlpid = NETLINK_CB(skb).portid;
1102
1103 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
1104 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1105 if (err < 0)
1106 goto err_trans;
1107
1108 list_add_tail_rcu(&table->list, &net->nft.tables);
1109 return 0;
1110 err_trans:
1111 rhltable_destroy(&table->chains_ht);
1112 err_chain_ht:
1113 kfree(table->udata);
1114 err_table_udata:
1115 kfree(table->name);
1116 err_strdup:
1117 kfree(table);
1118 err_kzalloc:
1119 return err;
1120 }
1121
1122 static int nft_flush_table(struct nft_ctx *ctx)
1123 {
1124 struct nft_flowtable *flowtable, *nft;
1125 struct nft_chain *chain, *nc;
1126 struct nft_object *obj, *ne;
1127 struct nft_set *set, *ns;
1128 int err;
1129
1130 list_for_each_entry(chain, &ctx->table->chains, list) {
1131 if (!nft_is_active_next(ctx->net, chain))
1132 continue;
1133
1134 if (nft_chain_is_bound(chain))
1135 continue;
1136
1137 ctx->chain = chain;
1138
1139 err = nft_delrule_by_chain(ctx);
1140 if (err < 0)
1141 goto out;
1142 }
1143
1144 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1145 if (!nft_is_active_next(ctx->net, set))
1146 continue;
1147
1148 if (nft_set_is_anonymous(set) &&
1149 !list_empty(&set->bindings))
1150 continue;
1151
1152 err = nft_delset(ctx, set);
1153 if (err < 0)
1154 goto out;
1155 }
1156
1157 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1158 if (!nft_is_active_next(ctx->net, flowtable))
1159 continue;
1160
1161 err = nft_delflowtable(ctx, flowtable);
1162 if (err < 0)
1163 goto out;
1164 }
1165
1166 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1167 if (!nft_is_active_next(ctx->net, obj))
1168 continue;
1169
1170 err = nft_delobj(ctx, obj);
1171 if (err < 0)
1172 goto out;
1173 }
1174
1175 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1176 if (!nft_is_active_next(ctx->net, chain))
1177 continue;
1178
1179 if (nft_chain_is_bound(chain))
1180 continue;
1181
1182 ctx->chain = chain;
1183
1184 err = nft_delchain(ctx);
1185 if (err < 0)
1186 goto out;
1187 }
1188
1189 err = nft_deltable(ctx);
1190 out:
1191 return err;
1192 }
1193
1194 static int nft_flush(struct nft_ctx *ctx, int family)
1195 {
1196 struct nft_table *table, *nt;
1197 const struct nlattr * const *nla = ctx->nla;
1198 int err = 0;
1199
1200 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1201 if (family != AF_UNSPEC && table->family != family)
1202 continue;
1203
1204 ctx->family = table->family;
1205
1206 if (!nft_is_active_next(ctx->net, table))
1207 continue;
1208
1209 if (nft_table_has_owner(table) && table->nlpid != ctx->portid)
1210 continue;
1211
1212 if (nla[NFTA_TABLE_NAME] &&
1213 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1214 continue;
1215
1216 ctx->table = table;
1217
1218 err = nft_flush_table(ctx);
1219 if (err < 0)
1220 goto out;
1221 }
1222 out:
1223 return err;
1224 }
1225
1226 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1227 struct sk_buff *skb, const struct nlmsghdr *nlh,
1228 const struct nlattr * const nla[],
1229 struct netlink_ext_ack *extack)
1230 {
1231 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1232 u8 genmask = nft_genmask_next(net);
1233 int family = nfmsg->nfgen_family;
1234 const struct nlattr *attr;
1235 struct nft_table *table;
1236 struct nft_ctx ctx;
1237
1238 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1239 if (family == AF_UNSPEC ||
1240 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1241 return nft_flush(&ctx, family);
1242
1243 if (nla[NFTA_TABLE_HANDLE]) {
1244 attr = nla[NFTA_TABLE_HANDLE];
1245 table = nft_table_lookup_byhandle(net, attr, genmask);
1246 } else {
1247 attr = nla[NFTA_TABLE_NAME];
1248 table = nft_table_lookup(net, attr, family, genmask,
1249 NETLINK_CB(skb).portid);
1250 }
1251
1252 if (IS_ERR(table)) {
1253 NL_SET_BAD_ATTR(extack, attr);
1254 return PTR_ERR(table);
1255 }
1256
1257 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1258 table->use > 0)
1259 return -EBUSY;
1260
1261 ctx.family = family;
1262 ctx.table = table;
1263
1264 return nft_flush_table(&ctx);
1265 }
1266
1267 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1268 {
1269 if (WARN_ON(ctx->table->use > 0))
1270 return;
1271
1272 rhltable_destroy(&ctx->table->chains_ht);
1273 kfree(ctx->table->name);
1274 kfree(ctx->table->udata);
1275 kfree(ctx->table);
1276 }
1277
1278 void nft_register_chain_type(const struct nft_chain_type *ctype)
1279 {
1280 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1281 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1282 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1283 return;
1284 }
1285 chain_type[ctype->family][ctype->type] = ctype;
1286 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1287 }
1288 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1289
1290 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1291 {
1292 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1293 chain_type[ctype->family][ctype->type] = NULL;
1294 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1295 }
1296 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1297
1298 /*
1299 * Chains
1300 */
1301
1302 static struct nft_chain *
1303 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1304 {
1305 struct nft_chain *chain;
1306
1307 list_for_each_entry(chain, &table->chains, list) {
1308 if (chain->handle == handle &&
1309 nft_active_genmask(chain, genmask))
1310 return chain;
1311 }
1312
1313 return ERR_PTR(-ENOENT);
1314 }
1315
1316 static bool lockdep_commit_lock_is_held(const struct net *net)
1317 {
1318 #ifdef CONFIG_PROVE_LOCKING
1319 return lockdep_is_held(&net->nft.commit_mutex);
1320 #else
1321 return true;
1322 #endif
1323 }
1324
1325 static struct nft_chain *nft_chain_lookup(struct net *net,
1326 struct nft_table *table,
1327 const struct nlattr *nla, u8 genmask)
1328 {
1329 char search[NFT_CHAIN_MAXNAMELEN + 1];
1330 struct rhlist_head *tmp, *list;
1331 struct nft_chain *chain;
1332
1333 if (nla == NULL)
1334 return ERR_PTR(-EINVAL);
1335
1336 nla_strscpy(search, nla, sizeof(search));
1337
1338 WARN_ON(!rcu_read_lock_held() &&
1339 !lockdep_commit_lock_is_held(net));
1340
1341 chain = ERR_PTR(-ENOENT);
1342 rcu_read_lock();
1343 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1344 if (!list)
1345 goto out_unlock;
1346
1347 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1348 if (nft_active_genmask(chain, genmask))
1349 goto out_unlock;
1350 }
1351 chain = ERR_PTR(-ENOENT);
1352 out_unlock:
1353 rcu_read_unlock();
1354 return chain;
1355 }
1356
1357 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1358 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1359 .len = NFT_TABLE_MAXNAMELEN - 1 },
1360 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1361 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1362 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1363 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1364 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1365 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1366 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1367 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1368 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1369 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1370 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
1371 .len = NFT_USERDATA_MAXLEN },
1372 };
1373
1374 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1375 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1376 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1377 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1378 .len = IFNAMSIZ - 1 },
1379 };
1380
1381 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1382 {
1383 struct nft_stats *cpu_stats, total;
1384 struct nlattr *nest;
1385 unsigned int seq;
1386 u64 pkts, bytes;
1387 int cpu;
1388
1389 if (!stats)
1390 return 0;
1391
1392 memset(&total, 0, sizeof(total));
1393 for_each_possible_cpu(cpu) {
1394 cpu_stats = per_cpu_ptr(stats, cpu);
1395 do {
1396 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1397 pkts = cpu_stats->pkts;
1398 bytes = cpu_stats->bytes;
1399 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1400 total.pkts += pkts;
1401 total.bytes += bytes;
1402 }
1403 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1404 if (nest == NULL)
1405 goto nla_put_failure;
1406
1407 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1408 NFTA_COUNTER_PAD) ||
1409 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1410 NFTA_COUNTER_PAD))
1411 goto nla_put_failure;
1412
1413 nla_nest_end(skb, nest);
1414 return 0;
1415
1416 nla_put_failure:
1417 return -ENOSPC;
1418 }
1419
1420 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1421 const struct nft_base_chain *basechain)
1422 {
1423 const struct nf_hook_ops *ops = &basechain->ops;
1424 struct nft_hook *hook, *first = NULL;
1425 struct nlattr *nest, *nest_devs;
1426 int n = 0;
1427
1428 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1429 if (nest == NULL)
1430 goto nla_put_failure;
1431 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1432 goto nla_put_failure;
1433 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1434 goto nla_put_failure;
1435
1436 if (nft_base_chain_netdev(family, ops->hooknum)) {
1437 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1438 list_for_each_entry(hook, &basechain->hook_list, list) {
1439 if (!first)
1440 first = hook;
1441
1442 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1443 hook->ops.dev->name))
1444 goto nla_put_failure;
1445 n++;
1446 }
1447 nla_nest_end(skb, nest_devs);
1448
1449 if (n == 1 &&
1450 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1451 goto nla_put_failure;
1452 }
1453 nla_nest_end(skb, nest);
1454
1455 return 0;
1456 nla_put_failure:
1457 return -1;
1458 }
1459
1460 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1461 u32 portid, u32 seq, int event, u32 flags,
1462 int family, const struct nft_table *table,
1463 const struct nft_chain *chain)
1464 {
1465 struct nlmsghdr *nlh;
1466 struct nfgenmsg *nfmsg;
1467
1468 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1469 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1470 if (nlh == NULL)
1471 goto nla_put_failure;
1472
1473 nfmsg = nlmsg_data(nlh);
1474 nfmsg->nfgen_family = family;
1475 nfmsg->version = NFNETLINK_V0;
1476 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1477
1478 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1479 goto nla_put_failure;
1480 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1481 NFTA_CHAIN_PAD))
1482 goto nla_put_failure;
1483 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1484 goto nla_put_failure;
1485
1486 if (nft_is_base_chain(chain)) {
1487 const struct nft_base_chain *basechain = nft_base_chain(chain);
1488 struct nft_stats __percpu *stats;
1489
1490 if (nft_dump_basechain_hook(skb, family, basechain))
1491 goto nla_put_failure;
1492
1493 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1494 htonl(basechain->policy)))
1495 goto nla_put_failure;
1496
1497 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1498 goto nla_put_failure;
1499
1500 stats = rcu_dereference_check(basechain->stats,
1501 lockdep_commit_lock_is_held(net));
1502 if (nft_dump_stats(skb, stats))
1503 goto nla_put_failure;
1504 }
1505
1506 if (chain->flags &&
1507 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
1508 goto nla_put_failure;
1509
1510 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1511 goto nla_put_failure;
1512
1513 if (chain->udata &&
1514 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
1515 goto nla_put_failure;
1516
1517 nlmsg_end(skb, nlh);
1518 return 0;
1519
1520 nla_put_failure:
1521 nlmsg_trim(skb, nlh);
1522 return -1;
1523 }
1524
1525 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1526 {
1527 struct sk_buff *skb;
1528 int err;
1529
1530 if (!ctx->report &&
1531 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1532 return;
1533
1534 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1535 if (skb == NULL)
1536 goto err;
1537
1538 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1539 event, 0, ctx->family, ctx->table,
1540 ctx->chain);
1541 if (err < 0) {
1542 kfree_skb(skb);
1543 goto err;
1544 }
1545
1546 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
1547 return;
1548 err:
1549 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1550 }
1551
1552 static int nf_tables_dump_chains(struct sk_buff *skb,
1553 struct netlink_callback *cb)
1554 {
1555 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1556 const struct nft_table *table;
1557 const struct nft_chain *chain;
1558 unsigned int idx = 0, s_idx = cb->args[0];
1559 struct net *net = sock_net(skb->sk);
1560 int family = nfmsg->nfgen_family;
1561
1562 rcu_read_lock();
1563 cb->seq = net->nft.base_seq;
1564
1565 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1566 if (family != NFPROTO_UNSPEC && family != table->family)
1567 continue;
1568
1569 list_for_each_entry_rcu(chain, &table->chains, list) {
1570 if (idx < s_idx)
1571 goto cont;
1572 if (idx > s_idx)
1573 memset(&cb->args[1], 0,
1574 sizeof(cb->args) - sizeof(cb->args[0]));
1575 if (!nft_is_active(net, chain))
1576 continue;
1577 if (nf_tables_fill_chain_info(skb, net,
1578 NETLINK_CB(cb->skb).portid,
1579 cb->nlh->nlmsg_seq,
1580 NFT_MSG_NEWCHAIN,
1581 NLM_F_MULTI,
1582 table->family, table,
1583 chain) < 0)
1584 goto done;
1585
1586 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1587 cont:
1588 idx++;
1589 }
1590 }
1591 done:
1592 rcu_read_unlock();
1593 cb->args[0] = idx;
1594 return skb->len;
1595 }
1596
1597 /* called with rcu_read_lock held */
1598 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1599 struct sk_buff *skb, const struct nlmsghdr *nlh,
1600 const struct nlattr * const nla[],
1601 struct netlink_ext_ack *extack)
1602 {
1603 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1604 u8 genmask = nft_genmask_cur(net);
1605 const struct nft_chain *chain;
1606 struct nft_table *table;
1607 struct sk_buff *skb2;
1608 int family = nfmsg->nfgen_family;
1609 int err;
1610
1611 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1612 struct netlink_dump_control c = {
1613 .dump = nf_tables_dump_chains,
1614 .module = THIS_MODULE,
1615 };
1616
1617 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1618 }
1619
1620 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0);
1621 if (IS_ERR(table)) {
1622 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1623 return PTR_ERR(table);
1624 }
1625
1626 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1627 if (IS_ERR(chain)) {
1628 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1629 return PTR_ERR(chain);
1630 }
1631
1632 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1633 if (!skb2)
1634 return -ENOMEM;
1635
1636 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1637 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1638 family, table, chain);
1639 if (err < 0)
1640 goto err_fill_chain_info;
1641
1642 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1643
1644 err_fill_chain_info:
1645 kfree_skb(skb2);
1646 return err;
1647 }
1648
1649 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1650 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1651 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1652 };
1653
1654 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1655 {
1656 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1657 struct nft_stats __percpu *newstats;
1658 struct nft_stats *stats;
1659 int err;
1660
1661 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1662 nft_counter_policy, NULL);
1663 if (err < 0)
1664 return ERR_PTR(err);
1665
1666 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1667 return ERR_PTR(-EINVAL);
1668
1669 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1670 if (newstats == NULL)
1671 return ERR_PTR(-ENOMEM);
1672
1673 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1674 * are not exposed to userspace.
1675 */
1676 preempt_disable();
1677 stats = this_cpu_ptr(newstats);
1678 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1679 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1680 preempt_enable();
1681
1682 return newstats;
1683 }
1684
1685 static void nft_chain_stats_replace(struct nft_trans *trans)
1686 {
1687 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1688
1689 if (!nft_trans_chain_stats(trans))
1690 return;
1691
1692 nft_trans_chain_stats(trans) =
1693 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
1694 lockdep_commit_lock_is_held(trans->ctx.net));
1695
1696 if (!nft_trans_chain_stats(trans))
1697 static_branch_inc(&nft_counters_enabled);
1698 }
1699
1700 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1701 {
1702 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1703 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1704
1705 if (g0 != g1)
1706 kvfree(g1);
1707 kvfree(g0);
1708
1709 /* should be NULL either via abort or via successful commit */
1710 WARN_ON_ONCE(chain->rules_next);
1711 kvfree(chain->rules_next);
1712 }
1713
1714 void nf_tables_chain_destroy(struct nft_ctx *ctx)
1715 {
1716 struct nft_chain *chain = ctx->chain;
1717 struct nft_hook *hook, *next;
1718
1719 if (WARN_ON(chain->use > 0))
1720 return;
1721
1722 /* no concurrent access possible anymore */
1723 nf_tables_chain_free_chain_rules(chain);
1724
1725 if (nft_is_base_chain(chain)) {
1726 struct nft_base_chain *basechain = nft_base_chain(chain);
1727
1728 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
1729 list_for_each_entry_safe(hook, next,
1730 &basechain->hook_list, list) {
1731 list_del_rcu(&hook->list);
1732 kfree_rcu(hook, rcu);
1733 }
1734 }
1735 module_put(basechain->type->owner);
1736 if (rcu_access_pointer(basechain->stats)) {
1737 static_branch_dec(&nft_counters_enabled);
1738 free_percpu(rcu_dereference_raw(basechain->stats));
1739 }
1740 kfree(chain->name);
1741 kfree(chain->udata);
1742 kfree(basechain);
1743 } else {
1744 kfree(chain->name);
1745 kfree(chain->udata);
1746 kfree(chain);
1747 }
1748 }
1749
1750 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
1751 const struct nlattr *attr)
1752 {
1753 struct net_device *dev;
1754 char ifname[IFNAMSIZ];
1755 struct nft_hook *hook;
1756 int err;
1757
1758 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL);
1759 if (!hook) {
1760 err = -ENOMEM;
1761 goto err_hook_alloc;
1762 }
1763
1764 nla_strscpy(ifname, attr, IFNAMSIZ);
1765 /* nf_tables_netdev_event() is called under rtnl_mutex, this is
1766 * indirectly serializing all the other holders of the commit_mutex with
1767 * the rtnl_mutex.
1768 */
1769 dev = __dev_get_by_name(net, ifname);
1770 if (!dev) {
1771 err = -ENOENT;
1772 goto err_hook_dev;
1773 }
1774 hook->ops.dev = dev;
1775 hook->inactive = false;
1776
1777 return hook;
1778
1779 err_hook_dev:
1780 kfree(hook);
1781 err_hook_alloc:
1782 return ERR_PTR(err);
1783 }
1784
1785 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
1786 const struct nft_hook *this)
1787 {
1788 struct nft_hook *hook;
1789
1790 list_for_each_entry(hook, hook_list, list) {
1791 if (this->ops.dev == hook->ops.dev)
1792 return hook;
1793 }
1794
1795 return NULL;
1796 }
1797
1798 static int nf_tables_parse_netdev_hooks(struct net *net,
1799 const struct nlattr *attr,
1800 struct list_head *hook_list)
1801 {
1802 struct nft_hook *hook, *next;
1803 const struct nlattr *tmp;
1804 int rem, n = 0, err;
1805
1806 nla_for_each_nested(tmp, attr, rem) {
1807 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
1808 err = -EINVAL;
1809 goto err_hook;
1810 }
1811
1812 hook = nft_netdev_hook_alloc(net, tmp);
1813 if (IS_ERR(hook)) {
1814 err = PTR_ERR(hook);
1815 goto err_hook;
1816 }
1817 if (nft_hook_list_find(hook_list, hook)) {
1818 kfree(hook);
1819 err = -EEXIST;
1820 goto err_hook;
1821 }
1822 list_add_tail(&hook->list, hook_list);
1823 n++;
1824
1825 if (n == NFT_NETDEVICE_MAX) {
1826 err = -EFBIG;
1827 goto err_hook;
1828 }
1829 }
1830
1831 return 0;
1832
1833 err_hook:
1834 list_for_each_entry_safe(hook, next, hook_list, list) {
1835 list_del(&hook->list);
1836 kfree(hook);
1837 }
1838 return err;
1839 }
1840
1841 struct nft_chain_hook {
1842 u32 num;
1843 s32 priority;
1844 const struct nft_chain_type *type;
1845 struct list_head list;
1846 };
1847
1848 static int nft_chain_parse_netdev(struct net *net,
1849 struct nlattr *tb[],
1850 struct list_head *hook_list)
1851 {
1852 struct nft_hook *hook;
1853 int err;
1854
1855 if (tb[NFTA_HOOK_DEV]) {
1856 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
1857 if (IS_ERR(hook))
1858 return PTR_ERR(hook);
1859
1860 list_add_tail(&hook->list, hook_list);
1861 } else if (tb[NFTA_HOOK_DEVS]) {
1862 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
1863 hook_list);
1864 if (err < 0)
1865 return err;
1866
1867 if (list_empty(hook_list))
1868 return -EINVAL;
1869 } else {
1870 return -EINVAL;
1871 }
1872
1873 return 0;
1874 }
1875
1876 static int nft_chain_parse_hook(struct net *net,
1877 const struct nlattr * const nla[],
1878 struct nft_chain_hook *hook, u8 family,
1879 bool autoload)
1880 {
1881 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1882 const struct nft_chain_type *type;
1883 int err;
1884
1885 lockdep_assert_held(&net->nft.commit_mutex);
1886 lockdep_nfnl_nft_mutex_not_held();
1887
1888 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
1889 nla[NFTA_CHAIN_HOOK],
1890 nft_hook_policy, NULL);
1891 if (err < 0)
1892 return err;
1893
1894 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1895 ha[NFTA_HOOK_PRIORITY] == NULL)
1896 return -EINVAL;
1897
1898 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1899 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1900
1901 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
1902 if (!type)
1903 return -EOPNOTSUPP;
1904
1905 if (nla[NFTA_CHAIN_TYPE]) {
1906 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1907 family, autoload);
1908 if (IS_ERR(type))
1909 return PTR_ERR(type);
1910 }
1911 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1912 return -EOPNOTSUPP;
1913
1914 if (type->type == NFT_CHAIN_T_NAT &&
1915 hook->priority <= NF_IP_PRI_CONNTRACK)
1916 return -EOPNOTSUPP;
1917
1918 if (!try_module_get(type->owner))
1919 return -ENOENT;
1920
1921 hook->type = type;
1922
1923 INIT_LIST_HEAD(&hook->list);
1924 if (nft_base_chain_netdev(family, hook->num)) {
1925 err = nft_chain_parse_netdev(net, ha, &hook->list);
1926 if (err < 0) {
1927 module_put(type->owner);
1928 return err;
1929 }
1930 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
1931 module_put(type->owner);
1932 return -EOPNOTSUPP;
1933 }
1934
1935 return 0;
1936 }
1937
1938 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1939 {
1940 struct nft_hook *h, *next;
1941
1942 list_for_each_entry_safe(h, next, &hook->list, list) {
1943 list_del(&h->list);
1944 kfree(h);
1945 }
1946 module_put(hook->type->owner);
1947 }
1948
1949 struct nft_rules_old {
1950 struct rcu_head h;
1951 struct nft_rule **start;
1952 };
1953
1954 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1955 unsigned int alloc)
1956 {
1957 if (alloc > INT_MAX)
1958 return NULL;
1959
1960 alloc += 1; /* NULL, ends rules */
1961 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1962 return NULL;
1963
1964 alloc *= sizeof(struct nft_rule *);
1965 alloc += sizeof(struct nft_rules_old);
1966
1967 return kvmalloc(alloc, GFP_KERNEL);
1968 }
1969
1970 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
1971 const struct nft_chain_hook *hook,
1972 struct nft_chain *chain)
1973 {
1974 ops->pf = family;
1975 ops->hooknum = hook->num;
1976 ops->priority = hook->priority;
1977 ops->priv = chain;
1978 ops->hook = hook->type->hooks[ops->hooknum];
1979 }
1980
1981 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
1982 struct nft_chain_hook *hook, u32 flags)
1983 {
1984 struct nft_chain *chain;
1985 struct nft_hook *h;
1986
1987 basechain->type = hook->type;
1988 INIT_LIST_HEAD(&basechain->hook_list);
1989 chain = &basechain->chain;
1990
1991 if (nft_base_chain_netdev(family, hook->num)) {
1992 list_splice_init(&hook->list, &basechain->hook_list);
1993 list_for_each_entry(h, &basechain->hook_list, list)
1994 nft_basechain_hook_init(&h->ops, family, hook, chain);
1995
1996 basechain->ops.hooknum = hook->num;
1997 basechain->ops.priority = hook->priority;
1998 } else {
1999 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
2000 }
2001
2002 chain->flags |= NFT_CHAIN_BASE | flags;
2003 basechain->policy = NF_ACCEPT;
2004 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
2005 nft_chain_offload_priority(basechain) < 0)
2006 return -EOPNOTSUPP;
2007
2008 flow_block_init(&basechain->flow_block);
2009
2010 return 0;
2011 }
2012
2013 static int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
2014 {
2015 int err;
2016
2017 err = rhltable_insert_key(&table->chains_ht, chain->name,
2018 &chain->rhlhead, nft_chain_ht_params);
2019 if (err)
2020 return err;
2021
2022 list_add_tail_rcu(&chain->list, &table->chains);
2023
2024 return 0;
2025 }
2026
2027 static u64 chain_id;
2028
2029 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
2030 u8 policy, u32 flags)
2031 {
2032 const struct nlattr * const *nla = ctx->nla;
2033 struct nft_table *table = ctx->table;
2034 struct nft_base_chain *basechain;
2035 struct nft_stats __percpu *stats;
2036 struct net *net = ctx->net;
2037 char name[NFT_NAME_MAXLEN];
2038 struct nft_trans *trans;
2039 struct nft_chain *chain;
2040 struct nft_rule **rules;
2041 int err;
2042
2043 if (table->use == UINT_MAX)
2044 return -EOVERFLOW;
2045
2046 if (nla[NFTA_CHAIN_HOOK]) {
2047 struct nft_chain_hook hook;
2048
2049 if (flags & NFT_CHAIN_BINDING)
2050 return -EOPNOTSUPP;
2051
2052 err = nft_chain_parse_hook(net, nla, &hook, family, true);
2053 if (err < 0)
2054 return err;
2055
2056 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
2057 if (basechain == NULL) {
2058 nft_chain_release_hook(&hook);
2059 return -ENOMEM;
2060 }
2061 chain = &basechain->chain;
2062
2063 if (nla[NFTA_CHAIN_COUNTERS]) {
2064 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2065 if (IS_ERR(stats)) {
2066 nft_chain_release_hook(&hook);
2067 kfree(basechain);
2068 return PTR_ERR(stats);
2069 }
2070 rcu_assign_pointer(basechain->stats, stats);
2071 static_branch_inc(&nft_counters_enabled);
2072 }
2073
2074 err = nft_basechain_init(basechain, family, &hook, flags);
2075 if (err < 0) {
2076 nft_chain_release_hook(&hook);
2077 kfree(basechain);
2078 return err;
2079 }
2080 } else {
2081 if (flags & NFT_CHAIN_BASE)
2082 return -EINVAL;
2083 if (flags & NFT_CHAIN_HW_OFFLOAD)
2084 return -EOPNOTSUPP;
2085
2086 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
2087 if (chain == NULL)
2088 return -ENOMEM;
2089
2090 chain->flags = flags;
2091 }
2092 ctx->chain = chain;
2093
2094 INIT_LIST_HEAD(&chain->rules);
2095 chain->handle = nf_tables_alloc_handle(table);
2096 chain->table = table;
2097
