1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 *
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
6 */
7
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_flow_table.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_tables_offload.h>
23 #include <net/net_namespace.h>
24 #include <net/sock.h>
25
26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
27
28 static LIST_HEAD(nf_tables_expressions);
29 static LIST_HEAD(nf_tables_objects);
30 static LIST_HEAD(nf_tables_flowtables);
31 static LIST_HEAD(nf_tables_destroy_list);
32 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
33 static u64 table_handle;
34
35 enum {
36 NFT_VALIDATE_SKIP = 0,
37 NFT_VALIDATE_NEED,
38 NFT_VALIDATE_DO,
39 };
40
41 static struct rhltable nft_objname_ht;
42
43 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
44 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
45 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
46
47 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
48 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
49 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
50
51 static const struct rhashtable_params nft_chain_ht_params = {
52 .head_offset = offsetof(struct nft_chain, rhlhead),
53 .key_offset = offsetof(struct nft_chain, name),
54 .hashfn = nft_chain_hash,
55 .obj_hashfn = nft_chain_hash_obj,
56 .obj_cmpfn = nft_chain_hash_cmp,
57 .automatic_shrinking = true,
58 };
59
60 static const struct rhashtable_params nft_objname_ht_params = {
61 .head_offset = offsetof(struct nft_object, rhlhead),
62 .key_offset = offsetof(struct nft_object, key),
63 .hashfn = nft_objname_hash,
64 .obj_hashfn = nft_objname_hash_obj,
65 .obj_cmpfn = nft_objname_hash_cmp,
66 .automatic_shrinking = true,
67 };
68
nft_validate_state_update(struct net * net,u8 new_validate_state)69 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
70 {
71 switch (net->nft.validate_state) {
72 case NFT_VALIDATE_SKIP:
73 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
74 break;
75 case NFT_VALIDATE_NEED:
76 break;
77 case NFT_VALIDATE_DO:
78 if (new_validate_state == NFT_VALIDATE_NEED)
79 return;
80 }
81
82 net->nft.validate_state = new_validate_state;
83 }
84 static void nf_tables_trans_destroy_work(struct work_struct *w);
85 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
86
nft_ctx_init(struct nft_ctx * ctx,struct net * net,const struct sk_buff * skb,const struct nlmsghdr * nlh,u8 family,struct nft_table * table,struct nft_chain * chain,const struct nlattr * const * nla)87 static void nft_ctx_init(struct nft_ctx *ctx,
88 struct net *net,
89 const struct sk_buff *skb,
90 const struct nlmsghdr *nlh,
91 u8 family,
92 struct nft_table *table,
93 struct nft_chain *chain,
94 const struct nlattr * const *nla)
95 {
96 ctx->net = net;
97 ctx->family = family;
98 ctx->level = 0;
99 ctx->table = table;
100 ctx->chain = chain;
101 ctx->nla = nla;
102 ctx->portid = NETLINK_CB(skb).portid;
103 ctx->report = nlmsg_report(nlh);
104 ctx->flags = nlh->nlmsg_flags;
105 ctx->seq = nlh->nlmsg_seq;
106 }
107
nft_trans_alloc_gfp(const struct nft_ctx * ctx,int msg_type,u32 size,gfp_t gfp)108 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
109 int msg_type, u32 size, gfp_t gfp)
110 {
111 struct nft_trans *trans;
112
113 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
114 if (trans == NULL)
115 return NULL;
116
117 trans->msg_type = msg_type;
118 trans->ctx = *ctx;
119
120 return trans;
121 }
122
nft_trans_alloc(const struct nft_ctx * ctx,int msg_type,u32 size)123 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
124 int msg_type, u32 size)
125 {
126 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
127 }
128
nft_trans_destroy(struct nft_trans * trans)129 static void nft_trans_destroy(struct nft_trans *trans)
130 {
131 list_del(&trans->list);
132 kfree(trans);
133 }
134
nft_set_trans_bind(const struct nft_ctx * ctx,struct nft_set * set)135 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
136 {
137 struct net *net = ctx->net;
138 struct nft_trans *trans;
139
140 if (!nft_set_is_anonymous(set))
141 return;
142
143 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
144 switch (trans->msg_type) {
145 case NFT_MSG_NEWSET:
146 if (nft_trans_set(trans) == set)
147 nft_trans_set_bound(trans) = true;
148 break;
149 case NFT_MSG_NEWSETELEM:
150 if (nft_trans_elem_set(trans) == set)
151 nft_trans_elem_set_bound(trans) = true;
152 break;
153 }
154 }
155 }
156
nft_netdev_register_hooks(struct net * net,struct list_head * hook_list)157 static int nft_netdev_register_hooks(struct net *net,
158 struct list_head *hook_list)
159 {
160 struct nft_hook *hook;
161 int err, j;
162
163 j = 0;
164 list_for_each_entry(hook, hook_list, list) {
165 err = nf_register_net_hook(net, &hook->ops);
166 if (err < 0)
167 goto err_register;
168
169 j++;
170 }
171 return 0;
172
173 err_register:
174 list_for_each_entry(hook, hook_list, list) {
175 if (j-- <= 0)
176 break;
177
178 nf_unregister_net_hook(net, &hook->ops);
179 }
180 return err;
181 }
182
nft_netdev_unregister_hooks(struct net * net,struct list_head * hook_list)183 static void nft_netdev_unregister_hooks(struct net *net,
184 struct list_head *hook_list)
185 {
186 struct nft_hook *hook;
187
188 list_for_each_entry(hook, hook_list, list)
189 nf_unregister_net_hook(net, &hook->ops);
190 }
191
nf_tables_register_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain)192 static int nf_tables_register_hook(struct net *net,
193 const struct nft_table *table,
194 struct nft_chain *chain)
195 {
196 struct nft_base_chain *basechain;
197 const struct nf_hook_ops *ops;
198
199 if (table->flags & NFT_TABLE_F_DORMANT ||
200 !nft_is_base_chain(chain))
201 return 0;
202
203 basechain = nft_base_chain(chain);
204 ops = &basechain->ops;
205
206 if (basechain->type->ops_register)
207 return basechain->type->ops_register(net, ops);
208
209 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
210 return nft_netdev_register_hooks(net, &basechain->hook_list);
211
212 return nf_register_net_hook(net, &basechain->ops);
213 }
214
nf_tables_unregister_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain)215 static void nf_tables_unregister_hook(struct net *net,
216 const struct nft_table *table,
217 struct nft_chain *chain)
218 {
219 struct nft_base_chain *basechain;
220 const struct nf_hook_ops *ops;
221
222 if (table->flags & NFT_TABLE_F_DORMANT ||
223 !nft_is_base_chain(chain))
224 return;
225 basechain = nft_base_chain(chain);
226 ops = &basechain->ops;
227
228 if (basechain->type->ops_unregister)
229 return basechain->type->ops_unregister(net, ops);
230
231 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
232 nft_netdev_unregister_hooks(net, &basechain->hook_list);
233 else
234 nf_unregister_net_hook(net, &basechain->ops);
235 }
236
nft_trans_table_add(struct nft_ctx * ctx,int msg_type)237 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
238 {
239 struct nft_trans *trans;
240
241 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
242 if (trans == NULL)
243 return -ENOMEM;
244
245 if (msg_type == NFT_MSG_NEWTABLE)
246 nft_activate_next(ctx->net, ctx->table);
247
248 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
249 return 0;
250 }
251
nft_deltable(struct nft_ctx * ctx)252 static int nft_deltable(struct nft_ctx *ctx)
253 {
254 int err;
255
256 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
257 if (err < 0)
258 return err;
259
260 nft_deactivate_next(ctx->net, ctx->table);
261 return err;
262 }
263
nft_trans_chain_add(struct nft_ctx * ctx,int msg_type)264 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
265 {
266 struct nft_trans *trans;
267
268 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
269 if (trans == NULL)
270 return ERR_PTR(-ENOMEM);
271
272 if (msg_type == NFT_MSG_NEWCHAIN) {
273 nft_activate_next(ctx->net, ctx->chain);
274
275 if (ctx->nla[NFTA_CHAIN_ID]) {
276 nft_trans_chain_id(trans) =
277 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
278 }
279 }
280
281 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
282 return trans;
283 }
284
nft_delchain(struct nft_ctx * ctx)285 static int nft_delchain(struct nft_ctx *ctx)
286 {
287 struct nft_trans *trans;
288
289 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
290 if (IS_ERR(trans))
291 return PTR_ERR(trans);
292
293 ctx->table->use--;
294 nft_deactivate_next(ctx->net, ctx->chain);
295
296 return 0;
297 }
298
nft_rule_expr_activate(const struct nft_ctx * ctx,struct nft_rule * rule)299 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
300 struct nft_rule *rule)
301 {
302 struct nft_expr *expr;
303
304 expr = nft_expr_first(rule);
305 while (nft_expr_more(rule, expr)) {
306 if (expr->ops->activate)
307 expr->ops->activate(ctx, expr);
308
309 expr = nft_expr_next(expr);
310 }
311 }
312
nft_rule_expr_deactivate(const struct nft_ctx * ctx,struct nft_rule * rule,enum nft_trans_phase phase)313 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
314 struct nft_rule *rule,
315 enum nft_trans_phase phase)
316 {
317 struct nft_expr *expr;
318
319 expr = nft_expr_first(rule);
320 while (nft_expr_more(rule, expr)) {
321 if (expr->ops->deactivate)
322 expr->ops->deactivate(ctx, expr, phase);
323
324 expr = nft_expr_next(expr);
325 }
326 }
327
328 static int
nf_tables_delrule_deactivate(struct nft_ctx * ctx,struct nft_rule * rule)329 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
330 {
331 /* You cannot delete the same rule twice */
332 if (nft_is_active_next(ctx->net, rule)) {
333 nft_deactivate_next(ctx->net, rule);
334 ctx->chain->use--;
335 return 0;
336 }
337 return -ENOENT;
338 }
339
nft_trans_rule_add(struct nft_ctx * ctx,int msg_type,struct nft_rule * rule)340 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
341 struct nft_rule *rule)
342 {
343 struct nft_trans *trans;
344
345 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
346 if (trans == NULL)
347 return NULL;
348
349 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
350 nft_trans_rule_id(trans) =
351 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
352 }
353 nft_trans_rule(trans) = rule;
354 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
355
356 return trans;
357 }
358
nft_delrule(struct nft_ctx * ctx,struct nft_rule * rule)359 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
360 {
361 struct nft_flow_rule *flow;
362 struct nft_trans *trans;
363 int err;
364
365 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
366 if (trans == NULL)
367 return -ENOMEM;
368
369 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
370 flow = nft_flow_rule_create(ctx->net, rule);
371 if (IS_ERR(flow)) {
372 nft_trans_destroy(trans);
373 return PTR_ERR(flow);
374 }
375
376 nft_trans_flow_rule(trans) = flow;
377 }
378
379 err = nf_tables_delrule_deactivate(ctx, rule);
380 if (err < 0) {
381 nft_trans_destroy(trans);
382 return err;
383 }
384 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
385
386 return 0;
387 }
388
nft_delrule_by_chain(struct nft_ctx * ctx)389 static int nft_delrule_by_chain(struct nft_ctx *ctx)
390 {
391 struct nft_rule *rule;
392 int err;
393
394 list_for_each_entry(rule, &ctx->chain->rules, list) {
395 if (!nft_is_active_next(ctx->net, rule))
396 continue;
397
398 err = nft_delrule(ctx, rule);
399 if (err < 0)
400 return err;
401 }
402 return 0;
403 }
404
nft_trans_set_add(const struct nft_ctx * ctx,int msg_type,struct nft_set * set)405 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
406 struct nft_set *set)
407 {
408 struct nft_trans *trans;
409
410 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
411 if (trans == NULL)
412 return -ENOMEM;
413
414 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
415 nft_trans_set_id(trans) =
416 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
417 nft_activate_next(ctx->net, set);
418 }
419 nft_trans_set(trans) = set;
420 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
421
422 return 0;
423 }
424
nft_delset(const struct nft_ctx * ctx,struct nft_set * set)425 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
426 {
427 int err;
428
429 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
430 if (err < 0)
431 return err;
432
433 nft_deactivate_next(ctx->net, set);
434 ctx->table->use--;
435
436 return err;
437 }
438
nft_trans_obj_add(struct nft_ctx * ctx,int msg_type,struct nft_object * obj)439 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
440 struct nft_object *obj)
441 {
442 struct nft_trans *trans;
443
444 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
445 if (trans == NULL)
446 return -ENOMEM;
447
448 if (msg_type == NFT_MSG_NEWOBJ)
449 nft_activate_next(ctx->net, obj);
450
451 nft_trans_obj(trans) = obj;
452 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
453
454 return 0;
455 }
456
nft_delobj(struct nft_ctx * ctx,struct nft_object * obj)457 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
458 {
459 int err;
460
461 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
462 if (err < 0)
463 return err;
464
465 nft_deactivate_next(ctx->net, obj);
466 ctx->table->use--;
467
468 return err;
469 }
470
nft_trans_flowtable_add(struct nft_ctx * ctx,int msg_type,struct nft_flowtable * flowtable)471 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
472 struct nft_flowtable *flowtable)
473 {
474 struct nft_trans *trans;
475
476 trans = nft_trans_alloc(ctx, msg_type,
477 sizeof(struct nft_trans_flowtable));
478 if (trans == NULL)
479 return -ENOMEM;
480
481 if (msg_type == NFT_MSG_NEWFLOWTABLE)
482 nft_activate_next(ctx->net, flowtable);
483
484 nft_trans_flowtable(trans) = flowtable;
485 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
486
487 return 0;
488 }
489
nft_delflowtable(struct nft_ctx * ctx,struct nft_flowtable * flowtable)490 static int nft_delflowtable(struct nft_ctx *ctx,
491 struct nft_flowtable *flowtable)
492 {
493 int err;
494
495 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
496 if (err < 0)
497 return err;
498
499 nft_deactivate_next(ctx->net, flowtable);
500 ctx->table->use--;
501
502 return err;
503 }
504
505 /*
506 * Tables
507 */
508
nft_table_lookup(const struct net * net,const struct nlattr * nla,u8 family,u8 genmask)509 static struct nft_table *nft_table_lookup(const struct net *net,
510 const struct nlattr *nla,
511 u8 family, u8 genmask)
512 {
513 struct nft_table *table;
514
515 if (nla == NULL)
516 return ERR_PTR(-EINVAL);
517
518 list_for_each_entry_rcu(table, &net->nft.tables, list,
519 lockdep_is_held(&net->nft.commit_mutex)) {
520 if (!nla_strcmp(nla, table->name) &&
521 table->family == family &&
522 nft_active_genmask(table, genmask))
523 return table;
524 }
525
526 return ERR_PTR(-ENOENT);
527 }
528
nft_table_lookup_byhandle(const struct net * net,const struct nlattr * nla,u8 genmask)529 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
530 const struct nlattr *nla,
531 u8 genmask)
532 {
533 struct nft_table *table;
534
535 list_for_each_entry(table, &net->nft.tables, list) {
536 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
537 nft_active_genmask(table, genmask))
538 return table;
539 }
540
541 return ERR_PTR(-ENOENT);
542 }
543
nf_tables_alloc_handle(struct nft_table * table)544 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
545 {
546 return ++table->hgenerator;
547 }
548
549 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
550
551 static const struct nft_chain_type *
__nft_chain_type_get(u8 family,enum nft_chain_types type)552 __nft_chain_type_get(u8 family, enum nft_chain_types type)
553 {
554 if (family >= NFPROTO_NUMPROTO ||
555 type >= NFT_CHAIN_T_MAX)
556 return NULL;
557
558 return chain_type[family][type];
559 }
560
561 static const struct nft_chain_type *
__nf_tables_chain_type_lookup(const struct nlattr * nla,u8 family)562 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
563 {
564 const struct nft_chain_type *type;
565 int i;
566
567 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
568 type = __nft_chain_type_get(family, i);
569 if (!type)
570 continue;
571 if (!nla_strcmp(nla, type->name))
572 return type;
573 }
574 return NULL;
575 }
576
577 struct nft_module_request {
578 struct list_head list;
579 char module[MODULE_NAME_LEN];
580 bool done;
581 };
582
583 #ifdef CONFIG_MODULES
nft_request_module(struct net * net,const char * fmt,...)584 static int nft_request_module(struct net *net, const char *fmt, ...)
585 {
586 char module_name[MODULE_NAME_LEN];
587 struct nft_module_request *req;
588 va_list args;
589 int ret;
590
591 va_start(args, fmt);
592 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
593 va_end(args);
594 if (ret >= MODULE_NAME_LEN)
595 return 0;
596
597 list_for_each_entry(req, &net->nft.module_list, list) {
598 if (!strcmp(req->module, module_name)) {
599 if (req->done)
600 return 0;
601
602 /* A request to load this module already exists. */
603 return -EAGAIN;
604 }
605 }
606
607 req = kmalloc(sizeof(*req), GFP_KERNEL);
608 if (!req)
609 return -ENOMEM;
610
611 req->done = false;
612 strlcpy(req->module, module_name, MODULE_NAME_LEN);
613 list_add_tail(&req->list, &net->nft.module_list);
614
615 return -EAGAIN;
616 }
617 #endif
618
lockdep_nfnl_nft_mutex_not_held(void)619 static void lockdep_nfnl_nft_mutex_not_held(void)
620 {
621 #ifdef CONFIG_PROVE_LOCKING
622 if (debug_locks)
623 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
624 #endif
625 }
626
627 static const struct nft_chain_type *
nf_tables_chain_type_lookup(struct net * net,const struct nlattr * nla,u8 family,bool autoload)628 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
629 u8 family, bool autoload)
630 {
631 const struct nft_chain_type *type;
632
633 type = __nf_tables_chain_type_lookup(nla, family);
634 if (type != NULL)
635 return type;
636
637 lockdep_nfnl_nft_mutex_not_held();
638 #ifdef CONFIG_MODULES
639 if (autoload) {
640 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
641 nla_len(nla),
642 (const char *)nla_data(nla)) == -EAGAIN)
643 return ERR_PTR(-EAGAIN);
644 }
645 #endif
646 return ERR_PTR(-ENOENT);
647 }
648
649 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
650 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
651 .len = NFT_TABLE_MAXNAMELEN - 1 },
652 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
653 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
654 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
655 .len = NFT_USERDATA_MAXLEN }
656 };
657
nf_tables_fill_table_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table)658 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
659 u32 portid, u32 seq, int event, u32 flags,
660 int family, const struct nft_table *table)
661 {
662 struct nlmsghdr *nlh;
663 struct nfgenmsg *nfmsg;
664
665 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
666 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
667 if (nlh == NULL)
668 goto nla_put_failure;
669
670 nfmsg = nlmsg_data(nlh);
671 nfmsg->nfgen_family = family;
672 nfmsg->version = NFNETLINK_V0;
673 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
674
675 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
676 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
677 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
678 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
679 NFTA_TABLE_PAD))
680 goto nla_put_failure;
681
682 if (table->udata) {
683 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
684 goto nla_put_failure;
685 }
686
687 nlmsg_end(skb, nlh);
688 return 0;
689
690 nla_put_failure:
691 nlmsg_trim(skb, nlh);
692 return -1;
693 }
694
695 struct nftnl_skb_parms {
696 bool report;
697 };
698 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
699
nft_notify_enqueue(struct sk_buff * skb,bool report,struct list_head * notify_list)700 static void nft_notify_enqueue(struct sk_buff *skb, bool report,
701 struct list_head *notify_list)
702 {
703 NFT_CB(skb).report = report;
704 list_add_tail(&skb->list, notify_list);
705 }
706
nf_tables_table_notify(const struct nft_ctx * ctx,int event)707 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
708 {
709 struct sk_buff *skb;
710 int err;
711 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;?:0",
712 ctx->table->name, ctx->table->handle);
713
714 audit_log_nfcfg(buf,
715 ctx->family,
716 ctx->table->use,
717 event == NFT_MSG_NEWTABLE ?
718 AUDIT_NFT_OP_TABLE_REGISTER :
719 AUDIT_NFT_OP_TABLE_UNREGISTER,
720 GFP_KERNEL);
721 kfree(buf);
722
723 if (!ctx->report &&
724 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
725 return;
726
727 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
728 if (skb == NULL)
729 goto err;
730
731 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
732 event, 0, ctx->family, ctx->table);
733 if (err < 0) {
734 kfree_skb(skb);
735 goto err;
736 }
737
738 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
739 return;
740 err:
741 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
742 }
743
nf_tables_dump_tables(struct sk_buff * skb,struct netlink_callback * cb)744 static int nf_tables_dump_tables(struct sk_buff *skb,
745 struct netlink_callback *cb)
746 {
747 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
748 const struct nft_table *table;
749 unsigned int idx = 0, s_idx = cb->args[0];
750 struct net *net = sock_net(skb->sk);
751 int family = nfmsg->nfgen_family;
752
753 rcu_read_lock();
754 cb->seq = net->nft.base_seq;
755
756 list_for_each_entry_rcu(table, &net->nft.tables, list) {
757 if (family != NFPROTO_UNSPEC && family != table->family)
758 continue;
759
760 if (idx < s_idx)
761 goto cont;
762 if (idx > s_idx)
763 memset(&cb->args[1], 0,
764 sizeof(cb->args) - sizeof(cb->args[0]));
765 if (!nft_is_active(net, table))
766 continue;
767 if (nf_tables_fill_table_info(skb, net,
768 NETLINK_CB(cb->skb).portid,
769 cb->nlh->nlmsg_seq,
770 NFT_MSG_NEWTABLE, NLM_F_MULTI,
771 table->family, table) < 0)
772 goto done;
773
774 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
775 cont:
776 idx++;
777 }
778 done:
779 rcu_read_unlock();
780 cb->args[0] = idx;
781 return skb->len;
782 }
783
nft_netlink_dump_start_rcu(struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,struct netlink_dump_control * c)784 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
785 const struct nlmsghdr *nlh,
786 struct netlink_dump_control *c)
787 {
788 int err;
789
790 if (!try_module_get(THIS_MODULE))
791 return -EINVAL;
792
793 rcu_read_unlock();
794 err = netlink_dump_start(nlsk, skb, nlh, c);
795 rcu_read_lock();
796 module_put(THIS_MODULE);
797
798 return err;
799 }
800
801 /* called with rcu_read_lock held */
nf_tables_gettable(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)802 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
803 struct sk_buff *skb, const struct nlmsghdr *nlh,
804 const struct nlattr * const nla[],
805 struct netlink_ext_ack *extack)
806 {
807 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
808 u8 genmask = nft_genmask_cur(net);
809 const struct nft_table *table;
810 struct sk_buff *skb2;
811 int family = nfmsg->nfgen_family;
812 int err;
813
814 if (nlh->nlmsg_flags & NLM_F_DUMP) {
815 struct netlink_dump_control c = {
816 .dump = nf_tables_dump_tables,
817 .module = THIS_MODULE,
818 };
819
820 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
821 }
822
823 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
824 if (IS_ERR(table)) {
825 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
826 return PTR_ERR(table);
827 }
828
829 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
830 if (!skb2)
831 return -ENOMEM;
832
833 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
834 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
835 family, table);
836 if (err < 0)
837 goto err_fill_table_info;
838
839 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
840
841 err_fill_table_info:
842 kfree_skb(skb2);
843 return err;
844 }
845
nft_table_disable(struct net * net,struct nft_table * table,u32 cnt)846 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
847 {
848 struct nft_chain *chain;
849 u32 i = 0;
850
851 list_for_each_entry(chain, &table->chains, list) {
852 if (!nft_is_active_next(net, chain))
853 continue;
854 if (!nft_is_base_chain(chain))
855 continue;
856
857 if (cnt && i++ == cnt)
858 break;
859
860 nf_tables_unregister_hook(net, table, chain);
861 }
862 }
863
nf_tables_table_enable(struct net * net,struct nft_table * table)864 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
865 {
866 struct nft_chain *chain;
867 int err, i = 0;
868
869 list_for_each_entry(chain, &table->chains, list) {
870 if (!nft_is_active_next(net, chain))
871 continue;
872 if (!nft_is_base_chain(chain))
873 continue;
874
875 err = nf_tables_register_hook(net, table, chain);
876 if (err < 0)
877 goto err_register_hooks;
878
879 i++;
880 }
881 return 0;
882
883 err_register_hooks:
884 if (i)
885 nft_table_disable(net, table, i);
886 return err;
887 }
888
nf_tables_table_disable(struct net * net,struct nft_table * table)889 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
890 {
891 nft_table_disable(net, table, 0);
892 }
893
nf_tables_updtable(struct nft_ctx * ctx)894 static int nf_tables_updtable(struct nft_ctx *ctx)
895 {
896 struct nft_trans *trans;
897 u32 flags;
898 int ret = 0;
899
900 if (!ctx->nla[NFTA_TABLE_FLAGS])
901 return 0;
902
903 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
904 if (flags & ~NFT_TABLE_F_DORMANT)
905 return -EINVAL;
906
907 if (flags == ctx->table->flags)
908 return 0;
909
910 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
911 sizeof(struct nft_trans_table));
912 if (trans == NULL)
913 return -ENOMEM;
914
915 if ((flags & NFT_TABLE_F_DORMANT) &&
916 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
917 nft_trans_table_enable(trans) = false;
918 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
919 ctx->table->flags & NFT_TABLE_F_DORMANT) {
920 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
921 ret = nf_tables_table_enable(ctx->net, ctx->table);
922 if (ret >= 0)
923 nft_trans_table_enable(trans) = true;
924 else
925 ctx->table->flags |= NFT_TABLE_F_DORMANT;
926 }
927 if (ret < 0)
928 goto err;
929
930 nft_trans_table_update(trans) = true;
931 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
932 return 0;
933 err:
934 nft_trans_destroy(trans);
935 return ret;
936 }
937
nft_chain_hash(const void * data,u32 len,u32 seed)938 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
939 {
940 const char *name = data;
941
942 return jhash(name, strlen(name), seed);
943 }
944
nft_chain_hash_obj(const void * data,u32 len,u32 seed)945 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
946 {
947 const struct nft_chain *chain = data;
948
949 return nft_chain_hash(chain->name, 0, seed);
950 }
951
nft_chain_hash_cmp(struct rhashtable_compare_arg * arg,const void * ptr)952 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
953 const void *ptr)
954 {
955 const struct nft_chain *chain = ptr;
956 const char *name = arg->key;
957
958 return strcmp(chain->name, name);
959 }
960
nft_objname_hash(const void * data,u32 len,u32 seed)961 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
962 {
963 const struct nft_object_hash_key *k = data;
964
965 seed ^= hash_ptr(k->table, 32);
966
967 return jhash(k->name, strlen(k->name), seed);
968 }
969
nft_objname_hash_obj(const void * data,u32 len,u32 seed)970 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
971 {
972 const struct nft_object *obj = data;
973
974 return nft_objname_hash(&obj->key, 0, seed);
975 }
976
nft_objname_hash_cmp(struct rhashtable_compare_arg * arg,const void * ptr)977 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
978 const void *ptr)
979 {
980 const struct nft_object_hash_key *k = arg->key;
981 const struct nft_object *obj = ptr;
982
983 if (obj->key.table != k->table)
984 return -1;
985
986 return strcmp(obj->key.name, k->name);
987 }
988
nf_tables_newtable(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)989 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
990 struct sk_buff *skb, const struct nlmsghdr *nlh,
991 const struct nlattr * const nla[],
992 struct netlink_ext_ack *extack)
993 {
994 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
995 u8 genmask = nft_genmask_next(net);
996 int family = nfmsg->nfgen_family;
997 const struct nlattr *attr;
998 struct nft_table *table;
999 struct nft_ctx ctx;
1000 u32 flags = 0;
1001 int err;
1002
1003 lockdep_assert_held(&net->nft.commit_mutex);
1004 attr = nla[NFTA_TABLE_NAME];
1005 table = nft_table_lookup(net, attr, family, genmask);
1006 if (IS_ERR(table)) {
1007 if (PTR_ERR(table) != -ENOENT)
1008 return PTR_ERR(table);
1009 } else {
1010 if (nlh->nlmsg_flags & NLM_F_EXCL) {
1011 NL_SET_BAD_ATTR(extack, attr);
1012 return -EEXIST;
1013 }
1014 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1015 return -EOPNOTSUPP;
1016
1017 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
1018 return nf_tables_updtable(&ctx);
1019 }
1020
1021 if (nla[NFTA_TABLE_FLAGS]) {
1022 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1023 if (flags & ~NFT_TABLE_F_DORMANT)
1024 return -EINVAL;
1025 }
1026
1027 err = -ENOMEM;
1028 table = kzalloc(sizeof(*table), GFP_KERNEL);
1029 if (table == NULL)
1030 goto err_kzalloc;
1031
1032 table->name = nla_strdup(attr, GFP_KERNEL);
1033 if (table->name == NULL)
1034 goto err_strdup;
1035
1036 if (nla[NFTA_TABLE_USERDATA]) {
1037 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL);
1038 if (table->udata == NULL)
1039 goto err_table_udata;
1040
1041 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
1042 }
1043
1044 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1045 if (err)
1046 goto err_chain_ht;
1047
1048 INIT_LIST_HEAD(&table->chains);
1049 INIT_LIST_HEAD(&table->sets);
1050 INIT_LIST_HEAD(&table->objects);
1051 INIT_LIST_HEAD(&table->flowtables);
1052 table->family = family;
1053 table->flags = flags;
1054 table->handle = ++table_handle;
1055
1056 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
1057 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1058 if (err < 0)
1059 goto err_trans;
1060
1061 list_add_tail_rcu(&table->list, &net->nft.tables);
1062 return 0;
1063 err_trans:
1064 rhltable_destroy(&table->chains_ht);
1065 err_chain_ht:
1066 kfree(table->udata);
1067 err_table_udata:
1068 kfree(table->name);
1069 err_strdup:
1070 kfree(table);
1071 err_kzalloc:
1072 return err;
1073 }
1074
nft_flush_table(struct nft_ctx * ctx)1075 static int nft_flush_table(struct nft_ctx *ctx)
1076 {
1077 struct nft_flowtable *flowtable, *nft;
1078 struct nft_chain *chain, *nc;
1079 struct nft_object *obj, *ne;
1080 struct nft_set *set, *ns;
1081 int err;
1082
1083 list_for_each_entry(chain, &ctx->table->chains, list) {
1084 if (!nft_is_active_next(ctx->net, chain))
1085 continue;
1086
1087 if (nft_chain_is_bound(chain))
1088 continue;
1089
1090 ctx->chain = chain;
1091
1092 err = nft_delrule_by_chain(ctx);
1093 if (err < 0)
1094 goto out;
1095 }
1096
1097 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1098 if (!nft_is_active_next(ctx->net, set))
1099 continue;
1100
1101 if (nft_set_is_anonymous(set) &&
1102 !list_empty(&set->bindings))
1103 continue;
1104
1105 err = nft_delset(ctx, set);
1106 if (err < 0)
1107 goto out;
1108 }
1109
1110 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1111 if (!nft_is_active_next(ctx->net, flowtable))
1112 continue;
1113
1114 err = nft_delflowtable(ctx, flowtable);
1115 if (err < 0)
1116 goto out;
1117 }
1118
1119 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1120 if (!nft_is_active_next(ctx->net, obj))
1121 continue;
1122
1123 err = nft_delobj(ctx, obj);
1124 if (err < 0)
1125 goto out;
1126 }
1127
1128 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1129 if (!nft_is_active_next(ctx->net, chain))
1130 continue;
1131
1132 if (nft_chain_is_bound(chain))
1133 continue;
1134
1135 ctx->chain = chain;
1136
1137 err = nft_delchain(ctx);
1138 if (err < 0)
1139 goto out;
1140 }
1141
1142 err = nft_deltable(ctx);
1143 out:
1144 return err;
1145 }
1146
nft_flush(struct nft_ctx * ctx,int family)1147 static int nft_flush(struct nft_ctx *ctx, int family)
1148 {
1149 struct nft_table *table, *nt;
1150 const struct nlattr * const *nla = ctx->nla;
1151 int err = 0;
1152
1153 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1154 if (family != AF_UNSPEC && table->family != family)
1155 continue;
1156
1157 ctx->family = table->family;
1158
1159 if (!nft_is_active_next(ctx->net, table))
1160 continue;
1161
1162 if (nla[NFTA_TABLE_NAME] &&
1163 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1164 continue;
1165
1166 ctx->table = table;
1167
1168 err = nft_flush_table(ctx);
1169 if (err < 0)
1170 goto out;
1171 }
1172 out:
1173 return err;
1174 }
1175
nf_tables_deltable(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)1176 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1177 struct sk_buff *skb, const struct nlmsghdr *nlh,
1178 const struct nlattr * const nla[],
1179 struct netlink_ext_ack *extack)
1180 {
1181 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1182 u8 genmask = nft_genmask_next(net);
1183 int family = nfmsg->nfgen_family;
1184 const struct nlattr *attr;
1185 struct nft_table *table;
1186 struct nft_ctx ctx;
1187
1188 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1189 if (family == AF_UNSPEC ||
1190 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1191 return nft_flush(&ctx, family);
1192
1193 if (nla[NFTA_TABLE_HANDLE]) {
1194 attr = nla[NFTA_TABLE_HANDLE];
1195 table = nft_table_lookup_byhandle(net, attr, genmask);
1196 } else {
1197 attr = nla[NFTA_TABLE_NAME];
1198 table = nft_table_lookup(net, attr, family, genmask);
1199 }
1200
1201 if (IS_ERR(table)) {
1202 NL_SET_BAD_ATTR(extack, attr);
1203 return PTR_ERR(table);
1204 }
1205
1206 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1207 table->use > 0)
1208 return -EBUSY;
1209
1210 ctx.family = family;
1211 ctx.table = table;
1212
1213 return nft_flush_table(&ctx);
1214 }
1215
nf_tables_table_destroy(struct nft_ctx * ctx)1216 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1217 {
1218 if (WARN_ON(ctx->table->use > 0))
1219 return;
1220
1221 rhltable_destroy(&ctx->table->chains_ht);
1222 kfree(ctx->table->name);
1223 kfree(ctx->table->udata);
1224 kfree(ctx->table);
1225 }
1226
nft_register_chain_type(const struct nft_chain_type * ctype)1227 void nft_register_chain_type(const struct nft_chain_type *ctype)
1228 {
1229 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1230 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1231 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1232 return;
1233 }
1234 chain_type[ctype->family][ctype->type] = ctype;
1235 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1236 }
1237 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1238
nft_unregister_chain_type(const struct nft_chain_type * ctype)1239 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1240 {
