]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/blob - net/netfilter/nf_tables_api.c
projects / mirror_ubuntu-jammy-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge tag 'iommu-fixes-v5.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git...
[mirror_ubuntu-jammy-kernel.git] / net / netfilter / nf_tables_api.c
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 *
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
6 */
7
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_flow_table.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_tables_offload.h>
23 #include <net/net_namespace.h>
24 #include <net/sock.h>
25
26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
27
28 static LIST_HEAD(nf_tables_expressions);
29 static LIST_HEAD(nf_tables_objects);
30 static LIST_HEAD(nf_tables_flowtables);
31 static LIST_HEAD(nf_tables_destroy_list);
32 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
33 static u64 table_handle;
34
35 enum {
36 NFT_VALIDATE_SKIP = 0,
37 NFT_VALIDATE_NEED,
38 NFT_VALIDATE_DO,
39 };
40
41 static struct rhltable nft_objname_ht;
42
43 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
44 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
45 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
46
47 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
48 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
49 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
50
51 static const struct rhashtable_params nft_chain_ht_params = {
52 .head_offset = offsetof(struct nft_chain, rhlhead),
53 .key_offset = offsetof(struct nft_chain, name),
54 .hashfn = nft_chain_hash,
55 .obj_hashfn = nft_chain_hash_obj,
56 .obj_cmpfn = nft_chain_hash_cmp,
57 .automatic_shrinking = true,
58 };
59
60 static const struct rhashtable_params nft_objname_ht_params = {
61 .head_offset = offsetof(struct nft_object, rhlhead),
62 .key_offset = offsetof(struct nft_object, key),
63 .hashfn = nft_objname_hash,
64 .obj_hashfn = nft_objname_hash_obj,
65 .obj_cmpfn = nft_objname_hash_cmp,
66 .automatic_shrinking = true,
67 };
68
69 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
70 {
71 switch (net->nft.validate_state) {
72 case NFT_VALIDATE_SKIP:
73 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
74 break;
75 case NFT_VALIDATE_NEED:
76 break;
77 case NFT_VALIDATE_DO:
78 if (new_validate_state == NFT_VALIDATE_NEED)
79 return;
80 }
81
82 net->nft.validate_state = new_validate_state;
83 }
84 static void nf_tables_trans_destroy_work(struct work_struct *w);
85 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
86
87 static void nft_ctx_init(struct nft_ctx *ctx,
88 struct net *net,
89 const struct sk_buff *skb,
90 const struct nlmsghdr *nlh,
91 u8 family,
92 struct nft_table *table,
93 struct nft_chain *chain,
94 const struct nlattr * const *nla)
95 {
96 ctx->net = net;
97 ctx->family = family;
98 ctx->level = 0;
99 ctx->table = table;
100 ctx->chain = chain;
101 ctx->nla = nla;
102 ctx->portid = NETLINK_CB(skb).portid;
103 ctx->report = nlmsg_report(nlh);
104 ctx->flags = nlh->nlmsg_flags;
105 ctx->seq = nlh->nlmsg_seq;
106 }
107
108 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
109 int msg_type, u32 size, gfp_t gfp)
110 {
111 struct nft_trans *trans;
112
113 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
114 if (trans == NULL)
115 return NULL;
116
117 trans->msg_type = msg_type;
118 trans->ctx = *ctx;
119
120 return trans;
121 }
122
123 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
124 int msg_type, u32 size)
125 {
126 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
127 }
128
129 static void nft_trans_destroy(struct nft_trans *trans)
130 {
131 list_del(&trans->list);
132 kfree(trans);
133 }
134
135 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
136 {
137 struct net *net = ctx->net;
138 struct nft_trans *trans;
139
140 if (!nft_set_is_anonymous(set))
141 return;
142
143 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
144 switch (trans->msg_type) {
145 case NFT_MSG_NEWSET:
146 if (nft_trans_set(trans) == set)
147 nft_trans_set_bound(trans) = true;
148 break;
149 case NFT_MSG_NEWSETELEM:
150 if (nft_trans_elem_set(trans) == set)
151 nft_trans_elem_set_bound(trans) = true;
152 break;
153 }
154 }
155 }
156
157 static int nft_netdev_register_hooks(struct net *net,
158 struct list_head *hook_list)
159 {
160 struct nft_hook *hook;
161 int err, j;
162
163 j = 0;
164 list_for_each_entry(hook, hook_list, list) {
165 err = nf_register_net_hook(net, &hook->ops);
166 if (err < 0)
167 goto err_register;
168
169 j++;
170 }
171 return 0;
172
173 err_register:
174 list_for_each_entry(hook, hook_list, list) {
175 if (j-- <= 0)
176 break;
177
178 nf_unregister_net_hook(net, &hook->ops);
179 }
180 return err;
181 }
182
183 static void nft_netdev_unregister_hooks(struct net *net,
184 struct list_head *hook_list)
185 {
186 struct nft_hook *hook;
187
188 list_for_each_entry(hook, hook_list, list)
189 nf_unregister_net_hook(net, &hook->ops);
190 }
191
192 static int nf_tables_register_hook(struct net *net,
193 const struct nft_table *table,
194 struct nft_chain *chain)
195 {
196 struct nft_base_chain *basechain;
197 const struct nf_hook_ops *ops;
198
199 if (table->flags & NFT_TABLE_F_DORMANT ||
200 !nft_is_base_chain(chain))
201 return 0;
202
203 basechain = nft_base_chain(chain);
204 ops = &basechain->ops;
205
206 if (basechain->type->ops_register)
207 return basechain->type->ops_register(net, ops);
208
209 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
210 return nft_netdev_register_hooks(net, &basechain->hook_list);
211
212 return nf_register_net_hook(net, &basechain->ops);
213 }
214
215 static void nf_tables_unregister_hook(struct net *net,
216 const struct nft_table *table,
217 struct nft_chain *chain)
218 {
219 struct nft_base_chain *basechain;
220 const struct nf_hook_ops *ops;
221
222 if (table->flags & NFT_TABLE_F_DORMANT ||
223 !nft_is_base_chain(chain))
224 return;
225 basechain = nft_base_chain(chain);
226 ops = &basechain->ops;
227
228 if (basechain->type->ops_unregister)
229 return basechain->type->ops_unregister(net, ops);
230
231 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
232 nft_netdev_unregister_hooks(net, &basechain->hook_list);
233 else
234 nf_unregister_net_hook(net, &basechain->ops);
235 }
236
237 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
238 {
239 struct nft_trans *trans;
240
241 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
242 if (trans == NULL)
243 return -ENOMEM;
244
245 if (msg_type == NFT_MSG_NEWTABLE)
246 nft_activate_next(ctx->net, ctx->table);
247
248 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
249 return 0;
250 }
251
252 static int nft_deltable(struct nft_ctx *ctx)
253 {
254 int err;
255
256 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
257 if (err < 0)
258 return err;
259
260 nft_deactivate_next(ctx->net, ctx->table);
261 return err;
262 }
263
264 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
265 {
266 struct nft_trans *trans;
267
268 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
269 if (trans == NULL)
270 return ERR_PTR(-ENOMEM);
271
272 if (msg_type == NFT_MSG_NEWCHAIN) {
273 nft_activate_next(ctx->net, ctx->chain);
274
275 if (ctx->nla[NFTA_CHAIN_ID]) {
276 nft_trans_chain_id(trans) =
277 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
278 }
279 }
280
281 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
282 return trans;
283 }
284
285 static int nft_delchain(struct nft_ctx *ctx)
286 {
287 struct nft_trans *trans;
288
289 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
290 if (IS_ERR(trans))
291 return PTR_ERR(trans);
292
293 ctx->table->use--;
294 nft_deactivate_next(ctx->net, ctx->chain);
295
296 return 0;
297 }
298
299 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
300 struct nft_rule *rule)
301 {
302 struct nft_expr *expr;
303
304 expr = nft_expr_first(rule);
305 while (nft_expr_more(rule, expr)) {
306 if (expr->ops->activate)
307 expr->ops->activate(ctx, expr);
308
309 expr = nft_expr_next(expr);
310 }
311 }
312
313 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
314 struct nft_rule *rule,
315 enum nft_trans_phase phase)
316 {
317 struct nft_expr *expr;
318
319 expr = nft_expr_first(rule);
320 while (nft_expr_more(rule, expr)) {
321 if (expr->ops->deactivate)
322 expr->ops->deactivate(ctx, expr, phase);
323
324 expr = nft_expr_next(expr);
325 }
326 }
327
328 static int
329 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
330 {
331 /* You cannot delete the same rule twice */
332 if (nft_is_active_next(ctx->net, rule)) {
333 nft_deactivate_next(ctx->net, rule);
334 ctx->chain->use--;
335 return 0;
336 }
337 return -ENOENT;
338 }
339
340 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
341 struct nft_rule *rule)
342 {
343 struct nft_trans *trans;
344
345 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
346 if (trans == NULL)
347 return NULL;
348
349 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
350 nft_trans_rule_id(trans) =
351 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
352 }
353 nft_trans_rule(trans) = rule;
354 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
355
356 return trans;
357 }
358
359 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
360 {
361 struct nft_flow_rule *flow;
362 struct nft_trans *trans;
363 int err;
364
365 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
366 if (trans == NULL)
367 return -ENOMEM;
368
369 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
370 flow = nft_flow_rule_create(ctx->net, rule);
371 if (IS_ERR(flow)) {
372 nft_trans_destroy(trans);
373 return PTR_ERR(flow);
374 }
375
376 nft_trans_flow_rule(trans) = flow;
377 }
378
379 err = nf_tables_delrule_deactivate(ctx, rule);
380 if (err < 0) {
381 nft_trans_destroy(trans);
382 return err;
383 }
384 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
385
386 return 0;
387 }
388
389 static int nft_delrule_by_chain(struct nft_ctx *ctx)
390 {
391 struct nft_rule *rule;
392 int err;
393
394 list_for_each_entry(rule, &ctx->chain->rules, list) {
395 if (!nft_is_active_next(ctx->net, rule))
396 continue;
397
398 err = nft_delrule(ctx, rule);
399 if (err < 0)
400 return err;
401 }
402 return 0;
403 }
404
405 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
406 struct nft_set *set)
407 {
408 struct nft_trans *trans;
409
410 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
411 if (trans == NULL)
412 return -ENOMEM;
413
414 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
415 nft_trans_set_id(trans) =
416 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
417 nft_activate_next(ctx->net, set);
418 }
419 nft_trans_set(trans) = set;
420 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
421
422 return 0;
423 }
424
425 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
426 {
427 int err;
428
429 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
430 if (err < 0)
431 return err;
432
433 nft_deactivate_next(ctx->net, set);
434 ctx->table->use--;
435
436 return err;
437 }
438
439 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
440 struct nft_object *obj)
441 {
442 struct nft_trans *trans;
443
444 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
445 if (trans == NULL)
446 return -ENOMEM;
447
448 if (msg_type == NFT_MSG_NEWOBJ)
449 nft_activate_next(ctx->net, obj);
450
451 nft_trans_obj(trans) = obj;
452 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
453
454 return 0;
455 }
456
457 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
458 {
459 int err;
460
461 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
462 if (err < 0)
463 return err;
464
465 nft_deactivate_next(ctx->net, obj);
466 ctx->table->use--;
467
468 return err;
469 }
470
471 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
472 struct nft_flowtable *flowtable)
473 {
474 struct nft_trans *trans;
475
476 trans = nft_trans_alloc(ctx, msg_type,
477 sizeof(struct nft_trans_flowtable));
478 if (trans == NULL)
479 return -ENOMEM;
480
481 if (msg_type == NFT_MSG_NEWFLOWTABLE)
482 nft_activate_next(ctx->net, flowtable);
483
484 nft_trans_flowtable(trans) = flowtable;
485 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
486
487 return 0;
488 }
489
490 static int nft_delflowtable(struct nft_ctx *ctx,
491 struct nft_flowtable *flowtable)
492 {
493 int err;
494
495 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
496 if (err < 0)
497 return err;
498
499 nft_deactivate_next(ctx->net, flowtable);
500 ctx->table->use--;
501
502 return err;
503 }
504
505 /*
506 * Tables
507 */
508
509 static struct nft_table *nft_table_lookup(const struct net *net,
510 const struct nlattr *nla,
511 u8 family, u8 genmask, u32 nlpid)
512 {
513 struct nft_table *table;
514
515 if (nla == NULL)
516 return ERR_PTR(-EINVAL);
517
518 list_for_each_entry_rcu(table, &net->nft.tables, list,
519 lockdep_is_held(&net->nft.commit_mutex)) {
520 if (!nla_strcmp(nla, table->name) &&
521 table->family == family &&
522 nft_active_genmask(table, genmask)) {
523 if (nft_table_has_owner(table) &&
524 table->nlpid != nlpid)
525 return ERR_PTR(-EPERM);
526
527 return table;
528 }
529 }
530
531 return ERR_PTR(-ENOENT);
532 }
533
534 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
535 const struct nlattr *nla,
536 u8 genmask)
537 {
538 struct nft_table *table;
539
540 list_for_each_entry(table, &net->nft.tables, list) {
541 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
542 nft_active_genmask(table, genmask))
543 return table;
544 }
545
546 return ERR_PTR(-ENOENT);
547 }
548
549 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
550 {
551 return ++table->hgenerator;
552 }
553
554 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
555
556 static const struct nft_chain_type *
557 __nft_chain_type_get(u8 family, enum nft_chain_types type)
558 {
559 if (family >= NFPROTO_NUMPROTO ||
560 type >= NFT_CHAIN_T_MAX)
561 return NULL;
562
563 return chain_type[family][type];
564 }
565
566 static const struct nft_chain_type *
567 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
568 {
569 const struct nft_chain_type *type;
570 int i;
571
572 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
573 type = __nft_chain_type_get(family, i);
574 if (!type)
575 continue;
576 if (!nla_strcmp(nla, type->name))
577 return type;
578 }
579 return NULL;
580 }
581
582 struct nft_module_request {
583 struct list_head list;
584 char module[MODULE_NAME_LEN];
585 bool done;
586 };
587
588 #ifdef CONFIG_MODULES
589 static __printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
590 ...)
591 {
592 char module_name[MODULE_NAME_LEN];
593 struct nft_module_request *req;
594 va_list args;
595 int ret;
596
597 va_start(args, fmt);
598 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
599 va_end(args);
600 if (ret >= MODULE_NAME_LEN)
601 return 0;
602
603 list_for_each_entry(req, &net->nft.module_list, list) {
604 if (!strcmp(req->module, module_name)) {
605 if (req->done)
606 return 0;
607
608 /* A request to load this module already exists. */
609 return -EAGAIN;
610 }
611 }
612
613 req = kmalloc(sizeof(*req), GFP_KERNEL);
614 if (!req)
615 return -ENOMEM;
616
617 req->done = false;
618 strlcpy(req->module, module_name, MODULE_NAME_LEN);
619 list_add_tail(&req->list, &net->nft.module_list);
620
621 return -EAGAIN;
622 }
623 #endif
624
625 static void lockdep_nfnl_nft_mutex_not_held(void)
626 {
627 #ifdef CONFIG_PROVE_LOCKING
628 if (debug_locks)
629 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
630 #endif
631 }
632
633 static const struct nft_chain_type *
634 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
635 u8 family, bool autoload)
636 {
637 const struct nft_chain_type *type;
638
639 type = __nf_tables_chain_type_lookup(nla, family);
640 if (type != NULL)
641 return type;
642
643 lockdep_nfnl_nft_mutex_not_held();
644 #ifdef CONFIG_MODULES
645 if (autoload) {
646 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
647 nla_len(nla),
648 (const char *)nla_data(nla)) == -EAGAIN)
649 return ERR_PTR(-EAGAIN);
650 }
651 #endif
652 return ERR_PTR(-ENOENT);
653 }
654
655 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
656 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
657 .len = NFT_TABLE_MAXNAMELEN - 1 },
658 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
659 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
660 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
661 .len = NFT_USERDATA_MAXLEN }
662 };
663
664 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
665 u32 portid, u32 seq, int event, u32 flags,
666 int family, const struct nft_table *table)
667 {
668 struct nlmsghdr *nlh;
669 struct nfgenmsg *nfmsg;
670
671 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
672 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
673 if (nlh == NULL)
674 goto nla_put_failure;
675
676 nfmsg = nlmsg_data(nlh);
677 nfmsg->nfgen_family = family;
678 nfmsg->version = NFNETLINK_V0;
679 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
680
681 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
682 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
683 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
684 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
685 NFTA_TABLE_PAD))
686 goto nla_put_failure;
687 if (nft_table_has_owner(table) &&
688 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid)))
689 goto nla_put_failure;
690
691 if (table->udata) {
692 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
693 goto nla_put_failure;
694 }
695
696 nlmsg_end(skb, nlh);
697 return 0;
698
699 nla_put_failure:
700 nlmsg_trim(skb, nlh);
701 return -1;
702 }
703
704 struct nftnl_skb_parms {
705 bool report;
706 };
707 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
708
709 static void nft_notify_enqueue(struct sk_buff *skb, bool report,
710 struct list_head *notify_list)
711 {
712 NFT_CB(skb).report = report;
713 list_add_tail(&skb->list, notify_list);
714 }
715
716 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
717 {
718 struct sk_buff *skb;
719 int err;
720 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;?:0",
721 ctx->table->name, ctx->table->handle);
722
723 audit_log_nfcfg(buf,
724 ctx->family,
725 ctx->table->use,
726 event == NFT_MSG_NEWTABLE ?
727 AUDIT_NFT_OP_TABLE_REGISTER :
728 AUDIT_NFT_OP_TABLE_UNREGISTER,
729 GFP_KERNEL);
730 kfree(buf);
731
732 if (!ctx->report &&
733 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
734 return;
735
736 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
737 if (skb == NULL)
738 goto err;
739
740 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
741 event, 0, ctx->family, ctx->table);
742 if (err < 0) {
743 kfree_skb(skb);
744 goto err;
745 }
746
747 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
748 return;
749 err:
750 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
751 }
752
753 static int nf_tables_dump_tables(struct sk_buff *skb,
754 struct netlink_callback *cb)
755 {
756 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
757 const struct nft_table *table;
758 unsigned int idx = 0, s_idx = cb->args[0];
759 struct net *net = sock_net(skb->sk);
760 int family = nfmsg->nfgen_family;
761
762 rcu_read_lock();
763 cb->seq = net->nft.base_seq;
764
765 list_for_each_entry_rcu(table, &net->nft.tables, list) {
766 if (family != NFPROTO_UNSPEC && family != table->family)
767 continue;
768
769 if (idx < s_idx)
770 goto cont;
771 if (idx > s_idx)
772 memset(&cb->args[1], 0,
773 sizeof(cb->args) - sizeof(cb->args[0]));
774 if (!nft_is_active(net, table))
775 continue;
776 if (nf_tables_fill_table_info(skb, net,
777 NETLINK_CB(cb->skb).portid,
778 cb->nlh->nlmsg_seq,
779 NFT_MSG_NEWTABLE, NLM_F_MULTI,
780 table->family, table) < 0)
781 goto done;
782
783 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
784 cont:
785 idx++;
786 }
787 done:
788 rcu_read_unlock();
789 cb->args[0] = idx;
790 return skb->len;
791 }
792
793 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
794 const struct nlmsghdr *nlh,
795 struct netlink_dump_control *c)
796 {
797 int err;
798
799 if (!try_module_get(THIS_MODULE))
800 return -EINVAL;
801
802 rcu_read_unlock();
803 err = netlink_dump_start(nlsk, skb, nlh, c);
804 rcu_read_lock();
805 module_put(THIS_MODULE);
806
807 return err;
808 }
809
810 /* called with rcu_read_lock held */
811 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
812 struct sk_buff *skb, const struct nlmsghdr *nlh,
813 const struct nlattr * const nla[],
814 struct netlink_ext_ack *extack)
815 {
816 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
817 u8 genmask = nft_genmask_cur(net);
818 const struct nft_table *table;
819 struct sk_buff *skb2;
820 int family = nfmsg->nfgen_family;
821 int err;
822
823 if (nlh->nlmsg_flags & NLM_F_DUMP) {
824 struct netlink_dump_control c = {
825 .dump = nf_tables_dump_tables,
826 .module = THIS_MODULE,
827 };
828
829 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
830 }
831
832 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0);
833 if (IS_ERR(table)) {
834 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
835 return PTR_ERR(table);
836 }
837
838 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
839 if (!skb2)
840 return -ENOMEM;
841
842 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
843 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
844 family, table);
845 if (err < 0)
846 goto err_fill_table_info;
847
848 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
849
850 err_fill_table_info:
851 kfree_skb(skb2);
852 return err;
853 }
854
855 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
856 {
857 struct nft_chain *chain;
858 u32 i = 0;
859
860 list_for_each_entry(chain, &table->chains, list) {
861 if (!nft_is_active_next(net, chain))
862 continue;
863 if (!nft_is_base_chain(chain))
864 continue;
865
866 if (cnt && i++ == cnt)
867 break;
868
869 nf_tables_unregister_hook(net, table, chain);
870 }
871 }
872
873 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
874 {
875 struct nft_chain *chain;
876 int err, i = 0;
877
878 list_for_each_entry(chain, &table->chains, list) {
879 if (!nft_is_active_next(net, chain))
880 continue;
881 if (!nft_is_base_chain(chain))
882 continue;
883
884 err = nf_tables_register_hook(net, table, chain);
885 if (err < 0)
886 goto err_register_hooks;
887
888 i++;
889 }
890 return 0;
891
892 err_register_hooks:
893 if (i)
894 nft_table_disable(net, table, i);
895 return err;
896 }
897
898 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
899 {
900 nft_table_disable(net, table, 0);
901 }
902
903 static int nf_tables_updtable(struct nft_ctx *ctx)
904 {
905 struct nft_trans *trans;
906 u32 flags;
907 int ret = 0;
908
909 if (!ctx->nla[NFTA_TABLE_FLAGS])
910 return 0;
911
912 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
913 if (flags & ~NFT_TABLE_F_MASK)
914 return -EOPNOTSUPP;
915
916 if (flags == ctx->table->flags)
917 return 0;
918
919 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
920 sizeof(struct nft_trans_table));
921 if (trans == NULL)
922 return -ENOMEM;
923
924 if ((flags & NFT_TABLE_F_DORMANT) &&
925 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
926 nft_trans_table_enable(trans) = false;
927 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
928 ctx->table->flags & NFT_TABLE_F_DORMANT) {
929 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
930 ret = nf_tables_table_enable(ctx->net, ctx->table);
931 if (ret >= 0)
932 nft_trans_table_enable(trans) = true;
933 else
934 ctx->table->flags |= NFT_TABLE_F_DORMANT;
935 }
936 if (ret < 0)
937 goto err;
938
939 nft_trans_table_update(trans) = true;
940 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
941 return 0;
942 err:
943 nft_trans_destroy(trans);
944 return ret;
945 }
946
947 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
948 {
949 const char *name = data;
950
951 return jhash(name, strlen(name), seed);
952 }
953
954 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
955 {
956 const struct nft_chain *chain = data;
957
958 return nft_chain_hash(chain->name, 0, seed);
959 }
960
961 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
962 const void *ptr)
963 {
964 const struct nft_chain *chain = ptr;
965 const char *name = arg->key;
966
967 return strcmp(chain->name, name);
968 }
969
970 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
971 {
972 const struct nft_object_hash_key *k = data;
973
974 seed ^= hash_ptr(k->table, 32);
975
976 return jhash(k->name, strlen(k->name), seed);
977 }
978
979 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
980 {
981 const struct nft_object *obj = data;
982
983 return nft_objname_hash(&obj->key, 0, seed);
984 }
985
986 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
987 const void *ptr)
988 {
989 const struct nft_object_hash_key *k = arg->key;
990 const struct nft_object *obj = ptr;
991
992 if (obj->key.table != k->table)
993 return -1;
994
995 return strcmp(obj->key.name, k->name);
996 }
997
998 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
999 struct sk_buff *skb, const struct nlmsghdr *nlh,
1000 const struct nlattr * const nla[],
1001 struct netlink_ext_ack *extack)
1002 {
1003 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1004 u8 genmask = nft_genmask_next(net);
1005 int family = nfmsg->nfgen_family;
1006 const struct nlattr *attr;
1007 struct nft_table *table;
1008 struct nft_ctx ctx;
1009 u32 flags = 0;
1010 int err;
1011
1012 lockdep_assert_held(&net->nft.commit_mutex);
1013 attr = nla[NFTA_TABLE_NAME];
1014 table = nft_table_lookup(net, attr, family, genmask,
1015 NETLINK_CB(skb).portid);
1016 if (IS_ERR(table)) {
1017 if (PTR_ERR(table) != -ENOENT)
1018 return PTR_ERR(table);
1019 } else {
1020 if (nlh->nlmsg_flags & NLM_F_EXCL) {
1021 NL_SET_BAD_ATTR(extack, attr);
1022 return -EEXIST;
1023 }
1024 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1025 return -EOPNOTSUPP;
1026
1027 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
1028 return nf_tables_updtable(&ctx);
1029 }
1030
1031 if (nla[NFTA_TABLE_FLAGS]) {
1032 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1033 if (flags & ~NFT_TABLE_F_MASK)
1034 return -EOPNOTSUPP;
1035 }
1036
1037 err = -ENOMEM;
1038 table = kzalloc(sizeof(*table), GFP_KERNEL);
1039 if (table == NULL)
1040 goto err_kzalloc;
1041
1042 table->name = nla_strdup(attr, GFP_KERNEL);
1043 if (table->name == NULL)
1044 goto err_strdup;
1045
1046 if (nla[NFTA_TABLE_USERDATA]) {
1047 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL);
1048 if (table->udata == NULL)
1049 goto err_table_udata;
1050
1051 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
1052 }
1053
1054 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1055 if (err)
1056 goto err_chain_ht;
1057
1058 INIT_LIST_HEAD(&table->chains);
1059 INIT_LIST_HEAD(&table->sets);
1060 INIT_LIST_HEAD(&table->objects);
1061 INIT_LIST_HEAD(&table->flowtables);
1062 table->family = family;
1063 table->flags = flags;
1064 table->handle = ++table_handle;
1065 if (table->flags & NFT_TABLE_F_OWNER)
1066 table->nlpid = NETLINK_CB(skb).portid;
1067
1068 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
1069 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1070 if (err < 0)
1071 goto err_trans;
1072
1073 list_add_tail_rcu(&table->list, &net->nft.tables);
1074 return 0;
1075 err_trans:
1076 rhltable_destroy(&table->chains_ht);
1077 err_chain_ht:
1078 kfree(table->udata);
1079 err_table_udata:
1080 kfree(table->name);
1081 err_strdup:
1082 kfree(table);
1083 err_kzalloc:
1084 return err;
1085 }
1086
1087 static int nft_flush_table(struct nft_ctx *ctx)
1088 {
1089 struct nft_flowtable *flowtable, *nft;
1090 struct nft_chain *chain, *nc;
1091 struct nft_object *obj, *ne;
1092 struct nft_set *set, *ns;
1093 int err;
1094
1095 list_for_each_entry(chain, &ctx->table->chains, list) {
1096 if (!nft_is_active_next(ctx->net, chain))
1097 continue;
1098
1099 if (nft_chain_is_bound(chain))
1100 continue;
1101
1102 ctx->chain = chain;
1103
1104 err = nft_delrule_by_chain(ctx);
1105 if (err < 0)
1106 goto out;
1107 }
1108
1109 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1110 if (!nft_is_active_next(ctx->net, set))
1111 continue;
1112
1113 if (nft_set_is_anonymous(set) &&
1114 !list_empty(&set->bindings))
1115 continue;
1116
1117 err = nft_delset(ctx, set);
1118 if (err < 0)
1119 goto out;
1120 }
1121
1122 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1123 if (!nft_is_active_next(ctx->net, flowtable))
1124 continue;
1125
1126 err = nft_delflowtable(ctx, flowtable);
1127 if (err < 0)
1128 goto out;
1129 }
1130
1131 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1132 if (!nft_is_active_next(ctx->net, obj))
1133 continue;
1134
1135 err = nft_delobj(ctx, obj);
1136 if (err < 0)
1137 goto out;
1138 }
1139
1140 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1141 if (!nft_is_active_next(ctx->net, chain))
1142 continue;
1143
1144 if (nft_chain_is_bound(chain))
1145 continue;
1146
1147 ctx->chain = chain;
1148
1149 err = nft_delchain(ctx);
1150 if (err < 0)
1151 goto out;
1152 }
1153
1154 err = nft_deltable(ctx);
1155 out:
1156 return err;
1157 }
1158
1159 static int nft_flush(struct nft_ctx *ctx, int family)
1160 {
1161 struct nft_table *table, *nt;
1162 const struct nlattr * const *nla = ctx->nla;
1163 int err = 0;
1164
1165 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1166 if (family != AF_UNSPEC && table->family != family)
1167 continue;
1168
1169 ctx->family = table->family;
1170
1171 if (!nft_is_active_next(ctx->net, table))
1172 continue;
1173
1174 if (nft_table_has_owner(table) && table->nlpid != ctx->portid)
1175 continue;
1176
1177 if (nla[NFTA_TABLE_NAME] &&
1178 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1179 continue;
1180
1181 ctx->table = table;
1182
1183 err = nft_flush_table(ctx);
1184 if (err < 0)
1185 goto out;
1186 }
1187 out:
1188 return err;
1189 }
1190
1191 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1192 struct sk_buff *skb, const struct nlmsghdr *nlh,
1193 const struct nlattr * const nla[],
1194 struct netlink_ext_ack *extack)
1195 {
1196 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1197 u8 genmask = nft_genmask_next(net);
1198 int family = nfmsg->nfgen_family;
1199 const struct nlattr *attr;
1200 struct nft_table *table;
1201 struct nft_ctx ctx;
1202
1203 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1204 if (family == AF_UNSPEC ||
1205 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1206 return nft_flush(&ctx, family);
1207
1208 if (nla[NFTA_TABLE_HANDLE]) {
1209 attr = nla[NFTA_TABLE_HANDLE];
1210 table = nft_table_lookup_byhandle(net, attr, genmask);
1211 } else {
1212 attr = nla[NFTA_TABLE_NAME];
1213 table = nft_table_lookup(net, attr, family, genmask,
1214 NETLINK_CB(skb).portid);
1215 }
1216
1217 if (IS_ERR(table)) {
1218 NL_SET_BAD_ATTR(extack, attr);
1219 return PTR_ERR(table);
1220 }
1221
1222 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1223 table->use > 0)
1224 return -EBUSY;
1225
1226 ctx.family = family;
1227 ctx.table = table;
1228
1229 return nft_flush_table(&ctx);
1230 }
1231
1232 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1233 {
1234 if (WARN_ON(ctx->table->use > 0))
1235 return;
1236
1237 rhltable_destroy(&ctx->table->chains_ht);
1238 kfree(ctx->table->name);
1239 kfree(ctx->table->udata);
1240 kfree(ctx->table);
1241 }
1242
1243 void nft_register_chain_type(const struct nft_chain_type *ctype)
1244 {
1245 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1246 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1247 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1248 return;
1249 }
1250 chain_type[ctype->family][ctype->type] = ctype;
1251 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1252 }
1253 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1254
1255 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1256 {
1257 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1258 chain_type[ctype->family][ctype->type] = NULL;
1259 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1260 }
1261 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1262
1263 /*
1264 * Chains
1265 */
1266
1267 static struct nft_chain *
1268 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1269 {
1270 struct nft_chain *chain;
1271
1272 list_for_each_entry(chain, &table->chains, list) {
1273 if (chain->handle == handle &&
1274 nft_active_genmask(chain, genmask))
1275 return chain;
1276 }
1277
1278 return ERR_PTR(-ENOENT);
1279 }
1280
1281 static bool lockdep_commit_lock_is_held(const struct net *net)
1282 {
1283 #ifdef CONFIG_PROVE_LOCKING
1284 return lockdep_is_held(&net->nft.commit_mutex);
1285 #else
1286 return true;
1287 #endif
1288 }
1289
1290 static struct nft_chain *nft_chain_lookup(struct net *net,
1291 struct nft_table *table,
1292 const struct nlattr *nla, u8 genmask)
1293 {
1294 char search[NFT_CHAIN_MAXNAMELEN + 1];
1295 struct rhlist_head *tmp, *list;
1296 struct nft_chain *chain;
1297
1298 if (nla == NULL)
1299 return ERR_PTR(-EINVAL);
1300
1301 nla_strscpy(search, nla, sizeof(search));
1302
1303 WARN_ON(!rcu_read_lock_held() &&
1304 !lockdep_commit_lock_is_held(net));
1305
1306 chain = ERR_PTR(-ENOENT);
1307 rcu_read_lock();
1308 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1309 if (!list)
1310 goto out_unlock;
1311
1312 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1313 if (nft_active_genmask(chain, genmask))
1314 goto out_unlock;
1315 }
1316 chain = ERR_PTR(-ENOENT);
1317 out_unlock:
1318 rcu_read_unlock();
1319 return chain;
1320 }
1321
1322 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1323 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1324 .len = NFT_TABLE_MAXNAMELEN - 1 },
1325 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1326 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1327 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1328 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1329 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1330 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1331 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1332 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1333 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1334 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1335 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
1336 .len = NFT_USERDATA_MAXLEN },
1337 };
1338
1339 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1340 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1341 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1342 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1343 .len = IFNAMSIZ - 1 },
1344 };
1345
1346 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1347 {
1348 struct nft_stats *cpu_stats, total;
1349 struct nlattr *nest;
1350 unsigned int seq;
1351 u64 pkts, bytes;
1352 int cpu;
1353
1354 if (!stats)
1355 return 0;
1356
1357 memset(&total, 0, sizeof(total));
1358 for_each_possible_cpu(cpu) {
1359 cpu_stats = per_cpu_ptr(stats, cpu);
1360 do {
1361 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1362 pkts = cpu_stats->pkts;
1363 bytes = cpu_stats->bytes;
1364 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1365 total.pkts += pkts;
1366 total.bytes += bytes;
1367 }
1368 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1369 if (nest == NULL)
1370 goto nla_put_failure;
1371
1372 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1373 NFTA_COUNTER_PAD) ||
1374 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1375 NFTA_COUNTER_PAD))
1376 goto nla_put_failure;
1377
1378 nla_nest_end(skb, nest);
1379 return 0;
1380
1381 nla_put_failure:
1382 return -ENOSPC;
1383 }
1384
1385 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1386 const struct nft_base_chain *basechain)
1387 {
1388 const struct nf_hook_ops *ops = &basechain->ops;
1389 struct nft_hook *hook, *first = NULL;
1390 struct nlattr *nest, *nest_devs;
1391 int n = 0;
1392
1393 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1394 if (nest == NULL)
1395 goto nla_put_failure;
1396 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1397 goto nla_put_failure;
1398 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1399 goto nla_put_failure;
1400
1401 if (nft_base_chain_netdev(family, ops->hooknum)) {
1402 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1403 list_for_each_entry(hook, &basechain->hook_list, list) {
1404 if (!first)
1405 first = hook;
1406
1407 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1408 hook->ops.dev->name))
1409 goto nla_put_failure;
1410 n++;
1411 }
1412 nla_nest_end(skb, nest_devs);
1413
1414 if (n == 1 &&
1415 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1416 goto nla_put_failure;
1417 }
1418 nla_nest_end(skb, nest);
1419
1420 return 0;
1421 nla_put_failure:
1422 return -1;
1423 }
1424
1425 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1426 u32 portid, u32 seq, int event, u32 flags,
1427 int family, const struct nft_table *table,
1428 const struct nft_chain *chain)
1429 {
1430 struct nlmsghdr *nlh;
1431 struct nfgenmsg *nfmsg;
1432
1433 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1434 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1435 if (nlh == NULL)
1436 goto nla_put_failure;
1437
1438 nfmsg = nlmsg_data(nlh);
1439 nfmsg->nfgen_family = family;
1440 nfmsg->version = NFNETLINK_V0;
1441 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1442
1443 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1444 goto nla_put_failure;
1445 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1446 NFTA_CHAIN_PAD))
1447 goto nla_put_failure;
1448 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1449 goto nla_put_failure;
1450
1451 if (nft_is_base_chain(chain)) {
1452 const struct nft_base_chain *basechain = nft_base_chain(chain);
1453 struct nft_stats __percpu *stats;
1454
1455 if (nft_dump_basechain_hook(skb, family, basechain))
1456 goto nla_put_failure;
1457
1458 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1459 htonl(basechain->policy)))
1460 goto nla_put_failure;
1461
1462 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1463 goto nla_put_failure;
1464
1465 stats = rcu_dereference_check(basechain->stats,
1466 lockdep_commit_lock_is_held(net));
1467 if (nft_dump_stats(skb, stats))
1468 goto nla_put_failure;
1469 }
1470
1471 if (chain->flags &&
1472 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
1473 goto nla_put_failure;
1474
1475 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1476 goto nla_put_failure;
1477
1478 if (chain->udata &&
1479 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
1480 goto nla_put_failure;
1481
1482 nlmsg_end(skb, nlh);
1483 return 0;
1484
1485 nla_put_failure:
1486 nlmsg_trim(skb, nlh);
1487 return -1;
1488 }
1489
1490 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1491 {
1492 struct sk_buff *skb;
1493 int err;
1494 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
1495 ctx->table->name, ctx->table->handle,
1496 ctx->chain->name, ctx->chain->handle);
1497
1498 audit_log_nfcfg(buf,
1499 ctx->family,
1500 ctx->chain->use,
1501 event == NFT_MSG_NEWCHAIN ?
