]> git.proxmox.com Git - mirror_ubuntu-disco-kernel.git/blob - net/netfilter/nft_compat.c
projects / mirror_ubuntu-disco-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
[mirror_ubuntu-disco-kernel.git] / net / netfilter / nft_compat.c
1 /*
2 * (C) 2012-2013 by Pablo Neira Ayuso <pablo@netfilter.org>
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
7 *
8 * This software has been sponsored by Sophos Astaro <http://www.sophos.com>
9 */
10
11 #include <linux/kernel.h>
12 #include <linux/init.h>
13 #include <linux/module.h>
14 #include <linux/netlink.h>
15 #include <linux/netfilter.h>
16 #include <linux/netfilter/nfnetlink.h>
17 #include <linux/netfilter/nf_tables.h>
18 #include <linux/netfilter/nf_tables_compat.h>
19 #include <linux/netfilter/x_tables.h>
20 #include <linux/netfilter_ipv4/ip_tables.h>
21 #include <linux/netfilter_ipv6/ip6_tables.h>
22 #include <linux/netfilter_bridge/ebtables.h>
23 #include <linux/netfilter_arp/arp_tables.h>
24 #include <net/netfilter/nf_tables.h>
25 #include <net/netns/generic.h>
26
27 struct nft_xt {
28 struct list_head head;
29 struct nft_expr_ops ops;
30 refcount_t refcnt;
31
32 /* used only when transaction mutex is locked */
33 unsigned int listcnt;
34
35 /* Unlike other expressions, ops doesn't have static storage duration.
36 * nft core assumes they do. We use kfree_rcu so that nft core can
37 * can check expr->ops->size even after nft_compat->destroy() frees
38 * the nft_xt struct that holds the ops structure.
39 */
40 struct rcu_head rcu_head;
41 };
42
43 /* Used for matches where *info is larger than X byte */
44 #define NFT_MATCH_LARGE_THRESH 192
45
46 struct nft_xt_match_priv {
47 void *info;
48 };
49
50 struct nft_compat_net {
51 struct list_head nft_target_list;
52 struct list_head nft_match_list;
53 };
54
55 static unsigned int nft_compat_net_id __read_mostly;
56 static struct nft_expr_type nft_match_type;
57 static struct nft_expr_type nft_target_type;
58
59 static struct nft_compat_net *nft_compat_pernet(struct net *net)
60 {
61 return net_generic(net, nft_compat_net_id);
62 }
63
64 static void nft_xt_get(struct nft_xt *xt)
65 {
66 /* refcount_inc() warns on 0 -> 1 transition, but we can't
67 * init the reference count to 1 in .select_ops -- we can't
68 * undo such an increase when another expression inside the same
69 * rule fails afterwards.
70 */
71 if (xt->listcnt == 0)
72 refcount_set(&xt->refcnt, 1);
73 else
74 refcount_inc(&xt->refcnt);
75
76 xt->listcnt++;
77 }
78
79 static bool nft_xt_put(struct nft_xt *xt)
80 {
81 if (refcount_dec_and_test(&xt->refcnt)) {
82 WARN_ON_ONCE(!list_empty(&xt->head));
83 kfree_rcu(xt, rcu_head);
84 return true;
85 }
86
87 return false;
88 }
89
90 static int nft_compat_chain_validate_dependency(const struct nft_ctx *ctx,
91 const char *tablename)
92 {
93 enum nft_chain_types type = NFT_CHAIN_T_DEFAULT;
94 const struct nft_chain *chain = ctx->chain;
95 const struct nft_base_chain *basechain;
96
97 if (!tablename ||
98 !nft_is_base_chain(chain))
99 return 0;
100
101 basechain = nft_base_chain(chain);
102 if (strcmp(tablename, "nat") == 0) {
103 if (ctx->family != NFPROTO_BRIDGE)
104 type = NFT_CHAIN_T_NAT;
105 if (basechain->type->type != type)
106 return -EINVAL;
107 }
108
109 return 0;
110 }
111
112 union nft_entry {
113 struct ipt_entry e4;
114 struct ip6t_entry e6;
115 struct ebt_entry ebt;
116 struct arpt_entry arp;
117 };
118
119 static inline void
120 nft_compat_set_par(struct xt_action_param *par, void *xt, const void *xt_info)
121 {
122 par->target = xt;
123 par->targinfo = xt_info;
124 par->hotdrop = false;
125 }
126
127 static void nft_target_eval_xt(const struct nft_expr *expr,
128 struct nft_regs *regs,
129 const struct nft_pktinfo *pkt)
130 {
131 void *info = nft_expr_priv(expr);