1241 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1242 chain_type[ctype->family][ctype->type] = NULL;
1243 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1244 }
1245 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1246
1247 /*
1248 * Chains
1249 */
1250
1251 static struct nft_chain *
nft_chain_lookup_byhandle(const struct nft_table * table,u64 handle,u8 genmask)1252 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1253 {
1254 struct nft_chain *chain;
1255
1256 list_for_each_entry(chain, &table->chains, list) {
1257 if (chain->handle == handle &&
1258 nft_active_genmask(chain, genmask))
1259 return chain;
1260 }
1261
1262 return ERR_PTR(-ENOENT);
1263 }
1264
lockdep_commit_lock_is_held(const struct net * net)1265 static bool lockdep_commit_lock_is_held(const struct net *net)
1266 {
1267 #ifdef CONFIG_PROVE_LOCKING
1268 return lockdep_is_held(&net->nft.commit_mutex);
1269 #else
1270 return true;
1271 #endif
1272 }
1273
nft_chain_lookup(struct net * net,struct nft_table * table,const struct nlattr * nla,u8 genmask)1274 static struct nft_chain *nft_chain_lookup(struct net *net,
1275 struct nft_table *table,
1276 const struct nlattr *nla, u8 genmask)
1277 {
1278 char search[NFT_CHAIN_MAXNAMELEN + 1];
1279 struct rhlist_head *tmp, *list;
1280 struct nft_chain *chain;
1281
1282 if (nla == NULL)
1283 return ERR_PTR(-EINVAL);
1284
1285 nla_strlcpy(search, nla, sizeof(search));
1286
1287 WARN_ON(!rcu_read_lock_held() &&
1288 !lockdep_commit_lock_is_held(net));
1289
1290 chain = ERR_PTR(-ENOENT);
1291 rcu_read_lock();
1292 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1293 if (!list)
1294 goto out_unlock;
1295
1296 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1297 if (nft_active_genmask(chain, genmask))
1298 goto out_unlock;
1299 }
1300 chain = ERR_PTR(-ENOENT);
1301 out_unlock:
1302 rcu_read_unlock();
1303 return chain;
1304 }
1305
1306 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1307 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1308 .len = NFT_TABLE_MAXNAMELEN - 1 },
1309 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1310 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1311 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1312 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1313 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1314 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1315 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1316 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1317 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1318 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1319 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
1320 .len = NFT_USERDATA_MAXLEN },
1321 };
1322
1323 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1324 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1325 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1326 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1327 .len = IFNAMSIZ - 1 },
1328 };
1329
nft_dump_stats(struct sk_buff * skb,struct nft_stats __percpu * stats)1330 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1331 {
1332 struct nft_stats *cpu_stats, total;
1333 struct nlattr *nest;
1334 unsigned int seq;
1335 u64 pkts, bytes;
1336 int cpu;
1337
1338 if (!stats)
1339 return 0;
1340
1341 memset(&total, 0, sizeof(total));
1342 for_each_possible_cpu(cpu) {
1343 cpu_stats = per_cpu_ptr(stats, cpu);
1344 do {
1345 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1346 pkts = cpu_stats->pkts;
1347 bytes = cpu_stats->bytes;
1348 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1349 total.pkts += pkts;
1350 total.bytes += bytes;
1351 }
1352 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1353 if (nest == NULL)
1354 goto nla_put_failure;
1355
1356 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1357 NFTA_COUNTER_PAD) ||
1358 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1359 NFTA_COUNTER_PAD))
1360 goto nla_put_failure;
1361
1362 nla_nest_end(skb, nest);
1363 return 0;
1364
1365 nla_put_failure:
1366 return -ENOSPC;
1367 }
1368
nft_dump_basechain_hook(struct sk_buff * skb,int family,const struct nft_base_chain * basechain)1369 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1370 const struct nft_base_chain *basechain)
1371 {
1372 const struct nf_hook_ops *ops = &basechain->ops;
1373 struct nft_hook *hook, *first = NULL;
1374 struct nlattr *nest, *nest_devs;
1375 int n = 0;
1376
1377 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1378 if (nest == NULL)
1379 goto nla_put_failure;
1380 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1381 goto nla_put_failure;
1382 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1383 goto nla_put_failure;
1384
1385 if (nft_base_chain_netdev(family, ops->hooknum)) {
1386 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1387 list_for_each_entry(hook, &basechain->hook_list, list) {
1388 if (!first)
1389 first = hook;
1390
1391 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1392 hook->ops.dev->name))
1393 goto nla_put_failure;
1394 n++;
1395 }
1396 nla_nest_end(skb, nest_devs);
1397
1398 if (n == 1 &&
1399 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1400 goto nla_put_failure;
1401 }
1402 nla_nest_end(skb, nest);
1403
1404 return 0;
1405 nla_put_failure:
1406 return -1;
1407 }
1408
nf_tables_fill_chain_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,const struct nft_chain * chain)1409 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1410 u32 portid, u32 seq, int event, u32 flags,
1411 int family, const struct nft_table *table,
1412 const struct nft_chain *chain)
1413 {
1414 struct nlmsghdr *nlh;
1415 struct nfgenmsg *nfmsg;
1416
1417 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1418 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1419 if (nlh == NULL)
1420 goto nla_put_failure;
1421
1422 nfmsg = nlmsg_data(nlh);
1423 nfmsg->nfgen_family = family;
1424 nfmsg->version = NFNETLINK_V0;
1425 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1426
1427 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1428 goto nla_put_failure;
1429 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1430 NFTA_CHAIN_PAD))
1431 goto nla_put_failure;
1432 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1433 goto nla_put_failure;
1434
1435 if (nft_is_base_chain(chain)) {
1436 const struct nft_base_chain *basechain = nft_base_chain(chain);
1437 struct nft_stats __percpu *stats;
1438
1439 if (nft_dump_basechain_hook(skb, family, basechain))
1440 goto nla_put_failure;
1441
1442 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1443 htonl(basechain->policy)))
1444 goto nla_put_failure;
1445
1446 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1447 goto nla_put_failure;
1448
1449 stats = rcu_dereference_check(basechain->stats,
1450 lockdep_commit_lock_is_held(net));
1451 if (nft_dump_stats(skb, stats))
1452 goto nla_put_failure;
1453 }
1454
1455 if (chain->flags &&
1456 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
1457 goto nla_put_failure;
1458
1459 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1460 goto nla_put_failure;
1461
1462 if (chain->udata &&
1463 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
1464 goto nla_put_failure;
1465
1466 nlmsg_end(skb, nlh);
1467 return 0;
1468
1469 nla_put_failure:
1470 nlmsg_trim(skb, nlh);
1471 return -1;
1472 }
1473
nf_tables_chain_notify(const struct nft_ctx * ctx,int event)1474 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1475 {
1476 struct sk_buff *skb;
1477 int err;
1478 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
1479 ctx->table->name, ctx->table->handle,
1480 ctx->chain->name, ctx->chain->handle);
1481
1482 audit_log_nfcfg(buf,
1483 ctx->family,
1484 ctx->chain->use,
1485 event == NFT_MSG_NEWCHAIN ?
1486 AUDIT_NFT_OP_CHAIN_REGISTER :
1487 AUDIT_NFT_OP_CHAIN_UNREGISTER,
1488 GFP_KERNEL);
1489 kfree(buf);
1490
1491 if (!ctx->report &&
1492 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1493 return;
1494
1495 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1496 if (skb == NULL)
1497 goto err;
1498
1499 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1500 event, 0, ctx->family, ctx->table,
1501 ctx->chain);
1502 if (err < 0) {
1503 kfree_skb(skb);
1504 goto err;
1505 }
1506
1507 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
1508 return;
1509 err:
1510 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1511 }
1512
nf_tables_dump_chains(struct sk_buff * skb,struct netlink_callback * cb)1513 static int nf_tables_dump_chains(struct sk_buff *skb,
1514 struct netlink_callback *cb)
1515 {
1516 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1517 const struct nft_table *table;
1518 const struct nft_chain *chain;
1519 unsigned int idx = 0, s_idx = cb->args[0];
1520 struct net *net = sock_net(skb->sk);
1521 int family = nfmsg->nfgen_family;
1522
1523 rcu_read_lock();
1524 cb->seq = net->nft.base_seq;
1525
1526 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1527 if (family != NFPROTO_UNSPEC && family != table->family)
1528 continue;
1529
1530 list_for_each_entry_rcu(chain, &table->chains, list) {
1531 if (idx < s_idx)
1532 goto cont;
1533 if (idx > s_idx)
1534 memset(&cb->args[1], 0,
1535 sizeof(cb->args) - sizeof(cb->args[0]));
1536 if (!nft_is_active(net, chain))
1537 continue;
1538 if (nf_tables_fill_chain_info(skb, net,
1539 NETLINK_CB(cb->skb).portid,
1540 cb->nlh->nlmsg_seq,
1541 NFT_MSG_NEWCHAIN,
1542 NLM_F_MULTI,
1543 table->family, table,
1544 chain) < 0)
1545 goto done;
1546
1547 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1548 cont:
1549 idx++;
1550 }
1551 }
1552 done:
1553 rcu_read_unlock();
1554 cb->args[0] = idx;
1555 return skb->len;
1556 }
1557
1558 /* called with rcu_read_lock held */
nf_tables_getchain(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)1559 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1560 struct sk_buff *skb, const struct nlmsghdr *nlh,
1561 const struct nlattr * const nla[],
1562 struct netlink_ext_ack *extack)
1563 {
1564 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1565 u8 genmask = nft_genmask_cur(net);
1566 const struct nft_chain *chain;
1567 struct nft_table *table;
1568 struct sk_buff *skb2;
1569 int family = nfmsg->nfgen_family;
1570 int err;
1571
1572 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1573 struct netlink_dump_control c = {
1574 .dump = nf_tables_dump_chains,
1575 .module = THIS_MODULE,
1576 };
1577
1578 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1579 }
1580
1581 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1582 if (IS_ERR(table)) {
1583 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1584 return PTR_ERR(table);
1585 }
1586
1587 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1588 if (IS_ERR(chain)) {
1589 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1590 return PTR_ERR(chain);
1591 }
1592
1593 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1594 if (!skb2)
1595 return -ENOMEM;
1596
1597 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1598 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1599 family, table, chain);
1600 if (err < 0)
1601 goto err_fill_chain_info;
1602
1603 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1604
1605 err_fill_chain_info:
1606 kfree_skb(skb2);
1607 return err;
1608 }
1609
1610 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1611 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1612 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1613 };
1614
nft_stats_alloc(const struct nlattr * attr)1615 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1616 {
1617 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1618 struct nft_stats __percpu *newstats;
1619 struct nft_stats *stats;
1620 int err;
1621
1622 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1623 nft_counter_policy, NULL);
1624 if (err < 0)
1625 return ERR_PTR(err);
1626
1627 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1628 return ERR_PTR(-EINVAL);
1629
1630 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1631 if (newstats == NULL)
1632 return ERR_PTR(-ENOMEM);
1633
1634 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1635 * are not exposed to userspace.
1636 */
1637 preempt_disable();
1638 stats = this_cpu_ptr(newstats);
1639 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1640 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1641 preempt_enable();
1642
1643 return newstats;
1644 }
1645
nft_chain_stats_replace(struct nft_trans * trans)1646 static void nft_chain_stats_replace(struct nft_trans *trans)
1647 {
1648 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1649
1650 if (!nft_trans_chain_stats(trans))
1651 return;
1652
1653 nft_trans_chain_stats(trans) =
1654 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
1655 lockdep_commit_lock_is_held(trans->ctx.net));
1656
1657 if (!nft_trans_chain_stats(trans))
1658 static_branch_inc(&nft_counters_enabled);
1659 }
1660
nf_tables_chain_free_chain_rules(struct nft_chain * chain)1661 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1662 {
1663 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1664 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1665
1666 if (g0 != g1)
1667 kvfree(g1);
1668 kvfree(g0);
1669
1670 /* should be NULL either via abort or via successful commit */
1671 WARN_ON_ONCE(chain->rules_next);
1672 kvfree(chain->rules_next);
1673 }
1674
nf_tables_chain_destroy(struct nft_ctx * ctx)1675 void nf_tables_chain_destroy(struct nft_ctx *ctx)
1676 {
1677 struct nft_chain *chain = ctx->chain;
1678 struct nft_hook *hook, *next;
1679
1680 if (WARN_ON(chain->use > 0))
1681 return;
1682
1683 /* no concurrent access possible anymore */
1684 nf_tables_chain_free_chain_rules(chain);
1685
1686 if (nft_is_base_chain(chain)) {
1687 struct nft_base_chain *basechain = nft_base_chain(chain);
1688
1689 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
1690 list_for_each_entry_safe(hook, next,
1691 &basechain->hook_list, list) {
1692 list_del_rcu(&hook->list);
1693 kfree_rcu(hook, rcu);
1694 }
1695 }
1696 module_put(basechain->type->owner);
1697 if (rcu_access_pointer(basechain->stats)) {
1698 static_branch_dec(&nft_counters_enabled);
1699 free_percpu(rcu_dereference_raw(basechain->stats));
1700 }
1701 kfree(chain->name);
1702 kfree(chain->udata);
1703 kfree(basechain);
1704 } else {
1705 kfree(chain->name);
1706 kfree(chain->udata);
1707 kfree(chain);
1708 }
1709 }
1710
nft_netdev_hook_alloc(struct net * net,const struct nlattr * attr)1711 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
1712 const struct nlattr *attr)
1713 {
1714 struct net_device *dev;
1715 char ifname[IFNAMSIZ];
1716 struct nft_hook *hook;
1717 int err;
1718
1719 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL);
1720 if (!hook) {
1721 err = -ENOMEM;
1722 goto err_hook_alloc;
1723 }
1724
1725 nla_strlcpy(ifname, attr, IFNAMSIZ);
1726 /* nf_tables_netdev_event() is called under rtnl_mutex, this is
1727 * indirectly serializing all the other holders of the commit_mutex with
1728 * the rtnl_mutex.
1729 */
1730 dev = __dev_get_by_name(net, ifname);
1731 if (!dev) {
1732 err = -ENOENT;
1733 goto err_hook_dev;
1734 }
1735 hook->ops.dev = dev;
1736 hook->inactive = false;
1737
1738 return hook;
1739
1740 err_hook_dev:
1741 kfree(hook);
1742 err_hook_alloc:
1743 return ERR_PTR(err);
1744 }
1745
nft_hook_list_find(struct list_head * hook_list,const struct nft_hook * this)1746 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
1747 const struct nft_hook *this)
1748 {
1749 struct nft_hook *hook;
1750
1751 list_for_each_entry(hook, hook_list, list) {
1752 if (this->ops.dev == hook->ops.dev)
1753 return hook;
1754 }
1755
1756 return NULL;
1757 }
1758
nf_tables_parse_netdev_hooks(struct net * net,const struct nlattr * attr,struct list_head * hook_list)1759 static int nf_tables_parse_netdev_hooks(struct net *net,
1760 const struct nlattr *attr,
1761 struct list_head *hook_list)
1762 {
1763 struct nft_hook *hook, *next;
1764 const struct nlattr *tmp;
1765 int rem, n = 0, err;
1766
1767 nla_for_each_nested(tmp, attr, rem) {
1768 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
1769 err = -EINVAL;
1770 goto err_hook;
1771 }
1772
1773 hook = nft_netdev_hook_alloc(net, tmp);
1774 if (IS_ERR(hook)) {
1775 err = PTR_ERR(hook);
1776 goto err_hook;
1777 }
1778 if (nft_hook_list_find(hook_list, hook)) {
1779 kfree(hook);
1780 err = -EEXIST;
1781 goto err_hook;
1782 }
1783 list_add_tail(&hook->list, hook_list);
1784 n++;
1785
1786 if (n == NFT_NETDEVICE_MAX) {
1787 err = -EFBIG;
1788 goto err_hook;
1789 }
1790 }
1791
1792 return 0;
1793
1794 err_hook:
1795 list_for_each_entry_safe(hook, next, hook_list, list) {
1796 list_del(&hook->list);
1797 kfree(hook);
1798 }
1799 return err;
1800 }
1801
1802 struct nft_chain_hook {
1803 u32 num;
1804 s32 priority;
1805 const struct nft_chain_type *type;
1806 struct list_head list;
1807 };
1808
nft_chain_parse_netdev(struct net * net,struct nlattr * tb[],struct list_head * hook_list)1809 static int nft_chain_parse_netdev(struct net *net,
1810 struct nlattr *tb[],
1811 struct list_head *hook_list)
1812 {
1813 struct nft_hook *hook;
1814 int err;
1815
1816 if (tb[NFTA_HOOK_DEV]) {
1817 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
1818 if (IS_ERR(hook))
1819 return PTR_ERR(hook);
1820
1821 list_add_tail(&hook->list, hook_list);
1822 } else if (tb[NFTA_HOOK_DEVS]) {
1823 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
1824 hook_list);
1825 if (err < 0)
1826 return err;
1827
1828 if (list_empty(hook_list))
1829 return -EINVAL;
1830 } else {
1831 return -EINVAL;
1832 }
1833
1834 return 0;
1835 }
1836
nft_chain_parse_hook(struct net * net,const struct nlattr * const nla[],struct nft_chain_hook * hook,u8 family,bool autoload)1837 static int nft_chain_parse_hook(struct net *net,
1838 const struct nlattr * const nla[],
1839 struct nft_chain_hook *hook, u8 family,
1840 bool autoload)
1841 {
1842 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1843 const struct nft_chain_type *type;
1844 int err;
1845
1846 lockdep_assert_held(&net->nft.commit_mutex);
1847 lockdep_nfnl_nft_mutex_not_held();
1848
1849 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
1850 nla[NFTA_CHAIN_HOOK],
1851 nft_hook_policy, NULL);
1852 if (err < 0)
1853 return err;
1854
1855 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1856 ha[NFTA_HOOK_PRIORITY] == NULL)
1857 return -EINVAL;
1858
1859 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1860 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1861
1862 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
1863 if (!type)
1864 return -EOPNOTSUPP;
1865
1866 if (nla[NFTA_CHAIN_TYPE]) {
1867 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1868 family, autoload);
1869 if (IS_ERR(type))
1870 return PTR_ERR(type);
1871 }
1872 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1873 return -EOPNOTSUPP;
1874
1875 if (type->type == NFT_CHAIN_T_NAT &&
1876 hook->priority <= NF_IP_PRI_CONNTRACK)
1877 return -EOPNOTSUPP;
1878
1879 if (!try_module_get(type->owner))
1880 return -ENOENT;
1881
1882 hook->type = type;
1883
1884 INIT_LIST_HEAD(&hook->list);
1885 if (nft_base_chain_netdev(family, hook->num)) {
1886 err = nft_chain_parse_netdev(net, ha, &hook->list);
1887 if (err < 0) {
1888 module_put(type->owner);
1889 return err;
1890 }
1891 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
1892 module_put(type->owner);
1893 return -EOPNOTSUPP;
1894 }
1895
1896 return 0;
1897 }
1898
nft_chain_release_hook(struct nft_chain_hook * hook)1899 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1900 {
1901 struct nft_hook *h, *next;
1902
1903 list_for_each_entry_safe(h, next, &hook->list, list) {
1904 list_del(&h->list);
1905 kfree(h);
1906 }
1907 module_put(hook->type->owner);
1908 }
1909
1910 struct nft_rules_old {
1911 struct rcu_head h;
1912 struct nft_rule **start;
1913 };
1914
nf_tables_chain_alloc_rules(const struct nft_chain * chain,unsigned int alloc)1915 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1916 unsigned int alloc)
1917 {
1918 if (alloc > INT_MAX)
1919 return NULL;
1920
1921 alloc += 1; /* NULL, ends rules */
1922 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1923 return NULL;
1924
1925 alloc *= sizeof(struct nft_rule *);
1926 alloc += sizeof(struct nft_rules_old);
1927
1928 return kvmalloc(alloc, GFP_KERNEL);
1929 }
1930
nft_basechain_hook_init(struct nf_hook_ops * ops,u8 family,const struct nft_chain_hook * hook,struct nft_chain * chain)1931 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
1932 const struct nft_chain_hook *hook,
1933 struct nft_chain *chain)
1934 {
1935 ops->pf = family;
1936 ops->hooknum = hook->num;
1937 ops->priority = hook->priority;
1938 ops->priv = chain;
1939 ops->hook = hook->type->hooks[ops->hooknum];
1940 }
1941
nft_basechain_init(struct nft_base_chain * basechain,u8 family,struct nft_chain_hook * hook,u32 flags)1942 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
1943 struct nft_chain_hook *hook, u32 flags)
1944 {
1945 struct nft_chain *chain;
1946 struct nft_hook *h;
1947
1948 basechain->type = hook->type;
1949 INIT_LIST_HEAD(&basechain->hook_list);
1950 chain = &basechain->chain;
1951
1952 if (nft_base_chain_netdev(family, hook->num)) {
1953 list_splice_init(&hook->list, &basechain->hook_list);
1954 list_for_each_entry(h, &basechain->hook_list, list)
1955 nft_basechain_hook_init(&h->ops, family, hook, chain);
1956
1957 basechain->ops.hooknum = hook->num;
1958 basechain->ops.priority = hook->priority;
1959 } else {
1960 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
1961 }
1962
1963 chain->flags |= NFT_CHAIN_BASE | flags;
1964 basechain->policy = NF_ACCEPT;
1965 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
1966 nft_chain_offload_priority(basechain) < 0)
1967 return -EOPNOTSUPP;
1968
1969 flow_block_init(&basechain->flow_block);
1970
1971 return 0;
1972 }
1973
nft_chain_add(struct nft_table * table,struct nft_chain * chain)1974 static int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
1975 {
1976 int err;
1977
1978 err = rhltable_insert_key(&table->chains_ht, chain->name,
1979 &chain->rhlhead, nft_chain_ht_params);
1980 if (err)
1981 return err;
1982
1983 list_add_tail_rcu(&chain->list, &table->chains);
1984
1985 return 0;
1986 }
1987
1988 static u64 chain_id;
1989
nf_tables_addchain(struct nft_ctx * ctx,u8 family,u8 genmask,u8 policy,u32 flags)1990 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1991 u8 policy, u32 flags)
1992 {
1993 const struct nlattr * const *nla = ctx->nla;
1994 struct nft_table *table = ctx->table;
1995 struct nft_base_chain *basechain;
1996 struct nft_stats __percpu *stats;
1997 struct net *net = ctx->net;
1998 char name[NFT_NAME_MAXLEN];
1999 struct nft_trans *trans;
2000 struct nft_chain *chain;
2001 struct nft_rule **rules;
2002 int err;
2003
2004 if (table->use == UINT_MAX)
2005 return -EOVERFLOW;
2006
2007 if (nla[NFTA_CHAIN_HOOK]) {
2008 struct nft_chain_hook hook;
2009
2010 if (flags & NFT_CHAIN_BINDING)
2011 return -EOPNOTSUPP;
2012
2013 err = nft_chain_parse_hook(net, nla, &hook, family, true);
2014 if (err < 0)
2015 return err;
2016
2017 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
2018 if (basechain == NULL) {
2019 nft_chain_release_hook(&hook);
2020 return -ENOMEM;
2021 }
2022 chain = &basechain->chain;
2023
2024 if (nla[NFTA_CHAIN_COUNTERS]) {
2025 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2026 if (IS_ERR(stats)) {
2027 nft_chain_release_hook(&hook);
2028 kfree(basechain);
2029 return PTR_ERR(stats);
2030 }
2031 rcu_assign_pointer(basechain->stats, stats);
2032 static_branch_inc(&nft_counters_enabled);
2033 }
2034
2035 err = nft_basechain_init(basechain, family, &hook, flags);
2036 if (err < 0) {
2037 nft_chain_release_hook(&hook);
2038 kfree(basechain);
2039 return err;
2040 }
2041 } else {
2042 if (flags & NFT_CHAIN_BASE)
2043 return -EINVAL;
2044 if (flags & NFT_CHAIN_HW_OFFLOAD)
2045 return -EOPNOTSUPP;
2046
2047 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
2048 if (chain == NULL)
2049 return -ENOMEM;
2050
2051 chain->flags = flags;
2052 }
2053 ctx->chain = chain;
2054
2055 INIT_LIST_HEAD(&chain->rules);
2056 chain->handle = nf_tables_alloc_handle(table);
2057 chain->table = table;
2058
2059 if (nla[NFTA_CHAIN_NAME]) {
2060 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2061 } else {
2062 if (!(flags & NFT_CHAIN_BINDING)) {
2063 err = -EINVAL;
2064 goto err_destroy_chain;
2065 }
2066
2067 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2068 chain->name = kstrdup(name, GFP_KERNEL);
2069 }
2070
2071 if (!chain->name) {
2072 err = -ENOMEM;
2073 goto err_destroy_chain;
2074 }
2075
2076 if (nla[NFTA_CHAIN_USERDATA]) {
2077 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL);
2078 if (chain->udata == NULL) {
2079 err = -ENOMEM;
2080 goto err_destroy_chain;
2081 }
2082 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
2083 }
2084
2085 rules = nf_tables_chain_alloc_rules(chain, 0);
2086 if (!rules) {
2087 err = -ENOMEM;
2088 goto err_destroy_chain;
2089 }
2090
2091 *rules = NULL;
2092 rcu_assign_pointer(chain->rules_gen_0, rules);
2093 rcu_assign_pointer(chain->rules_gen_1, rules);
2094
2095 err = nf_tables_register_hook(net, table, chain);
2096 if (err < 0)
2097 goto err_destroy_chain;
2098
2099 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2100 if (IS_ERR(trans)) {
2101 err = PTR_ERR(trans);
2102 goto err_unregister_hook;
2103 }
2104
2105 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2106 if (nft_is_base_chain(chain))
2107 nft_trans_chain_policy(trans) = policy;
2108
2109 err = nft_chain_add(table, chain);
2110 if (err < 0) {
2111 nft_trans_destroy(trans);
2112 goto err_unregister_hook;
2113 }
2114
2115 table->use++;
2116
2117 return 0;
2118 err_unregister_hook:
2119 nf_tables_unregister_hook(net, table, chain);
2120 err_destroy_chain:
2121 nf_tables_chain_destroy(ctx);
2122
2123 return err;
2124 }
2125
nft_hook_list_equal(struct list_head * hook_list1,struct list_head * hook_list2)2126 static bool nft_hook_list_equal(struct list_head *hook_list1,
2127 struct list_head *hook_list2)
2128 {
2129 struct nft_hook *hook;
2130 int n = 0, m = 0;
2131
2132 n = 0;
2133 list_for_each_entry(hook, hook_list2, list) {
2134 if (!nft_hook_list_find(hook_list1, hook))
2135 return false;
2136
2137 n++;
2138 }
2139 list_for_each_entry(hook, hook_list1, list)
2140 m++;
2141
2142 return n == m;
2143 }
2144
nf_tables_updchain(struct nft_ctx * ctx,u8 genmask,u8 policy,u32 flags,const struct nlattr * attr,struct netlink_ext_ack * extack)2145 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2146 u32 flags, const struct nlattr *attr,
2147 struct netlink_ext_ack *extack)
2148 {
2149 const struct nlattr * const *nla = ctx->nla;
2150 struct nft_table *table = ctx->table;
2151 struct nft_chain *chain = ctx->chain;
2152 struct nft_base_chain *basechain;
2153 struct nft_stats *stats = NULL;
2154 struct nft_chain_hook hook;
2155 struct nf_hook_ops *ops;
2156 struct nft_trans *trans;
2157 int err;
2158
2159 if (chain->flags ^ flags)
2160 return -EOPNOTSUPP;
2161
2162 if (nla[NFTA_CHAIN_HOOK]) {
2163 if (!nft_is_base_chain(chain)) {
2164 NL_SET_BAD_ATTR(extack, attr);
2165 return -EEXIST;
2166 }
2167 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
2168 false);
2169 if (err < 0)
2170 return err;
2171
2172 basechain = nft_base_chain(chain);
2173 if (basechain->type != hook.type) {
2174 nft_chain_release_hook(&hook);
2175 NL_SET_BAD_ATTR(extack, attr);
2176 return -EEXIST;
2177 }
2178
2179 if (nft_base_chain_netdev(ctx->family, hook.num)) {
2180 if (!nft_hook_list_equal(&basechain->hook_list,
2181 &hook.list)) {
2182 nft_chain_release_hook(&hook);
2183 NL_SET_BAD_ATTR(extack, attr);
2184 return -EEXIST;
2185 }
2186 } else {
2187 ops = &basechain->ops;
2188 if (ops->hooknum != hook.num ||
2189 ops->priority != hook.priority) {
2190 nft_chain_release_hook(&hook);
2191 NL_SET_BAD_ATTR(extack, attr);
2192 return -EEXIST;
2193 }
2194 }
2195 nft_chain_release_hook(&hook);
2196 }
2197
2198 if (nla[NFTA_CHAIN_HANDLE] &&
2199 nla[NFTA_CHAIN_NAME]) {
2200 struct nft_chain *chain2;
2201
2202 chain2 = nft_chain_lookup(ctx->net, table,
2203 nla[NFTA_CHAIN_NAME], genmask);
2204 if (!IS_ERR(chain2)) {
2205 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2206 return -EEXIST;
2207 }
2208 }
2209
2210 if (nla[NFTA_CHAIN_COUNTERS]) {
2211 if (!nft_is_base_chain(chain))
2212 return -EOPNOTSUPP;
2213
2214 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2215 if (IS_ERR(stats))
2216 return PTR_ERR(stats);
2217 }
2218
2219 err = -ENOMEM;
2220 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2221 sizeof(struct nft_trans_chain));
2222 if (trans == NULL)
2223 goto err;
2224
2225 nft_trans_chain_stats(trans) = stats;
2226 nft_trans_chain_update(trans) = true;
2227
2228 if (nla[NFTA_CHAIN_POLICY])
2229 nft_trans_chain_policy(trans) = policy;
2230 else
2231 nft_trans_chain_policy(trans) = -1;
2232
2233 if (nla[NFTA_CHAIN_HANDLE] &&
2234 nla[NFTA_CHAIN_NAME]) {
2235 struct nft_trans *tmp;
2236 char *name;
2237
2238 err = -ENOMEM;
2239 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2240 if (!name)
2241 goto err;
2242
2243 err = -EEXIST;
2244 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
2245 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2246 tmp->ctx.table == table &&
2247 nft_trans_chain_update(tmp) &&
2248 nft_trans_chain_name(tmp) &&
2249 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2250 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2251 kfree(name);
2252 goto err;
2253 }
2254 }
2255
2256 nft_trans_chain_name(trans) = name;
2257 }
2258 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
2259
2260 return 0;
2261 err:
2262 free_percpu(stats);
2263 kfree(trans);
2264 return err;
2265 }
2266
nft_chain_lookup_byid(const struct net * net,const struct nlattr * nla)2267 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2268 const struct nlattr *nla)
2269 {
2270 u32 id = ntohl(nla_get_be32(nla));
2271 struct nft_trans *trans;
2272
2273 list_for_each_entry(trans, &net->nft.commit_list, list) {
2274 struct nft_chain *chain = trans->ctx.chain;
2275
2276 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2277 id == nft_trans_chain_id(trans))
2278 return chain;
2279 }
2280 return ERR_PTR(-ENOENT);
2281 }
2282
nf_tables_newchain(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)2283 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
2284 struct sk_buff *skb, const struct nlmsghdr *nlh,
2285 const struct nlattr * const nla[],
2286 struct netlink_ext_ack *extack)
2287 {
2288 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2289 u8 genmask = nft_genmask_next(net);
2290 int family = nfmsg->nfgen_family;
2291 struct nft_chain *chain = NULL;
2292 const struct nlattr *attr;
2293 struct nft_table *table;
2294 u8 policy = NF_ACCEPT;
2295 struct nft_ctx ctx;
2296 u64 handle = 0;
2297 u32 flags = 0;
2298
2299 lockdep_assert_held(&net->nft.commit_mutex);
2300
2301 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
2302 if (IS_ERR(table)) {
2303 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2304 return PTR_ERR(table);
2305 }
2306
2307 chain = NULL;
2308 attr = nla[NFTA_CHAIN_NAME];
2309
2310 if (nla[NFTA_CHAIN_HANDLE]) {
2311 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2312 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2313 if (IS_ERR(chain)) {
2314 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2315 return PTR_ERR(chain);
2316 }
2317 attr = nla[NFTA_CHAIN_HANDLE];
2318 } else if (nla[NFTA_CHAIN_NAME]) {
2319 chain = nft_chain_lookup(net, table, attr, genmask);
2320 if (IS_ERR(chain)) {
2321 if (PTR_ERR(chain) != -ENOENT) {
2322 NL_SET_BAD_ATTR(extack, attr);
2323 return PTR_ERR(chain);
2324 }
2325 chain = NULL;
2326 }
2327 } else if (!nla[NFTA_CHAIN_ID]) {
2328 return -EINVAL;
2329 }
2330
2331 if (nla[NFTA_CHAIN_POLICY]) {
2332 if (chain != NULL &&
2333 !nft_is_base_chain(chain)) {
2334 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2335 return -EOPNOTSUPP;
2336 }
2337
2338 if (chain == NULL &&
2339 nla[NFTA_CHAIN_HOOK] == NULL) {
2340 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2341 return -EOPNOTSUPP;
2342 }
2343
2344 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2345 switch (policy) {
2346 case NF_DROP:
2347 case NF_ACCEPT:
2348 break;
2349 default:
2350 return -EINVAL;
2351 }
2352 }
2353
2354 if (nla[NFTA_CHAIN_FLAGS])
2355 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2356 else if (chain)
2357 flags = chain->flags;
2358
2359 if (flags & ~NFT_CHAIN_FLAGS)
2360 return -EOPNOTSUPP;
2361
2362 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2363
2364 if (chain != NULL) {
2365 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2366 NL_SET_BAD_ATTR(extack, attr);
2367 return -EEXIST;
2368 }
2369 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2370 return -EOPNOTSUPP;
2371
2372 flags |= chain->flags & NFT_CHAIN_BASE;
2373 return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
2374 extack);
2375 }
2376
2377 return nf_tables_addchain(&ctx, family, genmask, policy, flags);
2378 }
2379
nf_tables_delchain(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)2380 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
2381 struct sk_buff *skb, const struct nlmsghdr *nlh,
2382 const struct nlattr * const nla[],
2383 struct netlink_ext_ack *extack)
2384 {
2385 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2386 u8 genmask = nft_genmask_next(net);
2387 int family = nfmsg->nfgen_family;
2388 const struct nlattr *attr;
2389 struct nft_table *table;
2390 struct nft_chain *chain;
2391 struct nft_rule *rule;
2392 struct nft_ctx ctx;
2393 u64 handle;
2394 u32 use;
2395 int err;
2396
2397 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
2398 if (IS_ERR(table)) {
2399 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2400 return PTR_ERR(table);
2401 }
2402
2403 if (nla[NFTA_CHAIN_HANDLE]) {
2404 attr = nla[NFTA_CHAIN_HANDLE];
2405 handle = be64_to_cpu(nla_get_be64(attr));
2406 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2407 } else {
2408 attr = nla[NFTA_CHAIN_NAME];
2409 chain = nft_chain_lookup(net, table, attr, genmask);
2410 }
2411 if (IS_ERR(chain)) {
2412 NL_SET_BAD_ATTR(extack, attr);
2413 return PTR_ERR(chain);
2414 }
2415
2416 if (nlh->nlmsg_flags & NLM_F_NONREC &&
2417 chain->use > 0)
2418 return -EBUSY;
2419
2420 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2421
2422 use = chain->use;
2423 list_for_each_entry(rule, &chain->rules, list) {
2424 if (!nft_is_active_next(net, rule))
2425 continue;
2426 use--;
2427
2428 err = nft_delrule(&ctx, rule);
2429 if (err < 0)
2430 return err;
2431 }
2432
2433 /* There are rules and elements that are still holding references to us,
2434 * we cannot do a recursive removal in this case.