1502 AUDIT_NFT_OP_CHAIN_REGISTER :
1503 AUDIT_NFT_OP_CHAIN_UNREGISTER,
1504 GFP_KERNEL);
1505 kfree(buf);
1506
1507 if (!ctx->report &&
1508 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1509 return;
1510
1511 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1512 if (skb == NULL)
1513 goto err;
1514
1515 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1516 event, 0, ctx->family, ctx->table,
1517 ctx->chain);
1518 if (err < 0) {
1519 kfree_skb(skb);
1520 goto err;
1521 }
1522
1523 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
1524 return;
1525 err:
1526 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1527 }
1528
1529 static int nf_tables_dump_chains(struct sk_buff *skb,
1530 struct netlink_callback *cb)
1531 {
1532 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1533 const struct nft_table *table;
1534 const struct nft_chain *chain;
1535 unsigned int idx = 0, s_idx = cb->args[0];
1536 struct net *net = sock_net(skb->sk);
1537 int family = nfmsg->nfgen_family;
1538
1539 rcu_read_lock();
1540 cb->seq = net->nft.base_seq;
1541
1542 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1543 if (family != NFPROTO_UNSPEC && family != table->family)
1544 continue;
1545
1546 list_for_each_entry_rcu(chain, &table->chains, list) {
1547 if (idx < s_idx)
1548 goto cont;
1549 if (idx > s_idx)
1550 memset(&cb->args[1], 0,
1551 sizeof(cb->args) - sizeof(cb->args[0]));
1552 if (!nft_is_active(net, chain))
1553 continue;
1554 if (nf_tables_fill_chain_info(skb, net,
1555 NETLINK_CB(cb->skb).portid,
1556 cb->nlh->nlmsg_seq,
1557 NFT_MSG_NEWCHAIN,
1558 NLM_F_MULTI,
1559 table->family, table,
1560 chain) < 0)
1561 goto done;
1562
1563 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1564 cont:
1565 idx++;
1566 }
1567 }
1568 done:
1569 rcu_read_unlock();
1570 cb->args[0] = idx;
1571 return skb->len;
1572 }
1573
1574 /* called with rcu_read_lock held */
1575 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1576 struct sk_buff *skb, const struct nlmsghdr *nlh,
1577 const struct nlattr * const nla[],
1578 struct netlink_ext_ack *extack)
1579 {
1580 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1581 u8 genmask = nft_genmask_cur(net);
1582 const struct nft_chain *chain;
1583 struct nft_table *table;
1584 struct sk_buff *skb2;
1585 int family = nfmsg->nfgen_family;
1586 int err;
1587
1588 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1589 struct netlink_dump_control c = {
1590 .dump = nf_tables_dump_chains,
1591 .module = THIS_MODULE,
1592 };
1593
1594 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1595 }
1596
1597 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0);
1598 if (IS_ERR(table)) {
1599 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1600 return PTR_ERR(table);
1601 }
1602
1603 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1604 if (IS_ERR(chain)) {
1605 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1606 return PTR_ERR(chain);
1607 }
1608
1609 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1610 if (!skb2)
1611 return -ENOMEM;
1612
1613 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1614 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1615 family, table, chain);
1616 if (err < 0)
1617 goto err_fill_chain_info;
1618
1619 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1620
1621 err_fill_chain_info:
1622 kfree_skb(skb2);
1623 return err;
1624 }
1625
1626 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1627 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1628 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1629 };
1630
1631 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1632 {
1633 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1634 struct nft_stats __percpu *newstats;
1635 struct nft_stats *stats;
1636 int err;
1637
1638 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1639 nft_counter_policy, NULL);
1640 if (err < 0)
1641 return ERR_PTR(err);
1642
1643 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1644 return ERR_PTR(-EINVAL);
1645
1646 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1647 if (newstats == NULL)
1648 return ERR_PTR(-ENOMEM);
1649
1650 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1651 * are not exposed to userspace.
1652 */
1653 preempt_disable();
1654 stats = this_cpu_ptr(newstats);
1655 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1656 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1657 preempt_enable();
1658
1659 return newstats;
1660 }
1661
1662 static void nft_chain_stats_replace(struct nft_trans *trans)
1663 {
1664 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1665
1666 if (!nft_trans_chain_stats(trans))
1667 return;
1668
1669 nft_trans_chain_stats(trans) =
1670 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
1671 lockdep_commit_lock_is_held(trans->ctx.net));
1672
1673 if (!nft_trans_chain_stats(trans))
1674 static_branch_inc(&nft_counters_enabled);
1675 }
1676
1677 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1678 {
1679 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1680 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1681
1682 if (g0 != g1)
1683 kvfree(g1);
1684 kvfree(g0);
1685
1686 /* should be NULL either via abort or via successful commit */
1687 WARN_ON_ONCE(chain->rules_next);
1688 kvfree(chain->rules_next);
1689 }
1690
1691 void nf_tables_chain_destroy(struct nft_ctx *ctx)
1692 {
1693 struct nft_chain *chain = ctx->chain;
1694 struct nft_hook *hook, *next;
1695
1696 if (WARN_ON(chain->use > 0))
1697 return;
1698
1699 /* no concurrent access possible anymore */
1700 nf_tables_chain_free_chain_rules(chain);
1701
1702 if (nft_is_base_chain(chain)) {
1703 struct nft_base_chain *basechain = nft_base_chain(chain);
1704
1705 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
1706 list_for_each_entry_safe(hook, next,
1707 &basechain->hook_list, list) {
1708 list_del_rcu(&hook->list);
1709 kfree_rcu(hook, rcu);
1710 }
1711 }
1712 module_put(basechain->type->owner);
1713 if (rcu_access_pointer(basechain->stats)) {
1714 static_branch_dec(&nft_counters_enabled);
1715 free_percpu(rcu_dereference_raw(basechain->stats));
1716 }
1717 kfree(chain->name);
1718 kfree(chain->udata);
1719 kfree(basechain);
1720 } else {
1721 kfree(chain->name);
1722 kfree(chain->udata);
1723 kfree(chain);
1724 }
1725 }
1726
1727 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
1728 const struct nlattr *attr)
1729 {
1730 struct net_device *dev;
1731 char ifname[IFNAMSIZ];
1732 struct nft_hook *hook;
1733 int err;
1734
1735 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL);
1736 if (!hook) {
1737 err = -ENOMEM;
1738 goto err_hook_alloc;
1739 }
1740
1741 nla_strscpy(ifname, attr, IFNAMSIZ);
1742 /* nf_tables_netdev_event() is called under rtnl_mutex, this is
1743 * indirectly serializing all the other holders of the commit_mutex with
1744 * the rtnl_mutex.
1745 */
1746 dev = __dev_get_by_name(net, ifname);
1747 if (!dev) {
1748 err = -ENOENT;
1749 goto err_hook_dev;
1750 }
1751 hook->ops.dev = dev;
1752 hook->inactive = false;
1753
1754 return hook;
1755
1756 err_hook_dev:
1757 kfree(hook);
1758 err_hook_alloc:
1759 return ERR_PTR(err);
1760 }
1761
1762 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
1763 const struct nft_hook *this)
1764 {
1765 struct nft_hook *hook;
1766
1767 list_for_each_entry(hook, hook_list, list) {
1768 if (this->ops.dev == hook->ops.dev)
1769 return hook;
1770 }
1771
1772 return NULL;
1773 }
1774
1775 static int nf_tables_parse_netdev_hooks(struct net *net,
1776 const struct nlattr *attr,
1777 struct list_head *hook_list)
1778 {
1779 struct nft_hook *hook, *next;
1780 const struct nlattr *tmp;
1781 int rem, n = 0, err;
1782
1783 nla_for_each_nested(tmp, attr, rem) {
1784 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
1785 err = -EINVAL;
1786 goto err_hook;
1787 }
1788
1789 hook = nft_netdev_hook_alloc(net, tmp);
1790 if (IS_ERR(hook)) {
1791 err = PTR_ERR(hook);
1792 goto err_hook;
1793 }
1794 if (nft_hook_list_find(hook_list, hook)) {
1795 kfree(hook);
1796 err = -EEXIST;
1797 goto err_hook;
1798 }
1799 list_add_tail(&hook->list, hook_list);
1800 n++;
1801
1802 if (n == NFT_NETDEVICE_MAX) {
1803 err = -EFBIG;
1804 goto err_hook;
1805 }
1806 }
1807
1808 return 0;
1809
1810 err_hook:
1811 list_for_each_entry_safe(hook, next, hook_list, list) {
1812 list_del(&hook->list);
1813 kfree(hook);
1814 }
1815 return err;
1816 }
1817
1818 struct nft_chain_hook {
1819 u32 num;
1820 s32 priority;
1821 const struct nft_chain_type *type;
1822 struct list_head list;
1823 };
1824
1825 static int nft_chain_parse_netdev(struct net *net,
1826 struct nlattr *tb[],
1827 struct list_head *hook_list)
1828 {
1829 struct nft_hook *hook;
1830 int err;
1831
1832 if (tb[NFTA_HOOK_DEV]) {
1833 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
1834 if (IS_ERR(hook))
1835 return PTR_ERR(hook);
1836
1837 list_add_tail(&hook->list, hook_list);
1838 } else if (tb[NFTA_HOOK_DEVS]) {
1839 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
1840 hook_list);
1841 if (err < 0)
1842 return err;
1843
1844 if (list_empty(hook_list))
1845 return -EINVAL;
1846 } else {
1847 return -EINVAL;
1848 }
1849
1850 return 0;
1851 }
1852
1853 static int nft_chain_parse_hook(struct net *net,
1854 const struct nlattr * const nla[],
1855 struct nft_chain_hook *hook, u8 family,
1856 bool autoload)
1857 {
1858 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1859 const struct nft_chain_type *type;
1860 int err;
1861
1862 lockdep_assert_held(&net->nft.commit_mutex);
1863 lockdep_nfnl_nft_mutex_not_held();
1864
1865 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
1866 nla[NFTA_CHAIN_HOOK],
1867 nft_hook_policy, NULL);
1868 if (err < 0)
1869 return err;
1870
1871 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1872 ha[NFTA_HOOK_PRIORITY] == NULL)
1873 return -EINVAL;
1874
1875 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1876 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1877
1878 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
1879 if (!type)
1880 return -EOPNOTSUPP;
1881
1882 if (nla[NFTA_CHAIN_TYPE]) {
1883 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1884 family, autoload);
1885 if (IS_ERR(type))
1886 return PTR_ERR(type);
1887 }
1888 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1889 return -EOPNOTSUPP;
1890
1891 if (type->type == NFT_CHAIN_T_NAT &&
1892 hook->priority <= NF_IP_PRI_CONNTRACK)
1893 return -EOPNOTSUPP;
1894
1895 if (!try_module_get(type->owner))
1896 return -ENOENT;
1897
1898 hook->type = type;
1899
1900 INIT_LIST_HEAD(&hook->list);
1901 if (nft_base_chain_netdev(family, hook->num)) {
1902 err = nft_chain_parse_netdev(net, ha, &hook->list);
1903 if (err < 0) {
1904 module_put(type->owner);
1905 return err;
1906 }
1907 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
1908 module_put(type->owner);
1909 return -EOPNOTSUPP;
1910 }
1911
1912 return 0;
1913 }
1914
1915 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1916 {
1917 struct nft_hook *h, *next;
1918
1919 list_for_each_entry_safe(h, next, &hook->list, list) {
1920 list_del(&h->list);
1921 kfree(h);
1922 }
1923 module_put(hook->type->owner);
1924 }
1925
1926 struct nft_rules_old {
1927 struct rcu_head h;
1928 struct nft_rule **start;
1929 };
1930
1931 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1932 unsigned int alloc)
1933 {
1934 if (alloc > INT_MAX)
1935 return NULL;
1936
1937 alloc += 1; /* NULL, ends rules */
1938 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1939 return NULL;
1940
1941 alloc *= sizeof(struct nft_rule *);
1942 alloc += sizeof(struct nft_rules_old);
1943
1944 return kvmalloc(alloc, GFP_KERNEL);
1945 }
1946
1947 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
1948 const struct nft_chain_hook *hook,
1949 struct nft_chain *chain)
1950 {
1951 ops->pf = family;
1952 ops->hooknum = hook->num;
1953 ops->priority = hook->priority;
1954 ops->priv = chain;
1955 ops->hook = hook->type->hooks[ops->hooknum];
1956 }
1957
1958 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
1959 struct nft_chain_hook *hook, u32 flags)
1960 {
1961 struct nft_chain *chain;
1962 struct nft_hook *h;
1963
1964 basechain->type = hook->type;
1965 INIT_LIST_HEAD(&basechain->hook_list);
1966 chain = &basechain->chain;
1967
1968 if (nft_base_chain_netdev(family, hook->num)) {
1969 list_splice_init(&hook->list, &basechain->hook_list);
1970 list_for_each_entry(h, &basechain->hook_list, list)
1971 nft_basechain_hook_init(&h->ops, family, hook, chain);
1972
1973 basechain->ops.hooknum = hook->num;
1974 basechain->ops.priority = hook->priority;
1975 } else {
1976 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
1977 }
1978
1979 chain->flags |= NFT_CHAIN_BASE | flags;
1980 basechain->policy = NF_ACCEPT;
1981 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
1982 nft_chain_offload_priority(basechain) < 0)
1983 return -EOPNOTSUPP;
1984
1985 flow_block_init(&basechain->flow_block);
1986
1987 return 0;
1988 }
1989
1990 static int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
1991 {
1992 int err;
1993
1994 err = rhltable_insert_key(&table->chains_ht, chain->name,
1995 &chain->rhlhead, nft_chain_ht_params);
1996 if (err)
1997 return err;
1998
1999 list_add_tail_rcu(&chain->list, &table->chains);
2000
2001 return 0;
2002 }
2003
2004 static u64 chain_id;
2005
2006 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
2007 u8 policy, u32 flags)
2008 {
2009 const struct nlattr * const *nla = ctx->nla;
2010 struct nft_table *table = ctx->table;
2011 struct nft_base_chain *basechain;
2012 struct nft_stats __percpu *stats;
2013 struct net *net = ctx->net;
2014 char name[NFT_NAME_MAXLEN];
2015 struct nft_trans *trans;
2016 struct nft_chain *chain;
2017 struct nft_rule **rules;
2018 int err;
2019
2020 if (table->use == UINT_MAX)
2021 return -EOVERFLOW;
2022
2023 if (nla[NFTA_CHAIN_HOOK]) {
2024 struct nft_chain_hook hook;
2025
2026 if (flags & NFT_CHAIN_BINDING)
2027 return -EOPNOTSUPP;
2028
2029 err = nft_chain_parse_hook(net, nla, &hook, family, true);
2030 if (err < 0)
2031 return err;
2032
2033 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
2034 if (basechain == NULL) {
2035 nft_chain_release_hook(&hook);
2036 return -ENOMEM;
2037 }
2038 chain = &basechain->chain;
2039
2040 if (nla[NFTA_CHAIN_COUNTERS]) {
2041 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2042 if (IS_ERR(stats)) {
2043 nft_chain_release_hook(&hook);
2044 kfree(basechain);
2045 return PTR_ERR(stats);
2046 }
2047 rcu_assign_pointer(basechain->stats, stats);
2048 static_branch_inc(&nft_counters_enabled);
2049 }
2050
2051 err = nft_basechain_init(basechain, family, &hook, flags);
2052 if (err < 0) {
2053 nft_chain_release_hook(&hook);
2054 kfree(basechain);
2055 return err;
2056 }
2057 } else {
2058 if (flags & NFT_CHAIN_BASE)
2059 return -EINVAL;
2060 if (flags & NFT_CHAIN_HW_OFFLOAD)
2061 return -EOPNOTSUPP;
2062
2063 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
2064 if (chain == NULL)
2065 return -ENOMEM;
2066
2067 chain->flags = flags;
2068 }
2069 ctx->chain = chain;
2070
2071 INIT_LIST_HEAD(&chain->rules);
2072 chain->handle = nf_tables_alloc_handle(table);
2073 chain->table = table;
2074
2075 if (nla[NFTA_CHAIN_NAME]) {
2076 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2077 } else {
2078 if (!(flags & NFT_CHAIN_BINDING)) {
2079 err = -EINVAL;
2080 goto err_destroy_chain;
2081 }
2082
2083 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2084 chain->name = kstrdup(name, GFP_KERNEL);
2085 }
2086
2087 if (!chain->name) {
2088 err = -ENOMEM;
2089 goto err_destroy_chain;
2090 }
2091
2092 if (nla[NFTA_CHAIN_USERDATA]) {
2093 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL);
2094 if (chain->udata == NULL) {
2095 err = -ENOMEM;
2096 goto err_destroy_chain;
2097 }
2098 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
2099 }
2100
2101 rules = nf_tables_chain_alloc_rules(chain, 0);
2102 if (!rules) {
2103 err = -ENOMEM;
2104 goto err_destroy_chain;
2105 }
2106
2107 *rules = NULL;
2108 rcu_assign_pointer(chain->rules_gen_0, rules);
2109 rcu_assign_pointer(chain->rules_gen_1, rules);
2110
2111 err = nf_tables_register_hook(net, table, chain);
2112 if (err < 0)
2113 goto err_destroy_chain;
2114
2115 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2116 if (IS_ERR(trans)) {
2117 err = PTR_ERR(trans);
2118 goto err_unregister_hook;
2119 }
2120
2121 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2122 if (nft_is_base_chain(chain))
2123 nft_trans_chain_policy(trans) = policy;
2124
2125 err = nft_chain_add(table, chain);
2126 if (err < 0) {
2127 nft_trans_destroy(trans);
2128 goto err_unregister_hook;
2129 }
2130
2131 table->use++;
2132
2133 return 0;
2134 err_unregister_hook:
2135 nf_tables_unregister_hook(net, table, chain);
2136 err_destroy_chain:
2137 nf_tables_chain_destroy(ctx);
2138
2139 return err;
2140 }
2141
2142 static bool nft_hook_list_equal(struct list_head *hook_list1,
2143 struct list_head *hook_list2)
2144 {
2145 struct nft_hook *hook;
2146 int n = 0, m = 0;
2147
2148 n = 0;
2149 list_for_each_entry(hook, hook_list2, list) {
2150 if (!nft_hook_list_find(hook_list1, hook))
2151 return false;
2152
2153 n++;
2154 }
2155 list_for_each_entry(hook, hook_list1, list)
2156 m++;
2157
2158 return n == m;
2159 }
2160
2161 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2162 u32 flags, const struct nlattr *attr,
2163 struct netlink_ext_ack *extack)
2164 {
2165 const struct nlattr * const *nla = ctx->nla;
2166 struct nft_table *table = ctx->table;
2167 struct nft_chain *chain = ctx->chain;
2168 struct nft_base_chain *basechain;
2169 struct nft_stats *stats = NULL;
2170 struct nft_chain_hook hook;
2171 struct nf_hook_ops *ops;
2172 struct nft_trans *trans;
2173 int err;
2174
2175 if (chain->flags ^ flags)
2176 return -EOPNOTSUPP;
2177
2178 if (nla[NFTA_CHAIN_HOOK]) {
2179 if (!nft_is_base_chain(chain)) {
2180 NL_SET_BAD_ATTR(extack, attr);
2181 return -EEXIST;
2182 }
2183 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
2184 false);
2185 if (err < 0)
2186 return err;
2187
2188 basechain = nft_base_chain(chain);
2189 if (basechain->type != hook.type) {
2190 nft_chain_release_hook(&hook);
2191 NL_SET_BAD_ATTR(extack, attr);
2192 return -EEXIST;
2193 }
2194
2195 if (nft_base_chain_netdev(ctx->family, hook.num)) {
2196 if (!nft_hook_list_equal(&basechain->hook_list,
2197 &hook.list)) {
2198 nft_chain_release_hook(&hook);
2199 NL_SET_BAD_ATTR(extack, attr);
2200 return -EEXIST;
2201 }
2202 } else {
2203 ops = &basechain->ops;
2204 if (ops->hooknum != hook.num ||
2205 ops->priority != hook.priority) {
2206 nft_chain_release_hook(&hook);
2207 NL_SET_BAD_ATTR(extack, attr);
2208 return -EEXIST;
2209 }
2210 }
2211 nft_chain_release_hook(&hook);
2212 }
2213
2214 if (nla[NFTA_CHAIN_HANDLE] &&
2215 nla[NFTA_CHAIN_NAME]) {
2216 struct nft_chain *chain2;
2217
2218 chain2 = nft_chain_lookup(ctx->net, table,
2219 nla[NFTA_CHAIN_NAME], genmask);
2220 if (!IS_ERR(chain2)) {
2221 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2222 return -EEXIST;
2223 }
2224 }
2225
2226 if (nla[NFTA_CHAIN_COUNTERS]) {
2227 if (!nft_is_base_chain(chain))
2228 return -EOPNOTSUPP;
2229
2230 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2231 if (IS_ERR(stats))
2232 return PTR_ERR(stats);
2233 }
2234
2235 err = -ENOMEM;
2236 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2237 sizeof(struct nft_trans_chain));
2238 if (trans == NULL)
2239 goto err;
2240
2241 nft_trans_chain_stats(trans) = stats;
2242 nft_trans_chain_update(trans) = true;
2243
2244 if (nla[NFTA_CHAIN_POLICY])
2245 nft_trans_chain_policy(trans) = policy;
2246 else
2247 nft_trans_chain_policy(trans) = -1;
2248
2249 if (nla[NFTA_CHAIN_HANDLE] &&
2250 nla[NFTA_CHAIN_NAME]) {
2251 struct nft_trans *tmp;
2252 char *name;
2253
2254 err = -ENOMEM;
2255 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2256 if (!name)
2257 goto err;
2258
2259 err = -EEXIST;
2260 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
2261 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2262 tmp->ctx.table == table &&
2263 nft_trans_chain_update(tmp) &&
2264 nft_trans_chain_name(tmp) &&
2265 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2266 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2267 kfree(name);
2268 goto err;
2269 }
2270 }
2271
2272 nft_trans_chain_name(trans) = name;
2273 }
2274 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
2275
2276 return 0;
2277 err:
2278 free_percpu(stats);
2279 kfree(trans);
2280 return err;
2281 }
2282
2283 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2284 const struct nlattr *nla)
2285 {
2286 u32 id = ntohl(nla_get_be32(nla));
2287 struct nft_trans *trans;
2288
2289 list_for_each_entry(trans, &net->nft.commit_list, list) {
2290 struct nft_chain *chain = trans->ctx.chain;
2291
2292 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2293 id == nft_trans_chain_id(trans))
2294 return chain;
2295 }
2296 return ERR_PTR(-ENOENT);
2297 }
2298
2299 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
2300 struct sk_buff *skb, const struct nlmsghdr *nlh,
2301 const struct nlattr * const nla[],
2302 struct netlink_ext_ack *extack)
2303 {
2304 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2305 u8 genmask = nft_genmask_next(net);
2306 int family = nfmsg->nfgen_family;
2307 struct nft_chain *chain = NULL;
2308 const struct nlattr *attr;
2309 struct nft_table *table;
2310 u8 policy = NF_ACCEPT;
2311 struct nft_ctx ctx;
2312 u64 handle = 0;
2313 u32 flags = 0;
2314
2315 lockdep_assert_held(&net->nft.commit_mutex);
2316
2317 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2318 NETLINK_CB(skb).portid);
2319 if (IS_ERR(table)) {
2320 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2321 return PTR_ERR(table);
2322 }
2323
2324 chain = NULL;
2325 attr = nla[NFTA_CHAIN_NAME];
2326
2327 if (nla[NFTA_CHAIN_HANDLE]) {
2328 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2329 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2330 if (IS_ERR(chain)) {
2331 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2332 return PTR_ERR(chain);
2333 }
2334 attr = nla[NFTA_CHAIN_HANDLE];
2335 } else if (nla[NFTA_CHAIN_NAME]) {
2336 chain = nft_chain_lookup(net, table, attr, genmask);
2337 if (IS_ERR(chain)) {
2338 if (PTR_ERR(chain) != -ENOENT) {
2339 NL_SET_BAD_ATTR(extack, attr);
2340 return PTR_ERR(chain);
2341 }
2342 chain = NULL;
2343 }
2344 } else if (!nla[NFTA_CHAIN_ID]) {
2345 return -EINVAL;
2346 }
2347
2348 if (nla[NFTA_CHAIN_POLICY]) {
2349 if (chain != NULL &&
2350 !nft_is_base_chain(chain)) {
2351 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2352 return -EOPNOTSUPP;
2353 }
2354
2355 if (chain == NULL &&
2356 nla[NFTA_CHAIN_HOOK] == NULL) {
2357 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2358 return -EOPNOTSUPP;
2359 }
2360
2361 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2362 switch (policy) {
2363 case NF_DROP:
2364 case NF_ACCEPT:
2365 break;
2366 default:
2367 return -EINVAL;
2368 }
2369 }
2370
2371 if (nla[NFTA_CHAIN_FLAGS])
2372 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2373 else if (chain)
2374 flags = chain->flags;
2375
2376 if (flags & ~NFT_CHAIN_FLAGS)
2377 return -EOPNOTSUPP;
2378
2379 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2380
2381 if (chain != NULL) {
2382 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2383 NL_SET_BAD_ATTR(extack, attr);
2384 return -EEXIST;
2385 }
2386 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2387 return -EOPNOTSUPP;
2388
2389 flags |= chain->flags & NFT_CHAIN_BASE;
2390 return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
2391 extack);
2392 }
2393
2394 return nf_tables_addchain(&ctx, family, genmask, policy, flags);
2395 }
2396
2397 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
2398 struct sk_buff *skb, const struct nlmsghdr *nlh,
2399 const struct nlattr * const nla[],
2400 struct netlink_ext_ack *extack)
2401 {
2402 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2403 u8 genmask = nft_genmask_next(net);
2404 int family = nfmsg->nfgen_family;
2405 const struct nlattr *attr;
2406 struct nft_table *table;
2407 struct nft_chain *chain;
2408 struct nft_rule *rule;
2409 struct nft_ctx ctx;
2410 u64 handle;
2411 u32 use;
2412 int err;
2413
2414 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2415 NETLINK_CB(skb).portid);
2416 if (IS_ERR(table)) {
2417 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2418 return PTR_ERR(table);
2419 }
2420
2421 if (nla[NFTA_CHAIN_HANDLE]) {
2422 attr = nla[NFTA_CHAIN_HANDLE];
2423 handle = be64_to_cpu(nla_get_be64(attr));
2424 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2425 } else {
2426 attr = nla[NFTA_CHAIN_NAME];
2427 chain = nft_chain_lookup(net, table, attr, genmask);
2428 }
2429 if (IS_ERR(chain)) {
2430 NL_SET_BAD_ATTR(extack, attr);
2431 return PTR_ERR(chain);
2432 }
2433
2434 if (nlh->nlmsg_flags & NLM_F_NONREC &&
2435 chain->use > 0)
2436 return -EBUSY;
2437
2438 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2439
2440 use = chain->use;
2441 list_for_each_entry(rule, &chain->rules, list) {
2442 if (!nft_is_active_next(net, rule))
2443 continue;
2444 use--;
2445
2446 err = nft_delrule(&ctx, rule);
2447 if (err < 0)
2448 return err;
2449 }
2450
2451 /* There are rules and elements that are still holding references to us,
2452 * we cannot do a recursive removal in this case.