132 struct xt_target *target = expr->ops->data;
133 struct sk_buff *skb = pkt->skb;
134 int ret;
135
136 nft_compat_set_par((struct xt_action_param *)&pkt->xt, target, info);
137
138 ret = target->target(skb, &pkt->xt);
139
140 if (pkt->xt.hotdrop)
141 ret = NF_DROP;
142
143 switch (ret) {
144 case XT_CONTINUE:
145 regs->verdict.code = NFT_CONTINUE;
146 break;
147 default:
148 regs->verdict.code = ret;
149 break;
150 }
151 }
152
153 static void nft_target_eval_bridge(const struct nft_expr *expr,
154 struct nft_regs *regs,
155 const struct nft_pktinfo *pkt)
156 {
157 void *info = nft_expr_priv(expr);
158 struct xt_target *target = expr->ops->data;
159 struct sk_buff *skb = pkt->skb;
160 int ret;
161
162 nft_compat_set_par((struct xt_action_param *)&pkt->xt, target, info);
163
164 ret = target->target(skb, &pkt->xt);
165
166 if (pkt->xt.hotdrop)
167 ret = NF_DROP;
168
169 switch (ret) {
170 case EBT_ACCEPT:
171 regs->verdict.code = NF_ACCEPT;
172 break;
173 case EBT_DROP:
174 regs->verdict.code = NF_DROP;
175 break;
176 case EBT_CONTINUE:
177 regs->verdict.code = NFT_CONTINUE;
178 break;
179 case EBT_RETURN:
180 regs->verdict.code = NFT_RETURN;
181 break;
182 default:
183 regs->verdict.code = ret;
184 break;
185 }
186 }
187
188 static const struct nla_policy nft_target_policy[NFTA_TARGET_MAX + 1] = {
189 [NFTA_TARGET_NAME] = { .type = NLA_NUL_STRING },
190 [NFTA_TARGET_REV] = { .type = NLA_U32 },
191 [NFTA_TARGET_INFO] = { .type = NLA_BINARY },
192 };
193
194 static void
195 nft_target_set_tgchk_param(struct xt_tgchk_param *par,
196 const struct nft_ctx *ctx,
197 struct xt_target *target, void *info,
198 union nft_entry *entry, u16 proto, bool inv)
199 {
200 par->net = ctx->net;
201 par->table = ctx->table->name;
202 switch (ctx->family) {
203 case AF_INET:
204 entry->e4.ip.proto = proto;
205 entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
206 break;
207 case AF_INET6:
208 if (proto)
209 entry->e6.ipv6.flags |= IP6T_F_PROTO;
210
211 entry->e6.ipv6.proto = proto;
212 entry->e6.ipv6.invflags = inv ? IP6T_INV_PROTO : 0;
213 break;
214 case NFPROTO_BRIDGE:
215 entry->ebt.ethproto = (__force __be16)proto;
216 entry->ebt.invflags = inv ? EBT_IPROTO : 0;
217 break;
218 case NFPROTO_ARP:
219 break;
220 }
221 par->entryinfo = entry;
222 par->target = target;
223 par->targinfo = info;
224 if (nft_is_base_chain(ctx->chain)) {
225 const struct nft_base_chain *basechain =
226 nft_base_chain(ctx->chain);
227 const struct nf_hook_ops *ops = &basechain->ops;
228
229 par->hook_mask = 1 << ops->hooknum;
230 } else {
231 par->hook_mask = 0;
232 }
233 par->family = ctx->family;
234 par->nft_compat = true;
235 }
236
237 static void target_compat_from_user(struct xt_target *t, void *in, void *out)
238 {
239 int pad;
240
241 memcpy(out, in, t->targetsize);
242 pad = XT_ALIGN(t->targetsize) - t->targetsize;
243 if (pad > 0)
244 memset(out + t->targetsize, 0, pad);
245 }
246
247 static const struct nla_policy nft_rule_compat_policy[NFTA_RULE_COMPAT_MAX + 1] = {
248 [NFTA_RULE_COMPAT_PROTO] = { .type = NLA_U32 },
249 [NFTA_RULE_COMPAT_FLAGS] = { .type = NLA_U32 },
250 };
251
252 static int nft_parse_compat(const struct nlattr *attr, u16 *proto, bool *inv)
253 {
254 struct nlattr *tb[NFTA_RULE_COMPAT_MAX+1];
255 u32 flags;
256 int err;
257
258 err = nla_parse_nested(tb, NFTA_RULE_COMPAT_MAX, attr,
259 nft_rule_compat_policy, NULL);
260 if (err < 0)
261 return err;
262
263 if (!tb[NFTA_RULE_COMPAT_PROTO] || !tb[NFTA_RULE_COMPAT_FLAGS])
264 return -EINVAL;
265
266 flags = ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_FLAGS]));
267 if (flags & ~NFT_RULE_COMPAT_F_MASK)
268 return -EINVAL;
269 if (flags & NFT_RULE_COMPAT_F_INV)
270 *inv = true;
271