2435 */
2436 if (use > 0) {
2437 NL_SET_BAD_ATTR(extack, attr);
2438 return -EBUSY;
2439 }
2440
2441 return nft_delchain(&ctx);
2442 }
2443
2444 /*
2445 * Expressions
2446 */
2447
2448 /**
2449 * nft_register_expr - register nf_tables expr type
2450 * @type: expr type
2451 *
2452 * Registers the expr type for use with nf_tables. Returns zero on
2453 * success or a negative errno code otherwise.
2454 */
nft_register_expr(struct nft_expr_type * type)2455 int nft_register_expr(struct nft_expr_type *type)
2456 {
2457 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2458 if (type->family == NFPROTO_UNSPEC)
2459 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2460 else
2461 list_add_rcu(&type->list, &nf_tables_expressions);
2462 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2463 return 0;
2464 }
2465 EXPORT_SYMBOL_GPL(nft_register_expr);
2466
2467 /**
2468 * nft_unregister_expr - unregister nf_tables expr type
2469 * @type: expr type
2470 *
2471 * Unregisters the expr typefor use with nf_tables.
2472 */
nft_unregister_expr(struct nft_expr_type * type)2473 void nft_unregister_expr(struct nft_expr_type *type)
2474 {
2475 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2476 list_del_rcu(&type->list);
2477 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2478 }
2479 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2480
__nft_expr_type_get(u8 family,struct nlattr * nla)2481 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2482 struct nlattr *nla)
2483 {
2484 const struct nft_expr_type *type, *candidate = NULL;
2485
2486 list_for_each_entry(type, &nf_tables_expressions, list) {
2487 if (!nla_strcmp(nla, type->name)) {
2488 if (!type->family && !candidate)
2489 candidate = type;
2490 else if (type->family == family)
2491 candidate = type;
2492 }
2493 }
2494 return candidate;
2495 }
2496
2497 #ifdef CONFIG_MODULES
nft_expr_type_request_module(struct net * net,u8 family,struct nlattr * nla)2498 static int nft_expr_type_request_module(struct net *net, u8 family,
2499 struct nlattr *nla)
2500 {
2501 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
2502 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
2503 return -EAGAIN;
2504
2505 return 0;
2506 }
2507 #endif
2508
nft_expr_type_get(struct net * net,u8 family,struct nlattr * nla)2509 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2510 u8 family,
2511 struct nlattr *nla)
2512 {
2513 const struct nft_expr_type *type;
2514
2515 if (nla == NULL)
2516 return ERR_PTR(-EINVAL);
2517
2518 type = __nft_expr_type_get(family, nla);
2519 if (type != NULL && try_module_get(type->owner))
2520 return type;
2521
2522 lockdep_nfnl_nft_mutex_not_held();
2523 #ifdef CONFIG_MODULES
2524 if (type == NULL) {
2525 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2526 return ERR_PTR(-EAGAIN);
2527
2528 if (nft_request_module(net, "nft-expr-%.*s",
2529 nla_len(nla),
2530 (char *)nla_data(nla)) == -EAGAIN)
2531 return ERR_PTR(-EAGAIN);
2532 }
2533 #endif
2534 return ERR_PTR(-ENOENT);
2535 }
2536
2537 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2538 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
2539 .len = NFT_MODULE_AUTOLOAD_LIMIT },
2540 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2541 };
2542
nf_tables_fill_expr_info(struct sk_buff * skb,const struct nft_expr * expr)2543 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2544 const struct nft_expr *expr)
2545 {
2546 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2547 goto nla_put_failure;
2548
2549 if (expr->ops->dump) {
2550 struct nlattr *data = nla_nest_start_noflag(skb,
2551 NFTA_EXPR_DATA);
2552 if (data == NULL)
2553 goto nla_put_failure;
2554 if (expr->ops->dump(skb, expr) < 0)
2555 goto nla_put_failure;
2556 nla_nest_end(skb, data);
2557 }
2558
2559 return skb->len;
2560
2561 nla_put_failure:
2562 return -1;
2563 };
2564
nft_expr_dump(struct sk_buff * skb,unsigned int attr,const struct nft_expr * expr)2565 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2566 const struct nft_expr *expr)
2567 {
2568 struct nlattr *nest;
2569
2570 nest = nla_nest_start_noflag(skb, attr);
2571 if (!nest)
2572 goto nla_put_failure;
2573 if (nf_tables_fill_expr_info(skb, expr) < 0)
2574 goto nla_put_failure;
2575 nla_nest_end(skb, nest);
2576 return 0;
2577
2578 nla_put_failure:
2579 return -1;
2580 }
2581
2582 struct nft_expr_info {
2583 const struct nft_expr_ops *ops;
2584 const struct nlattr *attr;
2585 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2586 };
2587
nf_tables_expr_parse(const struct nft_ctx * ctx,const struct nlattr * nla,struct nft_expr_info * info)2588 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2589 const struct nlattr *nla,
2590 struct nft_expr_info *info)
2591 {
2592 const struct nft_expr_type *type;
2593 const struct nft_expr_ops *ops;
2594 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2595 int err;
2596
2597 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2598 nft_expr_policy, NULL);
2599 if (err < 0)
2600 return err;
2601
2602 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2603 if (IS_ERR(type))
2604 return PTR_ERR(type);
2605
2606 if (tb[NFTA_EXPR_DATA]) {
2607 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2608 tb[NFTA_EXPR_DATA],
2609 type->policy, NULL);
2610 if (err < 0)
2611 goto err1;
2612 } else
2613 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2614
2615 if (type->select_ops != NULL) {
2616 ops = type->select_ops(ctx,
2617 (const struct nlattr * const *)info->tb);
2618 if (IS_ERR(ops)) {
2619 err = PTR_ERR(ops);
2620 #ifdef CONFIG_MODULES
2621 if (err == -EAGAIN)
2622 if (nft_expr_type_request_module(ctx->net,
2623 ctx->family,
2624 tb[NFTA_EXPR_NAME]) != -EAGAIN)
2625 err = -ENOENT;
2626 #endif
2627 goto err1;
2628 }
2629 } else
2630 ops = type->ops;
2631
2632 info->attr = nla;
2633 info->ops = ops;
2634
2635 return 0;
2636
2637 err1:
2638 module_put(type->owner);
2639 return err;
2640 }
2641
nf_tables_newexpr(const struct nft_ctx * ctx,const struct nft_expr_info * info,struct nft_expr * expr)2642 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2643 const struct nft_expr_info *info,
2644 struct nft_expr *expr)
2645 {
2646 const struct nft_expr_ops *ops = info->ops;
2647 int err;
2648
2649 expr->ops = ops;
2650 if (ops->init) {
2651 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2652 if (err < 0)
2653 goto err1;
2654 }
2655
2656 return 0;
2657 err1:
2658 expr->ops = NULL;
2659 return err;
2660 }
2661
nf_tables_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)2662 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2663 struct nft_expr *expr)
2664 {
2665 const struct nft_expr_type *type = expr->ops->type;
2666
2667 if (expr->ops->destroy)
2668 expr->ops->destroy(ctx, expr);
2669 module_put(type->owner);
2670 }
2671
nft_expr_init(const struct nft_ctx * ctx,const struct nlattr * nla)2672 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2673 const struct nlattr *nla)
2674 {
2675 struct nft_expr_info info;
2676 struct nft_expr *expr;
2677 struct module *owner;
2678 int err;
2679
2680 err = nf_tables_expr_parse(ctx, nla, &info);
2681 if (err < 0)
2682 goto err1;
2683
2684 err = -ENOMEM;
2685 expr = kzalloc(info.ops->size, GFP_KERNEL);
2686 if (expr == NULL)
2687 goto err2;
2688
2689 err = nf_tables_newexpr(ctx, &info, expr);
2690 if (err < 0)
2691 goto err3;
2692
2693 return expr;
2694 err3:
2695 kfree(expr);
2696 err2:
2697 owner = info.ops->type->owner;
2698 if (info.ops->type->release_ops)
2699 info.ops->type->release_ops(info.ops);
2700
2701 module_put(owner);
2702 err1:
2703 return ERR_PTR(err);
2704 }
2705
nft_expr_clone(struct nft_expr * dst,struct nft_expr * src)2706 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
2707 {
2708 int err;
2709
2710 if (src->ops->clone) {
2711 dst->ops = src->ops;
2712 err = src->ops->clone(dst, src);
2713 if (err < 0)
2714 return err;
2715 } else {
2716 memcpy(dst, src, src->ops->size);
2717 }
2718
2719 __module_get(src->ops->type->owner);
2720
2721 return 0;
2722 }
2723
nft_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)2724 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2725 {
2726 nf_tables_expr_destroy(ctx, expr);
2727 kfree(expr);
2728 }
2729
2730 /*
2731 * Rules
2732 */
2733
__nft_rule_lookup(const struct nft_chain * chain,u64 handle)2734 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2735 u64 handle)
2736 {
2737 struct nft_rule *rule;
2738
2739 // FIXME: this sucks
2740 list_for_each_entry_rcu(rule, &chain->rules, list) {
2741 if (handle == rule->handle)
2742 return rule;
2743 }
2744
2745 return ERR_PTR(-ENOENT);
2746 }
2747
nft_rule_lookup(const struct nft_chain * chain,const struct nlattr * nla)2748 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2749 const struct nlattr *nla)
2750 {
2751 if (nla == NULL)
2752 return ERR_PTR(-EINVAL);
2753
2754 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2755 }
2756
2757 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2758 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2759 .len = NFT_TABLE_MAXNAMELEN - 1 },
2760 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2761 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2762 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2763 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2764 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2765 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2766 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2767 .len = NFT_USERDATA_MAXLEN },
2768 [NFTA_RULE_ID] = { .type = NLA_U32 },
2769 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2770 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
2771 };
2772
nf_tables_fill_rule_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,const struct nft_chain * chain,const struct nft_rule * rule,const struct nft_rule * prule)2773 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2774 u32 portid, u32 seq, int event,
2775 u32 flags, int family,
2776 const struct nft_table *table,
2777 const struct nft_chain *chain,
2778 const struct nft_rule *rule,
2779 const struct nft_rule *prule)
2780 {
2781 struct nlmsghdr *nlh;
2782 struct nfgenmsg *nfmsg;
2783 const struct nft_expr *expr, *next;
2784 struct nlattr *list;
2785 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2786
2787 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2788 if (nlh == NULL)
2789 goto nla_put_failure;
2790
2791 nfmsg = nlmsg_data(nlh);
2792 nfmsg->nfgen_family = family;
2793 nfmsg->version = NFNETLINK_V0;
2794 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2795
2796 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2797 goto nla_put_failure;
2798 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2799 goto nla_put_failure;
2800 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2801 NFTA_RULE_PAD))
2802 goto nla_put_failure;
2803
2804 if (event != NFT_MSG_DELRULE && prule) {
2805 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2806 cpu_to_be64(prule->handle),
2807 NFTA_RULE_PAD))
2808 goto nla_put_failure;
2809 }
2810
2811 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
2812 if (list == NULL)
2813 goto nla_put_failure;
2814 nft_rule_for_each_expr(expr, next, rule) {
2815 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2816 goto nla_put_failure;
2817 }
2818 nla_nest_end(skb, list);
2819
2820 if (rule->udata) {
2821 struct nft_userdata *udata = nft_userdata(rule);
2822 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2823 udata->data) < 0)
2824 goto nla_put_failure;
2825 }
2826
2827 nlmsg_end(skb, nlh);
2828 return 0;
2829
2830 nla_put_failure:
2831 nlmsg_trim(skb, nlh);
2832 return -1;
2833 }
2834
nf_tables_rule_notify(const struct nft_ctx * ctx,const struct nft_rule * rule,int event)2835 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2836 const struct nft_rule *rule, int event)
2837 {
2838 struct sk_buff *skb;
2839 int err;
2840 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
2841 ctx->table->name, ctx->table->handle,
2842 ctx->chain->name, ctx->chain->handle);
2843
2844 audit_log_nfcfg(buf,
2845 ctx->family,
2846 rule->handle,
2847 event == NFT_MSG_NEWRULE ?
2848 AUDIT_NFT_OP_RULE_REGISTER :
2849 AUDIT_NFT_OP_RULE_UNREGISTER,
2850 GFP_KERNEL);
2851 kfree(buf);
2852
2853 if (!ctx->report &&
2854 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2855 return;
2856
2857 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2858 if (skb == NULL)
2859 goto err;
2860
2861 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2862 event, 0, ctx->family, ctx->table,
2863 ctx->chain, rule, NULL);
2864 if (err < 0) {
2865 kfree_skb(skb);
2866 goto err;
2867 }
2868
2869 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
2870 return;
2871 err:
2872 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2873 }
2874
2875 struct nft_rule_dump_ctx {
2876 char *table;
2877 char *chain;
2878 };
2879
__nf_tables_dump_rules(struct sk_buff * skb,unsigned int * idx,struct netlink_callback * cb,const struct nft_table * table,const struct nft_chain * chain)2880 static int __nf_tables_dump_rules(struct sk_buff *skb,
2881 unsigned int *idx,
2882 struct netlink_callback *cb,
2883 const struct nft_table *table,
2884 const struct nft_chain *chain)
2885 {
2886 struct net *net = sock_net(skb->sk);
2887 const struct nft_rule *rule, *prule;
2888 unsigned int s_idx = cb->args[0];
2889
2890 prule = NULL;
2891 list_for_each_entry_rcu(rule, &chain->rules, list) {
2892 if (!nft_is_active(net, rule))
2893 goto cont_skip;
2894 if (*idx < s_idx)
2895 goto cont;
2896 if (*idx > s_idx) {
2897 memset(&cb->args[1], 0,
2898 sizeof(cb->args) - sizeof(cb->args[0]));
2899 }
2900 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2901 cb->nlh->nlmsg_seq,
2902 NFT_MSG_NEWRULE,
2903 NLM_F_MULTI | NLM_F_APPEND,
2904 table->family,
2905 table, chain, rule, prule) < 0)
2906 return 1;
2907
2908 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2909 cont:
2910 prule = rule;
2911 cont_skip:
2912 (*idx)++;
2913 }
2914 return 0;
2915 }
2916
nf_tables_dump_rules(struct sk_buff * skb,struct netlink_callback * cb)2917 static int nf_tables_dump_rules(struct sk_buff *skb,
2918 struct netlink_callback *cb)
2919 {
2920 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2921 const struct nft_rule_dump_ctx *ctx = cb->data;
2922 struct nft_table *table;
2923 const struct nft_chain *chain;
2924 unsigned int idx = 0;
2925 struct net *net = sock_net(skb->sk);
2926 int family = nfmsg->nfgen_family;
2927
2928 rcu_read_lock();
2929 cb->seq = net->nft.base_seq;
2930
2931 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2932 if (family != NFPROTO_UNSPEC && family != table->family)
2933 continue;
2934
2935 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2936 continue;
2937
2938 if (ctx && ctx->table && ctx->chain) {
2939 struct rhlist_head *list, *tmp;
2940
2941 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2942 nft_chain_ht_params);
2943 if (!list)
2944 goto done;
2945
2946 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2947 if (!nft_is_active(net, chain))
2948 continue;
2949 __nf_tables_dump_rules(skb, &idx,
2950 cb, table, chain);
2951 break;
2952 }
2953 goto done;
2954 }
2955
2956 list_for_each_entry_rcu(chain, &table->chains, list) {
2957 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2958 goto done;
2959 }
2960
2961 if (ctx && ctx->table)
2962 break;
2963 }
2964 done:
2965 rcu_read_unlock();
2966
2967 cb->args[0] = idx;
2968 return skb->len;
2969 }
2970
nf_tables_dump_rules_start(struct netlink_callback * cb)2971 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2972 {
2973 const struct nlattr * const *nla = cb->data;
2974 struct nft_rule_dump_ctx *ctx = NULL;
2975
2976 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2977 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2978 if (!ctx)
2979 return -ENOMEM;
2980
2981 if (nla[NFTA_RULE_TABLE]) {
2982 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2983 GFP_ATOMIC);
2984 if (!ctx->table) {
2985 kfree(ctx);
2986 return -ENOMEM;
2987 }
2988 }
2989 if (nla[NFTA_RULE_CHAIN]) {
2990 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2991 GFP_ATOMIC);
2992 if (!ctx->chain) {
2993 kfree(ctx->table);
2994 kfree(ctx);
2995 return -ENOMEM;
2996 }
2997 }
2998 }
2999
3000 cb->data = ctx;
3001 return 0;
3002 }
3003
nf_tables_dump_rules_done(struct netlink_callback * cb)3004 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3005 {
3006 struct nft_rule_dump_ctx *ctx = cb->data;
3007
3008 if (ctx) {
3009 kfree(ctx->table);
3010 kfree(ctx->chain);
3011 kfree(ctx);
3012 }
3013 return 0;
3014 }
3015
3016 /* called with rcu_read_lock held */
nf_tables_getrule(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)3017 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
3018 struct sk_buff *skb, const struct nlmsghdr *nlh,
3019 const struct nlattr * const nla[],
3020 struct netlink_ext_ack *extack)
3021 {
3022 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3023 u8 genmask = nft_genmask_cur(net);
3024 const struct nft_chain *chain;
3025 const struct nft_rule *rule;
3026 struct nft_table *table;
3027 struct sk_buff *skb2;
3028 int family = nfmsg->nfgen_family;
3029 int err;
3030
3031 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3032 struct netlink_dump_control c = {
3033 .start= nf_tables_dump_rules_start,
3034 .dump = nf_tables_dump_rules,
3035 .done = nf_tables_dump_rules_done,
3036 .module = THIS_MODULE,
3037 .data = (void *)nla,
3038 };
3039
3040 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3041 }
3042
3043 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
3044 if (IS_ERR(table)) {
3045 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3046 return PTR_ERR(table);
3047 }
3048
3049 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3050 if (IS_ERR(chain)) {
3051 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3052 return PTR_ERR(chain);
3053 }
3054
3055 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3056 if (IS_ERR(rule)) {
3057 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3058 return PTR_ERR(rule);
3059 }
3060
3061 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3062 if (!skb2)
3063 return -ENOMEM;
3064
3065 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
3066 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3067 family, table, chain, rule, NULL);
3068 if (err < 0)
3069 goto err_fill_rule_info;
3070
3071 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
3072
3073 err_fill_rule_info:
3074 kfree_skb(skb2);
3075 return err;
3076 }
3077
nf_tables_rule_destroy(const struct nft_ctx * ctx,struct nft_rule * rule)3078 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
3079 struct nft_rule *rule)
3080 {
3081 struct nft_expr *expr, *next;
3082
3083 /*
3084 * Careful: some expressions might not be initialized in case this
3085 * is called on error from nf_tables_newrule().