2453 */
2454 if (use > 0) {
2455 NL_SET_BAD_ATTR(extack, attr);
2456 return -EBUSY;
2457 }
2458
2459 return nft_delchain(&ctx);
2460 }
2461
2462 /*
2463 * Expressions
2464 */
2465
2466 /**
2467 * nft_register_expr - register nf_tables expr type
2468 * @type: expr type
2469 *
2470 * Registers the expr type for use with nf_tables. Returns zero on
2471 * success or a negative errno code otherwise.
2472 */
2473 int nft_register_expr(struct nft_expr_type *type)
2474 {
2475 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2476 if (type->family == NFPROTO_UNSPEC)
2477 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2478 else
2479 list_add_rcu(&type->list, &nf_tables_expressions);
2480 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2481 return 0;
2482 }
2483 EXPORT_SYMBOL_GPL(nft_register_expr);
2484
2485 /**
2486 * nft_unregister_expr - unregister nf_tables expr type
2487 * @type: expr type
2488 *
2489 * Unregisters the expr typefor use with nf_tables.
2490 */
2491 void nft_unregister_expr(struct nft_expr_type *type)
2492 {
2493 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2494 list_del_rcu(&type->list);
2495 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2496 }
2497 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2498
2499 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2500 struct nlattr *nla)
2501 {
2502 const struct nft_expr_type *type, *candidate = NULL;
2503
2504 list_for_each_entry(type, &nf_tables_expressions, list) {
2505 if (!nla_strcmp(nla, type->name)) {
2506 if (!type->family && !candidate)
2507 candidate = type;
2508 else if (type->family == family)
2509 candidate = type;
2510 }
2511 }
2512 return candidate;
2513 }
2514
2515 #ifdef CONFIG_MODULES
2516 static int nft_expr_type_request_module(struct net *net, u8 family,
2517 struct nlattr *nla)
2518 {
2519 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
2520 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
2521 return -EAGAIN;
2522
2523 return 0;
2524 }
2525 #endif
2526
2527 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2528 u8 family,
2529 struct nlattr *nla)
2530 {
2531 const struct nft_expr_type *type;
2532
2533 if (nla == NULL)
2534 return ERR_PTR(-EINVAL);
2535
2536 type = __nft_expr_type_get(family, nla);
2537 if (type != NULL && try_module_get(type->owner))
2538 return type;
2539
2540 lockdep_nfnl_nft_mutex_not_held();
2541 #ifdef CONFIG_MODULES
2542 if (type == NULL) {
2543 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2544 return ERR_PTR(-EAGAIN);
2545
2546 if (nft_request_module(net, "nft-expr-%.*s",
2547 nla_len(nla),
2548 (char *)nla_data(nla)) == -EAGAIN)
2549 return ERR_PTR(-EAGAIN);
2550 }
2551 #endif
2552 return ERR_PTR(-ENOENT);
2553 }
2554
2555 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2556 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
2557 .len = NFT_MODULE_AUTOLOAD_LIMIT },
2558 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2559 };
2560
2561 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2562 const struct nft_expr *expr)
2563 {
2564 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2565 goto nla_put_failure;
2566
2567 if (expr->ops->dump) {
2568 struct nlattr *data = nla_nest_start_noflag(skb,
2569 NFTA_EXPR_DATA);
2570 if (data == NULL)
2571 goto nla_put_failure;
2572 if (expr->ops->dump(skb, expr) < 0)
2573 goto nla_put_failure;
2574 nla_nest_end(skb, data);
2575 }
2576
2577 return skb->len;
2578
2579 nla_put_failure:
2580 return -1;
2581 };
2582
2583 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2584 const struct nft_expr *expr)
2585 {
2586 struct nlattr *nest;
2587
2588 nest = nla_nest_start_noflag(skb, attr);
2589 if (!nest)
2590 goto nla_put_failure;
2591 if (nf_tables_fill_expr_info(skb, expr) < 0)
2592 goto nla_put_failure;
2593 nla_nest_end(skb, nest);
2594 return 0;
2595
2596 nla_put_failure:
2597 return -1;
2598 }
2599
2600 struct nft_expr_info {
2601 const struct nft_expr_ops *ops;
2602 const struct nlattr *attr;
2603 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2604 };
2605
2606 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2607 const struct nlattr *nla,
2608 struct nft_expr_info *info)
2609 {
2610 const struct nft_expr_type *type;
2611 const struct nft_expr_ops *ops;
2612 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2613 int err;
2614
2615 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2616 nft_expr_policy, NULL);
2617 if (err < 0)
2618 return err;
2619
2620 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2621 if (IS_ERR(type))
2622 return PTR_ERR(type);
2623
2624 if (tb[NFTA_EXPR_DATA]) {
2625 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2626 tb[NFTA_EXPR_DATA],
2627 type->policy, NULL);
2628 if (err < 0)
2629 goto err1;
2630 } else
2631 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2632
2633 if (type->select_ops != NULL) {
2634 ops = type->select_ops(ctx,
2635 (const struct nlattr * const *)info->tb);
2636 if (IS_ERR(ops)) {
2637 err = PTR_ERR(ops);
2638 #ifdef CONFIG_MODULES
2639 if (err == -EAGAIN)
2640 if (nft_expr_type_request_module(ctx->net,
2641 ctx->family,
2642 tb[NFTA_EXPR_NAME]) != -EAGAIN)
2643 err = -ENOENT;
2644 #endif
2645 goto err1;
2646 }
2647 } else
2648 ops = type->ops;
2649
2650 info->attr = nla;
2651 info->ops = ops;
2652
2653 return 0;
2654
2655 err1:
2656 module_put(type->owner);
2657 return err;
2658 }
2659
2660 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2661 const struct nft_expr_info *info,
2662 struct nft_expr *expr)
2663 {
2664 const struct nft_expr_ops *ops = info->ops;
2665 int err;
2666
2667 expr->ops = ops;
2668 if (ops->init) {
2669 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2670 if (err < 0)
2671 goto err1;
2672 }
2673
2674 return 0;
2675 err1:
2676 expr->ops = NULL;
2677 return err;
2678 }
2679
2680 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2681 struct nft_expr *expr)
2682 {
2683 const struct nft_expr_type *type = expr->ops->type;
2684
2685 if (expr->ops->destroy)
2686 expr->ops->destroy(ctx, expr);
2687 module_put(type->owner);
2688 }
2689
2690 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2691 const struct nlattr *nla)
2692 {
2693 struct nft_expr_info info;
2694 struct nft_expr *expr;
2695 struct module *owner;
2696 int err;
2697
2698 err = nf_tables_expr_parse(ctx, nla, &info);
2699 if (err < 0)
2700 goto err1;
2701
2702 err = -ENOMEM;
2703 expr = kzalloc(info.ops->size, GFP_KERNEL);
2704 if (expr == NULL)
2705 goto err2;
2706
2707 err = nf_tables_newexpr(ctx, &info, expr);
2708 if (err < 0)
2709 goto err3;
2710
2711 return expr;
2712 err3:
2713 kfree(expr);
2714 err2:
2715 owner = info.ops->type->owner;
2716 if (info.ops->type->release_ops)
2717 info.ops->type->release_ops(info.ops);
2718
2719 module_put(owner);
2720 err1:
2721 return ERR_PTR(err);
2722 }
2723
2724 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
2725 {
2726 int err;
2727
2728 if (src->ops->clone) {
2729 dst->ops = src->ops;
2730 err = src->ops->clone(dst, src);
2731 if (err < 0)
2732 return err;
2733 } else {
2734 memcpy(dst, src, src->ops->size);
2735 }
2736
2737 __module_get(src->ops->type->owner);
2738
2739 return 0;
2740 }
2741
2742 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2743 {
2744 nf_tables_expr_destroy(ctx, expr);
2745 kfree(expr);
2746 }
2747
2748 /*
2749 * Rules
2750 */
2751
2752 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2753 u64 handle)
2754 {
2755 struct nft_rule *rule;
2756
2757 // FIXME: this sucks
2758 list_for_each_entry_rcu(rule, &chain->rules, list) {
2759 if (handle == rule->handle)
2760 return rule;
2761 }
2762
2763 return ERR_PTR(-ENOENT);
2764 }
2765
2766 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2767 const struct nlattr *nla)
2768 {
2769 if (nla == NULL)
2770 return ERR_PTR(-EINVAL);
2771
2772 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2773 }
2774
2775 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2776 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2777 .len = NFT_TABLE_MAXNAMELEN - 1 },
2778 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2779 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2780 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2781 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2782 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2783 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2784 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2785 .len = NFT_USERDATA_MAXLEN },
2786 [NFTA_RULE_ID] = { .type = NLA_U32 },
2787 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2788 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
2789 };
2790
2791 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2792 u32 portid, u32 seq, int event,
2793 u32 flags, int family,
2794 const struct nft_table *table,
2795 const struct nft_chain *chain,
2796 const struct nft_rule *rule,
2797 const struct nft_rule *prule)
2798 {
2799 struct nlmsghdr *nlh;
2800 struct nfgenmsg *nfmsg;
2801 const struct nft_expr *expr, *next;
2802 struct nlattr *list;
2803 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2804
2805 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2806 if (nlh == NULL)
2807 goto nla_put_failure;
2808
2809 nfmsg = nlmsg_data(nlh);
2810 nfmsg->nfgen_family = family;
2811 nfmsg->version = NFNETLINK_V0;
2812 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2813
2814 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2815 goto nla_put_failure;
2816 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2817 goto nla_put_failure;
2818 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2819 NFTA_RULE_PAD))
2820 goto nla_put_failure;
2821
2822 if (event != NFT_MSG_DELRULE && prule) {
2823 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2824 cpu_to_be64(prule->handle),
2825 NFTA_RULE_PAD))
2826 goto nla_put_failure;
2827 }
2828
2829 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
2830 if (list == NULL)
2831 goto nla_put_failure;
2832 nft_rule_for_each_expr(expr, next, rule) {
2833 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2834 goto nla_put_failure;
2835 }
2836 nla_nest_end(skb, list);
2837
2838 if (rule->udata) {
2839 struct nft_userdata *udata = nft_userdata(rule);
2840 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2841 udata->data) < 0)
2842 goto nla_put_failure;
2843 }
2844
2845 nlmsg_end(skb, nlh);
2846 return 0;
2847
2848 nla_put_failure:
2849 nlmsg_trim(skb, nlh);
2850 return -1;
2851 }
2852
2853 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2854 const struct nft_rule *rule, int event)
2855 {
2856 struct sk_buff *skb;
2857 int err;
2858 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
2859 ctx->table->name, ctx->table->handle,
2860 ctx->chain->name, ctx->chain->handle);
2861
2862 audit_log_nfcfg(buf,
2863 ctx->family,
2864 rule->handle,
2865 event == NFT_MSG_NEWRULE ?
2866 AUDIT_NFT_OP_RULE_REGISTER :
2867 AUDIT_NFT_OP_RULE_UNREGISTER,
2868 GFP_KERNEL);
2869 kfree(buf);
2870
2871 if (!ctx->report &&
2872 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2873 return;
2874
2875 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2876 if (skb == NULL)
2877 goto err;
2878
2879 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2880 event, 0, ctx->family, ctx->table,
2881 ctx->chain, rule, NULL);
2882 if (err < 0) {
2883 kfree_skb(skb);
2884 goto err;
2885 }
2886
2887 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
2888 return;
2889 err:
2890 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2891 }
2892
2893 struct nft_rule_dump_ctx {
2894 char *table;
2895 char *chain;
2896 };
2897
2898 static int __nf_tables_dump_rules(struct sk_buff *skb,
2899 unsigned int *idx,
2900 struct netlink_callback *cb,
2901 const struct nft_table *table,
2902 const struct nft_chain *chain)
2903 {
2904 struct net *net = sock_net(skb->sk);
2905 const struct nft_rule *rule, *prule;
2906 unsigned int s_idx = cb->args[0];
2907
2908 prule = NULL;
2909 list_for_each_entry_rcu(rule, &chain->rules, list) {
2910 if (!nft_is_active(net, rule))
2911 goto cont_skip;
2912 if (*idx < s_idx)
2913 goto cont;
2914 if (*idx > s_idx) {
2915 memset(&cb->args[1], 0,
2916 sizeof(cb->args) - sizeof(cb->args[0]));
2917 }
2918 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2919 cb->nlh->nlmsg_seq,
2920 NFT_MSG_NEWRULE,
2921 NLM_F_MULTI | NLM_F_APPEND,
2922 table->family,
2923 table, chain, rule, prule) < 0)
2924 return 1;
2925
2926 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2927 cont:
2928 prule = rule;
2929 cont_skip:
2930 (*idx)++;
2931 }
2932 return 0;
2933 }
2934
2935 static int nf_tables_dump_rules(struct sk_buff *skb,
2936 struct netlink_callback *cb)
2937 {
2938 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2939 const struct nft_rule_dump_ctx *ctx = cb->data;
2940 struct nft_table *table;
2941 const struct nft_chain *chain;
2942 unsigned int idx = 0;
2943 struct net *net = sock_net(skb->sk);
2944 int family = nfmsg->nfgen_family;
2945
2946 rcu_read_lock();
2947 cb->seq = net->nft.base_seq;
2948
2949 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2950 if (family != NFPROTO_UNSPEC && family != table->family)
2951 continue;
2952
2953 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2954 continue;
2955
2956 if (ctx && ctx->table && ctx->chain) {
2957 struct rhlist_head *list, *tmp;
2958
2959 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2960 nft_chain_ht_params);
2961 if (!list)
2962 goto done;
2963
2964 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2965 if (!nft_is_active(net, chain))
2966 continue;
2967 __nf_tables_dump_rules(skb, &idx,
2968 cb, table, chain);
2969 break;
2970 }
2971 goto done;
2972 }
2973
2974 list_for_each_entry_rcu(chain, &table->chains, list) {
2975 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2976 goto done;
2977 }
2978
2979 if (ctx && ctx->table)
2980 break;
2981 }
2982 done:
2983 rcu_read_unlock();
2984
2985 cb->args[0] = idx;
2986 return skb->len;
2987 }
2988
2989 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2990 {
2991 const struct nlattr * const *nla = cb->data;
2992 struct nft_rule_dump_ctx *ctx = NULL;
2993
2994 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2995 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2996 if (!ctx)
2997 return -ENOMEM;
2998
2999 if (nla[NFTA_RULE_TABLE]) {
3000 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
3001 GFP_ATOMIC);
3002 if (!ctx->table) {
3003 kfree(ctx);
3004 return -ENOMEM;
3005 }
3006 }
3007 if (nla[NFTA_RULE_CHAIN]) {
3008 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
3009 GFP_ATOMIC);
3010 if (!ctx->chain) {
3011 kfree(ctx->table);
3012 kfree(ctx);
3013 return -ENOMEM;
3014 }
3015 }
3016 }
3017
3018 cb->data = ctx;
3019 return 0;
3020 }
3021
3022 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3023 {
3024 struct nft_rule_dump_ctx *ctx = cb->data;
3025
3026 if (ctx) {
3027 kfree(ctx->table);
3028 kfree(ctx->chain);
3029 kfree(ctx);
3030 }
3031 return 0;
3032 }
3033
3034 /* called with rcu_read_lock held */
3035 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
3036 struct sk_buff *skb, const struct nlmsghdr *nlh,
3037 const struct nlattr * const nla[],
3038 struct netlink_ext_ack *extack)
3039 {
3040 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3041 u8 genmask = nft_genmask_cur(net);
3042 const struct nft_chain *chain;
3043 const struct nft_rule *rule;
3044 struct nft_table *table;
3045 struct sk_buff *skb2;
3046 int family = nfmsg->nfgen_family;
3047 int err;
3048
3049 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3050 struct netlink_dump_control c = {
3051 .start= nf_tables_dump_rules_start,
3052 .dump = nf_tables_dump_rules,
3053 .done = nf_tables_dump_rules_done,
3054 .module = THIS_MODULE,
3055 .data = (void *)nla,
3056 };
3057
3058 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3059 }
3060
3061 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0);
3062 if (IS_ERR(table)) {
3063 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3064 return PTR_ERR(table);
3065 }
3066
3067 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3068 if (IS_ERR(chain)) {
3069 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3070 return PTR_ERR(chain);
3071 }
3072
3073 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3074 if (IS_ERR(rule)) {
3075 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3076 return PTR_ERR(rule);
3077 }
3078
3079 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3080 if (!skb2)
3081 return -ENOMEM;
3082
3083 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
3084 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3085 family, table, chain, rule, NULL);
3086 if (err < 0)
3087 goto err_fill_rule_info;
3088
3089 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
3090
3091 err_fill_rule_info:
3092 kfree_skb(skb2);
3093 return err;
3094 }
3095
3096 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
3097 struct nft_rule *rule)
3098 {
3099 struct nft_expr *expr, *next;
3100
3101 /*
3102 * Careful: some expressions might not be initialized in case this
3103 * is called on error from nf_tables_newrule().
3104 */
3105 expr = nft_expr_first(rule);
3106 while (nft_expr_more(rule, expr)) {
3107 next = nft_expr_next(expr);
3108 nf_tables_expr_destroy(ctx, expr);
3109 expr = next;
3110 }
3111 kfree(rule);
3112 }
3113
3114 void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3115 {
3116 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
3117 nf_tables_rule_destroy(ctx, rule);
3118 }
3119
3120 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
3121 {
3122 struct nft_expr *expr, *last;
3123 const struct nft_data *data;
3124 struct nft_rule *rule;
3125 int err;
3126
3127 if (ctx->level == NFT_JUMP_STACK_SIZE)
3128 return -EMLINK;
3129
3130 list_for_each_entry(rule, &chain->rules, list) {
3131 if (!nft_is_active_next(ctx->net, rule))
3132 continue;
3133
3134 nft_rule_for_each_expr(expr, last, rule) {
3135 if (!expr->ops->validate)
3136 continue;
3137
3138 err = expr->ops->validate(ctx, expr, &data);
3139 if (err < 0)
3140 return err;
3141 }
3142 }
3143
3144 return 0;
3145 }
3146 EXPORT_SYMBOL_GPL(nft_chain_validate);
3147
3148 static int nft_table_validate(struct net *net, const struct nft_table *table)
3149 {
3150 struct nft_chain *chain;
3151 struct nft_ctx ctx = {
3152 .net = net,
3153 .family = table->family,
3154 };
3155 int err;
3156
3157 list_for_each_entry(chain, &table->chains, list) {
3158 if (!nft_is_base_chain(chain))
3159 continue;
3160
3161 ctx.chain = chain;
3162 err = nft_chain_validate(&ctx, chain);
3163 if (err < 0)
3164 return err;
3165 }
3166
3167 return 0;
3168 }
3169
3170 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3171 const struct nlattr *nla);
3172
3173 #define NFT_RULE_MAXEXPRS 128
3174
3175 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
3176 struct sk_buff *skb, const struct nlmsghdr *nlh,
3177 const struct nlattr * const nla[],
3178 struct netlink_ext_ack *extack)
3179 {
3180 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3181 u8 genmask = nft_genmask_next(net);
3182 struct nft_expr_info *info = NULL;
3183 int family = nfmsg->nfgen_family;
3184 struct nft_flow_rule *flow;
3185 struct nft_table *table;
3186 struct nft_chain *chain;
3187 struct nft_rule *rule, *old_rule = NULL;
3188 struct nft_userdata *udata;
3189 struct nft_trans *trans = NULL;
3190 struct nft_expr *expr;
3191 struct nft_ctx ctx;
3192 struct nlattr *tmp;
3193 unsigned int size, i, n, ulen = 0, usize = 0;
3194 int err, rem;
3195 u64 handle, pos_handle;
3196
3197 lockdep_assert_held(&net->nft.commit_mutex);
3198
3199 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3200 NETLINK_CB(skb).portid);
3201 if (IS_ERR(table)) {
3202 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3203 return PTR_ERR(table);
3204 }
3205
3206 if (nla[NFTA_RULE_CHAIN]) {
3207 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3208 genmask);
3209 if (IS_ERR(chain)) {
3210 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3211 return PTR_ERR(chain);
3212 }
3213 if (nft_chain_is_bound(chain))
3214 return -EOPNOTSUPP;
3215
3216 } else if (nla[NFTA_RULE_CHAIN_ID]) {
3217 chain = nft_chain_lookup_byid(net, nla[NFTA_RULE_CHAIN_ID]);
3218 if (IS_ERR(chain)) {
3219 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
3220 return PTR_ERR(chain);
3221 }
3222 } else {
3223 return -EINVAL;
3224 }
3225
3226 if (nla[NFTA_RULE_HANDLE]) {
3227 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3228 rule = __nft_rule_lookup(chain, handle);
3229 if (IS_ERR(rule)) {
3230 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3231 return PTR_ERR(rule);
3232 }
3233
3234 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3235 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3236 return -EEXIST;
3237 }
3238 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3239 old_rule = rule;
3240 else
3241 return -EOPNOTSUPP;
3242 } else {
3243 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
3244 nlh->nlmsg_flags & NLM_F_REPLACE)
3245 return -EINVAL;
3246 handle = nf_tables_alloc_handle(table);
3247
3248 if (chain->use == UINT_MAX)
3249 return -EOVERFLOW;
3250
3251 if (nla[NFTA_RULE_POSITION]) {
3252 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3253 old_rule = __nft_rule_lookup(chain, pos_handle);
3254 if (IS_ERR(old_rule)) {
3255 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3256 return PTR_ERR(old_rule);
3257 }
3258 } else if (nla[NFTA_RULE_POSITION_ID]) {
3259 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
3260 if (IS_ERR(old_rule)) {
3261 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3262 return PTR_ERR(old_rule);
3263 }
3264 }
3265 }
3266
3267 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3268
3269 n = 0;
3270 size = 0;
3271 if (nla[NFTA_RULE_EXPRESSIONS]) {
3272 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3273 sizeof(struct nft_expr_info),
3274 GFP_KERNEL);
3275 if (!info)
3276 return -ENOMEM;
3277
3278 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3279 err = -EINVAL;
3280 if (nla_type(tmp) != NFTA_LIST_ELEM)
3281 goto err1;
3282 if (n == NFT_RULE_MAXEXPRS)
3283 goto err1;
3284 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
3285 if (err < 0)
3286 goto err1;
3287 size += info[n].ops->size;
3288 n++;
3289 }
3290 }
3291 /* Check for overflow of dlen field */
3292 err = -EFBIG;
3293 if (size >= 1 << 12)
3294 goto err1;
3295
3296 if (nla[NFTA_RULE_USERDATA]) {
3297 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3298 if (ulen > 0)
3299 usize = sizeof(struct nft_userdata) + ulen;
3300 }
3301
3302 err = -ENOMEM;
3303 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
3304 if (rule == NULL)
3305 goto err1;
3306
3307 nft_activate_next(net, rule);
3308
3309 rule->handle = handle;
3310 rule->dlen = size;
3311 rule->udata = ulen ? 1 : 0;
3312
3313 if (ulen) {
3314 udata = nft_userdata(rule);
3315 udata->len = ulen - 1;
3316 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
3317 }
3318
3319 expr = nft_expr_first(rule);
3320 for (i = 0; i < n; i++) {
3321 err = nf_tables_newexpr(&ctx, &info[i], expr);
3322 if (err < 0) {
3323 NL_SET_BAD_ATTR(extack, info[i].attr);
3324 goto err2;
3325 }
3326
3327 if (info[i].ops->validate)
3328 nft_validate_state_update(net, NFT_VALIDATE_NEED);
3329
3330 info[i].ops = NULL;
3331 expr = nft_expr_next(expr);
3332 }
3333
3334 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
3335 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3336 if (trans == NULL) {
3337 err = -ENOMEM;
3338 goto err2;
3339 }
3340 err = nft_delrule(&ctx, old_rule);
3341 if (err < 0) {
3342 nft_trans_destroy(trans);
3343 goto err2;
3344 }
3345
3346 list_add_tail_rcu(&rule->list, &old_rule->list);
3347 } else {
3348 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3349 if (!trans) {
3350 err = -ENOMEM;
3351 goto err2;
3352 }
3353
3354 if (nlh->nlmsg_flags & NLM_F_APPEND) {
3355 if (old_rule)
3356 list_add_rcu(&rule->list, &old_rule->list);
3357 else
3358 list_add_tail_rcu(&rule->list, &chain->rules);
3359 } else {
3360 if (old_rule)
3361 list_add_tail_rcu(&rule->list, &old_rule->list);
3362 else
3363 list_add_rcu(&rule->list, &chain->rules);
3364 }
3365 }
3366 kvfree(info);
3367 chain->use++;
3368
3369 if (net->nft.validate_state == NFT_VALIDATE_DO)
3370 return nft_table_validate(net, table);
3371
3372 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
3373 flow = nft_flow_rule_create(net, rule);
3374 if (IS_ERR(flow))
3375 return PTR_ERR(flow);
3376
3377 nft_trans_flow_rule(trans) = flow;
3378 }
3379
3380 return 0;
3381 err2:
3382 nf_tables_rule_release(&ctx, rule);
3383 err1:
3384 for (i = 0; i < n; i++) {
3385 if (info[i].ops) {
3386 module_put(info[i].ops->type->owner);
3387 if (info[i].ops->type->release_ops)
3388 info[i].ops->type->release_ops(info[i].ops);
3389 }
3390 }
3391 kvfree(info);
3392 return err;
3393 }
3394
3395 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3396 const struct nlattr *nla)
3397 {
3398 u32 id = ntohl(nla_get_be32(nla));
3399 struct nft_trans *trans;
3400
3401 list_for_each_entry(trans, &net->nft.commit_list, list) {
3402 struct nft_rule *rule = nft_trans_rule(trans);
3403
3404 if (trans->msg_type == NFT_MSG_NEWRULE &&
3405 id == nft_trans_rule_id(trans))
3406 return rule;
3407 }
3408 return ERR_PTR(-ENOENT);
3409 }
3410
3411 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
3412 struct sk_buff *skb, const struct nlmsghdr *nlh,
3413 const struct nlattr * const nla[],
3414 struct netlink_ext_ack *extack)
3415 {
3416 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3417 u8 genmask = nft_genmask_next(net);
3418 struct nft_table *table;
3419 struct nft_chain *chain = NULL;
3420 struct nft_rule *rule;
3421 int family = nfmsg->nfgen_family, err = 0;
3422 struct nft_ctx ctx;
3423
3424 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3425 NETLINK_CB(skb).portid);
3426 if (IS_ERR(table)) {
3427 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3428 return PTR_ERR(table);
3429 }
3430
3431 if (nla[NFTA_RULE_CHAIN]) {
3432 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3433 genmask);
3434 if (IS_ERR(chain)) {
3435 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3436 return PTR_ERR(chain);
3437 }
3438 if (nft_chain_is_bound(chain))
3439 return -EOPNOTSUPP;
3440 }
3441
3442 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3443
3444 if (chain) {
3445 if (nla[NFTA_RULE_HANDLE]) {
3446 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3447 if (IS_ERR(rule)) {
3448 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3449 return PTR_ERR(rule);
3450 }
3451
3452 err = nft_delrule(&ctx, rule);
3453 } else if (nla[NFTA_RULE_ID]) {
3454 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
3455 if (IS_ERR(rule)) {
3456 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
3457 return PTR_ERR(rule);
3458 }
3459
3460 err = nft_delrule(&ctx, rule);
3461 } else {
3462 err = nft_delrule_by_chain(&ctx);
3463 }
3464 } else {
3465 list_for_each_entry(chain, &table->chains, list) {
3466 if (!nft_is_active_next(net, chain))
3467 continue;
3468
3469 ctx.chain = chain;
3470 err = nft_delrule_by_chain(&ctx);
3471 if (err < 0)
3472 break;
3473 }
3474 }
3475
3476 return err;
3477 }
3478
3479 /*
3480 * Sets
3481 */
3482 static const struct nft_set_type *nft_set_types[] = {
3483 &nft_set_hash_fast_type,
3484 &nft_set_hash_type,
3485 &nft_set_rhash_type,
3486 &nft_set_bitmap_type,
3487 &nft_set_rbtree_type,
3488 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
3489 &nft_set_pipapo_avx2_type,
3490 #endif
3491 &nft_set_pipapo_type,
3492 };
3493
3494 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3495 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3496 NFT_SET_EVAL)
3497
3498 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
3499 {
3500 return (flags & type->features) == (flags & NFT_SET_FEATURES);
3501 }
3502
3503 /*
3504 * Select a set implementation based on the data characteristics and the
3505 * given policy. The total memory use might not be known if no size is
3506 * given, in that case the amount of memory per element is used.