2098 if (nla[NFTA_CHAIN_NAME]) {
2099 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2100 } else {
2101 if (!(flags & NFT_CHAIN_BINDING)) {
2102 err = -EINVAL;
2103 goto err_destroy_chain;
2104 }
2105
2106 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2107 chain->name = kstrdup(name, GFP_KERNEL);
2108 }
2109
2110 if (!chain->name) {
2111 err = -ENOMEM;
2112 goto err_destroy_chain;
2113 }
2114
2115 if (nla[NFTA_CHAIN_USERDATA]) {
2116 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL);
2117 if (chain->udata == NULL) {
2118 err = -ENOMEM;
2119 goto err_destroy_chain;
2120 }
2121 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
2122 }
2123
2124 rules = nf_tables_chain_alloc_rules(chain, 0);
2125 if (!rules) {
2126 err = -ENOMEM;
2127 goto err_destroy_chain;
2128 }
2129
2130 *rules = NULL;
2131 rcu_assign_pointer(chain->rules_gen_0, rules);
2132 rcu_assign_pointer(chain->rules_gen_1, rules);
2133
2134 err = nf_tables_register_hook(net, table, chain);
2135 if (err < 0)
2136 goto err_destroy_chain;
2137
2138 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2139 if (IS_ERR(trans)) {
2140 err = PTR_ERR(trans);
2141 goto err_unregister_hook;
2142 }
2143
2144 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2145 if (nft_is_base_chain(chain))
2146 nft_trans_chain_policy(trans) = policy;
2147
2148 err = nft_chain_add(table, chain);
2149 if (err < 0) {
2150 nft_trans_destroy(trans);
2151 goto err_unregister_hook;
2152 }
2153
2154 table->use++;
2155
2156 return 0;
2157 err_unregister_hook:
2158 nf_tables_unregister_hook(net, table, chain);
2159 err_destroy_chain:
2160 nf_tables_chain_destroy(ctx);
2161
2162 return err;
2163 }
2164
2165 static bool nft_hook_list_equal(struct list_head *hook_list1,
2166 struct list_head *hook_list2)
2167 {
2168 struct nft_hook *hook;
2169 int n = 0, m = 0;
2170
2171 n = 0;
2172 list_for_each_entry(hook, hook_list2, list) {
2173 if (!nft_hook_list_find(hook_list1, hook))
2174 return false;
2175
2176 n++;
2177 }
2178 list_for_each_entry(hook, hook_list1, list)
2179 m++;
2180
2181 return n == m;
2182 }
2183
2184 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2185 u32 flags, const struct nlattr *attr,
2186 struct netlink_ext_ack *extack)
2187 {
2188 const struct nlattr * const *nla = ctx->nla;
2189 struct nft_table *table = ctx->table;
2190 struct nft_chain *chain = ctx->chain;
2191 struct nft_base_chain *basechain;
2192 struct nft_stats *stats = NULL;
2193 struct nft_chain_hook hook;
2194 struct nf_hook_ops *ops;
2195 struct nft_trans *trans;
2196 int err;
2197
2198 if (chain->flags ^ flags)
2199 return -EOPNOTSUPP;
2200
2201 if (nla[NFTA_CHAIN_HOOK]) {
2202 if (!nft_is_base_chain(chain)) {
2203 NL_SET_BAD_ATTR(extack, attr);
2204 return -EEXIST;
2205 }
2206 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
2207 false);
2208 if (err < 0)
2209 return err;
2210
2211 basechain = nft_base_chain(chain);
2212 if (basechain->type != hook.type) {
2213 nft_chain_release_hook(&hook);
2214 NL_SET_BAD_ATTR(extack, attr);
2215 return -EEXIST;
2216 }
2217
2218 if (nft_base_chain_netdev(ctx->family, hook.num)) {
2219 if (!nft_hook_list_equal(&basechain->hook_list,
2220 &hook.list)) {
2221 nft_chain_release_hook(&hook);
2222 NL_SET_BAD_ATTR(extack, attr);
2223 return -EEXIST;
2224 }
2225 } else {
2226 ops = &basechain->ops;
2227 if (ops->hooknum != hook.num ||
2228 ops->priority != hook.priority) {
2229 nft_chain_release_hook(&hook);
2230 NL_SET_BAD_ATTR(extack, attr);
2231 return -EEXIST;
2232 }
2233 }
2234 nft_chain_release_hook(&hook);
2235 }
2236
2237 if (nla[NFTA_CHAIN_HANDLE] &&
2238 nla[NFTA_CHAIN_NAME]) {
2239 struct nft_chain *chain2;
2240
2241 chain2 = nft_chain_lookup(ctx->net, table,
2242 nla[NFTA_CHAIN_NAME], genmask);
2243 if (!IS_ERR(chain2)) {
2244 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2245 return -EEXIST;
2246 }
2247 }
2248
2249 if (nla[NFTA_CHAIN_COUNTERS]) {
2250 if (!nft_is_base_chain(chain))
2251 return -EOPNOTSUPP;
2252
2253 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2254 if (IS_ERR(stats))
2255 return PTR_ERR(stats);
2256 }
2257
2258 err = -ENOMEM;
2259 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2260 sizeof(struct nft_trans_chain));
2261 if (trans == NULL)
2262 goto err;
2263
2264 nft_trans_chain_stats(trans) = stats;
2265 nft_trans_chain_update(trans) = true;
2266
2267 if (nla[NFTA_CHAIN_POLICY])
2268 nft_trans_chain_policy(trans) = policy;
2269 else
2270 nft_trans_chain_policy(trans) = -1;
2271
2272 if (nla[NFTA_CHAIN_HANDLE] &&
2273 nla[NFTA_CHAIN_NAME]) {
2274 struct nft_trans *tmp;
2275 char *name;
2276
2277 err = -ENOMEM;
2278 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2279 if (!name)
2280 goto err;
2281
2282 err = -EEXIST;
2283 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
2284 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2285 tmp->ctx.table == table &&
2286 nft_trans_chain_update(tmp) &&
2287 nft_trans_chain_name(tmp) &&
2288 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2289 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2290 kfree(name);
2291 goto err;
2292 }
2293 }
2294
2295 nft_trans_chain_name(trans) = name;
2296 }
2297 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
2298
2299 return 0;
2300 err:
2301 free_percpu(stats);
2302 kfree(trans);
2303 return err;
2304 }
2305
2306 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2307 const struct nlattr *nla)
2308 {
2309 u32 id = ntohl(nla_get_be32(nla));
2310 struct nft_trans *trans;
2311
2312 list_for_each_entry(trans, &net->nft.commit_list, list) {
2313 struct nft_chain *chain = trans->ctx.chain;
2314
2315 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2316 id == nft_trans_chain_id(trans))
2317 return chain;
2318 }
2319 return ERR_PTR(-ENOENT);
2320 }
2321
2322 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
2323 struct sk_buff *skb, const struct nlmsghdr *nlh,
2324 const struct nlattr * const nla[],
2325 struct netlink_ext_ack *extack)
2326 {
2327 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2328 u8 genmask = nft_genmask_next(net);
2329 int family = nfmsg->nfgen_family;
2330 struct nft_chain *chain = NULL;
2331 const struct nlattr *attr;
2332 struct nft_table *table;
2333 u8 policy = NF_ACCEPT;
2334 struct nft_ctx ctx;
2335 u64 handle = 0;
2336 u32 flags = 0;
2337
2338 lockdep_assert_held(&net->nft.commit_mutex);
2339
2340 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2341 NETLINK_CB(skb).portid);
2342 if (IS_ERR(table)) {
2343 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2344 return PTR_ERR(table);
2345 }
2346
2347 chain = NULL;
2348 attr = nla[NFTA_CHAIN_NAME];
2349
2350 if (nla[NFTA_CHAIN_HANDLE]) {
2351 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2352 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2353 if (IS_ERR(chain)) {
2354 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2355 return PTR_ERR(chain);
2356 }
2357 attr = nla[NFTA_CHAIN_HANDLE];
2358 } else if (nla[NFTA_CHAIN_NAME]) {
2359 chain = nft_chain_lookup(net, table, attr, genmask);
2360 if (IS_ERR(chain)) {
2361 if (PTR_ERR(chain) != -ENOENT) {
2362 NL_SET_BAD_ATTR(extack, attr);
2363 return PTR_ERR(chain);
2364 }
2365 chain = NULL;
2366 }
2367 } else if (!nla[NFTA_CHAIN_ID]) {
2368 return -EINVAL;
2369 }
2370
2371 if (nla[NFTA_CHAIN_POLICY]) {
2372 if (chain != NULL &&
2373 !nft_is_base_chain(chain)) {
2374 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2375 return -EOPNOTSUPP;
2376 }
2377
2378 if (chain == NULL &&
2379 nla[NFTA_CHAIN_HOOK] == NULL) {
2380 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2381 return -EOPNOTSUPP;
2382 }
2383
2384 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2385 switch (policy) {
2386 case NF_DROP:
2387 case NF_ACCEPT:
2388 break;
2389 default:
2390 return -EINVAL;
2391 }
2392 }
2393
2394 if (nla[NFTA_CHAIN_FLAGS])
2395 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2396 else if (chain)
2397 flags = chain->flags;
2398
2399 if (flags & ~NFT_CHAIN_FLAGS)
2400 return -EOPNOTSUPP;
2401
2402 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2403
2404 if (chain != NULL) {
2405 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2406 NL_SET_BAD_ATTR(extack, attr);
2407 return -EEXIST;
2408 }
2409 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2410 return -EOPNOTSUPP;
2411
2412 flags |= chain->flags & NFT_CHAIN_BASE;
2413 return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
2414 extack);
2415 }
2416
2417 return nf_tables_addchain(&ctx, family, genmask, policy, flags);
2418 }
2419
2420 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
2421 struct sk_buff *skb, const struct nlmsghdr *nlh,
2422 const struct nlattr * const nla[],
2423 struct netlink_ext_ack *extack)
2424 {
2425 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2426 u8 genmask = nft_genmask_next(net);
2427 int family = nfmsg->nfgen_family;
2428 const struct nlattr *attr;
2429 struct nft_table *table;
2430 struct nft_chain *chain;
2431 struct nft_rule *rule;
2432 struct nft_ctx ctx;
2433 u64 handle;
2434 u32 use;
2435 int err;
2436
2437 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2438 NETLINK_CB(skb).portid);
2439 if (IS_ERR(table)) {
2440 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2441 return PTR_ERR(table);
2442 }
2443
2444 if (nla[NFTA_CHAIN_HANDLE]) {
2445 attr = nla[NFTA_CHAIN_HANDLE];
2446 handle = be64_to_cpu(nla_get_be64(attr));
2447 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2448 } else {
2449 attr = nla[NFTA_CHAIN_NAME];
2450 chain = nft_chain_lookup(net, table, attr, genmask);
2451 }
2452 if (IS_ERR(chain)) {
2453 NL_SET_BAD_ATTR(extack, attr);
2454 return PTR_ERR(chain);
2455 }
2456
2457 if (nlh->nlmsg_flags & NLM_F_NONREC &&
2458 chain->use > 0)
2459 return -EBUSY;
2460
2461 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2462
2463 use = chain->use;
2464 list_for_each_entry(rule, &chain->rules, list) {
2465 if (!nft_is_active_next(net, rule))
2466 continue;
2467 use--;
2468
2469 err = nft_delrule(&ctx, rule);
2470 if (err < 0)
2471 return err;
2472 }
2473
2474 /* There are rules and elements that are still holding references to us,
2475 * we cannot do a recursive removal in this case.
2476 */
2477 if (use > 0) {
2478 NL_SET_BAD_ATTR(extack, attr);
2479 return -EBUSY;
2480 }
2481
2482 return nft_delchain(&ctx);
2483 }
2484
2485 /*
2486 * Expressions
2487 */
2488
2489 /**
2490 * nft_register_expr - register nf_tables expr type
2491 * @type: expr type
2492 *
2493 * Registers the expr type for use with nf_tables. Returns zero on
2494 * success or a negative errno code otherwise.
2495 */
2496 int nft_register_expr(struct nft_expr_type *type)
2497 {
2498 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2499 if (type->family == NFPROTO_UNSPEC)
2500 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2501 else
2502 list_add_rcu(&type->list, &nf_tables_expressions);
2503 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2504 return 0;
2505 }
2506 EXPORT_SYMBOL_GPL(nft_register_expr);
2507
2508 /**
2509 * nft_unregister_expr - unregister nf_tables expr type
2510 * @type: expr type
2511 *
2512 * Unregisters the expr typefor use with nf_tables.
2513 */
2514 void nft_unregister_expr(struct nft_expr_type *type)
2515 {
2516 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2517 list_del_rcu(&type->list);
2518 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2519 }
2520 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2521
2522 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2523 struct nlattr *nla)
2524 {
2525 const struct nft_expr_type *type, *candidate = NULL;
2526
2527 list_for_each_entry(type, &nf_tables_expressions, list) {
2528 if (!nla_strcmp(nla, type->name)) {
2529 if (!type->family && !candidate)
2530 candidate = type;
2531 else if (type->family == family)
2532 candidate = type;
2533 }
2534 }
2535 return candidate;
2536 }
2537
2538 #ifdef CONFIG_MODULES
2539 static int nft_expr_type_request_module(struct net *net, u8 family,
2540 struct nlattr *nla)
2541 {
2542 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
2543 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
2544 return -EAGAIN;
2545
2546 return 0;
2547 }
2548 #endif
2549
2550 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2551 u8 family,
2552 struct nlattr *nla)
2553 {
2554 const struct nft_expr_type *type;
2555
2556 if (nla == NULL)
2557 return ERR_PTR(-EINVAL);
2558
2559 type = __nft_expr_type_get(family, nla);
2560 if (type != NULL && try_module_get(type->owner))
2561 return type;
2562
2563 lockdep_nfnl_nft_mutex_not_held();
2564 #ifdef CONFIG_MODULES
2565 if (type == NULL) {
2566 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2567 return ERR_PTR(-EAGAIN);
2568
2569 if (nft_request_module(net, "nft-expr-%.*s",
2570 nla_len(nla),
2571 (char *)nla_data(nla)) == -EAGAIN)
2572 return ERR_PTR(-EAGAIN);
2573 }
2574 #endif
2575 return ERR_PTR(-ENOENT);
2576 }
2577
2578 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2579 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
2580 .len = NFT_MODULE_AUTOLOAD_LIMIT },
2581 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2582 };
2583
2584 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2585 const struct nft_expr *expr)
2586 {
2587 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2588 goto nla_put_failure;
2589
2590 if (expr->ops->dump) {
2591 struct nlattr *data = nla_nest_start_noflag(skb,
2592 NFTA_EXPR_DATA);
2593 if (data == NULL)
2594 goto nla_put_failure;
2595 if (expr->ops->dump(skb, expr) < 0)
2596 goto nla_put_failure;
2597 nla_nest_end(skb, data);
2598 }
2599
2600 return skb->len;
2601
2602 nla_put_failure:
2603 return -1;
2604 };
2605
2606 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2607 const struct nft_expr *expr)
2608 {
2609 struct nlattr *nest;
2610
2611 nest = nla_nest_start_noflag(skb, attr);
2612 if (!nest)
2613 goto nla_put_failure;
2614 if (nf_tables_fill_expr_info(skb, expr) < 0)
2615 goto nla_put_failure;
2616 nla_nest_end(skb, nest);
2617 return 0;
2618
2619 nla_put_failure:
2620 return -1;
2621 }
2622
2623 struct nft_expr_info {
2624 const struct nft_expr_ops *ops;
2625 const struct nlattr *attr;
2626 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2627 };
2628
2629 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2630 const struct nlattr *nla,
2631 struct nft_expr_info *info)
2632 {
2633 const struct nft_expr_type *type;
2634 const struct nft_expr_ops *ops;
2635 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2636 int err;
2637
2638 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2639 nft_expr_policy, NULL);
2640 if (err < 0)
2641 return err;
2642
2643 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2644 if (IS_ERR(type))
2645 return PTR_ERR(type);
2646
2647 if (tb[NFTA_EXPR_DATA]) {
2648 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2649 tb[NFTA_EXPR_DATA],
2650 type->policy, NULL);
2651 if (err < 0)
2652 goto err1;
2653 } else
2654 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2655
2656 if (type->select_ops != NULL) {
2657 ops = type->select_ops(ctx,
2658 (const struct nlattr * const *)info->tb);
2659 if (IS_ERR(ops)) {
2660 err = PTR_ERR(ops);
2661 #ifdef CONFIG_MODULES
2662 if (err == -EAGAIN)
2663 if (nft_expr_type_request_module(ctx->net,
2664 ctx->family,
2665 tb[NFTA_EXPR_NAME]) != -EAGAIN)
2666 err = -ENOENT;
2667 #endif
2668 goto err1;
2669 }
2670 } else
2671 ops = type->ops;
2672
2673 info->attr = nla;
2674 info->ops = ops;
2675
2676 return 0;
2677
2678 err1:
2679 module_put(type->owner);
2680 return err;
2681 }
2682
2683 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2684 const struct nft_expr_info *info,
2685 struct nft_expr *expr)
2686 {
2687 const struct nft_expr_ops *ops = info->ops;
2688 int err;
2689
2690 expr->ops = ops;
2691 if (ops->init) {
2692 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2693 if (err < 0)
2694 goto err1;
2695 }
2696
2697 return 0;
2698 err1:
2699 expr->ops = NULL;
2700 return err;
2701 }
2702
2703 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2704 struct nft_expr *expr)
2705 {
2706 const struct nft_expr_type *type = expr->ops->type;
2707
2708 if (expr->ops->destroy)
2709 expr->ops->destroy(ctx, expr);
2710 module_put(type->owner);
2711 }
2712
2713 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2714 const struct nlattr *nla)
2715 {
2716 struct nft_expr_info info;
2717 struct nft_expr *expr;
2718 struct module *owner;
2719 int err;
2720
2721 err = nf_tables_expr_parse(ctx, nla, &info);
2722 if (err < 0)
2723 goto err1;
2724
2725 err = -ENOMEM;
2726 expr = kzalloc(info.ops->size, GFP_KERNEL);
2727 if (expr == NULL)
2728 goto err2;
2729
2730 err = nf_tables_newexpr(ctx, &info, expr);
2731 if (err < 0)
2732 goto err3;
2733
2734 return expr;
2735 err3:
2736 kfree(expr);
2737 err2:
2738 owner = info.ops->type->owner;
2739 if (info.ops->type->release_ops)
2740 info.ops->type->release_ops(info.ops);
2741
2742 module_put(owner);
2743 err1:
2744 return ERR_PTR(err);
2745 }
2746
2747 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
2748 {
2749 int err;
2750
2751 if (src->ops->clone) {
2752 dst->ops = src->ops;
2753 err = src->ops->clone(dst, src);
2754 if (err < 0)
2755 return err;
2756 } else {
2757 memcpy(dst, src, src->ops->size);
2758 }
2759
2760 __module_get(src->ops->type->owner);
2761
2762 return 0;
2763 }
2764
2765 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2766 {
2767 nf_tables_expr_destroy(ctx, expr);
2768 kfree(expr);
2769 }
2770
2771 /*
2772 * Rules
2773 */
2774
2775 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2776 u64 handle)
2777 {
2778 struct nft_rule *rule;
2779
2780 // FIXME: this sucks
2781 list_for_each_entry_rcu(rule, &chain->rules, list) {
2782 if (handle == rule->handle)
2783 return rule;
2784 }
2785
2786 return ERR_PTR(-ENOENT);
2787 }
2788
2789 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2790 const struct nlattr *nla)
2791 {
2792 if (nla == NULL)
2793 return ERR_PTR(-EINVAL);
2794
2795 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2796 }
2797
2798 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2799 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2800 .len = NFT_TABLE_MAXNAMELEN - 1 },
2801 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2802 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2803 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2804 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2805 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2806 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2807 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2808 .len = NFT_USERDATA_MAXLEN },
2809 [NFTA_RULE_ID] = { .type = NLA_U32 },
2810 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2811 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
2812 };
2813
2814 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2815 u32 portid, u32 seq, int event,
2816 u32 flags, int family,
2817 const struct nft_table *table,
2818 const struct nft_chain *chain,
2819 const struct nft_rule *rule,
2820 const struct nft_rule *prule)
2821 {
2822 struct nlmsghdr *nlh;
2823 struct nfgenmsg *nfmsg;
2824 const struct nft_expr *expr, *next;
2825 struct nlattr *list;
2826 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2827
2828 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2829 if (nlh == NULL)
2830 goto nla_put_failure;
2831
2832 nfmsg = nlmsg_data(nlh);
2833 nfmsg->nfgen_family = family;
2834 nfmsg->version = NFNETLINK_V0;
2835 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2836
2837 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2838 goto nla_put_failure;
2839 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2840 goto nla_put_failure;
2841 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2842 NFTA_RULE_PAD))
2843 goto nla_put_failure;
2844
2845 if (event != NFT_MSG_DELRULE && prule) {
2846 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2847 cpu_to_be64(prule->handle),
2848 NFTA_RULE_PAD))
2849 goto nla_put_failure;
2850 }
2851
2852 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
2853 if (list == NULL)
2854 goto nla_put_failure;
2855 nft_rule_for_each_expr(expr, next, rule) {
2856 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2857 goto nla_put_failure;
2858 }
2859 nla_nest_end(skb, list);
2860
2861 if (rule->udata) {
2862 struct nft_userdata *udata = nft_userdata(rule);
2863 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2864 udata->data) < 0)
2865 goto nla_put_failure;
2866 }
2867
2868 nlmsg_end(skb, nlh);
2869 return 0;
2870
2871 nla_put_failure:
2872 nlmsg_trim(skb, nlh);
2873 return -1;
2874 }
2875
2876 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2877 const struct nft_rule *rule, int event)
2878 {
2879 struct sk_buff *skb;
2880 int err;
2881
2882 if (!ctx->report &&
2883 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2884 return;
2885
2886 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2887 if (skb == NULL)
2888 goto err;
2889
2890 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2891 event, 0, ctx->family, ctx->table,
2892 ctx->chain, rule, NULL);
2893 if (err < 0) {
2894 kfree_skb(skb);
2895 goto err;
2896 }
2897
2898 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
2899 return;
2900 err:
2901 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2902 }
2903
2904 struct nft_rule_dump_ctx {
2905 char *table;
2906 char *chain;
2907 };
2908
2909 static int __nf_tables_dump_rules(struct sk_buff *skb,
2910 unsigned int *idx,
2911 struct netlink_callback *cb,
2912 const struct nft_table *table,
2913 const struct nft_chain *chain)
2914 {
2915 struct net *net = sock_net(skb->sk);
2916 const struct nft_rule *rule, *prule;
2917 unsigned int s_idx = cb->args[0];
2918
2919 prule = NULL;
2920 list_for_each_entry_rcu(rule, &chain->rules, list) {
2921 if (!nft_is_active(net, rule))
2922 goto cont_skip;
2923 if (*idx < s_idx)
2924 goto cont;
2925 if (*idx > s_idx) {
2926 memset(&cb->args[1], 0,
2927 sizeof(cb->args) - sizeof(cb->args[0]));
2928 }
2929 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2930 cb->nlh->nlmsg_seq,
2931 NFT_MSG_NEWRULE,
2932 NLM_F_MULTI | NLM_F_APPEND,
2933 table->family,
2934 table, chain, rule, prule) < 0)
2935 return 1;
2936
2937 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2938 cont:
2939 prule = rule;
2940 cont_skip:
2941 (*idx)++;
2942 }
2943 return 0;
2944 }
2945
2946 static int nf_tables_dump_rules(struct sk_buff *skb,
2947 struct netlink_callback *cb)
2948 {
2949 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2950 const struct nft_rule_dump_ctx *ctx = cb->data;
2951 struct nft_table *table;
2952 const struct nft_chain *chain;
2953 unsigned int idx = 0;
2954 struct net *net = sock_net(skb->sk);
2955 int family = nfmsg->nfgen_family;
2956
2957 rcu_read_lock();
2958 cb->seq = net->nft.base_seq;
2959
2960 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2961 if (family != NFPROTO_UNSPEC && family != table->family)
2962 continue;
2963
2964 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2965 continue;
2966
2967 if (ctx && ctx->table && ctx->chain) {
2968 struct rhlist_head *list, *tmp;
2969
2970 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2971 nft_chain_ht_params);
2972 if (!list)
2973 goto done;
2974
2975 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2976 if (!nft_is_active(net, chain))
2977 continue;
2978 __nf_tables_dump_rules(skb, &idx,
2979 cb, table, chain);
2980 break;
2981 }
2982 goto done;
2983 }
2984
2985 list_for_each_entry_rcu(chain, &table->chains, list) {
2986 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2987 goto done;
2988 }
2989
2990 if (ctx && ctx->table)
2991 break;
2992 }
2993 done:
2994 rcu_read_unlock();
2995
2996 cb->args[0] = idx;
2997 return skb->len;
2998 }
2999
3000 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
3001 {
3002 const struct nlattr * const *nla = cb->data;
3003 struct nft_rule_dump_ctx *ctx = NULL;
3004
3005 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
3006 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
3007 if (!ctx)
3008 return -ENOMEM;
3009
3010 if (nla[NFTA_RULE_TABLE]) {
3011 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
3012 GFP_ATOMIC);
3013 if (!ctx->table) {
3014 kfree(ctx);
3015 return -ENOMEM;
3016 }
3017 }
3018 if (nla[NFTA_RULE_CHAIN]) {
3019 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
3020 GFP_ATOMIC);
3021 if (!ctx->chain) {
3022 kfree(ctx->table);
3023 kfree(ctx);
3024 return -ENOMEM;
3025 }
3026 }
3027 }
3028
3029 cb->data = ctx;
3030 return 0;
3031 }
3032
3033 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3034 {
3035 struct nft_rule_dump_ctx *ctx = cb->data;
3036
3037 if (ctx) {
3038 kfree(ctx->table);
3039 kfree(ctx->chain);
3040 kfree(ctx);
3041 }
3042 return 0;
3043 }
3044
3045 /* called with rcu_read_lock held */
3046 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
3047 struct sk_buff *skb, const struct nlmsghdr *nlh,
3048 const struct nlattr * const nla[],
3049 struct netlink_ext_ack *extack)
3050 {
3051 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3052 u8 genmask = nft_genmask_cur(net);
3053 const struct nft_chain *chain;
3054 const struct nft_rule *rule;
3055 struct nft_table *table;
3056 struct sk_buff *skb2;
3057 int family = nfmsg->nfgen_family;
3058 int err;
3059
3060 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3061 struct netlink_dump_control c = {
3062 .start= nf_tables_dump_rules_start,
3063 .dump = nf_tables_dump_rules,
3064 .done = nf_tables_dump_rules_done,
3065 .module = THIS_MODULE,
3066 .data = (void *)nla,
3067 };
3068
3069 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3070 }
3071
3072 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0);
3073 if (IS_ERR(table)) {
3074 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3075 return PTR_ERR(table);
3076 }
3077
3078 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3079 if (IS_ERR(chain)) {
3080 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3081 return PTR_ERR(chain);
3082 }
3083
3084 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3085 if (IS_ERR(rule)) {
3086 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3087 return PTR_ERR(rule);
3088 }
3089
3090 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3091 if (!skb2)
3092 return -ENOMEM;
3093
3094 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
3095 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3096 family, table, chain, rule, NULL);
3097 if (err < 0)
3098 goto err_fill_rule_info;
3099
3100 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
3101
3102 err_fill_rule_info:
3103 kfree_skb(skb2);
3104 return err;
3105 }
3106
3107 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
3108 struct nft_rule *rule)
3109 {
3110 struct nft_expr *expr, *next;
3111
3112 /*
3113 * Careful: some expressions might not be initialized in case this
3114 * is called on error from nf_tables_newrule().