3086 */
3087 expr = nft_expr_first(rule);
3088 while (nft_expr_more(rule, expr)) {
3089 next = nft_expr_next(expr);
3090 nf_tables_expr_destroy(ctx, expr);
3091 expr = next;
3092 }
3093 kfree(rule);
3094 }
3095
nf_tables_rule_release(const struct nft_ctx * ctx,struct nft_rule * rule)3096 void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3097 {
3098 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
3099 nf_tables_rule_destroy(ctx, rule);
3100 }
3101
nft_chain_validate(const struct nft_ctx * ctx,const struct nft_chain * chain)3102 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
3103 {
3104 struct nft_expr *expr, *last;
3105 const struct nft_data *data;
3106 struct nft_rule *rule;
3107 int err;
3108
3109 if (ctx->level == NFT_JUMP_STACK_SIZE)
3110 return -EMLINK;
3111
3112 list_for_each_entry(rule, &chain->rules, list) {
3113 if (!nft_is_active_next(ctx->net, rule))
3114 continue;
3115
3116 nft_rule_for_each_expr(expr, last, rule) {
3117 if (!expr->ops->validate)
3118 continue;
3119
3120 err = expr->ops->validate(ctx, expr, &data);
3121 if (err < 0)
3122 return err;
3123 }
3124 }
3125
3126 return 0;
3127 }
3128 EXPORT_SYMBOL_GPL(nft_chain_validate);
3129
nft_table_validate(struct net * net,const struct nft_table * table)3130 static int nft_table_validate(struct net *net, const struct nft_table *table)
3131 {
3132 struct nft_chain *chain;
3133 struct nft_ctx ctx = {
3134 .net = net,
3135 .family = table->family,
3136 };
3137 int err;
3138
3139 list_for_each_entry(chain, &table->chains, list) {
3140 if (!nft_is_base_chain(chain))
3141 continue;
3142
3143 ctx.chain = chain;
3144 err = nft_chain_validate(&ctx, chain);
3145 if (err < 0)
3146 return err;
3147 }
3148
3149 return 0;
3150 }
3151
3152 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3153 const struct nlattr *nla);
3154
3155 #define NFT_RULE_MAXEXPRS 128
3156
nf_tables_newrule(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)3157 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
3158 struct sk_buff *skb, const struct nlmsghdr *nlh,
3159 const struct nlattr * const nla[],
3160 struct netlink_ext_ack *extack)
3161 {
3162 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3163 u8 genmask = nft_genmask_next(net);
3164 struct nft_expr_info *info = NULL;
3165 int family = nfmsg->nfgen_family;
3166 struct nft_flow_rule *flow;
3167 struct nft_table *table;
3168 struct nft_chain *chain;
3169 struct nft_rule *rule, *old_rule = NULL;
3170 struct nft_userdata *udata;
3171 struct nft_trans *trans = NULL;
3172 struct nft_expr *expr;
3173 struct nft_ctx ctx;
3174 struct nlattr *tmp;
3175 unsigned int size, i, n, ulen = 0, usize = 0;
3176 int err, rem;
3177 u64 handle, pos_handle;
3178
3179 lockdep_assert_held(&net->nft.commit_mutex);
3180
3181 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
3182 if (IS_ERR(table)) {
3183 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3184 return PTR_ERR(table);
3185 }
3186
3187 if (nla[NFTA_RULE_CHAIN]) {
3188 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3189 genmask);
3190 if (IS_ERR(chain)) {
3191 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3192 return PTR_ERR(chain);
3193 }
3194 if (nft_chain_is_bound(chain))
3195 return -EOPNOTSUPP;
3196
3197 } else if (nla[NFTA_RULE_CHAIN_ID]) {
3198 chain = nft_chain_lookup_byid(net, nla[NFTA_RULE_CHAIN_ID]);
3199 if (IS_ERR(chain)) {
3200 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
3201 return PTR_ERR(chain);
3202 }
3203 } else {
3204 return -EINVAL;
3205 }
3206
3207 if (nla[NFTA_RULE_HANDLE]) {
3208 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3209 rule = __nft_rule_lookup(chain, handle);
3210 if (IS_ERR(rule)) {
3211 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3212 return PTR_ERR(rule);
3213 }
3214
3215 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3216 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3217 return -EEXIST;
3218 }
3219 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3220 old_rule = rule;
3221 else
3222 return -EOPNOTSUPP;
3223 } else {
3224 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
3225 nlh->nlmsg_flags & NLM_F_REPLACE)
3226 return -EINVAL;
3227 handle = nf_tables_alloc_handle(table);
3228
3229 if (chain->use == UINT_MAX)
3230 return -EOVERFLOW;
3231
3232 if (nla[NFTA_RULE_POSITION]) {
3233 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3234 old_rule = __nft_rule_lookup(chain, pos_handle);
3235 if (IS_ERR(old_rule)) {
3236 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3237 return PTR_ERR(old_rule);
3238 }
3239 } else if (nla[NFTA_RULE_POSITION_ID]) {
3240 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
3241 if (IS_ERR(old_rule)) {
3242 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3243 return PTR_ERR(old_rule);
3244 }
3245 }
3246 }
3247
3248 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3249
3250 n = 0;
3251 size = 0;
3252 if (nla[NFTA_RULE_EXPRESSIONS]) {
3253 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3254 sizeof(struct nft_expr_info),
3255 GFP_KERNEL);
3256 if (!info)
3257 return -ENOMEM;
3258
3259 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3260 err = -EINVAL;
3261 if (nla_type(tmp) != NFTA_LIST_ELEM)
3262 goto err1;
3263 if (n == NFT_RULE_MAXEXPRS)
3264 goto err1;
3265 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
3266 if (err < 0)
3267 goto err1;
3268 size += info[n].ops->size;
3269 n++;
3270 }
3271 }
3272 /* Check for overflow of dlen field */
3273 err = -EFBIG;
3274 if (size >= 1 << 12)
3275 goto err1;
3276
3277 if (nla[NFTA_RULE_USERDATA]) {
3278 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3279 if (ulen > 0)
3280 usize = sizeof(struct nft_userdata) + ulen;
3281 }
3282
3283 err = -ENOMEM;
3284 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
3285 if (rule == NULL)
3286 goto err1;
3287
3288 nft_activate_next(net, rule);
3289
3290 rule->handle = handle;
3291 rule->dlen = size;
3292 rule->udata = ulen ? 1 : 0;
3293
3294 if (ulen) {
3295 udata = nft_userdata(rule);
3296 udata->len = ulen - 1;
3297 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
3298 }
3299
3300 expr = nft_expr_first(rule);
3301 for (i = 0; i < n; i++) {
3302 err = nf_tables_newexpr(&ctx, &info[i], expr);
3303 if (err < 0) {
3304 NL_SET_BAD_ATTR(extack, info[i].attr);
3305 goto err2;
3306 }
3307
3308 if (info[i].ops->validate)
3309 nft_validate_state_update(net, NFT_VALIDATE_NEED);
3310
3311 info[i].ops = NULL;
3312 expr = nft_expr_next(expr);
3313 }
3314
3315 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
3316 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3317 if (trans == NULL) {
3318 err = -ENOMEM;
3319 goto err2;
3320 }
3321 err = nft_delrule(&ctx, old_rule);
3322 if (err < 0) {
3323 nft_trans_destroy(trans);
3324 goto err2;
3325 }
3326
3327 list_add_tail_rcu(&rule->list, &old_rule->list);
3328 } else {
3329 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3330 if (!trans) {
3331 err = -ENOMEM;
3332 goto err2;
3333 }
3334
3335 if (nlh->nlmsg_flags & NLM_F_APPEND) {
3336 if (old_rule)
3337 list_add_rcu(&rule->list, &old_rule->list);
3338 else
3339 list_add_tail_rcu(&rule->list, &chain->rules);
3340 } else {
3341 if (old_rule)
3342 list_add_tail_rcu(&rule->list, &old_rule->list);
3343 else
3344 list_add_rcu(&rule->list, &chain->rules);
3345 }
3346 }
3347 kvfree(info);
3348 chain->use++;
3349
3350 if (net->nft.validate_state == NFT_VALIDATE_DO)
3351 return nft_table_validate(net, table);
3352
3353 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
3354 flow = nft_flow_rule_create(net, rule);
3355 if (IS_ERR(flow))
3356 return PTR_ERR(flow);
3357
3358 nft_trans_flow_rule(trans) = flow;
3359 }
3360
3361 return 0;
3362 err2:
3363 nf_tables_rule_release(&ctx, rule);
3364 err1:
3365 for (i = 0; i < n; i++) {
3366 if (info[i].ops) {
3367 module_put(info[i].ops->type->owner);
3368 if (info[i].ops->type->release_ops)
3369 info[i].ops->type->release_ops(info[i].ops);
3370 }
3371 }
3372 kvfree(info);
3373 return err;
3374 }
3375
nft_rule_lookup_byid(const struct net * net,const struct nlattr * nla)3376 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3377 const struct nlattr *nla)
3378 {
3379 u32 id = ntohl(nla_get_be32(nla));
3380 struct nft_trans *trans;
3381
3382 list_for_each_entry(trans, &net->nft.commit_list, list) {
3383 struct nft_rule *rule = nft_trans_rule(trans);
3384
3385 if (trans->msg_type == NFT_MSG_NEWRULE &&
3386 id == nft_trans_rule_id(trans))
3387 return rule;
3388 }
3389 return ERR_PTR(-ENOENT);
3390 }
3391
nf_tables_delrule(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)3392 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
3393 struct sk_buff *skb, const struct nlmsghdr *nlh,
3394 const struct nlattr * const nla[],
3395 struct netlink_ext_ack *extack)
3396 {
3397 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3398 u8 genmask = nft_genmask_next(net);
3399 struct nft_table *table;
3400 struct nft_chain *chain = NULL;
3401 struct nft_rule *rule;
3402 int family = nfmsg->nfgen_family, err = 0;
3403 struct nft_ctx ctx;
3404
3405 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
3406 if (IS_ERR(table)) {
3407 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3408 return PTR_ERR(table);
3409 }
3410
3411 if (nla[NFTA_RULE_CHAIN]) {
3412 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3413 genmask);
3414 if (IS_ERR(chain)) {
3415 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3416 return PTR_ERR(chain);
3417 }
3418 if (nft_chain_is_bound(chain))
3419 return -EOPNOTSUPP;
3420 }
3421
3422 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3423
3424 if (chain) {
3425 if (nla[NFTA_RULE_HANDLE]) {
3426 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3427 if (IS_ERR(rule)) {
3428 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3429 return PTR_ERR(rule);
3430 }
3431
3432 err = nft_delrule(&ctx, rule);
3433 } else if (nla[NFTA_RULE_ID]) {
3434 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
3435 if (IS_ERR(rule)) {
3436 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
3437 return PTR_ERR(rule);
3438 }
3439
3440 err = nft_delrule(&ctx, rule);
3441 } else {
3442 err = nft_delrule_by_chain(&ctx);
3443 }
3444 } else {
3445 list_for_each_entry(chain, &table->chains, list) {
3446 if (!nft_is_active_next(net, chain))
3447 continue;
3448
3449 ctx.chain = chain;
3450 err = nft_delrule_by_chain(&ctx);
3451 if (err < 0)
3452 break;
3453 }
3454 }
3455
3456 return err;
3457 }
3458
3459 /*
3460 * Sets
3461 */
3462 static const struct nft_set_type *nft_set_types[] = {
3463 &nft_set_hash_fast_type,
3464 &nft_set_hash_type,
3465 &nft_set_rhash_type,
3466 &nft_set_bitmap_type,
3467 &nft_set_rbtree_type,
3468 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
3469 &nft_set_pipapo_avx2_type,
3470 #endif
3471 &nft_set_pipapo_type,
3472 };
3473
3474 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3475 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3476 NFT_SET_EVAL)
3477
nft_set_ops_candidate(const struct nft_set_type * type,u32 flags)3478 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
3479 {
3480 return (flags & type->features) == (flags & NFT_SET_FEATURES);
3481 }
3482
3483 /*
3484 * Select a set implementation based on the data characteristics and the
3485 * given policy. The total memory use might not be known if no size is
3486 * given, in that case the amount of memory per element is used.
3487 */
3488 static const struct nft_set_ops *
nft_select_set_ops(const struct nft_ctx * ctx,const struct nlattr * const nla[],const struct nft_set_desc * desc,enum nft_set_policies policy)3489 nft_select_set_ops(const struct nft_ctx *ctx,
3490 const struct nlattr * const nla[],
3491 const struct nft_set_desc *desc,
3492 enum nft_set_policies policy)
3493 {
3494 const struct nft_set_ops *ops, *bops;
3495 struct nft_set_estimate est, best;
3496 const struct nft_set_type *type;
3497 u32 flags = 0;
3498 int i;
3499
3500 lockdep_assert_held(&ctx->net->nft.commit_mutex);
3501 lockdep_nfnl_nft_mutex_not_held();
3502
3503 if (nla[NFTA_SET_FLAGS] != NULL)
3504 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3505
3506 bops = NULL;
3507 best.size = ~0;
3508 best.lookup = ~0;
3509 best.space = ~0;
3510
3511 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
3512 type = nft_set_types[i];
3513 ops = &type->ops;
3514
3515 if (!nft_set_ops_candidate(type, flags))
3516 continue;
3517 if (!ops->estimate(desc, flags, &est))
3518 continue;
3519
3520 switch (policy) {
3521 case NFT_SET_POL_PERFORMANCE:
3522 if (est.lookup < best.lookup)
3523 break;
3524 if (est.lookup == best.lookup &&
3525 est.space < best.space)
3526 break;
3527 continue;
3528 case NFT_SET_POL_MEMORY:
3529 if (!desc->size) {
3530 if (est.space < best.space)
3531 break;
3532 if (est.space == best.space &&
3533 est.lookup < best.lookup)
3534 break;
3535 } else if (est.size < best.size || !bops) {
3536 break;
3537 }
3538 continue;
3539 default:
3540 break;
3541 }
3542
3543 bops = ops;
3544 best = est;
3545 }
3546
3547 if (bops != NULL)
3548 return bops;
3549
3550 return ERR_PTR(-EOPNOTSUPP);
3551 }
3552
3553 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3554 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3555 .len = NFT_TABLE_MAXNAMELEN - 1 },
3556 [NFTA_SET_NAME] = { .type = NLA_STRING,
3557 .len = NFT_SET_MAXNAMELEN - 1 },
3558 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3559 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3560 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3561 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3562 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3563 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3564 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3565 [NFTA_SET_ID] = { .type = NLA_U32 },
3566 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3567 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3568 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3569 .len = NFT_USERDATA_MAXLEN },
3570 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3571 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3572 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
3573 };
3574
3575 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3576 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3577 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED },
3578 };
3579
nft_ctx_init_from_setattr(struct nft_ctx * ctx,struct net * net,const struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack,u8 genmask)3580 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3581 const struct sk_buff *skb,
3582 const struct nlmsghdr *nlh,
3583 const struct nlattr * const nla[],
3584 struct netlink_ext_ack *extack,
3585 u8 genmask)
3586 {
3587 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3588 int family = nfmsg->nfgen_family;
3589 struct nft_table *table = NULL;
3590
3591 if (nla[NFTA_SET_TABLE] != NULL) {
3592 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3593 genmask);
3594 if (IS_ERR(table)) {
3595 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3596 return PTR_ERR(table);
3597 }
3598 }
3599
3600 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3601 return 0;
3602 }
3603
nft_set_lookup(const struct nft_table * table,const struct nlattr * nla,u8 genmask)3604 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3605 const struct nlattr *nla, u8 genmask)
3606 {
3607 struct nft_set *set;
3608
3609 if (nla == NULL)
3610 return ERR_PTR(-EINVAL);
3611
3612 list_for_each_entry_rcu(set, &table->sets, list) {
3613 if (!nla_strcmp(nla, set->name) &&
3614 nft_active_genmask(set, genmask))
3615 return set;
3616 }
3617 return ERR_PTR(-ENOENT);
3618 }
3619
nft_set_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u8 genmask)3620 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3621 const struct nlattr *nla,
3622 u8 genmask)
3623 {
3624 struct nft_set *set;
3625
3626 list_for_each_entry(set, &table->sets, list) {
3627 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3628 nft_active_genmask(set, genmask))
3629 return set;
3630 }
3631 return ERR_PTR(-ENOENT);
3632 }
3633
nft_set_lookup_byid(const struct net * net,const struct nlattr * nla,u8 genmask)3634 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3635 const struct nlattr *nla, u8 genmask)
3636 {
3637 struct nft_trans *trans;
3638 u32 id = ntohl(nla_get_be32(nla));
3639
3640 list_for_each_entry(trans, &net->nft.commit_list, list) {
3641 if (trans->msg_type == NFT_MSG_NEWSET) {
3642 struct nft_set *set = nft_trans_set(trans);
3643
3644 if (id == nft_trans_set_id(trans) &&
3645 nft_active_genmask(set, genmask))
3646 return set;
3647 }
3648 }
3649 return ERR_PTR(-ENOENT);
3650 }
3651
nft_set_lookup_global(const struct net * net,const struct nft_table * table,const struct nlattr * nla_set_name,const struct nlattr * nla_set_id,u8 genmask)3652 struct nft_set *nft_set_lookup_global(const struct net *net,
3653 const struct nft_table *table,
3654 const struct nlattr *nla_set_name,
3655 const struct nlattr *nla_set_id,
3656 u8 genmask)
3657 {
3658 struct nft_set *set;
3659
3660 set = nft_set_lookup(table, nla_set_name, genmask);
3661 if (IS_ERR(set)) {
3662 if (!nla_set_id)
3663 return set;
3664
3665 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3666 }
3667 return set;
3668 }
3669 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3670
nf_tables_set_alloc_name(struct nft_ctx * ctx,struct nft_set * set,const char * name)3671 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3672 const char *name)
3673 {
3674 const struct nft_set *i;
3675 const char *p;
3676 unsigned long *inuse;
3677 unsigned int n = 0, min = 0;
3678
3679 p = strchr(name, '%');
3680 if (p != NULL) {
3681 if (p[1] != 'd' || strchr(p + 2, '%'))
3682 return -EINVAL;
3683
3684 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3685 if (inuse == NULL)
3686 return -ENOMEM;
3687 cont:
3688 list_for_each_entry(i, &ctx->table->sets, list) {
3689 int tmp;
3690
3691 if (!nft_is_active_next(ctx->net, set))
3692 continue;
3693 if (!sscanf(i->name, name, &tmp))
3694 continue;
3695 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3696 continue;
3697
3698 set_bit(tmp - min, inuse);
3699 }
3700
3701 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3702 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3703 min += BITS_PER_BYTE * PAGE_SIZE;
3704 memset(inuse, 0, PAGE_SIZE);
3705 goto cont;
3706 }
3707 free_page((unsigned long)inuse);
3708 }
3709
3710 set->name = kasprintf(GFP_KERNEL, name, min + n);
3711 if (!set->name)
3712 return -ENOMEM;
3713
3714 list_for_each_entry(i, &ctx->table->sets, list) {
3715 if (!nft_is_active_next(ctx->net, i))
3716 continue;
3717 if (!strcmp(set->name, i->name)) {
3718 kfree(set->name);
3719 set->name = NULL;
3720 return -ENFILE;
3721 }
3722 }
3723 return 0;
3724 }
3725
nf_msecs_to_jiffies64(const struct nlattr * nla,u64 * result)3726 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3727 {
3728 u64 ms = be64_to_cpu(nla_get_be64(nla));
3729 u64 max = (u64)(~((u64)0));
3730
3731 max = div_u64(max, NSEC_PER_MSEC);
3732 if (ms >= max)
3733 return -ERANGE;
3734
3735 ms *= NSEC_PER_MSEC;
3736 *result = nsecs_to_jiffies64(ms);
3737 return 0;
3738 }
3739
nf_jiffies64_to_msecs(u64 input)3740 __be64 nf_jiffies64_to_msecs(u64 input)
3741 {
3742 return cpu_to_be64(jiffies64_to_msecs(input));
3743 }
3744
nf_tables_fill_set_concat(struct sk_buff * skb,const struct nft_set * set)3745 static int nf_tables_fill_set_concat(struct sk_buff *skb,
3746 const struct nft_set *set)
3747 {
3748 struct nlattr *concat, *field;
3749 int i;
3750
3751 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
3752 if (!concat)
3753 return -ENOMEM;
3754
3755 for (i = 0; i < set->field_count; i++) {
3756 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
3757 if (!field)
3758 return -ENOMEM;
3759
3760 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
3761 htonl(set->field_len[i])))
3762 return -ENOMEM;
3763
3764 nla_nest_end(skb, field);
3765 }
3766
3767 nla_nest_end(skb, concat);
3768
3769 return 0;
3770 }
3771
nf_tables_fill_set(struct sk_buff * skb,const struct nft_ctx * ctx,const struct nft_set * set,u16 event,u16 flags)3772 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3773 const struct nft_set *set, u16 event, u16 flags)
3774 {
3775 struct nfgenmsg *nfmsg;
3776 struct nlmsghdr *nlh;
3777 u32 portid = ctx->portid;
3778 struct nlattr *nest;
3779 u32 seq = ctx->seq;
3780
3781 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3782 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3783 flags);
3784 if (nlh == NULL)
3785 goto nla_put_failure;
3786
3787 nfmsg = nlmsg_data(nlh);
3788 nfmsg->nfgen_family = ctx->family;
3789 nfmsg->version = NFNETLINK_V0;
3790 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3791
3792 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3793 goto nla_put_failure;
3794 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3795 goto nla_put_failure;
3796 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3797 NFTA_SET_PAD))
3798 goto nla_put_failure;
3799 if (set->flags != 0)
3800 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3801 goto nla_put_failure;
3802
3803 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3804 goto nla_put_failure;
3805 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3806 goto nla_put_failure;
3807 if (set->flags & NFT_SET_MAP) {
3808 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3809 goto nla_put_failure;
3810 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3811 goto nla_put_failure;
3812 }
3813 if (set->flags & NFT_SET_OBJECT &&
3814 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3815 goto nla_put_failure;
3816
3817 if (set->timeout &&
3818 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3819 nf_jiffies64_to_msecs(set->timeout),
3820 NFTA_SET_PAD))
3821 goto nla_put_failure;
3822 if (set->gc_int &&
3823 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3824 goto nla_put_failure;
3825
3826 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3827 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3828 goto nla_put_failure;
3829 }
3830
3831 if (set->udata &&
3832 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3833 goto nla_put_failure;
3834
3835 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
3836 if (!nest)
3837 goto nla_put_failure;
3838 if (set->size &&
3839 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3840 goto nla_put_failure;
3841
3842 if (set->field_count > 1 &&
3843 nf_tables_fill_set_concat(skb, set))
3844 goto nla_put_failure;
3845
3846 nla_nest_end(skb, nest);
3847
3848 if (set->expr) {
3849 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
3850 if (nf_tables_fill_expr_info(skb, set->expr) < 0)
3851 goto nla_put_failure;
3852
3853 nla_nest_end(skb, nest);
3854 }
3855
3856 nlmsg_end(skb, nlh);
3857 return 0;
3858
3859 nla_put_failure:
3860 nlmsg_trim(skb, nlh);
3861 return -1;
3862 }
3863
nf_tables_set_notify(const struct nft_ctx * ctx,const struct nft_set * set,int event,gfp_t gfp_flags)3864 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3865 const struct nft_set *set, int event,
3866 gfp_t gfp_flags)
3867 {
3868 struct sk_buff *skb;
3869 u32 portid = ctx->portid;
3870 int err;
3871 char *buf = kasprintf(gfp_flags, "%s:%llu;%s:%llu",
3872 ctx->table->name, ctx->table->handle,
3873 set->name, set->handle);
3874
3875 audit_log_nfcfg(buf,
3876 ctx->family,
3877 set->field_count,
3878 event == NFT_MSG_NEWSET ?
3879 AUDIT_NFT_OP_SET_REGISTER :
3880 AUDIT_NFT_OP_SET_UNREGISTER,
3881 gfp_flags);
3882 kfree(buf);
3883
3884 if (!ctx->report &&
3885 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3886 return;
3887
3888 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3889 if (skb == NULL)
3890 goto err;
3891
3892 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3893 if (err < 0) {
3894 kfree_skb(skb);
3895 goto err;
3896 }
3897
3898 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
3899 return;
3900 err:
3901 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3902 }
3903
nf_tables_dump_sets(struct sk_buff * skb,struct netlink_callback * cb)3904 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3905 {
3906 const struct nft_set *set;
3907 unsigned int idx, s_idx = cb->args[0];
3908 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3909 struct net *net = sock_net(skb->sk);
3910 struct nft_ctx *ctx = cb->data, ctx_set;
3911
3912 if (cb->args[1])
3913 return skb->len;
3914
3915 rcu_read_lock();
3916 cb->seq = net->nft.base_seq;
3917
3918 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3919 if (ctx->family != NFPROTO_UNSPEC &&
3920 ctx->family != table->family)
3921 continue;
3922
3923 if (ctx->table && ctx->table != table)
3924 continue;
3925
3926 if (cur_table) {
3927 if (cur_table != table)
3928 continue;
3929
3930 cur_table = NULL;
3931 }
3932 idx = 0;
3933 list_for_each_entry_rcu(set, &table->sets, list) {
3934 if (idx < s_idx)
3935 goto cont;
3936 if (!nft_is_active(net, set))
3937 goto cont;
3938
3939 ctx_set = *ctx;
3940 ctx_set.table = table;
3941 ctx_set.family = table->family;
3942
3943 if (nf_tables_fill_set(skb, &ctx_set, set,
3944 NFT_MSG_NEWSET,
3945 NLM_F_MULTI) < 0) {
3946 cb->args[0] = idx;
3947 cb->args[2] = (unsigned long) table;
3948 goto done;
3949 }
3950 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3951 cont:
3952 idx++;
3953 }
3954 if (s_idx)
3955 s_idx = 0;
3956 }
3957 cb->args[1] = 1;
3958 done:
3959 rcu_read_unlock();
3960 return skb->len;
3961 }
3962
nf_tables_dump_sets_start(struct netlink_callback * cb)3963 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3964 {
3965 struct nft_ctx *ctx_dump = NULL;
3966
3967 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
3968 if (ctx_dump == NULL)
3969 return -ENOMEM;
3970
3971 cb->data = ctx_dump;
3972 return 0;
3973 }
3974
nf_tables_dump_sets_done(struct netlink_callback * cb)3975 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3976 {
3977 kfree(cb->data);
3978 return 0;
3979 }
3980
3981 /* called with rcu_read_lock held */
nf_tables_getset(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)3982 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3983 struct sk_buff *skb, const struct nlmsghdr *nlh,
3984 const struct nlattr * const nla[],
3985 struct netlink_ext_ack *extack)
3986 {
3987 u8 genmask = nft_genmask_cur(net);
3988 const struct nft_set *set;
3989 struct nft_ctx ctx;
3990 struct sk_buff *skb2;
3991 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3992 int err;
3993
3994 /* Verify existence before starting dump */
3995 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3996 genmask);
3997 if (err < 0)
3998 return err;
3999
4000 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4001 struct netlink_dump_control c = {
4002 .start = nf_tables_dump_sets_start,
4003 .dump = nf_tables_dump_sets,
4004 .done = nf_tables_dump_sets_done,
4005 .data = &ctx,
4006 .module = THIS_MODULE,
4007 };
4008
4009 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4010 }
4011
4012 /* Only accept unspec with dump */
4013 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4014 return -EAFNOSUPPORT;
4015 if (!nla[NFTA_SET_TABLE])
4016 return -EINVAL;
4017
4018 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
4019 if (IS_ERR(set))
4020 return PTR_ERR(set);
4021
4022 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
4023 if (skb2 == NULL)
4024 return -ENOMEM;
4025
4026 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
4027 if (err < 0)
4028 goto err_fill_set_info;
4029
4030 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4031
4032 err_fill_set_info:
4033 kfree_skb(skb2);
4034 return err;
4035 }
4036
4037 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4038 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
4039 };
4040
nft_set_desc_concat_parse(const struct nlattr * attr,struct nft_set_desc * desc)4041 static int nft_set_desc_concat_parse(const struct nlattr *attr,
4042 struct nft_set_desc *desc)
4043 {
4044 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
4045 u32 len;
4046 int err;
4047
4048 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
4049 nft_concat_policy, NULL);
4050 if (err < 0)
4051 return err;
4052
4053 if (!tb[NFTA_SET_FIELD_LEN])
4054 return -EINVAL;
4055
4056 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
4057
4058 if (len * BITS_PER_BYTE / 32 > NFT_REG32_COUNT)
4059 return -E2BIG;
4060
4061 desc->field_len[desc->field_count++] = len;
4062
4063 return 0;
4064 }
4065
nft_set_desc_concat(struct nft_set_desc * desc,const struct nlattr * nla)4066 static int nft_set_desc_concat(struct nft_set_desc *desc,
4067 const struct nlattr *nla)
4068 {
4069 struct nlattr *attr;
4070 int rem, err;
4071
4072 nla_for_each_nested(attr, nla, rem) {
4073 if (nla_type(attr) != NFTA_LIST_ELEM)
4074 return -EINVAL;
4075
4076 err = nft_set_desc_concat_parse(attr, desc);
4077 if (err < 0)
4078 return err;
4079 }
4080
4081 return 0;
4082 }
4083
nf_tables_set_desc_parse(struct nft_set_desc * desc,const struct nlattr * nla)4084 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
4085 const struct nlattr *nla)
4086 {
4087 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
4088 int err;
4089
4090 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
4091 nft_set_desc_policy, NULL);
4092 if (err < 0)
4093 return err;
4094
4095 if (da[NFTA_SET_DESC_SIZE] != NULL)
4096 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
4097 if (da[NFTA_SET_DESC_CONCAT])
4098 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
4099
4100 return err;
4101 }
4102
nf_tables_newset(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)4103 static int nf_tables_newset(struct net *net, struct sock *nlsk,
4104 struct sk_buff *skb, const struct nlmsghdr *nlh,
4105 const struct nlattr * const nla[],
4106 struct netlink_ext_ack *extack)
4107 {
4108 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4109 u8 genmask = nft_genmask_next(net);
4110 int family = nfmsg->nfgen_family;
4111 const struct nft_set_ops *ops;
4112 struct nft_expr *expr = NULL;
4113 struct nft_table *table;
4114 struct nft_set *set;
4115 struct nft_ctx ctx;
4116 char *name;
4117 u64 size;
4118 u64 timeout;
4119 u32 ktype, dtype, flags, policy, gc_int, objtype;
4120 struct nft_set_desc desc;
4121 unsigned char *udata;
4122 u16 udlen;
4123 int err;
4124 int i;
4125
4126 if (nla[NFTA_SET_TABLE] == NULL ||
4127 nla[NFTA_SET_NAME] == NULL ||
4128 nla[NFTA_SET_KEY_LEN] == NULL ||
4129 nla[NFTA_SET_ID] == NULL)
4130 return -EINVAL;
4131
4132 memset(&desc, 0, sizeof(desc));
4133
4134 ktype = NFT_DATA_VALUE;
4135 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
4136 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
4137 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
4138 return -EINVAL;
4139 }
4140
4141 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
4142 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
4143 return -EINVAL;
4144
4145 flags = 0;
4146 if (nla[NFTA_SET_FLAGS] != NULL) {
4147 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
4148 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
4149 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
4150 NFT_SET_MAP | NFT_SET_EVAL |
4151 NFT_SET_OBJECT | NFT_SET_CONCAT))
4152 return -EOPNOTSUPP;
4153 /* Only one of these operations is supported */
4154 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
4155 (NFT_SET_MAP | NFT_SET_OBJECT))
4156 return -EOPNOTSUPP;
4157 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
4158 (NFT_SET_EVAL | NFT_SET_OBJECT))
4159 return -EOPNOTSUPP;
4160 }
4161
4162 dtype = 0;
4163 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
4164 if (!(flags & NFT_SET_MAP))
4165 return -EINVAL;
4166
4167 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
4168 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
4169 dtype != NFT_DATA_VERDICT)
4170 return -EINVAL;
4171
4172 if (dtype != NFT_DATA_VERDICT) {
4173 if (nla[NFTA_SET_DATA_LEN] == NULL)
4174 return -EINVAL;
4175 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
4176 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
4177 return -EINVAL;
4178 } else
4179 desc.dlen = sizeof(struct nft_verdict);
4180 } else if (flags & NFT_SET_MAP)
4181 return -EINVAL;
4182
4183 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
4184 if (!(flags & NFT_SET_OBJECT))
4185 return -EINVAL;
4186
4187 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
4188 if (objtype == NFT_OBJECT_UNSPEC ||
4189 objtype > NFT_OBJECT_MAX)
4190 return -EOPNOTSUPP;
4191 } else if (flags & NFT_SET_OBJECT)
4192 return -EINVAL;
4193 else
4194 objtype = NFT_OBJECT_UNSPEC;
4195
4196 timeout = 0;
4197 if (nla[NFTA_SET_TIMEOUT] != NULL) {
4198 if (!(flags & NFT_SET_TIMEOUT))
4199 return -EINVAL;
4200
4201 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
4202 if (err)
4203 return err;
4204 }
4205 gc_int = 0;
4206 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
4207 if (!(flags & NFT_SET_TIMEOUT))
4208 return -EINVAL;
4209 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
4210 }
4211
4212 policy = NFT_SET_POL_PERFORMANCE;
4213 if (nla[NFTA_SET_POLICY] != NULL)
4214 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
4215
4216 if (nla[NFTA_SET_DESC] != NULL) {
4217 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
4218 if (err < 0)
4219 return err;
4220 }
4221
4222 if (nla[NFTA_SET_EXPR])
4223 desc.expr = true;
4224
4225 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
4226 if (IS_ERR(table)) {
4227 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4228 return PTR_ERR(table);
4229 }
4230
4231 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4232
4233 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4234 if (IS_ERR(set)) {
4235 if (PTR_ERR(set) != -ENOENT) {
4236 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4237 return PTR_ERR(set);
4238 }
4239 } else {
4240 if (nlh->nlmsg_flags & NLM_F_EXCL) {
4241 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4242 return -EEXIST;
4243 }
4244 if (nlh->nlmsg_flags & NLM_F_REPLACE)
4245 return -EOPNOTSUPP;
4246
4247 return 0;
4248 }
4249
4250 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
4251 return -ENOENT;
4252
4253 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
4254 if (IS_ERR(ops))
4255 return PTR_ERR(ops);
4256
4257 udlen = 0;
4258 if (nla[NFTA_SET_USERDATA])
4259 udlen = nla_len(nla[NFTA_SET_USERDATA]);
4260
4261 size = 0;
4262 if (ops->privsize != NULL)
4263 size = ops->privsize(nla, &desc);
4264
4265 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
4266 if (!set)
4267 return -ENOMEM;
4268
4269 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
4270 if (!name) {
4271 err = -ENOMEM;
4272 goto err_set_name;
4273 }
4274
4275 err = nf_tables_set_alloc_name(&ctx, set, name);
4276 kfree(name);
4277 if (err < 0)
4278 goto err_set_alloc_name;
4279
4280 if (nla[NFTA_SET_EXPR]) {
4281 expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]);
4282 if (IS_ERR(expr)) {
4283 err = PTR_ERR(expr);
4284 goto err_set_alloc_name;
4285 }
4286 }
4287
4288 udata = NULL;
4289 if (udlen) {
4290 udata = set->data + size;
4291 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
4292 }
4293
4294 INIT_LIST_HEAD(&set->bindings);
4295 set->table = table;
4296 write_pnet(&set->net, net);
4297 set->ops = ops;
4298 set->ktype = ktype;
4299 set->klen = desc.klen;
4300 set->dtype = dtype;
4301 set->objtype = objtype;
4302 set->dlen = desc.dlen;
4303 set->expr = expr;
4304 set->flags = flags;
4305 set->size = desc.size;
4306 set->policy = policy;
4307 set->udlen = udlen;
4308 set->udata = udata;
4309 set->timeout = timeout;
4310 set->gc_int = gc_int;
4311 set->handle = nf_tables_alloc_handle(table);
4312
4313 set->field_count = desc.field_count;
4314 for (i = 0; i < desc.field_count; i++)
4315 set->field_len[i] = desc.field_len[i];
4316
4317 err = ops->init(set, &desc, nla);
4318 if (err < 0)
4319 goto err_set_init;
4320
4321 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
4322 if (err < 0)
4323 goto err_set_trans;
4324
4325 list_add_tail_rcu(&set->list, &table->sets);
4326 table->use++;
4327 return 0;
4328
4329 err_set_trans:
4330 ops->destroy(set);
4331 err_set_init:
4332 if (expr)
4333 nft_expr_destroy(&ctx, expr);
4334 err_set_alloc_name:
4335 kfree(set->name);
4336 err_set_name:
4337 kvfree(set);
4338 return err;
4339 }
4340
nft_set_destroy(const struct nft_ctx * ctx,struct nft_set * set)4341 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
4342 {
4343 if (WARN_ON(set->use > 0))
4344 return;
4345
4346 if (set->expr)
4347 nft_expr_destroy(ctx, set->expr);
4348
4349 set->ops->destroy(set);
4350 kfree(set->name);
4351 kvfree(set);
4352 }
4353
nf_tables_delset(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)4354 static int nf_tables_delset(struct net *net, struct sock *nlsk,
4355 struct sk_buff *skb, const struct nlmsghdr *nlh,
4356 const struct nlattr * const nla[],
4357 struct netlink_ext_ack *extack)
4358 {
4359 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4360 u8 genmask = nft_genmask_next(net);
4361 const struct nlattr *attr;
4362 struct nft_set *set;
4363 struct nft_ctx ctx;
4364 int err;
4365
4366 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4367 return -EAFNOSUPPORT;
4368 if (nla[NFTA_SET_TABLE] == NULL)
4369 return -EINVAL;
4370
4371 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
4372 genmask);
4373 if (err < 0)
4374 return err;
4375
4376 if (nla[NFTA_SET_HANDLE]) {
4377 attr = nla[NFTA_SET_HANDLE];
4378 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
4379 } else {
4380 attr = nla[NFTA_SET_NAME];
4381 set = nft_set_lookup(ctx.table, attr, genmask);
4382 }
4383
4384 if (IS_ERR(set)) {
4385 NL_SET_BAD_ATTR(extack, attr);
4386 return PTR_ERR(set);
4387 }
4388 if (set->use ||
4389 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
4390 NL_SET_BAD_ATTR(extack, attr);
4391 return -EBUSY;
4392 }
4393
4394 return nft_delset(&ctx, set);
4395 }
4396
nf_tables_bind_check_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_set_elem * elem)4397 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
4398 struct nft_set *set,
4399 const struct nft_set_iter *iter,
4400 struct nft_set_elem *elem)
4401 {
4402 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4403 enum nft_registers dreg;
4404
4405 dreg = nft_type_to_reg(set->dtype);
4406 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
4407 set->dtype == NFT_DATA_VERDICT ?