3507 */
3508 static const struct nft_set_ops *
3509 nft_select_set_ops(const struct nft_ctx *ctx,
3510 const struct nlattr * const nla[],
3511 const struct nft_set_desc *desc,
3512 enum nft_set_policies policy)
3513 {
3514 const struct nft_set_ops *ops, *bops;
3515 struct nft_set_estimate est, best;
3516 const struct nft_set_type *type;
3517 u32 flags = 0;
3518 int i;
3519
3520 lockdep_assert_held(&ctx->net->nft.commit_mutex);
3521 lockdep_nfnl_nft_mutex_not_held();
3522
3523 if (nla[NFTA_SET_FLAGS] != NULL)
3524 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3525
3526 bops = NULL;
3527 best.size = ~0;
3528 best.lookup = ~0;
3529 best.space = ~0;
3530
3531 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
3532 type = nft_set_types[i];
3533 ops = &type->ops;
3534
3535 if (!nft_set_ops_candidate(type, flags))
3536 continue;
3537 if (!ops->estimate(desc, flags, &est))
3538 continue;
3539
3540 switch (policy) {
3541 case NFT_SET_POL_PERFORMANCE:
3542 if (est.lookup < best.lookup)
3543 break;
3544 if (est.lookup == best.lookup &&
3545 est.space < best.space)
3546 break;
3547 continue;
3548 case NFT_SET_POL_MEMORY:
3549 if (!desc->size) {
3550 if (est.space < best.space)
3551 break;
3552 if (est.space == best.space &&
3553 est.lookup < best.lookup)
3554 break;
3555 } else if (est.size < best.size || !bops) {
3556 break;
3557 }
3558 continue;
3559 default:
3560 break;
3561 }
3562
3563 bops = ops;
3564 best = est;
3565 }
3566
3567 if (bops != NULL)
3568 return bops;
3569
3570 return ERR_PTR(-EOPNOTSUPP);
3571 }
3572
3573 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3574 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3575 .len = NFT_TABLE_MAXNAMELEN - 1 },
3576 [NFTA_SET_NAME] = { .type = NLA_STRING,
3577 .len = NFT_SET_MAXNAMELEN - 1 },
3578 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3579 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3580 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3581 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3582 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3583 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3584 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3585 [NFTA_SET_ID] = { .type = NLA_U32 },
3586 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3587 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3588 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3589 .len = NFT_USERDATA_MAXLEN },
3590 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3591 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3592 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
3593 [NFTA_SET_EXPRESSIONS] = { .type = NLA_NESTED },
3594 };
3595
3596 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3597 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3598 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED },
3599 };
3600
3601 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3602 const struct sk_buff *skb,
3603 const struct nlmsghdr *nlh,
3604 const struct nlattr * const nla[],
3605 struct netlink_ext_ack *extack,
3606 u8 genmask, u32 nlpid)
3607 {
3608 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3609 int family = nfmsg->nfgen_family;
3610 struct nft_table *table = NULL;
3611
3612 if (nla[NFTA_SET_TABLE] != NULL) {
3613 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3614 genmask, nlpid);
3615 if (IS_ERR(table)) {
3616 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3617 return PTR_ERR(table);
3618 }
3619 }
3620
3621 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3622 return 0;
3623 }
3624
3625 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3626 const struct nlattr *nla, u8 genmask)
3627 {
3628 struct nft_set *set;
3629
3630 if (nla == NULL)
3631 return ERR_PTR(-EINVAL);
3632
3633 list_for_each_entry_rcu(set, &table->sets, list) {
3634 if (!nla_strcmp(nla, set->name) &&
3635 nft_active_genmask(set, genmask))
3636 return set;
3637 }
3638 return ERR_PTR(-ENOENT);
3639 }
3640
3641 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3642 const struct nlattr *nla,
3643 u8 genmask)
3644 {
3645 struct nft_set *set;
3646
3647 list_for_each_entry(set, &table->sets, list) {
3648 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3649 nft_active_genmask(set, genmask))
3650 return set;
3651 }
3652 return ERR_PTR(-ENOENT);
3653 }
3654
3655 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3656 const struct nlattr *nla, u8 genmask)
3657 {
3658 struct nft_trans *trans;
3659 u32 id = ntohl(nla_get_be32(nla));
3660
3661 list_for_each_entry(trans, &net->nft.commit_list, list) {
3662 if (trans->msg_type == NFT_MSG_NEWSET) {
3663 struct nft_set *set = nft_trans_set(trans);
3664
3665 if (id == nft_trans_set_id(trans) &&
3666 nft_active_genmask(set, genmask))
3667 return set;
3668 }
3669 }
3670 return ERR_PTR(-ENOENT);
3671 }
3672
3673 struct nft_set *nft_set_lookup_global(const struct net *net,
3674 const struct nft_table *table,
3675 const struct nlattr *nla_set_name,
3676 const struct nlattr *nla_set_id,
3677 u8 genmask)
3678 {
3679 struct nft_set *set;
3680
3681 set = nft_set_lookup(table, nla_set_name, genmask);
3682 if (IS_ERR(set)) {
3683 if (!nla_set_id)
3684 return set;
3685
3686 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3687 }
3688 return set;
3689 }
3690 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3691
3692 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3693 const char *name)
3694 {
3695 const struct nft_set *i;
3696 const char *p;
3697 unsigned long *inuse;
3698 unsigned int n = 0, min = 0;
3699
3700 p = strchr(name, '%');
3701 if (p != NULL) {
3702 if (p[1] != 'd' || strchr(p + 2, '%'))
3703 return -EINVAL;
3704
3705 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3706 if (inuse == NULL)
3707 return -ENOMEM;
3708 cont:
3709 list_for_each_entry(i, &ctx->table->sets, list) {
3710 int tmp;
3711
3712 if (!nft_is_active_next(ctx->net, set))
3713 continue;
3714 if (!sscanf(i->name, name, &tmp))
3715 continue;
3716 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3717 continue;
3718
3719 set_bit(tmp - min, inuse);
3720 }
3721
3722 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3723 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3724 min += BITS_PER_BYTE * PAGE_SIZE;
3725 memset(inuse, 0, PAGE_SIZE);
3726 goto cont;
3727 }
3728 free_page((unsigned long)inuse);
3729 }
3730
3731 set->name = kasprintf(GFP_KERNEL, name, min + n);
3732 if (!set->name)
3733 return -ENOMEM;
3734
3735 list_for_each_entry(i, &ctx->table->sets, list) {
3736 if (!nft_is_active_next(ctx->net, i))
3737 continue;
3738 if (!strcmp(set->name, i->name)) {
3739 kfree(set->name);
3740 set->name = NULL;
3741 return -ENFILE;
3742 }
3743 }
3744 return 0;
3745 }
3746
3747 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3748 {
3749 u64 ms = be64_to_cpu(nla_get_be64(nla));
3750 u64 max = (u64)(~((u64)0));
3751
3752 max = div_u64(max, NSEC_PER_MSEC);
3753 if (ms >= max)
3754 return -ERANGE;
3755
3756 ms *= NSEC_PER_MSEC;
3757 *result = nsecs_to_jiffies64(ms);
3758 return 0;
3759 }
3760
3761 __be64 nf_jiffies64_to_msecs(u64 input)
3762 {
3763 return cpu_to_be64(jiffies64_to_msecs(input));
3764 }
3765
3766 static int nf_tables_fill_set_concat(struct sk_buff *skb,
3767 const struct nft_set *set)
3768 {
3769 struct nlattr *concat, *field;
3770 int i;
3771
3772 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
3773 if (!concat)
3774 return -ENOMEM;
3775
3776 for (i = 0; i < set->field_count; i++) {
3777 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
3778 if (!field)
3779 return -ENOMEM;
3780
3781 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
3782 htonl(set->field_len[i])))
3783 return -ENOMEM;
3784
3785 nla_nest_end(skb, field);
3786 }
3787
3788 nla_nest_end(skb, concat);
3789
3790 return 0;
3791 }
3792
3793 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3794 const struct nft_set *set, u16 event, u16 flags)
3795 {
3796 struct nfgenmsg *nfmsg;
3797 struct nlmsghdr *nlh;
3798 u32 portid = ctx->portid;
3799 struct nlattr *nest;
3800 u32 seq = ctx->seq;
3801 int i;
3802
3803 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3804 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3805 flags);
3806 if (nlh == NULL)
3807 goto nla_put_failure;
3808
3809 nfmsg = nlmsg_data(nlh);
3810 nfmsg->nfgen_family = ctx->family;
3811 nfmsg->version = NFNETLINK_V0;
3812 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3813
3814 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3815 goto nla_put_failure;
3816 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3817 goto nla_put_failure;
3818 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3819 NFTA_SET_PAD))
3820 goto nla_put_failure;
3821 if (set->flags != 0)
3822 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3823 goto nla_put_failure;
3824
3825 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3826 goto nla_put_failure;
3827 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3828 goto nla_put_failure;
3829 if (set->flags & NFT_SET_MAP) {
3830 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3831 goto nla_put_failure;
3832 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3833 goto nla_put_failure;
3834 }
3835 if (set->flags & NFT_SET_OBJECT &&
3836 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3837 goto nla_put_failure;
3838
3839 if (set->timeout &&
3840 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3841 nf_jiffies64_to_msecs(set->timeout),
3842 NFTA_SET_PAD))
3843 goto nla_put_failure;
3844 if (set->gc_int &&
3845 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3846 goto nla_put_failure;
3847
3848 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3849 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3850 goto nla_put_failure;
3851 }
3852
3853 if (set->udata &&
3854 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3855 goto nla_put_failure;
3856
3857 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
3858 if (!nest)
3859 goto nla_put_failure;
3860 if (set->size &&
3861 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3862 goto nla_put_failure;
3863
3864 if (set->field_count > 1 &&
3865 nf_tables_fill_set_concat(skb, set))
3866 goto nla_put_failure;
3867
3868 nla_nest_end(skb, nest);
3869
3870 if (set->num_exprs == 1) {
3871 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
3872 if (nf_tables_fill_expr_info(skb, set->exprs[0]) < 0)
3873 goto nla_put_failure;
3874
3875 nla_nest_end(skb, nest);
3876 } else if (set->num_exprs > 1) {
3877 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS);
3878 if (nest == NULL)
3879 goto nla_put_failure;
3880
3881 for (i = 0; i < set->num_exprs; i++) {
3882 if (nft_expr_dump(skb, NFTA_LIST_ELEM,
3883 set->exprs[i]) < 0)
3884 goto nla_put_failure;
3885 }
3886 nla_nest_end(skb, nest);
3887 }
3888
3889 nlmsg_end(skb, nlh);
3890 return 0;
3891
3892 nla_put_failure:
3893 nlmsg_trim(skb, nlh);
3894 return -1;
3895 }
3896
3897 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3898 const struct nft_set *set, int event,
3899 gfp_t gfp_flags)
3900 {
3901 struct sk_buff *skb;
3902 u32 portid = ctx->portid;
3903 int err;
3904 char *buf = kasprintf(gfp_flags, "%s:%llu;%s:%llu",
3905 ctx->table->name, ctx->table->handle,
3906 set->name, set->handle);
3907
3908 audit_log_nfcfg(buf,
3909 ctx->family,
3910 set->field_count,
3911 event == NFT_MSG_NEWSET ?
3912 AUDIT_NFT_OP_SET_REGISTER :
3913 AUDIT_NFT_OP_SET_UNREGISTER,
3914 gfp_flags);
3915 kfree(buf);
3916
3917 if (!ctx->report &&
3918 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3919 return;
3920
3921 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3922 if (skb == NULL)
3923 goto err;
3924
3925 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3926 if (err < 0) {
3927 kfree_skb(skb);
3928 goto err;
3929 }
3930
3931 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
3932 return;
3933 err:
3934 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3935 }
3936
3937 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3938 {
3939 const struct nft_set *set;
3940 unsigned int idx, s_idx = cb->args[0];
3941 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3942 struct net *net = sock_net(skb->sk);
3943 struct nft_ctx *ctx = cb->data, ctx_set;
3944
3945 if (cb->args[1])
3946 return skb->len;
3947
3948 rcu_read_lock();
3949 cb->seq = net->nft.base_seq;
3950
3951 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3952 if (ctx->family != NFPROTO_UNSPEC &&
3953 ctx->family != table->family)
3954 continue;
3955
3956 if (ctx->table && ctx->table != table)
3957 continue;
3958
3959 if (cur_table) {
3960 if (cur_table != table)
3961 continue;
3962
3963 cur_table = NULL;
3964 }
3965 idx = 0;
3966 list_for_each_entry_rcu(set, &table->sets, list) {
3967 if (idx < s_idx)
3968 goto cont;
3969 if (!nft_is_active(net, set))
3970 goto cont;
3971
3972 ctx_set = *ctx;
3973 ctx_set.table = table;
3974 ctx_set.family = table->family;
3975
3976 if (nf_tables_fill_set(skb, &ctx_set, set,
3977 NFT_MSG_NEWSET,
3978 NLM_F_MULTI) < 0) {
3979 cb->args[0] = idx;
3980 cb->args[2] = (unsigned long) table;
3981 goto done;
3982 }
3983 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3984 cont:
3985 idx++;
3986 }
3987 if (s_idx)
3988 s_idx = 0;
3989 }
3990 cb->args[1] = 1;
3991 done:
3992 rcu_read_unlock();
3993 return skb->len;
3994 }
3995
3996 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3997 {
3998 struct nft_ctx *ctx_dump = NULL;
3999
4000 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
4001 if (ctx_dump == NULL)
4002 return -ENOMEM;
4003
4004 cb->data = ctx_dump;
4005 return 0;
4006 }
4007
4008 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
4009 {
4010 kfree(cb->data);
4011 return 0;
4012 }
4013
4014 /* called with rcu_read_lock held */
4015 static int nf_tables_getset(struct net *net, struct sock *nlsk,
4016 struct sk_buff *skb, const struct nlmsghdr *nlh,
4017 const struct nlattr * const nla[],
4018 struct netlink_ext_ack *extack)
4019 {
4020 u8 genmask = nft_genmask_cur(net);
4021 const struct nft_set *set;
4022 struct nft_ctx ctx;
4023 struct sk_buff *skb2;
4024 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4025 int err;
4026
4027 /* Verify existence before starting dump */
4028 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
4029 genmask, 0);
4030 if (err < 0)
4031 return err;
4032
4033 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4034 struct netlink_dump_control c = {
4035 .start = nf_tables_dump_sets_start,
4036 .dump = nf_tables_dump_sets,
4037 .done = nf_tables_dump_sets_done,
4038 .data = &ctx,
4039 .module = THIS_MODULE,
4040 };
4041
4042 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4043 }
4044
4045 /* Only accept unspec with dump */
4046 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4047 return -EAFNOSUPPORT;
4048 if (!nla[NFTA_SET_TABLE])
4049 return -EINVAL;
4050
4051 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
4052 if (IS_ERR(set))
4053 return PTR_ERR(set);
4054
4055 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
4056 if (skb2 == NULL)
4057 return -ENOMEM;
4058
4059 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
4060 if (err < 0)
4061 goto err_fill_set_info;
4062
4063 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4064
4065 err_fill_set_info:
4066 kfree_skb(skb2);
4067 return err;
4068 }
4069
4070 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4071 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
4072 };
4073
4074 static int nft_set_desc_concat_parse(const struct nlattr *attr,
4075 struct nft_set_desc *desc)
4076 {
4077 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
4078 u32 len;
4079 int err;
4080
4081 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
4082 nft_concat_policy, NULL);
4083 if (err < 0)
4084 return err;
4085
4086 if (!tb[NFTA_SET_FIELD_LEN])
4087 return -EINVAL;
4088
4089 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
4090
4091 if (len * BITS_PER_BYTE / 32 > NFT_REG32_COUNT)
4092 return -E2BIG;
4093
4094 desc->field_len[desc->field_count++] = len;
4095
4096 return 0;
4097 }
4098
4099 static int nft_set_desc_concat(struct nft_set_desc *desc,
4100 const struct nlattr *nla)
4101 {
4102 struct nlattr *attr;
4103 int rem, err;
4104
4105 nla_for_each_nested(attr, nla, rem) {
4106 if (nla_type(attr) != NFTA_LIST_ELEM)
4107 return -EINVAL;
4108
4109 err = nft_set_desc_concat_parse(attr, desc);
4110 if (err < 0)
4111 return err;
4112 }
4113
4114 return 0;
4115 }
4116
4117 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
4118 const struct nlattr *nla)
4119 {
4120 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
4121 int err;
4122
4123 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
4124 nft_set_desc_policy, NULL);
4125 if (err < 0)
4126 return err;
4127
4128 if (da[NFTA_SET_DESC_SIZE] != NULL)
4129 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
4130 if (da[NFTA_SET_DESC_CONCAT])
4131 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
4132
4133 return err;
4134 }
4135
4136 static int nf_tables_newset(struct net *net, struct sock *nlsk,
4137 struct sk_buff *skb, const struct nlmsghdr *nlh,
4138 const struct nlattr * const nla[],
4139 struct netlink_ext_ack *extack)
4140 {
4141 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4142 u8 genmask = nft_genmask_next(net);
4143 int family = nfmsg->nfgen_family;
4144 const struct nft_set_ops *ops;
4145 struct nft_expr *expr = NULL;
4146 struct nft_table *table;
4147 struct nft_set *set;
4148 struct nft_ctx ctx;
4149 char *name;
4150 u64 size;
4151 u64 timeout;
4152 u32 ktype, dtype, flags, policy, gc_int, objtype;
4153 struct nft_set_desc desc;
4154 unsigned char *udata;
4155 u16 udlen;
4156 int err;
4157 int i;
4158
4159 if (nla[NFTA_SET_TABLE] == NULL ||
4160 nla[NFTA_SET_NAME] == NULL ||
4161 nla[NFTA_SET_KEY_LEN] == NULL ||
4162 nla[NFTA_SET_ID] == NULL)
4163 return -EINVAL;
4164
4165 memset(&desc, 0, sizeof(desc));
4166
4167 ktype = NFT_DATA_VALUE;
4168 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
4169 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
4170 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
4171 return -EINVAL;
4172 }
4173
4174 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
4175 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
4176 return -EINVAL;
4177
4178 flags = 0;
4179 if (nla[NFTA_SET_FLAGS] != NULL) {
4180 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
4181 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
4182 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
4183 NFT_SET_MAP | NFT_SET_EVAL |
4184 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR))
4185 return -EOPNOTSUPP;
4186 /* Only one of these operations is supported */
4187 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
4188 (NFT_SET_MAP | NFT_SET_OBJECT))
4189 return -EOPNOTSUPP;
4190 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
4191 (NFT_SET_EVAL | NFT_SET_OBJECT))
4192 return -EOPNOTSUPP;
4193 }
4194
4195 dtype = 0;
4196 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
4197 if (!(flags & NFT_SET_MAP))
4198 return -EINVAL;
4199
4200 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
4201 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
4202 dtype != NFT_DATA_VERDICT)
4203 return -EINVAL;
4204
4205 if (dtype != NFT_DATA_VERDICT) {
4206 if (nla[NFTA_SET_DATA_LEN] == NULL)
4207 return -EINVAL;
4208 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
4209 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
4210 return -EINVAL;
4211 } else
4212 desc.dlen = sizeof(struct nft_verdict);
4213 } else if (flags & NFT_SET_MAP)
4214 return -EINVAL;
4215
4216 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
4217 if (!(flags & NFT_SET_OBJECT))
4218 return -EINVAL;
4219
4220 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
4221 if (objtype == NFT_OBJECT_UNSPEC ||
4222 objtype > NFT_OBJECT_MAX)
4223 return -EOPNOTSUPP;
4224 } else if (flags & NFT_SET_OBJECT)
4225 return -EINVAL;
4226 else
4227 objtype = NFT_OBJECT_UNSPEC;
4228
4229 timeout = 0;
4230 if (nla[NFTA_SET_TIMEOUT] != NULL) {
4231 if (!(flags & NFT_SET_TIMEOUT))
4232 return -EINVAL;
4233
4234 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
4235 if (err)
4236 return err;
4237 }
4238 gc_int = 0;
4239 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
4240 if (!(flags & NFT_SET_TIMEOUT))
4241 return -EINVAL;
4242 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
4243 }
4244
4245 policy = NFT_SET_POL_PERFORMANCE;
4246 if (nla[NFTA_SET_POLICY] != NULL)
4247 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
4248
4249 if (nla[NFTA_SET_DESC] != NULL) {
4250 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
4251 if (err < 0)
4252 return err;
4253 }
4254
4255 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
4256 desc.expr = true;
4257
4258 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask,
4259 NETLINK_CB(skb).portid);
4260 if (IS_ERR(table)) {
4261 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4262 return PTR_ERR(table);
4263 }
4264
4265 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4266
4267 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4268 if (IS_ERR(set)) {
4269 if (PTR_ERR(set) != -ENOENT) {
4270 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4271 return PTR_ERR(set);
4272 }
4273 } else {
4274 if (nlh->nlmsg_flags & NLM_F_EXCL) {
4275 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4276 return -EEXIST;
4277 }
4278 if (nlh->nlmsg_flags & NLM_F_REPLACE)
4279 return -EOPNOTSUPP;
4280
4281 return 0;
4282 }
4283
4284 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
4285 return -ENOENT;
4286
4287 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
4288 if (IS_ERR(ops))
4289 return PTR_ERR(ops);
4290
4291 udlen = 0;
4292 if (nla[NFTA_SET_USERDATA])
4293 udlen = nla_len(nla[NFTA_SET_USERDATA]);
4294
4295 size = 0;
4296 if (ops->privsize != NULL)
4297 size = ops->privsize(nla, &desc);
4298
4299 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
4300 if (!set)
4301 return -ENOMEM;
4302
4303 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
4304 if (!name) {
4305 err = -ENOMEM;
4306 goto err_set_name;
4307 }
4308
4309 err = nf_tables_set_alloc_name(&ctx, set, name);
4310 kfree(name);
4311 if (err < 0)
4312 goto err_set_alloc_name;
4313
4314 if (nla[NFTA_SET_EXPR]) {
4315 expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]);
4316 if (IS_ERR(expr)) {
4317 err = PTR_ERR(expr);
4318 goto err_set_alloc_name;
4319 }
4320 set->exprs[0] = expr;
4321 set->num_exprs++;
4322 } else if (nla[NFTA_SET_EXPRESSIONS]) {
4323 struct nft_expr *expr;
4324 struct nlattr *tmp;
4325 int left;
4326
4327 if (!(flags & NFT_SET_EXPR)) {
4328 err = -EINVAL;
4329 goto err_set_alloc_name;
4330 }
4331 i = 0;
4332 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {
4333 if (i == NFT_SET_EXPR_MAX) {
4334 err = -E2BIG;
4335 goto err_set_init;
4336 }
4337 if (nla_type(tmp) != NFTA_LIST_ELEM) {
4338 err = -EINVAL;
4339 goto err_set_init;
4340 }
4341 expr = nft_set_elem_expr_alloc(&ctx, set, tmp);
4342 if (IS_ERR(expr)) {
4343 err = PTR_ERR(expr);
4344 goto err_set_init;
4345 }
4346 set->exprs[i++] = expr;
4347 set->num_exprs++;
4348 }
4349 }
4350
4351 udata = NULL;
4352 if (udlen) {
4353 udata = set->data + size;
4354 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
4355 }
4356
4357 INIT_LIST_HEAD(&set->bindings);
4358 set->table = table;
4359 write_pnet(&set->net, net);
4360 set->ops = ops;
4361 set->ktype = ktype;
4362 set->klen = desc.klen;
4363 set->dtype = dtype;
4364 set->objtype = objtype;
4365 set->dlen = desc.dlen;
4366 set->flags = flags;
4367 set->size = desc.size;
4368 set->policy = policy;
4369 set->udlen = udlen;
4370 set->udata = udata;
4371 set->timeout = timeout;
4372 set->gc_int = gc_int;
4373 set->handle = nf_tables_alloc_handle(table);
4374
4375 set->field_count = desc.field_count;
4376 for (i = 0; i < desc.field_count; i++)
4377 set->field_len[i] = desc.field_len[i];
4378
4379 err = ops->init(set, &desc, nla);
4380 if (err < 0)
4381 goto err_set_init;
4382
4383 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
4384 if (err < 0)
4385 goto err_set_trans;
4386
4387 list_add_tail_rcu(&set->list, &table->sets);
4388 table->use++;
4389 return 0;
4390
4391 err_set_trans:
4392 ops->destroy(set);
4393 err_set_init:
4394 for (i = 0; i < set->num_exprs; i++)
4395 nft_expr_destroy(&ctx, set->exprs[i]);
4396 err_set_alloc_name:
4397 kfree(set->name);
4398 err_set_name:
4399 kvfree(set);
4400 return err;
4401 }
4402
4403 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
4404 {
4405 int i;
4406
4407 if (WARN_ON(set->use > 0))
4408 return;
4409
4410 for (i = 0; i < set->num_exprs; i++)
4411 nft_expr_destroy(ctx, set->exprs[i]);
4412
4413 set->ops->destroy(set);
4414 kfree(set->name);
4415 kvfree(set);
4416 }
4417
4418 static int nf_tables_delset(struct net *net, struct sock *nlsk,
4419 struct sk_buff *skb, const struct nlmsghdr *nlh,
4420 const struct nlattr * const nla[],
4421 struct netlink_ext_ack *extack)
4422 {
4423 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4424 u8 genmask = nft_genmask_next(net);
4425 const struct nlattr *attr;
4426 struct nft_set *set;
4427 struct nft_ctx ctx;
4428 int err;
4429
4430 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4431 return -EAFNOSUPPORT;
4432 if (nla[NFTA_SET_TABLE] == NULL)
4433 return -EINVAL;
4434
4435 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
4436 genmask, NETLINK_CB(skb).portid);
4437 if (err < 0)
4438 return err;
4439
4440 if (nla[NFTA_SET_HANDLE]) {
4441 attr = nla[NFTA_SET_HANDLE];
4442 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
4443 } else {
4444 attr = nla[NFTA_SET_NAME];
4445 set = nft_set_lookup(ctx.table, attr, genmask);
4446 }
4447
4448 if (IS_ERR(set)) {
4449 NL_SET_BAD_ATTR(extack, attr);
4450 return PTR_ERR(set);
4451 }
4452 if (set->use ||
4453 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
4454 NL_SET_BAD_ATTR(extack, attr);
4455 return -EBUSY;
4456 }
4457
4458 return nft_delset(&ctx, set);
4459 }
4460
4461 static int nft_validate_register_store(const struct nft_ctx *ctx,
4462 enum nft_registers reg,
4463 const struct nft_data *data,
4464 enum nft_data_types type,
4465 unsigned int len);
4466
4467 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
4468 struct nft_set *set,
4469 const struct nft_set_iter *iter,
4470 struct nft_set_elem *elem)
4471 {
4472 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4473 enum nft_registers dreg;
4474
4475 dreg = nft_type_to_reg(set->dtype);
4476 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
4477 set->dtype == NFT_DATA_VERDICT ?
4478 NFT_DATA_VERDICT : NFT_DATA_VALUE,
4479 set->dlen);
4480 }
4481
4482 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
4483 struct nft_set_binding *binding)
4484 {
4485 struct nft_set_binding *i;
4486 struct nft_set_iter iter;
4487
4488 if (set->use == UINT_MAX)
4489 return -EOVERFLOW;
4490
4491 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
4492 return -EBUSY;
4493
4494 if (binding->flags & NFT_SET_MAP) {
4495 /* If the set is already bound to the same chain all
4496 * jumps are already validated for that chain.
4497 */
4498 list_for_each_entry(i, &set->bindings, list) {
4499 if (i->flags & NFT_SET_MAP &&
4500 i->chain == binding->chain)
4501 goto bind;
4502 }
4503
4504 iter.genmask = nft_genmask_next(ctx->net);
4505 iter.skip = 0;
4506 iter.count = 0;
4507 iter.err = 0;
4508 iter.fn = nf_tables_bind_check_setelem;
4509
4510 set->ops->walk(ctx, set, &iter);
4511 if (iter.err < 0)
4512 return iter.err;
4513 }
4514 bind:
4515 binding->chain = ctx->chain;
4516 list_add_tail_rcu(&binding->list, &set->bindings);
4517 nft_set_trans_bind(ctx, set);
4518 set->use++;
4519
4520 return 0;
4521 }
4522 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
4523
4524 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
4525 struct nft_set_binding *binding, bool event)
4526 {
4527 list_del_rcu(&binding->list);
4528
4529 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
4530 list_del_rcu(&set->list);
4531 if (event)
4532 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
4533 GFP_KERNEL);
4534 }
4535 }
4536
4537 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
4538 struct nft_set_binding *binding,
4539 enum nft_trans_phase phase)
4540 {
4541 switch (phase) {
4542 case NFT_TRANS_PREPARE:
4543 set->use--;
4544 return;
4545 case NFT_TRANS_ABORT:
4546 case NFT_TRANS_RELEASE:
4547 set->use--;
4548 fallthrough;
4549 default:
4550 nf_tables_unbind_set(ctx, set, binding,
4551 phase == NFT_TRANS_COMMIT);
4552 }
4553 }
4554 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
4555
4556 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
4557 {
4558 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
4559 nft_set_destroy(ctx, set);
4560 }
4561 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
4562
4563 const struct nft_set_ext_type nft_set_ext_types[] = {
4564 [NFT_SET_EXT_KEY] = {
4565 .align = __alignof__(u32),
4566 },
4567 [NFT_SET_EXT_DATA] = {
4568 .align = __alignof__(u32),
4569 },
4570 [NFT_SET_EXT_EXPRESSIONS] = {
4571 .align = __alignof__(struct nft_set_elem_expr),
4572 },
4573 [NFT_SET_EXT_OBJREF] = {
4574 .len = sizeof(struct nft_object *),
4575 .align = __alignof__(struct nft_object *),
4576 },
4577 [NFT_SET_EXT_FLAGS] = {
4578 .len = sizeof(u8),
4579 .align = __alignof__(u8),
4580 },
4581 [NFT_SET_EXT_TIMEOUT] = {
4582 .len = sizeof(u64),
4583 .align = __alignof__(u64),
4584 },
4585 [NFT_SET_EXT_EXPIRATION] = {
4586 .len = sizeof(u64),
4587 .align = __alignof__(u64),
4588 },
4589 [NFT_SET_EXT_USERDATA] = {
4590 .len = sizeof(struct nft_userdata),
4591 .align = __alignof__(struct nft_userdata),
4592 },
4593 [NFT_SET_EXT_KEY_END] = {
4594 .align = __alignof__(u32),
4595 },
4596 };
4597
4598 /*
4599 * Set elements
4600 */
4601
4602 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
4603 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
4604 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
4605 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
4606 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
4607 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
4608 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
4609 .len = NFT_USERDATA_MAXLEN },
4610 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
4611 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
4612 .len = NFT_OBJ_MAXNAMELEN - 1 },
4613 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
4614 [NFTA_SET_ELEM_EXPRESSIONS] = { .type = NLA_NESTED },
4615 };
4616
4617 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
4618 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
4619 .len = NFT_TABLE_MAXNAMELEN - 1 },
4620 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
4621 .len = NFT_SET_MAXNAMELEN - 1 },
4622 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
4623 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
4624 };
4625
4626 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
4627 const struct sk_buff *skb,
4628 const struct nlmsghdr *nlh,
4629 const struct nlattr * const nla[],
4630 struct netlink_ext_ack *extack,
4631 u8 genmask, u32 nlpid)
4632 {
4633 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4634 int family = nfmsg->nfgen_family;
4635 struct nft_table *table;
4636
4637 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
4638 genmask, nlpid);
4639 if (IS_ERR(table)) {
4640 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
4641 return PTR_ERR(table);
4642 }
4643
4644 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
4645 return 0;
4646 }
4647
4648 static int nft_set_elem_expr_dump(struct sk_buff *skb,
4649 const struct nft_set *set,
4650 const struct nft_set_ext *ext)
4651 {
4652 struct nft_set_elem_expr *elem_expr;
4653 u32 size, num_exprs = 0;
4654 struct nft_expr *expr;
4655 struct nlattr *nest;
4656
4657 elem_expr = nft_set_ext_expr(ext);
4658 nft_setelem_expr_foreach(expr, elem_expr, size)
4659 num_exprs++;
4660
4661 if (num_exprs == 1) {
4662 expr = nft_setelem_expr_at(elem_expr, 0);
4663 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr) < 0)
4664 return -1;
4665
4666 return 0;
4667 } else if (num_exprs > 1) {
4668 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS);
4669 if (nest == NULL)
4670 goto nla_put_failure;
4671
4672 nft_setelem_expr_foreach(expr, elem_expr, size) {
4673 expr = nft_setelem_expr_at(elem_expr, size);
4674 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
4675 goto nla_put_failure;
4676 }
4677 nla_nest_end(skb, nest);
4678 }
4679 return 0;
4680
4681 nla_put_failure:
4682 return -1;
4683 }
4684
4685 static int nf_tables_fill_setelem(struct sk_buff *skb,
4686 const struct nft_set *set,
4687 const struct nft_set_elem *elem)
4688 {
4689 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4690 unsigned char *b = skb_tail_pointer(skb);
4691 struct nlattr *nest;
4692
4693 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4694 if (nest == NULL)
4695 goto nla_put_failure;
4696
4697 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
4698 NFT_DATA_VALUE, set->klen) < 0)
4699 goto nla_put_failure;
4700
4701 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
4702 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
4703 NFT_DATA_VALUE, set->klen) < 0)
4704 goto nla_put_failure;
4705
4706 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4707 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
4708 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
4709 set->dlen) < 0)
4710 goto nla_put_failure;
4711
4712 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) &&
4713 nft_set_elem_expr_dump(skb, set, ext))
4714 goto nla_put_failure;
4715
4716 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4717 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
4718 (*nft_set_ext_obj(ext))->key.name) < 0)
4719 goto nla_put_failure;
4720
4721 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4722 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
4723 htonl(*nft_set_ext_flags(ext))))
4724 goto nla_put_failure;
4725
4726 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
4727 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
4728 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
4729 NFTA_SET_ELEM_PAD))
4730 goto nla_put_failure;
4731
4732 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4733 u64 expires, now = get_jiffies_64();
4734
4735 expires = *nft_set_ext_expiration(ext);
4736 if (time_before64(now, expires))
4737 expires -= now;
4738 else
4739 expires = 0;
4740
4741 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
4742 nf_jiffies64_to_msecs(expires),
4743 NFTA_SET_ELEM_PAD))
4744 goto nla_put_failure;
4745 }
4746
4747 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
4748 struct nft_userdata *udata;
4749
4750 udata = nft_set_ext_userdata(ext);
4751 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
4752 udata->len + 1, udata->data))
4753 goto nla_put_failure;
4754 }
4755
4756 nla_nest_end(skb, nest);
4757 return 0;
4758
4759 nla_put_failure:
4760 nlmsg_trim(skb, b);
4761 return -EMSGSIZE;
4762 }
4763
4764 struct nft_set_dump_args {
4765 const struct netlink_callback *cb;
4766 struct nft_set_iter iter;
4767 struct sk_buff *skb;
4768 };
4769
4770 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
4771 struct nft_set *set,
4772 const struct nft_set_iter *iter,
4773 struct nft_set_elem *elem)
4774 {
4775 struct nft_set_dump_args *args;
4776
4777 args = container_of(iter, struct nft_set_dump_args, iter);
4778 return nf_tables_fill_setelem(args->skb, set, elem);
4779 }
4780
4781 struct nft_set_dump_ctx {
4782 const struct nft_set *set;
4783 struct nft_ctx ctx;
4784 };
4785
4786 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4787 {
4788 struct nft_set_dump_ctx *dump_ctx = cb->data;
4789 struct net *net = sock_net(skb->sk);
4790 struct nft_table *table;
4791 struct nft_set *set;
4792 struct nft_set_dump_args args;
4793 bool set_found = false;
4794 struct nfgenmsg *nfmsg;
4795 struct nlmsghdr *nlh;
4796 struct nlattr *nest;
4797 u32 portid, seq;
4798 int event;
4799
4800 rcu_read_lock();
4801 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4802 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4803 dump_ctx->ctx.family != table->family)
4804 continue;
4805
4806 if (table != dump_ctx->ctx.table)
4807 continue;
4808
4809 list_for_each_entry_rcu(set, &table->sets, list) {
4810 if (set == dump_ctx->set) {
4811 set_found = true;
4812 break;
4813 }
4814 }
4815 break;
4816 }
4817
4818 if (!set_found) {
4819 rcu_read_unlock();
4820 return -ENOENT;
4821 }
4822
4823 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4824 portid = NETLINK_CB(cb->skb).portid;
4825 seq = cb->nlh->nlmsg_seq;
4826
4827 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4828 NLM_F_MULTI);
4829 if (nlh == NULL)
4830 goto nla_put_failure;
4831
4832 nfmsg = nlmsg_data(nlh);
4833 nfmsg->nfgen_family = table->family;
4834 nfmsg->version = NFNETLINK_V0;
4835 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4836
4837 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4838 goto nla_put_failure;
4839 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4840 goto nla_put_failure;
4841
4842 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4843 if (nest == NULL)
4844 goto nla_put_failure;
4845
4846 args.cb = cb;
4847 args.skb = skb;
4848 args.iter.genmask = nft_genmask_cur(net);
4849 args.iter.skip = cb->args[0];
4850 args.iter.count = 0;
4851 args.iter.err = 0;
4852 args.iter.fn = nf_tables_dump_setelem;
4853 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4854 rcu_read_unlock();
4855
4856 nla_nest_end(skb, nest);
4857 nlmsg_end(skb, nlh);
4858
4859 if (args.iter.err && args.iter.err != -EMSGSIZE)
4860 return args.iter.err;
4861 if (args.iter.count == cb->args[0])
4862 return 0;
4863
4864 cb->args[0] = args.iter.count;
4865 return skb->len;
4866
4867 nla_put_failure:
4868 rcu_read_unlock();
4869 return -ENOSPC;
4870 }
4871
4872 static int nf_tables_dump_set_start(struct netlink_callback *cb)
4873 {
4874 struct nft_set_dump_ctx *dump_ctx = cb->data;
4875
4876 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4877
4878 return cb->data ? 0 : -ENOMEM;
4879 }
4880
4881 static int nf_tables_dump_set_done(struct netlink_callback *cb)
4882 {
4883 kfree(cb->data);
4884 return 0;
4885 }
4886
4887 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4888 const struct nft_ctx *ctx, u32 seq,
4889 u32 portid, int event, u16 flags,
4890 const struct nft_set *set,
4891 const struct nft_set_elem *elem)
4892 {
4893 struct nfgenmsg *nfmsg;
4894 struct nlmsghdr *nlh;
4895 struct nlattr *nest;
4896 int err;
4897
4898 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4899 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4900 flags);
4901 if (nlh == NULL)
4902 goto nla_put_failure;
4903
4904 nfmsg = nlmsg_data(nlh);
4905 nfmsg->nfgen_family = ctx->family;
4906 nfmsg->version = NFNETLINK_V0;
4907 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
4908
4909 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4910 goto nla_put_failure;
4911 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4912 goto nla_put_failure;
4913
4914 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4915 if (nest == NULL)
4916 goto nla_put_failure;
4917
4918 err = nf_tables_fill_setelem(skb, set, elem);
4919 if (err < 0)
4920 goto nla_put_failure;
4921
4922 nla_nest_end(skb, nest);
4923
4924 nlmsg_end(skb, nlh);
4925 return 0;
4926
4927 nla_put_failure:
4928 nlmsg_trim(skb, nlh);
4929 return -1;
4930 }
4931
4932 static int nft_setelem_parse_flags(const struct nft_set *set,
4933 const struct nlattr *attr, u32 *flags)
4934 {
4935 if (attr == NULL)
4936 return 0;
4937
4938 *flags = ntohl(nla_get_be32(attr));
4939 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4940 return -EINVAL;
4941 if (!(set->flags & NFT_SET_INTERVAL) &&
4942 *flags & NFT_SET_ELEM_INTERVAL_END)
4943 return -EINVAL;
4944
4945 return 0;
4946 }
4947
4948 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
4949 struct nft_data *key, struct nlattr *attr)
4950 {
4951 struct nft_data_desc desc;
4952 int err;
4953
4954 err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr);
4955 if (err < 0)
4956 return err;
4957
4958 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
4959 nft_data_release(key, desc.type);
4960 return -EINVAL;
4961 }
4962
4963 return 0;
4964 }
4965
4966 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
4967 struct nft_data_desc *desc,
4968 struct nft_data *data,
4969 struct nlattr *attr)
4970 {
4971 int err;
4972
4973 err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr);
4974 if (err < 0)
4975 return err;
4976
4977 if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) {
4978 nft_data_release(data, desc->type);
4979 return -EINVAL;
4980 }
4981
4982 return 0;
4983 }
4984
4985 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4986 const struct nlattr *attr)
4987 {
4988 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4989 struct nft_set_elem elem;
4990 struct sk_buff *skb;
4991 uint32_t flags = 0;
4992 void *priv;
4993 int err;
4994
4995 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4996 nft_set_elem_policy, NULL);
4997 if (err < 0)
4998 return err;
4999
5000 if (!nla[NFTA_SET_ELEM_KEY])
5001 return -EINVAL;
5002
5003 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5004 if (err < 0)
5005 return err;
5006
5007 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5008 nla[NFTA_SET_ELEM_KEY]);
5009 if (err < 0)
5010 return err;
5011
5012 if (nla[NFTA_SET_ELEM_KEY_END]) {
5013 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5014 nla[NFTA_SET_ELEM_KEY_END]);
5015 if (err < 0)
5016 return err;
5017 }
5018
5019 priv = set->ops->get(ctx->net, set, &elem, flags);
5020 if (IS_ERR(priv))
5021 return PTR_ERR(priv);
5022
5023 elem.priv = priv;
5024
5025 err = -ENOMEM;
5026 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
5027 if (skb == NULL)
5028 return err;
5029
5030 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
5031 NFT_MSG_NEWSETELEM, 0, set, &elem);
5032 if (err < 0)
5033 goto err_fill_setelem;
5034
5035 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
5036
5037 err_fill_setelem:
5038 kfree_skb(skb);
5039 return err;
5040 }
5041
5042 /* called with rcu_read_lock held */
5043 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
5044 struct sk_buff *skb, const struct nlmsghdr *nlh,
5045 const struct nlattr * const nla[],
5046 struct netlink_ext_ack *extack)
5047 {
5048 u8 genmask = nft_genmask_cur(net);
5049 struct nft_set *set;
5050 struct nlattr *attr;
5051 struct nft_ctx ctx;
5052 int rem, err = 0;
5053
5054 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5055 genmask, NETLINK_CB(skb).portid);
5056 if (err < 0)
5057 return err;
5058
5059 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5060 if (IS_ERR(set))
5061 return PTR_ERR(set);
5062
5063 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5064 struct netlink_dump_control c = {
5065 .start = nf_tables_dump_set_start,
5066 .dump = nf_tables_dump_set,
5067 .done = nf_tables_dump_set_done,
5068 .module = THIS_MODULE,
5069 };
5070 struct nft_set_dump_ctx dump_ctx = {
5071 .set = set,
5072 .ctx = ctx,
5073 };
5074
5075 c.data = &dump_ctx;
5076 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5077 }
5078
5079 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
5080 return -EINVAL;
5081
5082 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5083 err = nft_get_set_elem(&ctx, set, attr);
5084 if (err < 0)
5085 break;
5086 }
5087
5088 return err;
5089 }
5090
5091 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
5092 const struct nft_set *set,
5093 const struct nft_set_elem *elem,
5094 int event, u16 flags)
5095 {
5096 struct net *net = ctx->net;
5097 u32 portid = ctx->portid;
5098 struct sk_buff *skb;
5099 int err;
5100 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
5101 ctx->table->name, ctx->table->handle,
5102 set->name, set->handle);
5103
5104 audit_log_nfcfg(buf,
5105 ctx->family,
5106 set->handle,
5107 event == NFT_MSG_NEWSETELEM ?