3115 */
3116 expr = nft_expr_first(rule);
3117 while (nft_expr_more(rule, expr)) {
3118 next = nft_expr_next(expr);
3119 nf_tables_expr_destroy(ctx, expr);
3120 expr = next;
3121 }
3122 kfree(rule);
3123 }
3124
3125 void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3126 {
3127 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
3128 nf_tables_rule_destroy(ctx, rule);
3129 }
3130
3131 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
3132 {
3133 struct nft_expr *expr, *last;
3134 const struct nft_data *data;
3135 struct nft_rule *rule;
3136 int err;
3137
3138 if (ctx->level == NFT_JUMP_STACK_SIZE)
3139 return -EMLINK;
3140
3141 list_for_each_entry(rule, &chain->rules, list) {
3142 if (!nft_is_active_next(ctx->net, rule))
3143 continue;
3144
3145 nft_rule_for_each_expr(expr, last, rule) {
3146 if (!expr->ops->validate)
3147 continue;
3148
3149 err = expr->ops->validate(ctx, expr, &data);
3150 if (err < 0)
3151 return err;
3152 }
3153 }
3154
3155 return 0;
3156 }
3157 EXPORT_SYMBOL_GPL(nft_chain_validate);
3158
3159 static int nft_table_validate(struct net *net, const struct nft_table *table)
3160 {
3161 struct nft_chain *chain;
3162 struct nft_ctx ctx = {
3163 .net = net,
3164 .family = table->family,
3165 };
3166 int err;
3167
3168 list_for_each_entry(chain, &table->chains, list) {
3169 if (!nft_is_base_chain(chain))
3170 continue;
3171
3172 ctx.chain = chain;
3173 err = nft_chain_validate(&ctx, chain);
3174 if (err < 0)
3175 return err;
3176 }
3177
3178 return 0;
3179 }
3180
3181 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3182 const struct nlattr *nla);
3183
3184 #define NFT_RULE_MAXEXPRS 128
3185
3186 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
3187 struct sk_buff *skb, const struct nlmsghdr *nlh,
3188 const struct nlattr * const nla[],
3189 struct netlink_ext_ack *extack)
3190 {
3191 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3192 u8 genmask = nft_genmask_next(net);
3193 struct nft_expr_info *info = NULL;
3194 int family = nfmsg->nfgen_family;
3195 struct nft_flow_rule *flow;
3196 struct nft_table *table;
3197 struct nft_chain *chain;
3198 struct nft_rule *rule, *old_rule = NULL;
3199 struct nft_userdata *udata;
3200 struct nft_trans *trans = NULL;
3201 struct nft_expr *expr;
3202 struct nft_ctx ctx;
3203 struct nlattr *tmp;
3204 unsigned int size, i, n, ulen = 0, usize = 0;
3205 int err, rem;
3206 u64 handle, pos_handle;
3207
3208 lockdep_assert_held(&net->nft.commit_mutex);
3209
3210 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3211 NETLINK_CB(skb).portid);
3212 if (IS_ERR(table)) {
3213 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3214 return PTR_ERR(table);
3215 }
3216
3217 if (nla[NFTA_RULE_CHAIN]) {
3218 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3219 genmask);
3220 if (IS_ERR(chain)) {
3221 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3222 return PTR_ERR(chain);
3223 }
3224 if (nft_chain_is_bound(chain))
3225 return -EOPNOTSUPP;
3226
3227 } else if (nla[NFTA_RULE_CHAIN_ID]) {
3228 chain = nft_chain_lookup_byid(net, nla[NFTA_RULE_CHAIN_ID]);
3229 if (IS_ERR(chain)) {
3230 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
3231 return PTR_ERR(chain);
3232 }
3233 } else {
3234 return -EINVAL;
3235 }
3236
3237 if (nla[NFTA_RULE_HANDLE]) {
3238 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3239 rule = __nft_rule_lookup(chain, handle);
3240 if (IS_ERR(rule)) {
3241 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3242 return PTR_ERR(rule);
3243 }
3244
3245 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3246 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3247 return -EEXIST;
3248 }
3249 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3250 old_rule = rule;
3251 else
3252 return -EOPNOTSUPP;
3253 } else {
3254 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
3255 nlh->nlmsg_flags & NLM_F_REPLACE)
3256 return -EINVAL;
3257 handle = nf_tables_alloc_handle(table);
3258
3259 if (chain->use == UINT_MAX)
3260 return -EOVERFLOW;
3261
3262 if (nla[NFTA_RULE_POSITION]) {
3263 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3264 old_rule = __nft_rule_lookup(chain, pos_handle);
3265 if (IS_ERR(old_rule)) {
3266 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3267 return PTR_ERR(old_rule);
3268 }
3269 } else if (nla[NFTA_RULE_POSITION_ID]) {
3270 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
3271 if (IS_ERR(old_rule)) {
3272 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3273 return PTR_ERR(old_rule);
3274 }
3275 }
3276 }
3277
3278 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3279
3280 n = 0;
3281 size = 0;
3282 if (nla[NFTA_RULE_EXPRESSIONS]) {
3283 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3284 sizeof(struct nft_expr_info),
3285 GFP_KERNEL);
3286 if (!info)
3287 return -ENOMEM;
3288
3289 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3290 err = -EINVAL;
3291 if (nla_type(tmp) != NFTA_LIST_ELEM)
3292 goto err1;
3293 if (n == NFT_RULE_MAXEXPRS)
3294 goto err1;
3295 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
3296 if (err < 0)
3297 goto err1;
3298 size += info[n].ops->size;
3299 n++;
3300 }
3301 }
3302 /* Check for overflow of dlen field */
3303 err = -EFBIG;
3304 if (size >= 1 << 12)
3305 goto err1;
3306
3307 if (nla[NFTA_RULE_USERDATA]) {
3308 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3309 if (ulen > 0)
3310 usize = sizeof(struct nft_userdata) + ulen;
3311 }
3312
3313 err = -ENOMEM;
3314 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
3315 if (rule == NULL)
3316 goto err1;
3317
3318 nft_activate_next(net, rule);
3319
3320 rule->handle = handle;
3321 rule->dlen = size;
3322 rule->udata = ulen ? 1 : 0;
3323
3324 if (ulen) {
3325 udata = nft_userdata(rule);
3326 udata->len = ulen - 1;
3327 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
3328 }
3329
3330 expr = nft_expr_first(rule);
3331 for (i = 0; i < n; i++) {
3332 err = nf_tables_newexpr(&ctx, &info[i], expr);
3333 if (err < 0) {
3334 NL_SET_BAD_ATTR(extack, info[i].attr);
3335 goto err2;
3336 }
3337
3338 if (info[i].ops->validate)
3339 nft_validate_state_update(net, NFT_VALIDATE_NEED);
3340
3341 info[i].ops = NULL;
3342 expr = nft_expr_next(expr);
3343 }
3344
3345 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
3346 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3347 if (trans == NULL) {
3348 err = -ENOMEM;
3349 goto err2;
3350 }
3351 err = nft_delrule(&ctx, old_rule);
3352 if (err < 0) {
3353 nft_trans_destroy(trans);
3354 goto err2;
3355 }
3356
3357 list_add_tail_rcu(&rule->list, &old_rule->list);
3358 } else {
3359 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3360 if (!trans) {
3361 err = -ENOMEM;
3362 goto err2;
3363 }
3364
3365 if (nlh->nlmsg_flags & NLM_F_APPEND) {
3366 if (old_rule)
3367 list_add_rcu(&rule->list, &old_rule->list);
3368 else
3369 list_add_tail_rcu(&rule->list, &chain->rules);
3370 } else {
3371 if (old_rule)
3372 list_add_tail_rcu(&rule->list, &old_rule->list);
3373 else
3374 list_add_rcu(&rule->list, &chain->rules);
3375 }
3376 }
3377 kvfree(info);
3378 chain->use++;
3379
3380 if (net->nft.validate_state == NFT_VALIDATE_DO)
3381 return nft_table_validate(net, table);
3382
3383 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
3384 flow = nft_flow_rule_create(net, rule);
3385 if (IS_ERR(flow))
3386 return PTR_ERR(flow);
3387
3388 nft_trans_flow_rule(trans) = flow;
3389 }
3390
3391 return 0;
3392 err2:
3393 nf_tables_rule_release(&ctx, rule);
3394 err1:
3395 for (i = 0; i < n; i++) {
3396 if (info[i].ops) {
3397 module_put(info[i].ops->type->owner);
3398 if (info[i].ops->type->release_ops)
3399 info[i].ops->type->release_ops(info[i].ops);
3400 }
3401 }
3402 kvfree(info);
3403 return err;
3404 }
3405
3406 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3407 const struct nlattr *nla)
3408 {
3409 u32 id = ntohl(nla_get_be32(nla));
3410 struct nft_trans *trans;
3411
3412 list_for_each_entry(trans, &net->nft.commit_list, list) {
3413 struct nft_rule *rule = nft_trans_rule(trans);
3414
3415 if (trans->msg_type == NFT_MSG_NEWRULE &&
3416 id == nft_trans_rule_id(trans))
3417 return rule;
3418 }
3419 return ERR_PTR(-ENOENT);
3420 }
3421
3422 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
3423 struct sk_buff *skb, const struct nlmsghdr *nlh,
3424 const struct nlattr * const nla[],
3425 struct netlink_ext_ack *extack)
3426 {
3427 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3428 u8 genmask = nft_genmask_next(net);
3429 struct nft_table *table;
3430 struct nft_chain *chain = NULL;
3431 struct nft_rule *rule;
3432 int family = nfmsg->nfgen_family, err = 0;
3433 struct nft_ctx ctx;
3434
3435 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3436 NETLINK_CB(skb).portid);
3437 if (IS_ERR(table)) {
3438 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3439 return PTR_ERR(table);
3440 }
3441
3442 if (nla[NFTA_RULE_CHAIN]) {
3443 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3444 genmask);
3445 if (IS_ERR(chain)) {
3446 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3447 return PTR_ERR(chain);
3448 }
3449 if (nft_chain_is_bound(chain))
3450 return -EOPNOTSUPP;
3451 }
3452
3453 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3454
3455 if (chain) {
3456 if (nla[NFTA_RULE_HANDLE]) {
3457 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3458 if (IS_ERR(rule)) {
3459 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3460 return PTR_ERR(rule);
3461 }
3462
3463 err = nft_delrule(&ctx, rule);
3464 } else if (nla[NFTA_RULE_ID]) {
3465 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
3466 if (IS_ERR(rule)) {
3467 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
3468 return PTR_ERR(rule);
3469 }
3470
3471 err = nft_delrule(&ctx, rule);
3472 } else {
3473 err = nft_delrule_by_chain(&ctx);
3474 }
3475 } else {
3476 list_for_each_entry(chain, &table->chains, list) {
3477 if (!nft_is_active_next(net, chain))
3478 continue;
3479
3480 ctx.chain = chain;
3481 err = nft_delrule_by_chain(&ctx);
3482 if (err < 0)
3483 break;
3484 }
3485 }
3486
3487 return err;
3488 }
3489
3490 /*
3491 * Sets
3492 */
3493 static const struct nft_set_type *nft_set_types[] = {
3494 &nft_set_hash_fast_type,
3495 &nft_set_hash_type,
3496 &nft_set_rhash_type,
3497 &nft_set_bitmap_type,
3498 &nft_set_rbtree_type,
3499 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
3500 &nft_set_pipapo_avx2_type,
3501 #endif
3502 &nft_set_pipapo_type,
3503 };
3504
3505 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3506 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3507 NFT_SET_EVAL)
3508
3509 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
3510 {
3511 return (flags & type->features) == (flags & NFT_SET_FEATURES);
3512 }
3513
3514 /*
3515 * Select a set implementation based on the data characteristics and the
3516 * given policy. The total memory use might not be known if no size is
3517 * given, in that case the amount of memory per element is used.
3518 */
3519 static const struct nft_set_ops *
3520 nft_select_set_ops(const struct nft_ctx *ctx,
3521 const struct nlattr * const nla[],
3522 const struct nft_set_desc *desc,
3523 enum nft_set_policies policy)
3524 {
3525 const struct nft_set_ops *ops, *bops;
3526 struct nft_set_estimate est, best;
3527 const struct nft_set_type *type;
3528 u32 flags = 0;
3529 int i;
3530
3531 lockdep_assert_held(&ctx->net->nft.commit_mutex);
3532 lockdep_nfnl_nft_mutex_not_held();
3533
3534 if (nla[NFTA_SET_FLAGS] != NULL)
3535 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3536
3537 bops = NULL;
3538 best.size = ~0;
3539 best.lookup = ~0;
3540 best.space = ~0;
3541
3542 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
3543 type = nft_set_types[i];
3544 ops = &type->ops;
3545
3546 if (!nft_set_ops_candidate(type, flags))
3547 continue;
3548 if (!ops->estimate(desc, flags, &est))
3549 continue;
3550
3551 switch (policy) {
3552 case NFT_SET_POL_PERFORMANCE:
3553 if (est.lookup < best.lookup)
3554 break;
3555 if (est.lookup == best.lookup &&
3556 est.space < best.space)
3557 break;
3558 continue;
3559 case NFT_SET_POL_MEMORY:
3560 if (!desc->size) {
3561 if (est.space < best.space)
3562 break;
3563 if (est.space == best.space &&
3564 est.lookup < best.lookup)
3565 break;
3566 } else if (est.size < best.size || !bops) {
3567 break;
3568 }
3569 continue;
3570 default:
3571 break;
3572 }
3573
3574 bops = ops;
3575 best = est;
3576 }
3577
3578 if (bops != NULL)
3579 return bops;
3580
3581 return ERR_PTR(-EOPNOTSUPP);
3582 }
3583
3584 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3585 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3586 .len = NFT_TABLE_MAXNAMELEN - 1 },
3587 [NFTA_SET_NAME] = { .type = NLA_STRING,
3588 .len = NFT_SET_MAXNAMELEN - 1 },
3589 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3590 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3591 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3592 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3593 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3594 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3595 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3596 [NFTA_SET_ID] = { .type = NLA_U32 },
3597 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3598 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3599 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3600 .len = NFT_USERDATA_MAXLEN },
3601 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3602 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3603 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
3604 [NFTA_SET_EXPRESSIONS] = { .type = NLA_NESTED },
3605 };
3606
3607 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3608 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3609 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED },
3610 };
3611
3612 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3613 const struct sk_buff *skb,
3614 const struct nlmsghdr *nlh,
3615 const struct nlattr * const nla[],
3616 struct netlink_ext_ack *extack,
3617 u8 genmask, u32 nlpid)
3618 {
3619 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3620 int family = nfmsg->nfgen_family;
3621 struct nft_table *table = NULL;
3622
3623 if (nla[NFTA_SET_TABLE] != NULL) {
3624 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3625 genmask, nlpid);
3626 if (IS_ERR(table)) {
3627 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3628 return PTR_ERR(table);
3629 }
3630 }
3631
3632 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3633 return 0;
3634 }
3635
3636 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3637 const struct nlattr *nla, u8 genmask)
3638 {
3639 struct nft_set *set;
3640
3641 if (nla == NULL)
3642 return ERR_PTR(-EINVAL);
3643
3644 list_for_each_entry_rcu(set, &table->sets, list) {
3645 if (!nla_strcmp(nla, set->name) &&
3646 nft_active_genmask(set, genmask))
3647 return set;
3648 }
3649 return ERR_PTR(-ENOENT);
3650 }
3651
3652 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3653 const struct nlattr *nla,
3654 u8 genmask)
3655 {
3656 struct nft_set *set;
3657
3658 list_for_each_entry(set, &table->sets, list) {
3659 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3660 nft_active_genmask(set, genmask))
3661 return set;
3662 }
3663 return ERR_PTR(-ENOENT);
3664 }
3665
3666 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3667 const struct nlattr *nla, u8 genmask)
3668 {
3669 struct nft_trans *trans;
3670 u32 id = ntohl(nla_get_be32(nla));
3671
3672 list_for_each_entry(trans, &net->nft.commit_list, list) {
3673 if (trans->msg_type == NFT_MSG_NEWSET) {
3674 struct nft_set *set = nft_trans_set(trans);
3675
3676 if (id == nft_trans_set_id(trans) &&
3677 nft_active_genmask(set, genmask))
3678 return set;
3679 }
3680 }
3681 return ERR_PTR(-ENOENT);
3682 }
3683
3684 struct nft_set *nft_set_lookup_global(const struct net *net,
3685 const struct nft_table *table,
3686 const struct nlattr *nla_set_name,
3687 const struct nlattr *nla_set_id,
3688 u8 genmask)
3689 {
3690 struct nft_set *set;
3691
3692 set = nft_set_lookup(table, nla_set_name, genmask);
3693 if (IS_ERR(set)) {
3694 if (!nla_set_id)
3695 return set;
3696
3697 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3698 }
3699 return set;
3700 }
3701 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3702
3703 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3704 const char *name)
3705 {
3706 const struct nft_set *i;
3707 const char *p;
3708 unsigned long *inuse;
3709 unsigned int n = 0, min = 0;
3710
3711 p = strchr(name, '%');
3712 if (p != NULL) {
3713 if (p[1] != 'd' || strchr(p + 2, '%'))
3714 return -EINVAL;
3715
3716 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3717 if (inuse == NULL)
3718 return -ENOMEM;
3719 cont:
3720 list_for_each_entry(i, &ctx->table->sets, list) {
3721 int tmp;
3722
3723 if (!nft_is_active_next(ctx->net, set))
3724 continue;
3725 if (!sscanf(i->name, name, &tmp))
3726 continue;
3727 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3728 continue;
3729
3730 set_bit(tmp - min, inuse);
3731 }
3732
3733 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3734 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3735 min += BITS_PER_BYTE * PAGE_SIZE;
3736 memset(inuse, 0, PAGE_SIZE);
3737 goto cont;
3738 }
3739 free_page((unsigned long)inuse);
3740 }
3741
3742 set->name = kasprintf(GFP_KERNEL, name, min + n);
3743 if (!set->name)
3744 return -ENOMEM;
3745
3746 list_for_each_entry(i, &ctx->table->sets, list) {
3747 if (!nft_is_active_next(ctx->net, i))
3748 continue;
3749 if (!strcmp(set->name, i->name)) {
3750 kfree(set->name);
3751 set->name = NULL;
3752 return -ENFILE;
3753 }
3754 }
3755 return 0;
3756 }
3757
3758 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3759 {
3760 u64 ms = be64_to_cpu(nla_get_be64(nla));
3761 u64 max = (u64)(~((u64)0));
3762
3763 max = div_u64(max, NSEC_PER_MSEC);
3764 if (ms >= max)
3765 return -ERANGE;
3766
3767 ms *= NSEC_PER_MSEC;
3768 *result = nsecs_to_jiffies64(ms);
3769 return 0;
3770 }
3771
3772 __be64 nf_jiffies64_to_msecs(u64 input)
3773 {
3774 return cpu_to_be64(jiffies64_to_msecs(input));
3775 }
3776
3777 static int nf_tables_fill_set_concat(struct sk_buff *skb,
3778 const struct nft_set *set)
3779 {
3780 struct nlattr *concat, *field;
3781 int i;
3782
3783 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
3784 if (!concat)
3785 return -ENOMEM;
3786
3787 for (i = 0; i < set->field_count; i++) {
3788 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
3789 if (!field)
3790 return -ENOMEM;
3791
3792 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
3793 htonl(set->field_len[i])))
3794 return -ENOMEM;
3795
3796 nla_nest_end(skb, field);
3797 }
3798
3799 nla_nest_end(skb, concat);
3800
3801 return 0;
3802 }
3803
3804 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3805 const struct nft_set *set, u16 event, u16 flags)
3806 {
3807 struct nfgenmsg *nfmsg;
3808 struct nlmsghdr *nlh;
3809 u32 portid = ctx->portid;
3810 struct nlattr *nest;
3811 u32 seq = ctx->seq;
3812 int i;
3813
3814 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3815 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3816 flags);
3817 if (nlh == NULL)
3818 goto nla_put_failure;
3819
3820 nfmsg = nlmsg_data(nlh);
3821 nfmsg->nfgen_family = ctx->family;
3822 nfmsg->version = NFNETLINK_V0;
3823 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3824
3825 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3826 goto nla_put_failure;
3827 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3828 goto nla_put_failure;
3829 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3830 NFTA_SET_PAD))
3831 goto nla_put_failure;
3832 if (set->flags != 0)
3833 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3834 goto nla_put_failure;
3835
3836 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3837 goto nla_put_failure;
3838 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3839 goto nla_put_failure;
3840 if (set->flags & NFT_SET_MAP) {
3841 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3842 goto nla_put_failure;
3843 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3844 goto nla_put_failure;
3845 }
3846 if (set->flags & NFT_SET_OBJECT &&
3847 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3848 goto nla_put_failure;
3849
3850 if (set->timeout &&
3851 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3852 nf_jiffies64_to_msecs(set->timeout),
3853 NFTA_SET_PAD))
3854 goto nla_put_failure;
3855 if (set->gc_int &&
3856 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3857 goto nla_put_failure;
3858
3859 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3860 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3861 goto nla_put_failure;
3862 }
3863
3864 if (set->udata &&
3865 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3866 goto nla_put_failure;
3867
3868 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
3869 if (!nest)
3870 goto nla_put_failure;
3871 if (set->size &&
3872 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3873 goto nla_put_failure;
3874
3875 if (set->field_count > 1 &&
3876 nf_tables_fill_set_concat(skb, set))
3877 goto nla_put_failure;
3878
3879 nla_nest_end(skb, nest);
3880
3881 if (set->num_exprs == 1) {
3882 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
3883 if (nf_tables_fill_expr_info(skb, set->exprs[0]) < 0)
3884 goto nla_put_failure;
3885
3886 nla_nest_end(skb, nest);
3887 } else if (set->num_exprs > 1) {
3888 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS);
3889 if (nest == NULL)
3890 goto nla_put_failure;
3891
3892 for (i = 0; i < set->num_exprs; i++) {
3893 if (nft_expr_dump(skb, NFTA_LIST_ELEM,
3894 set->exprs[i]) < 0)
3895 goto nla_put_failure;
3896 }
3897 nla_nest_end(skb, nest);
3898 }
3899
3900 nlmsg_end(skb, nlh);
3901 return 0;
3902
3903 nla_put_failure:
3904 nlmsg_trim(skb, nlh);
3905 return -1;
3906 }
3907
3908 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3909 const struct nft_set *set, int event,
3910 gfp_t gfp_flags)
3911 {
3912 struct sk_buff *skb;
3913 u32 portid = ctx->portid;
3914 int err;
3915
3916 if (!ctx->report &&
3917 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3918 return;
3919
3920 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3921 if (skb == NULL)
3922 goto err;
3923
3924 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3925 if (err < 0) {
3926 kfree_skb(skb);
3927 goto err;
3928 }
3929
3930 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
3931 return;
3932 err:
3933 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3934 }
3935
3936 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3937 {
3938 const struct nft_set *set;
3939 unsigned int idx, s_idx = cb->args[0];
3940 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3941 struct net *net = sock_net(skb->sk);
3942 struct nft_ctx *ctx = cb->data, ctx_set;
3943
3944 if (cb->args[1])
3945 return skb->len;
3946
3947 rcu_read_lock();
3948 cb->seq = net->nft.base_seq;
3949
3950 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3951 if (ctx->family != NFPROTO_UNSPEC &&
3952 ctx->family != table->family)
3953 continue;
3954
3955 if (ctx->table && ctx->table != table)
3956 continue;
3957
3958 if (cur_table) {
3959 if (cur_table != table)
3960 continue;
3961
3962 cur_table = NULL;
3963 }
3964 idx = 0;
3965 list_for_each_entry_rcu(set, &table->sets, list) {
3966 if (idx < s_idx)
3967 goto cont;
3968 if (!nft_is_active(net, set))
3969 goto cont;
3970
3971 ctx_set = *ctx;
3972 ctx_set.table = table;
3973 ctx_set.family = table->family;
3974
3975 if (nf_tables_fill_set(skb, &ctx_set, set,
3976 NFT_MSG_NEWSET,
3977 NLM_F_MULTI) < 0) {
3978 cb->args[0] = idx;
3979 cb->args[2] = (unsigned long) table;
3980 goto done;
3981 }
3982 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3983 cont:
3984 idx++;
3985 }
3986 if (s_idx)
3987 s_idx = 0;
3988 }
3989 cb->args[1] = 1;
3990 done:
3991 rcu_read_unlock();
3992 return skb->len;
3993 }
3994
3995 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3996 {
3997 struct nft_ctx *ctx_dump = NULL;
3998
3999 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
4000 if (ctx_dump == NULL)
4001 return -ENOMEM;
4002
4003 cb->data = ctx_dump;
4004 return 0;
4005 }
4006
4007 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
4008 {
4009 kfree(cb->data);
4010 return 0;
4011 }
4012
4013 /* called with rcu_read_lock held */
4014 static int nf_tables_getset(struct net *net, struct sock *nlsk,
4015 struct sk_buff *skb, const struct nlmsghdr *nlh,
4016 const struct nlattr * const nla[],
4017 struct netlink_ext_ack *extack)
4018 {
4019 u8 genmask = nft_genmask_cur(net);
4020 const struct nft_set *set;
4021 struct nft_ctx ctx;
4022 struct sk_buff *skb2;
4023 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4024 int err;
4025
4026 /* Verify existence before starting dump */
4027 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
4028 genmask, 0);
4029 if (err < 0)
4030 return err;
4031
4032 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4033 struct netlink_dump_control c = {
4034 .start = nf_tables_dump_sets_start,
4035 .dump = nf_tables_dump_sets,
4036 .done = nf_tables_dump_sets_done,
4037 .data = &ctx,
4038 .module = THIS_MODULE,
4039 };
4040
4041 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4042 }
4043
4044 /* Only accept unspec with dump */
4045 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4046 return -EAFNOSUPPORT;
4047 if (!nla[NFTA_SET_TABLE])
4048 return -EINVAL;
4049
4050 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
4051 if (IS_ERR(set))
4052 return PTR_ERR(set);
4053
4054 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
4055 if (skb2 == NULL)
4056 return -ENOMEM;
4057
4058 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
4059 if (err < 0)
4060 goto err_fill_set_info;
4061
4062 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4063
4064 err_fill_set_info:
4065 kfree_skb(skb2);
4066 return err;
4067 }
4068
4069 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4070 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
4071 };
4072
4073 static int nft_set_desc_concat_parse(const struct nlattr *attr,
4074 struct nft_set_desc *desc)
4075 {
4076 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
4077 u32 len;
4078 int err;
4079
4080 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
4081 nft_concat_policy, NULL);
4082 if (err < 0)
4083 return err;
4084
4085 if (!tb[NFTA_SET_FIELD_LEN])
4086 return -EINVAL;
4087
4088 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
4089
4090 if (len * BITS_PER_BYTE / 32 > NFT_REG32_COUNT)
4091 return -E2BIG;
4092
4093 desc->field_len[desc->field_count++] = len;
4094
4095 return 0;
4096 }
4097
4098 static int nft_set_desc_concat(struct nft_set_desc *desc,
4099 const struct nlattr *nla)
4100 {
4101 struct nlattr *attr;
4102 int rem, err;
4103
4104 nla_for_each_nested(attr, nla, rem) {
4105 if (nla_type(attr) != NFTA_LIST_ELEM)
4106 return -EINVAL;
4107
4108 err = nft_set_desc_concat_parse(attr, desc);
4109 if (err < 0)
4110 return err;
4111 }
4112
4113 return 0;
4114 }
4115
4116 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
4117 const struct nlattr *nla)
4118 {
4119 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
4120 int err;
4121
4122 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
4123 nft_set_desc_policy, NULL);
4124 if (err < 0)
4125 return err;
4126
4127 if (da[NFTA_SET_DESC_SIZE] != NULL)
4128 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
4129 if (da[NFTA_SET_DESC_CONCAT])
4130 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
4131
4132 return err;
4133 }
4134
4135 static int nf_tables_newset(struct net *net, struct sock *nlsk,
4136 struct sk_buff *skb, const struct nlmsghdr *nlh,
4137 const struct nlattr * const nla[],
4138 struct netlink_ext_ack *extack)
4139 {
4140 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4141 u8 genmask = nft_genmask_next(net);
4142 int family = nfmsg->nfgen_family;
4143 const struct nft_set_ops *ops;
4144 struct nft_expr *expr = NULL;
4145 struct nft_table *table;
4146 struct nft_set *set;
4147 struct nft_ctx ctx;
4148 char *name;
4149 u64 size;
4150 u64 timeout;
4151 u32 ktype, dtype, flags, policy, gc_int, objtype;
4152 struct nft_set_desc desc;
4153 unsigned char *udata;
4154 u16 udlen;
4155 int err;
4156 int i;
4157
4158 if (nla[NFTA_SET_TABLE] == NULL ||
4159 nla[NFTA_SET_NAME] == NULL ||
4160 nla[NFTA_SET_KEY_LEN] == NULL ||
4161 nla[NFTA_SET_ID] == NULL)
4162 return -EINVAL;
4163
4164 memset(&desc, 0, sizeof(desc));
4165
4166 ktype = NFT_DATA_VALUE;
4167 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
4168 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
4169 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
4170 return -EINVAL;
4171 }
4172
4173 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
4174 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
4175 return -EINVAL;
4176
4177 flags = 0;
4178 if (nla[NFTA_SET_FLAGS] != NULL) {
4179 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
4180 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
4181 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
4182 NFT_SET_MAP | NFT_SET_EVAL |
4183 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR))
4184 return -EOPNOTSUPP;
4185 /* Only one of these operations is supported */
4186 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
4187 (NFT_SET_MAP | NFT_SET_OBJECT))
4188 return -EOPNOTSUPP;
4189 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
4190 (NFT_SET_EVAL | NFT_SET_OBJECT))
4191 return -EOPNOTSUPP;
4192 }
4193
4194 dtype = 0;
4195 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
4196 if (!(flags & NFT_SET_MAP))
4197 return -EINVAL;
4198
4199 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
4200 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
4201 dtype != NFT_DATA_VERDICT)
4202 return -EINVAL;
4203
4204 if (dtype != NFT_DATA_VERDICT) {
4205 if (nla[NFTA_SET_DATA_LEN] == NULL)
4206 return -EINVAL;
4207 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
4208 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
4209 return -EINVAL;
4210 } else
4211 desc.dlen = sizeof(struct nft_verdict);
4212 } else if (flags & NFT_SET_MAP)
4213 return -EINVAL;
4214
4215 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
4216 if (!(flags & NFT_SET_OBJECT))
4217 return -EINVAL;
4218
4219 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
4220 if (objtype == NFT_OBJECT_UNSPEC ||
4221 objtype > NFT_OBJECT_MAX)
4222 return -EOPNOTSUPP;
4223 } else if (flags & NFT_SET_OBJECT)
4224 return -EINVAL;
4225 else
4226 objtype = NFT_OBJECT_UNSPEC;
4227
4228 timeout = 0;
4229 if (nla[NFTA_SET_TIMEOUT] != NULL) {
4230 if (!(flags & NFT_SET_TIMEOUT))
4231 return -EINVAL;
4232
4233 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
4234 if (err)
4235 return err;
4236 }
4237 gc_int = 0;
4238 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
4239 if (!(flags & NFT_SET_TIMEOUT))
4240 return -EINVAL;
4241 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
4242 }
4243
4244 policy = NFT_SET_POL_PERFORMANCE;
4245 if (nla[NFTA_SET_POLICY] != NULL)
4246 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
4247
4248 if (nla[NFTA_SET_DESC] != NULL) {
4249 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
4250 if (err < 0)
4251 return err;
4252 }
4253
4254 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
4255 desc.expr = true;
4256
4257 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask,
4258 NETLINK_CB(skb).portid);
4259 if (IS_ERR(table)) {
4260 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4261 return PTR_ERR(table);
4262 }
4263
4264 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4265
4266 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4267 if (IS_ERR(set)) {
4268 if (PTR_ERR(set) != -ENOENT) {
4269 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4270 return PTR_ERR(set);
4271 }
4272 } else {
4273 if (nlh->nlmsg_flags & NLM_F_EXCL) {
4274 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4275 return -EEXIST;
4276 }
4277 if (nlh->nlmsg_flags & NLM_F_REPLACE)
4278 return -EOPNOTSUPP;
4279
4280 return 0;
4281 }
4282
4283 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
4284 return -ENOENT;
4285
4286 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
4287 if (IS_ERR(ops))
4288 return PTR_ERR(ops);
4289
4290 udlen = 0;
4291 if (nla[NFTA_SET_USERDATA])
4292 udlen = nla_len(nla[NFTA_SET_USERDATA]);
4293
4294 size = 0;
4295 if (ops->privsize != NULL)
4296 size = ops->privsize(nla, &desc);
4297
4298 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
4299 if (!set)
4300 return -ENOMEM;
4301
4302 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
4303 if (!name) {
4304 err = -ENOMEM;
4305 goto err_set_name;
4306 }
4307
4308 err = nf_tables_set_alloc_name(&ctx, set, name);
4309 kfree(name);
4310 if (err < 0)
4311 goto err_set_alloc_name;
4312
4313 if (nla[NFTA_SET_EXPR]) {
4314 expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]);
4315 if (IS_ERR(expr)) {
4316 err = PTR_ERR(expr);
4317 goto err_set_alloc_name;
4318 }
4319 set->exprs[0] = expr;
4320 set->num_exprs++;
4321 } else if (nla[NFTA_SET_EXPRESSIONS]) {
4322 struct nft_expr *expr;
4323 struct nlattr *tmp;
4324 int left;
4325
4326 if (!(flags & NFT_SET_EXPR)) {
4327 err = -EINVAL;
4328 goto err_set_alloc_name;
4329 }
4330 i = 0;
4331 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {
4332 if (i == NFT_SET_EXPR_MAX) {
4333 err = -E2BIG;
4334 goto err_set_init;
4335 }
4336 if (nla_type(tmp) != NFTA_LIST_ELEM) {
4337 err = -EINVAL;
4338 goto err_set_init;
4339 }
4340 expr = nft_set_elem_expr_alloc(&ctx, set, tmp);
4341 if (IS_ERR(expr)) {
4342 err = PTR_ERR(expr);
4343 goto err_set_init;
4344 }
4345 set->exprs[i++] = expr;
4346 set->num_exprs++;
4347 }
4348 }
4349
4350 udata = NULL;
4351 if (udlen) {
4352 udata = set->data + size;
4353 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
4354 }
4355
4356 INIT_LIST_HEAD(&set->bindings);
4357 set->table = table;
4358 write_pnet(&set->net, net);
4359 set->ops = ops;
4360 set->ktype = ktype;
4361 set->klen = desc.klen;
4362 set->dtype = dtype;
4363 set->objtype = objtype;
4364 set->dlen = desc.dlen;
4365 set->flags = flags;
4366 set->size = desc.size;
4367 set->policy = policy;
4368 set->udlen = udlen;
4369 set->udata = udata;
4370 set->timeout = timeout;
4371 set->gc_int = gc_int;
4372 set->handle = nf_tables_alloc_handle(table);
4373
4374 set->field_count = desc.field_count;
4375 for (i = 0; i < desc.field_count; i++)
4376 set->field_len[i] = desc.field_len[i];
4377
4378 err = ops->init(set, &desc, nla);
4379 if (err < 0)
4380 goto err_set_init;
4381
4382 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
4383 if (err < 0)
4384 goto err_set_trans;
4385
4386 list_add_tail_rcu(&set->list, &table->sets);
4387 table->use++;
4388 return 0;
4389
4390 err_set_trans:
4391 ops->destroy(set);
4392 err_set_init:
4393 for (i = 0; i < set->num_exprs; i++)
4394 nft_expr_destroy(&ctx, set->exprs[i]);
4395 err_set_alloc_name:
4396 kfree(set->name);
4397 err_set_name:
4398 kvfree(set);
4399 return err;
4400 }
4401
4402 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
4403 {
4404 int i;
4405
4406 if (WARN_ON(set->use > 0))
4407 return;
4408
4409 for (i = 0; i < set->num_exprs; i++)
4410 nft_expr_destroy(ctx, set->exprs[i]);
4411
4412 set->ops->destroy(set);
4413 kfree(set->name);
4414 kvfree(set);
4415 }
4416
4417 static int nf_tables_delset(struct net *net, struct sock *nlsk,
4418 struct sk_buff *skb, const struct nlmsghdr *nlh,
4419 const struct nlattr * const nla[],
4420 struct netlink_ext_ack *extack)
4421 {
4422 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4423 u8 genmask = nft_genmask_next(net);
4424 const struct nlattr *attr;
4425 struct nft_set *set;
4426 struct nft_ctx ctx;
4427 int err;
4428
4429 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4430 return -EAFNOSUPPORT;
4431 if (nla[NFTA_SET_TABLE] == NULL)
4432 return -EINVAL;
4433
4434 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
4435 genmask, NETLINK_CB(skb).portid);
4436 if (err < 0)
4437 return err;
4438
4439 if (nla[NFTA_SET_HANDLE]) {
4440 attr = nla[NFTA_SET_HANDLE];
4441 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
4442 } else {
4443 attr = nla[NFTA_SET_NAME];
4444 set = nft_set_lookup(ctx.table, attr, genmask);
4445 }
4446
4447 if (IS_ERR(set)) {
4448 NL_SET_BAD_ATTR(extack, attr);
4449 return PTR_ERR(set);
4450 }
4451 if (set->use ||
4452 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
4453 NL_SET_BAD_ATTR(extack, attr);
4454 return -EBUSY;
4455 }
4456
4457 return nft_delset(&ctx, set);
4458 }
4459
4460 static int nft_validate_register_store(const struct nft_ctx *ctx,
4461 enum nft_registers reg,
4462 const struct nft_data *data,
4463 enum nft_data_types type,
4464 unsigned int len);
4465
4466 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
4467 struct nft_set *set,
4468 const struct nft_set_iter *iter,
4469 struct nft_set_elem *elem)
4470 {
4471 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4472 enum nft_registers dreg;
4473
4474 dreg = nft_type_to_reg(set->dtype);
4475 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
4476 set->dtype == NFT_DATA_VERDICT ?