4408 NFT_DATA_VERDICT : NFT_DATA_VALUE,
4409 set->dlen);
4410 }
4411
nf_tables_bind_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding)4412 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
4413 struct nft_set_binding *binding)
4414 {
4415 struct nft_set_binding *i;
4416 struct nft_set_iter iter;
4417
4418 if (set->use == UINT_MAX)
4419 return -EOVERFLOW;
4420
4421 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
4422 return -EBUSY;
4423
4424 if (binding->flags & NFT_SET_MAP) {
4425 /* If the set is already bound to the same chain all
4426 * jumps are already validated for that chain.
4427 */
4428 list_for_each_entry(i, &set->bindings, list) {
4429 if (i->flags & NFT_SET_MAP &&
4430 i->chain == binding->chain)
4431 goto bind;
4432 }
4433
4434 iter.genmask = nft_genmask_next(ctx->net);
4435 iter.skip = 0;
4436 iter.count = 0;
4437 iter.err = 0;
4438 iter.fn = nf_tables_bind_check_setelem;
4439
4440 set->ops->walk(ctx, set, &iter);
4441 if (iter.err < 0)
4442 return iter.err;
4443 }
4444 bind:
4445 binding->chain = ctx->chain;
4446 list_add_tail_rcu(&binding->list, &set->bindings);
4447 nft_set_trans_bind(ctx, set);
4448 set->use++;
4449
4450 return 0;
4451 }
4452 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
4453
nf_tables_unbind_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding,bool event)4454 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
4455 struct nft_set_binding *binding, bool event)
4456 {
4457 list_del_rcu(&binding->list);
4458
4459 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
4460 list_del_rcu(&set->list);
4461 if (event)
4462 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
4463 GFP_KERNEL);
4464 }
4465 }
4466
nf_tables_deactivate_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding,enum nft_trans_phase phase)4467 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
4468 struct nft_set_binding *binding,
4469 enum nft_trans_phase phase)
4470 {
4471 switch (phase) {
4472 case NFT_TRANS_PREPARE:
4473 set->use--;
4474 return;
4475 case NFT_TRANS_ABORT:
4476 case NFT_TRANS_RELEASE:
4477 set->use--;
4478 fallthrough;
4479 default:
4480 nf_tables_unbind_set(ctx, set, binding,
4481 phase == NFT_TRANS_COMMIT);
4482 }
4483 }
4484 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
4485
nf_tables_destroy_set(const struct nft_ctx * ctx,struct nft_set * set)4486 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
4487 {
4488 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
4489 nft_set_destroy(ctx, set);
4490 }
4491 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
4492
4493 const struct nft_set_ext_type nft_set_ext_types[] = {
4494 [NFT_SET_EXT_KEY] = {
4495 .align = __alignof__(u32),
4496 },
4497 [NFT_SET_EXT_DATA] = {
4498 .align = __alignof__(u32),
4499 },
4500 [NFT_SET_EXT_EXPR] = {
4501 .align = __alignof__(struct nft_expr),
4502 },
4503 [NFT_SET_EXT_OBJREF] = {
4504 .len = sizeof(struct nft_object *),
4505 .align = __alignof__(struct nft_object *),
4506 },
4507 [NFT_SET_EXT_FLAGS] = {
4508 .len = sizeof(u8),
4509 .align = __alignof__(u8),
4510 },
4511 [NFT_SET_EXT_TIMEOUT] = {
4512 .len = sizeof(u64),
4513 .align = __alignof__(u64),
4514 },
4515 [NFT_SET_EXT_EXPIRATION] = {
4516 .len = sizeof(u64),
4517 .align = __alignof__(u64),
4518 },
4519 [NFT_SET_EXT_USERDATA] = {
4520 .len = sizeof(struct nft_userdata),
4521 .align = __alignof__(struct nft_userdata),
4522 },
4523 [NFT_SET_EXT_KEY_END] = {
4524 .align = __alignof__(u32),
4525 },
4526 };
4527
4528 /*
4529 * Set elements
4530 */
4531
4532 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
4533 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
4534 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
4535 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
4536 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
4537 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
4538 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
4539 .len = NFT_USERDATA_MAXLEN },
4540 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
4541 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
4542 .len = NFT_OBJ_MAXNAMELEN - 1 },
4543 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
4544 };
4545
4546 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
4547 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
4548 .len = NFT_TABLE_MAXNAMELEN - 1 },
4549 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
4550 .len = NFT_SET_MAXNAMELEN - 1 },
4551 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
4552 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
4553 };
4554
nft_ctx_init_from_elemattr(struct nft_ctx * ctx,struct net * net,const struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack,u8 genmask)4555 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
4556 const struct sk_buff *skb,
4557 const struct nlmsghdr *nlh,
4558 const struct nlattr * const nla[],
4559 struct netlink_ext_ack *extack,
4560 u8 genmask)
4561 {
4562 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4563 int family = nfmsg->nfgen_family;
4564 struct nft_table *table;
4565
4566 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
4567 genmask);
4568 if (IS_ERR(table)) {
4569 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
4570 return PTR_ERR(table);
4571 }
4572
4573 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
4574 return 0;
4575 }
4576
nf_tables_fill_setelem(struct sk_buff * skb,const struct nft_set * set,const struct nft_set_elem * elem)4577 static int nf_tables_fill_setelem(struct sk_buff *skb,
4578 const struct nft_set *set,
4579 const struct nft_set_elem *elem)
4580 {
4581 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4582 unsigned char *b = skb_tail_pointer(skb);
4583 struct nlattr *nest;
4584
4585 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4586 if (nest == NULL)
4587 goto nla_put_failure;
4588
4589 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
4590 NFT_DATA_VALUE, set->klen) < 0)
4591 goto nla_put_failure;
4592
4593 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
4594 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
4595 NFT_DATA_VALUE, set->klen) < 0)
4596 goto nla_put_failure;
4597
4598 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4599 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
4600 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
4601 set->dlen) < 0)
4602 goto nla_put_failure;
4603
4604 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
4605 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
4606 goto nla_put_failure;
4607
4608 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4609 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
4610 (*nft_set_ext_obj(ext))->key.name) < 0)
4611 goto nla_put_failure;
4612
4613 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4614 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
4615 htonl(*nft_set_ext_flags(ext))))
4616 goto nla_put_failure;
4617
4618 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
4619 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
4620 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
4621 NFTA_SET_ELEM_PAD))
4622 goto nla_put_failure;
4623
4624 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4625 u64 expires, now = get_jiffies_64();
4626
4627 expires = *nft_set_ext_expiration(ext);
4628 if (time_before64(now, expires))
4629 expires -= now;
4630 else
4631 expires = 0;
4632
4633 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
4634 nf_jiffies64_to_msecs(expires),
4635 NFTA_SET_ELEM_PAD))
4636 goto nla_put_failure;
4637 }
4638
4639 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
4640 struct nft_userdata *udata;
4641
4642 udata = nft_set_ext_userdata(ext);
4643 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
4644 udata->len + 1, udata->data))
4645 goto nla_put_failure;
4646 }
4647
4648 nla_nest_end(skb, nest);
4649 return 0;
4650
4651 nla_put_failure:
4652 nlmsg_trim(skb, b);
4653 return -EMSGSIZE;
4654 }
4655
4656 struct nft_set_dump_args {
4657 const struct netlink_callback *cb;
4658 struct nft_set_iter iter;
4659 struct sk_buff *skb;
4660 };
4661
nf_tables_dump_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_set_elem * elem)4662 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
4663 struct nft_set *set,
4664 const struct nft_set_iter *iter,
4665 struct nft_set_elem *elem)
4666 {
4667 struct nft_set_dump_args *args;
4668
4669 args = container_of(iter, struct nft_set_dump_args, iter);
4670 return nf_tables_fill_setelem(args->skb, set, elem);
4671 }
4672
4673 struct nft_set_dump_ctx {
4674 const struct nft_set *set;
4675 struct nft_ctx ctx;
4676 };
4677
nf_tables_dump_set(struct sk_buff * skb,struct netlink_callback * cb)4678 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4679 {
4680 struct nft_set_dump_ctx *dump_ctx = cb->data;
4681 struct net *net = sock_net(skb->sk);
4682 struct nft_table *table;
4683 struct nft_set *set;
4684 struct nft_set_dump_args args;
4685 bool set_found = false;
4686 struct nfgenmsg *nfmsg;
4687 struct nlmsghdr *nlh;
4688 struct nlattr *nest;
4689 u32 portid, seq;
4690 int event;
4691
4692 rcu_read_lock();
4693 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4694 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4695 dump_ctx->ctx.family != table->family)
4696 continue;
4697
4698 if (table != dump_ctx->ctx.table)
4699 continue;
4700
4701 list_for_each_entry_rcu(set, &table->sets, list) {
4702 if (set == dump_ctx->set) {
4703 set_found = true;
4704 break;
4705 }
4706 }
4707 break;
4708 }
4709
4710 if (!set_found) {
4711 rcu_read_unlock();
4712 return -ENOENT;
4713 }
4714
4715 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4716 portid = NETLINK_CB(cb->skb).portid;
4717 seq = cb->nlh->nlmsg_seq;
4718
4719 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4720 NLM_F_MULTI);
4721 if (nlh == NULL)
4722 goto nla_put_failure;
4723
4724 nfmsg = nlmsg_data(nlh);
4725 nfmsg->nfgen_family = table->family;
4726 nfmsg->version = NFNETLINK_V0;
4727 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4728
4729 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4730 goto nla_put_failure;
4731 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4732 goto nla_put_failure;
4733
4734 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4735 if (nest == NULL)
4736 goto nla_put_failure;
4737
4738 args.cb = cb;
4739 args.skb = skb;
4740 args.iter.genmask = nft_genmask_cur(net);
4741 args.iter.skip = cb->args[0];
4742 args.iter.count = 0;
4743 args.iter.err = 0;
4744 args.iter.fn = nf_tables_dump_setelem;
4745 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4746 rcu_read_unlock();
4747
4748 nla_nest_end(skb, nest);
4749 nlmsg_end(skb, nlh);
4750
4751 if (args.iter.err && args.iter.err != -EMSGSIZE)
4752 return args.iter.err;
4753 if (args.iter.count == cb->args[0])
4754 return 0;
4755
4756 cb->args[0] = args.iter.count;
4757 return skb->len;
4758
4759 nla_put_failure:
4760 rcu_read_unlock();
4761 return -ENOSPC;
4762 }
4763
nf_tables_dump_set_start(struct netlink_callback * cb)4764 static int nf_tables_dump_set_start(struct netlink_callback *cb)
4765 {
4766 struct nft_set_dump_ctx *dump_ctx = cb->data;
4767
4768 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4769
4770 return cb->data ? 0 : -ENOMEM;
4771 }
4772
nf_tables_dump_set_done(struct netlink_callback * cb)4773 static int nf_tables_dump_set_done(struct netlink_callback *cb)
4774 {
4775 kfree(cb->data);
4776 return 0;
4777 }
4778
nf_tables_fill_setelem_info(struct sk_buff * skb,const struct nft_ctx * ctx,u32 seq,u32 portid,int event,u16 flags,const struct nft_set * set,const struct nft_set_elem * elem)4779 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4780 const struct nft_ctx *ctx, u32 seq,
4781 u32 portid, int event, u16 flags,
4782 const struct nft_set *set,
4783 const struct nft_set_elem *elem)
4784 {
4785 struct nfgenmsg *nfmsg;
4786 struct nlmsghdr *nlh;
4787 struct nlattr *nest;
4788 int err;
4789
4790 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4791 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4792 flags);
4793 if (nlh == NULL)
4794 goto nla_put_failure;
4795
4796 nfmsg = nlmsg_data(nlh);
4797 nfmsg->nfgen_family = ctx->family;
4798 nfmsg->version = NFNETLINK_V0;
4799 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
4800
4801 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4802 goto nla_put_failure;
4803 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4804 goto nla_put_failure;
4805
4806 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4807 if (nest == NULL)
4808 goto nla_put_failure;
4809
4810 err = nf_tables_fill_setelem(skb, set, elem);
4811 if (err < 0)
4812 goto nla_put_failure;
4813
4814 nla_nest_end(skb, nest);
4815
4816 nlmsg_end(skb, nlh);
4817 return 0;
4818
4819 nla_put_failure:
4820 nlmsg_trim(skb, nlh);
4821 return -1;
4822 }
4823
nft_setelem_parse_flags(const struct nft_set * set,const struct nlattr * attr,u32 * flags)4824 static int nft_setelem_parse_flags(const struct nft_set *set,
4825 const struct nlattr *attr, u32 *flags)
4826 {
4827 if (attr == NULL)
4828 return 0;
4829
4830 *flags = ntohl(nla_get_be32(attr));
4831 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4832 return -EINVAL;
4833 if (!(set->flags & NFT_SET_INTERVAL) &&
4834 *flags & NFT_SET_ELEM_INTERVAL_END)
4835 return -EINVAL;
4836
4837 return 0;
4838 }
4839
nft_setelem_parse_key(struct nft_ctx * ctx,struct nft_set * set,struct nft_data * key,struct nlattr * attr)4840 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
4841 struct nft_data *key, struct nlattr *attr)
4842 {
4843 struct nft_data_desc desc;
4844 int err;
4845
4846 err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr);
4847 if (err < 0)
4848 return err;
4849
4850 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
4851 nft_data_release(key, desc.type);
4852 return -EINVAL;
4853 }
4854
4855 return 0;
4856 }
4857
nft_setelem_parse_data(struct nft_ctx * ctx,struct nft_set * set,struct nft_data_desc * desc,struct nft_data * data,struct nlattr * attr)4858 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
4859 struct nft_data_desc *desc,
4860 struct nft_data *data,
4861 struct nlattr *attr)
4862 {
4863 int err;
4864
4865 err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr);
4866 if (err < 0)
4867 return err;
4868
4869 if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) {
4870 nft_data_release(data, desc->type);
4871 return -EINVAL;
4872 }
4873
4874 return 0;
4875 }
4876
nft_get_set_elem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr)4877 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4878 const struct nlattr *attr)
4879 {
4880 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4881 struct nft_set_elem elem;
4882 struct sk_buff *skb;
4883 uint32_t flags = 0;
4884 void *priv;
4885 int err;
4886
4887 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4888 nft_set_elem_policy, NULL);
4889 if (err < 0)
4890 return err;
4891
4892 if (!nla[NFTA_SET_ELEM_KEY])
4893 return -EINVAL;
4894
4895 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4896 if (err < 0)
4897 return err;
4898
4899 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
4900 nla[NFTA_SET_ELEM_KEY]);
4901 if (err < 0)
4902 return err;
4903
4904 if (nla[NFTA_SET_ELEM_KEY_END]) {
4905 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
4906 nla[NFTA_SET_ELEM_KEY_END]);
4907 if (err < 0)
4908 return err;
4909 }
4910
4911 priv = set->ops->get(ctx->net, set, &elem, flags);
4912 if (IS_ERR(priv))
4913 return PTR_ERR(priv);
4914
4915 elem.priv = priv;
4916
4917 err = -ENOMEM;
4918 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4919 if (skb == NULL)
4920 return err;
4921
4922 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4923 NFT_MSG_NEWSETELEM, 0, set, &elem);
4924 if (err < 0)
4925 goto err_fill_setelem;
4926
4927 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
4928
4929 err_fill_setelem:
4930 kfree_skb(skb);
4931 return err;
4932 }
4933
4934 /* called with rcu_read_lock held */
nf_tables_getsetelem(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)4935 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
4936 struct sk_buff *skb, const struct nlmsghdr *nlh,
4937 const struct nlattr * const nla[],
4938 struct netlink_ext_ack *extack)
4939 {
4940 u8 genmask = nft_genmask_cur(net);
4941 struct nft_set *set;
4942 struct nlattr *attr;
4943 struct nft_ctx ctx;
4944 int rem, err = 0;
4945
4946 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4947 genmask);
4948 if (err < 0)
4949 return err;
4950
4951 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4952 if (IS_ERR(set))
4953 return PTR_ERR(set);
4954
4955 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4956 struct netlink_dump_control c = {
4957 .start = nf_tables_dump_set_start,
4958 .dump = nf_tables_dump_set,
4959 .done = nf_tables_dump_set_done,
4960 .module = THIS_MODULE,
4961 };
4962 struct nft_set_dump_ctx dump_ctx = {
4963 .set = set,
4964 .ctx = ctx,
4965 };
4966
4967 c.data = &dump_ctx;
4968 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4969 }
4970
4971 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
4972 return -EINVAL;
4973
4974 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4975 err = nft_get_set_elem(&ctx, set, attr);
4976 if (err < 0)
4977 break;
4978 }
4979
4980 return err;
4981 }
4982
nf_tables_setelem_notify(const struct nft_ctx * ctx,const struct nft_set * set,const struct nft_set_elem * elem,int event,u16 flags)4983 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
4984 const struct nft_set *set,
4985 const struct nft_set_elem *elem,
4986 int event, u16 flags)
4987 {
4988 struct net *net = ctx->net;
4989 u32 portid = ctx->portid;
4990 struct sk_buff *skb;
4991 int err;
4992 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
4993 ctx->table->name, ctx->table->handle,
4994 set->name, set->handle);
4995
4996 audit_log_nfcfg(buf,
4997 ctx->family,
4998 set->handle,
4999 event == NFT_MSG_NEWSETELEM ?
5000 AUDIT_NFT_OP_SETELEM_REGISTER :
5001 AUDIT_NFT_OP_SETELEM_UNREGISTER,
5002 GFP_KERNEL);
5003 kfree(buf);
5004
5005 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5006 return;
5007
5008 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5009 if (skb == NULL)
5010 goto err;
5011
5012 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
5013 set, elem);
5014 if (err < 0) {
5015 kfree_skb(skb);
5016 goto err;
5017 }
5018
5019 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
5020 return;
5021 err:
5022 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5023 }
5024
nft_trans_elem_alloc(struct nft_ctx * ctx,int msg_type,struct nft_set * set)5025 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
5026 int msg_type,
5027 struct nft_set *set)
5028 {
5029 struct nft_trans *trans;
5030
5031 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
5032 if (trans == NULL)
5033 return NULL;
5034
5035 nft_trans_elem_set(trans) = set;
5036 return trans;
5037 }
5038
nft_set_elem_expr_alloc(const struct nft_ctx * ctx,const struct nft_set * set,const struct nlattr * attr)5039 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
5040 const struct nft_set *set,
5041 const struct nlattr *attr)
5042 {
5043 struct nft_expr *expr;
5044 int err;
5045
5046 expr = nft_expr_init(ctx, attr);
5047 if (IS_ERR(expr))
5048 return expr;
5049
5050 err = -EOPNOTSUPP;
5051 if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL))
5052 goto err_set_elem_expr;
5053
5054 if (expr->ops->type->flags & NFT_EXPR_GC) {
5055 if (set->flags & NFT_SET_TIMEOUT)
5056 goto err_set_elem_expr;
5057 if (!set->ops->gc_init)
5058 goto err_set_elem_expr;
5059 set->ops->gc_init(set);
5060 }
5061
5062 return expr;
5063
5064 err_set_elem_expr:
5065 nft_expr_destroy(ctx, expr);
5066 return ERR_PTR(err);
5067 }
5068
nft_set_elem_init(const struct nft_set * set,const struct nft_set_ext_tmpl * tmpl,const u32 * key,const u32 * key_end,const u32 * data,u64 timeout,u64 expiration,gfp_t gfp)5069 void *nft_set_elem_init(const struct nft_set *set,
5070 const struct nft_set_ext_tmpl *tmpl,
5071 const u32 *key, const u32 *key_end,
5072 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp)
5073 {
5074 struct nft_set_ext *ext;
5075 void *elem;
5076
5077 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
5078 if (elem == NULL)
5079 return NULL;
5080
5081 ext = nft_set_elem_ext(set, elem);
5082 nft_set_ext_init(ext, tmpl);
5083
5084 memcpy(nft_set_ext_key(ext), key, set->klen);
5085 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
5086 memcpy(nft_set_ext_key_end(ext), key_end, set->klen);
5087 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5088 memcpy(nft_set_ext_data(ext), data, set->dlen);
5089 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
5090 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
5091 if (expiration == 0)
5092 *nft_set_ext_expiration(ext) += timeout;
5093 }
5094 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
5095 *nft_set_ext_timeout(ext) = timeout;
5096
5097 return elem;
5098 }
5099
nft_set_elem_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)5100 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5101 struct nft_expr *expr)
5102 {
5103 if (expr->ops->destroy_clone) {
5104 expr->ops->destroy_clone(ctx, expr);
5105 module_put(expr->ops->type->owner);
5106 } else {
5107 nf_tables_expr_destroy(ctx, expr);
5108 }
5109 }
5110
nft_set_elem_destroy(const struct nft_set * set,void * elem,bool destroy_expr)5111 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
5112 bool destroy_expr)
5113 {
5114 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5115 struct nft_ctx ctx = {
5116 .net = read_pnet(&set->net),
5117 .family = set->table->family,
5118 };
5119
5120 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
5121 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5122 nft_data_release(nft_set_ext_data(ext), set->dtype);
5123 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
5124 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
5125
5126 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5127 (*nft_set_ext_obj(ext))->use--;
5128 kfree(elem);
5129 }
5130 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
5131
5132 /* Only called from commit path, nft_set_elem_deactivate() already deals with
5133 * the refcounting from the preparation phase.
5134 */
nf_tables_set_elem_destroy(const struct nft_ctx * ctx,const struct nft_set * set,void * elem)5135 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
5136 const struct nft_set *set, void *elem)
5137 {
5138 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5139
5140 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
5141 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
5142
5143 kfree(elem);
5144 }
5145
nft_add_set_elem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr,u32 nlmsg_flags)5146 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
5147 const struct nlattr *attr, u32 nlmsg_flags)
5148 {
5149 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5150 u8 genmask = nft_genmask_next(ctx->net);
5151 struct nft_set_ext_tmpl tmpl;
5152 struct nft_set_ext *ext, *ext2;
5153 struct nft_set_elem elem;
5154 struct nft_set_binding *binding;
5155 struct nft_object *obj = NULL;
5156 struct nft_expr *expr = NULL;
5157 struct nft_userdata *udata;
5158 struct nft_data_desc desc;
5159 enum nft_registers dreg;
5160 struct nft_trans *trans;
5161 u32 flags = 0;
5162 u64 timeout;
5163 u64 expiration;
5164 u8 ulen;
5165 int err;
5166
5167 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5168 nft_set_elem_policy, NULL);
5169 if (err < 0)
5170 return err;
5171
5172 if (nla[NFTA_SET_ELEM_KEY] == NULL)
5173 return -EINVAL;
5174
5175 nft_set_ext_prepare(&tmpl);
5176
5177 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5178 if (err < 0)
5179 return err;
5180 if (flags != 0)
5181 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5182
5183 if (set->flags & NFT_SET_MAP) {
5184 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
5185 !(flags & NFT_SET_ELEM_INTERVAL_END))
5186 return -EINVAL;
5187 } else {
5188 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5189 return -EINVAL;
5190 }
5191
5192 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
5193 (nla[NFTA_SET_ELEM_DATA] ||
5194 nla[NFTA_SET_ELEM_OBJREF] ||
5195 nla[NFTA_SET_ELEM_TIMEOUT] ||
5196 nla[NFTA_SET_ELEM_EXPIRATION] ||
5197 nla[NFTA_SET_ELEM_USERDATA] ||
5198 nla[NFTA_SET_ELEM_EXPR]))
5199 return -EINVAL;
5200
5201 timeout = 0;
5202 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
5203 if (!(set->flags & NFT_SET_TIMEOUT))
5204 return -EINVAL;
5205 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
5206 &timeout);
5207 if (err)
5208 return err;
5209 } else if (set->flags & NFT_SET_TIMEOUT) {
5210 timeout = set->timeout;
5211 }
5212
5213 expiration = 0;
5214 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
5215 if (!(set->flags & NFT_SET_TIMEOUT))
5216 return -EINVAL;
5217 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
5218 &expiration);
5219 if (err)
5220 return err;
5221 }
5222
5223 if (nla[NFTA_SET_ELEM_EXPR] != NULL) {
5224 expr = nft_set_elem_expr_alloc(ctx, set,
5225 nla[NFTA_SET_ELEM_EXPR]);
5226 if (IS_ERR(expr))
5227 return PTR_ERR(expr);
5228
5229 err = -EOPNOTSUPP;
5230 if (set->expr && set->expr->ops != expr->ops)
5231 goto err_set_elem_expr;
5232 } else if (set->expr) {
5233 expr = kzalloc(set->expr->ops->size, GFP_KERNEL);
5234 if (!expr)
5235 return -ENOMEM;
5236
5237 err = nft_expr_clone(expr, set->expr);
5238 if (err < 0)
5239 goto err_set_elem_expr;
5240 }
5241
5242 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5243 nla[NFTA_SET_ELEM_KEY]);
5244 if (err < 0)
5245 goto err_set_elem_expr;
5246
5247 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5248
5249 if (nla[NFTA_SET_ELEM_KEY_END]) {
5250 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5251 nla[NFTA_SET_ELEM_KEY_END]);
5252 if (err < 0)
5253 goto err_parse_key;
5254
5255 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5256 }
5257
5258 if (timeout > 0) {
5259 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
5260 if (timeout != set->timeout)
5261 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
5262 }
5263
5264 if (expr)
5265 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPR,
5266 expr->ops->size);
5267
5268 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
5269 if (!(set->flags & NFT_SET_OBJECT)) {
5270 err = -EINVAL;
5271 goto err_parse_key_end;
5272 }
5273 obj = nft_obj_lookup(ctx->net, ctx->table,
5274 nla[NFTA_SET_ELEM_OBJREF],
5275 set->objtype, genmask);
5276 if (IS_ERR(obj)) {
5277 err = PTR_ERR(obj);
5278 goto err_parse_key_end;
5279 }
5280 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
5281 }
5282
5283 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
5284 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
5285 nla[NFTA_SET_ELEM_DATA]);
5286 if (err < 0)
5287 goto err_parse_key_end;
5288
5289 dreg = nft_type_to_reg(set->dtype);
5290 list_for_each_entry(binding, &set->bindings, list) {
5291 struct nft_ctx bind_ctx = {
5292 .net = ctx->net,
5293 .family = ctx->family,
5294 .table = ctx->table,
5295 .chain = (struct nft_chain *)binding->chain,
5296 };
5297
5298 if (!(binding->flags & NFT_SET_MAP))
5299 continue;
5300
5301 err = nft_validate_register_store(&bind_ctx, dreg,
5302 &elem.data.val,
5303 desc.type, desc.len);
5304 if (err < 0)
5305 goto err_parse_data;
5306
5307 if (desc.type == NFT_DATA_VERDICT &&
5308 (elem.data.val.verdict.code == NFT_GOTO ||
5309 elem.data.val.verdict.code == NFT_JUMP))
5310 nft_validate_state_update(ctx->net,
5311 NFT_VALIDATE_NEED);
5312 }
5313
5314 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
5315 }
5316
5317 /* The full maximum length of userdata can exceed the maximum
5318 * offset value (U8_MAX) for following extensions, therefor it
5319 * must be the last extension added.