5108 AUDIT_NFT_OP_SETELEM_REGISTER :
5109 AUDIT_NFT_OP_SETELEM_UNREGISTER,
5110 GFP_KERNEL);
5111 kfree(buf);
5112
5113 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5114 return;
5115
5116 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5117 if (skb == NULL)
5118 goto err;
5119
5120 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
5121 set, elem);
5122 if (err < 0) {
5123 kfree_skb(skb);
5124 goto err;
5125 }
5126
5127 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
5128 return;
5129 err:
5130 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5131 }
5132
5133 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
5134 int msg_type,
5135 struct nft_set *set)
5136 {
5137 struct nft_trans *trans;
5138
5139 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
5140 if (trans == NULL)
5141 return NULL;
5142
5143 nft_trans_elem_set(trans) = set;
5144 return trans;
5145 }
5146
5147 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
5148 const struct nft_set *set,
5149 const struct nlattr *attr)
5150 {
5151 struct nft_expr *expr;
5152 int err;
5153
5154 expr = nft_expr_init(ctx, attr);
5155 if (IS_ERR(expr))
5156 return expr;
5157
5158 err = -EOPNOTSUPP;
5159 if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL))
5160 goto err_set_elem_expr;
5161
5162 if (expr->ops->type->flags & NFT_EXPR_GC) {
5163 if (set->flags & NFT_SET_TIMEOUT)
5164 goto err_set_elem_expr;
5165 if (!set->ops->gc_init)
5166 goto err_set_elem_expr;
5167 set->ops->gc_init(set);
5168 }
5169
5170 return expr;
5171
5172 err_set_elem_expr:
5173 nft_expr_destroy(ctx, expr);
5174 return ERR_PTR(err);
5175 }
5176
5177 void *nft_set_elem_init(const struct nft_set *set,
5178 const struct nft_set_ext_tmpl *tmpl,
5179 const u32 *key, const u32 *key_end,
5180 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp)
5181 {
5182 struct nft_set_ext *ext;
5183 void *elem;
5184
5185 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
5186 if (elem == NULL)
5187 return NULL;
5188
5189 ext = nft_set_elem_ext(set, elem);
5190 nft_set_ext_init(ext, tmpl);
5191
5192 memcpy(nft_set_ext_key(ext), key, set->klen);
5193 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
5194 memcpy(nft_set_ext_key_end(ext), key_end, set->klen);
5195 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5196 memcpy(nft_set_ext_data(ext), data, set->dlen);
5197 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
5198 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
5199 if (expiration == 0)
5200 *nft_set_ext_expiration(ext) += timeout;
5201 }
5202 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
5203 *nft_set_ext_timeout(ext) = timeout;
5204
5205 return elem;
5206 }
5207
5208 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5209 struct nft_expr *expr)
5210 {
5211 if (expr->ops->destroy_clone) {
5212 expr->ops->destroy_clone(ctx, expr);
5213 module_put(expr->ops->type->owner);
5214 } else {
5215 nf_tables_expr_destroy(ctx, expr);
5216 }
5217 }
5218
5219 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5220 struct nft_set_elem_expr *elem_expr)
5221 {
5222 struct nft_expr *expr;
5223 u32 size;
5224
5225 nft_setelem_expr_foreach(expr, elem_expr, size)
5226 __nft_set_elem_expr_destroy(ctx, expr);
5227 }
5228
5229 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
5230 bool destroy_expr)
5231 {
5232 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5233 struct nft_ctx ctx = {
5234 .net = read_pnet(&set->net),
5235 .family = set->table->family,
5236 };
5237
5238 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
5239 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5240 nft_data_release(nft_set_ext_data(ext), set->dtype);
5241 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
5242 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
5243
5244 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5245 (*nft_set_ext_obj(ext))->use--;
5246 kfree(elem);
5247 }
5248 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
5249
5250 /* Only called from commit path, nft_set_elem_deactivate() already deals with
5251 * the refcounting from the preparation phase.
5252 */
5253 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
5254 const struct nft_set *set, void *elem)
5255 {
5256 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5257
5258 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
5259 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
5260
5261 kfree(elem);
5262 }
5263
5264 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
5265 struct nft_expr *expr_array[])
5266 {
5267 struct nft_expr *expr;
5268 int err, i, k;
5269
5270 for (i = 0; i < set->num_exprs; i++) {
5271 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL);
5272 if (!expr)
5273 goto err_expr;
5274
5275 err = nft_expr_clone(expr, set->exprs[i]);
5276 if (err < 0) {
5277 nft_expr_destroy(ctx, expr);
5278 goto err_expr;
5279 }
5280 expr_array[i] = expr;
5281 }
5282
5283 return 0;
5284
5285 err_expr:
5286 for (k = i - 1; k >= 0; k--)
5287 nft_expr_destroy(ctx, expr_array[k]);
5288
5289 return -ENOMEM;
5290 }
5291
5292 static void nft_set_elem_expr_setup(const struct nft_set_ext *ext, int i,
5293 struct nft_expr *expr_array[])
5294 {
5295 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
5296 struct nft_expr *expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
5297
5298 memcpy(expr, expr_array[i], expr_array[i]->ops->size);
5299 elem_expr->size += expr_array[i]->ops->size;
5300 kfree(expr_array[i]);
5301 expr_array[i] = NULL;
5302 }
5303
5304 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
5305 const struct nlattr *attr, u32 nlmsg_flags)
5306 {
5307 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {};
5308 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5309 u8 genmask = nft_genmask_next(ctx->net);
5310 u32 flags = 0, size = 0, num_exprs = 0;
5311 struct nft_set_ext_tmpl tmpl;
5312 struct nft_set_ext *ext, *ext2;
5313 struct nft_set_elem elem;
5314 struct nft_set_binding *binding;
5315 struct nft_object *obj = NULL;
5316 struct nft_userdata *udata;
5317 struct nft_data_desc desc;
5318 enum nft_registers dreg;
5319 struct nft_trans *trans;
5320 u64 timeout;
5321 u64 expiration;
5322 int err, i;
5323 u8 ulen;
5324
5325 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5326 nft_set_elem_policy, NULL);
5327 if (err < 0)
5328 return err;
5329
5330 if (nla[NFTA_SET_ELEM_KEY] == NULL)
5331 return -EINVAL;
5332
5333 nft_set_ext_prepare(&tmpl);
5334
5335 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5336 if (err < 0)
5337 return err;
5338 if (flags != 0)
5339 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5340
5341 if (set->flags & NFT_SET_MAP) {
5342 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
5343 !(flags & NFT_SET_ELEM_INTERVAL_END))
5344 return -EINVAL;
5345 } else {
5346 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5347 return -EINVAL;
5348 }
5349
5350 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
5351 (nla[NFTA_SET_ELEM_DATA] ||
5352 nla[NFTA_SET_ELEM_OBJREF] ||
5353 nla[NFTA_SET_ELEM_TIMEOUT] ||
5354 nla[NFTA_SET_ELEM_EXPIRATION] ||
5355 nla[NFTA_SET_ELEM_USERDATA] ||
5356 nla[NFTA_SET_ELEM_EXPR] ||
5357 nla[NFTA_SET_ELEM_EXPRESSIONS]))
5358 return -EINVAL;
5359
5360 timeout = 0;
5361 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
5362 if (!(set->flags & NFT_SET_TIMEOUT))
5363 return -EINVAL;
5364 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
5365 &timeout);
5366 if (err)
5367 return err;
5368 } else if (set->flags & NFT_SET_TIMEOUT) {
5369 timeout = set->timeout;
5370 }
5371
5372 expiration = 0;
5373 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
5374 if (!(set->flags & NFT_SET_TIMEOUT))
5375 return -EINVAL;
5376 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
5377 &expiration);
5378 if (err)
5379 return err;
5380 }
5381
5382 if (nla[NFTA_SET_ELEM_EXPR]) {
5383 struct nft_expr *expr;
5384
5385 if (set->num_exprs && set->num_exprs != 1)
5386 return -EOPNOTSUPP;
5387
5388 expr = nft_set_elem_expr_alloc(ctx, set,
5389 nla[NFTA_SET_ELEM_EXPR]);
5390 if (IS_ERR(expr))
5391 return PTR_ERR(expr);
5392
5393 expr_array[0] = expr;
5394 num_exprs = 1;
5395
5396 if (set->num_exprs && set->exprs[0]->ops != expr->ops) {
5397 err = -EOPNOTSUPP;
5398 goto err_set_elem_expr;
5399 }
5400 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) {
5401 struct nft_expr *expr;
5402 struct nlattr *tmp;
5403 int left;
5404
5405 i = 0;
5406 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) {
5407 if (i == NFT_SET_EXPR_MAX ||
5408 (set->num_exprs && set->num_exprs == i)) {
5409 err = -E2BIG;
5410 goto err_set_elem_expr;
5411 }
5412 if (nla_type(tmp) != NFTA_LIST_ELEM) {
5413 err = -EINVAL;
5414 goto err_set_elem_expr;
5415 }
5416 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
5417 if (IS_ERR(expr)) {
5418 err = PTR_ERR(expr);
5419 goto err_set_elem_expr;
5420 }
5421 expr_array[i] = expr;
5422 num_exprs++;
5423
5424 if (set->num_exprs && expr->ops != set->exprs[i]->ops) {
5425 err = -EOPNOTSUPP;
5426 goto err_set_elem_expr;
5427 }
5428 i++;
5429 }
5430 if (set->num_exprs && set->num_exprs != i) {
5431 err = -EOPNOTSUPP;
5432 goto err_set_elem_expr;
5433 }
5434 } else if (set->num_exprs > 0) {
5435 err = nft_set_elem_expr_clone(ctx, set, expr_array);
5436 if (err < 0)
5437 goto err_set_elem_expr_clone;
5438
5439 num_exprs = set->num_exprs;
5440 }
5441
5442 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5443 nla[NFTA_SET_ELEM_KEY]);
5444 if (err < 0)
5445 goto err_set_elem_expr;
5446
5447 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5448
5449 if (nla[NFTA_SET_ELEM_KEY_END]) {
5450 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5451 nla[NFTA_SET_ELEM_KEY_END]);
5452 if (err < 0)
5453 goto err_parse_key;
5454
5455 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5456 }
5457
5458 if (timeout > 0) {
5459 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
5460 if (timeout != set->timeout)
5461 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
5462 }
5463
5464 if (num_exprs) {
5465 for (i = 0; i < num_exprs; i++)
5466 size += expr_array[i]->ops->size;
5467
5468 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS,
5469 sizeof(struct nft_set_elem_expr) +
5470 size);
5471 }
5472
5473 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
5474 if (!(set->flags & NFT_SET_OBJECT)) {
5475 err = -EINVAL;
5476 goto err_parse_key_end;
5477 }
5478 obj = nft_obj_lookup(ctx->net, ctx->table,
5479 nla[NFTA_SET_ELEM_OBJREF],
5480 set->objtype, genmask);
5481 if (IS_ERR(obj)) {
5482 err = PTR_ERR(obj);
5483 goto err_parse_key_end;
5484 }
5485 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
5486 }
5487
5488 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
5489 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
5490 nla[NFTA_SET_ELEM_DATA]);
5491 if (err < 0)
5492 goto err_parse_key_end;
5493
5494 dreg = nft_type_to_reg(set->dtype);
5495 list_for_each_entry(binding, &set->bindings, list) {
5496 struct nft_ctx bind_ctx = {
5497 .net = ctx->net,
5498 .family = ctx->family,
5499 .table = ctx->table,
5500 .chain = (struct nft_chain *)binding->chain,
5501 };
5502
5503 if (!(binding->flags & NFT_SET_MAP))
5504 continue;
5505
5506 err = nft_validate_register_store(&bind_ctx, dreg,
5507 &elem.data.val,
5508 desc.type, desc.len);
5509 if (err < 0)
5510 goto err_parse_data;
5511
5512 if (desc.type == NFT_DATA_VERDICT &&
5513 (elem.data.val.verdict.code == NFT_GOTO ||
5514 elem.data.val.verdict.code == NFT_JUMP))
5515 nft_validate_state_update(ctx->net,
5516 NFT_VALIDATE_NEED);
5517 }
5518
5519 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
5520 }
5521
5522 /* The full maximum length of userdata can exceed the maximum
5523 * offset value (U8_MAX) for following extensions, therefor it
5524 * must be the last extension added.
5525 */
5526 ulen = 0;
5527 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
5528 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
5529 if (ulen > 0)
5530 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
5531 ulen);
5532 }
5533
5534 err = -ENOMEM;
5535 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5536 elem.key_end.val.data, elem.data.val.data,
5537 timeout, expiration, GFP_KERNEL);
5538 if (elem.priv == NULL)
5539 goto err_parse_data;
5540
5541 ext = nft_set_elem_ext(set, elem.priv);
5542 if (flags)
5543 *nft_set_ext_flags(ext) = flags;
5544 if (ulen > 0) {
5545 udata = nft_set_ext_userdata(ext);
5546 udata->len = ulen - 1;
5547 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
5548 }
5549 if (obj) {
5550 *nft_set_ext_obj(ext) = obj;
5551 obj->use++;
5552 }
5553 for (i = 0; i < num_exprs; i++)
5554 nft_set_elem_expr_setup(ext, i, expr_array);
5555
5556 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
5557 if (trans == NULL)
5558 goto err_trans;
5559
5560 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
5561 err = set->ops->insert(ctx->net, set, &elem, &ext2);
5562 if (err) {
5563 if (err == -EEXIST) {
5564 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
5565 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
5566 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
5567 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
5568 goto err_element_clash;
5569 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5570 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
5571 memcmp(nft_set_ext_data(ext),
5572 nft_set_ext_data(ext2), set->dlen) != 0) ||
5573 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5574 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
5575 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
5576 goto err_element_clash;
5577 else if (!(nlmsg_flags & NLM_F_EXCL))
5578 err = 0;
5579 } else if (err == -ENOTEMPTY) {
5580 /* ENOTEMPTY reports overlapping between this element
5581 * and an existing one.
5582 */
5583 err = -EEXIST;
5584 }
5585 goto err_element_clash;
5586 }
5587
5588 if (set->size &&
5589 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
5590 err = -ENFILE;
5591 goto err_set_full;
5592 }
5593
5594 nft_trans_elem(trans) = elem;
5595 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5596 return 0;
5597
5598 err_set_full:
5599 set->ops->remove(ctx->net, set, &elem);
5600 err_element_clash:
5601 kfree(trans);
5602 err_trans:
5603 if (obj)
5604 obj->use--;
5605
5606 nf_tables_set_elem_destroy(ctx, set, elem.priv);
5607 err_parse_data:
5608 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5609 nft_data_release(&elem.data.val, desc.type);
5610 err_parse_key_end:
5611 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
5612 err_parse_key:
5613 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5614 err_set_elem_expr:
5615 for (i = 0; i < num_exprs && expr_array[i]; i++)
5616 nft_expr_destroy(ctx, expr_array[i]);
5617 err_set_elem_expr_clone:
5618 return err;
5619 }
5620
5621 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
5622 struct sk_buff *skb, const struct nlmsghdr *nlh,
5623 const struct nlattr * const nla[],
5624 struct netlink_ext_ack *extack)
5625 {
5626 u8 genmask = nft_genmask_next(net);
5627 const struct nlattr *attr;
5628 struct nft_set *set;
5629 struct nft_ctx ctx;
5630 int rem, err;
5631
5632 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
5633 return -EINVAL;
5634
5635 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5636 genmask, NETLINK_CB(skb).portid);
5637 if (err < 0)
5638 return err;
5639
5640 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
5641 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
5642 if (IS_ERR(set))
5643 return PTR_ERR(set);
5644
5645 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5646 return -EBUSY;
5647
5648 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5649 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
5650 if (err < 0)
5651 return err;
5652 }
5653
5654 if (net->nft.validate_state == NFT_VALIDATE_DO)
5655 return nft_table_validate(net, ctx.table);
5656
5657 return 0;
5658 }
5659
5660 /**
5661 * nft_data_hold - hold a nft_data item
5662 *
5663 * @data: struct nft_data to release
5664 * @type: type of data
5665 *
5666 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
5667 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
5668 * NFT_GOTO verdicts. This function must be called on active data objects
5669 * from the second phase of the commit protocol.
5670 */
5671 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
5672 {
5673 struct nft_chain *chain;
5674 struct nft_rule *rule;
5675
5676 if (type == NFT_DATA_VERDICT) {
5677 switch (data->verdict.code) {
5678 case NFT_JUMP:
5679 case NFT_GOTO:
5680 chain = data->verdict.chain;
5681 chain->use++;
5682
5683 if (!nft_chain_is_bound(chain))
5684 break;
5685
5686 chain->table->use++;
5687 list_for_each_entry(rule, &chain->rules, list)
5688 chain->use++;
5689
5690 nft_chain_add(chain->table, chain);
5691 break;
5692 }
5693 }
5694 }
5695
5696 static void nft_set_elem_activate(const struct net *net,
5697 const struct nft_set *set,
5698 struct nft_set_elem *elem)
5699 {
5700 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5701
5702 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5703 nft_data_hold(nft_set_ext_data(ext), set->dtype);
5704 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5705 (*nft_set_ext_obj(ext))->use++;
5706 }
5707
5708 static void nft_set_elem_deactivate(const struct net *net,
5709 const struct nft_set *set,
5710 struct nft_set_elem *elem)
5711 {
5712 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5713
5714 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5715 nft_data_release(nft_set_ext_data(ext), set->dtype);
5716 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5717 (*nft_set_ext_obj(ext))->use--;
5718 }
5719
5720 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
5721 const struct nlattr *attr)
5722 {
5723 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5724 struct nft_set_ext_tmpl tmpl;
5725 struct nft_set_elem elem;
5726 struct nft_set_ext *ext;
5727 struct nft_trans *trans;
5728 u32 flags = 0;
5729 void *priv;
5730 int err;
5731
5732 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5733 nft_set_elem_policy, NULL);
5734 if (err < 0)
5735 return err;
5736
5737 if (nla[NFTA_SET_ELEM_KEY] == NULL)
5738 return -EINVAL;
5739
5740 nft_set_ext_prepare(&tmpl);
5741
5742 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5743 if (err < 0)
5744 return err;
5745 if (flags != 0)
5746 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5747
5748 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5749 nla[NFTA_SET_ELEM_KEY]);
5750 if (err < 0)
5751 return err;
5752
5753 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5754
5755 if (nla[NFTA_SET_ELEM_KEY_END]) {
5756 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5757 nla[NFTA_SET_ELEM_KEY_END]);
5758 if (err < 0)
5759 return err;
5760
5761 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5762 }
5763
5764 err = -ENOMEM;
5765 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5766 elem.key_end.val.data, NULL, 0, 0,
5767 GFP_KERNEL);
5768 if (elem.priv == NULL)
5769 goto fail_elem;
5770
5771 ext = nft_set_elem_ext(set, elem.priv);
5772 if (flags)
5773 *nft_set_ext_flags(ext) = flags;
5774
5775 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
5776 if (trans == NULL)
5777 goto fail_trans;
5778
5779 priv = set->ops->deactivate(ctx->net, set, &elem);
5780 if (priv == NULL) {
5781 err = -ENOENT;
5782 goto fail_ops;
5783 }
5784 kfree(elem.priv);
5785 elem.priv = priv;
5786
5787 nft_set_elem_deactivate(ctx->net, set, &elem);
5788
5789 nft_trans_elem(trans) = elem;
5790 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5791 return 0;
5792
5793 fail_ops:
5794 kfree(trans);
5795 fail_trans:
5796 kfree(elem.priv);
5797 fail_elem:
5798 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5799 return err;
5800 }
5801
5802 static int nft_flush_set(const struct nft_ctx *ctx,
5803 struct nft_set *set,
5804 const struct nft_set_iter *iter,
5805 struct nft_set_elem *elem)
5806 {
5807 struct nft_trans *trans;
5808 int err;
5809
5810 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
5811 sizeof(struct nft_trans_elem), GFP_ATOMIC);
5812 if (!trans)
5813 return -ENOMEM;
5814
5815 if (!set->ops->flush(ctx->net, set, elem->priv)) {
5816 err = -ENOENT;
5817 goto err1;
5818 }
5819 set->ndeact++;
5820
5821 nft_set_elem_deactivate(ctx->net, set, elem);
5822 nft_trans_elem_set(trans) = set;
5823 nft_trans_elem(trans) = *elem;
5824 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5825
5826 return 0;
5827 err1:
5828 kfree(trans);
5829 return err;
5830 }
5831
5832 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
5833 struct sk_buff *skb, const struct nlmsghdr *nlh,
5834 const struct nlattr * const nla[],
5835 struct netlink_ext_ack *extack)
5836 {
5837 u8 genmask = nft_genmask_next(net);
5838 const struct nlattr *attr;
5839 struct nft_set *set;
5840 struct nft_ctx ctx;
5841 int rem, err = 0;
5842
5843 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5844 genmask, NETLINK_CB(skb).portid);
5845 if (err < 0)
5846 return err;
5847
5848 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5849 if (IS_ERR(set))
5850 return PTR_ERR(set);
5851 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5852 return -EBUSY;
5853
5854 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
5855 struct nft_set_iter iter = {
5856 .genmask = genmask,
5857 .fn = nft_flush_set,
5858 };
5859 set->ops->walk(&ctx, set, &iter);
5860
5861 return iter.err;
5862 }
5863
5864 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5865 err = nft_del_setelem(&ctx, set, attr);
5866 if (err < 0)
5867 break;
5868
5869 set->ndeact++;
5870 }
5871 return err;
5872 }
5873
5874 void nft_set_gc_batch_release(struct rcu_head *rcu)
5875 {
5876 struct nft_set_gc_batch *gcb;
5877 unsigned int i;
5878
5879 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
5880 for (i = 0; i < gcb->head.cnt; i++)
5881 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
5882 kfree(gcb);
5883 }
5884
5885 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
5886 gfp_t gfp)
5887 {
5888 struct nft_set_gc_batch *gcb;
5889
5890 gcb = kzalloc(sizeof(*gcb), gfp);
5891 if (gcb == NULL)
5892 return gcb;
5893 gcb->head.set = set;
5894 return gcb;
5895 }
5896
5897 /*
5898 * Stateful objects
5899 */
5900
5901 /**
5902 * nft_register_obj- register nf_tables stateful object type
5903 * @obj_type: object type
5904 *
5905 * Registers the object type for use with nf_tables. Returns zero on
5906 * success or a negative errno code otherwise.
5907 */
5908 int nft_register_obj(struct nft_object_type *obj_type)
5909 {
5910 if (obj_type->type == NFT_OBJECT_UNSPEC)
5911 return -EINVAL;
5912
5913 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5914 list_add_rcu(&obj_type->list, &nf_tables_objects);
5915 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5916 return 0;
5917 }
5918 EXPORT_SYMBOL_GPL(nft_register_obj);
5919
5920 /**
5921 * nft_unregister_obj - unregister nf_tables object type
5922 * @obj_type: object type
5923 *
5924 * Unregisters the object type for use with nf_tables.