4477 NFT_DATA_VERDICT : NFT_DATA_VALUE,
4478 set->dlen);
4479 }
4480
4481 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
4482 struct nft_set_binding *binding)
4483 {
4484 struct nft_set_binding *i;
4485 struct nft_set_iter iter;
4486
4487 if (set->use == UINT_MAX)
4488 return -EOVERFLOW;
4489
4490 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
4491 return -EBUSY;
4492
4493 if (binding->flags & NFT_SET_MAP) {
4494 /* If the set is already bound to the same chain all
4495 * jumps are already validated for that chain.
4496 */
4497 list_for_each_entry(i, &set->bindings, list) {
4498 if (i->flags & NFT_SET_MAP &&
4499 i->chain == binding->chain)
4500 goto bind;
4501 }
4502
4503 iter.genmask = nft_genmask_next(ctx->net);
4504 iter.skip = 0;
4505 iter.count = 0;
4506 iter.err = 0;
4507 iter.fn = nf_tables_bind_check_setelem;
4508
4509 set->ops->walk(ctx, set, &iter);
4510 if (iter.err < 0)
4511 return iter.err;
4512 }
4513 bind:
4514 binding->chain = ctx->chain;
4515 list_add_tail_rcu(&binding->list, &set->bindings);
4516 nft_set_trans_bind(ctx, set);
4517 set->use++;
4518
4519 return 0;
4520 }
4521 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
4522
4523 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
4524 struct nft_set_binding *binding, bool event)
4525 {
4526 list_del_rcu(&binding->list);
4527
4528 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
4529 list_del_rcu(&set->list);
4530 if (event)
4531 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
4532 GFP_KERNEL);
4533 }
4534 }
4535
4536 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
4537 struct nft_set_binding *binding,
4538 enum nft_trans_phase phase)
4539 {
4540 switch (phase) {
4541 case NFT_TRANS_PREPARE:
4542 set->use--;
4543 return;
4544 case NFT_TRANS_ABORT:
4545 case NFT_TRANS_RELEASE:
4546 set->use--;
4547 fallthrough;
4548 default:
4549 nf_tables_unbind_set(ctx, set, binding,
4550 phase == NFT_TRANS_COMMIT);
4551 }
4552 }
4553 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
4554
4555 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
4556 {
4557 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
4558 nft_set_destroy(ctx, set);
4559 }
4560 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
4561
4562 const struct nft_set_ext_type nft_set_ext_types[] = {
4563 [NFT_SET_EXT_KEY] = {
4564 .align = __alignof__(u32),
4565 },
4566 [NFT_SET_EXT_DATA] = {
4567 .align = __alignof__(u32),
4568 },
4569 [NFT_SET_EXT_EXPRESSIONS] = {
4570 .align = __alignof__(struct nft_set_elem_expr),
4571 },
4572 [NFT_SET_EXT_OBJREF] = {
4573 .len = sizeof(struct nft_object *),
4574 .align = __alignof__(struct nft_object *),
4575 },
4576 [NFT_SET_EXT_FLAGS] = {
4577 .len = sizeof(u8),
4578 .align = __alignof__(u8),
4579 },
4580 [NFT_SET_EXT_TIMEOUT] = {
4581 .len = sizeof(u64),
4582 .align = __alignof__(u64),
4583 },
4584 [NFT_SET_EXT_EXPIRATION] = {
4585 .len = sizeof(u64),
4586 .align = __alignof__(u64),
4587 },
4588 [NFT_SET_EXT_USERDATA] = {
4589 .len = sizeof(struct nft_userdata),
4590 .align = __alignof__(struct nft_userdata),
4591 },
4592 [NFT_SET_EXT_KEY_END] = {
4593 .align = __alignof__(u32),
4594 },
4595 };
4596
4597 /*
4598 * Set elements
4599 */
4600
4601 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
4602 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
4603 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
4604 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
4605 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
4606 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
4607 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
4608 .len = NFT_USERDATA_MAXLEN },
4609 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
4610 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
4611 .len = NFT_OBJ_MAXNAMELEN - 1 },
4612 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
4613 [NFTA_SET_ELEM_EXPRESSIONS] = { .type = NLA_NESTED },
4614 };
4615
4616 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
4617 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
4618 .len = NFT_TABLE_MAXNAMELEN - 1 },
4619 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
4620 .len = NFT_SET_MAXNAMELEN - 1 },
4621 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
4622 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
4623 };
4624
4625 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
4626 const struct sk_buff *skb,
4627 const struct nlmsghdr *nlh,
4628 const struct nlattr * const nla[],
4629 struct netlink_ext_ack *extack,
4630 u8 genmask, u32 nlpid)
4631 {
4632 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4633 int family = nfmsg->nfgen_family;
4634 struct nft_table *table;
4635
4636 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
4637 genmask, nlpid);
4638 if (IS_ERR(table)) {
4639 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
4640 return PTR_ERR(table);
4641 }
4642
4643 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
4644 return 0;
4645 }
4646
4647 static int nft_set_elem_expr_dump(struct sk_buff *skb,
4648 const struct nft_set *set,
4649 const struct nft_set_ext *ext)
4650 {
4651 struct nft_set_elem_expr *elem_expr;
4652 u32 size, num_exprs = 0;
4653 struct nft_expr *expr;
4654 struct nlattr *nest;
4655
4656 elem_expr = nft_set_ext_expr(ext);
4657 nft_setelem_expr_foreach(expr, elem_expr, size)
4658 num_exprs++;
4659
4660 if (num_exprs == 1) {
4661 expr = nft_setelem_expr_at(elem_expr, 0);
4662 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr) < 0)
4663 return -1;
4664
4665 return 0;
4666 } else if (num_exprs > 1) {
4667 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS);
4668 if (nest == NULL)
4669 goto nla_put_failure;
4670
4671 nft_setelem_expr_foreach(expr, elem_expr, size) {
4672 expr = nft_setelem_expr_at(elem_expr, size);
4673 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
4674 goto nla_put_failure;
4675 }
4676 nla_nest_end(skb, nest);
4677 }
4678 return 0;
4679
4680 nla_put_failure:
4681 return -1;
4682 }
4683
4684 static int nf_tables_fill_setelem(struct sk_buff *skb,
4685 const struct nft_set *set,
4686 const struct nft_set_elem *elem)
4687 {
4688 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4689 unsigned char *b = skb_tail_pointer(skb);
4690 struct nlattr *nest;
4691
4692 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4693 if (nest == NULL)
4694 goto nla_put_failure;
4695
4696 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
4697 NFT_DATA_VALUE, set->klen) < 0)
4698 goto nla_put_failure;
4699
4700 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
4701 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
4702 NFT_DATA_VALUE, set->klen) < 0)
4703 goto nla_put_failure;
4704
4705 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4706 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
4707 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
4708 set->dlen) < 0)
4709 goto nla_put_failure;
4710
4711 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) &&
4712 nft_set_elem_expr_dump(skb, set, ext))
4713 goto nla_put_failure;
4714
4715 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4716 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
4717 (*nft_set_ext_obj(ext))->key.name) < 0)
4718 goto nla_put_failure;
4719
4720 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4721 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
4722 htonl(*nft_set_ext_flags(ext))))
4723 goto nla_put_failure;
4724
4725 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
4726 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
4727 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
4728 NFTA_SET_ELEM_PAD))
4729 goto nla_put_failure;
4730
4731 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4732 u64 expires, now = get_jiffies_64();
4733
4734 expires = *nft_set_ext_expiration(ext);
4735 if (time_before64(now, expires))
4736 expires -= now;
4737 else
4738 expires = 0;
4739
4740 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
4741 nf_jiffies64_to_msecs(expires),
4742 NFTA_SET_ELEM_PAD))
4743 goto nla_put_failure;
4744 }
4745
4746 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
4747 struct nft_userdata *udata;
4748
4749 udata = nft_set_ext_userdata(ext);
4750 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
4751 udata->len + 1, udata->data))
4752 goto nla_put_failure;
4753 }
4754
4755 nla_nest_end(skb, nest);
4756 return 0;
4757
4758 nla_put_failure:
4759 nlmsg_trim(skb, b);
4760 return -EMSGSIZE;
4761 }
4762
4763 struct nft_set_dump_args {
4764 const struct netlink_callback *cb;
4765 struct nft_set_iter iter;
4766 struct sk_buff *skb;
4767 };
4768
4769 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
4770 struct nft_set *set,
4771 const struct nft_set_iter *iter,
4772 struct nft_set_elem *elem)
4773 {
4774 struct nft_set_dump_args *args;
4775
4776 args = container_of(iter, struct nft_set_dump_args, iter);
4777 return nf_tables_fill_setelem(args->skb, set, elem);
4778 }
4779
4780 struct nft_set_dump_ctx {
4781 const struct nft_set *set;
4782 struct nft_ctx ctx;
4783 };
4784
4785 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4786 {
4787 struct nft_set_dump_ctx *dump_ctx = cb->data;
4788 struct net *net = sock_net(skb->sk);
4789 struct nft_table *table;
4790 struct nft_set *set;
4791 struct nft_set_dump_args args;
4792 bool set_found = false;
4793 struct nfgenmsg *nfmsg;
4794 struct nlmsghdr *nlh;
4795 struct nlattr *nest;
4796 u32 portid, seq;
4797 int event;
4798
4799 rcu_read_lock();
4800 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4801 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4802 dump_ctx->ctx.family != table->family)
4803 continue;
4804
4805 if (table != dump_ctx->ctx.table)
4806 continue;
4807
4808 list_for_each_entry_rcu(set, &table->sets, list) {
4809 if (set == dump_ctx->set) {
4810 set_found = true;
4811 break;
4812 }
4813 }
4814 break;
4815 }
4816
4817 if (!set_found) {
4818 rcu_read_unlock();
4819 return -ENOENT;
4820 }
4821
4822 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4823 portid = NETLINK_CB(cb->skb).portid;
4824 seq = cb->nlh->nlmsg_seq;
4825
4826 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4827 NLM_F_MULTI);
4828 if (nlh == NULL)
4829 goto nla_put_failure;
4830
4831 nfmsg = nlmsg_data(nlh);
4832 nfmsg->nfgen_family = table->family;
4833 nfmsg->version = NFNETLINK_V0;
4834 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4835
4836 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4837 goto nla_put_failure;
4838 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4839 goto nla_put_failure;
4840
4841 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4842 if (nest == NULL)
4843 goto nla_put_failure;
4844
4845 args.cb = cb;
4846 args.skb = skb;
4847 args.iter.genmask = nft_genmask_cur(net);
4848 args.iter.skip = cb->args[0];
4849 args.iter.count = 0;
4850 args.iter.err = 0;
4851 args.iter.fn = nf_tables_dump_setelem;
4852 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4853 rcu_read_unlock();
4854
4855 nla_nest_end(skb, nest);
4856 nlmsg_end(skb, nlh);
4857
4858 if (args.iter.err && args.iter.err != -EMSGSIZE)
4859 return args.iter.err;
4860 if (args.iter.count == cb->args[0])
4861 return 0;
4862
4863 cb->args[0] = args.iter.count;
4864 return skb->len;
4865
4866 nla_put_failure:
4867 rcu_read_unlock();
4868 return -ENOSPC;
4869 }
4870
4871 static int nf_tables_dump_set_start(struct netlink_callback *cb)
4872 {
4873 struct nft_set_dump_ctx *dump_ctx = cb->data;
4874
4875 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4876
4877 return cb->data ? 0 : -ENOMEM;
4878 }
4879
4880 static int nf_tables_dump_set_done(struct netlink_callback *cb)
4881 {
4882 kfree(cb->data);
4883 return 0;
4884 }
4885
4886 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4887 const struct nft_ctx *ctx, u32 seq,
4888 u32 portid, int event, u16 flags,
4889 const struct nft_set *set,
4890 const struct nft_set_elem *elem)
4891 {
4892 struct nfgenmsg *nfmsg;
4893 struct nlmsghdr *nlh;
4894 struct nlattr *nest;
4895 int err;
4896
4897 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4898 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4899 flags);
4900 if (nlh == NULL)
4901 goto nla_put_failure;
4902
4903 nfmsg = nlmsg_data(nlh);
4904 nfmsg->nfgen_family = ctx->family;
4905 nfmsg->version = NFNETLINK_V0;
4906 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
4907
4908 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4909 goto nla_put_failure;
4910 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4911 goto nla_put_failure;
4912
4913 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4914 if (nest == NULL)
4915 goto nla_put_failure;
4916
4917 err = nf_tables_fill_setelem(skb, set, elem);
4918 if (err < 0)
4919 goto nla_put_failure;
4920
4921 nla_nest_end(skb, nest);
4922
4923 nlmsg_end(skb, nlh);
4924 return 0;
4925
4926 nla_put_failure:
4927 nlmsg_trim(skb, nlh);
4928 return -1;
4929 }
4930
4931 static int nft_setelem_parse_flags(const struct nft_set *set,
4932 const struct nlattr *attr, u32 *flags)
4933 {
4934 if (attr == NULL)
4935 return 0;
4936
4937 *flags = ntohl(nla_get_be32(attr));
4938 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4939 return -EINVAL;
4940 if (!(set->flags & NFT_SET_INTERVAL) &&
4941 *flags & NFT_SET_ELEM_INTERVAL_END)
4942 return -EINVAL;
4943
4944 return 0;
4945 }
4946
4947 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
4948 struct nft_data *key, struct nlattr *attr)
4949 {
4950 struct nft_data_desc desc;
4951 int err;
4952
4953 err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr);
4954 if (err < 0)
4955 return err;
4956
4957 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
4958 nft_data_release(key, desc.type);
4959 return -EINVAL;
4960 }
4961
4962 return 0;
4963 }
4964
4965 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
4966 struct nft_data_desc *desc,
4967 struct nft_data *data,
4968 struct nlattr *attr)
4969 {
4970 int err;
4971
4972 err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr);
4973 if (err < 0)
4974 return err;
4975
4976 if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) {
4977 nft_data_release(data, desc->type);
4978 return -EINVAL;
4979 }
4980
4981 return 0;
4982 }
4983
4984 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4985 const struct nlattr *attr)
4986 {
4987 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4988 struct nft_set_elem elem;
4989 struct sk_buff *skb;
4990 uint32_t flags = 0;
4991 void *priv;
4992 int err;
4993
4994 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4995 nft_set_elem_policy, NULL);
4996 if (err < 0)
4997 return err;
4998
4999 if (!nla[NFTA_SET_ELEM_KEY])
5000 return -EINVAL;
5001
5002 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5003 if (err < 0)
5004 return err;
5005
5006 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5007 nla[NFTA_SET_ELEM_KEY]);
5008 if (err < 0)
5009 return err;
5010
5011 if (nla[NFTA_SET_ELEM_KEY_END]) {
5012 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5013 nla[NFTA_SET_ELEM_KEY_END]);
5014 if (err < 0)
5015 return err;
5016 }
5017
5018 priv = set->ops->get(ctx->net, set, &elem, flags);
5019 if (IS_ERR(priv))
5020 return PTR_ERR(priv);
5021
5022 elem.priv = priv;
5023
5024 err = -ENOMEM;
5025 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
5026 if (skb == NULL)
5027 return err;
5028
5029 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
5030 NFT_MSG_NEWSETELEM, 0, set, &elem);
5031 if (err < 0)
5032 goto err_fill_setelem;
5033
5034 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
5035
5036 err_fill_setelem:
5037 kfree_skb(skb);
5038 return err;
5039 }
5040
5041 /* called with rcu_read_lock held */
5042 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
5043 struct sk_buff *skb, const struct nlmsghdr *nlh,
5044 const struct nlattr * const nla[],
5045 struct netlink_ext_ack *extack)
5046 {
5047 u8 genmask = nft_genmask_cur(net);
5048 struct nft_set *set;
5049 struct nlattr *attr;
5050 struct nft_ctx ctx;
5051 int rem, err = 0;
5052
5053 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5054 genmask, NETLINK_CB(skb).portid);
5055 if (err < 0)
5056 return err;
5057
5058 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5059 if (IS_ERR(set))
5060 return PTR_ERR(set);
5061
5062 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5063 struct netlink_dump_control c = {
5064 .start = nf_tables_dump_set_start,
5065 .dump = nf_tables_dump_set,
5066 .done = nf_tables_dump_set_done,
5067 .module = THIS_MODULE,
5068 };
5069 struct nft_set_dump_ctx dump_ctx = {
5070 .set = set,
5071 .ctx = ctx,
5072 };
5073
5074 c.data = &dump_ctx;
5075 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5076 }
5077
5078 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
5079 return -EINVAL;
5080
5081 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5082 err = nft_get_set_elem(&ctx, set, attr);
5083 if (err < 0)
5084 break;
5085 }
5086
5087 return err;
5088 }
5089
5090 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
5091 const struct nft_set *set,
5092 const struct nft_set_elem *elem,
5093 int event, u16 flags)
5094 {
5095 struct net *net = ctx->net;
5096 u32 portid = ctx->portid;
5097 struct sk_buff *skb;
5098 int err;
5099
5100 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5101 return;
5102
5103 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5104 if (skb == NULL)
5105 goto err;
5106
5107 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
5108 set, elem);
5109 if (err < 0) {
5110 kfree_skb(skb);
5111 goto err;
5112 }
5113
5114 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
5115 return;
5116 err:
5117 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5118 }
5119
5120 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
5121 int msg_type,
5122 struct nft_set *set)
5123 {
5124 struct nft_trans *trans;
5125
5126 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
5127 if (trans == NULL)
5128 return NULL;
5129
5130 nft_trans_elem_set(trans) = set;
5131 return trans;
5132 }
5133
5134 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
5135 const struct nft_set *set,
5136 const struct nlattr *attr)
5137 {
5138 struct nft_expr *expr;
5139 int err;
5140
5141 expr = nft_expr_init(ctx, attr);
5142 if (IS_ERR(expr))
5143 return expr;
5144
5145 err = -EOPNOTSUPP;
5146 if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL))
5147 goto err_set_elem_expr;
5148
5149 if (expr->ops->type->flags & NFT_EXPR_GC) {
5150 if (set->flags & NFT_SET_TIMEOUT)
5151 goto err_set_elem_expr;
5152 if (!set->ops->gc_init)
5153 goto err_set_elem_expr;
5154 set->ops->gc_init(set);
5155 }
5156
5157 return expr;
5158
5159 err_set_elem_expr:
5160 nft_expr_destroy(ctx, expr);
5161 return ERR_PTR(err);
5162 }
5163
5164 void *nft_set_elem_init(const struct nft_set *set,
5165 const struct nft_set_ext_tmpl *tmpl,
5166 const u32 *key, const u32 *key_end,
5167 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp)
5168 {
5169 struct nft_set_ext *ext;
5170 void *elem;
5171
5172 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
5173 if (elem == NULL)
5174 return NULL;
5175
5176 ext = nft_set_elem_ext(set, elem);
5177 nft_set_ext_init(ext, tmpl);
5178
5179 memcpy(nft_set_ext_key(ext), key, set->klen);
5180 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
5181 memcpy(nft_set_ext_key_end(ext), key_end, set->klen);
5182 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5183 memcpy(nft_set_ext_data(ext), data, set->dlen);
5184 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
5185 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
5186 if (expiration == 0)
5187 *nft_set_ext_expiration(ext) += timeout;
5188 }
5189 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
5190 *nft_set_ext_timeout(ext) = timeout;
5191
5192 return elem;
5193 }
5194
5195 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5196 struct nft_expr *expr)
5197 {
5198 if (expr->ops->destroy_clone) {
5199 expr->ops->destroy_clone(ctx, expr);
5200 module_put(expr->ops->type->owner);
5201 } else {
5202 nf_tables_expr_destroy(ctx, expr);
5203 }
5204 }
5205
5206 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5207 struct nft_set_elem_expr *elem_expr)
5208 {
5209 struct nft_expr *expr;
5210 u32 size;
5211
5212 nft_setelem_expr_foreach(expr, elem_expr, size)
5213 __nft_set_elem_expr_destroy(ctx, expr);
5214 }
5215
5216 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
5217 bool destroy_expr)
5218 {
5219 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5220 struct nft_ctx ctx = {
5221 .net = read_pnet(&set->net),
5222 .family = set->table->family,
5223 };
5224
5225 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
5226 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5227 nft_data_release(nft_set_ext_data(ext), set->dtype);
5228 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
5229 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
5230
5231 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5232 (*nft_set_ext_obj(ext))->use--;
5233 kfree(elem);
5234 }
5235 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
5236
5237 /* Only called from commit path, nft_set_elem_deactivate() already deals with
5238 * the refcounting from the preparation phase.