272 *proto = ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_PROTO]));
273 return 0;
274 }
275
276 static int
277 nft_target_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
278 const struct nlattr * const tb[])
279 {
280 void *info = nft_expr_priv(expr);
281 struct xt_target *target = expr->ops->data;
282 struct xt_tgchk_param par;
283 size_t size = XT_ALIGN(nla_len(tb[NFTA_TARGET_INFO]));
284 struct nft_xt *nft_xt;
285 u16 proto = 0;
286 bool inv = false;
287 union nft_entry e = {};
288 int ret;
289
290 target_compat_from_user(target, nla_data(tb[NFTA_TARGET_INFO]), info);
291
292 if (ctx->nla[NFTA_RULE_COMPAT]) {
293 ret = nft_parse_compat(ctx->nla[NFTA_RULE_COMPAT], &proto, &inv);
294 if (ret < 0)
295 return ret;
296 }
297
298 nft_target_set_tgchk_param(&par, ctx, target, info, &e, proto, inv);
299
300 ret = xt_check_target(&par, size, proto, inv);
301 if (ret < 0)
302 return ret;
303
304 /* The standard target cannot be used */
305 if (!target->target)
306 return -EINVAL;
307
308 nft_xt = container_of(expr->ops, struct nft_xt, ops);
309 nft_xt_get(nft_xt);
310 return 0;
311 }
312
313 static void
314 nft_target_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
315 {
316 struct xt_target *target = expr->ops->data;
317 void *info = nft_expr_priv(expr);
318 struct xt_tgdtor_param par;
319
320 par.net = ctx->net;
321 par.target = target;
322 par.targinfo = info;
323 par.family = ctx->family;
324 if (par.target->destroy != NULL)
325 par.target->destroy(&par);
326
327 if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops)))
328 module_put(target->me);
329 }
330
331 static int nft_extension_dump_info(struct sk_buff *skb, int attr,
332 const void *info,
333 unsigned int size, unsigned int user_size)
334 {
335 unsigned int info_size, aligned_size = XT_ALIGN(size);
336 struct nlattr *nla;
337
338 nla = nla_reserve(skb, attr, aligned_size);
339 if (!nla)
340 return -1;
341
342 info_size = user_size ? : size;
343 memcpy(nla_data(nla), info, info_size);
344 memset(nla_data(nla) + info_size, 0, aligned_size - info_size);
345
346 return 0;
347 }
348
349 static int nft_target_dump(struct sk_buff *skb, const struct nft_expr *expr)
350 {
351 const struct xt_target *target = expr->ops->data;
352 void *info = nft_expr_priv(expr);
353
354 if (nla_put_string(skb, NFTA_TARGET_NAME, target->name) ||
355 nla_put_be32(skb, NFTA_TARGET_REV, htonl(target->revision)) ||
356 nft_extension_dump_info(skb, NFTA_TARGET_INFO, info,
357 target->targetsize, target->usersize))
358 goto nla_put_failure;
359
360 return 0;
361
362 nla_put_failure:
363 return -1;
364 }
365
366 static int nft_target_validate(const struct nft_ctx *ctx,
367 const struct nft_expr *expr,
368 const struct nft_data **data)
369 {
370 struct xt_target *target = expr->ops->data;
371 unsigned int hook_mask = 0;
372 int ret;
373
374 if (nft_is_base_chain(ctx->chain)) {
375 const struct nft_base_chain *basechain =
376 nft_base_chain(ctx->chain);
377 const struct nf_hook_ops *ops = &basechain->ops;
378
379 hook_mask = 1 << ops->hooknum;
380 if (target->hooks && !(hook_mask & target->hooks))
381 return -EINVAL;
382
383 ret = nft_compat_chain_validate_dependency(ctx, target->table);
384 if (ret < 0)
385 return ret;
386 }
387 return 0;
388 }
389
390 static void __nft_match_eval(const struct nft_expr *expr,
391 struct nft_regs *regs,
392 const struct nft_pktinfo *pkt,
393 void *info)
394 {
395 struct xt_match *match = expr->ops->data;
396 struct sk_buff *skb = pkt->skb;
397 bool ret;
398
399 nft_compat_set_par((struct xt_action_param *)&pkt->xt, match, info);
400
401 ret = match->match(skb, (struct xt_action_param *)&pkt->xt);
402
403 if (pkt->xt.hotdrop) {
404 regs->verdict.code = NF_DROP;
405 return;
406 }
407
408 switch (ret ? 1 : 0) {
409 case 1:
410 regs->verdict.code = NFT_CONTINUE;
411 break;
412 case 0:
413 regs->verdict.code = NFT_BREAK;
414 break;
415 }
416 }
417
418 static void nft_match_large_eval(const struct nft_expr *expr,
419 struct nft_regs *regs,
420 const struct nft_pktinfo *pkt)
421 {
422 struct nft_xt_match_priv *priv = nft_expr_priv(expr);
423
424 __nft_match_eval(expr, regs, pkt, priv->info);
425 }
426
427 static void nft_match_eval(const struct nft_expr *expr,
428 struct nft_regs *regs,
429 const struct nft_pktinfo *pkt)
430 {
431 __nft_match_eval(expr, regs, pkt, nft_expr_priv(expr));
432 }
433
434 static const struct nla_policy nft_match_policy[NFTA_MATCH_MAX + 1] = {
435 [NFTA_MATCH_NAME] = { .type = NLA_NUL_STRING },
436 [NFTA_MATCH_REV] = { .type = NLA_U32 },
437 [NFTA_MATCH_INFO] = { .type = NLA_BINARY },
438 };
439
440 /* struct xt_mtchk_param and xt_tgchk_param look very similar */
441 static void
442 nft_match_set_mtchk_param(struct xt_mtchk_param *par, const struct nft_ctx *ctx,
443 struct xt_match *match, void *info,
444 union nft_entry *entry, u16 proto, bool inv)
445 {
446 par->net = ctx->net;
447 par->table = ctx->table->name;
448 switch (ctx->family) {
449 case AF_INET:
450 entry->e4.ip.proto = proto;
451 entry->e4.ip.invflags = inv ? IPT_INV_PROTO : 0;
452 break;
453 case AF_INET6:
454 if (proto)
455 entry->e6.ipv6.flags |= IP6T_F_PROTO;
456
457 entry->e6.ipv6.proto = proto;
458 entry->e6.ipv6.invflags = inv ? IP6T_INV_PROTO : 0;
459 break;
460 case NFPROTO_BRIDGE:
461 entry->ebt.ethproto = (__force __be16)proto;
462 entry->ebt.invflags = inv ? EBT_IPROTO : 0;
463 break;
464 case NFPROTO_ARP:
465 break;
466 }
467 par->entryinfo = entry;
468 par->match = match;
469 par->matchinfo = info;
470 if (nft_is_base_chain(ctx->chain)) {
471 const struct nft_base_chain *basechain =
472 nft_base_chain(ctx->chain);
473 const struct nf_hook_ops *ops = &basechain->ops;
474
475 par->hook_mask = 1 << ops->hooknum;
476 } else {
477 par->hook_mask = 0;
478 }
479 par->family = ctx->family;
480 par->nft_compat = true;
481 }
482
483 static void match_compat_from_user(struct xt_match *m, void *in, void *out)
484 {
485 int pad;
486
487 memcpy(out, in, m->matchsize);
488 pad = XT_ALIGN(m->matchsize) - m->matchsize;
489 if (pad > 0)
490 memset(out + m->matchsize, 0, pad);
491 }
492
493 static int
494 __nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
495 const struct nlattr * const tb[],
496 void *info)
497 {
498 struct xt_match *match = expr->ops->data;
499 struct xt_mtchk_param par;
500 size_t size = XT_ALIGN(nla_len(tb[NFTA_MATCH_INFO]));
501 struct nft_xt *nft_xt;
502 u16 proto = 0;
503 bool inv = false;
504 union nft_entry e = {};
505 int ret;
506
507 match_compat_from_user(match, nla_data(tb[NFTA_MATCH_INFO]), info);
508
509 if (ctx->nla[NFTA_RULE_COMPAT]) {
510 ret = nft_parse_compat(ctx->nla[NFTA_RULE_COMPAT], &proto, &inv);
511 if (ret < 0)
512 return ret;
513 }
514
515 nft_match_set_mtchk_param(&par, ctx, match, info, &e, proto, inv);
516
517 ret = xt_check_match(&par, size, proto, inv);
518 if (ret < 0)
519 return ret;
520
521 nft_xt = container_of(expr->ops, struct nft_xt, ops);
522 nft_xt_get(nft_xt);
523 return 0;
524 }
525
526 static int
527 nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
528 const struct nlattr * const tb[])
529 {
530 return __nft_match_init(ctx, expr, tb, nft_expr_priv(expr));
531 }
532
533 static int
534 nft_match_large_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
535 const struct nlattr * const tb[])
536 {
537 struct nft_xt_match_priv *priv = nft_expr_priv(expr);
538 struct xt_match *m = expr->ops->data;
539 int ret;
540
541 priv->info = kmalloc(XT_ALIGN(m->matchsize), GFP_KERNEL);
542 if (!priv->info)
543 return -ENOMEM;
544