5320 */
5321 ulen = 0;
5322 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
5323 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
5324 if (ulen > 0)
5325 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
5326 ulen);
5327 }
5328
5329 err = -ENOMEM;
5330 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5331 elem.key_end.val.data, elem.data.val.data,
5332 timeout, expiration, GFP_KERNEL);
5333 if (elem.priv == NULL)
5334 goto err_parse_data;
5335
5336 ext = nft_set_elem_ext(set, elem.priv);
5337 if (flags)
5338 *nft_set_ext_flags(ext) = flags;
5339 if (ulen > 0) {
5340 udata = nft_set_ext_userdata(ext);
5341 udata->len = ulen - 1;
5342 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
5343 }
5344 if (obj) {
5345 *nft_set_ext_obj(ext) = obj;
5346 obj->use++;
5347 }
5348 if (expr) {
5349 memcpy(nft_set_ext_expr(ext), expr, expr->ops->size);
5350 kfree(expr);
5351 expr = NULL;
5352 }
5353
5354 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
5355 if (trans == NULL)
5356 goto err_trans;
5357
5358 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
5359 err = set->ops->insert(ctx->net, set, &elem, &ext2);
5360 if (err) {
5361 if (err == -EEXIST) {
5362 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
5363 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
5364 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
5365 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
5366 goto err_element_clash;
5367 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5368 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
5369 memcmp(nft_set_ext_data(ext),
5370 nft_set_ext_data(ext2), set->dlen) != 0) ||
5371 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5372 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
5373 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
5374 goto err_element_clash;
5375 else if (!(nlmsg_flags & NLM_F_EXCL))
5376 err = 0;
5377 } else if (err == -ENOTEMPTY) {
5378 /* ENOTEMPTY reports overlapping between this element
5379 * and an existing one.
5380 */
5381 err = -EEXIST;
5382 }
5383 goto err_element_clash;
5384 }
5385
5386 if (set->size &&
5387 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
5388 err = -ENFILE;
5389 goto err_set_full;
5390 }
5391
5392 nft_trans_elem(trans) = elem;
5393 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5394 return 0;
5395
5396 err_set_full:
5397 set->ops->remove(ctx->net, set, &elem);
5398 err_element_clash:
5399 kfree(trans);
5400 err_trans:
5401 if (obj)
5402 obj->use--;
5403
5404 nf_tables_set_elem_destroy(ctx, set, elem.priv);
5405 err_parse_data:
5406 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5407 nft_data_release(&elem.data.val, desc.type);
5408 err_parse_key_end:
5409 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
5410 err_parse_key:
5411 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5412 err_set_elem_expr:
5413 if (expr != NULL)
5414 nft_expr_destroy(ctx, expr);
5415
5416 return err;
5417 }
5418
nf_tables_newsetelem(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)5419 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
5420 struct sk_buff *skb, const struct nlmsghdr *nlh,
5421 const struct nlattr * const nla[],
5422 struct netlink_ext_ack *extack)
5423 {
5424 u8 genmask = nft_genmask_next(net);
5425 const struct nlattr *attr;
5426 struct nft_set *set;
5427 struct nft_ctx ctx;
5428 int rem, err;
5429
5430 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
5431 return -EINVAL;
5432
5433 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5434 genmask);
5435 if (err < 0)
5436 return err;
5437
5438 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
5439 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
5440 if (IS_ERR(set))
5441 return PTR_ERR(set);
5442
5443 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5444 return -EBUSY;
5445
5446 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5447 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
5448 if (err < 0)
5449 return err;
5450 }
5451
5452 if (net->nft.validate_state == NFT_VALIDATE_DO)
5453 return nft_table_validate(net, ctx.table);
5454
5455 return 0;
5456 }
5457
5458 /**
5459 * nft_data_hold - hold a nft_data item
5460 *
5461 * @data: struct nft_data to release
5462 * @type: type of data
5463 *
5464 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
5465 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
5466 * NFT_GOTO verdicts. This function must be called on active data objects
5467 * from the second phase of the commit protocol.
5468 */
nft_data_hold(const struct nft_data * data,enum nft_data_types type)5469 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
5470 {
5471 struct nft_chain *chain;
5472 struct nft_rule *rule;
5473
5474 if (type == NFT_DATA_VERDICT) {
5475 switch (data->verdict.code) {
5476 case NFT_JUMP:
5477 case NFT_GOTO:
5478 chain = data->verdict.chain;
5479 chain->use++;
5480
5481 if (!nft_chain_is_bound(chain))
5482 break;
5483
5484 chain->table->use++;
5485 list_for_each_entry(rule, &chain->rules, list)
5486 chain->use++;
5487
5488 nft_chain_add(chain->table, chain);
5489 break;
5490 }
5491 }
5492 }
5493
nft_set_elem_activate(const struct net * net,const struct nft_set * set,struct nft_set_elem * elem)5494 static void nft_set_elem_activate(const struct net *net,
5495 const struct nft_set *set,
5496 struct nft_set_elem *elem)
5497 {
5498 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5499
5500 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5501 nft_data_hold(nft_set_ext_data(ext), set->dtype);
5502 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5503 (*nft_set_ext_obj(ext))->use++;
5504 }
5505
nft_set_elem_deactivate(const struct net * net,const struct nft_set * set,struct nft_set_elem * elem)5506 static void nft_set_elem_deactivate(const struct net *net,
5507 const struct nft_set *set,
5508 struct nft_set_elem *elem)
5509 {
5510 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5511
5512 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5513 nft_data_release(nft_set_ext_data(ext), set->dtype);
5514 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5515 (*nft_set_ext_obj(ext))->use--;
5516 }
5517
nft_del_setelem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr)5518 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
5519 const struct nlattr *attr)
5520 {
5521 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5522 struct nft_set_ext_tmpl tmpl;
5523 struct nft_set_elem elem;
5524 struct nft_set_ext *ext;
5525 struct nft_trans *trans;
5526 u32 flags = 0;
5527 void *priv;
5528 int err;
5529
5530 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5531 nft_set_elem_policy, NULL);
5532 if (err < 0)
5533 return err;
5534
5535 if (nla[NFTA_SET_ELEM_KEY] == NULL)
5536 return -EINVAL;
5537
5538 nft_set_ext_prepare(&tmpl);
5539
5540 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5541 if (err < 0)
5542 return err;
5543 if (flags != 0)
5544 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5545
5546 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5547 nla[NFTA_SET_ELEM_KEY]);
5548 if (err < 0)
5549 return err;
5550
5551 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5552
5553 if (nla[NFTA_SET_ELEM_KEY_END]) {
5554 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5555 nla[NFTA_SET_ELEM_KEY_END]);
5556 if (err < 0)
5557 return err;
5558
5559 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5560 }
5561
5562 err = -ENOMEM;
5563 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5564 elem.key_end.val.data, NULL, 0, 0,
5565 GFP_KERNEL);
5566 if (elem.priv == NULL)
5567 goto fail_elem;
5568
5569 ext = nft_set_elem_ext(set, elem.priv);
5570 if (flags)
5571 *nft_set_ext_flags(ext) = flags;
5572
5573 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
5574 if (trans == NULL)
5575 goto fail_trans;
5576
5577 priv = set->ops->deactivate(ctx->net, set, &elem);
5578 if (priv == NULL) {
5579 err = -ENOENT;
5580 goto fail_ops;
5581 }
5582 kfree(elem.priv);
5583 elem.priv = priv;
5584
5585 nft_set_elem_deactivate(ctx->net, set, &elem);
5586
5587 nft_trans_elem(trans) = elem;
5588 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5589 return 0;
5590
5591 fail_ops:
5592 kfree(trans);
5593 fail_trans:
5594 kfree(elem.priv);
5595 fail_elem:
5596 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5597 return err;
5598 }
5599
nft_flush_set(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_set_elem * elem)5600 static int nft_flush_set(const struct nft_ctx *ctx,
5601 struct nft_set *set,
5602 const struct nft_set_iter *iter,
5603 struct nft_set_elem *elem)
5604 {
5605 struct nft_trans *trans;
5606 int err;
5607
5608 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
5609 sizeof(struct nft_trans_elem), GFP_ATOMIC);
5610 if (!trans)
5611 return -ENOMEM;
5612
5613 if (!set->ops->flush(ctx->net, set, elem->priv)) {
5614 err = -ENOENT;
5615 goto err1;
5616 }
5617 set->ndeact++;
5618
5619 nft_set_elem_deactivate(ctx->net, set, elem);
5620 nft_trans_elem_set(trans) = set;
5621 nft_trans_elem(trans) = *elem;
5622 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5623
5624 return 0;
5625 err1:
5626 kfree(trans);
5627 return err;
5628 }
5629
nf_tables_delsetelem(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)5630 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
5631 struct sk_buff *skb, const struct nlmsghdr *nlh,
5632 const struct nlattr * const nla[],
5633 struct netlink_ext_ack *extack)
5634 {
5635 u8 genmask = nft_genmask_next(net);
5636 const struct nlattr *attr;
5637 struct nft_set *set;
5638 struct nft_ctx ctx;
5639 int rem, err = 0;
5640
5641 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5642 genmask);
5643 if (err < 0)
5644 return err;
5645
5646 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5647 if (IS_ERR(set))
5648 return PTR_ERR(set);
5649 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5650 return -EBUSY;
5651
5652 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
5653 struct nft_set_iter iter = {
5654 .genmask = genmask,
5655 .fn = nft_flush_set,
5656 };
5657 set->ops->walk(&ctx, set, &iter);
5658
5659 return iter.err;
5660 }
5661
5662 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5663 err = nft_del_setelem(&ctx, set, attr);
5664 if (err < 0)
5665 break;
5666
5667 set->ndeact++;
5668 }
5669 return err;
5670 }
5671
nft_set_gc_batch_release(struct rcu_head * rcu)5672 void nft_set_gc_batch_release(struct rcu_head *rcu)
5673 {
5674 struct nft_set_gc_batch *gcb;
5675 unsigned int i;
5676
5677 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
5678 for (i = 0; i < gcb->head.cnt; i++)
5679 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
5680 kfree(gcb);
5681 }
5682
nft_set_gc_batch_alloc(const struct nft_set * set,gfp_t gfp)5683 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
5684 gfp_t gfp)
5685 {
5686 struct nft_set_gc_batch *gcb;
5687
5688 gcb = kzalloc(sizeof(*gcb), gfp);
5689 if (gcb == NULL)
5690 return gcb;
5691 gcb->head.set = set;
5692 return gcb;
5693 }
5694
5695 /*
5696 * Stateful objects
5697 */
5698
5699 /**
5700 * nft_register_obj- register nf_tables stateful object type
5701 * @obj_type: object type
5702 *
5703 * Registers the object type for use with nf_tables. Returns zero on
5704 * success or a negative errno code otherwise.
5705 */
nft_register_obj(struct nft_object_type * obj_type)5706 int nft_register_obj(struct nft_object_type *obj_type)
5707 {
5708 if (obj_type->type == NFT_OBJECT_UNSPEC)
5709 return -EINVAL;
5710
5711 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5712 list_add_rcu(&obj_type->list, &nf_tables_objects);
5713 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5714 return 0;
5715 }
5716 EXPORT_SYMBOL_GPL(nft_register_obj);
5717
5718 /**
5719 * nft_unregister_obj - unregister nf_tables object type
5720 * @obj_type: object type
5721 *
5722 * Unregisters the object type for use with nf_tables.
5723 */
nft_unregister_obj(struct nft_object_type * obj_type)5724 void nft_unregister_obj(struct nft_object_type *obj_type)
5725 {
5726 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5727 list_del_rcu(&obj_type->list);
5728 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5729 }
5730 EXPORT_SYMBOL_GPL(nft_unregister_obj);
5731
nft_obj_lookup(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u32 objtype,u8 genmask)5732 struct nft_object *nft_obj_lookup(const struct net *net,
5733 const struct nft_table *table,
5734 const struct nlattr *nla, u32 objtype,
5735 u8 genmask)
5736 {
5737 struct nft_object_hash_key k = { .table = table };
5738 char search[NFT_OBJ_MAXNAMELEN];
5739 struct rhlist_head *tmp, *list;
5740 struct nft_object *obj;
5741
5742 nla_strlcpy(search, nla, sizeof(search));
5743 k.name = search;
5744
5745 WARN_ON_ONCE(!rcu_read_lock_held() &&
5746 !lockdep_commit_lock_is_held(net));
5747
5748 rcu_read_lock();
5749 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
5750 if (!list)
5751 goto out;
5752
5753 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
5754 if (objtype == obj->ops->type->type &&
5755 nft_active_genmask(obj, genmask)) {
5756 rcu_read_unlock();
5757 return obj;
5758 }
5759 }
5760 out:
5761 rcu_read_unlock();
5762 return ERR_PTR(-ENOENT);
5763 }
5764 EXPORT_SYMBOL_GPL(nft_obj_lookup);
5765
nft_obj_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u32 objtype,u8 genmask)5766 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
5767 const struct nlattr *nla,
5768 u32 objtype, u8 genmask)
5769 {
5770 struct nft_object *obj;
5771
5772 list_for_each_entry(obj, &table->objects, list) {
5773 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
5774 objtype == obj->ops->type->type &&
5775 nft_active_genmask(obj, genmask))
5776 return obj;
5777 }
5778 return ERR_PTR(-ENOENT);
5779 }
5780
5781 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
5782 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
5783 .len = NFT_TABLE_MAXNAMELEN - 1 },
5784 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
5785 .len = NFT_OBJ_MAXNAMELEN - 1 },
5786 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
5787 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
5788 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
5789 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY,
5790 .len = NFT_USERDATA_MAXLEN },
5791 };
5792
nft_obj_init(const struct nft_ctx * ctx,const struct nft_object_type * type,const struct nlattr * attr)5793 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
5794 const struct nft_object_type *type,
5795 const struct nlattr *attr)
5796 {
5797 struct nlattr **tb;
5798 const struct nft_object_ops *ops;
5799 struct nft_object *obj;
5800 int err = -ENOMEM;
5801
5802 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
5803 if (!tb)
5804 goto err1;
5805
5806 if (attr) {
5807 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
5808 type->policy, NULL);
5809 if (err < 0)
5810 goto err2;
5811 } else {
5812 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
5813 }
5814
5815 if (type->select_ops) {
5816 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
5817 if (IS_ERR(ops)) {
5818 err = PTR_ERR(ops);
5819 goto err2;
5820 }
5821 } else {
5822 ops = type->ops;
5823 }
5824
5825 err = -ENOMEM;
5826 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
5827 if (!obj)
5828 goto err2;
5829
5830 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
5831 if (err < 0)
5832 goto err3;
5833
5834 obj->ops = ops;
5835
5836 kfree(tb);
5837 return obj;
5838 err3:
5839 kfree(obj);
5840 err2:
5841 kfree(tb);
5842 err1:
5843 return ERR_PTR(err);
5844 }
5845
nft_object_dump(struct sk_buff * skb,unsigned int attr,struct nft_object * obj,bool reset)5846 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
5847 struct nft_object *obj, bool reset)
5848 {
5849 struct nlattr *nest;
5850
5851 nest = nla_nest_start_noflag(skb, attr);
5852 if (!nest)
5853 goto nla_put_failure;
5854 if (obj->ops->dump(skb, obj, reset) < 0)
5855 goto nla_put_failure;
5856 nla_nest_end(skb, nest);
5857 return 0;
5858
5859 nla_put_failure:
5860 return -1;
5861 }
5862
__nft_obj_type_get(u32 objtype)5863 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
5864 {
5865 const struct nft_object_type *type;
5866
5867 list_for_each_entry(type, &nf_tables_objects, list) {
5868 if (objtype == type->type)
5869 return type;
5870 }
5871 return NULL;
5872 }
5873
5874 static const struct nft_object_type *
nft_obj_type_get(struct net * net,u32 objtype)5875 nft_obj_type_get(struct net *net, u32 objtype)
5876 {
5877 const struct nft_object_type *type;
5878
5879 type = __nft_obj_type_get(objtype);
5880 if (type != NULL && try_module_get(type->owner))
5881 return type;
5882
5883 lockdep_nfnl_nft_mutex_not_held();
5884 #ifdef CONFIG_MODULES
5885 if (type == NULL) {
5886 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
5887 return ERR_PTR(-EAGAIN);
5888 }
5889 #endif
5890 return ERR_PTR(-ENOENT);
5891 }
5892
nf_tables_updobj(const struct nft_ctx * ctx,const struct nft_object_type * type,const struct nlattr * attr,struct nft_object * obj)5893 static int nf_tables_updobj(const struct nft_ctx *ctx,
5894 const struct nft_object_type *type,
5895 const struct nlattr *attr,
5896 struct nft_object *obj)
5897 {
5898 struct nft_object *newobj;
5899 struct nft_trans *trans;
5900 int err;
5901
5902 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
5903 sizeof(struct nft_trans_obj));
5904 if (!trans)
5905 return -ENOMEM;
5906
5907 newobj = nft_obj_init(ctx, type, attr);
5908 if (IS_ERR(newobj)) {
5909 err = PTR_ERR(newobj);
5910 goto err_free_trans;
5911 }
5912
5913 nft_trans_obj(trans) = obj;
5914 nft_trans_obj_update(trans) = true;
5915 nft_trans_obj_newobj(trans) = newobj;
5916 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5917
5918 return 0;
5919
5920 err_free_trans:
5921 kfree(trans);
5922 return err;
5923 }
5924
nf_tables_newobj(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)5925 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
5926 struct sk_buff *skb, const struct nlmsghdr *nlh,
5927 const struct nlattr * const nla[],
5928 struct netlink_ext_ack *extack)
5929 {
5930 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5931 const struct nft_object_type *type;
5932 u8 genmask = nft_genmask_next(net);
5933 int family = nfmsg->nfgen_family;
5934 struct nft_table *table;
5935 struct nft_object *obj;
5936 struct nft_ctx ctx;
5937 u32 objtype;
5938 int err;
5939
5940 if (!nla[NFTA_OBJ_TYPE] ||
5941 !nla[NFTA_OBJ_NAME] ||
5942 !nla[NFTA_OBJ_DATA])
5943 return -EINVAL;
5944
5945 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5946 if (IS_ERR(table)) {
5947 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5948 return PTR_ERR(table);
5949 }
5950
5951 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5952 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5953 if (IS_ERR(obj)) {
5954 err = PTR_ERR(obj);
5955 if (err != -ENOENT) {
5956 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5957 return err;
5958 }
5959 } else {
5960 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5961 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5962 return -EEXIST;
5963 }
5964 if (nlh->nlmsg_flags & NLM_F_REPLACE)
5965 return -EOPNOTSUPP;
5966
5967 type = __nft_obj_type_get(objtype);
5968 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5969
5970 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
5971 }
5972
5973 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5974
5975 type = nft_obj_type_get(net, objtype);
5976 if (IS_ERR(type))
5977 return PTR_ERR(type);
5978
5979 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
5980 if (IS_ERR(obj)) {
5981 err = PTR_ERR(obj);
5982 goto err_init;
5983 }
5984 obj->key.table = table;
5985 obj->handle = nf_tables_alloc_handle(table);
5986
5987 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
5988 if (!obj->key.name) {
5989 err = -ENOMEM;
5990 goto err_strdup;
5991 }
5992
5993 if (nla[NFTA_OBJ_USERDATA]) {
5994 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL);
5995 if (obj->udata == NULL)
5996 goto err_userdata;
5997
5998 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
5999 }
6000
6001 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
6002 if (err < 0)
6003 goto err_trans;
6004
6005 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
6006 nft_objname_ht_params);
6007 if (err < 0)
6008 goto err_obj_ht;
6009
6010 list_add_tail_rcu(&obj->list, &table->objects);
6011 table->use++;
6012 return 0;
6013 err_obj_ht:
6014 /* queued in transaction log */
6015 INIT_LIST_HEAD(&obj->list);
6016 return err;
6017 err_trans:
6018 kfree(obj->key.name);
6019 err_userdata:
6020 kfree(obj->udata);
6021 err_strdup:
6022 if (obj->ops->destroy)
6023 obj->ops->destroy(&ctx, obj);
6024 kfree(obj);
6025 err_init:
6026 module_put(type->owner);
6027 return err;
6028 }
6029
nf_tables_fill_obj_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,struct nft_object * obj,bool reset)6030 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
6031 u32 portid, u32 seq, int event, u32 flags,
6032 int family, const struct nft_table *table,
6033 struct nft_object *obj, bool reset)
6034 {
6035 struct nfgenmsg *nfmsg;
6036 struct nlmsghdr *nlh;
6037
6038 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6039 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
6040 if (nlh == NULL)
6041 goto nla_put_failure;
6042
6043 nfmsg = nlmsg_data(nlh);
6044 nfmsg->nfgen_family = family;
6045 nfmsg->version = NFNETLINK_V0;
6046 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6047
6048 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
6049 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
6050 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
6051 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
6052 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
6053 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
6054 NFTA_OBJ_PAD))
6055 goto nla_put_failure;
6056
6057 if (obj->udata &&
6058 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
6059 goto nla_put_failure;
6060
6061 nlmsg_end(skb, nlh);
6062 return 0;
6063
6064 nla_put_failure:
6065 nlmsg_trim(skb, nlh);
6066 return -1;
6067 }
6068
6069 struct nft_obj_filter {
6070 char *table;
6071 u32 type;
6072 };
6073
nf_tables_dump_obj(struct sk_buff * skb,struct netlink_callback * cb)6074 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
6075 {
6076 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6077 const struct nft_table *table;
6078 unsigned int idx = 0, s_idx = cb->args[0];
6079 struct nft_obj_filter *filter = cb->data;
6080 struct net *net = sock_net(skb->sk);
6081 int family = nfmsg->nfgen_family;
6082 struct nft_object *obj;
6083 bool reset = false;
6084
6085 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
6086 reset = true;
6087
6088 rcu_read_lock();
6089 cb->seq = net->nft.base_seq;
6090
6091 list_for_each_entry_rcu(table, &net->nft.tables, list) {
6092 if (family != NFPROTO_UNSPEC && family != table->family)
6093 continue;
6094
6095 list_for_each_entry_rcu(obj, &table->objects, list) {
6096 if (!nft_is_active(net, obj))
6097 goto cont;
6098 if (idx < s_idx)
6099 goto cont;
6100 if (idx > s_idx)
6101 memset(&cb->args[1], 0,
6102 sizeof(cb->args) - sizeof(cb->args[0]));
6103 if (filter && filter->table &&
6104 strcmp(filter->table, table->name))
6105 goto cont;
6106 if (filter &&
6107 filter->type != NFT_OBJECT_UNSPEC &&
6108 obj->ops->type->type != filter->type)
6109 goto cont;
6110
6111 if (reset) {
6112 char *buf = kasprintf(GFP_ATOMIC,
6113 "%s:%llu;?:0",
6114 table->name,
6115 table->handle);
6116
6117 audit_log_nfcfg(buf,
6118 family,
6119 obj->handle,
6120 AUDIT_NFT_OP_OBJ_RESET,
6121 GFP_ATOMIC);
6122 kfree(buf);
6123 }
6124
6125 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
6126 cb->nlh->nlmsg_seq,
6127 NFT_MSG_NEWOBJ,
6128 NLM_F_MULTI | NLM_F_APPEND,
6129 table->family, table,
6130 obj, reset) < 0)
6131 goto done;
6132
6133 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6134 cont:
6135 idx++;
6136 }
6137 }
6138 done:
6139 rcu_read_unlock();
6140
6141 cb->args[0] = idx;
6142 return skb->len;
6143 }
6144
nf_tables_dump_obj_start(struct netlink_callback * cb)6145 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
6146 {
6147 const struct nlattr * const *nla = cb->data;
6148 struct nft_obj_filter *filter = NULL;
6149
6150 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
6151 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6152 if (!filter)
6153 return -ENOMEM;
6154
6155 if (nla[NFTA_OBJ_TABLE]) {
6156 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
6157 if (!filter->table) {
6158 kfree(filter);
6159 return -ENOMEM;
6160 }
6161 }
6162
6163 if (nla[NFTA_OBJ_TYPE])
6164 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6165 }
6166
6167 cb->data = filter;
6168 return 0;
6169 }
6170
nf_tables_dump_obj_done(struct netlink_callback * cb)6171 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
6172 {
6173 struct nft_obj_filter *filter = cb->data;
6174
6175 if (filter) {
6176 kfree(filter->table);
6177 kfree(filter);
6178 }
6179
6180 return 0;
6181 }
6182
6183 /* called with rcu_read_lock held */
nf_tables_getobj(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)6184 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
6185 struct sk_buff *skb, const struct nlmsghdr *nlh,
6186 const struct nlattr * const nla[],
6187 struct netlink_ext_ack *extack)
6188 {
6189 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6190 u8 genmask = nft_genmask_cur(net);
6191 int family = nfmsg->nfgen_family;
6192 const struct nft_table *table;
6193 struct nft_object *obj;
6194 struct sk_buff *skb2;
6195 bool reset = false;
6196 u32 objtype;
6197 int err;
6198
6199 if (nlh->nlmsg_flags & NLM_F_DUMP) {
6200 struct netlink_dump_control c = {
6201 .start = nf_tables_dump_obj_start,
6202 .dump = nf_tables_dump_obj,
6203 .done = nf_tables_dump_obj_done,
6204 .module = THIS_MODULE,
6205 .data = (void *)nla,
6206 };
6207
6208 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
6209 }
6210
6211 if (!nla[NFTA_OBJ_NAME] ||
6212 !nla[NFTA_OBJ_TYPE])
6213 return -EINVAL;
6214
6215 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
6216 if (IS_ERR(table)) {
6217 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6218 return PTR_ERR(table);
6219 }
6220
6221 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6222 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
6223 if (IS_ERR(obj)) {
6224 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6225 return PTR_ERR(obj);
6226 }
6227
6228 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6229 if (!skb2)
6230 return -ENOMEM;
6231
6232 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
6233 reset = true;
6234
6235 if (reset) {
6236 char *buf = kasprintf(GFP_ATOMIC, "%s:%llu;?:0",
6237 table->name, table->handle);
6238
6239 audit_log_nfcfg(buf,
6240 family,
6241 obj->handle,
6242 AUDIT_NFT_OP_OBJ_RESET,
6243 GFP_ATOMIC);
6244 kfree(buf);
6245 }
6246
6247 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
6248 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
6249 family, table, obj, reset);
6250 if (err < 0)
6251 goto err_fill_obj_info;
6252
6253 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
6254
6255 err_fill_obj_info:
6256 kfree_skb(skb2);
6257 return err;
6258 }
6259
nft_obj_destroy(const struct nft_ctx * ctx,struct nft_object * obj)6260 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
6261 {
6262 if (obj->ops->destroy)
6263 obj->ops->destroy(ctx, obj);
6264
6265 module_put(obj->ops->type->owner);
6266 kfree(obj->key.name);
6267 kfree(obj->udata);
6268 kfree(obj);
6269 }
6270
nf_tables_delobj(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)6271 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
6272 struct sk_buff *skb, const struct nlmsghdr *nlh,
6273 const struct nlattr * const nla[],
6274 struct netlink_ext_ack *extack)
6275 {
6276 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6277 u8 genmask = nft_genmask_next(net);
6278 int family = nfmsg->nfgen_family;
6279 const struct nlattr *attr;
6280 struct nft_table *table;
6281 struct nft_object *obj;
6282 struct nft_ctx ctx;
6283 u32 objtype;
6284
6285 if (!nla[NFTA_OBJ_TYPE] ||
6286 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
6287 return -EINVAL;
6288
6289 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
6290 if (IS_ERR(table)) {
6291 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6292 return PTR_ERR(table);
6293 }
6294
6295 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6296 if (nla[NFTA_OBJ_HANDLE]) {
6297 attr = nla[NFTA_OBJ_HANDLE];
6298 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
6299 } else {
6300 attr = nla[NFTA_OBJ_NAME];
6301 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
6302 }
6303
6304 if (IS_ERR(obj)) {
6305 NL_SET_BAD_ATTR(extack, attr);
6306 return PTR_ERR(obj);
6307 }
6308 if (obj->use > 0) {
6309 NL_SET_BAD_ATTR(extack, attr);
6310 return -EBUSY;
6311 }
6312
6313 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6314
6315 return nft_delobj(&ctx, obj);
6316 }
6317
nft_obj_notify(struct net * net,const struct nft_table * table,struct nft_object * obj,u32 portid,u32 seq,int event,int family,int report,gfp_t gfp)6318 void nft_obj_notify(struct net *net, const struct nft_table *table,
6319 struct nft_object *obj, u32 portid, u32 seq, int event,
6320 int family, int report, gfp_t gfp)
6321 {
6322 struct sk_buff *skb;
6323 int err;
6324 char *buf = kasprintf(gfp, "%s:%llu;?:0",
6325 table->name, table->handle);
6326
6327 audit_log_nfcfg(buf,
6328 family,
6329 obj->handle,
6330 event == NFT_MSG_NEWOBJ ?