5239 */
5240 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
5241 const struct nft_set *set, void *elem)
5242 {
5243 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5244
5245 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
5246 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
5247
5248 kfree(elem);
5249 }
5250
5251 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
5252 struct nft_expr *expr_array[])
5253 {
5254 struct nft_expr *expr;
5255 int err, i, k;
5256
5257 for (i = 0; i < set->num_exprs; i++) {
5258 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL);
5259 if (!expr)
5260 goto err_expr;
5261
5262 err = nft_expr_clone(expr, set->exprs[i]);
5263 if (err < 0) {
5264 nft_expr_destroy(ctx, expr);
5265 goto err_expr;
5266 }
5267 expr_array[i] = expr;
5268 }
5269
5270 return 0;
5271
5272 err_expr:
5273 for (k = i - 1; k >= 0; k--)
5274 nft_expr_destroy(ctx, expr_array[k]);
5275
5276 return -ENOMEM;
5277 }
5278
5279 static void nft_set_elem_expr_setup(const struct nft_set_ext *ext, int i,
5280 struct nft_expr *expr_array[])
5281 {
5282 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
5283 struct nft_expr *expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
5284
5285 memcpy(expr, expr_array[i], expr_array[i]->ops->size);
5286 elem_expr->size += expr_array[i]->ops->size;
5287 kfree(expr_array[i]);
5288 expr_array[i] = NULL;
5289 }
5290
5291 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
5292 const struct nlattr *attr, u32 nlmsg_flags)
5293 {
5294 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {};
5295 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5296 u8 genmask = nft_genmask_next(ctx->net);
5297 u32 flags = 0, size = 0, num_exprs = 0;
5298 struct nft_set_ext_tmpl tmpl;
5299 struct nft_set_ext *ext, *ext2;
5300 struct nft_set_elem elem;
5301 struct nft_set_binding *binding;
5302 struct nft_object *obj = NULL;
5303 struct nft_userdata *udata;
5304 struct nft_data_desc desc;
5305 enum nft_registers dreg;
5306 struct nft_trans *trans;
5307 u64 timeout;
5308 u64 expiration;
5309 int err, i;
5310 u8 ulen;
5311
5312 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5313 nft_set_elem_policy, NULL);
5314 if (err < 0)
5315 return err;
5316
5317 if (nla[NFTA_SET_ELEM_KEY] == NULL)
5318 return -EINVAL;
5319
5320 nft_set_ext_prepare(&tmpl);
5321
5322 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5323 if (err < 0)
5324 return err;
5325 if (flags != 0)
5326 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5327
5328 if (set->flags & NFT_SET_MAP) {
5329 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
5330 !(flags & NFT_SET_ELEM_INTERVAL_END))
5331 return -EINVAL;
5332 } else {
5333 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5334 return -EINVAL;
5335 }
5336
5337 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
5338 (nla[NFTA_SET_ELEM_DATA] ||
5339 nla[NFTA_SET_ELEM_OBJREF] ||
5340 nla[NFTA_SET_ELEM_TIMEOUT] ||
5341 nla[NFTA_SET_ELEM_EXPIRATION] ||
5342 nla[NFTA_SET_ELEM_USERDATA] ||
5343 nla[NFTA_SET_ELEM_EXPR] ||
5344 nla[NFTA_SET_ELEM_EXPRESSIONS]))
5345 return -EINVAL;
5346
5347 timeout = 0;
5348 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
5349 if (!(set->flags & NFT_SET_TIMEOUT))
5350 return -EINVAL;
5351 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
5352 &timeout);
5353 if (err)
5354 return err;
5355 } else if (set->flags & NFT_SET_TIMEOUT) {
5356 timeout = set->timeout;
5357 }
5358
5359 expiration = 0;
5360 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
5361 if (!(set->flags & NFT_SET_TIMEOUT))
5362 return -EINVAL;
5363 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
5364 &expiration);
5365 if (err)
5366 return err;
5367 }
5368
5369 if (nla[NFTA_SET_ELEM_EXPR]) {
5370 struct nft_expr *expr;
5371
5372 if (set->num_exprs && set->num_exprs != 1)
5373 return -EOPNOTSUPP;
5374
5375 expr = nft_set_elem_expr_alloc(ctx, set,
5376 nla[NFTA_SET_ELEM_EXPR]);
5377 if (IS_ERR(expr))
5378 return PTR_ERR(expr);
5379
5380 expr_array[0] = expr;
5381 num_exprs = 1;
5382
5383 if (set->num_exprs && set->exprs[0]->ops != expr->ops) {
5384 err = -EOPNOTSUPP;
5385 goto err_set_elem_expr;
5386 }
5387 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) {
5388 struct nft_expr *expr;
5389 struct nlattr *tmp;
5390 int left;
5391
5392 i = 0;
5393 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) {
5394 if (i == NFT_SET_EXPR_MAX ||
5395 (set->num_exprs && set->num_exprs == i)) {
5396 err = -E2BIG;
5397 goto err_set_elem_expr;
5398 }
5399 if (nla_type(tmp) != NFTA_LIST_ELEM) {
5400 err = -EINVAL;
5401 goto err_set_elem_expr;
5402 }
5403 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
5404 if (IS_ERR(expr)) {
5405 err = PTR_ERR(expr);
5406 goto err_set_elem_expr;
5407 }
5408 expr_array[i] = expr;
5409 num_exprs++;
5410
5411 if (set->num_exprs && expr->ops != set->exprs[i]->ops) {
5412 err = -EOPNOTSUPP;
5413 goto err_set_elem_expr;
5414 }
5415 i++;
5416 }
5417 if (set->num_exprs && set->num_exprs != i) {
5418 err = -EOPNOTSUPP;
5419 goto err_set_elem_expr;
5420 }
5421 } else if (set->num_exprs > 0) {
5422 err = nft_set_elem_expr_clone(ctx, set, expr_array);
5423 if (err < 0)
5424 goto err_set_elem_expr_clone;
5425
5426 num_exprs = set->num_exprs;
5427 }
5428
5429 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5430 nla[NFTA_SET_ELEM_KEY]);
5431 if (err < 0)
5432 goto err_set_elem_expr;
5433
5434 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5435
5436 if (nla[NFTA_SET_ELEM_KEY_END]) {
5437 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5438 nla[NFTA_SET_ELEM_KEY_END]);
5439 if (err < 0)
5440 goto err_parse_key;
5441
5442 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5443 }
5444
5445 if (timeout > 0) {
5446 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
5447 if (timeout != set->timeout)
5448 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
5449 }
5450
5451 if (num_exprs) {
5452 for (i = 0; i < num_exprs; i++)
5453 size += expr_array[i]->ops->size;
5454
5455 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS,
5456 sizeof(struct nft_set_elem_expr) +
5457 size);
5458 }
5459
5460 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
5461 if (!(set->flags & NFT_SET_OBJECT)) {
5462 err = -EINVAL;
5463 goto err_parse_key_end;
5464 }
5465 obj = nft_obj_lookup(ctx->net, ctx->table,
5466 nla[NFTA_SET_ELEM_OBJREF],
5467 set->objtype, genmask);
5468 if (IS_ERR(obj)) {
5469 err = PTR_ERR(obj);
5470 goto err_parse_key_end;
5471 }
5472 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
5473 }
5474
5475 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
5476 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
5477 nla[NFTA_SET_ELEM_DATA]);
5478 if (err < 0)
5479 goto err_parse_key_end;
5480
5481 dreg = nft_type_to_reg(set->dtype);
5482 list_for_each_entry(binding, &set->bindings, list) {
5483 struct nft_ctx bind_ctx = {
5484 .net = ctx->net,
5485 .family = ctx->family,
5486 .table = ctx->table,
5487 .chain = (struct nft_chain *)binding->chain,
5488 };
5489
5490 if (!(binding->flags & NFT_SET_MAP))
5491 continue;
5492
5493 err = nft_validate_register_store(&bind_ctx, dreg,
5494 &elem.data.val,
5495 desc.type, desc.len);
5496 if (err < 0)
5497 goto err_parse_data;
5498
5499 if (desc.type == NFT_DATA_VERDICT &&
5500 (elem.data.val.verdict.code == NFT_GOTO ||
5501 elem.data.val.verdict.code == NFT_JUMP))
5502 nft_validate_state_update(ctx->net,
5503 NFT_VALIDATE_NEED);
5504 }
5505
5506 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
5507 }
5508
5509 /* The full maximum length of userdata can exceed the maximum
5510 * offset value (U8_MAX) for following extensions, therefor it
5511 * must be the last extension added.
5512 */
5513 ulen = 0;
5514 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
5515 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
5516 if (ulen > 0)
5517 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
5518 ulen);
5519 }
5520
5521 err = -ENOMEM;
5522 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5523 elem.key_end.val.data, elem.data.val.data,
5524 timeout, expiration, GFP_KERNEL);
5525 if (elem.priv == NULL)
5526 goto err_parse_data;
5527
5528 ext = nft_set_elem_ext(set, elem.priv);
5529 if (flags)
5530 *nft_set_ext_flags(ext) = flags;
5531 if (ulen > 0) {
5532 udata = nft_set_ext_userdata(ext);
5533 udata->len = ulen - 1;
5534 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
5535 }
5536 if (obj) {
5537 *nft_set_ext_obj(ext) = obj;
5538 obj->use++;
5539 }
5540 for (i = 0; i < num_exprs; i++)
5541 nft_set_elem_expr_setup(ext, i, expr_array);
5542
5543 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
5544 if (trans == NULL)
5545 goto err_trans;
5546
5547 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
5548 err = set->ops->insert(ctx->net, set, &elem, &ext2);
5549 if (err) {
5550 if (err == -EEXIST) {
5551 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
5552 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
5553 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
5554 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
5555 goto err_element_clash;
5556 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5557 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
5558 memcmp(nft_set_ext_data(ext),
5559 nft_set_ext_data(ext2), set->dlen) != 0) ||
5560 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5561 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
5562 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
5563 goto err_element_clash;
5564 else if (!(nlmsg_flags & NLM_F_EXCL))
5565 err = 0;
5566 } else if (err == -ENOTEMPTY) {
5567 /* ENOTEMPTY reports overlapping between this element
5568 * and an existing one.
5569 */
5570 err = -EEXIST;
5571 }
5572 goto err_element_clash;
5573 }
5574
5575 if (set->size &&
5576 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
5577 err = -ENFILE;
5578 goto err_set_full;
5579 }
5580
5581 nft_trans_elem(trans) = elem;
5582 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5583 return 0;
5584
5585 err_set_full:
5586 set->ops->remove(ctx->net, set, &elem);
5587 err_element_clash:
5588 kfree(trans);
5589 err_trans:
5590 if (obj)
5591 obj->use--;
5592
5593 nf_tables_set_elem_destroy(ctx, set, elem.priv);
5594 err_parse_data:
5595 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5596 nft_data_release(&elem.data.val, desc.type);
5597 err_parse_key_end:
5598 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
5599 err_parse_key:
5600 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5601 err_set_elem_expr:
5602 for (i = 0; i < num_exprs && expr_array[i]; i++)
5603 nft_expr_destroy(ctx, expr_array[i]);
5604 err_set_elem_expr_clone:
5605 return err;
5606 }
5607
5608 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
5609 struct sk_buff *skb, const struct nlmsghdr *nlh,
5610 const struct nlattr * const nla[],
5611 struct netlink_ext_ack *extack)
5612 {
5613 u8 genmask = nft_genmask_next(net);
5614 const struct nlattr *attr;
5615 struct nft_set *set;
5616 struct nft_ctx ctx;
5617 int rem, err;
5618
5619 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
5620 return -EINVAL;
5621
5622 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5623 genmask, NETLINK_CB(skb).portid);
5624 if (err < 0)
5625 return err;
5626
5627 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
5628 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
5629 if (IS_ERR(set))
5630 return PTR_ERR(set);
5631
5632 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5633 return -EBUSY;
5634
5635 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5636 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
5637 if (err < 0)
5638 return err;
5639 }
5640
5641 if (net->nft.validate_state == NFT_VALIDATE_DO)
5642 return nft_table_validate(net, ctx.table);
5643
5644 return 0;
5645 }
5646
5647 /**
5648 * nft_data_hold - hold a nft_data item
5649 *
5650 * @data: struct nft_data to release
5651 * @type: type of data
5652 *
5653 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
5654 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
5655 * NFT_GOTO verdicts. This function must be called on active data objects
5656 * from the second phase of the commit protocol.
5657 */
5658 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
5659 {
5660 struct nft_chain *chain;
5661 struct nft_rule *rule;
5662
5663 if (type == NFT_DATA_VERDICT) {
5664 switch (data->verdict.code) {
5665 case NFT_JUMP:
5666 case NFT_GOTO:
5667 chain = data->verdict.chain;
5668 chain->use++;
5669
5670 if (!nft_chain_is_bound(chain))
5671 break;
5672
5673 chain->table->use++;
5674 list_for_each_entry(rule, &chain->rules, list)
5675 chain->use++;
5676
5677 nft_chain_add(chain->table, chain);
5678 break;
5679 }
5680 }
5681 }
5682
5683 static void nft_set_elem_activate(const struct net *net,
5684 const struct nft_set *set,
5685 struct nft_set_elem *elem)
5686 {
5687 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5688
5689 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5690 nft_data_hold(nft_set_ext_data(ext), set->dtype);
5691 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5692 (*nft_set_ext_obj(ext))->use++;
5693 }
5694
5695 static void nft_set_elem_deactivate(const struct net *net,
5696 const struct nft_set *set,
5697 struct nft_set_elem *elem)
5698 {
5699 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5700
5701 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5702 nft_data_release(nft_set_ext_data(ext), set->dtype);
5703 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5704 (*nft_set_ext_obj(ext))->use--;
5705 }
5706
5707 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
5708 const struct nlattr *attr)
5709 {
5710 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5711 struct nft_set_ext_tmpl tmpl;
5712 struct nft_set_elem elem;
5713 struct nft_set_ext *ext;
5714 struct nft_trans *trans;
5715 u32 flags = 0;
5716 void *priv;
5717 int err;
5718
5719 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5720 nft_set_elem_policy, NULL);
5721 if (err < 0)
5722 return err;
5723
5724 if (nla[NFTA_SET_ELEM_KEY] == NULL)
5725 return -EINVAL;
5726
5727 nft_set_ext_prepare(&tmpl);
5728
5729 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5730 if (err < 0)
5731 return err;
5732 if (flags != 0)
5733 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5734
5735 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5736 nla[NFTA_SET_ELEM_KEY]);
5737 if (err < 0)
5738 return err;
5739
5740 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5741
5742 if (nla[NFTA_SET_ELEM_KEY_END]) {
5743 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5744 nla[NFTA_SET_ELEM_KEY_END]);
5745 if (err < 0)
5746 return err;
5747
5748 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5749 }
5750
5751 err = -ENOMEM;
5752 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5753 elem.key_end.val.data, NULL, 0, 0,
5754 GFP_KERNEL);
5755 if (elem.priv == NULL)
5756 goto fail_elem;
5757
5758 ext = nft_set_elem_ext(set, elem.priv);
5759 if (flags)
5760 *nft_set_ext_flags(ext) = flags;
5761
5762 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
5763 if (trans == NULL)
5764 goto fail_trans;
5765
5766 priv = set->ops->deactivate(ctx->net, set, &elem);
5767 if (priv == NULL) {
5768 err = -ENOENT;
5769 goto fail_ops;
5770 }
5771 kfree(elem.priv);
5772 elem.priv = priv;
5773
5774 nft_set_elem_deactivate(ctx->net, set, &elem);
5775
5776 nft_trans_elem(trans) = elem;
5777 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5778 return 0;
5779
5780 fail_ops:
5781 kfree(trans);
5782 fail_trans:
5783 kfree(elem.priv);
5784 fail_elem:
5785 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5786 return err;
5787 }
5788
5789 static int nft_flush_set(const struct nft_ctx *ctx,
5790 struct nft_set *set,
5791 const struct nft_set_iter *iter,
5792 struct nft_set_elem *elem)
5793 {
5794 struct nft_trans *trans;
5795 int err;
5796
5797 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
5798 sizeof(struct nft_trans_elem), GFP_ATOMIC);
5799 if (!trans)
5800 return -ENOMEM;
5801
5802 if (!set->ops->flush(ctx->net, set, elem->priv)) {
5803 err = -ENOENT;
5804 goto err1;
5805 }
5806 set->ndeact++;
5807
5808 nft_set_elem_deactivate(ctx->net, set, elem);
5809 nft_trans_elem_set(trans) = set;
5810 nft_trans_elem(trans) = *elem;
5811 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5812
5813 return 0;
5814 err1:
5815 kfree(trans);
5816 return err;
5817 }
5818
5819 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
5820 struct sk_buff *skb, const struct nlmsghdr *nlh,
5821 const struct nlattr * const nla[],
5822 struct netlink_ext_ack *extack)
5823 {
5824 u8 genmask = nft_genmask_next(net);
5825 const struct nlattr *attr;
5826 struct nft_set *set;
5827 struct nft_ctx ctx;
5828 int rem, err = 0;
5829
5830 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5831 genmask, NETLINK_CB(skb).portid);
5832 if (err < 0)
5833 return err;
5834
5835 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5836 if (IS_ERR(set))
5837 return PTR_ERR(set);
5838 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5839 return -EBUSY;
5840
5841 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
5842 struct nft_set_iter iter = {
5843 .genmask = genmask,
5844 .fn = nft_flush_set,
5845 };
5846 set->ops->walk(&ctx, set, &iter);
5847
5848 return iter.err;
5849 }
5850
5851 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5852 err = nft_del_setelem(&ctx, set, attr);
5853 if (err < 0)
5854 break;
5855
5856 set->ndeact++;
5857 }
5858 return err;
5859 }
5860
5861 void nft_set_gc_batch_release(struct rcu_head *rcu)
5862 {
5863 struct nft_set_gc_batch *gcb;
5864 unsigned int i;
5865
5866 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
5867 for (i = 0; i < gcb->head.cnt; i++)
5868 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
5869 kfree(gcb);
5870 }
5871
5872 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
5873 gfp_t gfp)
5874 {
5875 struct nft_set_gc_batch *gcb;
5876
5877 gcb = kzalloc(sizeof(*gcb), gfp);
5878 if (gcb == NULL)
5879 return gcb;
5880 gcb->head.set = set;
5881 return gcb;
5882 }
5883
5884 /*
5885 * Stateful objects
5886 */
5887
5888 /**
5889 * nft_register_obj- register nf_tables stateful object type
5890 * @obj_type: object type
5891 *
5892 * Registers the object type for use with nf_tables. Returns zero on
5893 * success or a negative errno code otherwise.
5894 */
5895 int nft_register_obj(struct nft_object_type *obj_type)
5896 {
5897 if (obj_type->type == NFT_OBJECT_UNSPEC)
5898 return -EINVAL;
5899
5900 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5901 list_add_rcu(&obj_type->list, &nf_tables_objects);
5902 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5903 return 0;
5904 }
5905 EXPORT_SYMBOL_GPL(nft_register_obj);
5906
5907 /**
5908 * nft_unregister_obj - unregister nf_tables object type
5909 * @obj_type: object type
5910 *
5911 * Unregisters the object type for use with nf_tables.
5912 */
5913 void nft_unregister_obj(struct nft_object_type *obj_type)
5914 {
5915 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5916 list_del_rcu(&obj_type->list);
5917 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5918 }
5919 EXPORT_SYMBOL_GPL(nft_unregister_obj);
5920
5921 struct nft_object *nft_obj_lookup(const struct net *net,
5922 const struct nft_table *table,
5923 const struct nlattr *nla, u32 objtype,
5924 u8 genmask)
5925 {
5926 struct nft_object_hash_key k = { .table = table };
5927 char search[NFT_OBJ_MAXNAMELEN];
5928 struct rhlist_head *tmp, *list;
5929 struct nft_object *obj;
5930
5931 nla_strscpy(search, nla, sizeof(search));
5932 k.name = search;
5933
5934 WARN_ON_ONCE(!rcu_read_lock_held() &&
5935 !lockdep_commit_lock_is_held(net));
5936
5937 rcu_read_lock();
5938 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
5939 if (!list)
5940 goto out;
5941
5942 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
5943 if (objtype == obj->ops->type->type &&
5944 nft_active_genmask(obj, genmask)) {
5945 rcu_read_unlock();
5946 return obj;
5947 }
5948 }
5949 out:
5950 rcu_read_unlock();
5951 return ERR_PTR(-ENOENT);
5952 }
5953 EXPORT_SYMBOL_GPL(nft_obj_lookup);
5954
5955 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
5956 const struct nlattr *nla,
5957 u32 objtype, u8 genmask)
5958 {
5959 struct nft_object *obj;
5960
5961 list_for_each_entry(obj, &table->objects, list) {
5962 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
5963 objtype == obj->ops->type->type &&
5964 nft_active_genmask(obj, genmask))
5965 return obj;
5966 }
5967 return ERR_PTR(-ENOENT);
5968 }
5969
5970 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
5971 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
5972 .len = NFT_TABLE_MAXNAMELEN - 1 },
5973 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
5974 .len = NFT_OBJ_MAXNAMELEN - 1 },
5975 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
5976 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
5977 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
5978 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY,
5979 .len = NFT_USERDATA_MAXLEN },
5980 };
5981
5982 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
5983 const struct nft_object_type *type,
5984 const struct nlattr *attr)
5985 {
5986 struct nlattr **tb;
5987 const struct nft_object_ops *ops;
5988 struct nft_object *obj;
5989 int err = -ENOMEM;
5990
5991 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
5992 if (!tb)
5993 goto err1;
5994
5995 if (attr) {
5996 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
5997 type->policy, NULL);
5998 if (err < 0)
5999 goto err2;
6000 } else {
6001 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
6002 }
6003
6004 if (type->select_ops) {
6005 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
6006 if (IS_ERR(ops)) {
6007 err = PTR_ERR(ops);
6008 goto err2;
6009 }
6010 } else {
6011 ops = type->ops;
6012 }
6013
6014 err = -ENOMEM;
6015 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
6016 if (!obj)
6017 goto err2;
6018
6019 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
6020 if (err < 0)
6021 goto err3;
6022
6023 obj->ops = ops;
6024
6025 kfree(tb);
6026 return obj;
6027 err3:
6028 kfree(obj);
6029 err2:
6030 kfree(tb);
6031 err1:
6032 return ERR_PTR(err);
6033 }
6034
6035 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
6036 struct nft_object *obj, bool reset)
6037 {
6038 struct nlattr *nest;
6039
6040 nest = nla_nest_start_noflag(skb, attr);
6041 if (!nest)
6042 goto nla_put_failure;
6043 if (obj->ops->dump(skb, obj, reset) < 0)
6044 goto nla_put_failure;
6045 nla_nest_end(skb, nest);
6046 return 0;
6047
6048 nla_put_failure:
6049 return -1;
6050 }
6051
6052 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
6053 {
6054 const struct nft_object_type *type;
6055
6056 list_for_each_entry(type, &nf_tables_objects, list) {
6057 if (objtype == type->type)
6058 return type;
6059 }
6060 return NULL;
6061 }
6062
6063 static const struct nft_object_type *
6064 nft_obj_type_get(struct net *net, u32 objtype)
6065 {
6066 const struct nft_object_type *type;
6067
6068 type = __nft_obj_type_get(objtype);
6069 if (type != NULL && try_module_get(type->owner))
6070 return type;
6071
6072 lockdep_nfnl_nft_mutex_not_held();
6073 #ifdef CONFIG_MODULES
6074 if (type == NULL) {
6075 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
6076 return ERR_PTR(-EAGAIN);
6077 }
6078 #endif
6079 return ERR_PTR(-ENOENT);
6080 }
6081
6082 static int nf_tables_updobj(const struct nft_ctx *ctx,
6083 const struct nft_object_type *type,
6084 const struct nlattr *attr,
6085 struct nft_object *obj)
6086 {
6087 struct nft_object *newobj;
6088 struct nft_trans *trans;
6089 int err;
6090
6091 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
6092 sizeof(struct nft_trans_obj));
6093 if (!trans)
6094 return -ENOMEM;
6095
6096 newobj = nft_obj_init(ctx, type, attr);
6097 if (IS_ERR(newobj)) {
6098 err = PTR_ERR(newobj);
6099 goto err_free_trans;
6100 }
6101
6102 nft_trans_obj(trans) = obj;
6103 nft_trans_obj_update(trans) = true;
6104 nft_trans_obj_newobj(trans) = newobj;
6105 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
6106
6107 return 0;
6108
6109 err_free_trans:
6110 kfree(trans);
6111 return err;
6112 }
6113
6114 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
6115 struct sk_buff *skb, const struct nlmsghdr *nlh,
6116 const struct nlattr * const nla[],
6117 struct netlink_ext_ack *extack)
6118 {
6119 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6120 const struct nft_object_type *type;
6121 u8 genmask = nft_genmask_next(net);
6122 int family = nfmsg->nfgen_family;
6123 struct nft_table *table;
6124 struct nft_object *obj;
6125 struct nft_ctx ctx;
6126 u32 objtype;
6127 int err;
6128
6129 if (!nla[NFTA_OBJ_TYPE] ||
6130 !nla[NFTA_OBJ_NAME] ||
6131 !nla[NFTA_OBJ_DATA])
6132 return -EINVAL;
6133
6134 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
6135 NETLINK_CB(skb).portid);
6136 if (IS_ERR(table)) {
6137 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6138 return PTR_ERR(table);
6139 }
6140
6141 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6142 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
6143 if (IS_ERR(obj)) {
6144 err = PTR_ERR(obj);
6145 if (err != -ENOENT) {
6146 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6147 return err;
6148 }
6149 } else {
6150 if (nlh->nlmsg_flags & NLM_F_EXCL) {
6151 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6152 return -EEXIST;
6153 }
6154 if (nlh->nlmsg_flags & NLM_F_REPLACE)
6155 return -EOPNOTSUPP;
6156
6157 type = __nft_obj_type_get(objtype);
6158 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6159
6160 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
6161 }
6162
6163 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6164
6165 type = nft_obj_type_get(net, objtype);
6166 if (IS_ERR(type))
6167 return PTR_ERR(type);
6168
6169 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
6170 if (IS_ERR(obj)) {
6171 err = PTR_ERR(obj);
6172 goto err_init;
6173 }
6174 obj->key.table = table;
6175 obj->handle = nf_tables_alloc_handle(table);
6176
6177 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
6178 if (!obj->key.name) {
6179 err = -ENOMEM;
6180 goto err_strdup;
6181 }
6182
6183 if (nla[NFTA_OBJ_USERDATA]) {
6184 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL);
6185 if (obj->udata == NULL)
6186 goto err_userdata;
6187
6188 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
6189 }
6190
6191 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
6192 if (err < 0)
6193 goto err_trans;
6194
6195 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
6196 nft_objname_ht_params);
6197 if (err < 0)
6198 goto err_obj_ht;
6199
6200 list_add_tail_rcu(&obj->list, &table->objects);
6201 table->use++;
6202 return 0;
6203 err_obj_ht:
6204 /* queued in transaction log */
6205 INIT_LIST_HEAD(&obj->list);
6206 return err;
6207 err_trans:
6208 kfree(obj->key.name);
6209 err_userdata:
6210 kfree(obj->udata);
6211 err_strdup:
6212 if (obj->ops->destroy)
6213 obj->ops->destroy(&ctx, obj);
6214 kfree(obj);
6215 err_init:
6216 module_put(type->owner);
6217 return err;
6218 }
6219
6220 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
6221 u32 portid, u32 seq, int event, u32 flags,
6222 int family, const struct nft_table *table,
6223 struct nft_object *obj, bool reset)
6224 {
6225 struct nfgenmsg *nfmsg;
6226 struct nlmsghdr *nlh;
6227
6228 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6229 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
6230 if (nlh == NULL)
6231 goto nla_put_failure;
6232
6233 nfmsg = nlmsg_data(nlh);
6234 nfmsg->nfgen_family = family;
6235 nfmsg->version = NFNETLINK_V0;
6236 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6237
6238 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
6239 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
6240 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
6241 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
6242 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
6243 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
6244 NFTA_OBJ_PAD))
6245 goto nla_put_failure;
6246
6247 if (obj->udata &&
6248 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
6249 goto nla_put_failure;
6250
6251 nlmsg_end(skb, nlh);
6252 return 0;
6253
6254 nla_put_failure:
6255 nlmsg_trim(skb, nlh);
6256 return -1;
6257 }
6258
6259 struct nft_obj_filter {
6260 char *table;
6261 u32 type;
6262 };
6263
6264 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
6265 {
6266 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6267 const struct nft_table *table;
6268 unsigned int idx = 0, s_idx = cb->args[0];
6269 struct nft_obj_filter *filter = cb->data;
6270 struct net *net = sock_net(skb->sk);
6271 int family = nfmsg->nfgen_family;
6272 struct nft_object *obj;
6273 bool reset = false;
6274
6275 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
6276 reset = true;
6277
6278 rcu_read_lock();
6279 cb->seq = net->nft.base_seq;
6280
6281 list_for_each_entry_rcu(table, &net->nft.tables, list) {
6282 if (family != NFPROTO_UNSPEC && family != table->family)
6283 continue;
6284
6285 list_for_each_entry_rcu(obj, &table->objects, list) {
6286 if (!nft_is_active(net, obj))
6287 goto cont;
6288 if (idx < s_idx)
6289 goto cont;
6290 if (idx > s_idx)
6291 memset(&cb->args[1], 0,
6292 sizeof(cb->args) - sizeof(cb->args[0]));
6293 if (filter && filter->table &&
6294 strcmp(filter->table, table->name))
6295 goto cont;
6296 if (filter &&
6297 filter->type != NFT_OBJECT_UNSPEC &&
6298 obj->ops->type->type != filter->type)
6299 goto cont;
6300 if (reset) {
6301 char *buf = kasprintf(GFP_ATOMIC,
6302 "%s:%u",
6303 table->name,
6304 net->nft.base_seq);
6305
6306 audit_log_nfcfg(buf,
6307 family,
6308 obj->handle,
6309 AUDIT_NFT_OP_OBJ_RESET,
6310 GFP_ATOMIC);
6311 kfree(buf);
6312 }
6313
6314 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
6315 cb->nlh->nlmsg_seq,
6316 NFT_MSG_NEWOBJ,
6317 NLM_F_MULTI | NLM_F_APPEND,
6318 table->family, table,
6319 obj, reset) < 0)
6320 goto done;
6321
6322 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6323 cont:
6324 idx++;
6325 }
6326 }
6327 done:
6328 rcu_read_unlock();
6329
6330 cb->args[0] = idx;
6331 return skb->len;
6332 }
6333
6334 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
6335 {
6336 const struct nlattr * const *nla = cb->data;
6337 struct nft_obj_filter *filter = NULL;
6338
6339 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
6340 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6341 if (!filter)
6342 return -ENOMEM;
6343
6344 if (nla[NFTA_OBJ_TABLE]) {
6345 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
6346 if (!filter->table) {
6347 kfree(filter);
6348 return -ENOMEM;
6349 }
6350 }
6351
6352 if (nla[NFTA_OBJ_TYPE])
6353 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6354 }
6355
6356 cb->data = filter;
6357 return 0;
6358 }
6359
6360 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
6361 {
6362 struct nft_obj_filter *filter = cb->data;
6363
6364 if (filter) {
6365 kfree(filter->table);
6366 kfree(filter);
6367 }
6368
6369 return 0;
6370 }
6371
6372 /* called with rcu_read_lock held */
6373 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
6374 struct sk_buff *skb, const struct nlmsghdr *nlh,
6375 const struct nlattr * const nla[],
6376 struct netlink_ext_ack *extack)
6377 {
6378 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6379 u8 genmask = nft_genmask_cur(net);
6380 int family = nfmsg->nfgen_family;
6381 const struct nft_table *table;
6382 struct nft_object *obj;
6383 struct sk_buff *skb2;
6384 bool reset = false;
6385 u32 objtype;
6386 int err;
6387
6388 if (nlh->nlmsg_flags & NLM_F_DUMP) {
6389 struct netlink_dump_control c = {
6390 .start = nf_tables_dump_obj_start,
6391 .dump = nf_tables_dump_obj,
6392 .done = nf_tables_dump_obj_done,
6393 .module = THIS_MODULE,
6394 .data = (void *)nla,
6395 };
6396
6397 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
6398 }
6399
6400 if (!nla[NFTA_OBJ_NAME] ||
6401 !nla[NFTA_OBJ_TYPE])
6402 return -EINVAL;
6403
6404 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0);
6405 if (IS_ERR(table)) {
6406 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6407 return PTR_ERR(table);
6408 }
6409
6410 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6411 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
6412 if (IS_ERR(obj)) {
6413 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6414 return PTR_ERR(obj);
6415 }
6416
6417 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6418 if (!skb2)
6419 return -ENOMEM;
6420
6421 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
6422 reset = true;
6423
6424 if (reset) {
6425 char *buf = kasprintf(GFP_ATOMIC, "%s:%u",
6426 table->name, net->nft.base_seq);
6427
6428 audit_log_nfcfg(buf,
6429 family,
6430 obj->handle,
6431 AUDIT_NFT_OP_OBJ_RESET,
6432 GFP_ATOMIC);
6433 kfree(buf);
6434 }
6435
6436 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
6437 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
6438 family, table, obj, reset);
6439 if (err < 0)
6440 goto err_fill_obj_info;
6441
6442 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
6443
6444 err_fill_obj_info:
6445 kfree_skb(skb2);
6446 return err;
6447 }
6448
6449 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
6450 {
6451 if (obj->ops->destroy)
6452 obj->ops->destroy(ctx, obj);
6453
6454 module_put(obj->ops->type->owner);
6455 kfree(obj->key.name);
6456 kfree(obj->udata);
6457 kfree(obj);
6458 }
6459
6460 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
6461 struct sk_buff *skb, const struct nlmsghdr *nlh,
6462 const struct nlattr * const nla[],
6463 struct netlink_ext_ack *extack)
6464 {
6465 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6466 u8 genmask = nft_genmask_next(net);
6467 int family = nfmsg->nfgen_family;
6468 const struct nlattr *attr;
6469 struct nft_table *table;
6470 struct nft_object *obj;
6471 struct nft_ctx ctx;
6472 u32 objtype;
6473
6474 if (!nla[NFTA_OBJ_TYPE] ||
6475 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
6476 return -EINVAL;
6477
6478 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
6479 NETLINK_CB(skb).portid);
6480 if (IS_ERR(table)) {
6481 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6482 return PTR_ERR(table);
6483 }
6484
6485 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6486 if (nla[NFTA_OBJ_HANDLE]) {
6487 attr = nla[NFTA_OBJ_HANDLE];
6488 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
6489 } else {
6490 attr = nla[NFTA_OBJ_NAME];
6491 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
6492 }
6493
6494 if (IS_ERR(obj)) {
6495 NL_SET_BAD_ATTR(extack, attr);
6496 return PTR_ERR(obj);
6497 }
6498 if (obj->use > 0) {
6499 NL_SET_BAD_ATTR(extack, attr);
6500 return -EBUSY;
6501 }
6502
6503 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6504
6505 return nft_delobj(&ctx, obj);
6506 }
6507
6508 void nft_obj_notify(struct net *net, const struct nft_table *table,
6509 struct nft_object *obj, u32 portid, u32 seq, int event,
6510 int family, int report, gfp_t gfp)
6511 {
6512 struct sk_buff *skb;
6513 int err;
6514 char *buf = kasprintf(gfp, "%s:%u",
6515 table->name, net->nft.base_seq);
6516
6517 audit_log_nfcfg(buf,
6518 family,
6519 obj->handle,
6520 event == NFT_MSG_NEWOBJ ?