545 ret = __nft_match_init(ctx, expr, tb, priv->info);
546 if (ret)
547 kfree(priv->info);
548 return ret;
549 }
550
551 static void
552 __nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr,
553 void *info)
554 {
555 struct xt_match *match = expr->ops->data;
556 struct module *me = match->me;
557 struct xt_mtdtor_param par;
558
559 par.net = ctx->net;
560 par.match = match;
561 par.matchinfo = info;
562 par.family = ctx->family;
563 if (par.match->destroy != NULL)
564 par.match->destroy(&par);
565
566 if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops)))
567 module_put(me);
568 }
569
570 static void
571 nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
572 {
573 __nft_match_destroy(ctx, expr, nft_expr_priv(expr));
574 }
575
576 static void nft_compat_deactivate(const struct nft_ctx *ctx,
577 const struct nft_expr *expr,
578 enum nft_trans_phase phase)
579 {
580 struct nft_xt *xt = container_of(expr->ops, struct nft_xt, ops);
581
582 if (phase == NFT_TRANS_ABORT || phase == NFT_TRANS_COMMIT) {
583 if (--xt->listcnt == 0)
584 list_del_init(&xt->head);
585 }
586 }
587
588 static void
589 nft_match_large_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
590 {
591 struct nft_xt_match_priv *priv = nft_expr_priv(expr);
592
593 __nft_match_destroy(ctx, expr, priv->info);
594 kfree(priv->info);
595 }
596
597 static int __nft_match_dump(struct sk_buff *skb, const struct nft_expr *expr,
598 void *info)
599 {
600 struct xt_match *match = expr->ops->data;
601
602 if (nla_put_string(skb, NFTA_MATCH_NAME, match->name) ||
603 nla_put_be32(skb, NFTA_MATCH_REV, htonl(match->revision)) ||
604 nft_extension_dump_info(skb, NFTA_MATCH_INFO, info,
605 match->matchsize, match->usersize))
606 goto nla_put_failure;
607
608 return 0;
609
610 nla_put_failure:
611 return -1;
612 }
613
614 static int nft_match_dump(struct sk_buff *skb, const struct nft_expr *expr)
615 {
616 return __nft_match_dump(skb, expr, nft_expr_priv(expr));
617 }
618
619 static int nft_match_large_dump(struct sk_buff *skb, const struct nft_expr *e)
620 {
621 struct nft_xt_match_priv *priv = nft_expr_priv(e);
622
623 return __nft_match_dump(skb, e, priv->info);
624 }
625
626 static int nft_match_validate(const struct nft_ctx *ctx,
627 const struct nft_expr *expr,
628 const struct nft_data **data)
629 {
630 struct xt_match *match = expr->ops->data;
631 unsigned int hook_mask = 0;
632 int ret;
633
634 if (nft_is_base_chain(ctx->chain)) {
635 const struct nft_base_chain *basechain =
636 nft_base_chain(ctx->chain);
637 const struct nf_hook_ops *ops = &basechain->ops;
638
639 hook_mask = 1 << ops->hooknum;
640 if (match->hooks && !(hook_mask & match->hooks))
641 return -EINVAL;
642
643 ret = nft_compat_chain_validate_dependency(ctx, match->table);
644 if (ret < 0)
645 return ret;
646 }
647 return 0;
648 }
649
650 static int
651 nfnl_compat_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
652 int event, u16 family, const char *name,
653 int rev, int target)
654 {
655 struct nlmsghdr *nlh;
656 struct nfgenmsg *nfmsg;
657 unsigned int flags = portid ? NLM_F_MULTI : 0;
658
659 event = nfnl_msg_type(NFNL_SUBSYS_NFT_COMPAT, event);
660 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
661 if (nlh == NULL)
662 goto nlmsg_failure;
663
664 nfmsg = nlmsg_data(nlh);
665 nfmsg->nfgen_family = family;
666 nfmsg->version = NFNETLINK_V0;
667 nfmsg->res_id = 0;
668
669 if (nla_put_string(skb, NFTA_COMPAT_NAME, name) ||
670 nla_put_be32(skb, NFTA_COMPAT_REV, htonl(rev)) ||
671 nla_put_be32(skb, NFTA_COMPAT_TYPE, htonl(target)))
672 goto nla_put_failure;
673
674 nlmsg_end(skb, nlh);
675 return skb->len;
676
677 nlmsg_failure:
678 nla_put_failure:
679 nlmsg_cancel(skb, nlh);
680 return -1;
681 }
682
683 static int nfnl_compat_get_rcu(struct net *net, struct sock *nfnl,