6331 AUDIT_NFT_OP_OBJ_REGISTER :
6332 AUDIT_NFT_OP_OBJ_UNREGISTER,
6333 gfp);
6334 kfree(buf);
6335
6336 if (!report &&
6337 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6338 return;
6339
6340 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
6341 if (skb == NULL)
6342 goto err;
6343
6344 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
6345 table, obj, false);
6346 if (err < 0) {
6347 kfree_skb(skb);
6348 goto err;
6349 }
6350
6351 nft_notify_enqueue(skb, report, &net->nft.notify_list);
6352 return;
6353 err:
6354 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
6355 }
6356 EXPORT_SYMBOL_GPL(nft_obj_notify);
6357
nf_tables_obj_notify(const struct nft_ctx * ctx,struct nft_object * obj,int event)6358 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
6359 struct nft_object *obj, int event)
6360 {
6361 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
6362 ctx->family, ctx->report, GFP_KERNEL);
6363 }
6364
6365 /*
6366 * Flow tables
6367 */
nft_register_flowtable_type(struct nf_flowtable_type * type)6368 void nft_register_flowtable_type(struct nf_flowtable_type *type)
6369 {
6370 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6371 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
6372 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6373 }
6374 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
6375
nft_unregister_flowtable_type(struct nf_flowtable_type * type)6376 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
6377 {
6378 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6379 list_del_rcu(&type->list);
6380 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6381 }
6382 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
6383
6384 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
6385 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
6386 .len = NFT_NAME_MAXLEN - 1 },
6387 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
6388 .len = NFT_NAME_MAXLEN - 1 },
6389 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
6390 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
6391 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
6392 };
6393
nft_flowtable_lookup(const struct nft_table * table,const struct nlattr * nla,u8 genmask)6394 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
6395 const struct nlattr *nla, u8 genmask)
6396 {
6397 struct nft_flowtable *flowtable;
6398
6399 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6400 if (!nla_strcmp(nla, flowtable->name) &&
6401 nft_active_genmask(flowtable, genmask))
6402 return flowtable;
6403 }
6404 return ERR_PTR(-ENOENT);
6405 }
6406 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
6407
nf_tables_deactivate_flowtable(const struct nft_ctx * ctx,struct nft_flowtable * flowtable,enum nft_trans_phase phase)6408 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
6409 struct nft_flowtable *flowtable,
6410 enum nft_trans_phase phase)
6411 {
6412 switch (phase) {
6413 case NFT_TRANS_PREPARE:
6414 case NFT_TRANS_ABORT:
6415 case NFT_TRANS_RELEASE:
6416 flowtable->use--;
6417 fallthrough;
6418 default:
6419 return;
6420 }
6421 }
6422 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
6423
6424 static struct nft_flowtable *
nft_flowtable_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u8 genmask)6425 nft_flowtable_lookup_byhandle(const struct nft_table *table,
6426 const struct nlattr *nla, u8 genmask)
6427 {
6428 struct nft_flowtable *flowtable;
6429
6430 list_for_each_entry(flowtable, &table->flowtables, list) {
6431 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
6432 nft_active_genmask(flowtable, genmask))
6433 return flowtable;
6434 }
6435 return ERR_PTR(-ENOENT);
6436 }
6437
6438 struct nft_flowtable_hook {
6439 u32 num;
6440 int priority;
6441 struct list_head list;
6442 };
6443
6444 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
6445 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
6446 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
6447 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
6448 };
6449
nft_flowtable_parse_hook(const struct nft_ctx * ctx,const struct nlattr * attr,struct nft_flowtable_hook * flowtable_hook,struct nft_flowtable * flowtable,bool add)6450 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
6451 const struct nlattr *attr,
6452 struct nft_flowtable_hook *flowtable_hook,
6453 struct nft_flowtable *flowtable, bool add)
6454 {
6455 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
6456 struct nft_hook *hook;
6457 int hooknum, priority;
6458 int err;
6459
6460 INIT_LIST_HEAD(&flowtable_hook->list);
6461
6462 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
6463 nft_flowtable_hook_policy, NULL);
6464 if (err < 0)
6465 return err;
6466
6467 if (add) {
6468 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
6469 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY])
6470 return -EINVAL;
6471
6472 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
6473 if (hooknum != NF_NETDEV_INGRESS)
6474 return -EOPNOTSUPP;
6475
6476 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
6477
6478 flowtable_hook->priority = priority;
6479 flowtable_hook->num = hooknum;
6480 } else {
6481 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
6482 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
6483 if (hooknum != flowtable->hooknum)
6484 return -EOPNOTSUPP;
6485 }
6486
6487 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
6488 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
6489 if (priority != flowtable->data.priority)
6490 return -EOPNOTSUPP;
6491 }
6492
6493 flowtable_hook->priority = flowtable->data.priority;
6494 flowtable_hook->num = flowtable->hooknum;
6495 }
6496
6497 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
6498 err = nf_tables_parse_netdev_hooks(ctx->net,
6499 tb[NFTA_FLOWTABLE_HOOK_DEVS],
6500 &flowtable_hook->list);
6501 if (err < 0)
6502 return err;
6503 }
6504
6505 list_for_each_entry(hook, &flowtable_hook->list, list) {
6506 hook->ops.pf = NFPROTO_NETDEV;
6507 hook->ops.hooknum = flowtable_hook->num;
6508 hook->ops.priority = flowtable_hook->priority;
6509 hook->ops.priv = &flowtable->data;
6510 hook->ops.hook = flowtable->data.type->hook;
6511 }
6512
6513 return err;
6514 }
6515
__nft_flowtable_type_get(u8 family)6516 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
6517 {
6518 const struct nf_flowtable_type *type;
6519
6520 list_for_each_entry(type, &nf_tables_flowtables, list) {
6521 if (family == type->family)
6522 return type;
6523 }
6524 return NULL;
6525 }
6526
6527 static const struct nf_flowtable_type *
nft_flowtable_type_get(struct net * net,u8 family)6528 nft_flowtable_type_get(struct net *net, u8 family)
6529 {
6530 const struct nf_flowtable_type *type;
6531
6532 type = __nft_flowtable_type_get(family);
6533 if (type != NULL && try_module_get(type->owner))
6534 return type;
6535
6536 lockdep_nfnl_nft_mutex_not_held();
6537 #ifdef CONFIG_MODULES
6538 if (type == NULL) {
6539 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
6540 return ERR_PTR(-EAGAIN);
6541 }
6542 #endif
6543 return ERR_PTR(-ENOENT);
6544 }
6545
6546 /* Only called from error and netdev event paths. */
nft_unregister_flowtable_hook(struct net * net,struct nft_flowtable * flowtable,struct nft_hook * hook)6547 static void nft_unregister_flowtable_hook(struct net *net,
6548 struct nft_flowtable *flowtable,
6549 struct nft_hook *hook)
6550 {
6551 nf_unregister_net_hook(net, &hook->ops);
6552 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
6553 FLOW_BLOCK_UNBIND);
6554 }
6555
nft_unregister_flowtable_net_hooks(struct net * net,struct list_head * hook_list)6556 static void nft_unregister_flowtable_net_hooks(struct net *net,
6557 struct list_head *hook_list)
6558 {
6559 struct nft_hook *hook;
6560
6561 list_for_each_entry(hook, hook_list, list)
6562 nf_unregister_net_hook(net, &hook->ops);
6563 }
6564
nft_register_flowtable_net_hooks(struct net * net,struct nft_table * table,struct list_head * hook_list,struct nft_flowtable * flowtable)6565 static int nft_register_flowtable_net_hooks(struct net *net,
6566 struct nft_table *table,
6567 struct list_head *hook_list,
6568 struct nft_flowtable *flowtable)
6569 {
6570 struct nft_hook *hook, *hook2, *next;
6571 struct nft_flowtable *ft;
6572 int err, i = 0;
6573
6574 list_for_each_entry(hook, hook_list, list) {
6575 list_for_each_entry(ft, &table->flowtables, list) {
6576 list_for_each_entry(hook2, &ft->hook_list, list) {
6577 if (hook->ops.dev == hook2->ops.dev &&
6578 hook->ops.pf == hook2->ops.pf) {
6579 err = -EEXIST;
6580 goto err_unregister_net_hooks;
6581 }
6582 }
6583 }
6584
6585 err = flowtable->data.type->setup(&flowtable->data,
6586 hook->ops.dev,
6587 FLOW_BLOCK_BIND);
6588 if (err < 0)
6589 goto err_unregister_net_hooks;
6590
6591 err = nf_register_net_hook(net, &hook->ops);
6592 if (err < 0) {
6593 flowtable->data.type->setup(&flowtable->data,
6594 hook->ops.dev,
6595 FLOW_BLOCK_UNBIND);
6596 goto err_unregister_net_hooks;
6597 }
6598
6599 i++;
6600 }
6601
6602 return 0;
6603
6604 err_unregister_net_hooks:
6605 list_for_each_entry_safe(hook, next, hook_list, list) {
6606 if (i-- <= 0)
6607 break;
6608
6609 nft_unregister_flowtable_hook(net, flowtable, hook);
6610 list_del_rcu(&hook->list);
6611 kfree_rcu(hook, rcu);
6612 }
6613
6614 return err;
6615 }
6616
nft_flowtable_hooks_destroy(struct list_head * hook_list)6617 static void nft_flowtable_hooks_destroy(struct list_head *hook_list)
6618 {
6619 struct nft_hook *hook, *next;
6620
6621 list_for_each_entry_safe(hook, next, hook_list, list) {
6622 list_del_rcu(&hook->list);
6623 kfree_rcu(hook, rcu);
6624 }
6625 }
6626
nft_flowtable_update(struct nft_ctx * ctx,const struct nlmsghdr * nlh,struct nft_flowtable * flowtable)6627 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
6628 struct nft_flowtable *flowtable)
6629 {
6630 const struct nlattr * const *nla = ctx->nla;
6631 struct nft_flowtable_hook flowtable_hook;
6632 struct nft_hook *hook, *next;
6633 struct nft_trans *trans;
6634 bool unregister = false;
6635 int err;
6636
6637 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
6638 &flowtable_hook, flowtable, false);
6639 if (err < 0)
6640 return err;
6641
6642 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
6643 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
6644 list_del(&hook->list);
6645 kfree(hook);
6646 }
6647 }
6648
6649 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
6650 &flowtable_hook.list, flowtable);
6651 if (err < 0)
6652 goto err_flowtable_update_hook;
6653
6654 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
6655 sizeof(struct nft_trans_flowtable));
6656 if (!trans) {
6657 unregister = true;
6658 err = -ENOMEM;
6659 goto err_flowtable_update_hook;
6660 }
6661
6662 nft_trans_flowtable(trans) = flowtable;
6663 nft_trans_flowtable_update(trans) = true;
6664 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
6665 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
6666
6667 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
6668
6669 return 0;
6670
6671 err_flowtable_update_hook:
6672 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
6673 if (unregister)
6674 nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
6675 list_del_rcu(&hook->list);
6676 kfree_rcu(hook, rcu);
6677 }
6678
6679 return err;
6680
6681 }
6682
nf_tables_newflowtable(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)6683 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
6684 struct sk_buff *skb,
6685 const struct nlmsghdr *nlh,
6686 const struct nlattr * const nla[],
6687 struct netlink_ext_ack *extack)
6688 {
6689 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6690 struct nft_flowtable_hook flowtable_hook;
6691 const struct nf_flowtable_type *type;
6692 u8 genmask = nft_genmask_next(net);
6693 int family = nfmsg->nfgen_family;
6694 struct nft_flowtable *flowtable;
6695 struct nft_hook *hook, *next;
6696 struct nft_table *table;
6697 struct nft_ctx ctx;
6698 int err;
6699
6700 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6701 !nla[NFTA_FLOWTABLE_NAME] ||
6702 !nla[NFTA_FLOWTABLE_HOOK])
6703 return -EINVAL;
6704
6705 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6706 genmask);
6707 if (IS_ERR(table)) {
6708 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6709 return PTR_ERR(table);
6710 }
6711
6712 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6713 genmask);
6714 if (IS_ERR(flowtable)) {
6715 err = PTR_ERR(flowtable);
6716 if (err != -ENOENT) {
6717 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6718 return err;
6719 }
6720 } else {
6721 if (nlh->nlmsg_flags & NLM_F_EXCL) {
6722 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6723 return -EEXIST;
6724 }
6725
6726 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6727
6728 return nft_flowtable_update(&ctx, nlh, flowtable);
6729 }
6730
6731 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6732
6733 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
6734 if (!flowtable)
6735 return -ENOMEM;
6736
6737 flowtable->table = table;
6738 flowtable->handle = nf_tables_alloc_handle(table);
6739 INIT_LIST_HEAD(&flowtable->hook_list);
6740
6741 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
6742 if (!flowtable->name) {
6743 err = -ENOMEM;
6744 goto err1;
6745 }
6746
6747 type = nft_flowtable_type_get(net, family);
6748 if (IS_ERR(type)) {
6749 err = PTR_ERR(type);
6750 goto err2;
6751 }
6752
6753 if (nla[NFTA_FLOWTABLE_FLAGS]) {
6754 flowtable->data.flags =
6755 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
6756 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK)
6757 goto err3;
6758 }
6759
6760 write_pnet(&flowtable->data.net, net);
6761 flowtable->data.type = type;
6762 err = type->init(&flowtable->data);
6763 if (err < 0)
6764 goto err3;
6765
6766 err = nft_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
6767 &flowtable_hook, flowtable, true);
6768 if (err < 0)
6769 goto err4;
6770
6771 list_splice(&flowtable_hook.list, &flowtable->hook_list);
6772 flowtable->data.priority = flowtable_hook.priority;
6773 flowtable->hooknum = flowtable_hook.num;
6774
6775 err = nft_register_flowtable_net_hooks(ctx.net, table,
6776 &flowtable->hook_list,
6777 flowtable);
6778 if (err < 0) {
6779 nft_flowtable_hooks_destroy(&flowtable->hook_list);
6780 goto err4;
6781 }
6782
6783 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
6784 if (err < 0)
6785 goto err5;
6786
6787 list_add_tail_rcu(&flowtable->list, &table->flowtables);
6788 table->use++;
6789
6790 return 0;
6791 err5:
6792 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6793 nft_unregister_flowtable_hook(net, flowtable, hook);
6794 list_del_rcu(&hook->list);
6795 kfree_rcu(hook, rcu);
6796 }
6797 err4:
6798 flowtable->data.type->free(&flowtable->data);
6799 err3:
6800 module_put(type->owner);
6801 err2:
6802 kfree(flowtable->name);
6803 err1:
6804 kfree(flowtable);
6805 return err;
6806 }
6807
nft_flowtable_hook_release(struct nft_flowtable_hook * flowtable_hook)6808 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
6809 {
6810 struct nft_hook *this, *next;
6811
6812 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
6813 list_del(&this->list);
6814 kfree(this);
6815 }
6816 }
6817
nft_delflowtable_hook(struct nft_ctx * ctx,struct nft_flowtable * flowtable)6818 static int nft_delflowtable_hook(struct nft_ctx *ctx,
6819 struct nft_flowtable *flowtable)
6820 {
6821 const struct nlattr * const *nla = ctx->nla;
6822 struct nft_flowtable_hook flowtable_hook;
6823 struct nft_hook *this, *hook;
6824 struct nft_trans *trans;
6825 int err;
6826
6827 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
6828 &flowtable_hook, flowtable, false);
6829 if (err < 0)
6830 return err;
6831
6832 list_for_each_entry(this, &flowtable_hook.list, list) {
6833 hook = nft_hook_list_find(&flowtable->hook_list, this);
6834 if (!hook) {
6835 err = -ENOENT;
6836 goto err_flowtable_del_hook;
6837 }
6838 hook->inactive = true;
6839 }
6840
6841 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
6842 sizeof(struct nft_trans_flowtable));
6843 if (!trans) {
6844 err = -ENOMEM;
6845 goto err_flowtable_del_hook;
6846 }
6847
6848 nft_trans_flowtable(trans) = flowtable;
6849 nft_trans_flowtable_update(trans) = true;
6850 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
6851 nft_flowtable_hook_release(&flowtable_hook);
6852
6853 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
6854
6855 return 0;
6856
6857 err_flowtable_del_hook:
6858 list_for_each_entry(this, &flowtable_hook.list, list) {
6859 hook = nft_hook_list_find(&flowtable->hook_list, this);
6860 if (!hook)
6861 break;
6862
6863 hook->inactive = false;
6864 }
6865 nft_flowtable_hook_release(&flowtable_hook);
6866
6867 return err;
6868 }
6869
nf_tables_delflowtable(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)6870 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
6871 struct sk_buff *skb,
6872 const struct nlmsghdr *nlh,
6873 const struct nlattr * const nla[],
6874 struct netlink_ext_ack *extack)
6875 {
6876 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6877 u8 genmask = nft_genmask_next(net);
6878 int family = nfmsg->nfgen_family;
6879 struct nft_flowtable *flowtable;
6880 const struct nlattr *attr;
6881 struct nft_table *table;
6882 struct nft_ctx ctx;
6883
6884 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6885 (!nla[NFTA_FLOWTABLE_NAME] &&
6886 !nla[NFTA_FLOWTABLE_HANDLE]))
6887 return -EINVAL;
6888
6889 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6890 genmask);
6891 if (IS_ERR(table)) {
6892 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6893 return PTR_ERR(table);
6894 }
6895
6896 if (nla[NFTA_FLOWTABLE_HANDLE]) {
6897 attr = nla[NFTA_FLOWTABLE_HANDLE];
6898 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
6899 } else {
6900 attr = nla[NFTA_FLOWTABLE_NAME];
6901 flowtable = nft_flowtable_lookup(table, attr, genmask);
6902 }
6903
6904 if (IS_ERR(flowtable)) {
6905 NL_SET_BAD_ATTR(extack, attr);
6906 return PTR_ERR(flowtable);
6907 }
6908
6909 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6910
6911 if (nla[NFTA_FLOWTABLE_HOOK])
6912 return nft_delflowtable_hook(&ctx, flowtable);
6913
6914 if (flowtable->use > 0) {
6915 NL_SET_BAD_ATTR(extack, attr);
6916 return -EBUSY;
6917 }
6918
6919 return nft_delflowtable(&ctx, flowtable);
6920 }
6921
nf_tables_fill_flowtable_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,struct nft_flowtable * flowtable,struct list_head * hook_list)6922 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
6923 u32 portid, u32 seq, int event,
6924 u32 flags, int family,
6925 struct nft_flowtable *flowtable,
6926 struct list_head *hook_list)
6927 {
6928 struct nlattr *nest, *nest_devs;
6929 struct nfgenmsg *nfmsg;
6930 struct nft_hook *hook;
6931 struct nlmsghdr *nlh;
6932
6933 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6934 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
6935 if (nlh == NULL)
6936 goto nla_put_failure;
6937
6938 nfmsg = nlmsg_data(nlh);
6939 nfmsg->nfgen_family = family;
6940 nfmsg->version = NFNETLINK_V0;
6941 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6942
6943 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
6944 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
6945 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
6946 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
6947 NFTA_FLOWTABLE_PAD) ||
6948 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
6949 goto nla_put_failure;
6950
6951 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
6952 if (!nest)
6953 goto nla_put_failure;
6954 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
6955 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
6956 goto nla_put_failure;
6957
6958 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
6959 if (!nest_devs)
6960 goto nla_put_failure;
6961
6962 list_for_each_entry_rcu(hook, hook_list, list) {
6963 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
6964 goto nla_put_failure;
6965 }
6966 nla_nest_end(skb, nest_devs);
6967 nla_nest_end(skb, nest);
6968
6969 nlmsg_end(skb, nlh);
6970 return 0;
6971
6972 nla_put_failure:
6973 nlmsg_trim(skb, nlh);
6974 return -1;
6975 }
6976
6977 struct nft_flowtable_filter {
6978 char *table;
6979 };
6980
nf_tables_dump_flowtable(struct sk_buff * skb,struct netlink_callback * cb)6981 static int nf_tables_dump_flowtable(struct sk_buff *skb,
6982 struct netlink_callback *cb)
6983 {
6984 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6985 struct nft_flowtable_filter *filter = cb->data;
6986 unsigned int idx = 0, s_idx = cb->args[0];
6987 struct net *net = sock_net(skb->sk);
6988 int family = nfmsg->nfgen_family;
6989 struct nft_flowtable *flowtable;
6990 const struct nft_table *table;
6991
6992 rcu_read_lock();
6993 cb->seq = net->nft.base_seq;
6994
6995 list_for_each_entry_rcu(table, &net->nft.tables, list) {
6996 if (family != NFPROTO_UNSPEC && family != table->family)
6997 continue;
6998
6999 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
7000 if (!nft_is_active(net, flowtable))
7001 goto cont;
7002 if (idx < s_idx)
7003 goto cont;
7004 if (idx > s_idx)
7005 memset(&cb->args[1], 0,
7006 sizeof(cb->args) - sizeof(cb->args[0]));
7007 if (filter && filter->table &&
7008 strcmp(filter->table, table->name))
7009 goto cont;
7010
7011 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
7012 cb->nlh->nlmsg_seq,
7013 NFT_MSG_NEWFLOWTABLE,
7014 NLM_F_MULTI | NLM_F_APPEND,
7015 table->family,
7016 flowtable,
7017 &flowtable->hook_list) < 0)
7018 goto done;
7019
7020 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
7021 cont:
7022 idx++;
7023 }
7024 }
7025 done:
7026 rcu_read_unlock();
7027
7028 cb->args[0] = idx;
7029 return skb->len;
7030 }
7031
nf_tables_dump_flowtable_start(struct netlink_callback * cb)7032 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
7033 {
7034 const struct nlattr * const *nla = cb->data;
7035 struct nft_flowtable_filter *filter = NULL;
7036
7037 if (nla[NFTA_FLOWTABLE_TABLE]) {
7038 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
7039 if (!filter)
7040 return -ENOMEM;
7041
7042 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
7043 GFP_ATOMIC);
7044 if (!filter->table) {
7045 kfree(filter);
7046 return -ENOMEM;
7047 }
7048 }
7049
7050 cb->data = filter;
7051 return 0;
7052 }
7053
nf_tables_dump_flowtable_done(struct netlink_callback * cb)7054 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
7055 {
7056 struct nft_flowtable_filter *filter = cb->data;
7057
7058 if (!filter)
7059 return 0;
7060
7061 kfree(filter->table);
7062 kfree(filter);
7063
7064 return 0;
7065 }
7066
7067 /* called with rcu_read_lock held */
nf_tables_getflowtable(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)7068 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
7069 struct sk_buff *skb,
7070 const struct nlmsghdr *nlh,
7071 const struct nlattr * const nla[],
7072 struct netlink_ext_ack *extack)
7073 {
7074 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
7075 u8 genmask = nft_genmask_cur(net);
7076 int family = nfmsg->nfgen_family;
7077 struct nft_flowtable *flowtable;
7078 const struct nft_table *table;
7079 struct sk_buff *skb2;
7080 int err;
7081
7082 if (nlh->nlmsg_flags & NLM_F_DUMP) {
7083 struct netlink_dump_control c = {
7084 .start = nf_tables_dump_flowtable_start,
7085 .dump = nf_tables_dump_flowtable,
7086 .done = nf_tables_dump_flowtable_done,
7087 .module = THIS_MODULE,
7088 .data = (void *)nla,
7089 };
7090
7091 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
7092 }
7093
7094 if (!nla[NFTA_FLOWTABLE_NAME])
7095 return -EINVAL;
7096
7097 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
7098 genmask);
7099 if (IS_ERR(table))
7100 return PTR_ERR(table);
7101
7102 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
7103 genmask);
7104 if (IS_ERR(flowtable))
7105 return PTR_ERR(flowtable);
7106
7107 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7108 if (!skb2)
7109 return -ENOMEM;
7110
7111 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
7112 nlh->nlmsg_seq,
7113 NFT_MSG_NEWFLOWTABLE, 0, family,
7114 flowtable, &flowtable->hook_list);
7115 if (err < 0)
7116 goto err_fill_flowtable_info;
7117
7118 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7119
7120 err_fill_flowtable_info:
7121 kfree_skb(skb2);
7122 return err;
7123 }
7124
nf_tables_flowtable_notify(struct nft_ctx * ctx,struct nft_flowtable * flowtable,struct list_head * hook_list,int event)7125 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
7126 struct nft_flowtable *flowtable,
7127 struct list_head *hook_list,
7128 int event)
7129 {
7130 struct sk_buff *skb;
7131 int err;
7132 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
7133 flowtable->table->name, flowtable->table->handle,
7134 flowtable->name, flowtable->handle);
7135
7136 audit_log_nfcfg(buf,
7137 ctx->family,
7138 flowtable->hooknum,
7139 event == NFT_MSG_NEWFLOWTABLE ?
7140 AUDIT_NFT_OP_FLOWTABLE_REGISTER :
7141 AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
7142 GFP_KERNEL);
7143 kfree(buf);
7144
7145 if (!ctx->report &&
7146 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
7147 return;
7148
7149 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
7150 if (skb == NULL)
7151 goto err;
7152
7153 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
7154 ctx->seq, event, 0,
7155 ctx->family, flowtable, hook_list);
7156 if (err < 0) {
7157 kfree_skb(skb);
7158 goto err;
7159 }
7160
7161 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
7162 return;
7163 err:
7164 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
7165 }
7166
nf_tables_flowtable_destroy(struct nft_flowtable * flowtable)7167 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
7168 {
7169 struct nft_hook *hook, *next;
7170
7171 flowtable->data.type->free(&flowtable->data);
7172 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7173 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
7174 FLOW_BLOCK_UNBIND);
7175 list_del_rcu(&hook->list);
7176 kfree(hook);
7177 }
7178 kfree(flowtable->name);
7179 module_put(flowtable->data.type->owner);
7180 kfree(flowtable);
7181 }
7182
nf_tables_fill_gen_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq)7183 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
7184 u32 portid, u32 seq)
7185 {
7186 struct nlmsghdr *nlh;
7187 struct nfgenmsg *nfmsg;
7188 char buf[TASK_COMM_LEN];
7189 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
7190
7191 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
7192 if (nlh == NULL)
7193 goto nla_put_failure;
7194
7195 nfmsg = nlmsg_data(nlh);
7196 nfmsg->nfgen_family = AF_UNSPEC;
7197 nfmsg->version = NFNETLINK_V0;
7198 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
7199
7200 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
7201 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
7202 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
7203 goto nla_put_failure;
7204
7205 nlmsg_end(skb, nlh);
7206 return 0;
7207
7208 nla_put_failure:
7209 nlmsg_trim(skb, nlh);
7210 return -EMSGSIZE;
7211 }
7212
nft_flowtable_event(unsigned long event,struct net_device * dev,struct nft_flowtable * flowtable)7213 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
7214 struct nft_flowtable *flowtable)
7215 {
7216 struct nft_hook *hook;
7217
7218 list_for_each_entry(hook, &flowtable->hook_list, list) {
7219 if (hook->ops.dev != dev)
7220 continue;
7221
7222 /* flow_offload_netdev_event() cleans up entries for us. */
7223 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
7224 list_del_rcu(&hook->list);
7225 kfree_rcu(hook, rcu);
7226 break;
7227 }
7228 }
7229
nf_tables_flowtable_event(struct notifier_block * this,unsigned long event,void * ptr)7230 static int nf_tables_flowtable_event(struct notifier_block *this,
7231 unsigned long event, void *ptr)
7232 {
7233 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
7234 struct nft_flowtable *flowtable;
7235 struct nft_table *table;
7236 struct net *net;
7237
7238 if (event != NETDEV_UNREGISTER)
7239 return 0;
7240
7241 net = dev_net(dev);
7242 mutex_lock(&net->nft.commit_mutex);
7243 list_for_each_entry(table, &net->nft.tables, list) {
7244 list_for_each_entry(flowtable, &table->flowtables, list) {
7245 nft_flowtable_event(event, dev, flowtable);
7246 }
7247 }
7248 mutex_unlock(&net->nft.commit_mutex);
7249
7250 return NOTIFY_DONE;
7251 }
7252
7253 static struct notifier_block nf_tables_flowtable_notifier = {
7254 .notifier_call = nf_tables_flowtable_event,
7255 };
7256
nf_tables_gen_notify(struct net * net,struct sk_buff * skb,int event)7257 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
7258 int event)
7259 {
7260 struct nlmsghdr *nlh = nlmsg_hdr(skb);
7261 struct sk_buff *skb2;
7262 int err;
7263
7264 audit_log_nfcfg("?:0;?:0", 0, net->nft.base_seq,
7265 AUDIT_NFT_OP_GEN_REGISTER, GFP_KERNEL);
7266
7267 if (!nlmsg_report(nlh) &&
7268 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
7269 return;
7270
7271 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
7272 if (skb2 == NULL)
7273 goto err;
7274
7275 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
7276 nlh->nlmsg_seq);
7277 if (err < 0) {
7278 kfree_skb(skb2);
7279 goto err;
7280 }
7281
7282 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
7283 nlmsg_report(nlh), GFP_KERNEL);
7284 return;
7285 err:
7286 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
7287 -ENOBUFS);
7288 }
7289
nf_tables_getgen(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)7290 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
7291 struct sk_buff *skb, const struct nlmsghdr *nlh,
7292 const struct nlattr * const nla[],
7293 struct netlink_ext_ack *extack)
7294 {
7295 struct sk_buff *skb2;
7296 int err;
7297
7298 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7299 if (skb2 == NULL)
7300 return -ENOMEM;
7301
7302 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
7303 nlh->nlmsg_seq);
7304 if (err < 0)
7305 goto err_fill_gen_info;
7306
7307 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7308
7309 err_fill_gen_info:
7310 kfree_skb(skb2);
7311 return err;
7312 }
7313
7314 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
7315 [NFT_MSG_NEWTABLE] = {
7316 .call_batch = nf_tables_newtable,
7317 .attr_count = NFTA_TABLE_MAX,
7318 .policy = nft_table_policy,
7319 },
7320 [NFT_MSG_GETTABLE] = {
7321 .call_rcu = nf_tables_gettable,
7322 .attr_count = NFTA_TABLE_MAX,
7323 .policy = nft_table_policy,
7324 },
7325 [NFT_MSG_DELTABLE] = {
7326 .call_batch = nf_tables_deltable,
7327 .attr_count = NFTA_TABLE_MAX,
7328 .policy = nft_table_policy,
7329 },
7330 [NFT_MSG_NEWCHAIN] = {
7331 .call_batch = nf_tables_newchain,
7332 .attr_count = NFTA_CHAIN_MAX,
7333 .policy = nft_chain_policy,
7334 },
7335 [NFT_MSG_GETCHAIN] = {
7336 .call_rcu = nf_tables_getchain,
7337 .attr_count = NFTA_CHAIN_MAX,
7338 .policy = nft_chain_policy,
7339 },
7340 [NFT_MSG_DELCHAIN] = {
7341 .call_batch = nf_tables_delchain,
7342 .attr_count = NFTA_CHAIN_MAX,
7343 .policy = nft_chain_policy,
7344 },
7345 [NFT_MSG_NEWRULE] = {
7346 .call_batch = nf_tables_newrule,
7347 .attr_count = NFTA_RULE_MAX,
7348 .policy = nft_rule_policy,
7349 },
7350 [NFT_MSG_GETRULE] = {
7351 .call_rcu = nf_tables_getrule,
7352 .attr_count = NFTA_RULE_MAX,
7353 .policy = nft_rule_policy,
7354 },
7355 [NFT_MSG_DELRULE] = {
7356 .call_batch = nf_tables_delrule,
7357 .attr_count = NFTA_RULE_MAX,
7358 .policy = nft_rule_policy,
7359 },
7360 [NFT_MSG_NEWSET] = {
7361 .call_batch = nf_tables_newset,
7362 .attr_count = NFTA_SET_MAX,
7363 .policy = nft_set_policy,
7364 },
7365 [NFT_MSG_GETSET] = {
7366 .call_rcu = nf_tables_getset,
7367 .attr_count = NFTA_SET_MAX,
7368 .policy = nft_set_policy,
7369 },
7370 [NFT_MSG_DELSET] = {
7371 .call_batch = nf_tables_delset,
7372 .attr_count = NFTA_SET_MAX,
7373 .policy = nft_set_policy,
7374 },
7375 [NFT_MSG_NEWSETELEM] = {
7376 .call_batch = nf_tables_newsetelem,
7377 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7378 .policy = nft_set_elem_list_policy,
7379 },
7380 [NFT_MSG_GETSETELEM] = {
7381 .call_rcu = nf_tables_getsetelem,
7382 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7383 .policy = nft_set_elem_list_policy,
7384 },
7385 [NFT_MSG_DELSETELEM] = {
7386 .call_batch = nf_tables_delsetelem,
7387 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7388 .policy = nft_set_elem_list_policy,
7389 },
7390 [NFT_MSG_GETGEN] = {
7391 .call_rcu = nf_tables_getgen,
7392 },
7393 [NFT_MSG_NEWOBJ] = {
7394 .call_batch = nf_tables_newobj,
7395 .attr_count = NFTA_OBJ_MAX,
7396 .policy = nft_obj_policy,
7397 },
7398 [NFT_MSG_GETOBJ] = {
7399 .call_rcu = nf_tables_getobj,
7400 .attr_count = NFTA_OBJ_MAX,
7401 .policy = nft_obj_policy,
7402 },
7403 [NFT_MSG_DELOBJ] = {
7404 .call_batch = nf_tables_delobj,
7405 .attr_count = NFTA_OBJ_MAX,
7406 .policy = nft_obj_policy,
7407 },
7408 [NFT_MSG_GETOBJ_RESET] = {
7409 .call_rcu = nf_tables_getobj,
7410 .attr_count = NFTA_OBJ_MAX,
7411 .policy = nft_obj_policy,
7412 },
7413 [NFT_MSG_NEWFLOWTABLE] = {
7414 .call_batch = nf_tables_newflowtable,
7415 .attr_count = NFTA_FLOWTABLE_MAX,
7416 .policy = nft_flowtable_policy,
7417 },
7418 [NFT_MSG_GETFLOWTABLE] = {
7419 .call_rcu = nf_tables_getflowtable,
7420 .attr_count = NFTA_FLOWTABLE_MAX,
7421 .policy = nft_flowtable_policy,
7422 },
7423 [NFT_MSG_DELFLOWTABLE] = {
7424 .call_batch = nf_tables_delflowtable,
7425 .attr_count = NFTA_FLOWTABLE_MAX,
7426 .policy = nft_flowtable_policy,
7427 },
7428 };
7429
nf_tables_validate(struct net * net)7430 static int nf_tables_validate(struct net *net)
7431 {
7432 struct nft_table *table;
7433
7434 switch (net->nft.validate_state) {
7435 case NFT_VALIDATE_SKIP:
7436 break;
7437 case NFT_VALIDATE_NEED:
7438 nft_validate_state_update(net, NFT_VALIDATE_DO);
7439 fallthrough;
7440 case NFT_VALIDATE_DO:
7441 list_for_each_entry(table, &net->nft.tables, list) {
7442 if (nft_table_validate(net, table) < 0)
7443 return -EAGAIN;
7444 }
7445 break;
7446 }
7447
7448 return 0;
7449 }
7450
7451 /* a drop policy has to be deferred until all rules have been activated,
7452 * otherwise a large ruleset that contains a drop-policy base chain will
7453 * cause all packets to get dropped until the full transaction has been
7454 * processed.