5925 */
5926 void nft_unregister_obj(struct nft_object_type *obj_type)
5927 {
5928 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5929 list_del_rcu(&obj_type->list);
5930 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5931 }
5932 EXPORT_SYMBOL_GPL(nft_unregister_obj);
5933
5934 struct nft_object *nft_obj_lookup(const struct net *net,
5935 const struct nft_table *table,
5936 const struct nlattr *nla, u32 objtype,
5937 u8 genmask)
5938 {
5939 struct nft_object_hash_key k = { .table = table };
5940 char search[NFT_OBJ_MAXNAMELEN];
5941 struct rhlist_head *tmp, *list;
5942 struct nft_object *obj;
5943
5944 nla_strscpy(search, nla, sizeof(search));
5945 k.name = search;
5946
5947 WARN_ON_ONCE(!rcu_read_lock_held() &&
5948 !lockdep_commit_lock_is_held(net));
5949
5950 rcu_read_lock();
5951 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
5952 if (!list)
5953 goto out;
5954
5955 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
5956 if (objtype == obj->ops->type->type &&
5957 nft_active_genmask(obj, genmask)) {
5958 rcu_read_unlock();
5959 return obj;
5960 }
5961 }
5962 out:
5963 rcu_read_unlock();
5964 return ERR_PTR(-ENOENT);
5965 }
5966 EXPORT_SYMBOL_GPL(nft_obj_lookup);
5967
5968 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
5969 const struct nlattr *nla,
5970 u32 objtype, u8 genmask)
5971 {
5972 struct nft_object *obj;
5973
5974 list_for_each_entry(obj, &table->objects, list) {
5975 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
5976 objtype == obj->ops->type->type &&
5977 nft_active_genmask(obj, genmask))
5978 return obj;
5979 }
5980 return ERR_PTR(-ENOENT);
5981 }
5982
5983 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
5984 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
5985 .len = NFT_TABLE_MAXNAMELEN - 1 },
5986 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
5987 .len = NFT_OBJ_MAXNAMELEN - 1 },
5988 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
5989 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
5990 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
5991 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY,
5992 .len = NFT_USERDATA_MAXLEN },
5993 };
5994
5995 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
5996 const struct nft_object_type *type,
5997 const struct nlattr *attr)
5998 {
5999 struct nlattr **tb;
6000 const struct nft_object_ops *ops;
6001 struct nft_object *obj;
6002 int err = -ENOMEM;
6003
6004 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
6005 if (!tb)
6006 goto err1;
6007
6008 if (attr) {
6009 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
6010 type->policy, NULL);
6011 if (err < 0)
6012 goto err2;
6013 } else {
6014 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
6015 }
6016
6017 if (type->select_ops) {
6018 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
6019 if (IS_ERR(ops)) {
6020 err = PTR_ERR(ops);
6021 goto err2;
6022 }
6023 } else {
6024 ops = type->ops;
6025 }
6026
6027 err = -ENOMEM;
6028 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
6029 if (!obj)
6030 goto err2;
6031
6032 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
6033 if (err < 0)
6034 goto err3;
6035
6036 obj->ops = ops;
6037
6038 kfree(tb);
6039 return obj;
6040 err3:
6041 kfree(obj);
6042 err2:
6043 kfree(tb);
6044 err1:
6045 return ERR_PTR(err);
6046 }
6047
6048 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
6049 struct nft_object *obj, bool reset)
6050 {
6051 struct nlattr *nest;
6052
6053 nest = nla_nest_start_noflag(skb, attr);
6054 if (!nest)
6055 goto nla_put_failure;
6056 if (obj->ops->dump(skb, obj, reset) < 0)
6057 goto nla_put_failure;
6058 nla_nest_end(skb, nest);
6059 return 0;
6060
6061 nla_put_failure:
6062 return -1;
6063 }
6064
6065 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
6066 {
6067 const struct nft_object_type *type;
6068
6069 list_for_each_entry(type, &nf_tables_objects, list) {
6070 if (objtype == type->type)
6071 return type;
6072 }
6073 return NULL;
6074 }
6075
6076 static const struct nft_object_type *
6077 nft_obj_type_get(struct net *net, u32 objtype)
6078 {
6079 const struct nft_object_type *type;
6080
6081 type = __nft_obj_type_get(objtype);
6082 if (type != NULL && try_module_get(type->owner))
6083 return type;
6084
6085 lockdep_nfnl_nft_mutex_not_held();
6086 #ifdef CONFIG_MODULES
6087 if (type == NULL) {
6088 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
6089 return ERR_PTR(-EAGAIN);
6090 }
6091 #endif
6092 return ERR_PTR(-ENOENT);
6093 }
6094
6095 static int nf_tables_updobj(const struct nft_ctx *ctx,
6096 const struct nft_object_type *type,
6097 const struct nlattr *attr,
6098 struct nft_object *obj)
6099 {
6100 struct nft_object *newobj;
6101 struct nft_trans *trans;
6102 int err;
6103
6104 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
6105 sizeof(struct nft_trans_obj));
6106 if (!trans)
6107 return -ENOMEM;
6108
6109 newobj = nft_obj_init(ctx, type, attr);
6110 if (IS_ERR(newobj)) {
6111 err = PTR_ERR(newobj);
6112 goto err_free_trans;
6113 }
6114
6115 nft_trans_obj(trans) = obj;
6116 nft_trans_obj_update(trans) = true;
6117 nft_trans_obj_newobj(trans) = newobj;
6118 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
6119
6120 return 0;
6121
6122 err_free_trans:
6123 kfree(trans);
6124 return err;
6125 }
6126
6127 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
6128 struct sk_buff *skb, const struct nlmsghdr *nlh,
6129 const struct nlattr * const nla[],
6130 struct netlink_ext_ack *extack)
6131 {
6132 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6133 const struct nft_object_type *type;
6134 u8 genmask = nft_genmask_next(net);
6135 int family = nfmsg->nfgen_family;
6136 struct nft_table *table;
6137 struct nft_object *obj;
6138 struct nft_ctx ctx;
6139 u32 objtype;
6140 int err;
6141
6142 if (!nla[NFTA_OBJ_TYPE] ||
6143 !nla[NFTA_OBJ_NAME] ||
6144 !nla[NFTA_OBJ_DATA])
6145 return -EINVAL;
6146
6147 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
6148 NETLINK_CB(skb).portid);
6149 if (IS_ERR(table)) {
6150 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6151 return PTR_ERR(table);
6152 }
6153
6154 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6155 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
6156 if (IS_ERR(obj)) {
6157 err = PTR_ERR(obj);
6158 if (err != -ENOENT) {
6159 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6160 return err;
6161 }
6162 } else {
6163 if (nlh->nlmsg_flags & NLM_F_EXCL) {
6164 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6165 return -EEXIST;
6166 }
6167 if (nlh->nlmsg_flags & NLM_F_REPLACE)
6168 return -EOPNOTSUPP;
6169
6170 type = __nft_obj_type_get(objtype);
6171 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6172
6173 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
6174 }
6175
6176 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6177
6178 type = nft_obj_type_get(net, objtype);
6179 if (IS_ERR(type))
6180 return PTR_ERR(type);
6181
6182 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
6183 if (IS_ERR(obj)) {
6184 err = PTR_ERR(obj);
6185 goto err_init;
6186 }
6187 obj->key.table = table;
6188 obj->handle = nf_tables_alloc_handle(table);
6189
6190 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
6191 if (!obj->key.name) {
6192 err = -ENOMEM;
6193 goto err_strdup;
6194 }
6195
6196 if (nla[NFTA_OBJ_USERDATA]) {
6197 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL);
6198 if (obj->udata == NULL)
6199 goto err_userdata;
6200
6201 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
6202 }
6203
6204 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
6205 if (err < 0)
6206 goto err_trans;
6207
6208 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
6209 nft_objname_ht_params);
6210 if (err < 0)
6211 goto err_obj_ht;
6212
6213 list_add_tail_rcu(&obj->list, &table->objects);
6214 table->use++;
6215 return 0;
6216 err_obj_ht:
6217 /* queued in transaction log */
6218 INIT_LIST_HEAD(&obj->list);
6219 return err;
6220 err_trans:
6221 kfree(obj->key.name);
6222 err_userdata:
6223 kfree(obj->udata);
6224 err_strdup:
6225 if (obj->ops->destroy)
6226 obj->ops->destroy(&ctx, obj);
6227 kfree(obj);
6228 err_init:
6229 module_put(type->owner);
6230 return err;
6231 }
6232
6233 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
6234 u32 portid, u32 seq, int event, u32 flags,
6235 int family, const struct nft_table *table,
6236 struct nft_object *obj, bool reset)
6237 {
6238 struct nfgenmsg *nfmsg;
6239 struct nlmsghdr *nlh;
6240
6241 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6242 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
6243 if (nlh == NULL)
6244 goto nla_put_failure;
6245
6246 nfmsg = nlmsg_data(nlh);
6247 nfmsg->nfgen_family = family;
6248 nfmsg->version = NFNETLINK_V0;
6249 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6250
6251 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
6252 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
6253 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
6254 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
6255 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
6256 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
6257 NFTA_OBJ_PAD))
6258 goto nla_put_failure;
6259
6260 if (obj->udata &&
6261 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
6262 goto nla_put_failure;
6263
6264 nlmsg_end(skb, nlh);
6265 return 0;
6266
6267 nla_put_failure:
6268 nlmsg_trim(skb, nlh);
6269 return -1;
6270 }
6271
6272 struct nft_obj_filter {
6273 char *table;
6274 u32 type;
6275 };
6276
6277 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
6278 {
6279 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6280 const struct nft_table *table;
6281 unsigned int idx = 0, s_idx = cb->args[0];
6282 struct nft_obj_filter *filter = cb->data;
6283 struct net *net = sock_net(skb->sk);
6284 int family = nfmsg->nfgen_family;
6285 struct nft_object *obj;
6286 bool reset = false;
6287
6288 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
6289 reset = true;
6290
6291 rcu_read_lock();
6292 cb->seq = net->nft.base_seq;
6293
6294 list_for_each_entry_rcu(table, &net->nft.tables, list) {
6295 if (family != NFPROTO_UNSPEC && family != table->family)
6296 continue;
6297
6298 list_for_each_entry_rcu(obj, &table->objects, list) {
6299 if (!nft_is_active(net, obj))
6300 goto cont;
6301 if (idx < s_idx)
6302 goto cont;
6303 if (idx > s_idx)
6304 memset(&cb->args[1], 0,
6305 sizeof(cb->args) - sizeof(cb->args[0]));
6306 if (filter && filter->table &&
6307 strcmp(filter->table, table->name))
6308 goto cont;
6309 if (filter &&
6310 filter->type != NFT_OBJECT_UNSPEC &&
6311 obj->ops->type->type != filter->type)
6312 goto cont;
6313
6314 if (reset) {
6315 char *buf = kasprintf(GFP_ATOMIC,
6316 "%s:%llu;?:0",
6317 table->name,
6318 table->handle);
6319
6320 audit_log_nfcfg(buf,
6321 family,
6322 obj->handle,
6323 AUDIT_NFT_OP_OBJ_RESET,
6324 GFP_ATOMIC);
6325 kfree(buf);
6326 }
6327
6328 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
6329 cb->nlh->nlmsg_seq,
6330 NFT_MSG_NEWOBJ,
6331 NLM_F_MULTI | NLM_F_APPEND,
6332 table->family, table,
6333 obj, reset) < 0)
6334 goto done;
6335
6336 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6337 cont:
6338 idx++;
6339 }
6340 }
6341 done:
6342 rcu_read_unlock();
6343
6344 cb->args[0] = idx;
6345 return skb->len;
6346 }
6347
6348 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
6349 {
6350 const struct nlattr * const *nla = cb->data;
6351 struct nft_obj_filter *filter = NULL;
6352
6353 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
6354 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6355 if (!filter)
6356 return -ENOMEM;
6357
6358 if (nla[NFTA_OBJ_TABLE]) {
6359 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
6360 if (!filter->table) {
6361 kfree(filter);
6362 return -ENOMEM;
6363 }
6364 }
6365
6366 if (nla[NFTA_OBJ_TYPE])
6367 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6368 }
6369
6370 cb->data = filter;
6371 return 0;
6372 }
6373
6374 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
6375 {
6376 struct nft_obj_filter *filter = cb->data;
6377
6378 if (filter) {
6379 kfree(filter->table);
6380 kfree(filter);
6381 }
6382
6383 return 0;
6384 }
6385
6386 /* called with rcu_read_lock held */
6387 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
6388 struct sk_buff *skb, const struct nlmsghdr *nlh,
6389 const struct nlattr * const nla[],
6390 struct netlink_ext_ack *extack)
6391 {
6392 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6393 u8 genmask = nft_genmask_cur(net);
6394 int family = nfmsg->nfgen_family;
6395 const struct nft_table *table;
6396 struct nft_object *obj;
6397 struct sk_buff *skb2;
6398 bool reset = false;
6399 u32 objtype;
6400 int err;
6401
6402 if (nlh->nlmsg_flags & NLM_F_DUMP) {
6403 struct netlink_dump_control c = {
6404 .start = nf_tables_dump_obj_start,
6405 .dump = nf_tables_dump_obj,
6406 .done = nf_tables_dump_obj_done,
6407 .module = THIS_MODULE,
6408 .data = (void *)nla,
6409 };
6410
6411 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
6412 }
6413
6414 if (!nla[NFTA_OBJ_NAME] ||
6415 !nla[NFTA_OBJ_TYPE])
6416 return -EINVAL;
6417
6418 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0);
6419 if (IS_ERR(table)) {
6420 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6421 return PTR_ERR(table);
6422 }
6423
6424 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6425 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
6426 if (IS_ERR(obj)) {
6427 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6428 return PTR_ERR(obj);
6429 }
6430
6431 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6432 if (!skb2)
6433 return -ENOMEM;
6434
6435 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
6436 reset = true;
6437
6438 if (reset) {
6439 char *buf = kasprintf(GFP_ATOMIC, "%s:%llu;?:0",
6440 table->name, table->handle);
6441
6442 audit_log_nfcfg(buf,
6443 family,
6444 obj->handle,
6445 AUDIT_NFT_OP_OBJ_RESET,
6446 GFP_ATOMIC);
6447 kfree(buf);
6448 }
6449
6450 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
6451 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
6452 family, table, obj, reset);
6453 if (err < 0)
6454 goto err_fill_obj_info;
6455
6456 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
6457
6458 err_fill_obj_info:
6459 kfree_skb(skb2);
6460 return err;
6461 }
6462
6463 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
6464 {
6465 if (obj->ops->destroy)
6466 obj->ops->destroy(ctx, obj);
6467
6468 module_put(obj->ops->type->owner);
6469 kfree(obj->key.name);
6470 kfree(obj->udata);
6471 kfree(obj);
6472 }
6473
6474 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
6475 struct sk_buff *skb, const struct nlmsghdr *nlh,
6476 const struct nlattr * const nla[],
6477 struct netlink_ext_ack *extack)
6478 {
6479 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6480 u8 genmask = nft_genmask_next(net);
6481 int family = nfmsg->nfgen_family;
6482 const struct nlattr *attr;
6483 struct nft_table *table;
6484 struct nft_object *obj;
6485 struct nft_ctx ctx;
6486 u32 objtype;
6487
6488 if (!nla[NFTA_OBJ_TYPE] ||
6489 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
6490 return -EINVAL;
6491
6492 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
6493 NETLINK_CB(skb).portid);
6494 if (IS_ERR(table)) {
6495 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6496 return PTR_ERR(table);
6497 }
6498
6499 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6500 if (nla[NFTA_OBJ_HANDLE]) {
6501 attr = nla[NFTA_OBJ_HANDLE];
6502 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
6503 } else {
6504 attr = nla[NFTA_OBJ_NAME];
6505 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
6506 }
6507
6508 if (IS_ERR(obj)) {
6509 NL_SET_BAD_ATTR(extack, attr);
6510 return PTR_ERR(obj);
6511 }
6512 if (obj->use > 0) {
6513 NL_SET_BAD_ATTR(extack, attr);
6514 return -EBUSY;
6515 }
6516
6517 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6518
6519 return nft_delobj(&ctx, obj);
6520 }
6521
6522 void nft_obj_notify(struct net *net, const struct nft_table *table,
6523 struct nft_object *obj, u32 portid, u32 seq, int event,
6524 int family, int report, gfp_t gfp)
6525 {
6526 struct sk_buff *skb;
6527 int err;
6528 char *buf = kasprintf(gfp, "%s:%llu;?:0",
6529 table->name, table->handle);
6530
6531 audit_log_nfcfg(buf,
6532 family,
6533 obj->handle,
6534 event == NFT_MSG_NEWOBJ ?
6535 AUDIT_NFT_OP_OBJ_REGISTER :
6536 AUDIT_NFT_OP_OBJ_UNREGISTER,
6537 gfp);
6538 kfree(buf);
6539
6540 if (!report &&
6541 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6542 return;
6543
6544 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
6545 if (skb == NULL)
6546 goto err;
6547
6548 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
6549 table, obj, false);
6550 if (err < 0) {
6551 kfree_skb(skb);
6552 goto err;
6553 }
6554
6555 nft_notify_enqueue(skb, report, &net->nft.notify_list);
6556 return;
6557 err:
6558 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
6559 }
6560 EXPORT_SYMBOL_GPL(nft_obj_notify);
6561
6562 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
6563 struct nft_object *obj, int event)
6564 {
6565 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
6566 ctx->family, ctx->report, GFP_KERNEL);
6567 }
6568
6569 /*
6570 * Flow tables
6571 */
6572 void nft_register_flowtable_type(struct nf_flowtable_type *type)
6573 {
6574 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6575 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
6576 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6577 }
6578 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
6579
6580 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
6581 {
6582 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6583 list_del_rcu(&type->list);
6584 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6585 }
6586 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
6587
6588 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
6589 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
6590 .len = NFT_NAME_MAXLEN - 1 },
6591 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
6592 .len = NFT_NAME_MAXLEN - 1 },
6593 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
6594 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
6595 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
6596 };
6597
6598 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
6599 const struct nlattr *nla, u8 genmask)
6600 {
6601 struct nft_flowtable *flowtable;
6602
6603 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6604 if (!nla_strcmp(nla, flowtable->name) &&
6605 nft_active_genmask(flowtable, genmask))
6606 return flowtable;
6607 }
6608 return ERR_PTR(-ENOENT);
6609 }
6610 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
6611
6612 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
6613 struct nft_flowtable *flowtable,
6614 enum nft_trans_phase phase)
6615 {
6616 switch (phase) {
6617 case NFT_TRANS_PREPARE:
6618 case NFT_TRANS_ABORT:
6619 case NFT_TRANS_RELEASE:
6620 flowtable->use--;
6621 fallthrough;
6622 default:
6623 return;
6624 }
6625 }
6626 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
6627
6628 static struct nft_flowtable *
6629 nft_flowtable_lookup_byhandle(const struct nft_table *table,
6630 const struct nlattr *nla, u8 genmask)
6631 {
6632 struct nft_flowtable *flowtable;
6633
6634 list_for_each_entry(flowtable, &table->flowtables, list) {
6635 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
6636 nft_active_genmask(flowtable, genmask))
6637 return flowtable;
6638 }
6639 return ERR_PTR(-ENOENT);
6640 }
6641
6642 struct nft_flowtable_hook {
6643 u32 num;
6644 int priority;
6645 struct list_head list;
6646 };
6647
6648 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
6649 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
6650 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
6651 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
6652 };
6653
6654 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
6655 const struct nlattr *attr,
6656 struct nft_flowtable_hook *flowtable_hook,
6657 struct nft_flowtable *flowtable, bool add)
6658 {
6659 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
6660 struct nft_hook *hook;
6661 int hooknum, priority;
6662 int err;
6663
6664 INIT_LIST_HEAD(&flowtable_hook->list);
6665
6666 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
6667 nft_flowtable_hook_policy, NULL);
6668 if (err < 0)
6669 return err;
6670
6671 if (add) {
6672 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
6673 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY])
6674 return -EINVAL;
6675
6676 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
6677 if (hooknum != NF_NETDEV_INGRESS)
6678 return -EOPNOTSUPP;
6679
6680 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
6681
6682 flowtable_hook->priority = priority;
6683 flowtable_hook->num = hooknum;
6684 } else {
6685 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
6686 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
6687 if (hooknum != flowtable->hooknum)
6688 return -EOPNOTSUPP;
6689 }
6690
6691 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
6692 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
6693 if (priority != flowtable->data.priority)
6694 return -EOPNOTSUPP;
6695 }
6696
6697 flowtable_hook->priority = flowtable->data.priority;
6698 flowtable_hook->num = flowtable->hooknum;
6699 }
6700
6701 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
6702 err = nf_tables_parse_netdev_hooks(ctx->net,
6703 tb[NFTA_FLOWTABLE_HOOK_DEVS],
6704 &flowtable_hook->list);
6705 if (err < 0)
6706 return err;
6707 }
6708
6709 list_for_each_entry(hook, &flowtable_hook->list, list) {
6710 hook->ops.pf = NFPROTO_NETDEV;
6711 hook->ops.hooknum = flowtable_hook->num;
6712 hook->ops.priority = flowtable_hook->priority;
6713 hook->ops.priv = &flowtable->data;
6714 hook->ops.hook = flowtable->data.type->hook;
6715 }
6716
6717 return err;
6718 }
6719
6720 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
6721 {
6722 const struct nf_flowtable_type *type;
6723
6724 list_for_each_entry(type, &nf_tables_flowtables, list) {
6725 if (family == type->family)
6726 return type;
6727 }
6728 return NULL;
6729 }
6730
6731 static const struct nf_flowtable_type *
6732 nft_flowtable_type_get(struct net *net, u8 family)
6733 {
6734 const struct nf_flowtable_type *type;
6735
6736 type = __nft_flowtable_type_get(family);
6737 if (type != NULL && try_module_get(type->owner))
6738 return type;
6739
6740 lockdep_nfnl_nft_mutex_not_held();
6741 #ifdef CONFIG_MODULES
6742 if (type == NULL) {
6743 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
6744 return ERR_PTR(-EAGAIN);
6745 }
6746 #endif
6747 return ERR_PTR(-ENOENT);
6748 }
6749
6750 /* Only called from error and netdev event paths. */
6751 static void nft_unregister_flowtable_hook(struct net *net,
6752 struct nft_flowtable *flowtable,
6753 struct nft_hook *hook)
6754 {
6755 nf_unregister_net_hook(net, &hook->ops);
6756 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
6757 FLOW_BLOCK_UNBIND);
6758 }
6759
6760 static void nft_unregister_flowtable_net_hooks(struct net *net,
6761 struct list_head *hook_list)
6762 {
6763 struct nft_hook *hook;
6764
6765 list_for_each_entry(hook, hook_list, list)
6766 nf_unregister_net_hook(net, &hook->ops);
6767 }
6768
6769 static int nft_register_flowtable_net_hooks(struct net *net,
6770 struct nft_table *table,
6771 struct list_head *hook_list,
6772 struct nft_flowtable *flowtable)
6773 {
6774 struct nft_hook *hook, *hook2, *next;
6775 struct nft_flowtable *ft;
6776 int err, i = 0;
6777
6778 list_for_each_entry(hook, hook_list, list) {
6779 list_for_each_entry(ft, &table->flowtables, list) {
6780 list_for_each_entry(hook2, &ft->hook_list, list) {
6781 if (hook->ops.dev == hook2->ops.dev &&
6782 hook->ops.pf == hook2->ops.pf) {
6783 err = -EEXIST;
6784 goto err_unregister_net_hooks;
6785 }
6786 }
6787 }
6788
6789 err = flowtable->data.type->setup(&flowtable->data,
6790 hook->ops.dev,
6791 FLOW_BLOCK_BIND);
6792 if (err < 0)
6793 goto err_unregister_net_hooks;
6794
6795 err = nf_register_net_hook(net, &hook->ops);
6796 if (err < 0) {
6797 flowtable->data.type->setup(&flowtable->data,
6798 hook->ops.dev,
6799 FLOW_BLOCK_UNBIND);
6800 goto err_unregister_net_hooks;
6801 }
6802
6803 i++;
6804 }
6805
6806 return 0;
6807
6808 err_unregister_net_hooks:
6809 list_for_each_entry_safe(hook, next, hook_list, list) {
6810 if (i-- <= 0)
6811 break;
6812
6813 nft_unregister_flowtable_hook(net, flowtable, hook);
6814 list_del_rcu(&hook->list);
6815 kfree_rcu(hook, rcu);
6816 }
6817
6818 return err;
6819 }
6820
6821 static void nft_flowtable_hooks_destroy(struct list_head *hook_list)
6822 {
6823 struct nft_hook *hook, *next;
6824
6825 list_for_each_entry_safe(hook, next, hook_list, list) {
6826 list_del_rcu(&hook->list);
6827 kfree_rcu(hook, rcu);
6828 }
6829 }
6830
6831 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
6832 struct nft_flowtable *flowtable)
6833 {
6834 const struct nlattr * const *nla = ctx->nla;
6835 struct nft_flowtable_hook flowtable_hook;
6836 struct nft_hook *hook, *next;
6837 struct nft_trans *trans;
6838 bool unregister = false;
6839 int err;
6840
6841 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
6842 &flowtable_hook, flowtable, false);
6843 if (err < 0)
6844 return err;
6845
6846 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
6847 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
6848 list_del(&hook->list);
6849 kfree(hook);
6850 }
6851 }
6852
6853 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
6854 &flowtable_hook.list, flowtable);
6855 if (err < 0)
6856 goto err_flowtable_update_hook;
6857
6858 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
6859 sizeof(struct nft_trans_flowtable));
6860 if (!trans) {
6861 unregister = true;
6862 err = -ENOMEM;
6863 goto err_flowtable_update_hook;
6864 }
6865
6866 nft_trans_flowtable(trans) = flowtable;
6867 nft_trans_flowtable_update(trans) = true;
6868 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
6869 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
6870
6871 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
6872
6873 return 0;
6874
6875 err_flowtable_update_hook:
6876 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
6877 if (unregister)
6878 nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
6879 list_del_rcu(&hook->list);
6880 kfree_rcu(hook, rcu);
6881 }
6882
6883 return err;
6884
6885 }
6886
6887 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
6888 struct sk_buff *skb,
6889 const struct nlmsghdr *nlh,
6890 const struct nlattr * const nla[],
6891 struct netlink_ext_ack *extack)
6892 {
6893 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6894 struct nft_flowtable_hook flowtable_hook;
6895 const struct nf_flowtable_type *type;
6896 u8 genmask = nft_genmask_next(net);
6897 int family = nfmsg->nfgen_family;
6898 struct nft_flowtable *flowtable;
6899 struct nft_hook *hook, *next;
6900 struct nft_table *table;
6901 struct nft_ctx ctx;
6902 int err;
6903
6904 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6905 !nla[NFTA_FLOWTABLE_NAME] ||
6906 !nla[NFTA_FLOWTABLE_HOOK])
6907 return -EINVAL;
6908
6909 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6910 genmask, NETLINK_CB(skb).portid);
6911 if (IS_ERR(table)) {
6912 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6913 return PTR_ERR(table);
6914 }
6915
6916 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6917 genmask);
6918 if (IS_ERR(flowtable)) {
6919 err = PTR_ERR(flowtable);
6920 if (err != -ENOENT) {
6921 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6922 return err;
6923 }
6924 } else {
6925 if (nlh->nlmsg_flags & NLM_F_EXCL) {
6926 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6927 return -EEXIST;
6928 }
6929
6930 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6931
6932 return nft_flowtable_update(&ctx, nlh, flowtable);
6933 }
6934
6935 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6936
6937 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
6938 if (!flowtable)
6939 return -ENOMEM;
6940
6941 flowtable->table = table;
6942 flowtable->handle = nf_tables_alloc_handle(table);
6943 INIT_LIST_HEAD(&flowtable->hook_list);
6944
6945 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
6946 if (!flowtable->name) {
6947 err = -ENOMEM;
6948 goto err1;
6949 }
6950
6951 type = nft_flowtable_type_get(net, family);
6952 if (IS_ERR(type)) {
6953 err = PTR_ERR(type);
6954 goto err2;
6955 }
6956
6957 if (nla[NFTA_FLOWTABLE_FLAGS]) {
6958 flowtable->data.flags =
6959 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
6960 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK)
6961 goto err3;
6962 }
6963
6964 write_pnet(&flowtable->data.net, net);
6965 flowtable->data.type = type;
6966 err = type->init(&flowtable->data);
6967 if (err < 0)
6968 goto err3;
6969
6970 err = nft_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
6971 &flowtable_hook, flowtable, true);
6972 if (err < 0)
6973 goto err4;
6974
6975 list_splice(&flowtable_hook.list, &flowtable->hook_list);
6976 flowtable->data.priority = flowtable_hook.priority;
6977 flowtable->hooknum = flowtable_hook.num;
6978
6979 err = nft_register_flowtable_net_hooks(ctx.net, table,
6980 &flowtable->hook_list,
6981 flowtable);
6982 if (err < 0) {
6983 nft_flowtable_hooks_destroy(&flowtable->hook_list);
6984 goto err4;
6985 }
6986
6987 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
6988 if (err < 0)
6989 goto err5;
6990
6991 list_add_tail_rcu(&flowtable->list, &table->flowtables);
6992 table->use++;
6993
6994 return 0;
6995 err5:
6996 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6997 nft_unregister_flowtable_hook(net, flowtable, hook);
6998 list_del_rcu(&hook->list);
6999 kfree_rcu(hook, rcu);
7000 }
7001 err4:
7002 flowtable->data.type->free(&flowtable->data);
7003 err3:
7004 module_put(type->owner);
7005 err2:
7006 kfree(flowtable->name);
7007 err1:
7008 kfree(flowtable);
7009 return err;
7010 }
7011
7012 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
7013 {
7014 struct nft_hook *this, *next;
7015
7016 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
7017 list_del(&this->list);
7018 kfree(this);
7019 }
7020 }
7021
7022 static int nft_delflowtable_hook(struct nft_ctx *ctx,
7023 struct nft_flowtable *flowtable)
7024 {
7025 const struct nlattr * const *nla = ctx->nla;
7026 struct nft_flowtable_hook flowtable_hook;
7027 struct nft_hook *this, *hook;
7028 struct nft_trans *trans;
7029 int err;
7030
7031 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
7032 &flowtable_hook, flowtable, false);
7033 if (err < 0)
7034 return err;
7035
7036 list_for_each_entry(this, &flowtable_hook.list, list) {
7037 hook = nft_hook_list_find(&flowtable->hook_list, this);
7038 if (!hook) {
7039 err = -ENOENT;
7040 goto err_flowtable_del_hook;
7041 }
7042 hook->inactive = true;
7043 }
7044
7045 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
7046 sizeof(struct nft_trans_flowtable));
7047 if (!trans) {
7048 err = -ENOMEM;
7049 goto err_flowtable_del_hook;
7050 }
7051
7052 nft_trans_flowtable(trans) = flowtable;
7053 nft_trans_flowtable_update(trans) = true;
7054 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
7055 nft_flowtable_hook_release(&flowtable_hook);
7056
7057 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
7058
7059 return 0;
7060
7061 err_flowtable_del_hook:
7062 list_for_each_entry(this, &flowtable_hook.list, list) {
7063 hook = nft_hook_list_find(&flowtable->hook_list, this);
7064 if (!hook)
7065 break;
7066
7067 hook->inactive = false;
7068 }
7069 nft_flowtable_hook_release(&flowtable_hook);
7070
7071 return err;
7072 }
7073
7074 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
7075 struct sk_buff *skb,
7076 const struct nlmsghdr *nlh,
7077 const struct nlattr * const nla[],
7078 struct netlink_ext_ack *extack)
7079 {
7080 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
7081 u8 genmask = nft_genmask_next(net);
7082 int family = nfmsg->nfgen_family;
7083 struct nft_flowtable *flowtable;
7084 const struct nlattr *attr;
7085 struct nft_table *table;
7086 struct nft_ctx ctx;
7087
7088 if (!nla[NFTA_FLOWTABLE_TABLE] ||
7089 (!nla[NFTA_FLOWTABLE_NAME] &&
7090 !nla[NFTA_FLOWTABLE_HANDLE]))
7091 return -EINVAL;
7092
7093 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
7094 genmask, NETLINK_CB(skb).portid);
7095 if (IS_ERR(table)) {
7096 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
7097 return PTR_ERR(table);
7098 }
7099
7100 if (nla[NFTA_FLOWTABLE_HANDLE]) {
7101 attr = nla[NFTA_FLOWTABLE_HANDLE];
7102 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
7103 } else {
7104 attr = nla[NFTA_FLOWTABLE_NAME];
7105 flowtable = nft_flowtable_lookup(table, attr, genmask);
7106 }
7107
7108 if (IS_ERR(flowtable)) {
7109 NL_SET_BAD_ATTR(extack, attr);
7110 return PTR_ERR(flowtable);
7111 }
7112
7113 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
7114
7115 if (nla[NFTA_FLOWTABLE_HOOK])
7116 return nft_delflowtable_hook(&ctx, flowtable);
7117
7118 if (flowtable->use > 0) {
7119 NL_SET_BAD_ATTR(extack, attr);
7120 return -EBUSY;
7121 }
7122
7123 return nft_delflowtable(&ctx, flowtable);
7124 }
7125
7126 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
7127 u32 portid, u32 seq, int event,
7128 u32 flags, int family,
7129 struct nft_flowtable *flowtable,
7130 struct list_head *hook_list)
7131 {
7132 struct nlattr *nest, *nest_devs;
7133 struct nfgenmsg *nfmsg;
7134 struct nft_hook *hook;
7135 struct nlmsghdr *nlh;
7136
7137 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
7138 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
7139 if (nlh == NULL)
7140 goto nla_put_failure;
7141
7142 nfmsg = nlmsg_data(nlh);
7143 nfmsg->nfgen_family = family;
7144 nfmsg->version = NFNETLINK_V0;
7145 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
7146
7147 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
7148 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
7149 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
7150 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
7151 NFTA_FLOWTABLE_PAD) ||
7152 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
7153 goto nla_put_failure;
7154
7155 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
7156 if (!nest)
7157 goto nla_put_failure;
7158 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
7159 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
7160 goto nla_put_failure;
7161
7162 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
7163 if (!nest_devs)
7164 goto nla_put_failure;
7165
7166 list_for_each_entry_rcu(hook, hook_list, list) {
7167 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
7168 goto nla_put_failure;
7169 }
7170 nla_nest_end(skb, nest_devs);
7171 nla_nest_end(skb, nest);
7172
7173 nlmsg_end(skb, nlh);
7174 return 0;
7175
7176 nla_put_failure:
7177 nlmsg_trim(skb, nlh);
7178 return -1;
7179 }
7180
7181 struct nft_flowtable_filter {
7182 char *table;
7183 };
7184
7185 static int nf_tables_dump_flowtable(struct sk_buff *skb,
7186 struct netlink_callback *cb)
7187 {
7188 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
7189 struct nft_flowtable_filter *filter = cb->data;
7190 unsigned int idx = 0, s_idx = cb->args[0];
7191 struct net *net = sock_net(skb->sk);
7192 int family = nfmsg->nfgen_family;
7193 struct nft_flowtable *flowtable;
7194 const struct nft_table *table;
7195
7196 rcu_read_lock();
7197 cb->seq = net->nft.base_seq;
7198
7199 list_for_each_entry_rcu(table, &net->nft.tables, list) {
7200 if (family != NFPROTO_UNSPEC && family != table->family)
7201 continue;
7202
7203 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
7204 if (!nft_is_active(net, flowtable))
7205 goto cont;
7206 if (idx < s_idx)
7207 goto cont;
7208 if (idx > s_idx)
7209 memset(&cb->args[1], 0,
7210 sizeof(cb->args) - sizeof(cb->args[0]));
7211 if (filter && filter->table &&
7212 strcmp(filter->table, table->name))
7213 goto cont;
7214
7215 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
7216 cb->nlh->nlmsg_seq,
7217 NFT_MSG_NEWFLOWTABLE,
7218 NLM_F_MULTI | NLM_F_APPEND,
7219 table->family,
7220 flowtable,
7221 &flowtable->hook_list) < 0)
7222 goto done;
7223
7224 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
7225 cont:
7226 idx++;
7227 }
7228 }
7229 done:
7230 rcu_read_unlock();
7231
7232 cb->args[0] = idx;
7233 return skb->len;
7234 }
7235
7236 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
7237 {
7238 const struct nlattr * const *nla = cb->data;
7239 struct nft_flowtable_filter *filter = NULL;
7240
7241 if (nla[NFTA_FLOWTABLE_TABLE]) {
7242 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
7243 if (!filter)
7244 return -ENOMEM;
7245
7246 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
7247 GFP_ATOMIC);
7248 if (!filter->table) {
7249 kfree(filter);
7250 return -ENOMEM;
7251 }
7252 }
7253
7254 cb->data = filter;
7255 return 0;
7256 }
7257
7258 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
7259 {
7260 struct nft_flowtable_filter *filter = cb->data;
7261
7262 if (!filter)
7263 return 0;
7264
7265 kfree(filter->table);
7266 kfree(filter);
7267
7268 return 0;
7269 }
7270
7271 /* called with rcu_read_lock held */
7272 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
7273 struct sk_buff *skb,
7274 const struct nlmsghdr *nlh,
7275 const struct nlattr * const nla[],
7276 struct netlink_ext_ack *extack)
7277 {
7278 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
7279 u8 genmask = nft_genmask_cur(net);
7280 int family = nfmsg->nfgen_family;
7281 struct nft_flowtable *flowtable;
7282 const struct nft_table *table;
7283 struct sk_buff *skb2;
7284 int err;
7285
7286 if (nlh->nlmsg_flags & NLM_F_DUMP) {
7287 struct netlink_dump_control c = {
7288 .start = nf_tables_dump_flowtable_start,
7289 .dump = nf_tables_dump_flowtable,
7290 .done = nf_tables_dump_flowtable_done,
7291 .module = THIS_MODULE,
7292 .data = (void *)nla,
7293 };
7294
7295 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
7296 }
7297
7298 if (!nla[NFTA_FLOWTABLE_NAME])
7299 return -EINVAL;
7300
7301 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
7302 genmask, 0);
7303 if (IS_ERR(table))
7304 return PTR_ERR(table);
7305
7306 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
7307 genmask);
7308 if (IS_ERR(flowtable))
7309 return PTR_ERR(flowtable);
7310
7311 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7312 if (!skb2)
7313 return -ENOMEM;
7314
7315 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
7316 nlh->nlmsg_seq,
7317 NFT_MSG_NEWFLOWTABLE, 0, family,
7318 flowtable, &flowtable->hook_list);
7319 if (err < 0)
7320 goto err_fill_flowtable_info;
7321
7322 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7323
7324 err_fill_flowtable_info:
7325 kfree_skb(skb2);
7326 return err;
7327 }
7328
7329 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
7330 struct nft_flowtable *flowtable,
7331 struct list_head *hook_list,
7332 int event)
7333 {
7334 struct sk_buff *skb;
7335 int err;
7336 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
7337 flowtable->table->name, flowtable->table->handle,
7338 flowtable->name, flowtable->handle);
7339
7340 audit_log_nfcfg(buf,
7341 ctx->family,
7342 flowtable->hooknum,
7343 event == NFT_MSG_NEWFLOWTABLE ?