6521 AUDIT_NFT_OP_OBJ_REGISTER :
6522 AUDIT_NFT_OP_OBJ_UNREGISTER,
6523 gfp);
6524 kfree(buf);
6525
6526 if (!report &&
6527 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6528 return;
6529
6530 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
6531 if (skb == NULL)
6532 goto err;
6533
6534 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
6535 table, obj, false);
6536 if (err < 0) {
6537 kfree_skb(skb);
6538 goto err;
6539 }
6540
6541 nft_notify_enqueue(skb, report, &net->nft.notify_list);
6542 return;
6543 err:
6544 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
6545 }
6546 EXPORT_SYMBOL_GPL(nft_obj_notify);
6547
6548 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
6549 struct nft_object *obj, int event)
6550 {
6551 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
6552 ctx->family, ctx->report, GFP_KERNEL);
6553 }
6554
6555 /*
6556 * Flow tables
6557 */
6558 void nft_register_flowtable_type(struct nf_flowtable_type *type)
6559 {
6560 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6561 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
6562 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6563 }
6564 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
6565
6566 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
6567 {
6568 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6569 list_del_rcu(&type->list);
6570 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6571 }
6572 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
6573
6574 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
6575 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
6576 .len = NFT_NAME_MAXLEN - 1 },
6577 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
6578 .len = NFT_NAME_MAXLEN - 1 },
6579 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
6580 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
6581 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
6582 };
6583
6584 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
6585 const struct nlattr *nla, u8 genmask)
6586 {
6587 struct nft_flowtable *flowtable;
6588
6589 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6590 if (!nla_strcmp(nla, flowtable->name) &&
6591 nft_active_genmask(flowtable, genmask))
6592 return flowtable;
6593 }
6594 return ERR_PTR(-ENOENT);
6595 }
6596 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
6597
6598 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
6599 struct nft_flowtable *flowtable,
6600 enum nft_trans_phase phase)
6601 {
6602 switch (phase) {
6603 case NFT_TRANS_PREPARE:
6604 case NFT_TRANS_ABORT:
6605 case NFT_TRANS_RELEASE:
6606 flowtable->use--;
6607 fallthrough;
6608 default:
6609 return;
6610 }
6611 }
6612 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
6613
6614 static struct nft_flowtable *
6615 nft_flowtable_lookup_byhandle(const struct nft_table *table,
6616 const struct nlattr *nla, u8 genmask)
6617 {
6618 struct nft_flowtable *flowtable;
6619
6620 list_for_each_entry(flowtable, &table->flowtables, list) {
6621 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
6622 nft_active_genmask(flowtable, genmask))
6623 return flowtable;
6624 }
6625 return ERR_PTR(-ENOENT);
6626 }
6627
6628 struct nft_flowtable_hook {
6629 u32 num;
6630 int priority;
6631 struct list_head list;
6632 };
6633
6634 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
6635 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
6636 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
6637 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
6638 };
6639
6640 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
6641 const struct nlattr *attr,
6642 struct nft_flowtable_hook *flowtable_hook,
6643 struct nft_flowtable *flowtable, bool add)
6644 {
6645 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
6646 struct nft_hook *hook;
6647 int hooknum, priority;
6648 int err;
6649
6650 INIT_LIST_HEAD(&flowtable_hook->list);
6651
6652 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
6653 nft_flowtable_hook_policy, NULL);
6654 if (err < 0)
6655 return err;
6656
6657 if (add) {
6658 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
6659 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY])
6660 return -EINVAL;
6661
6662 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
6663 if (hooknum != NF_NETDEV_INGRESS)
6664 return -EOPNOTSUPP;
6665
6666 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
6667
6668 flowtable_hook->priority = priority;
6669 flowtable_hook->num = hooknum;
6670 } else {
6671 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
6672 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
6673 if (hooknum != flowtable->hooknum)
6674 return -EOPNOTSUPP;
6675 }
6676
6677 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
6678 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
6679 if (priority != flowtable->data.priority)
6680 return -EOPNOTSUPP;
6681 }
6682
6683 flowtable_hook->priority = flowtable->data.priority;
6684 flowtable_hook->num = flowtable->hooknum;
6685 }
6686
6687 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
6688 err = nf_tables_parse_netdev_hooks(ctx->net,
6689 tb[NFTA_FLOWTABLE_HOOK_DEVS],
6690 &flowtable_hook->list);
6691 if (err < 0)
6692 return err;
6693 }
6694
6695 list_for_each_entry(hook, &flowtable_hook->list, list) {
6696 hook->ops.pf = NFPROTO_NETDEV;
6697 hook->ops.hooknum = flowtable_hook->num;
6698 hook->ops.priority = flowtable_hook->priority;
6699 hook->ops.priv = &flowtable->data;
6700 hook->ops.hook = flowtable->data.type->hook;
6701 }
6702
6703 return err;
6704 }
6705
6706 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
6707 {
6708 const struct nf_flowtable_type *type;
6709
6710 list_for_each_entry(type, &nf_tables_flowtables, list) {
6711 if (family == type->family)
6712 return type;
6713 }
6714 return NULL;
6715 }
6716
6717 static const struct nf_flowtable_type *
6718 nft_flowtable_type_get(struct net *net, u8 family)
6719 {
6720 const struct nf_flowtable_type *type;
6721
6722 type = __nft_flowtable_type_get(family);
6723 if (type != NULL && try_module_get(type->owner))
6724 return type;
6725
6726 lockdep_nfnl_nft_mutex_not_held();
6727 #ifdef CONFIG_MODULES
6728 if (type == NULL) {
6729 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
6730 return ERR_PTR(-EAGAIN);
6731 }
6732 #endif
6733 return ERR_PTR(-ENOENT);
6734 }
6735
6736 /* Only called from error and netdev event paths. */
6737 static void nft_unregister_flowtable_hook(struct net *net,
6738 struct nft_flowtable *flowtable,
6739 struct nft_hook *hook)
6740 {
6741 nf_unregister_net_hook(net, &hook->ops);
6742 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
6743 FLOW_BLOCK_UNBIND);
6744 }
6745
6746 static void nft_unregister_flowtable_net_hooks(struct net *net,
6747 struct list_head *hook_list)
6748 {
6749 struct nft_hook *hook;
6750
6751 list_for_each_entry(hook, hook_list, list)
6752 nf_unregister_net_hook(net, &hook->ops);
6753 }
6754
6755 static int nft_register_flowtable_net_hooks(struct net *net,
6756 struct nft_table *table,
6757 struct list_head *hook_list,
6758 struct nft_flowtable *flowtable)
6759 {
6760 struct nft_hook *hook, *hook2, *next;
6761 struct nft_flowtable *ft;
6762 int err, i = 0;
6763
6764 list_for_each_entry(hook, hook_list, list) {
6765 list_for_each_entry(ft, &table->flowtables, list) {
6766 if (!nft_is_active_next(net, ft))
6767 continue;
6768
6769 list_for_each_entry(hook2, &ft->hook_list, list) {
6770 if (hook->ops.dev == hook2->ops.dev &&
6771 hook->ops.pf == hook2->ops.pf) {
6772 err = -EEXIST;
6773 goto err_unregister_net_hooks;
6774 }
6775 }
6776 }
6777
6778 err = flowtable->data.type->setup(&flowtable->data,
6779 hook->ops.dev,
6780 FLOW_BLOCK_BIND);
6781 if (err < 0)
6782 goto err_unregister_net_hooks;
6783
6784 err = nf_register_net_hook(net, &hook->ops);
6785 if (err < 0) {
6786 flowtable->data.type->setup(&flowtable->data,
6787 hook->ops.dev,
6788 FLOW_BLOCK_UNBIND);
6789 goto err_unregister_net_hooks;
6790 }
6791
6792 i++;
6793 }
6794
6795 return 0;
6796
6797 err_unregister_net_hooks:
6798 list_for_each_entry_safe(hook, next, hook_list, list) {
6799 if (i-- <= 0)
6800 break;
6801
6802 nft_unregister_flowtable_hook(net, flowtable, hook);
6803 list_del_rcu(&hook->list);
6804 kfree_rcu(hook, rcu);
6805 }
6806
6807 return err;
6808 }
6809
6810 static void nft_flowtable_hooks_destroy(struct list_head *hook_list)
6811 {
6812 struct nft_hook *hook, *next;
6813
6814 list_for_each_entry_safe(hook, next, hook_list, list) {
6815 list_del_rcu(&hook->list);
6816 kfree_rcu(hook, rcu);
6817 }
6818 }
6819
6820 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
6821 struct nft_flowtable *flowtable)
6822 {
6823 const struct nlattr * const *nla = ctx->nla;
6824 struct nft_flowtable_hook flowtable_hook;
6825 struct nft_hook *hook, *next;
6826 struct nft_trans *trans;
6827 bool unregister = false;
6828 u32 flags;
6829 int err;
6830
6831 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
6832 &flowtable_hook, flowtable, false);
6833 if (err < 0)
6834 return err;
6835
6836 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
6837 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
6838 list_del(&hook->list);
6839 kfree(hook);
6840 }
6841 }
6842
6843 if (nla[NFTA_FLOWTABLE_FLAGS]) {
6844 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
6845 if (flags & ~NFT_FLOWTABLE_MASK)
6846 return -EOPNOTSUPP;
6847 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^
6848 (flags & NFT_FLOWTABLE_HW_OFFLOAD))
6849 return -EOPNOTSUPP;
6850 } else {
6851 flags = flowtable->data.flags;
6852 }
6853
6854 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
6855 &flowtable_hook.list, flowtable);
6856 if (err < 0)
6857 goto err_flowtable_update_hook;
6858
6859 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
6860 sizeof(struct nft_trans_flowtable));
6861 if (!trans) {
6862 unregister = true;
6863 err = -ENOMEM;
6864 goto err_flowtable_update_hook;
6865 }
6866
6867 nft_trans_flowtable_flags(trans) = flags;
6868 nft_trans_flowtable(trans) = flowtable;
6869 nft_trans_flowtable_update(trans) = true;
6870 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
6871 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
6872
6873 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
6874
6875 return 0;
6876
6877 err_flowtable_update_hook:
6878 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
6879 if (unregister)
6880 nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
6881 list_del_rcu(&hook->list);
6882 kfree_rcu(hook, rcu);
6883 }
6884
6885 return err;
6886
6887 }
6888
6889 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
6890 struct sk_buff *skb,
6891 const struct nlmsghdr *nlh,
6892 const struct nlattr * const nla[],
6893 struct netlink_ext_ack *extack)
6894 {
6895 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6896 struct nft_flowtable_hook flowtable_hook;
6897 const struct nf_flowtable_type *type;
6898 u8 genmask = nft_genmask_next(net);
6899 int family = nfmsg->nfgen_family;
6900 struct nft_flowtable *flowtable;
6901 struct nft_hook *hook, *next;
6902 struct nft_table *table;
6903 struct nft_ctx ctx;
6904 int err;
6905
6906 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6907 !nla[NFTA_FLOWTABLE_NAME] ||
6908 !nla[NFTA_FLOWTABLE_HOOK])
6909 return -EINVAL;
6910
6911 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6912 genmask, NETLINK_CB(skb).portid);
6913 if (IS_ERR(table)) {
6914 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6915 return PTR_ERR(table);
6916 }
6917
6918 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6919 genmask);
6920 if (IS_ERR(flowtable)) {
6921 err = PTR_ERR(flowtable);
6922 if (err != -ENOENT) {
6923 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6924 return err;
6925 }
6926 } else {
6927 if (nlh->nlmsg_flags & NLM_F_EXCL) {
6928 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6929 return -EEXIST;
6930 }
6931
6932 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6933
6934 return nft_flowtable_update(&ctx, nlh, flowtable);
6935 }
6936
6937 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6938
6939 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
6940 if (!flowtable)
6941 return -ENOMEM;
6942
6943 flowtable->table = table;
6944 flowtable->handle = nf_tables_alloc_handle(table);
6945 INIT_LIST_HEAD(&flowtable->hook_list);
6946
6947 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
6948 if (!flowtable->name) {
6949 err = -ENOMEM;
6950 goto err1;
6951 }
6952
6953 type = nft_flowtable_type_get(net, family);
6954 if (IS_ERR(type)) {
6955 err = PTR_ERR(type);
6956 goto err2;
6957 }
6958
6959 if (nla[NFTA_FLOWTABLE_FLAGS]) {
6960 flowtable->data.flags =
6961 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
6962 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) {
6963 err = -EOPNOTSUPP;
6964 goto err3;
6965 }
6966 }
6967
6968 write_pnet(&flowtable->data.net, net);
6969 flowtable->data.type = type;
6970 err = type->init(&flowtable->data);
6971 if (err < 0)
6972 goto err3;
6973
6974 err = nft_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
6975 &flowtable_hook, flowtable, true);
6976 if (err < 0)
6977 goto err4;
6978
6979 list_splice(&flowtable_hook.list, &flowtable->hook_list);
6980 flowtable->data.priority = flowtable_hook.priority;
6981 flowtable->hooknum = flowtable_hook.num;
6982
6983 err = nft_register_flowtable_net_hooks(ctx.net, table,
6984 &flowtable->hook_list,
6985 flowtable);
6986 if (err < 0) {
6987 nft_flowtable_hooks_destroy(&flowtable->hook_list);
6988 goto err4;
6989 }
6990
6991 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
6992 if (err < 0)
6993 goto err5;
6994
6995 list_add_tail_rcu(&flowtable->list, &table->flowtables);
6996 table->use++;
6997
6998 return 0;
6999 err5:
7000 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7001 nft_unregister_flowtable_hook(net, flowtable, hook);
7002 list_del_rcu(&hook->list);
7003 kfree_rcu(hook, rcu);
7004 }
7005 err4:
7006 flowtable->data.type->free(&flowtable->data);
7007 err3:
7008 module_put(type->owner);
7009 err2:
7010 kfree(flowtable->name);
7011 err1:
7012 kfree(flowtable);
7013 return err;
7014 }
7015
7016 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
7017 {
7018 struct nft_hook *this, *next;
7019
7020 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
7021 list_del(&this->list);
7022 kfree(this);
7023 }
7024 }
7025
7026 static int nft_delflowtable_hook(struct nft_ctx *ctx,
7027 struct nft_flowtable *flowtable)
7028 {
7029 const struct nlattr * const *nla = ctx->nla;
7030 struct nft_flowtable_hook flowtable_hook;
7031 struct nft_hook *this, *hook;
7032 struct nft_trans *trans;
7033 int err;
7034
7035 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
7036 &flowtable_hook, flowtable, false);
7037 if (err < 0)
7038 return err;
7039
7040 list_for_each_entry(this, &flowtable_hook.list, list) {
7041 hook = nft_hook_list_find(&flowtable->hook_list, this);
7042 if (!hook) {
7043 err = -ENOENT;
7044 goto err_flowtable_del_hook;
7045 }
7046 hook->inactive = true;
7047 }
7048
7049 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
7050 sizeof(struct nft_trans_flowtable));
7051 if (!trans) {
7052 err = -ENOMEM;
7053 goto err_flowtable_del_hook;
7054 }
7055
7056 nft_trans_flowtable(trans) = flowtable;
7057 nft_trans_flowtable_update(trans) = true;
7058 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
7059 nft_flowtable_hook_release(&flowtable_hook);
7060
7061 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
7062
7063 return 0;
7064
7065 err_flowtable_del_hook:
7066 list_for_each_entry(this, &flowtable_hook.list, list) {
7067 hook = nft_hook_list_find(&flowtable->hook_list, this);
7068 if (!hook)
7069 break;
7070
7071 hook->inactive = false;
7072 }
7073 nft_flowtable_hook_release(&flowtable_hook);
7074
7075 return err;
7076 }
7077
7078 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
7079 struct sk_buff *skb,
7080 const struct nlmsghdr *nlh,
7081 const struct nlattr * const nla[],
7082 struct netlink_ext_ack *extack)
7083 {
7084 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
7085 u8 genmask = nft_genmask_next(net);
7086 int family = nfmsg->nfgen_family;
7087 struct nft_flowtable *flowtable;
7088 const struct nlattr *attr;
7089 struct nft_table *table;
7090 struct nft_ctx ctx;
7091
7092 if (!nla[NFTA_FLOWTABLE_TABLE] ||
7093 (!nla[NFTA_FLOWTABLE_NAME] &&
7094 !nla[NFTA_FLOWTABLE_HANDLE]))
7095 return -EINVAL;
7096
7097 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
7098 genmask, NETLINK_CB(skb).portid);
7099 if (IS_ERR(table)) {
7100 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
7101 return PTR_ERR(table);
7102 }
7103
7104 if (nla[NFTA_FLOWTABLE_HANDLE]) {
7105 attr = nla[NFTA_FLOWTABLE_HANDLE];
7106 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
7107 } else {
7108 attr = nla[NFTA_FLOWTABLE_NAME];
7109 flowtable = nft_flowtable_lookup(table, attr, genmask);
7110 }
7111
7112 if (IS_ERR(flowtable)) {
7113 NL_SET_BAD_ATTR(extack, attr);
7114 return PTR_ERR(flowtable);
7115 }
7116
7117 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
7118
7119 if (nla[NFTA_FLOWTABLE_HOOK])
7120 return nft_delflowtable_hook(&ctx, flowtable);
7121
7122 if (flowtable->use > 0) {
7123 NL_SET_BAD_ATTR(extack, attr);
7124 return -EBUSY;
7125 }
7126
7127 return nft_delflowtable(&ctx, flowtable);
7128 }
7129
7130 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
7131 u32 portid, u32 seq, int event,
7132 u32 flags, int family,
7133 struct nft_flowtable *flowtable,
7134 struct list_head *hook_list)
7135 {
7136 struct nlattr *nest, *nest_devs;
7137 struct nfgenmsg *nfmsg;
7138 struct nft_hook *hook;
7139 struct nlmsghdr *nlh;
7140
7141 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
7142 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
7143 if (nlh == NULL)
7144 goto nla_put_failure;
7145
7146 nfmsg = nlmsg_data(nlh);
7147 nfmsg->nfgen_family = family;
7148 nfmsg->version = NFNETLINK_V0;
7149 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
7150
7151 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
7152 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
7153 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
7154 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
7155 NFTA_FLOWTABLE_PAD) ||
7156 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
7157 goto nla_put_failure;
7158
7159 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
7160 if (!nest)
7161 goto nla_put_failure;
7162 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
7163 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
7164 goto nla_put_failure;
7165
7166 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
7167 if (!nest_devs)
7168 goto nla_put_failure;
7169
7170 list_for_each_entry_rcu(hook, hook_list, list) {
7171 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
7172 goto nla_put_failure;
7173 }
7174 nla_nest_end(skb, nest_devs);
7175 nla_nest_end(skb, nest);
7176
7177 nlmsg_end(skb, nlh);
7178 return 0;
7179
7180 nla_put_failure:
7181 nlmsg_trim(skb, nlh);
7182 return -1;
7183 }
7184
7185 struct nft_flowtable_filter {
7186 char *table;
7187 };
7188
7189 static int nf_tables_dump_flowtable(struct sk_buff *skb,
7190 struct netlink_callback *cb)
7191 {
7192 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
7193 struct nft_flowtable_filter *filter = cb->data;
7194 unsigned int idx = 0, s_idx = cb->args[0];
7195 struct net *net = sock_net(skb->sk);
7196 int family = nfmsg->nfgen_family;
7197 struct nft_flowtable *flowtable;
7198 const struct nft_table *table;
7199
7200 rcu_read_lock();
7201 cb->seq = net->nft.base_seq;
7202
7203 list_for_each_entry_rcu(table, &net->nft.tables, list) {
7204 if (family != NFPROTO_UNSPEC && family != table->family)
7205 continue;
7206
7207 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
7208 if (!nft_is_active(net, flowtable))
7209 goto cont;
7210 if (idx < s_idx)
7211 goto cont;
7212 if (idx > s_idx)
7213 memset(&cb->args[1], 0,
7214 sizeof(cb->args) - sizeof(cb->args[0]));
7215 if (filter && filter->table &&
7216 strcmp(filter->table, table->name))
7217 goto cont;
7218
7219 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
7220 cb->nlh->nlmsg_seq,
7221 NFT_MSG_NEWFLOWTABLE,
7222 NLM_F_MULTI | NLM_F_APPEND,
7223 table->family,
7224 flowtable,
7225 &flowtable->hook_list) < 0)
7226 goto done;
7227
7228 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
7229 cont:
7230 idx++;
7231 }
7232 }
7233 done:
7234 rcu_read_unlock();
7235
7236 cb->args[0] = idx;
7237 return skb->len;
7238 }
7239
7240 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
7241 {
7242 const struct nlattr * const *nla = cb->data;
7243 struct nft_flowtable_filter *filter = NULL;
7244
7245 if (nla[NFTA_FLOWTABLE_TABLE]) {
7246 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
7247 if (!filter)
7248 return -ENOMEM;
7249
7250 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
7251 GFP_ATOMIC);
7252 if (!filter->table) {
7253 kfree(filter);
7254 return -ENOMEM;
7255 }
7256 }
7257
7258 cb->data = filter;
7259 return 0;
7260 }
7261
7262 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
7263 {
7264 struct nft_flowtable_filter *filter = cb->data;
7265
7266 if (!filter)
7267 return 0;
7268
7269 kfree(filter->table);
7270 kfree(filter);
7271
7272 return 0;
7273 }
7274
7275 /* called with rcu_read_lock held */
7276 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
7277 struct sk_buff *skb,
7278 const struct nlmsghdr *nlh,
7279 const struct nlattr * const nla[],
7280 struct netlink_ext_ack *extack)
7281 {
7282 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
7283 u8 genmask = nft_genmask_cur(net);
7284 int family = nfmsg->nfgen_family;
7285 struct nft_flowtable *flowtable;
7286 const struct nft_table *table;
7287 struct sk_buff *skb2;
7288 int err;
7289
7290 if (nlh->nlmsg_flags & NLM_F_DUMP) {
7291 struct netlink_dump_control c = {
7292 .start = nf_tables_dump_flowtable_start,
7293 .dump = nf_tables_dump_flowtable,
7294 .done = nf_tables_dump_flowtable_done,
7295 .module = THIS_MODULE,
7296 .data = (void *)nla,
7297 };
7298
7299 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
7300 }
7301
7302 if (!nla[NFTA_FLOWTABLE_NAME])
7303 return -EINVAL;
7304
7305 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
7306 genmask, 0);
7307 if (IS_ERR(table))
7308 return PTR_ERR(table);
7309
7310 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
7311 genmask);
7312 if (IS_ERR(flowtable))
7313 return PTR_ERR(flowtable);
7314
7315 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7316 if (!skb2)
7317 return -ENOMEM;
7318
7319 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
7320 nlh->nlmsg_seq,
7321 NFT_MSG_NEWFLOWTABLE, 0, family,
7322 flowtable, &flowtable->hook_list);
7323 if (err < 0)
7324 goto err_fill_flowtable_info;
7325
7326 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7327
7328 err_fill_flowtable_info:
7329 kfree_skb(skb2);
7330 return err;
7331 }
7332
7333 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
7334 struct nft_flowtable *flowtable,
7335 struct list_head *hook_list,
7336 int event)
7337 {
7338 struct sk_buff *skb;
7339 int err;
7340
7341 if (!ctx->report &&
7342 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
7343 return;
7344
7345 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
7346 if (skb == NULL)
7347 goto err;
7348
7349 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
7350 ctx->seq, event, 0,
7351 ctx->family, flowtable, hook_list);
7352 if (err < 0) {
7353 kfree_skb(skb);
7354 goto err;
7355 }
7356
7357 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
7358 return;
7359 err:
7360 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
7361 }
7362
7363 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
7364 {
7365 struct nft_hook *hook, *next;
7366
7367 flowtable->data.type->free(&flowtable->data);
7368 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7369 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
7370 FLOW_BLOCK_UNBIND);
7371 list_del_rcu(&hook->list);
7372 kfree(hook);
7373 }
7374 kfree(flowtable->name);
7375 module_put(flowtable->data.type->owner);
7376 kfree(flowtable);
7377 }
7378
7379 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
7380 u32 portid, u32 seq)
7381 {
7382 struct nlmsghdr *nlh;
7383 struct nfgenmsg *nfmsg;
7384 char buf[TASK_COMM_LEN];
7385 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
7386
7387 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
7388 if (nlh == NULL)
7389 goto nla_put_failure;
7390
7391 nfmsg = nlmsg_data(nlh);
7392 nfmsg->nfgen_family = AF_UNSPEC;
7393 nfmsg->version = NFNETLINK_V0;
7394 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
7395
7396 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
7397 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
7398 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
7399 goto nla_put_failure;
7400
7401 nlmsg_end(skb, nlh);
7402 return 0;
7403
7404 nla_put_failure:
7405 nlmsg_trim(skb, nlh);
7406 return -EMSGSIZE;
7407 }
7408
7409 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
7410 struct nft_flowtable *flowtable)
7411 {
7412 struct nft_hook *hook;
7413
7414 list_for_each_entry(hook, &flowtable->hook_list, list) {
7415 if (hook->ops.dev != dev)
7416 continue;
7417
7418 /* flow_offload_netdev_event() cleans up entries for us. */
7419 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
7420 list_del_rcu(&hook->list);
7421 kfree_rcu(hook, rcu);
7422 break;
7423 }
7424 }
7425
7426 static int nf_tables_flowtable_event(struct notifier_block *this,
7427 unsigned long event, void *ptr)
7428 {
7429 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
7430 struct nft_flowtable *flowtable;
7431 struct nft_table *table;
7432 struct net *net;
7433
7434 if (event != NETDEV_UNREGISTER)
7435 return 0;
7436
7437 net = dev_net(dev);
7438 mutex_lock(&net->nft.commit_mutex);
7439 list_for_each_entry(table, &net->nft.tables, list) {
7440 list_for_each_entry(flowtable, &table->flowtables, list) {
7441 nft_flowtable_event(event, dev, flowtable);
7442 }
7443 }
7444 mutex_unlock(&net->nft.commit_mutex);
7445
7446 return NOTIFY_DONE;
7447 }
7448
7449 static struct notifier_block nf_tables_flowtable_notifier = {
7450 .notifier_call = nf_tables_flowtable_event,
7451 };
7452
7453 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
7454 int event)
7455 {
7456 struct nlmsghdr *nlh = nlmsg_hdr(skb);
7457 struct sk_buff *skb2;
7458 int err;
7459
7460 if (!nlmsg_report(nlh) &&
7461 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
7462 return;
7463
7464 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
7465 if (skb2 == NULL)
7466 goto err;
7467
7468 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
7469 nlh->nlmsg_seq);
7470 if (err < 0) {
7471 kfree_skb(skb2);
7472 goto err;
7473 }
7474
7475 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
7476 nlmsg_report(nlh), GFP_KERNEL);
7477 return;
7478 err:
7479 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
7480 -ENOBUFS);
7481 }
7482
7483 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
7484 struct sk_buff *skb, const struct nlmsghdr *nlh,
7485 const struct nlattr * const nla[],
7486 struct netlink_ext_ack *extack)
7487 {
7488 struct sk_buff *skb2;
7489 int err;
7490
7491 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7492 if (skb2 == NULL)
7493 return -ENOMEM;
7494
7495 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
7496 nlh->nlmsg_seq);
7497 if (err < 0)
7498 goto err_fill_gen_info;
7499
7500 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7501
7502 err_fill_gen_info:
7503 kfree_skb(skb2);
7504 return err;
7505 }
7506
7507 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
7508 [NFT_MSG_NEWTABLE] = {
7509 .call_batch = nf_tables_newtable,
7510 .attr_count = NFTA_TABLE_MAX,
7511 .policy = nft_table_policy,
7512 },
7513 [NFT_MSG_GETTABLE] = {
7514 .call_rcu = nf_tables_gettable,
7515 .attr_count = NFTA_TABLE_MAX,
7516 .policy = nft_table_policy,
7517 },
7518 [NFT_MSG_DELTABLE] = {
7519 .call_batch = nf_tables_deltable,
7520 .attr_count = NFTA_TABLE_MAX,
7521 .policy = nft_table_policy,
7522 },
7523 [NFT_MSG_NEWCHAIN] = {
7524 .call_batch = nf_tables_newchain,
7525 .attr_count = NFTA_CHAIN_MAX,
7526 .policy = nft_chain_policy,
7527 },
7528 [NFT_MSG_GETCHAIN] = {
7529 .call_rcu = nf_tables_getchain,
7530 .attr_count = NFTA_CHAIN_MAX,
7531 .policy = nft_chain_policy,
7532 },
7533 [NFT_MSG_DELCHAIN] = {
7534 .call_batch = nf_tables_delchain,
7535 .attr_count = NFTA_CHAIN_MAX,
7536 .policy = nft_chain_policy,
7537 },
7538 [NFT_MSG_NEWRULE] = {
7539 .call_batch = nf_tables_newrule,
7540 .attr_count = NFTA_RULE_MAX,
7541 .policy = nft_rule_policy,
7542 },
7543 [NFT_MSG_GETRULE] = {
7544 .call_rcu = nf_tables_getrule,
7545 .attr_count = NFTA_RULE_MAX,
7546 .policy = nft_rule_policy,
7547 },
7548 [NFT_MSG_DELRULE] = {
7549 .call_batch = nf_tables_delrule,
7550 .attr_count = NFTA_RULE_MAX,
7551 .policy = nft_rule_policy,
7552 },
7553 [NFT_MSG_NEWSET] = {
7554 .call_batch = nf_tables_newset,
7555 .attr_count = NFTA_SET_MAX,
7556 .policy = nft_set_policy,
7557 },
7558 [NFT_MSG_GETSET] = {
7559 .call_rcu = nf_tables_getset,
7560 .attr_count = NFTA_SET_MAX,
7561 .policy = nft_set_policy,
7562 },
7563 [NFT_MSG_DELSET] = {
7564 .call_batch = nf_tables_delset,
7565 .attr_count = NFTA_SET_MAX,
7566 .policy = nft_set_policy,
7567 },
7568 [NFT_MSG_NEWSETELEM] = {
7569 .call_batch = nf_tables_newsetelem,
7570 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7571 .policy = nft_set_elem_list_policy,
7572 },
7573 [NFT_MSG_GETSETELEM] = {
7574 .call_rcu = nf_tables_getsetelem,
7575 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7576 .policy = nft_set_elem_list_policy,
7577 },
7578 [NFT_MSG_DELSETELEM] = {
7579 .call_batch = nf_tables_delsetelem,
7580 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7581 .policy = nft_set_elem_list_policy,
7582 },
7583 [NFT_MSG_GETGEN] = {
7584 .call_rcu = nf_tables_getgen,
7585 },
7586 [NFT_MSG_NEWOBJ] = {
7587 .call_batch = nf_tables_newobj,
7588 .attr_count = NFTA_OBJ_MAX,
7589 .policy = nft_obj_policy,
7590 },
7591 [NFT_MSG_GETOBJ] = {
7592 .call_rcu = nf_tables_getobj,
7593 .attr_count = NFTA_OBJ_MAX,
7594 .policy = nft_obj_policy,
7595 },
7596 [NFT_MSG_DELOBJ] = {
7597 .call_batch = nf_tables_delobj,
7598 .attr_count = NFTA_OBJ_MAX,
7599 .policy = nft_obj_policy,
7600 },
7601 [NFT_MSG_GETOBJ_RESET] = {
7602 .call_rcu = nf_tables_getobj,
7603 .attr_count = NFTA_OBJ_MAX,
7604 .policy = nft_obj_policy,
7605 },
7606 [NFT_MSG_NEWFLOWTABLE] = {
7607 .call_batch = nf_tables_newflowtable,
7608 .attr_count = NFTA_FLOWTABLE_MAX,
7609 .policy = nft_flowtable_policy,
7610 },
7611 [NFT_MSG_GETFLOWTABLE] = {
7612 .call_rcu = nf_tables_getflowtable,
7613 .attr_count = NFTA_FLOWTABLE_MAX,
7614 .policy = nft_flowtable_policy,
7615 },
7616 [NFT_MSG_DELFLOWTABLE] = {
7617 .call_batch = nf_tables_delflowtable,
7618 .attr_count = NFTA_FLOWTABLE_MAX,
7619 .policy = nft_flowtable_policy,
7620 },
7621 };
7622
7623 static int nf_tables_validate(struct net *net)
7624 {
7625 struct nft_table *table;
7626
7627 switch (net->nft.validate_state) {
7628 case NFT_VALIDATE_SKIP:
7629 break;
7630 case NFT_VALIDATE_NEED:
7631 nft_validate_state_update(net, NFT_VALIDATE_DO);
7632 fallthrough;
7633 case NFT_VALIDATE_DO:
7634 list_for_each_entry(table, &net->nft.tables, list) {
7635 if (nft_table_validate(net, table) < 0)
7636 return -EAGAIN;
7637 }
7638 break;
7639 }
7640
7641 return 0;
7642 }
7643
7644 /* a drop policy has to be deferred until all rules have been activated,
7645 * otherwise a large ruleset that contains a drop-policy base chain will
7646 * cause all packets to get dropped until the full transaction has been
7647 * processed.