684 struct sk_buff *skb, const struct nlmsghdr *nlh,
685 const struct nlattr * const tb[],
686 struct netlink_ext_ack *extack)
687 {
688 int ret = 0, target;
689 struct nfgenmsg *nfmsg;
690 const char *fmt;
691 const char *name;
692 u32 rev;
693 struct sk_buff *skb2;
694
695 if (tb[NFTA_COMPAT_NAME] == NULL ||
696 tb[NFTA_COMPAT_REV] == NULL ||
697 tb[NFTA_COMPAT_TYPE] == NULL)
698 return -EINVAL;
699
700 name = nla_data(tb[NFTA_COMPAT_NAME]);
701 rev = ntohl(nla_get_be32(tb[NFTA_COMPAT_REV]));
702 target = ntohl(nla_get_be32(tb[NFTA_COMPAT_TYPE]));
703
704 nfmsg = nlmsg_data(nlh);
705
706 switch(nfmsg->nfgen_family) {
707 case AF_INET:
708 fmt = "ipt_%s";
709 break;
710 case AF_INET6:
711 fmt = "ip6t_%s";
712 break;
713 case NFPROTO_BRIDGE:
714 fmt = "ebt_%s";
715 break;
716 case NFPROTO_ARP:
717 fmt = "arpt_%s";
718 break;
719 default:
720 pr_err("nft_compat: unsupported protocol %d\n",
721 nfmsg->nfgen_family);
722 return -EINVAL;
723 }
724
725 if (!try_module_get(THIS_MODULE))
726 return -EINVAL;
727
728 rcu_read_unlock();
729 try_then_request_module(xt_find_revision(nfmsg->nfgen_family, name,
730 rev, target, &ret),
731 fmt, name);
732 if (ret < 0)
733 goto out_put;
734
735 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
736 if (skb2 == NULL) {
737 ret = -ENOMEM;
738 goto out_put;
739 }
740
741 /* include the best revision for this extension in the message */
742 if (nfnl_compat_fill_info(skb2, NETLINK_CB(skb).portid,
743 nlh->nlmsg_seq,
744 NFNL_MSG_TYPE(nlh->nlmsg_type),
745 NFNL_MSG_COMPAT_GET,
746 nfmsg->nfgen_family,
747 name, ret, target) <= 0) {
748 kfree_skb(skb2);
749 goto out_put;
750 }
751
752 ret = netlink_unicast(nfnl, skb2, NETLINK_CB(skb).portid,
753 MSG_DONTWAIT);
754 if (ret > 0)
755 ret = 0;
756 out_put:
757 rcu_read_lock();
758 module_put(THIS_MODULE);
759 return ret == -EAGAIN ? -ENOBUFS : ret;
760 }
761
762 static const struct nla_policy nfnl_compat_policy_get[NFTA_COMPAT_MAX+1] = {
763 [NFTA_COMPAT_NAME] = { .type = NLA_NUL_STRING,
764 .len = NFT_COMPAT_NAME_MAX-1 },
765 [NFTA_COMPAT_REV] = { .type = NLA_U32 },
766 [NFTA_COMPAT_TYPE] = { .type = NLA_U32 },
767 };
768
769 static const struct nfnl_callback nfnl_nft_compat_cb[NFNL_MSG_COMPAT_MAX] = {
770 [NFNL_MSG_COMPAT_GET] = { .call_rcu = nfnl_compat_get_rcu,
771 .attr_count = NFTA_COMPAT_MAX,
772 .policy = nfnl_compat_policy_get },
773 };
774
775 static const struct nfnetlink_subsystem nfnl_compat_subsys = {
776 .name = "nft-compat",
777 .subsys_id = NFNL_SUBSYS_NFT_COMPAT,
778 .cb_count = NFNL_MSG_COMPAT_MAX,
779 .cb = nfnl_nft_compat_cb,
780 };
781
782 static bool nft_match_cmp(const struct xt_match *match,
783 const char *name, u32 rev, u32 family)
784 {
785 return strcmp(match->name, name) == 0 && match->revision == rev &&
786 (match->family == NFPROTO_UNSPEC || match->family == family);
787 }
788
789 static const struct nft_expr_ops *
790 nft_match_select_ops(const struct nft_ctx *ctx,
791 const struct nlattr * const tb[])
792 {
793 struct nft_compat_net *cn;
794 struct nft_xt *nft_match;
795 struct xt_match *match;
796 unsigned int matchsize;
797 char *mt_name;
798 u32 rev, family;
799 int err;
800
801 if (tb[NFTA_MATCH_NAME] == NULL ||
802 tb[NFTA_MATCH_REV] == NULL ||
803 tb[NFTA_MATCH_INFO] == NULL)
804 return ERR_PTR(-EINVAL);
805
806 mt_name = nla_data(tb[NFTA_MATCH_NAME]);
807 rev = ntohl(nla_get_be32(tb[NFTA_MATCH_REV]));
808 family = ctx->family;
809
810 cn = nft_compat_pernet(ctx->net);
811
812 /* Re-use the existing match if it's already loaded. */
813 list_for_each_entry(nft_match, &cn->nft_match_list, head) {
814 struct xt_match *match = nft_match->ops.data;
815
816 if (nft_match_cmp(match, mt_name, rev, family))
817 return &nft_match->ops;
818 }