7344 AUDIT_NFT_OP_FLOWTABLE_REGISTER :
7345 AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
7346 GFP_KERNEL);
7347 kfree(buf);
7348
7349 if (!ctx->report &&
7350 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
7351 return;
7352
7353 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
7354 if (skb == NULL)
7355 goto err;
7356
7357 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
7358 ctx->seq, event, 0,
7359 ctx->family, flowtable, hook_list);
7360 if (err < 0) {
7361 kfree_skb(skb);
7362 goto err;
7363 }
7364
7365 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
7366 return;
7367 err:
7368 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
7369 }
7370
7371 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
7372 {
7373 struct nft_hook *hook, *next;
7374
7375 flowtable->data.type->free(&flowtable->data);
7376 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7377 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
7378 FLOW_BLOCK_UNBIND);
7379 list_del_rcu(&hook->list);
7380 kfree(hook);
7381 }
7382 kfree(flowtable->name);
7383 module_put(flowtable->data.type->owner);
7384 kfree(flowtable);
7385 }
7386
7387 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
7388 u32 portid, u32 seq)
7389 {
7390 struct nlmsghdr *nlh;
7391 struct nfgenmsg *nfmsg;
7392 char buf[TASK_COMM_LEN];
7393 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
7394
7395 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
7396 if (nlh == NULL)
7397 goto nla_put_failure;
7398
7399 nfmsg = nlmsg_data(nlh);
7400 nfmsg->nfgen_family = AF_UNSPEC;
7401 nfmsg->version = NFNETLINK_V0;
7402 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
7403
7404 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
7405 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
7406 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
7407 goto nla_put_failure;
7408
7409 nlmsg_end(skb, nlh);
7410 return 0;
7411
7412 nla_put_failure:
7413 nlmsg_trim(skb, nlh);
7414 return -EMSGSIZE;
7415 }
7416
7417 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
7418 struct nft_flowtable *flowtable)
7419 {
7420 struct nft_hook *hook;
7421
7422 list_for_each_entry(hook, &flowtable->hook_list, list) {
7423 if (hook->ops.dev != dev)
7424 continue;
7425
7426 /* flow_offload_netdev_event() cleans up entries for us. */
7427 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
7428 list_del_rcu(&hook->list);
7429 kfree_rcu(hook, rcu);
7430 break;
7431 }
7432 }
7433
7434 static int nf_tables_flowtable_event(struct notifier_block *this,
7435 unsigned long event, void *ptr)
7436 {
7437 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
7438 struct nft_flowtable *flowtable;
7439 struct nft_table *table;
7440 struct net *net;
7441
7442 if (event != NETDEV_UNREGISTER)
7443 return 0;
7444
7445 net = dev_net(dev);
7446 mutex_lock(&net->nft.commit_mutex);
7447 list_for_each_entry(table, &net->nft.tables, list) {
7448 list_for_each_entry(flowtable, &table->flowtables, list) {
7449 nft_flowtable_event(event, dev, flowtable);
7450 }
7451 }
7452 mutex_unlock(&net->nft.commit_mutex);
7453
7454 return NOTIFY_DONE;
7455 }
7456
7457 static struct notifier_block nf_tables_flowtable_notifier = {
7458 .notifier_call = nf_tables_flowtable_event,
7459 };
7460
7461 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
7462 int event)
7463 {
7464 struct nlmsghdr *nlh = nlmsg_hdr(skb);
7465 struct sk_buff *skb2;
7466 int err;
7467
7468 audit_log_nfcfg("?:0;?:0", 0, net->nft.base_seq,
7469 AUDIT_NFT_OP_GEN_REGISTER, GFP_KERNEL);
7470
7471 if (!nlmsg_report(nlh) &&
7472 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
7473 return;
7474
7475 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
7476 if (skb2 == NULL)
7477 goto err;
7478
7479 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
7480 nlh->nlmsg_seq);
7481 if (err < 0) {
7482 kfree_skb(skb2);
7483 goto err;
7484 }
7485
7486 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
7487 nlmsg_report(nlh), GFP_KERNEL);
7488 return;
7489 err:
7490 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
7491 -ENOBUFS);
7492 }
7493
7494 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
7495 struct sk_buff *skb, const struct nlmsghdr *nlh,
7496 const struct nlattr * const nla[],
7497 struct netlink_ext_ack *extack)
7498 {
7499 struct sk_buff *skb2;
7500 int err;
7501
7502 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7503 if (skb2 == NULL)
7504 return -ENOMEM;
7505
7506 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
7507 nlh->nlmsg_seq);
7508 if (err < 0)
7509 goto err_fill_gen_info;
7510
7511 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7512
7513 err_fill_gen_info:
7514 kfree_skb(skb2);
7515 return err;
7516 }
7517
7518 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
7519 [NFT_MSG_NEWTABLE] = {
7520 .call_batch = nf_tables_newtable,
7521 .attr_count = NFTA_TABLE_MAX,
7522 .policy = nft_table_policy,
7523 },
7524 [NFT_MSG_GETTABLE] = {
7525 .call_rcu = nf_tables_gettable,
7526 .attr_count = NFTA_TABLE_MAX,
7527 .policy = nft_table_policy,
7528 },
7529 [NFT_MSG_DELTABLE] = {
7530 .call_batch = nf_tables_deltable,
7531 .attr_count = NFTA_TABLE_MAX,
7532 .policy = nft_table_policy,
7533 },
7534 [NFT_MSG_NEWCHAIN] = {
7535 .call_batch = nf_tables_newchain,
7536 .attr_count = NFTA_CHAIN_MAX,
7537 .policy = nft_chain_policy,
7538 },
7539 [NFT_MSG_GETCHAIN] = {
7540 .call_rcu = nf_tables_getchain,
7541 .attr_count = NFTA_CHAIN_MAX,
7542 .policy = nft_chain_policy,
7543 },
7544 [NFT_MSG_DELCHAIN] = {
7545 .call_batch = nf_tables_delchain,
7546 .attr_count = NFTA_CHAIN_MAX,
7547 .policy = nft_chain_policy,
7548 },
7549 [NFT_MSG_NEWRULE] = {
7550 .call_batch = nf_tables_newrule,
7551 .attr_count = NFTA_RULE_MAX,
7552 .policy = nft_rule_policy,
7553 },
7554 [NFT_MSG_GETRULE] = {
7555 .call_rcu = nf_tables_getrule,
7556 .attr_count = NFTA_RULE_MAX,
7557 .policy = nft_rule_policy,
7558 },
7559 [NFT_MSG_DELRULE] = {
7560 .call_batch = nf_tables_delrule,
7561 .attr_count = NFTA_RULE_MAX,
7562 .policy = nft_rule_policy,
7563 },
7564 [NFT_MSG_NEWSET] = {
7565 .call_batch = nf_tables_newset,
7566 .attr_count = NFTA_SET_MAX,
7567 .policy = nft_set_policy,
7568 },
7569 [NFT_MSG_GETSET] = {
7570 .call_rcu = nf_tables_getset,
7571 .attr_count = NFTA_SET_MAX,
7572 .policy = nft_set_policy,
7573 },
7574 [NFT_MSG_DELSET] = {
7575 .call_batch = nf_tables_delset,
7576 .attr_count = NFTA_SET_MAX,
7577 .policy = nft_set_policy,
7578 },
7579 [NFT_MSG_NEWSETELEM] = {
7580 .call_batch = nf_tables_newsetelem,
7581 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7582 .policy = nft_set_elem_list_policy,
7583 },
7584 [NFT_MSG_GETSETELEM] = {
7585 .call_rcu = nf_tables_getsetelem,
7586 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7587 .policy = nft_set_elem_list_policy,
7588 },
7589 [NFT_MSG_DELSETELEM] = {
7590 .call_batch = nf_tables_delsetelem,
7591 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7592 .policy = nft_set_elem_list_policy,
7593 },
7594 [NFT_MSG_GETGEN] = {
7595 .call_rcu = nf_tables_getgen,
7596 },
7597 [NFT_MSG_NEWOBJ] = {
7598 .call_batch = nf_tables_newobj,
7599 .attr_count = NFTA_OBJ_MAX,
7600 .policy = nft_obj_policy,
7601 },
7602 [NFT_MSG_GETOBJ] = {
7603 .call_rcu = nf_tables_getobj,
7604 .attr_count = NFTA_OBJ_MAX,
7605 .policy = nft_obj_policy,
7606 },
7607 [NFT_MSG_DELOBJ] = {
7608 .call_batch = nf_tables_delobj,
7609 .attr_count = NFTA_OBJ_MAX,
7610 .policy = nft_obj_policy,
7611 },
7612 [NFT_MSG_GETOBJ_RESET] = {
7613 .call_rcu = nf_tables_getobj,
7614 .attr_count = NFTA_OBJ_MAX,
7615 .policy = nft_obj_policy,
7616 },
7617 [NFT_MSG_NEWFLOWTABLE] = {
7618 .call_batch = nf_tables_newflowtable,
7619 .attr_count = NFTA_FLOWTABLE_MAX,
7620 .policy = nft_flowtable_policy,
7621 },
7622 [NFT_MSG_GETFLOWTABLE] = {
7623 .call_rcu = nf_tables_getflowtable,
7624 .attr_count = NFTA_FLOWTABLE_MAX,
7625 .policy = nft_flowtable_policy,
7626 },
7627 [NFT_MSG_DELFLOWTABLE] = {
7628 .call_batch = nf_tables_delflowtable,
7629 .attr_count = NFTA_FLOWTABLE_MAX,
7630 .policy = nft_flowtable_policy,
7631 },
7632 };
7633
7634 static int nf_tables_validate(struct net *net)
7635 {
7636 struct nft_table *table;
7637
7638 switch (net->nft.validate_state) {
7639 case NFT_VALIDATE_SKIP:
7640 break;
7641 case NFT_VALIDATE_NEED:
7642 nft_validate_state_update(net, NFT_VALIDATE_DO);
7643 fallthrough;
7644 case NFT_VALIDATE_DO:
7645 list_for_each_entry(table, &net->nft.tables, list) {
7646 if (nft_table_validate(net, table) < 0)
7647 return -EAGAIN;
7648 }
7649 break;
7650 }
7651
7652 return 0;
7653 }
7654
7655 /* a drop policy has to be deferred until all rules have been activated,
7656 * otherwise a large ruleset that contains a drop-policy base chain will
7657 * cause all packets to get dropped until the full transaction has been
7658 * processed.
7659 *
7660 * We defer the drop policy until the transaction has been finalized.
7661 */
7662 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
7663 {
7664 struct nft_base_chain *basechain;
7665
7666 if (nft_trans_chain_policy(trans) != NF_DROP)
7667 return;
7668
7669 if (!nft_is_base_chain(trans->ctx.chain))
7670 return;
7671
7672 basechain = nft_base_chain(trans->ctx.chain);
7673 basechain->policy = NF_DROP;
7674 }
7675
7676 static void nft_chain_commit_update(struct nft_trans *trans)
7677 {
7678 struct nft_base_chain *basechain;
7679
7680 if (nft_trans_chain_name(trans)) {
7681 rhltable_remove(&trans->ctx.table->chains_ht,
7682 &trans->ctx.chain->rhlhead,
7683 nft_chain_ht_params);
7684 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
7685 rhltable_insert_key(&trans->ctx.table->chains_ht,
7686 trans->ctx.chain->name,
7687 &trans->ctx.chain->rhlhead,
7688 nft_chain_ht_params);
7689 }
7690
7691 if (!nft_is_base_chain(trans->ctx.chain))
7692 return;
7693
7694 nft_chain_stats_replace(trans);
7695
7696 basechain = nft_base_chain(trans->ctx.chain);
7697
7698 switch (nft_trans_chain_policy(trans)) {
7699 case NF_DROP:
7700 case NF_ACCEPT:
7701 basechain->policy = nft_trans_chain_policy(trans);
7702 break;
7703 }
7704 }
7705
7706 static void nft_obj_commit_update(struct nft_trans *trans)
7707 {
7708 struct nft_object *newobj;
7709 struct nft_object *obj;
7710
7711 obj = nft_trans_obj(trans);
7712 newobj = nft_trans_obj_newobj(trans);
7713
7714 if (obj->ops->update)
7715 obj->ops->update(obj, newobj);
7716
7717 kfree(newobj);
7718 }
7719
7720 static void nft_commit_release(struct nft_trans *trans)
7721 {
7722 switch (trans->msg_type) {
7723 case NFT_MSG_DELTABLE:
7724 nf_tables_table_destroy(&trans->ctx);
7725 break;
7726 case NFT_MSG_NEWCHAIN:
7727 free_percpu(nft_trans_chain_stats(trans));
7728 kfree(nft_trans_chain_name(trans));
7729 break;
7730 case NFT_MSG_DELCHAIN:
7731 nf_tables_chain_destroy(&trans->ctx);
7732 break;
7733 case NFT_MSG_DELRULE:
7734 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
7735 break;
7736 case NFT_MSG_DELSET:
7737 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
7738 break;
7739 case NFT_MSG_DELSETELEM:
7740 nf_tables_set_elem_destroy(&trans->ctx,
7741 nft_trans_elem_set(trans),
7742 nft_trans_elem(trans).priv);
7743 break;
7744 case NFT_MSG_DELOBJ:
7745 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
7746 break;
7747 case NFT_MSG_DELFLOWTABLE:
7748 if (nft_trans_flowtable_update(trans))
7749 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
7750 else
7751 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
7752 break;
7753 }
7754
7755 if (trans->put_net)
7756 put_net(trans->ctx.net);
7757
7758 kfree(trans);
7759 }
7760
7761 static void nf_tables_trans_destroy_work(struct work_struct *w)
7762 {
7763 struct nft_trans *trans, *next;
7764 LIST_HEAD(head);
7765
7766 spin_lock(&nf_tables_destroy_list_lock);
7767 list_splice_init(&nf_tables_destroy_list, &head);
7768 spin_unlock(&nf_tables_destroy_list_lock);
7769
7770 if (list_empty(&head))
7771 return;
7772
7773 synchronize_rcu();
7774
7775 list_for_each_entry_safe(trans, next, &head, list) {
7776 list_del(&trans->list);
7777 nft_commit_release(trans);
7778 }
7779 }
7780
7781 void nf_tables_trans_destroy_flush_work(void)
7782 {
7783 flush_work(&trans_destroy_work);
7784 }
7785 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
7786
7787 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
7788 {
7789 struct nft_rule *rule;
7790 unsigned int alloc = 0;
7791 int i;
7792
7793 /* already handled or inactive chain? */
7794 if (chain->rules_next || !nft_is_active_next(net, chain))
7795 return 0;
7796
7797 rule = list_entry(&chain->rules, struct nft_rule, list);
7798 i = 0;
7799
7800 list_for_each_entry_continue(rule, &chain->rules, list) {
7801 if (nft_is_active_next(net, rule))
7802 alloc++;
7803 }
7804
7805 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
7806 if (!chain->rules_next)
7807 return -ENOMEM;
7808
7809 list_for_each_entry_continue(rule, &chain->rules, list) {
7810 if (nft_is_active_next(net, rule))
7811 chain->rules_next[i++] = rule;
7812 }
7813
7814 chain->rules_next[i] = NULL;
7815 return 0;
7816 }
7817
7818 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
7819 {
7820 struct nft_trans *trans, *next;
7821
7822 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7823 struct nft_chain *chain = trans->ctx.chain;
7824
7825 if (trans->msg_type == NFT_MSG_NEWRULE ||
7826 trans->msg_type == NFT_MSG_DELRULE) {
7827 kvfree(chain->rules_next);
7828 chain->rules_next = NULL;
7829 }
7830 }
7831 }
7832
7833 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
7834 {
7835 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
7836
7837 kvfree(o->start);
7838 }
7839
7840 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
7841 {
7842 struct nft_rule **r = rules;
7843 struct nft_rules_old *old;
7844
7845 while (*r)
7846 r++;
7847
7848 r++; /* rcu_head is after end marker */
7849 old = (void *) r;
7850 old->start = rules;
7851
7852 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
7853 }
7854
7855 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
7856 {
7857 struct nft_rule **g0, **g1;
7858 bool next_genbit;
7859
7860 next_genbit = nft_gencursor_next(net);
7861
7862 g0 = rcu_dereference_protected(chain->rules_gen_0,
7863 lockdep_commit_lock_is_held(net));
7864 g1 = rcu_dereference_protected(chain->rules_gen_1,
7865 lockdep_commit_lock_is_held(net));
7866
7867 /* No changes to this chain? */
7868 if (chain->rules_next == NULL) {
7869 /* chain had no change in last or next generation */
7870 if (g0 == g1)
7871 return;
7872 /*
7873 * chain had no change in this generation; make sure next
7874 * one uses same rules as current generation.
7875 */
7876 if (next_genbit) {
7877 rcu_assign_pointer(chain->rules_gen_1, g0);
7878 nf_tables_commit_chain_free_rules_old(g1);
7879 } else {
7880 rcu_assign_pointer(chain->rules_gen_0, g1);
7881 nf_tables_commit_chain_free_rules_old(g0);
7882 }
7883
7884 return;
7885 }
7886
7887 if (next_genbit)
7888 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
7889 else
7890 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
7891
7892 chain->rules_next = NULL;
7893
7894 if (g0 == g1)
7895 return;
7896
7897 if (next_genbit)
7898 nf_tables_commit_chain_free_rules_old(g1);
7899 else
7900 nf_tables_commit_chain_free_rules_old(g0);
7901 }
7902
7903 static void nft_obj_del(struct nft_object *obj)
7904 {
7905 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
7906 list_del_rcu(&obj->list);
7907 }
7908
7909 void nft_chain_del(struct nft_chain *chain)
7910 {
7911 struct nft_table *table = chain->table;
7912
7913 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
7914 nft_chain_ht_params));
7915 list_del_rcu(&chain->list);
7916 }
7917
7918 static void nft_flowtable_hooks_del(struct nft_flowtable *flowtable,
7919 struct list_head *hook_list)
7920 {
7921 struct nft_hook *hook, *next;
7922
7923 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7924 if (hook->inactive)
7925 list_move(&hook->list, hook_list);
7926 }
7927 }
7928
7929 static void nf_tables_module_autoload_cleanup(struct net *net)
7930 {
7931 struct nft_module_request *req, *next;
7932
7933 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
7934 list_for_each_entry_safe(req, next, &net->nft.module_list, list) {
7935 WARN_ON_ONCE(!req->done);
7936 list_del(&req->list);
7937 kfree(req);
7938 }
7939 }
7940
7941 static void nf_tables_commit_release(struct net *net)
7942 {
7943 struct nft_trans *trans;
7944
7945 /* all side effects have to be made visible.
7946 * For example, if a chain named 'foo' has been deleted, a
7947 * new transaction must not find it anymore.
7948 *
7949 * Memory reclaim happens asynchronously from work queue
7950 * to prevent expensive synchronize_rcu() in commit phase.
7951 */
7952 if (list_empty(&net->nft.commit_list)) {
7953 nf_tables_module_autoload_cleanup(net);
7954 mutex_unlock(&net->nft.commit_mutex);
7955 return;
7956 }
7957
7958 trans = list_last_entry(&net->nft.commit_list,
7959 struct nft_trans, list);
7960 get_net(trans->ctx.net);
7961 WARN_ON_ONCE(trans->put_net);
7962
7963 trans->put_net = true;
7964 spin_lock(&nf_tables_destroy_list_lock);
7965 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
7966 spin_unlock(&nf_tables_destroy_list_lock);
7967
7968 nf_tables_module_autoload_cleanup(net);
7969 schedule_work(&trans_destroy_work);
7970
7971 mutex_unlock(&net->nft.commit_mutex);
7972 }
7973
7974 static void nft_commit_notify(struct net *net, u32 portid)
7975 {
7976 struct sk_buff *batch_skb = NULL, *nskb, *skb;
7977 unsigned char *data;
7978 int len;
7979
7980 list_for_each_entry_safe(skb, nskb, &net->nft.notify_list, list) {
7981 if (!batch_skb) {
7982 new_batch:
7983 batch_skb = skb;
7984 len = NLMSG_GOODSIZE - skb->len;
7985 list_del(&skb->list);
7986 continue;
7987 }
7988 len -= skb->len;
7989 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
7990 data = skb_put(batch_skb, skb->len);
7991 memcpy(data, skb->data, skb->len);
7992 list_del(&skb->list);
7993 kfree_skb(skb);
7994 continue;
7995 }
7996 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
7997 NFT_CB(batch_skb).report, GFP_KERNEL);
7998 goto new_batch;
7999 }
8000
8001 if (batch_skb) {
8002 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
8003 NFT_CB(batch_skb).report, GFP_KERNEL);
8004 }
8005
8006 WARN_ON_ONCE(!list_empty(&net->nft.notify_list));
8007 }
8008
8009 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
8010 {
8011 struct nft_trans *trans, *next;
8012 struct nft_trans_elem *te;
8013 struct nft_chain *chain;
8014 struct nft_table *table;
8015 int err;
8016
8017 if (list_empty(&net->nft.commit_list)) {
8018 mutex_unlock(&net->nft.commit_mutex);
8019 return 0;
8020 }
8021
8022 /* 0. Validate ruleset, otherwise roll back for error reporting. */
8023 if (nf_tables_validate(net) < 0)
8024 return -EAGAIN;
8025
8026 err = nft_flow_rule_offload_commit(net);
8027 if (err < 0)
8028 return err;
8029
8030 /* 1. Allocate space for next generation rules_gen_X[] */
8031 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
8032 int ret;
8033
8034 if (trans->msg_type == NFT_MSG_NEWRULE ||
8035 trans->msg_type == NFT_MSG_DELRULE) {
8036 chain = trans->ctx.chain;
8037
8038 ret = nf_tables_commit_chain_prepare(net, chain);
8039 if (ret < 0) {
8040 nf_tables_commit_chain_prepare_cancel(net);
8041 return ret;
8042 }
8043 }
8044 }
8045
8046 /* step 2. Make rules_gen_X visible to packet path */
8047 list_for_each_entry(table, &net->nft.tables, list) {
8048 list_for_each_entry(chain, &table->chains, list)
8049 nf_tables_commit_chain(net, chain);
8050 }
8051
8052 /*
8053 * Bump generation counter, invalidate any dump in progress.
8054 * Cannot fail after this point.
8055 */
8056 while (++net->nft.base_seq == 0);
8057
8058 /* step 3. Start new generation, rules_gen_X now in use. */
8059 net->nft.gencursor = nft_gencursor_next(net);
8060
8061 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
8062 switch (trans->msg_type) {
8063 case NFT_MSG_NEWTABLE:
8064 if (nft_trans_table_update(trans)) {
8065 if (!nft_trans_table_enable(trans)) {
8066 nf_tables_table_disable(net,
8067 trans->ctx.table);
8068 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
8069 }
8070 } else {
8071 nft_clear(net, trans->ctx.table);
8072 }
8073 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
8074 nft_trans_destroy(trans);
8075 break;
8076 case NFT_MSG_DELTABLE:
8077 list_del_rcu(&trans->ctx.table->list);
8078 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
8079 break;
8080 case NFT_MSG_NEWCHAIN:
8081 if (nft_trans_chain_update(trans)) {
8082 nft_chain_commit_update(trans);
8083 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
8084 /* trans destroyed after rcu grace period */
8085 } else {
8086 nft_chain_commit_drop_policy(trans);
8087 nft_clear(net, trans->ctx.chain);
8088 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
8089 nft_trans_destroy(trans);
8090 }
8091 break;
8092 case NFT_MSG_DELCHAIN:
8093 nft_chain_del(trans->ctx.chain);
8094 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
8095 nf_tables_unregister_hook(trans->ctx.net,
8096 trans->ctx.table,
8097 trans->ctx.chain);
8098 break;
8099 case NFT_MSG_NEWRULE:
8100 nft_clear(trans->ctx.net, nft_trans_rule(trans));
8101 nf_tables_rule_notify(&trans->ctx,
8102 nft_trans_rule(trans),
8103 NFT_MSG_NEWRULE);
8104 nft_trans_destroy(trans);
8105 break;
8106 case NFT_MSG_DELRULE:
8107 list_del_rcu(&nft_trans_rule(trans)->list);
8108 nf_tables_rule_notify(&trans->ctx,
8109 nft_trans_rule(trans),
8110 NFT_MSG_DELRULE);
8111 nft_rule_expr_deactivate(&trans->ctx,
8112 nft_trans_rule(trans),
8113 NFT_TRANS_COMMIT);
8114 break;
8115 case NFT_MSG_NEWSET:
8116 nft_clear(net, nft_trans_set(trans));
8117 /* This avoids hitting -EBUSY when deleting the table
8118 * from the transaction.