7648 *
7649 * We defer the drop policy until the transaction has been finalized.
7650 */
7651 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
7652 {
7653 struct nft_base_chain *basechain;
7654
7655 if (nft_trans_chain_policy(trans) != NF_DROP)
7656 return;
7657
7658 if (!nft_is_base_chain(trans->ctx.chain))
7659 return;
7660
7661 basechain = nft_base_chain(trans->ctx.chain);
7662 basechain->policy = NF_DROP;
7663 }
7664
7665 static void nft_chain_commit_update(struct nft_trans *trans)
7666 {
7667 struct nft_base_chain *basechain;
7668
7669 if (nft_trans_chain_name(trans)) {
7670 rhltable_remove(&trans->ctx.table->chains_ht,
7671 &trans->ctx.chain->rhlhead,
7672 nft_chain_ht_params);
7673 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
7674 rhltable_insert_key(&trans->ctx.table->chains_ht,
7675 trans->ctx.chain->name,
7676 &trans->ctx.chain->rhlhead,
7677 nft_chain_ht_params);
7678 }
7679
7680 if (!nft_is_base_chain(trans->ctx.chain))
7681 return;
7682
7683 nft_chain_stats_replace(trans);
7684
7685 basechain = nft_base_chain(trans->ctx.chain);
7686
7687 switch (nft_trans_chain_policy(trans)) {
7688 case NF_DROP:
7689 case NF_ACCEPT:
7690 basechain->policy = nft_trans_chain_policy(trans);
7691 break;
7692 }
7693 }
7694
7695 static void nft_obj_commit_update(struct nft_trans *trans)
7696 {
7697 struct nft_object *newobj;
7698 struct nft_object *obj;
7699
7700 obj = nft_trans_obj(trans);
7701 newobj = nft_trans_obj_newobj(trans);
7702
7703 if (obj->ops->update)
7704 obj->ops->update(obj, newobj);
7705
7706 kfree(newobj);
7707 }
7708
7709 static void nft_commit_release(struct nft_trans *trans)
7710 {
7711 switch (trans->msg_type) {
7712 case NFT_MSG_DELTABLE:
7713 nf_tables_table_destroy(&trans->ctx);
7714 break;
7715 case NFT_MSG_NEWCHAIN:
7716 free_percpu(nft_trans_chain_stats(trans));
7717 kfree(nft_trans_chain_name(trans));
7718 break;
7719 case NFT_MSG_DELCHAIN:
7720 nf_tables_chain_destroy(&trans->ctx);
7721 break;
7722 case NFT_MSG_DELRULE:
7723 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
7724 break;
7725 case NFT_MSG_DELSET:
7726 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
7727 break;
7728 case NFT_MSG_DELSETELEM:
7729 nf_tables_set_elem_destroy(&trans->ctx,
7730 nft_trans_elem_set(trans),
7731 nft_trans_elem(trans).priv);
7732 break;
7733 case NFT_MSG_DELOBJ:
7734 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
7735 break;
7736 case NFT_MSG_DELFLOWTABLE:
7737 if (nft_trans_flowtable_update(trans))
7738 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
7739 else
7740 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
7741 break;
7742 }
7743
7744 if (trans->put_net)
7745 put_net(trans->ctx.net);
7746
7747 kfree(trans);
7748 }
7749
7750 static void nf_tables_trans_destroy_work(struct work_struct *w)
7751 {
7752 struct nft_trans *trans, *next;
7753 LIST_HEAD(head);
7754
7755 spin_lock(&nf_tables_destroy_list_lock);
7756 list_splice_init(&nf_tables_destroy_list, &head);
7757 spin_unlock(&nf_tables_destroy_list_lock);
7758
7759 if (list_empty(&head))
7760 return;
7761
7762 synchronize_rcu();
7763
7764 list_for_each_entry_safe(trans, next, &head, list) {
7765 list_del(&trans->list);
7766 nft_commit_release(trans);
7767 }
7768 }
7769
7770 void nf_tables_trans_destroy_flush_work(void)
7771 {
7772 flush_work(&trans_destroy_work);
7773 }
7774 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
7775
7776 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
7777 {
7778 struct nft_rule *rule;
7779 unsigned int alloc = 0;
7780 int i;
7781
7782 /* already handled or inactive chain? */
7783 if (chain->rules_next || !nft_is_active_next(net, chain))
7784 return 0;
7785
7786 rule = list_entry(&chain->rules, struct nft_rule, list);
7787 i = 0;
7788
7789 list_for_each_entry_continue(rule, &chain->rules, list) {
7790 if (nft_is_active_next(net, rule))
7791 alloc++;
7792 }
7793
7794 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
7795 if (!chain->rules_next)
7796 return -ENOMEM;
7797
7798 list_for_each_entry_continue(rule, &chain->rules, list) {
7799 if (nft_is_active_next(net, rule))
7800 chain->rules_next[i++] = rule;
7801 }
7802
7803 chain->rules_next[i] = NULL;
7804 return 0;
7805 }
7806
7807 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
7808 {
7809 struct nft_trans *trans, *next;
7810
7811 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7812 struct nft_chain *chain = trans->ctx.chain;
7813
7814 if (trans->msg_type == NFT_MSG_NEWRULE ||
7815 trans->msg_type == NFT_MSG_DELRULE) {
7816 kvfree(chain->rules_next);
7817 chain->rules_next = NULL;
7818 }
7819 }
7820 }
7821
7822 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
7823 {
7824 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
7825
7826 kvfree(o->start);
7827 }
7828
7829 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
7830 {
7831 struct nft_rule **r = rules;
7832 struct nft_rules_old *old;
7833
7834 while (*r)
7835 r++;
7836
7837 r++; /* rcu_head is after end marker */
7838 old = (void *) r;
7839 old->start = rules;
7840
7841 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
7842 }
7843
7844 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
7845 {
7846 struct nft_rule **g0, **g1;
7847 bool next_genbit;
7848
7849 next_genbit = nft_gencursor_next(net);
7850
7851 g0 = rcu_dereference_protected(chain->rules_gen_0,
7852 lockdep_commit_lock_is_held(net));
7853 g1 = rcu_dereference_protected(chain->rules_gen_1,
7854 lockdep_commit_lock_is_held(net));
7855
7856 /* No changes to this chain? */
7857 if (chain->rules_next == NULL) {
7858 /* chain had no change in last or next generation */
7859 if (g0 == g1)
7860 return;
7861 /*
7862 * chain had no change in this generation; make sure next
7863 * one uses same rules as current generation.
7864 */
7865 if (next_genbit) {
7866 rcu_assign_pointer(chain->rules_gen_1, g0);
7867 nf_tables_commit_chain_free_rules_old(g1);
7868 } else {
7869 rcu_assign_pointer(chain->rules_gen_0, g1);
7870 nf_tables_commit_chain_free_rules_old(g0);
7871 }
7872
7873 return;
7874 }
7875
7876 if (next_genbit)
7877 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
7878 else
7879 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
7880
7881 chain->rules_next = NULL;
7882
7883 if (g0 == g1)
7884 return;
7885
7886 if (next_genbit)
7887 nf_tables_commit_chain_free_rules_old(g1);
7888 else
7889 nf_tables_commit_chain_free_rules_old(g0);
7890 }
7891
7892 static void nft_obj_del(struct nft_object *obj)
7893 {
7894 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
7895 list_del_rcu(&obj->list);
7896 }
7897
7898 void nft_chain_del(struct nft_chain *chain)
7899 {
7900 struct nft_table *table = chain->table;
7901
7902 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
7903 nft_chain_ht_params));
7904 list_del_rcu(&chain->list);
7905 }
7906
7907 static void nft_flowtable_hooks_del(struct nft_flowtable *flowtable,
7908 struct list_head *hook_list)
7909 {
7910 struct nft_hook *hook, *next;
7911
7912 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7913 if (hook->inactive)
7914 list_move(&hook->list, hook_list);
7915 }
7916 }
7917
7918 static void nf_tables_module_autoload_cleanup(struct net *net)
7919 {
7920 struct nft_module_request *req, *next;
7921
7922 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
7923 list_for_each_entry_safe(req, next, &net->nft.module_list, list) {
7924 WARN_ON_ONCE(!req->done);
7925 list_del(&req->list);
7926 kfree(req);
7927 }
7928 }
7929
7930 static void nf_tables_commit_release(struct net *net)
7931 {
7932 struct nft_trans *trans;
7933
7934 /* all side effects have to be made visible.
7935 * For example, if a chain named 'foo' has been deleted, a
7936 * new transaction must not find it anymore.
7937 *
7938 * Memory reclaim happens asynchronously from work queue
7939 * to prevent expensive synchronize_rcu() in commit phase.
7940 */
7941 if (list_empty(&net->nft.commit_list)) {
7942 nf_tables_module_autoload_cleanup(net);
7943 mutex_unlock(&net->nft.commit_mutex);
7944 return;
7945 }
7946
7947 trans = list_last_entry(&net->nft.commit_list,
7948 struct nft_trans, list);
7949 get_net(trans->ctx.net);
7950 WARN_ON_ONCE(trans->put_net);
7951
7952 trans->put_net = true;
7953 spin_lock(&nf_tables_destroy_list_lock);
7954 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
7955 spin_unlock(&nf_tables_destroy_list_lock);
7956
7957 nf_tables_module_autoload_cleanup(net);
7958 schedule_work(&trans_destroy_work);
7959
7960 mutex_unlock(&net->nft.commit_mutex);
7961 }
7962
7963 static void nft_commit_notify(struct net *net, u32 portid)
7964 {
7965 struct sk_buff *batch_skb = NULL, *nskb, *skb;
7966 unsigned char *data;
7967 int len;
7968
7969 list_for_each_entry_safe(skb, nskb, &net->nft.notify_list, list) {
7970 if (!batch_skb) {
7971 new_batch:
7972 batch_skb = skb;
7973 len = NLMSG_GOODSIZE - skb->len;
7974 list_del(&skb->list);
7975 continue;
7976 }
7977 len -= skb->len;
7978 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
7979 data = skb_put(batch_skb, skb->len);
7980 memcpy(data, skb->data, skb->len);
7981 list_del(&skb->list);
7982 kfree_skb(skb);
7983 continue;
7984 }
7985 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
7986 NFT_CB(batch_skb).report, GFP_KERNEL);
7987 goto new_batch;
7988 }
7989
7990 if (batch_skb) {
7991 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
7992 NFT_CB(batch_skb).report, GFP_KERNEL);
7993 }
7994
7995 WARN_ON_ONCE(!list_empty(&net->nft.notify_list));
7996 }
7997
7998 static int nf_tables_commit_audit_alloc(struct list_head *adl,
7999 struct nft_table *table)
8000 {
8001 struct nft_audit_data *adp;
8002
8003 list_for_each_entry(adp, adl, list) {
8004 if (adp->table == table)
8005 return 0;
8006 }
8007 adp = kzalloc(sizeof(*adp), GFP_KERNEL);
8008 if (!adp)
8009 return -ENOMEM;
8010 adp->table = table;
8011 list_add(&adp->list, adl);
8012 return 0;
8013 }
8014
8015 static void nf_tables_commit_audit_collect(struct list_head *adl,
8016 struct nft_table *table, u32 op)
8017 {
8018 struct nft_audit_data *adp;
8019
8020 list_for_each_entry(adp, adl, list) {
8021 if (adp->table == table)
8022 goto found;
8023 }
8024 WARN_ONCE("table=%s not expected in commit list", table->name);
8025 return;
8026 found:
8027 adp->entries++;
8028 if (!adp->op || adp->op > op)
8029 adp->op = op;
8030 }
8031
8032 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22)
8033
8034 static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation)
8035 {
8036 struct nft_audit_data *adp, *adn;
8037 char aubuf[AUNFTABLENAMELEN];
8038
8039 list_for_each_entry_safe(adp, adn, adl, list) {
8040 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name,
8041 generation);
8042 audit_log_nfcfg(aubuf, adp->table->family, adp->entries,
8043 nft2audit_op[adp->op], GFP_KERNEL);
8044 list_del(&adp->list);
8045 kfree(adp);
8046 }
8047 }
8048
8049 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
8050 {
8051 struct nft_trans *trans, *next;
8052 struct nft_trans_elem *te;
8053 struct nft_chain *chain;
8054 struct nft_table *table;
8055 LIST_HEAD(adl);
8056 int err;
8057
8058 if (list_empty(&net->nft.commit_list)) {
8059 mutex_unlock(&net->nft.commit_mutex);
8060 return 0;
8061 }
8062
8063 /* 0. Validate ruleset, otherwise roll back for error reporting. */
8064 if (nf_tables_validate(net) < 0)
8065 return -EAGAIN;
8066
8067 err = nft_flow_rule_offload_commit(net);
8068 if (err < 0)
8069 return err;
8070
8071 /* 1. Allocate space for next generation rules_gen_X[] */
8072 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
8073 int ret;
8074
8075 ret = nf_tables_commit_audit_alloc(&adl, trans->ctx.table);
8076 if (ret) {
8077 nf_tables_commit_chain_prepare_cancel(net);
8078 return ret;
8079 }
8080 if (trans->msg_type == NFT_MSG_NEWRULE ||
8081 trans->msg_type == NFT_MSG_DELRULE) {
8082 chain = trans->ctx.chain;
8083
8084 ret = nf_tables_commit_chain_prepare(net, chain);
8085 if (ret < 0) {
8086 nf_tables_commit_chain_prepare_cancel(net);
8087 return ret;
8088 }
8089 }
8090 }
8091
8092 /* step 2. Make rules_gen_X visible to packet path */
8093 list_for_each_entry(table, &net->nft.tables, list) {
8094 list_for_each_entry(chain, &table->chains, list)
8095 nf_tables_commit_chain(net, chain);
8096 }
8097
8098 /*
8099 * Bump generation counter, invalidate any dump in progress.
8100 * Cannot fail after this point.
8101 */
8102 while (++net->nft.base_seq == 0);
8103
8104 /* step 3. Start new generation, rules_gen_X now in use. */
8105 net->nft.gencursor = nft_gencursor_next(net);
8106
8107 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
8108 nf_tables_commit_audit_collect(&adl, trans->ctx.table,
8109 trans->msg_type);
8110 switch (trans->msg_type) {
8111 case NFT_MSG_NEWTABLE:
8112 if (nft_trans_table_update(trans)) {
8113 if (nft_trans_table_state(trans) == NFT_TABLE_STATE_DORMANT)
8114 nf_tables_table_disable(net, trans->ctx.table);
8115
8116 trans->ctx.table->flags = nft_trans_table_flags(trans);
8117 } else {
8118 nft_clear(net, trans->ctx.table);
8119 }
8120 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
8121 nft_trans_destroy(trans);
8122 break;
8123 case NFT_MSG_DELTABLE:
8124 list_del_rcu(&trans->ctx.table->list);
8125 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
8126 break;
8127 case NFT_MSG_NEWCHAIN:
8128 if (nft_trans_chain_update(trans)) {
8129 nft_chain_commit_update(trans);
8130 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
8131 /* trans destroyed after rcu grace period */
8132 } else {
8133 nft_chain_commit_drop_policy(trans);
8134 nft_clear(net, trans->ctx.chain);
8135 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
8136 nft_trans_destroy(trans);
8137 }
8138 break;
8139 case NFT_MSG_DELCHAIN:
8140 nft_chain_del(trans->ctx.chain);
8141 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
8142 nf_tables_unregister_hook(trans->ctx.net,
8143 trans->ctx.table,
8144 trans->ctx.chain);
8145 break;
8146 case NFT_MSG_NEWRULE:
8147 nft_clear(trans->ctx.net, nft_trans_rule(trans));
8148 nf_tables_rule_notify(&trans->ctx,
8149 nft_trans_rule(trans),
8150 NFT_MSG_NEWRULE);
8151 nft_trans_destroy(trans);
8152 break;
8153 case NFT_MSG_DELRULE:
8154 list_del_rcu(&nft_trans_rule(trans)->list);
8155 nf_tables_rule_notify(&trans->ctx,
8156 nft_trans_rule(trans),
8157 NFT_MSG_DELRULE);
8158 nft_rule_expr_deactivate(&trans->ctx,
8159 nft_trans_rule(trans),
8160 NFT_TRANS_COMMIT);
8161 break;
8162 case NFT_MSG_NEWSET:
8163 nft_clear(net, nft_trans_set(trans));
8164 /* This avoids hitting -EBUSY when deleting the table
8165 * from the transaction.