819
820 match = xt_request_find_match(family, mt_name, rev);
821 if (IS_ERR(match))
822 return ERR_PTR(-ENOENT);
823
824 if (match->matchsize > nla_len(tb[NFTA_MATCH_INFO])) {
825 err = -EINVAL;
826 goto err;
827 }
828
829 /* This is the first time we use this match, allocate operations */
830 nft_match = kzalloc(sizeof(struct nft_xt), GFP_KERNEL);
831 if (nft_match == NULL) {
832 err = -ENOMEM;
833 goto err;
834 }
835
836 refcount_set(&nft_match->refcnt, 0);
837 nft_match->ops.type = &nft_match_type;
838 nft_match->ops.eval = nft_match_eval;
839 nft_match->ops.init = nft_match_init;
840 nft_match->ops.destroy = nft_match_destroy;
841 nft_match->ops.deactivate = nft_compat_deactivate;
842 nft_match->ops.dump = nft_match_dump;
843 nft_match->ops.validate = nft_match_validate;
844 nft_match->ops.data = match;
845
846 matchsize = NFT_EXPR_SIZE(XT_ALIGN(match->matchsize));
847 if (matchsize > NFT_MATCH_LARGE_THRESH) {
848 matchsize = NFT_EXPR_SIZE(sizeof(struct nft_xt_match_priv));
849
850 nft_match->ops.eval = nft_match_large_eval;
851 nft_match->ops.init = nft_match_large_init;
852 nft_match->ops.destroy = nft_match_large_destroy;
853 nft_match->ops.dump = nft_match_large_dump;
854 }
855
856 nft_match->ops.size = matchsize;
857
858 nft_match->listcnt = 0;
859 list_add(&nft_match->head, &cn->nft_match_list);
860
861 return &nft_match->ops;
862 err:
863 module_put(match->me);
864 return ERR_PTR(err);
865 }
866
867 static struct nft_expr_type nft_match_type __read_mostly = {
868 .name = "match",
869 .select_ops = nft_match_select_ops,
870 .policy = nft_match_policy,
871 .maxattr = NFTA_MATCH_MAX,
872 .owner = THIS_MODULE,
873 };
874
875 static bool nft_target_cmp(const struct xt_target *tg,
876 const char *name, u32 rev, u32 family)
877 {
878 return strcmp(tg->name, name) == 0 && tg->revision == rev &&
879 (tg->family == NFPROTO_UNSPEC || tg->family == family);
880 }
881
882 static const struct nft_expr_ops *
883 nft_target_select_ops(const struct nft_ctx *ctx,
884 const struct nlattr * const tb[])
885 {
886 struct nft_compat_net *cn;
887 struct nft_xt *nft_target;
888 struct xt_target *target;
889 char *tg_name;
890 u32 rev, family;
891 int err;
892
893 if (tb[NFTA_TARGET_NAME] == NULL ||
894 tb[NFTA_TARGET_REV] == NULL ||
895 tb[NFTA_TARGET_INFO] == NULL)
896 return ERR_PTR(-EINVAL);
897
898 tg_name = nla_data(tb[NFTA_TARGET_NAME]);
899 rev = ntohl(nla_get_be32(tb[NFTA_TARGET_REV]));
900 family = ctx->family;
901
902 if (strcmp(tg_name, XT_ERROR_TARGET) == 0 ||
903 strcmp(tg_name, XT_STANDARD_TARGET) == 0 ||
904 strcmp(tg_name, "standard") == 0)
905 return ERR_PTR(-EINVAL);
906
907 cn = nft_compat_pernet(ctx->net);
908 /* Re-use the existing target if it's already loaded. */
909 list_for_each_entry(nft_target, &cn->nft_target_list, head) {
910 struct xt_target *target = nft_target->ops.data;
911
912 if (!target->target)
913 continue;
914
915 if (nft_target_cmp(target, tg_name, rev, family))
916 return &nft_target->ops;
917 }
918
919 target = xt_request_find_target(family, tg_name, rev);
920 if (IS_ERR(target))
921 return ERR_PTR(-ENOENT);
922
923 if (!target->target) {
924 err = -EINVAL;
925 goto err;
926 }
927
928 if (target->targetsize > nla_len(tb[NFTA_TARGET_INFO])) {
929 err = -EINVAL;
930 goto err;
931 }
932
933 /* This is the first time we use this target, allocate operations */
934 nft_target = kzalloc(sizeof(struct nft_xt), GFP_KERNEL);
935 if (nft_target == NULL) {
936 err = -ENOMEM;
937 goto err;
938 }
939
940 refcount_set(&nft_target->refcnt, 0);
941 nft_target->ops.type = &nft_target_type;
942 nft_target->ops.size = NFT_EXPR_SIZE(XT_ALIGN(target->targetsize));
943 nft_target->ops.init = nft_target_init;
944 nft_target->ops.destroy = nft_target_destroy;