8119 */
8120 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
8121 !list_empty(&nft_trans_set(trans)->bindings))
8122 trans->ctx.table->use--;
8123
8124 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
8125 NFT_MSG_NEWSET, GFP_KERNEL);
8126 nft_trans_destroy(trans);
8127 break;
8128 case NFT_MSG_DELSET:
8129 list_del_rcu(&nft_trans_set(trans)->list);
8130 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
8131 NFT_MSG_DELSET, GFP_KERNEL);
8132 break;
8133 case NFT_MSG_NEWSETELEM:
8134 te = (struct nft_trans_elem *)trans->data;
8135
8136 te->set->ops->activate(net, te->set, &te->elem);
8137 nf_tables_setelem_notify(&trans->ctx, te->set,
8138 &te->elem,
8139 NFT_MSG_NEWSETELEM, 0);
8140 nft_trans_destroy(trans);
8141 break;
8142 case NFT_MSG_DELSETELEM:
8143 te = (struct nft_trans_elem *)trans->data;
8144
8145 nf_tables_setelem_notify(&trans->ctx, te->set,
8146 &te->elem,
8147 NFT_MSG_DELSETELEM, 0);
8148 te->set->ops->remove(net, te->set, &te->elem);
8149 atomic_dec(&te->set->nelems);
8150 te->set->ndeact--;
8151 break;
8152 case NFT_MSG_NEWOBJ:
8153 if (nft_trans_obj_update(trans)) {
8154 nft_obj_commit_update(trans);
8155 nf_tables_obj_notify(&trans->ctx,
8156 nft_trans_obj(trans),
8157 NFT_MSG_NEWOBJ);
8158 } else {
8159 nft_clear(net, nft_trans_obj(trans));
8160 nf_tables_obj_notify(&trans->ctx,
8161 nft_trans_obj(trans),
8162 NFT_MSG_NEWOBJ);
8163 nft_trans_destroy(trans);
8164 }
8165 break;
8166 case NFT_MSG_DELOBJ:
8167 nft_obj_del(nft_trans_obj(trans));
8168 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
8169 NFT_MSG_DELOBJ);
8170 break;
8171 case NFT_MSG_NEWFLOWTABLE:
8172 if (nft_trans_flowtable_update(trans)) {
8173 nf_tables_flowtable_notify(&trans->ctx,
8174 nft_trans_flowtable(trans),
8175 &nft_trans_flowtable_hooks(trans),
8176 NFT_MSG_NEWFLOWTABLE);
8177 list_splice(&nft_trans_flowtable_hooks(trans),
8178 &nft_trans_flowtable(trans)->hook_list);
8179 } else {
8180 nft_clear(net, nft_trans_flowtable(trans));
8181 nf_tables_flowtable_notify(&trans->ctx,
8182 nft_trans_flowtable(trans),
8183 &nft_trans_flowtable(trans)->hook_list,
8184 NFT_MSG_NEWFLOWTABLE);
8185 }
8186 nft_trans_destroy(trans);
8187 break;
8188 case NFT_MSG_DELFLOWTABLE:
8189 if (nft_trans_flowtable_update(trans)) {
8190 nft_flowtable_hooks_del(nft_trans_flowtable(trans),
8191 &nft_trans_flowtable_hooks(trans));
8192 nf_tables_flowtable_notify(&trans->ctx,
8193 nft_trans_flowtable(trans),
8194 &nft_trans_flowtable_hooks(trans),
8195 NFT_MSG_DELFLOWTABLE);
8196 nft_unregister_flowtable_net_hooks(net,
8197 &nft_trans_flowtable_hooks(trans));
8198 } else {
8199 list_del_rcu(&nft_trans_flowtable(trans)->list);
8200 nf_tables_flowtable_notify(&trans->ctx,
8201 nft_trans_flowtable(trans),
8202 &nft_trans_flowtable(trans)->hook_list,
8203 NFT_MSG_DELFLOWTABLE);
8204 nft_unregister_flowtable_net_hooks(net,
8205 &nft_trans_flowtable(trans)->hook_list);
8206 }
8207 break;
8208 }
8209 }
8210
8211 nft_commit_notify(net, NETLINK_CB(skb).portid);
8212 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
8213 nf_tables_commit_release(net);
8214
8215 return 0;
8216 }
8217
8218 static void nf_tables_module_autoload(struct net *net)
8219 {
8220 struct nft_module_request *req, *next;
8221 LIST_HEAD(module_list);
8222
8223 list_splice_init(&net->nft.module_list, &module_list);
8224 mutex_unlock(&net->nft.commit_mutex);
8225 list_for_each_entry_safe(req, next, &module_list, list) {
8226 request_module("%s", req->module);
8227 req->done = true;
8228 }
8229 mutex_lock(&net->nft.commit_mutex);
8230 list_splice(&module_list, &net->nft.module_list);
8231 }
8232
8233 static void nf_tables_abort_release(struct nft_trans *trans)
8234 {
8235 switch (trans->msg_type) {
8236 case NFT_MSG_NEWTABLE:
8237 nf_tables_table_destroy(&trans->ctx);
8238 break;
8239 case NFT_MSG_NEWCHAIN:
8240 nf_tables_chain_destroy(&trans->ctx);
8241 break;
8242 case NFT_MSG_NEWRULE:
8243 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
8244 break;
8245 case NFT_MSG_NEWSET:
8246 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
8247 break;
8248 case NFT_MSG_NEWSETELEM:
8249 nft_set_elem_destroy(nft_trans_elem_set(trans),
8250 nft_trans_elem(trans).priv, true);
8251 break;
8252 case NFT_MSG_NEWOBJ:
8253 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
8254 break;
8255 case NFT_MSG_NEWFLOWTABLE:
8256 if (nft_trans_flowtable_update(trans))
8257 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
8258 else
8259 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
8260 break;
8261 }
8262 kfree(trans);
8263 }
8264
8265 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
8266 {
8267 struct nft_trans *trans, *next;
8268 struct nft_trans_elem *te;
8269 struct nft_hook *hook;
8270
8271 if (action == NFNL_ABORT_VALIDATE &&
8272 nf_tables_validate(net) < 0)
8273 return -EAGAIN;
8274
8275 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
8276 list) {
8277 switch (trans->msg_type) {
8278 case NFT_MSG_NEWTABLE:
8279 if (nft_trans_table_update(trans)) {
8280 if (nft_trans_table_enable(trans)) {
8281 nf_tables_table_disable(net,
8282 trans->ctx.table);
8283 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
8284 }
8285 nft_trans_destroy(trans);
8286 } else {
8287 list_del_rcu(&trans->ctx.table->list);
8288 }
8289 break;
8290 case NFT_MSG_DELTABLE:
8291 nft_clear(trans->ctx.net, trans->ctx.table);
8292 nft_trans_destroy(trans);
8293 break;
8294 case NFT_MSG_NEWCHAIN:
8295 if (nft_trans_chain_update(trans)) {
8296 free_percpu(nft_trans_chain_stats(trans));
8297 kfree(nft_trans_chain_name(trans));
8298 nft_trans_destroy(trans);
8299 } else {
8300 if (nft_chain_is_bound(trans->ctx.chain)) {
8301 nft_trans_destroy(trans);
8302 break;
8303 }
8304 trans->ctx.table->use--;
8305 nft_chain_del(trans->ctx.chain);
8306 nf_tables_unregister_hook(trans->ctx.net,
8307 trans->ctx.table,
8308 trans->ctx.chain);
8309 }
8310 break;
8311 case NFT_MSG_DELCHAIN:
8312 trans->ctx.table->use++;
8313 nft_clear(trans->ctx.net, trans->ctx.chain);
8314 nft_trans_destroy(trans);
8315 break;
8316 case NFT_MSG_NEWRULE:
8317 trans->ctx.chain->use--;
8318 list_del_rcu(&nft_trans_rule(trans)->list);
8319 nft_rule_expr_deactivate(&trans->ctx,
8320 nft_trans_rule(trans),
8321 NFT_TRANS_ABORT);
8322 break;
8323 case NFT_MSG_DELRULE:
8324 trans->ctx.chain->use++;
8325 nft_clear(trans->ctx.net, nft_trans_rule(trans));
8326 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
8327 nft_trans_destroy(trans);
8328 break;
8329 case NFT_MSG_NEWSET:
8330 trans->ctx.table->use--;
8331 if (nft_trans_set_bound(trans)) {
8332 nft_trans_destroy(trans);
8333 break;
8334 }
8335 list_del_rcu(&nft_trans_set(trans)->list);
8336 break;
8337 case NFT_MSG_DELSET:
8338 trans->ctx.table->use++;
8339 nft_clear(trans->ctx.net, nft_trans_set(trans));
8340 nft_trans_destroy(trans);
8341 break;
8342 case NFT_MSG_NEWSETELEM:
8343 if (nft_trans_elem_set_bound(trans)) {
8344 nft_trans_destroy(trans);
8345 break;
8346 }
8347 te = (struct nft_trans_elem *)trans->data;
8348 te->set->ops->remove(net, te->set, &te->elem);
8349 atomic_dec(&te->set->nelems);
8350 break;
8351 case NFT_MSG_DELSETELEM:
8352 te = (struct nft_trans_elem *)trans->data;
8353
8354 nft_set_elem_activate(net, te->set, &te->elem);
8355 te->set->ops->activate(net, te->set, &te->elem);
8356 te->set->ndeact--;
8357
8358 nft_trans_destroy(trans);
8359 break;
8360 case NFT_MSG_NEWOBJ:
8361 if (nft_trans_obj_update(trans)) {
8362 kfree(nft_trans_obj_newobj(trans));
8363 nft_trans_destroy(trans);
8364 } else {
8365 trans->ctx.table->use--;
8366 nft_obj_del(nft_trans_obj(trans));
8367 }
8368 break;
8369 case NFT_MSG_DELOBJ:
8370 trans->ctx.table->use++;
8371 nft_clear(trans->ctx.net, nft_trans_obj(trans));
8372 nft_trans_destroy(trans);
8373 break;
8374 case NFT_MSG_NEWFLOWTABLE:
8375 if (nft_trans_flowtable_update(trans)) {
8376 nft_unregister_flowtable_net_hooks(net,
8377 &nft_trans_flowtable_hooks(trans));
8378 } else {
8379 trans->ctx.table->use--;
8380 list_del_rcu(&nft_trans_flowtable(trans)->list);
8381 nft_unregister_flowtable_net_hooks(net,
8382 &nft_trans_flowtable(trans)->hook_list);
8383 }
8384 break;
8385 case NFT_MSG_DELFLOWTABLE:
8386 if (nft_trans_flowtable_update(trans)) {
8387 list_for_each_entry(hook, &nft_trans_flowtable(trans)->hook_list, list)
8388 hook->inactive = false;
8389 } else {
8390 trans->ctx.table->use++;
8391 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
8392 }
8393 nft_trans_destroy(trans);
8394 break;
8395 }
8396 }
8397
8398 synchronize_rcu();
8399
8400 list_for_each_entry_safe_reverse(trans, next,
8401 &net->nft.commit_list, list) {
8402 list_del(&trans->list);
8403 nf_tables_abort_release(trans);
8404 }
8405
8406 if (action == NFNL_ABORT_AUTOLOAD)
8407 nf_tables_module_autoload(net);
8408 else
8409 nf_tables_module_autoload_cleanup(net);
8410
8411 return 0;
8412 }
8413
8414 static void nf_tables_cleanup(struct net *net)
8415 {
8416 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
8417 }
8418
8419 static int nf_tables_abort(struct net *net, struct sk_buff *skb,
8420 enum nfnl_abort_action action)
8421 {
8422 int ret = __nf_tables_abort(net, action);
8423
8424 mutex_unlock(&net->nft.commit_mutex);
8425
8426 return ret;
8427 }
8428
8429 static bool nf_tables_valid_genid(struct net *net, u32 genid)
8430 {
8431 bool genid_ok;
8432
8433 mutex_lock(&net->nft.commit_mutex);
8434
8435 genid_ok = genid == 0 || net->nft.base_seq == genid;
8436 if (!genid_ok)
8437 mutex_unlock(&net->nft.commit_mutex);
8438
8439 /* else, commit mutex has to be released by commit or abort function */
8440 return genid_ok;
8441 }
8442
8443 static const struct nfnetlink_subsystem nf_tables_subsys = {
8444 .name = "nf_tables",
8445 .subsys_id = NFNL_SUBSYS_NFTABLES,
8446 .cb_count = NFT_MSG_MAX,
8447 .cb = nf_tables_cb,
8448 .commit = nf_tables_commit,
8449 .abort = nf_tables_abort,
8450 .cleanup = nf_tables_cleanup,
8451 .valid_genid = nf_tables_valid_genid,
8452 .owner = THIS_MODULE,
8453 };
8454
8455 int nft_chain_validate_dependency(const struct nft_chain *chain,
8456 enum nft_chain_types type)
8457 {
8458 const struct nft_base_chain *basechain;
8459
8460 if (nft_is_base_chain(chain)) {
8461 basechain = nft_base_chain(chain);
8462 if (basechain->type->type != type)
8463 return -EOPNOTSUPP;
8464 }
8465 return 0;
8466 }
8467 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
8468
8469 int nft_chain_validate_hooks(const struct nft_chain *chain,
8470 unsigned int hook_flags)
8471 {
8472 struct nft_base_chain *basechain;
8473
8474 if (nft_is_base_chain(chain)) {
8475 basechain = nft_base_chain(chain);
8476
8477 if ((1 << basechain->ops.hooknum) & hook_flags)
8478 return 0;
8479
8480 return -EOPNOTSUPP;
8481 }
8482
8483 return 0;
8484 }
8485 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
8486
8487 /*
8488 * Loop detection - walk through the ruleset beginning at the destination chain
8489 * of a new jump until either the source chain is reached (loop) or all
8490 * reachable chains have been traversed.
8491 *
8492 * The loop check is performed whenever a new jump verdict is added to an
8493 * expression or verdict map or a verdict map is bound to a new chain.
8494 */
8495
8496 static int nf_tables_check_loops(const struct nft_ctx *ctx,
8497 const struct nft_chain *chain);
8498
8499 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
8500 struct nft_set *set,
8501 const struct nft_set_iter *iter,
8502 struct nft_set_elem *elem)
8503 {
8504 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
8505 const struct nft_data *data;
8506
8507 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
8508 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
8509 return 0;
8510
8511 data = nft_set_ext_data(ext);
8512 switch (data->verdict.code) {
8513 case NFT_JUMP:
8514 case NFT_GOTO:
8515 return nf_tables_check_loops(ctx, data->verdict.chain);
8516 default:
8517 return 0;
8518 }
8519 }
8520
8521 static int nf_tables_check_loops(const struct nft_ctx *ctx,
8522 const struct nft_chain *chain)
8523 {
8524 const struct nft_rule *rule;
8525 const struct nft_expr *expr, *last;
8526 struct nft_set *set;
8527 struct nft_set_binding *binding;
8528 struct nft_set_iter iter;
8529
8530 if (ctx->chain == chain)
8531 return -ELOOP;
8532
8533 list_for_each_entry(rule, &chain->rules, list) {
8534 nft_rule_for_each_expr(expr, last, rule) {
8535 struct nft_immediate_expr *priv;
8536 const struct nft_data *data;
8537 int err;
8538
8539 if (strcmp(expr->ops->type->name, "immediate"))
8540 continue;
8541
8542 priv = nft_expr_priv(expr);
8543 if (priv->dreg != NFT_REG_VERDICT)
8544 continue;
8545
8546 data = &priv->data;
8547 switch (data->verdict.code) {
8548 case NFT_JUMP:
8549 case NFT_GOTO:
8550 err = nf_tables_check_loops(ctx,
8551 data->verdict.chain);
8552 if (err < 0)
8553 return err;
8554 default:
8555 break;
8556 }
8557 }
8558 }
8559
8560 list_for_each_entry(set, &ctx->table->sets, list) {
8561 if (!nft_is_active_next(ctx->net, set))
8562 continue;
8563 if (!(set->flags & NFT_SET_MAP) ||
8564 set->dtype != NFT_DATA_VERDICT)
8565 continue;
8566
8567 list_for_each_entry(binding, &set->bindings, list) {
8568 if (!(binding->flags & NFT_SET_MAP) ||
8569 binding->chain != chain)
8570 continue;
8571
8572 iter.genmask = nft_genmask_next(ctx->net);
8573 iter.skip = 0;
8574 iter.count = 0;
8575 iter.err = 0;
8576 iter.fn = nf_tables_loop_check_setelem;
8577
8578 set->ops->walk(ctx, set, &iter);
8579 if (iter.err < 0)
8580 return iter.err;
8581 }
8582 }
8583
8584 return 0;
8585 }
8586
8587 /**
8588 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
8589 *
8590 * @attr: netlink attribute to fetch value from
8591 * @max: maximum value to be stored in dest
8592 * @dest: pointer to the variable
8593 *
8594 * Parse, check and store a given u32 netlink attribute into variable.
8595 * This function returns -ERANGE if the value goes over maximum value.
8596 * Otherwise a 0 is returned and the attribute value is stored in the
8597 * destination variable.
8598 */
8599 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
8600 {
8601 u32 val;
8602
8603 val = ntohl(nla_get_be32(attr));
8604 if (val > max)
8605 return -ERANGE;
8606
8607 *dest = val;
8608 return 0;
8609 }
8610 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
8611
8612 /**
8613 * nft_parse_register - parse a register value from a netlink attribute
8614 *
8615 * @attr: netlink attribute
8616 *
8617 * Parse and translate a register value from a netlink attribute.
8618 * Registers used to be 128 bit wide, these register numbers will be
8619 * mapped to the corresponding 32 bit register numbers.
8620 */
8621 static unsigned int nft_parse_register(const struct nlattr *attr)
8622 {
8623 unsigned int reg;
8624
8625 reg = ntohl(nla_get_be32(attr));
8626 switch (reg) {
8627 case NFT_REG_VERDICT...NFT_REG_4:
8628 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
8629 default:
8630 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
8631 }
8632 }
8633
8634 /**
8635 * nft_dump_register - dump a register value to a netlink attribute
8636 *
8637 * @skb: socket buffer
8638 * @attr: attribute number
8639 * @reg: register number
8640 *
8641 * Construct a netlink attribute containing the register number. For
8642 * compatibility reasons, register numbers being a multiple of 4 are
8643 * translated to the corresponding 128 bit register numbers.
8644 */
8645 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
8646 {
8647 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
8648 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
8649 else
8650 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
8651
8652 return nla_put_be32(skb, attr, htonl(reg));
8653 }
8654 EXPORT_SYMBOL_GPL(nft_dump_register);
8655
8656 /**
8657 * nft_validate_register_load - validate a load from a register
8658 *
8659 * @reg: the register number
8660 * @len: the length of the data
8661 *
8662 * Validate that the input register is one of the general purpose
8663 * registers and that the length of the load is within the bounds.
8664 */
8665 static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
8666 {
8667 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
8668 return -EINVAL;
8669 if (len == 0)
8670 return -EINVAL;
8671 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
8672 return -ERANGE;
8673
8674 return 0;
8675 }
8676
8677 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
8678 {
8679 u32 reg;
8680 int err;
8681
8682 reg = nft_parse_register(attr);
8683 err = nft_validate_register_load(reg, len);
8684 if (err < 0)
8685 return err;
8686
8687 *sreg = reg;
8688 return 0;
8689 }
8690 EXPORT_SYMBOL_GPL(nft_parse_register_load);
8691
8692 /**
8693 * nft_validate_register_store - validate an expressions' register store
8694 *
8695 * @ctx: context of the expression performing the load
8696 * @reg: the destination register number
8697 * @data: the data to load
8698 * @type: the data type
8699 * @len: the length of the data
8700 *
8701 * Validate that a data load uses the appropriate data type for
8702 * the destination register and the length is within the bounds.
8703 * A value of NULL for the data means that its runtime gathered
8704 * data.
8705 */
8706 static int nft_validate_register_store(const struct nft_ctx *ctx,
8707 enum nft_registers reg,
8708 const struct nft_data *data,
8709 enum nft_data_types type,
8710 unsigned int len)
8711 {
8712 int err;
8713
8714 switch (reg) {
8715 case NFT_REG_VERDICT:
8716 if (type != NFT_DATA_VERDICT)
8717 return -EINVAL;
8718
8719 if (data != NULL &&
8720 (data->verdict.code == NFT_GOTO ||
8721 data->verdict.code == NFT_JUMP)) {
8722 err = nf_tables_check_loops(ctx, data->verdict.chain);
8723 if (err < 0)
8724 return err;
8725 }
8726
8727 return 0;
8728 default:
8729 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
8730 return -EINVAL;
8731 if (len == 0)
8732 return -EINVAL;
8733 if (reg * NFT_REG32_SIZE + len >
8734 sizeof_field(struct nft_regs, data))
8735 return -ERANGE;
8736
8737 if (data != NULL && type != NFT_DATA_VALUE)
8738 return -EINVAL;
8739 return 0;
8740 }
8741 }
8742
8743 int nft_parse_register_store(const struct nft_ctx *ctx,
8744 const struct nlattr *attr, u8 *dreg,
8745 const struct nft_data *data,
8746 enum nft_data_types type, unsigned int len)
8747 {
8748 int err;
8749 u32 reg;
8750
8751 reg = nft_parse_register(attr);
8752 err = nft_validate_register_store(ctx, reg, data, type, len);
8753 if (err < 0)
8754 return err;
8755
8756 *dreg = reg;
8757 return 0;
8758 }
8759 EXPORT_SYMBOL_GPL(nft_parse_register_store);
8760
8761 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
8762 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
8763 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
8764 .len = NFT_CHAIN_MAXNAMELEN - 1 },
8765 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
8766 };
8767
8768 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
8769 struct nft_data_desc *desc, const struct nlattr *nla)
8770 {
8771 u8 genmask = nft_genmask_next(ctx->net);
8772 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
8773 struct nft_chain *chain;
8774 int err;
8775
8776 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
8777 nft_verdict_policy, NULL);
8778 if (err < 0)
8779 return err;
8780
8781 if (!tb[NFTA_VERDICT_CODE])
8782 return -EINVAL;
8783 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
8784
8785 switch (data->verdict.code) {
8786 default:
8787 switch (data->verdict.code & NF_VERDICT_MASK) {
8788 case NF_ACCEPT:
8789 case NF_DROP:
8790 case NF_QUEUE:
8791 break;
8792 default:
8793 return -EINVAL;
8794 }
8795 fallthrough;
8796 case NFT_CONTINUE:
8797 case NFT_BREAK:
8798 case NFT_RETURN:
8799 break;
8800 case NFT_JUMP:
8801 case NFT_GOTO:
8802 if (tb[NFTA_VERDICT_CHAIN]) {
8803 chain = nft_chain_lookup(ctx->net, ctx->table,
8804 tb[NFTA_VERDICT_CHAIN],
8805 genmask);
8806 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
8807 chain = nft_chain_lookup_byid(ctx->net,
8808 tb[NFTA_VERDICT_CHAIN_ID]);
8809 if (IS_ERR(chain))
8810 return PTR_ERR(chain);
8811 } else {
8812 return -EINVAL;
8813 }
8814
8815 if (IS_ERR(chain))
8816 return PTR_ERR(chain);
8817 if (nft_is_base_chain(chain))
8818 return -EOPNOTSUPP;
8819
8820 chain->use++;
8821 data->verdict.chain = chain;
8822 break;
8823 }
8824
8825 desc->len = sizeof(data->verdict);
8826 desc->type = NFT_DATA_VERDICT;
8827 return 0;
8828 }
8829
8830 static void nft_verdict_uninit(const struct nft_data *data)
8831 {
8832 struct nft_chain *chain;
8833 struct nft_rule *rule;
8834
8835 switch (data->verdict.code) {
8836 case NFT_JUMP:
8837 case NFT_GOTO:
8838 chain = data->verdict.chain;
8839 chain->use--;
8840
8841 if (!nft_chain_is_bound(chain))
8842 break;
8843
8844 chain->table->use--;
8845 list_for_each_entry(rule, &chain->rules, list)
8846 chain->use--;
8847
8848 nft_chain_del(chain);
8849 break;
8850 }
8851 }
8852
8853 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
8854 {
8855 struct nlattr *nest;
8856
8857 nest = nla_nest_start_noflag(skb, type);
8858 if (!nest)
8859 goto nla_put_failure;
8860
8861 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
8862 goto nla_put_failure;
8863
8864 switch (v->code) {
8865 case NFT_JUMP:
8866 case NFT_GOTO:
8867 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
8868 v->chain->name))
8869 goto nla_put_failure;
8870 }
8871 nla_nest_end(skb, nest);
8872 return 0;
8873
8874 nla_put_failure:
8875 return -1;
8876 }
8877
8878 static int nft_value_init(const struct nft_ctx *ctx,
8879 struct nft_data *data, unsigned int size,
8880 struct nft_data_desc *desc, const struct nlattr *nla)
8881 {
8882 unsigned int len;
8883
8884 len = nla_len(nla);
8885 if (len == 0)
8886 return -EINVAL;
8887 if (len > size)
8888 return -EOVERFLOW;
8889
8890 nla_memcpy(data->data, nla, len);
8891 desc->type = NFT_DATA_VALUE;
8892 desc->len = len;
8893 return 0;
8894 }
8895
8896 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
8897 unsigned int len)
8898 {
8899 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
8900 }
8901
8902 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
8903 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
8904 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
8905 };
8906
8907 /**
8908 * nft_data_init - parse nf_tables data netlink attributes
8909 *
8910 * @ctx: context of the expression using the data
8911 * @data: destination struct nft_data
8912 * @size: maximum data length
8913 * @desc: data description
8914 * @nla: netlink attribute containing data
8915 *
8916 * Parse the netlink data attributes and initialize a struct nft_data.
8917 * The type and length of data are returned in the data description.
8918 *
8919 * The caller can indicate that it only wants to accept data of type
8920 * NFT_DATA_VALUE by passing NULL for the ctx argument.
8921 */
8922 int nft_data_init(const struct nft_ctx *ctx,
8923 struct nft_data *data, unsigned int size,
8924 struct nft_data_desc *desc, const struct nlattr *nla)
8925 {
8926 struct nlattr *tb[NFTA_DATA_MAX + 1];
8927 int err;
8928
8929 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
8930 nft_data_policy, NULL);
8931 if (err < 0)
8932 return err;
8933
8934 if (tb[NFTA_DATA_VALUE])
8935 return nft_value_init(ctx, data, size, desc,
8936 tb[NFTA_DATA_VALUE]);
8937 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
8938 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
8939 return -EINVAL;
8940 }
8941 EXPORT_SYMBOL_GPL(nft_data_init);
8942
8943 /**
8944 * nft_data_release - release a nft_data item
8945 *
8946 * @data: struct nft_data to release
8947 * @type: type of data
8948 *
8949 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
8950 * all others need to be released by calling this function.
8951 */
8952 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
8953 {
8954 if (type < NFT_DATA_VERDICT)
8955 return;
8956 switch (type) {
8957 case NFT_DATA_VERDICT:
8958 return nft_verdict_uninit(data);
8959 default:
8960 WARN_ON(1);
8961 }
8962 }
8963 EXPORT_SYMBOL_GPL(nft_data_release);
8964
8965 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
8966 enum nft_data_types type, unsigned int len)
8967 {
8968 struct nlattr *nest;
8969 int err;
8970
8971 nest = nla_nest_start_noflag(skb, attr);
8972 if (nest == NULL)
8973 return -1;
8974
8975 switch (type) {
8976 case NFT_DATA_VALUE:
8977 err = nft_value_dump(skb, data, len);
8978 break;
8979 case NFT_DATA_VERDICT:
8980 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
8981 break;
8982 default:
8983 err = -EINVAL;
8984 WARN_ON(1);
8985 }
8986
8987 nla_nest_end(skb, nest);
8988 return err;
8989 }
8990 EXPORT_SYMBOL_GPL(nft_data_dump);
8991
8992 int __nft_release_basechain(struct nft_ctx *ctx)
8993 {
8994 struct nft_rule *rule, *nr;
8995
8996 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
8997 return 0;
8998
8999 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
9000 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
9001 list_del(&rule->list);
9002 ctx->chain->use--;
9003 nf_tables_rule_release(ctx, rule);
9004 }
9005 nft_chain_del(ctx->chain);
9006 ctx->table->use--;
9007 nf_tables_chain_destroy(ctx);
9008
9009 return 0;
9010 }
9011 EXPORT_SYMBOL_GPL(__nft_release_basechain);
9012
9013 static void __nft_release_hook(struct net *net, struct nft_table *table)
9014 {
9015 struct nft_chain *chain;
9016
9017 list_for_each_entry(chain, &table->chains, list)
9018 nf_tables_unregister_hook(net, table, chain);
9019 }
9020
9021 static void __nft_release_hooks(struct net *net)
9022 {
9023 struct nft_table *table;
9024
9025 list_for_each_entry(table, &net->nft.tables, list)
9026 __nft_release_hook(net, table);
9027 }
9028
9029 static void __nft_release_table(struct net *net, struct nft_table *table)
9030 {
9031 struct nft_flowtable *flowtable, *nf;
9032 struct nft_chain *chain, *nc;
9033 struct nft_object *obj, *ne;
9034 struct nft_rule *rule, *nr;
9035 struct nft_set *set, *ns;
9036 struct nft_ctx ctx = {
9037 .net = net,
9038 .family = NFPROTO_NETDEV,
9039 };
9040
9041 ctx.family = table->family;
9042 ctx.table = table;
9043 list_for_each_entry(chain, &table->chains, list) {
9044 ctx.chain = chain;
9045 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
9046 list_del(&rule->list);
9047 chain->use--;
9048 nf_tables_rule_release(&ctx, rule);
9049 }
9050 }
9051 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
9052 list_del(&flowtable->list);
9053 table->use--;
9054 nf_tables_flowtable_destroy(flowtable);
9055 }
9056 list_for_each_entry_safe(set, ns, &table->sets, list) {
9057 list_del(&set->list);
9058 table->use--;
9059 nft_set_destroy(&ctx, set);
9060 }
9061 list_for_each_entry_safe(obj, ne, &table->objects, list) {
9062 nft_obj_del(obj);
9063 table->use--;
9064 nft_obj_destroy(&ctx, obj);
9065 }
9066 list_for_each_entry_safe(chain, nc, &table->chains, list) {
9067 ctx.chain = chain;
9068 nft_chain_del(chain);
9069 table->use--;
9070 nf_tables_chain_destroy(&ctx);
9071 }
9072 list_del(&table->list);
9073 nf_tables_table_destroy(&ctx);
9074 }
9075
9076 static void __nft_release_tables(struct net *net, u32 nlpid)
9077 {
9078 struct nft_table *table, *nt;
9079
9080 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
9081 if (nft_table_has_owner(table) &&
9082 nlpid != table->nlpid)
9083 continue;
9084
9085 __nft_release_table(net, table);
9086 }
9087 }
9088
9089 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
9090 void *ptr)
9091 {
9092 struct netlink_notify *n = ptr;
9093 struct nft_table *table, *nt;
9094 struct net *net = n->net;
9095 bool release = false;
9096
9097 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
9098 return NOTIFY_DONE;
9099
9100 mutex_lock(&net->nft.commit_mutex);
9101 list_for_each_entry(table, &net->nft.tables, list) {
9102 if (nft_table_has_owner(table) &&
9103 n->portid == table->nlpid) {
9104 __nft_release_hook(net, table);
9105 release = true;
9106 }
9107 }
9108 if (release) {
9109 synchronize_rcu();
9110 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
9111 if (nft_table_has_owner(table) &&
9112 n->portid == table->nlpid)
9113 __nft_release_table(net, table);
9114 }
9115 }
9116 mutex_unlock(&net->nft.commit_mutex);
9117
9118 return NOTIFY_DONE;
9119 }
9120
9121 static struct notifier_block nft_nl_notifier = {
9122 .notifier_call = nft_rcv_nl_event,
9123 };
9124
9125 static int __net_init nf_tables_init_net(struct net *net)
9126 {
9127 INIT_LIST_HEAD(&net->nft.tables);
9128 INIT_LIST_HEAD(&net->nft.commit_list);
9129 INIT_LIST_HEAD(&net->nft.module_list);
9130 INIT_LIST_HEAD(&net->nft.notify_list);
9131 mutex_init(&net->nft.commit_mutex);
9132 net->nft.base_seq = 1;
9133 net->nft.validate_state = NFT_VALIDATE_SKIP;
9134
9135 return 0;
9136 }
9137
9138 static void __net_exit nf_tables_pre_exit_net(struct net *net)
9139 {
9140 __nft_release_hooks(net);
9141 }
9142
9143 static void __net_exit nf_tables_exit_net(struct net *net)
9144 {
9145 mutex_lock(&net->nft.commit_mutex);
9146 if (!list_empty(&net->nft.commit_list))
9147 __nf_tables_abort(net, NFNL_ABORT_NONE);
9148 __nft_release_tables(net, 0);
9149 mutex_unlock(&net->nft.commit_mutex);
9150 WARN_ON_ONCE(!list_empty(&net->nft.tables));
9151 WARN_ON_ONCE(!list_empty(&net->nft.module_list));
9152 WARN_ON_ONCE(!list_empty(&net->nft.notify_list));
9153 }
9154
9155 static struct pernet_operations nf_tables_net_ops = {
9156 .init = nf_tables_init_net,
9157 .pre_exit = nf_tables_pre_exit_net,
9158 .exit = nf_tables_exit_net,
9159 };
9160
9161 static int __init nf_tables_module_init(void)
9162 {
9163 int err;
9164
9165 spin_lock_init(&nf_tables_destroy_list_lock);
9166 err = register_pernet_subsys(&nf_tables_net_ops);
9167 if (err < 0)
9168 return err;
9169
9170 err = nft_chain_filter_init();
9171 if (err < 0)
9172 goto err_chain_filter;
9173
9174 err = nf_tables_core_module_init();
9175 if (err < 0)
9176 goto err_core_module;
9177
9178 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
9179 if (err < 0)
9180 goto err_netdev_notifier;
9181
9182 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
9183 if (err < 0)
9184 goto err_rht_objname;
9185
9186 err = nft_offload_init();
9187 if (err < 0)
9188 goto err_offload;
9189
9190 err = netlink_register_notifier(&nft_nl_notifier);
9191 if (err < 0)
9192 goto err_netlink_notifier;
9193
9194 /* must be last */
9195 err = nfnetlink_subsys_register(&nf_tables_subsys);
9196 if (err < 0)
9197 goto err_nfnl_subsys;
9198
9199 nft_chain_route_init();
9200
9201 return err;
9202
9203 err_nfnl_subsys:
9204 netlink_unregister_notifier(&nft_nl_notifier);
9205 err_netlink_notifier:
9206 nft_offload_exit();
9207 err_offload:
9208 rhltable_destroy(&nft_objname_ht);
9209 err_rht_objname:
9210 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
9211 err_netdev_notifier:
9212 nf_tables_core_module_exit();
9213 err_core_module:
9214 nft_chain_filter_fini();
9215 err_chain_filter:
9216 unregister_pernet_subsys(&nf_tables_net_ops);
9217 return err;
9218 }
9219
9220 static void __exit nf_tables_module_exit(void)
9221 {
9222 nfnetlink_subsys_unregister(&nf_tables_subsys);
9223 netlink_unregister_notifier(&nft_nl_notifier);
9224 nft_offload_exit();
9225 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
9226 nft_chain_filter_fini();
9227 nft_chain_route_fini();
9228 unregister_pernet_subsys(&nf_tables_net_ops);
9229 cancel_work_sync(&trans_destroy_work);
9230 rcu_barrier();
9231 rhltable_destroy(&nft_objname_ht);
9232 nf_tables_core_module_exit();
9233 }
9234
9235 module_init(nf_tables_module_init);
9236 module_exit(nf_tables_module_exit);
9237
9238 MODULE_LICENSE("GPL");
9239 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
9240 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
Ubuntu Jammy Linux kernel mirror