8166 */
8167 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
8168 !list_empty(&nft_trans_set(trans)->bindings))
8169 trans->ctx.table->use--;
8170
8171 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
8172 NFT_MSG_NEWSET, GFP_KERNEL);
8173 nft_trans_destroy(trans);
8174 break;
8175 case NFT_MSG_DELSET:
8176 list_del_rcu(&nft_trans_set(trans)->list);
8177 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
8178 NFT_MSG_DELSET, GFP_KERNEL);
8179 break;
8180 case NFT_MSG_NEWSETELEM:
8181 te = (struct nft_trans_elem *)trans->data;
8182
8183 te->set->ops->activate(net, te->set, &te->elem);
8184 nf_tables_setelem_notify(&trans->ctx, te->set,
8185 &te->elem,
8186 NFT_MSG_NEWSETELEM, 0);
8187 nft_trans_destroy(trans);
8188 break;
8189 case NFT_MSG_DELSETELEM:
8190 te = (struct nft_trans_elem *)trans->data;
8191
8192 nf_tables_setelem_notify(&trans->ctx, te->set,
8193 &te->elem,
8194 NFT_MSG_DELSETELEM, 0);
8195 te->set->ops->remove(net, te->set, &te->elem);
8196 atomic_dec(&te->set->nelems);
8197 te->set->ndeact--;
8198 break;
8199 case NFT_MSG_NEWOBJ:
8200 if (nft_trans_obj_update(trans)) {
8201 nft_obj_commit_update(trans);
8202 nf_tables_obj_notify(&trans->ctx,
8203 nft_trans_obj(trans),
8204 NFT_MSG_NEWOBJ);
8205 } else {
8206 nft_clear(net, nft_trans_obj(trans));
8207 nf_tables_obj_notify(&trans->ctx,
8208 nft_trans_obj(trans),
8209 NFT_MSG_NEWOBJ);
8210 nft_trans_destroy(trans);
8211 }
8212 break;
8213 case NFT_MSG_DELOBJ:
8214 nft_obj_del(nft_trans_obj(trans));
8215 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
8216 NFT_MSG_DELOBJ);
8217 break;
8218 case NFT_MSG_NEWFLOWTABLE:
8219 if (nft_trans_flowtable_update(trans)) {
8220 nft_trans_flowtable(trans)->data.flags =
8221 nft_trans_flowtable_flags(trans);
8222 nf_tables_flowtable_notify(&trans->ctx,
8223 nft_trans_flowtable(trans),
8224 &nft_trans_flowtable_hooks(trans),
8225 NFT_MSG_NEWFLOWTABLE);
8226 list_splice(&nft_trans_flowtable_hooks(trans),
8227 &nft_trans_flowtable(trans)->hook_list);
8228 } else {
8229 nft_clear(net, nft_trans_flowtable(trans));
8230 nf_tables_flowtable_notify(&trans->ctx,
8231 nft_trans_flowtable(trans),
8232 &nft_trans_flowtable(trans)->hook_list,
8233 NFT_MSG_NEWFLOWTABLE);
8234 }
8235 nft_trans_destroy(trans);
8236 break;
8237 case NFT_MSG_DELFLOWTABLE:
8238 if (nft_trans_flowtable_update(trans)) {
8239 nft_flowtable_hooks_del(nft_trans_flowtable(trans),
8240 &nft_trans_flowtable_hooks(trans));
8241 nf_tables_flowtable_notify(&trans->ctx,
8242 nft_trans_flowtable(trans),
8243 &nft_trans_flowtable_hooks(trans),
8244 NFT_MSG_DELFLOWTABLE);
8245 nft_unregister_flowtable_net_hooks(net,
8246 &nft_trans_flowtable_hooks(trans));
8247 } else {
8248 list_del_rcu(&nft_trans_flowtable(trans)->list);
8249 nf_tables_flowtable_notify(&trans->ctx,
8250 nft_trans_flowtable(trans),
8251 &nft_trans_flowtable(trans)->hook_list,
8252 NFT_MSG_DELFLOWTABLE);
8253 nft_unregister_flowtable_net_hooks(net,
8254 &nft_trans_flowtable(trans)->hook_list);
8255 }
8256 break;
8257 }
8258 }
8259
8260 nft_commit_notify(net, NETLINK_CB(skb).portid);
8261 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
8262 nf_tables_commit_audit_log(&adl, net->nft.base_seq);
8263 nf_tables_commit_release(net);
8264
8265 return 0;
8266 }
8267
8268 static void nf_tables_module_autoload(struct net *net)
8269 {
8270 struct nft_module_request *req, *next;
8271 LIST_HEAD(module_list);
8272
8273 list_splice_init(&net->nft.module_list, &module_list);
8274 mutex_unlock(&net->nft.commit_mutex);
8275 list_for_each_entry_safe(req, next, &module_list, list) {
8276 request_module("%s", req->module);
8277 req->done = true;
8278 }
8279 mutex_lock(&net->nft.commit_mutex);
8280 list_splice(&module_list, &net->nft.module_list);
8281 }
8282
8283 static void nf_tables_abort_release(struct nft_trans *trans)
8284 {
8285 switch (trans->msg_type) {
8286 case NFT_MSG_NEWTABLE:
8287 nf_tables_table_destroy(&trans->ctx);
8288 break;
8289 case NFT_MSG_NEWCHAIN:
8290 nf_tables_chain_destroy(&trans->ctx);
8291 break;
8292 case NFT_MSG_NEWRULE:
8293 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
8294 break;
8295 case NFT_MSG_NEWSET:
8296 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
8297 break;
8298 case NFT_MSG_NEWSETELEM:
8299 nft_set_elem_destroy(nft_trans_elem_set(trans),
8300 nft_trans_elem(trans).priv, true);
8301 break;
8302 case NFT_MSG_NEWOBJ:
8303 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
8304 break;
8305 case NFT_MSG_NEWFLOWTABLE:
8306 if (nft_trans_flowtable_update(trans))
8307 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
8308 else
8309 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
8310 break;
8311 }
8312 kfree(trans);
8313 }
8314
8315 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
8316 {
8317 struct nft_trans *trans, *next;
8318 struct nft_trans_elem *te;
8319 struct nft_hook *hook;
8320
8321 if (action == NFNL_ABORT_VALIDATE &&
8322 nf_tables_validate(net) < 0)
8323 return -EAGAIN;
8324
8325 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
8326 list) {
8327 switch (trans->msg_type) {
8328 case NFT_MSG_NEWTABLE:
8329 if (nft_trans_table_update(trans)) {
8330 if (nft_trans_table_state(trans) == NFT_TABLE_STATE_WAKEUP)
8331 nf_tables_table_disable(net, trans->ctx.table);
8332
8333 nft_trans_destroy(trans);
8334 } else {
8335 list_del_rcu(&trans->ctx.table->list);
8336 }
8337 break;
8338 case NFT_MSG_DELTABLE:
8339 nft_clear(trans->ctx.net, trans->ctx.table);
8340 nft_trans_destroy(trans);
8341 break;
8342 case NFT_MSG_NEWCHAIN:
8343 if (nft_trans_chain_update(trans)) {
8344 free_percpu(nft_trans_chain_stats(trans));
8345 kfree(nft_trans_chain_name(trans));
8346 nft_trans_destroy(trans);
8347 } else {
8348 if (nft_chain_is_bound(trans->ctx.chain)) {
8349 nft_trans_destroy(trans);
8350 break;
8351 }
8352 trans->ctx.table->use--;
8353 nft_chain_del(trans->ctx.chain);
8354 nf_tables_unregister_hook(trans->ctx.net,
8355 trans->ctx.table,
8356 trans->ctx.chain);
8357 }
8358 break;
8359 case NFT_MSG_DELCHAIN:
8360 trans->ctx.table->use++;
8361 nft_clear(trans->ctx.net, trans->ctx.chain);
8362 nft_trans_destroy(trans);
8363 break;
8364 case NFT_MSG_NEWRULE:
8365 trans->ctx.chain->use--;
8366 list_del_rcu(&nft_trans_rule(trans)->list);
8367 nft_rule_expr_deactivate(&trans->ctx,
8368 nft_trans_rule(trans),
8369 NFT_TRANS_ABORT);
8370 break;
8371 case NFT_MSG_DELRULE:
8372 trans->ctx.chain->use++;
8373 nft_clear(trans->ctx.net, nft_trans_rule(trans));
8374 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
8375 nft_trans_destroy(trans);
8376 break;
8377 case NFT_MSG_NEWSET:
8378 trans->ctx.table->use--;
8379 if (nft_trans_set_bound(trans)) {
8380 nft_trans_destroy(trans);
8381 break;
8382 }
8383 list_del_rcu(&nft_trans_set(trans)->list);
8384 break;
8385 case NFT_MSG_DELSET:
8386 trans->ctx.table->use++;
8387 nft_clear(trans->ctx.net, nft_trans_set(trans));
8388 nft_trans_destroy(trans);
8389 break;
8390 case NFT_MSG_NEWSETELEM:
8391 if (nft_trans_elem_set_bound(trans)) {
8392 nft_trans_destroy(trans);
8393 break;
8394 }
8395 te = (struct nft_trans_elem *)trans->data;
8396 te->set->ops->remove(net, te->set, &te->elem);
8397 atomic_dec(&te->set->nelems);
8398 break;
8399 case NFT_MSG_DELSETELEM:
8400 te = (struct nft_trans_elem *)trans->data;
8401
8402 nft_set_elem_activate(net, te->set, &te->elem);
8403 te->set->ops->activate(net, te->set, &te->elem);
8404 te->set->ndeact--;
8405
8406 nft_trans_destroy(trans);
8407 break;
8408 case NFT_MSG_NEWOBJ:
8409 if (nft_trans_obj_update(trans)) {
8410 kfree(nft_trans_obj_newobj(trans));
8411 nft_trans_destroy(trans);
8412 } else {
8413 trans->ctx.table->use--;
8414 nft_obj_del(nft_trans_obj(trans));
8415 }
8416 break;
8417 case NFT_MSG_DELOBJ:
8418 trans->ctx.table->use++;
8419 nft_clear(trans->ctx.net, nft_trans_obj(trans));
8420 nft_trans_destroy(trans);
8421 break;
8422 case NFT_MSG_NEWFLOWTABLE:
8423 if (nft_trans_flowtable_update(trans)) {
8424 nft_unregister_flowtable_net_hooks(net,
8425 &nft_trans_flowtable_hooks(trans));
8426 } else {
8427 trans->ctx.table->use--;
8428 list_del_rcu(&nft_trans_flowtable(trans)->list);
8429 nft_unregister_flowtable_net_hooks(net,
8430 &nft_trans_flowtable(trans)->hook_list);
8431 }
8432 break;
8433 case NFT_MSG_DELFLOWTABLE:
8434 if (nft_trans_flowtable_update(trans)) {
8435 list_for_each_entry(hook, &nft_trans_flowtable(trans)->hook_list, list)
8436 hook->inactive = false;
8437 } else {
8438 trans->ctx.table->use++;
8439 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
8440 }
8441 nft_trans_destroy(trans);
8442 break;
8443 }
8444 }
8445
8446 synchronize_rcu();
8447
8448 list_for_each_entry_safe_reverse(trans, next,
8449 &net->nft.commit_list, list) {
8450 list_del(&trans->list);
8451 nf_tables_abort_release(trans);
8452 }
8453
8454 if (action == NFNL_ABORT_AUTOLOAD)
8455 nf_tables_module_autoload(net);
8456 else
8457 nf_tables_module_autoload_cleanup(net);
8458
8459 return 0;
8460 }
8461
8462 static void nf_tables_cleanup(struct net *net)
8463 {
8464 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
8465 }
8466
8467 static int nf_tables_abort(struct net *net, struct sk_buff *skb,
8468 enum nfnl_abort_action action)
8469 {
8470 int ret = __nf_tables_abort(net, action);
8471
8472 mutex_unlock(&net->nft.commit_mutex);
8473
8474 return ret;
8475 }
8476
8477 static bool nf_tables_valid_genid(struct net *net, u32 genid)
8478 {
8479 bool genid_ok;
8480
8481 mutex_lock(&net->nft.commit_mutex);
8482
8483 genid_ok = genid == 0 || net->nft.base_seq == genid;
8484 if (!genid_ok)
8485 mutex_unlock(&net->nft.commit_mutex);
8486
8487 /* else, commit mutex has to be released by commit or abort function */
8488 return genid_ok;
8489 }
8490
8491 static const struct nfnetlink_subsystem nf_tables_subsys = {
8492 .name = "nf_tables",
8493 .subsys_id = NFNL_SUBSYS_NFTABLES,
8494 .cb_count = NFT_MSG_MAX,
8495 .cb = nf_tables_cb,
8496 .commit = nf_tables_commit,
8497 .abort = nf_tables_abort,
8498 .cleanup = nf_tables_cleanup,
8499 .valid_genid = nf_tables_valid_genid,
8500 .owner = THIS_MODULE,
8501 };
8502
8503 int nft_chain_validate_dependency(const struct nft_chain *chain,
8504 enum nft_chain_types type)
8505 {
8506 const struct nft_base_chain *basechain;
8507
8508 if (nft_is_base_chain(chain)) {
8509 basechain = nft_base_chain(chain);
8510 if (basechain->type->type != type)
8511 return -EOPNOTSUPP;
8512 }
8513 return 0;
8514 }
8515 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
8516
8517 int nft_chain_validate_hooks(const struct nft_chain *chain,
8518 unsigned int hook_flags)
8519 {
8520 struct nft_base_chain *basechain;
8521
8522 if (nft_is_base_chain(chain)) {
8523 basechain = nft_base_chain(chain);
8524
8525 if ((1 << basechain->ops.hooknum) & hook_flags)
8526 return 0;
8527
8528 return -EOPNOTSUPP;
8529 }
8530
8531 return 0;
8532 }
8533 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
8534
8535 /*
8536 * Loop detection - walk through the ruleset beginning at the destination chain
8537 * of a new jump until either the source chain is reached (loop) or all
8538 * reachable chains have been traversed.
8539 *
8540 * The loop check is performed whenever a new jump verdict is added to an
8541 * expression or verdict map or a verdict map is bound to a new chain.
8542 */
8543
8544 static int nf_tables_check_loops(const struct nft_ctx *ctx,
8545 const struct nft_chain *chain);
8546
8547 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
8548 struct nft_set *set,
8549 const struct nft_set_iter *iter,
8550 struct nft_set_elem *elem)
8551 {
8552 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
8553 const struct nft_data *data;
8554
8555 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
8556 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
8557 return 0;
8558
8559 data = nft_set_ext_data(ext);
8560 switch (data->verdict.code) {
8561 case NFT_JUMP:
8562 case NFT_GOTO:
8563 return nf_tables_check_loops(ctx, data->verdict.chain);
8564 default:
8565 return 0;
8566 }
8567 }
8568
8569 static int nf_tables_check_loops(const struct nft_ctx *ctx,
8570 const struct nft_chain *chain)
8571 {
8572 const struct nft_rule *rule;
8573 const struct nft_expr *expr, *last;
8574 struct nft_set *set;
8575 struct nft_set_binding *binding;
8576 struct nft_set_iter iter;
8577
8578 if (ctx->chain == chain)
8579 return -ELOOP;
8580
8581 list_for_each_entry(rule, &chain->rules, list) {
8582 nft_rule_for_each_expr(expr, last, rule) {
8583 struct nft_immediate_expr *priv;
8584 const struct nft_data *data;
8585 int err;
8586
8587 if (strcmp(expr->ops->type->name, "immediate"))
8588 continue;
8589
8590 priv = nft_expr_priv(expr);
8591 if (priv->dreg != NFT_REG_VERDICT)
8592 continue;
8593
8594 data = &priv->data;
8595 switch (data->verdict.code) {
8596 case NFT_JUMP:
8597 case NFT_GOTO:
8598 err = nf_tables_check_loops(ctx,
8599 data->verdict.chain);
8600 if (err < 0)
8601 return err;
8602 break;
8603 default:
8604 break;
8605 }
8606 }
8607 }
8608
8609 list_for_each_entry(set, &ctx->table->sets, list) {
8610 if (!nft_is_active_next(ctx->net, set))
8611 continue;
8612 if (!(set->flags & NFT_SET_MAP) ||
8613 set->dtype != NFT_DATA_VERDICT)
8614 continue;
8615
8616 list_for_each_entry(binding, &set->bindings, list) {
8617 if (!(binding->flags & NFT_SET_MAP) ||
8618 binding->chain != chain)
8619 continue;
8620
8621 iter.genmask = nft_genmask_next(ctx->net);
8622 iter.skip = 0;
8623 iter.count = 0;
8624 iter.err = 0;
8625 iter.fn = nf_tables_loop_check_setelem;
8626
8627 set->ops->walk(ctx, set, &iter);
8628 if (iter.err < 0)
8629 return iter.err;
8630 }
8631 }
8632
8633 return 0;
8634 }
8635
8636 /**
8637 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
8638 *
8639 * @attr: netlink attribute to fetch value from
8640 * @max: maximum value to be stored in dest
8641 * @dest: pointer to the variable
8642 *
8643 * Parse, check and store a given u32 netlink attribute into variable.
8644 * This function returns -ERANGE if the value goes over maximum value.
8645 * Otherwise a 0 is returned and the attribute value is stored in the
8646 * destination variable.
8647 */
8648 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
8649 {
8650 u32 val;
8651
8652 val = ntohl(nla_get_be32(attr));
8653 if (val > max)
8654 return -ERANGE;
8655
8656 *dest = val;
8657 return 0;
8658 }
8659 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
8660
8661 /**
8662 * nft_parse_register - parse a register value from a netlink attribute
8663 *
8664 * @attr: netlink attribute
8665 *
8666 * Parse and translate a register value from a netlink attribute.
8667 * Registers used to be 128 bit wide, these register numbers will be
8668 * mapped to the corresponding 32 bit register numbers.
8669 */
8670 static unsigned int nft_parse_register(const struct nlattr *attr)
8671 {
8672 unsigned int reg;
8673
8674 reg = ntohl(nla_get_be32(attr));
8675 switch (reg) {
8676 case NFT_REG_VERDICT...NFT_REG_4:
8677 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
8678 default:
8679 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
8680 }
8681 }
8682
8683 /**
8684 * nft_dump_register - dump a register value to a netlink attribute
8685 *
8686 * @skb: socket buffer
8687 * @attr: attribute number
8688 * @reg: register number
8689 *
8690 * Construct a netlink attribute containing the register number. For
8691 * compatibility reasons, register numbers being a multiple of 4 are
8692 * translated to the corresponding 128 bit register numbers.
8693 */
8694 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
8695 {
8696 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
8697 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
8698 else
8699 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
8700
8701 return nla_put_be32(skb, attr, htonl(reg));
8702 }
8703 EXPORT_SYMBOL_GPL(nft_dump_register);
8704
8705 /**
8706 * nft_validate_register_load - validate a load from a register
8707 *
8708 * @reg: the register number
8709 * @len: the length of the data
8710 *
8711 * Validate that the input register is one of the general purpose
8712 * registers and that the length of the load is within the bounds.
8713 */
8714 static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
8715 {
8716 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
8717 return -EINVAL;
8718 if (len == 0)
8719 return -EINVAL;
8720 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
8721 return -ERANGE;
8722
8723 return 0;
8724 }
8725
8726 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
8727 {
8728 u32 reg;
8729 int err;
8730
8731 reg = nft_parse_register(attr);
8732 err = nft_validate_register_load(reg, len);
8733 if (err < 0)
8734 return err;
8735
8736 *sreg = reg;
8737 return 0;
8738 }
8739 EXPORT_SYMBOL_GPL(nft_parse_register_load);
8740
8741 /**
8742 * nft_validate_register_store - validate an expressions' register store
8743 *
8744 * @ctx: context of the expression performing the load
8745 * @reg: the destination register number
8746 * @data: the data to load
8747 * @type: the data type
8748 * @len: the length of the data
8749 *
8750 * Validate that a data load uses the appropriate data type for
8751 * the destination register and the length is within the bounds.
8752 * A value of NULL for the data means that its runtime gathered
8753 * data.
8754 */
8755 static int nft_validate_register_store(const struct nft_ctx *ctx,
8756 enum nft_registers reg,
8757 const struct nft_data *data,
8758 enum nft_data_types type,
8759 unsigned int len)
8760 {
8761 int err;
8762
8763 switch (reg) {
8764 case NFT_REG_VERDICT:
8765 if (type != NFT_DATA_VERDICT)
8766 return -EINVAL;
8767
8768 if (data != NULL &&
8769 (data->verdict.code == NFT_GOTO ||
8770 data->verdict.code == NFT_JUMP)) {
8771 err = nf_tables_check_loops(ctx, data->verdict.chain);
8772 if (err < 0)
8773 return err;
8774 }
8775
8776 return 0;
8777 default:
8778 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
8779 return -EINVAL;
8780 if (len == 0)
8781 return -EINVAL;
8782 if (reg * NFT_REG32_SIZE + len >
8783 sizeof_field(struct nft_regs, data))
8784 return -ERANGE;
8785
8786 if (data != NULL && type != NFT_DATA_VALUE)
8787 return -EINVAL;
8788 return 0;
8789 }
8790 }
8791
8792 int nft_parse_register_store(const struct nft_ctx *ctx,
8793 const struct nlattr *attr, u8 *dreg,
8794 const struct nft_data *data,
8795 enum nft_data_types type, unsigned int len)
8796 {
8797 int err;
8798 u32 reg;
8799
8800 reg = nft_parse_register(attr);
8801 err = nft_validate_register_store(ctx, reg, data, type, len);
8802 if (err < 0)
8803 return err;
8804
8805 *dreg = reg;
8806 return 0;
8807 }
8808 EXPORT_SYMBOL_GPL(nft_parse_register_store);
8809
8810 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
8811 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
8812 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
8813 .len = NFT_CHAIN_MAXNAMELEN - 1 },
8814 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
8815 };
8816
8817 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
8818 struct nft_data_desc *desc, const struct nlattr *nla)
8819 {
8820 u8 genmask = nft_genmask_next(ctx->net);
8821 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
8822 struct nft_chain *chain;
8823 int err;
8824
8825 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
8826 nft_verdict_policy, NULL);
8827 if (err < 0)
8828 return err;
8829
8830 if (!tb[NFTA_VERDICT_CODE])
8831 return -EINVAL;
8832 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
8833
8834 switch (data->verdict.code) {
8835 default:
8836 switch (data->verdict.code & NF_VERDICT_MASK) {
8837 case NF_ACCEPT:
8838 case NF_DROP:
8839 case NF_QUEUE:
8840 break;
8841 default:
8842 return -EINVAL;
8843 }
8844 fallthrough;
8845 case NFT_CONTINUE:
8846 case NFT_BREAK:
8847 case NFT_RETURN:
8848 break;
8849 case NFT_JUMP:
8850 case NFT_GOTO:
8851 if (tb[NFTA_VERDICT_CHAIN]) {
8852 chain = nft_chain_lookup(ctx->net, ctx->table,
8853 tb[NFTA_VERDICT_CHAIN],
8854 genmask);
8855 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
8856 chain = nft_chain_lookup_byid(ctx->net,
8857 tb[NFTA_VERDICT_CHAIN_ID]);
8858 if (IS_ERR(chain))
8859 return PTR_ERR(chain);
8860 } else {
8861 return -EINVAL;
8862 }
8863
8864 if (IS_ERR(chain))
8865 return PTR_ERR(chain);
8866 if (nft_is_base_chain(chain))
8867 return -EOPNOTSUPP;
8868
8869 chain->use++;
8870 data->verdict.chain = chain;
8871 break;
8872 }
8873
8874 desc->len = sizeof(data->verdict);
8875 desc->type = NFT_DATA_VERDICT;
8876 return 0;
8877 }
8878
8879 static void nft_verdict_uninit(const struct nft_data *data)
8880 {
8881 struct nft_chain *chain;
8882 struct nft_rule *rule;
8883
8884 switch (data->verdict.code) {
8885 case NFT_JUMP:
8886 case NFT_GOTO:
8887 chain = data->verdict.chain;
8888 chain->use--;
8889
8890 if (!nft_chain_is_bound(chain))
8891 break;
8892
8893 chain->table->use--;
8894 list_for_each_entry(rule, &chain->rules, list)
8895 chain->use--;
8896
8897 nft_chain_del(chain);
8898 break;
8899 }
8900 }
8901
8902 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
8903 {
8904 struct nlattr *nest;
8905
8906 nest = nla_nest_start_noflag(skb, type);
8907 if (!nest)
8908 goto nla_put_failure;
8909
8910 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
8911 goto nla_put_failure;
8912
8913 switch (v->code) {
8914 case NFT_JUMP:
8915 case NFT_GOTO:
8916 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
8917 v->chain->name))
8918 goto nla_put_failure;
8919 }
8920 nla_nest_end(skb, nest);
8921 return 0;
8922
8923 nla_put_failure:
8924 return -1;
8925 }
8926
8927 static int nft_value_init(const struct nft_ctx *ctx,
8928 struct nft_data *data, unsigned int size,
8929 struct nft_data_desc *desc, const struct nlattr *nla)
8930 {
8931 unsigned int len;
8932
8933 len = nla_len(nla);
8934 if (len == 0)
8935 return -EINVAL;
8936 if (len > size)
8937 return -EOVERFLOW;
8938
8939 nla_memcpy(data->data, nla, len);
8940 desc->type = NFT_DATA_VALUE;
8941 desc->len = len;
8942 return 0;
8943 }
8944
8945 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
8946 unsigned int len)
8947 {
8948 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
8949 }
8950
8951 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
8952 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
8953 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
8954 };
8955
8956 /**
8957 * nft_data_init - parse nf_tables data netlink attributes
8958 *
8959 * @ctx: context of the expression using the data
8960 * @data: destination struct nft_data
8961 * @size: maximum data length
8962 * @desc: data description
8963 * @nla: netlink attribute containing data
8964 *
8965 * Parse the netlink data attributes and initialize a struct nft_data.
8966 * The type and length of data are returned in the data description.
8967 *
8968 * The caller can indicate that it only wants to accept data of type
8969 * NFT_DATA_VALUE by passing NULL for the ctx argument.
8970 */
8971 int nft_data_init(const struct nft_ctx *ctx,
8972 struct nft_data *data, unsigned int size,
8973 struct nft_data_desc *desc, const struct nlattr *nla)
8974 {
8975 struct nlattr *tb[NFTA_DATA_MAX + 1];
8976 int err;
8977
8978 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
8979 nft_data_policy, NULL);
8980 if (err < 0)
8981 return err;
8982
8983 if (tb[NFTA_DATA_VALUE])
8984 return nft_value_init(ctx, data, size, desc,
8985 tb[NFTA_DATA_VALUE]);
8986 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
8987 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
8988 return -EINVAL;
8989 }
8990 EXPORT_SYMBOL_GPL(nft_data_init);
8991
8992 /**
8993 * nft_data_release - release a nft_data item
8994 *
8995 * @data: struct nft_data to release
8996 * @type: type of data
8997 *
8998 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
8999 * all others need to be released by calling this function.
9000 */
9001 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
9002 {
9003 if (type < NFT_DATA_VERDICT)
9004 return;
9005 switch (type) {
9006 case NFT_DATA_VERDICT:
9007 return nft_verdict_uninit(data);
9008 default:
9009 WARN_ON(1);
9010 }
9011 }
9012 EXPORT_SYMBOL_GPL(nft_data_release);
9013
9014 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
9015 enum nft_data_types type, unsigned int len)
9016 {
9017 struct nlattr *nest;
9018 int err;
9019
9020 nest = nla_nest_start_noflag(skb, attr);
9021 if (nest == NULL)
9022 return -1;
9023
9024 switch (type) {
9025 case NFT_DATA_VALUE:
9026 err = nft_value_dump(skb, data, len);
9027 break;
9028 case NFT_DATA_VERDICT:
9029 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
9030 break;
9031 default:
9032 err = -EINVAL;
9033 WARN_ON(1);
9034 }
9035
9036 nla_nest_end(skb, nest);
9037 return err;
9038 }
9039 EXPORT_SYMBOL_GPL(nft_data_dump);
9040
9041 int __nft_release_basechain(struct nft_ctx *ctx)
9042 {
9043 struct nft_rule *rule, *nr;
9044
9045 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
9046 return 0;
9047
9048 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
9049 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
9050 list_del(&rule->list);
9051 ctx->chain->use--;
9052 nf_tables_rule_release(ctx, rule);
9053 }
9054 nft_chain_del(ctx->chain);
9055 ctx->table->use--;
9056 nf_tables_chain_destroy(ctx);
9057
9058 return 0;
9059 }
9060 EXPORT_SYMBOL_GPL(__nft_release_basechain);
9061
9062 static void __nft_release_hook(struct net *net, struct nft_table *table)
9063 {
9064 struct nft_chain *chain;
9065
9066 list_for_each_entry(chain, &table->chains, list)
9067 nf_tables_unregister_hook(net, table, chain);
9068 }
9069
9070 static void __nft_release_hooks(struct net *net)
9071 {
9072 struct nft_table *table;
9073
9074 list_for_each_entry(table, &net->nft.tables, list) {
9075 if (nft_table_has_owner(table))
9076 continue;
9077
9078 __nft_release_hook(net, table);
9079 }
9080 }
9081
9082 static void __nft_release_table(struct net *net, struct nft_table *table)
9083 {
9084 struct nft_flowtable *flowtable, *nf;
9085 struct nft_chain *chain, *nc;
9086 struct nft_object *obj, *ne;
9087 struct nft_rule *rule, *nr;
9088 struct nft_set *set, *ns;
9089 struct nft_ctx ctx = {
9090 .net = net,
9091 .family = NFPROTO_NETDEV,
9092 };
9093
9094 ctx.family = table->family;
9095 ctx.table = table;
9096 list_for_each_entry(chain, &table->chains, list) {
9097 ctx.chain = chain;
9098 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
9099 list_del(&rule->list);
9100 chain->use--;
9101 nf_tables_rule_release(&ctx, rule);
9102 }
9103 }
9104 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
9105 list_del(&flowtable->list);
9106 table->use--;
9107 nf_tables_flowtable_destroy(flowtable);
9108 }
9109 list_for_each_entry_safe(set, ns, &table->sets, list) {
9110 list_del(&set->list);
9111 table->use--;
9112 nft_set_destroy(&ctx, set);
9113 }
9114 list_for_each_entry_safe(obj, ne, &table->objects, list) {
9115 nft_obj_del(obj);
9116 table->use--;
9117 nft_obj_destroy(&ctx, obj);
9118 }
9119 list_for_each_entry_safe(chain, nc, &table->chains, list) {
9120 ctx.chain = chain;
9121 nft_chain_del(chain);
9122 table->use--;
9123 nf_tables_chain_destroy(&ctx);
9124 }
9125 list_del(&table->list);
9126 nf_tables_table_destroy(&ctx);
9127 }
9128
9129 static void __nft_release_tables(struct net *net)
9130 {
9131 struct nft_table *table, *nt;
9132
9133 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
9134 if (nft_table_has_owner(table))
9135 continue;
9136
9137 __nft_release_table(net, table);
9138 }
9139 }
9140
9141 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
9142 void *ptr)
9143 {
9144 struct netlink_notify *n = ptr;
9145 struct nft_table *table, *nt;
9146 struct net *net = n->net;
9147 bool release = false;
9148
9149 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
9150 return NOTIFY_DONE;
9151
9152 mutex_lock(&net->nft.commit_mutex);
9153 list_for_each_entry(table, &net->nft.tables, list) {
9154 if (nft_table_has_owner(table) &&
9155 n->portid == table->nlpid) {
9156 __nft_release_hook(net, table);
9157 release = true;
9158 }
9159 }
9160 if (release) {
9161 synchronize_rcu();
9162 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
9163 if (nft_table_has_owner(table) &&
9164 n->portid == table->nlpid)
9165 __nft_release_table(net, table);
9166 }
9167 }
9168 mutex_unlock(&net->nft.commit_mutex);
9169
9170 return NOTIFY_DONE;
9171 }
9172
9173 static struct notifier_block nft_nl_notifier = {
9174 .notifier_call = nft_rcv_nl_event,
9175 };
9176
9177 static int __net_init nf_tables_init_net(struct net *net)
9178 {
9179 INIT_LIST_HEAD(&net->nft.tables);
9180 INIT_LIST_HEAD(&net->nft.commit_list);
9181 INIT_LIST_HEAD(&net->nft.module_list);
9182 INIT_LIST_HEAD(&net->nft.notify_list);
9183 mutex_init(&net->nft.commit_mutex);
9184 net->nft.base_seq = 1;
9185 net->nft.validate_state = NFT_VALIDATE_SKIP;
9186
9187 return 0;
9188 }
9189
9190 static void __net_exit nf_tables_pre_exit_net(struct net *net)
9191 {
9192 __nft_release_hooks(net);
9193 }
9194
9195 static void __net_exit nf_tables_exit_net(struct net *net)
9196 {
9197 mutex_lock(&net->nft.commit_mutex);
9198 if (!list_empty(&net->nft.commit_list))
9199 __nf_tables_abort(net, NFNL_ABORT_NONE);
9200 __nft_release_tables(net);
9201 mutex_unlock(&net->nft.commit_mutex);
9202 WARN_ON_ONCE(!list_empty(&net->nft.tables));
9203 WARN_ON_ONCE(!list_empty(&net->nft.module_list));
9204 WARN_ON_ONCE(!list_empty(&net->nft.notify_list));
9205 }
9206
9207 static struct pernet_operations nf_tables_net_ops = {
9208 .init = nf_tables_init_net,
9209 .pre_exit = nf_tables_pre_exit_net,
9210 .exit = nf_tables_exit_net,
9211 };
9212
9213 static int __init nf_tables_module_init(void)
9214 {
9215 int err;
9216
9217 spin_lock_init(&nf_tables_destroy_list_lock);
9218 err = register_pernet_subsys(&nf_tables_net_ops);
9219 if (err < 0)
9220 return err;
9221
9222 err = nft_chain_filter_init();
9223 if (err < 0)
9224 goto err_chain_filter;
9225
9226 err = nf_tables_core_module_init();
9227 if (err < 0)
9228 goto err_core_module;
9229
9230 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
9231 if (err < 0)
9232 goto err_netdev_notifier;
9233
9234 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
9235 if (err < 0)
9236 goto err_rht_objname;
9237
9238 err = nft_offload_init();
9239 if (err < 0)
9240 goto err_offload;
9241
9242 err = netlink_register_notifier(&nft_nl_notifier);
9243 if (err < 0)
9244 goto err_netlink_notifier;
9245
9246 /* must be last */
9247 err = nfnetlink_subsys_register(&nf_tables_subsys);
9248 if (err < 0)
9249 goto err_nfnl_subsys;
9250
9251 nft_chain_route_init();
9252
9253 return err;
9254
9255 err_nfnl_subsys:
9256 netlink_unregister_notifier(&nft_nl_notifier);
9257 err_netlink_notifier:
9258 nft_offload_exit();
9259 err_offload:
9260 rhltable_destroy(&nft_objname_ht);
9261 err_rht_objname:
9262 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
9263 err_netdev_notifier:
9264 nf_tables_core_module_exit();
9265 err_core_module:
9266 nft_chain_filter_fini();
9267 err_chain_filter:
9268 unregister_pernet_subsys(&nf_tables_net_ops);
9269 return err;
9270 }
9271
9272 static void __exit nf_tables_module_exit(void)
9273 {
9274 nfnetlink_subsys_unregister(&nf_tables_subsys);
9275 netlink_unregister_notifier(&nft_nl_notifier);
9276 nft_offload_exit();
9277 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
9278 nft_chain_filter_fini();
9279 nft_chain_route_fini();
9280 unregister_pernet_subsys(&nf_tables_net_ops);
9281 cancel_work_sync(&trans_destroy_work);
9282 rcu_barrier();
9283 rhltable_destroy(&nft_objname_ht);
9284 nf_tables_core_module_exit();
9285 }
9286
9287 module_init(nf_tables_module_init);
9288 module_exit(nf_tables_module_exit);
9289
9290 MODULE_LICENSE("GPL");
9291 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
9292 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
Ubuntu Jammy Linux kernel mirror