945 nft_target->ops.deactivate = nft_compat_deactivate;
946 nft_target->ops.dump = nft_target_dump;
947 nft_target->ops.validate = nft_target_validate;
948 nft_target->ops.data = target;
949
950 if (family == NFPROTO_BRIDGE)
951 nft_target->ops.eval = nft_target_eval_bridge;
952 else
953 nft_target->ops.eval = nft_target_eval_xt;
954
955 nft_target->listcnt = 0;
956 list_add(&nft_target->head, &cn->nft_target_list);
957
958 return &nft_target->ops;
959 err:
960 module_put(target->me);
961 return ERR_PTR(err);
962 }
963
964 static struct nft_expr_type nft_target_type __read_mostly = {
965 .name = "target",
966 .select_ops = nft_target_select_ops,
967 .policy = nft_target_policy,
968 .maxattr = NFTA_TARGET_MAX,
969 .owner = THIS_MODULE,
970 };
971
972 static int __net_init nft_compat_init_net(struct net *net)
973 {
974 struct nft_compat_net *cn = nft_compat_pernet(net);
975
976 INIT_LIST_HEAD(&cn->nft_target_list);
977 INIT_LIST_HEAD(&cn->nft_match_list);
978
979 return 0;
980 }
981
982 static void __net_exit nft_compat_exit_net(struct net *net)
983 {
984 struct nft_compat_net *cn = nft_compat_pernet(net);
985 struct nft_xt *xt, *next;
986
987 if (list_empty(&cn->nft_match_list) &&
988 list_empty(&cn->nft_target_list))
989 return;
990
991 /* If there was an error that caused nft_xt expr to not be initialized
992 * fully and noone else requested the same expression later, the lists
993 * contain 0-refcount entries that still hold module reference.
994 *
995 * Clean them here.
996 */
997 mutex_lock(&net->nft.commit_mutex);
998 list_for_each_entry_safe(xt, next, &cn->nft_target_list, head) {
999 struct xt_target *target = xt->ops.data;
1000
1001 list_del_init(&xt->head);
1002
1003 if (refcount_read(&xt->refcnt))
1004 continue;
1005 module_put(target->me);
1006 kfree(xt);
1007 }
1008
1009 list_for_each_entry_safe(xt, next, &cn->nft_match_list, head) {
1010 struct xt_match *match = xt->ops.data;
1011
1012 list_del_init(&xt->head);
1013
1014 if (refcount_read(&xt->refcnt))
1015 continue;
1016 module_put(match->me);
1017 kfree(xt);
1018 }
1019 mutex_unlock(&net->nft.commit_mutex);
1020 }
1021
1022 static struct pernet_operations nft_compat_net_ops = {
1023 .init = nft_compat_init_net,
1024 .exit = nft_compat_exit_net,
1025 .id = &nft_compat_net_id,
1026 .size = sizeof(struct nft_compat_net),
1027 };
1028
1029 static int __init nft_compat_module_init(void)
1030 {
1031 int ret;
1032
1033 ret = register_pernet_subsys(&nft_compat_net_ops);
1034 if (ret < 0)
1035 goto err_target;
1036
1037 ret = nft_register_expr(&nft_match_type);
1038 if (ret < 0)
1039 goto err_pernet;
1040
1041 ret = nft_register_expr(&nft_target_type);
1042 if (ret < 0)
1043 goto err_match;
1044
1045 ret = nfnetlink_subsys_register(&nfnl_compat_subsys);
1046 if (ret < 0) {
1047 pr_err("nft_compat: cannot register with nfnetlink.\n");
1048 goto err_target;
1049 }
1050
1051 return ret;
1052 err_target:
1053 nft_unregister_expr(&nft_target_type);
1054 err_match:
1055 nft_unregister_expr(&nft_match_type);
1056 err_pernet:
1057 unregister_pernet_subsys(&nft_compat_net_ops);
1058 return ret;
1059 }
1060
1061 static void __exit nft_compat_module_exit(void)
1062 {
1063 nfnetlink_subsys_unregister(&nfnl_compat_subsys);
1064 nft_unregister_expr(&nft_target_type);
1065 nft_unregister_expr(&nft_match_type);
1066 unregister_pernet_subsys(&nft_compat_net_ops);
1067 }
1068
1069 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFT_COMPAT);
1070
1071 module_init(nft_compat_module_init);
1072 module_exit(nft_compat_module_exit);
1073
1074 MODULE_LICENSE("GPL");
1075 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
1076 MODULE_ALIAS_NFT_EXPR("match");
1077 MODULE_ALIAS_NFT_EXPR("target");
Ubuntu Disco kernel mirror for Proxmox VE and PMG