7455 *
7456 * We defer the drop policy until the transaction has been finalized.
7457 */
nft_chain_commit_drop_policy(struct nft_trans * trans)7458 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
7459 {
7460 struct nft_base_chain *basechain;
7461
7462 if (nft_trans_chain_policy(trans) != NF_DROP)
7463 return;
7464
7465 if (!nft_is_base_chain(trans->ctx.chain))
7466 return;
7467
7468 basechain = nft_base_chain(trans->ctx.chain);
7469 basechain->policy = NF_DROP;
7470 }
7471
nft_chain_commit_update(struct nft_trans * trans)7472 static void nft_chain_commit_update(struct nft_trans *trans)
7473 {
7474 struct nft_base_chain *basechain;
7475
7476 if (nft_trans_chain_name(trans)) {
7477 rhltable_remove(&trans->ctx.table->chains_ht,
7478 &trans->ctx.chain->rhlhead,
7479 nft_chain_ht_params);
7480 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
7481 rhltable_insert_key(&trans->ctx.table->chains_ht,
7482 trans->ctx.chain->name,
7483 &trans->ctx.chain->rhlhead,
7484 nft_chain_ht_params);
7485 }
7486
7487 if (!nft_is_base_chain(trans->ctx.chain))
7488 return;
7489
7490 nft_chain_stats_replace(trans);
7491
7492 basechain = nft_base_chain(trans->ctx.chain);
7493
7494 switch (nft_trans_chain_policy(trans)) {
7495 case NF_DROP:
7496 case NF_ACCEPT:
7497 basechain->policy = nft_trans_chain_policy(trans);
7498 break;
7499 }
7500 }
7501
nft_obj_commit_update(struct nft_trans * trans)7502 static void nft_obj_commit_update(struct nft_trans *trans)
7503 {
7504 struct nft_object *newobj;
7505 struct nft_object *obj;
7506
7507 obj = nft_trans_obj(trans);
7508 newobj = nft_trans_obj_newobj(trans);
7509
7510 if (obj->ops->update)
7511 obj->ops->update(obj, newobj);
7512
7513 kfree(newobj);
7514 }
7515
nft_commit_release(struct nft_trans * trans)7516 static void nft_commit_release(struct nft_trans *trans)
7517 {
7518 switch (trans->msg_type) {
7519 case NFT_MSG_DELTABLE:
7520 nf_tables_table_destroy(&trans->ctx);
7521 break;
7522 case NFT_MSG_NEWCHAIN:
7523 free_percpu(nft_trans_chain_stats(trans));
7524 kfree(nft_trans_chain_name(trans));
7525 break;
7526 case NFT_MSG_DELCHAIN:
7527 nf_tables_chain_destroy(&trans->ctx);
7528 break;
7529 case NFT_MSG_DELRULE:
7530 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
7531 break;
7532 case NFT_MSG_DELSET:
7533 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
7534 break;
7535 case NFT_MSG_DELSETELEM:
7536 nf_tables_set_elem_destroy(&trans->ctx,
7537 nft_trans_elem_set(trans),
7538 nft_trans_elem(trans).priv);
7539 break;
7540 case NFT_MSG_DELOBJ:
7541 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
7542 break;
7543 case NFT_MSG_DELFLOWTABLE:
7544 if (nft_trans_flowtable_update(trans))
7545 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
7546 else
7547 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
7548 break;
7549 }
7550
7551 if (trans->put_net)
7552 put_net(trans->ctx.net);
7553
7554 kfree(trans);
7555 }
7556
nf_tables_trans_destroy_work(struct work_struct * w)7557 static void nf_tables_trans_destroy_work(struct work_struct *w)
7558 {
7559 struct nft_trans *trans, *next;
7560 LIST_HEAD(head);
7561
7562 spin_lock(&nf_tables_destroy_list_lock);
7563 list_splice_init(&nf_tables_destroy_list, &head);
7564 spin_unlock(&nf_tables_destroy_list_lock);
7565
7566 if (list_empty(&head))
7567 return;
7568
7569 synchronize_rcu();
7570
7571 list_for_each_entry_safe(trans, next, &head, list) {
7572 list_del(&trans->list);
7573 nft_commit_release(trans);
7574 }
7575 }
7576
nf_tables_trans_destroy_flush_work(void)7577 void nf_tables_trans_destroy_flush_work(void)
7578 {
7579 flush_work(&trans_destroy_work);
7580 }
7581 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
7582
nf_tables_commit_chain_prepare(struct net * net,struct nft_chain * chain)7583 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
7584 {
7585 struct nft_rule *rule;
7586 unsigned int alloc = 0;
7587 int i;
7588
7589 /* already handled or inactive chain? */
7590 if (chain->rules_next || !nft_is_active_next(net, chain))
7591 return 0;
7592
7593 rule = list_entry(&chain->rules, struct nft_rule, list);
7594 i = 0;
7595
7596 list_for_each_entry_continue(rule, &chain->rules, list) {
7597 if (nft_is_active_next(net, rule))
7598 alloc++;
7599 }
7600
7601 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
7602 if (!chain->rules_next)
7603 return -ENOMEM;
7604
7605 list_for_each_entry_continue(rule, &chain->rules, list) {
7606 if (nft_is_active_next(net, rule))
7607 chain->rules_next[i++] = rule;
7608 }
7609
7610 chain->rules_next[i] = NULL;
7611 return 0;
7612 }
7613
nf_tables_commit_chain_prepare_cancel(struct net * net)7614 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
7615 {
7616 struct nft_trans *trans, *next;
7617
7618 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7619 struct nft_chain *chain = trans->ctx.chain;
7620
7621 if (trans->msg_type == NFT_MSG_NEWRULE ||
7622 trans->msg_type == NFT_MSG_DELRULE) {
7623 kvfree(chain->rules_next);
7624 chain->rules_next = NULL;
7625 }
7626 }
7627 }
7628
__nf_tables_commit_chain_free_rules_old(struct rcu_head * h)7629 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
7630 {
7631 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
7632
7633 kvfree(o->start);
7634 }
7635
nf_tables_commit_chain_free_rules_old(struct nft_rule ** rules)7636 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
7637 {
7638 struct nft_rule **r = rules;
7639 struct nft_rules_old *old;
7640
7641 while (*r)
7642 r++;
7643
7644 r++; /* rcu_head is after end marker */
7645 old = (void *) r;
7646 old->start = rules;
7647
7648 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
7649 }
7650
nf_tables_commit_chain(struct net * net,struct nft_chain * chain)7651 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
7652 {
7653 struct nft_rule **g0, **g1;
7654 bool next_genbit;
7655
7656 next_genbit = nft_gencursor_next(net);
7657
7658 g0 = rcu_dereference_protected(chain->rules_gen_0,
7659 lockdep_commit_lock_is_held(net));
7660 g1 = rcu_dereference_protected(chain->rules_gen_1,
7661 lockdep_commit_lock_is_held(net));
7662
7663 /* No changes to this chain? */
7664 if (chain->rules_next == NULL) {
7665 /* chain had no change in last or next generation */
7666 if (g0 == g1)
7667 return;
7668 /*
7669 * chain had no change in this generation; make sure next
7670 * one uses same rules as current generation.
7671 */
7672 if (next_genbit) {
7673 rcu_assign_pointer(chain->rules_gen_1, g0);
7674 nf_tables_commit_chain_free_rules_old(g1);
7675 } else {
7676 rcu_assign_pointer(chain->rules_gen_0, g1);
7677 nf_tables_commit_chain_free_rules_old(g0);
7678 }
7679
7680 return;
7681 }
7682
7683 if (next_genbit)
7684 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
7685 else
7686 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
7687
7688 chain->rules_next = NULL;
7689
7690 if (g0 == g1)
7691 return;
7692
7693 if (next_genbit)
7694 nf_tables_commit_chain_free_rules_old(g1);
7695 else
7696 nf_tables_commit_chain_free_rules_old(g0);
7697 }
7698
nft_obj_del(struct nft_object * obj)7699 static void nft_obj_del(struct nft_object *obj)
7700 {
7701 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
7702 list_del_rcu(&obj->list);
7703 }
7704
nft_chain_del(struct nft_chain * chain)7705 void nft_chain_del(struct nft_chain *chain)
7706 {
7707 struct nft_table *table = chain->table;
7708
7709 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
7710 nft_chain_ht_params));
7711 list_del_rcu(&chain->list);
7712 }
7713
nft_flowtable_hooks_del(struct nft_flowtable * flowtable,struct list_head * hook_list)7714 static void nft_flowtable_hooks_del(struct nft_flowtable *flowtable,
7715 struct list_head *hook_list)
7716 {
7717 struct nft_hook *hook, *next;
7718
7719 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7720 if (hook->inactive)
7721 list_move(&hook->list, hook_list);
7722 }
7723 }
7724
nf_tables_module_autoload_cleanup(struct net * net)7725 static void nf_tables_module_autoload_cleanup(struct net *net)
7726 {
7727 struct nft_module_request *req, *next;
7728
7729 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
7730 list_for_each_entry_safe(req, next, &net->nft.module_list, list) {
7731 WARN_ON_ONCE(!req->done);
7732 list_del(&req->list);
7733 kfree(req);
7734 }
7735 }
7736
nf_tables_commit_release(struct net * net)7737 static void nf_tables_commit_release(struct net *net)
7738 {
7739 struct nft_trans *trans;
7740
7741 /* all side effects have to be made visible.
7742 * For example, if a chain named 'foo' has been deleted, a
7743 * new transaction must not find it anymore.
7744 *
7745 * Memory reclaim happens asynchronously from work queue
7746 * to prevent expensive synchronize_rcu() in commit phase.
7747 */
7748 if (list_empty(&net->nft.commit_list)) {
7749 nf_tables_module_autoload_cleanup(net);
7750 mutex_unlock(&net->nft.commit_mutex);
7751 return;
7752 }
7753
7754 trans = list_last_entry(&net->nft.commit_list,
7755 struct nft_trans, list);
7756 get_net(trans->ctx.net);
7757 WARN_ON_ONCE(trans->put_net);
7758
7759 trans->put_net = true;
7760 spin_lock(&nf_tables_destroy_list_lock);
7761 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
7762 spin_unlock(&nf_tables_destroy_list_lock);
7763
7764 nf_tables_module_autoload_cleanup(net);
7765 schedule_work(&trans_destroy_work);
7766
7767 mutex_unlock(&net->nft.commit_mutex);
7768 }
7769
nft_commit_notify(struct net * net,u32 portid)7770 static void nft_commit_notify(struct net *net, u32 portid)
7771 {
7772 struct sk_buff *batch_skb = NULL, *nskb, *skb;
7773 unsigned char *data;
7774 int len;
7775
7776 list_for_each_entry_safe(skb, nskb, &net->nft.notify_list, list) {
7777 if (!batch_skb) {
7778 new_batch:
7779 batch_skb = skb;
7780 len = NLMSG_GOODSIZE - skb->len;
7781 list_del(&skb->list);
7782 continue;
7783 }
7784 len -= skb->len;
7785 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
7786 data = skb_put(batch_skb, skb->len);
7787 memcpy(data, skb->data, skb->len);
7788 list_del(&skb->list);
7789 kfree_skb(skb);
7790 continue;
7791 }
7792 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
7793 NFT_CB(batch_skb).report, GFP_KERNEL);
7794 goto new_batch;
7795 }
7796
7797 if (batch_skb) {
7798 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
7799 NFT_CB(batch_skb).report, GFP_KERNEL);
7800 }
7801
7802 WARN_ON_ONCE(!list_empty(&net->nft.notify_list));
7803 }
7804
nf_tables_commit(struct net * net,struct sk_buff * skb)7805 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
7806 {
7807 struct nft_trans *trans, *next;
7808 struct nft_trans_elem *te;
7809 struct nft_chain *chain;
7810 struct nft_table *table;
7811 int err;
7812
7813 if (list_empty(&net->nft.commit_list)) {
7814 mutex_unlock(&net->nft.commit_mutex);
7815 return 0;
7816 }
7817
7818 /* 0. Validate ruleset, otherwise roll back for error reporting. */
7819 if (nf_tables_validate(net) < 0)
7820 return -EAGAIN;
7821
7822 err = nft_flow_rule_offload_commit(net);
7823 if (err < 0)
7824 return err;
7825
7826 /* 1. Allocate space for next generation rules_gen_X[] */
7827 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7828 int ret;
7829
7830 if (trans->msg_type == NFT_MSG_NEWRULE ||
7831 trans->msg_type == NFT_MSG_DELRULE) {
7832 chain = trans->ctx.chain;
7833
7834 ret = nf_tables_commit_chain_prepare(net, chain);
7835 if (ret < 0) {
7836 nf_tables_commit_chain_prepare_cancel(net);
7837 return ret;
7838 }
7839 }
7840 }
7841
7842 /* step 2. Make rules_gen_X visible to packet path */
7843 list_for_each_entry(table, &net->nft.tables, list) {
7844 list_for_each_entry(chain, &table->chains, list)
7845 nf_tables_commit_chain(net, chain);
7846 }
7847
7848 /*
7849 * Bump generation counter, invalidate any dump in progress.
7850 * Cannot fail after this point.
7851 */
7852 while (++net->nft.base_seq == 0);
7853
7854 /* step 3. Start new generation, rules_gen_X now in use. */
7855 net->nft.gencursor = nft_gencursor_next(net);
7856
7857 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7858 switch (trans->msg_type) {
7859 case NFT_MSG_NEWTABLE:
7860 if (nft_trans_table_update(trans)) {
7861 if (!nft_trans_table_enable(trans)) {
7862 nf_tables_table_disable(net,
7863 trans->ctx.table);
7864 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
7865 }
7866 } else {
7867 nft_clear(net, trans->ctx.table);
7868 }
7869 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
7870 nft_trans_destroy(trans);
7871 break;
7872 case NFT_MSG_DELTABLE:
7873 list_del_rcu(&trans->ctx.table->list);
7874 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
7875 break;
7876 case NFT_MSG_NEWCHAIN:
7877 if (nft_trans_chain_update(trans)) {
7878 nft_chain_commit_update(trans);
7879 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
7880 /* trans destroyed after rcu grace period */
7881 } else {
7882 nft_chain_commit_drop_policy(trans);
7883 nft_clear(net, trans->ctx.chain);
7884 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
7885 nft_trans_destroy(trans);
7886 }
7887 break;
7888 case NFT_MSG_DELCHAIN:
7889 nft_chain_del(trans->ctx.chain);
7890 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
7891 nf_tables_unregister_hook(trans->ctx.net,
7892 trans->ctx.table,
7893 trans->ctx.chain);
7894 break;
7895 case NFT_MSG_NEWRULE:
7896 nft_clear(trans->ctx.net, nft_trans_rule(trans));
7897 nf_tables_rule_notify(&trans->ctx,
7898 nft_trans_rule(trans),
7899 NFT_MSG_NEWRULE);
7900 nft_trans_destroy(trans);
7901 break;
7902 case NFT_MSG_DELRULE:
7903 list_del_rcu(&nft_trans_rule(trans)->list);
7904 nf_tables_rule_notify(&trans->ctx,
7905 nft_trans_rule(trans),
7906 NFT_MSG_DELRULE);
7907 nft_rule_expr_deactivate(&trans->ctx,
7908 nft_trans_rule(trans),
7909 NFT_TRANS_COMMIT);
7910 break;
7911 case NFT_MSG_NEWSET:
7912 nft_clear(net, nft_trans_set(trans));
7913 /* This avoids hitting -EBUSY when deleting the table
7914 * from the transaction.
7915 */
7916 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
7917 !list_empty(&nft_trans_set(trans)->bindings))
7918 trans->ctx.table->use--;
7919
7920 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
7921 NFT_MSG_NEWSET, GFP_KERNEL);
7922 nft_trans_destroy(trans);
7923 break;
7924 case NFT_MSG_DELSET:
7925 list_del_rcu(&nft_trans_set(trans)->list);
7926 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
7927 NFT_MSG_DELSET, GFP_KERNEL);
7928 break;
7929 case NFT_MSG_NEWSETELEM:
7930 te = (struct nft_trans_elem *)trans->data;
7931
7932 te->set->ops->activate(net, te->set, &te->elem);
7933 nf_tables_setelem_notify(&trans->ctx, te->set,
7934 &te->elem,
7935 NFT_MSG_NEWSETELEM, 0);
7936 nft_trans_destroy(trans);
7937 break;
7938 case NFT_MSG_DELSETELEM:
7939 te = (struct nft_trans_elem *)trans->data;
7940
7941 nf_tables_setelem_notify(&trans->ctx, te->set,
7942 &te->elem,
7943 NFT_MSG_DELSETELEM, 0);
7944 te->set->ops->remove(net, te->set, &te->elem);
7945 atomic_dec(&te->set->nelems);
7946 te->set->ndeact--;
7947 break;
7948 case NFT_MSG_NEWOBJ:
7949 if (nft_trans_obj_update(trans)) {
7950 nft_obj_commit_update(trans);
7951 nf_tables_obj_notify(&trans->ctx,
7952 nft_trans_obj(trans),
7953 NFT_MSG_NEWOBJ);
7954 } else {
7955 nft_clear(net, nft_trans_obj(trans));
7956 nf_tables_obj_notify(&trans->ctx,
7957 nft_trans_obj(trans),
7958 NFT_MSG_NEWOBJ);
7959 nft_trans_destroy(trans);
7960 }
7961 break;
7962 case NFT_MSG_DELOBJ:
7963 nft_obj_del(nft_trans_obj(trans));
7964 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
7965 NFT_MSG_DELOBJ);
7966 break;
7967 case NFT_MSG_NEWFLOWTABLE:
7968 if (nft_trans_flowtable_update(trans)) {
7969 nf_tables_flowtable_notify(&trans->ctx,
7970 nft_trans_flowtable(trans),
7971 &nft_trans_flowtable_hooks(trans),
7972 NFT_MSG_NEWFLOWTABLE);
7973 list_splice(&nft_trans_flowtable_hooks(trans),
7974 &nft_trans_flowtable(trans)->hook_list);
7975 } else {
7976 nft_clear(net, nft_trans_flowtable(trans));
7977 nf_tables_flowtable_notify(&trans->ctx,
7978 nft_trans_flowtable(trans),
7979 &nft_trans_flowtable(trans)->hook_list,
7980 NFT_MSG_NEWFLOWTABLE);
7981 }
7982 nft_trans_destroy(trans);
7983 break;
7984 case NFT_MSG_DELFLOWTABLE:
7985 if (nft_trans_flowtable_update(trans)) {
7986 nft_flowtable_hooks_del(nft_trans_flowtable(trans),
7987 &nft_trans_flowtable_hooks(trans));
7988 nf_tables_flowtable_notify(&trans->ctx,
7989 nft_trans_flowtable(trans),
7990 &nft_trans_flowtable_hooks(trans),
7991 NFT_MSG_DELFLOWTABLE);
7992 nft_unregister_flowtable_net_hooks(net,
7993 &nft_trans_flowtable_hooks(trans));
7994 } else {
7995 list_del_rcu(&nft_trans_flowtable(trans)->list);
7996 nf_tables_flowtable_notify(&trans->ctx,
7997 nft_trans_flowtable(trans),
7998 &nft_trans_flowtable(trans)->hook_list,
7999 NFT_MSG_DELFLOWTABLE);
8000 nft_unregister_flowtable_net_hooks(net,
8001 &nft_trans_flowtable(trans)->hook_list);
8002 }
8003 break;
8004 }
8005 }
8006
8007 nft_commit_notify(net, NETLINK_CB(skb).portid);
8008 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
8009 nf_tables_commit_release(net);
8010
8011 return 0;
8012 }
8013
nf_tables_module_autoload(struct net * net)8014 static void nf_tables_module_autoload(struct net *net)
8015 {
8016 struct nft_module_request *req, *next;
8017 LIST_HEAD(module_list);
8018
8019 list_splice_init(&net->nft.module_list, &module_list);
8020 mutex_unlock(&net->nft.commit_mutex);
8021 list_for_each_entry_safe(req, next, &module_list, list) {
8022 request_module("%s", req->module);
8023 req->done = true;
8024 }
8025 mutex_lock(&net->nft.commit_mutex);
8026 list_splice(&module_list, &net->nft.module_list);
8027 }
8028
nf_tables_abort_release(struct nft_trans * trans)8029 static void nf_tables_abort_release(struct nft_trans *trans)
8030 {
8031 switch (trans->msg_type) {
8032 case NFT_MSG_NEWTABLE:
8033 nf_tables_table_destroy(&trans->ctx);
8034 break;
8035 case NFT_MSG_NEWCHAIN:
8036 nf_tables_chain_destroy(&trans->ctx);
8037 break;
8038 case NFT_MSG_NEWRULE:
8039 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
8040 break;
8041 case NFT_MSG_NEWSET:
8042 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
8043 break;
8044 case NFT_MSG_NEWSETELEM:
8045 nft_set_elem_destroy(nft_trans_elem_set(trans),
8046 nft_trans_elem(trans).priv, true);
8047 break;
8048 case NFT_MSG_NEWOBJ:
8049 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
8050 break;
8051 case NFT_MSG_NEWFLOWTABLE:
8052 if (nft_trans_flowtable_update(trans))
8053 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
8054 else
8055 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
8056 break;
8057 }
8058 kfree(trans);
8059 }
8060
__nf_tables_abort(struct net * net,enum nfnl_abort_action action)8061 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
8062 {
8063 struct nft_trans *trans, *next;
8064 struct nft_trans_elem *te;
8065 struct nft_hook *hook;
8066
8067 if (action == NFNL_ABORT_VALIDATE &&
8068 nf_tables_validate(net) < 0)
8069 return -EAGAIN;
8070
8071 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
8072 list) {
8073 switch (trans->msg_type) {
8074 case NFT_MSG_NEWTABLE:
8075 if (nft_trans_table_update(trans)) {
8076 if (nft_trans_table_enable(trans)) {
8077 nf_tables_table_disable(net,
8078 trans->ctx.table);
8079 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
8080 }
8081 nft_trans_destroy(trans);
8082 } else {
8083 list_del_rcu(&trans->ctx.table->list);
8084 }
8085 break;
8086 case NFT_MSG_DELTABLE:
8087 nft_clear(trans->ctx.net, trans->ctx.table);
8088 nft_trans_destroy(trans);
8089 break;
8090 case NFT_MSG_NEWCHAIN:
8091 if (nft_trans_chain_update(trans)) {
8092 free_percpu(nft_trans_chain_stats(trans));
8093 kfree(nft_trans_chain_name(trans));
8094 nft_trans_destroy(trans);
8095 } else {
8096 if (nft_chain_is_bound(trans->ctx.chain)) {
8097 nft_trans_destroy(trans);
8098 break;
8099 }
8100 trans->ctx.table->use--;
8101 nft_chain_del(trans->ctx.chain);
8102 nf_tables_unregister_hook(trans->ctx.net,
8103 trans->ctx.table,
8104 trans->ctx.chain);
8105 }
8106 break;
8107 case NFT_MSG_DELCHAIN:
8108 trans->ctx.table->use++;
8109 nft_clear(trans->ctx.net, trans->ctx.chain);
8110 nft_trans_destroy(trans);
8111 break;
8112 case NFT_MSG_NEWRULE:
8113 trans->ctx.chain->use--;
8114 list_del_rcu(&nft_trans_rule(trans)->list);
8115 nft_rule_expr_deactivate(&trans->ctx,
8116 nft_trans_rule(trans),
8117 NFT_TRANS_ABORT);
8118 break;
8119 case NFT_MSG_DELRULE:
8120 trans->ctx.chain->use++;
8121 nft_clear(trans->ctx.net, nft_trans_rule(trans));
8122 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
8123 nft_trans_destroy(trans);
8124 break;
8125 case NFT_MSG_NEWSET:
8126 trans->ctx.table->use--;
8127 if (nft_trans_set_bound(trans)) {
8128 nft_trans_destroy(trans);
8129 break;
8130 }
8131 list_del_rcu(&nft_trans_set(trans)->list);
8132 break;
8133 case NFT_MSG_DELSET:
8134 trans->ctx.table->use++;
8135 nft_clear(trans->ctx.net, nft_trans_set(trans));
8136 nft_trans_destroy(trans);
8137 break;
8138 case NFT_MSG_NEWSETELEM:
8139 if (nft_trans_elem_set_bound(trans)) {
8140 nft_trans_destroy(trans);
8141 break;
8142 }
8143 te = (struct nft_trans_elem *)trans->data;
8144 te->set->ops->remove(net, te->set, &te->elem);
8145 atomic_dec(&te->set->nelems);
8146 break;
8147 case NFT_MSG_DELSETELEM:
8148 te = (struct nft_trans_elem *)trans->data;
8149
8150 nft_set_elem_activate(net, te->set, &te->elem);
8151 te->set->ops->activate(net, te->set, &te->elem);
8152 te->set->ndeact--;
8153
8154 nft_trans_destroy(trans);
8155 break;
8156 case NFT_MSG_NEWOBJ:
8157 if (nft_trans_obj_update(trans)) {
8158 kfree(nft_trans_obj_newobj(trans));
8159 nft_trans_destroy(trans);
8160 } else {
8161 trans->ctx.table->use--;
8162 nft_obj_del(nft_trans_obj(trans));
8163 }
8164 break;
8165 case NFT_MSG_DELOBJ:
8166 trans->ctx.table->use++;
8167 nft_clear(trans->ctx.net, nft_trans_obj(trans));
8168 nft_trans_destroy(trans);
8169 break;
8170 case NFT_MSG_NEWFLOWTABLE:
8171 if (nft_trans_flowtable_update(trans)) {
8172 nft_unregister_flowtable_net_hooks(net,
8173 &nft_trans_flowtable_hooks(trans));
8174 } else {
8175 trans->ctx.table->use--;
8176 list_del_rcu(&nft_trans_flowtable(trans)->list);
8177 nft_unregister_flowtable_net_hooks(net,
8178 &nft_trans_flowtable(trans)->hook_list);
8179 }
8180 break;
8181 case NFT_MSG_DELFLOWTABLE:
8182 if (nft_trans_flowtable_update(trans)) {
8183 list_for_each_entry(hook, &nft_trans_flowtable(trans)->hook_list, list)
8184 hook->inactive = false;
8185 } else {
8186 trans->ctx.table->use++;
8187 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
8188 }
8189 nft_trans_destroy(trans);
8190 break;
8191 }
8192 }
8193
8194 synchronize_rcu();
8195
8196 list_for_each_entry_safe_reverse(trans, next,
8197 &net->nft.commit_list, list) {
8198 list_del(&trans->list);
8199 nf_tables_abort_release(trans);
8200 }
8201
8202 if (action == NFNL_ABORT_AUTOLOAD)
8203 nf_tables_module_autoload(net);
8204 else
8205 nf_tables_module_autoload_cleanup(net);
8206
8207 return 0;
8208 }
8209
nf_tables_cleanup(struct net * net)8210 static void nf_tables_cleanup(struct net *net)
8211 {
8212 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
8213 }
8214
nf_tables_abort(struct net * net,struct sk_buff * skb,enum nfnl_abort_action action)8215 static int nf_tables_abort(struct net *net, struct sk_buff *skb,
8216 enum nfnl_abort_action action)
8217 {
8218 int ret = __nf_tables_abort(net, action);
8219
8220 mutex_unlock(&net->nft.commit_mutex);
8221
8222 return ret;
8223 }
8224
nf_tables_valid_genid(struct net * net,u32 genid)8225 static bool nf_tables_valid_genid(struct net *net, u32 genid)
8226 {
8227 bool genid_ok;
8228
8229 mutex_lock(&net->nft.commit_mutex);
8230
8231 genid_ok = genid == 0 || net->nft.base_seq == genid;
8232 if (!genid_ok)
8233 mutex_unlock(&net->nft.commit_mutex);
8234
8235 /* else, commit mutex has to be released by commit or abort function */
8236 return genid_ok;
8237 }
8238
8239 static const struct nfnetlink_subsystem nf_tables_subsys = {
8240 .name = "nf_tables",
8241 .subsys_id = NFNL_SUBSYS_NFTABLES,
8242 .cb_count = NFT_MSG_MAX,
8243 .cb = nf_tables_cb,
8244 .commit = nf_tables_commit,
8245 .abort = nf_tables_abort,
8246 .cleanup = nf_tables_cleanup,
8247 .valid_genid = nf_tables_valid_genid,
8248 .owner = THIS_MODULE,
8249 };
8250
nft_chain_validate_dependency(const struct nft_chain * chain,enum nft_chain_types type)8251 int nft_chain_validate_dependency(const struct nft_chain *chain,
8252 enum nft_chain_types type)
8253 {
8254 const struct nft_base_chain *basechain;
8255
8256 if (nft_is_base_chain(chain)) {
8257 basechain = nft_base_chain(chain);
8258 if (basechain->type->type != type)
8259 return -EOPNOTSUPP;
8260 }
8261 return 0;
8262 }
8263 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
8264
nft_chain_validate_hooks(const struct nft_chain * chain,unsigned int hook_flags)8265 int nft_chain_validate_hooks(const struct nft_chain *chain,
8266 unsigned int hook_flags)
8267 {
8268 struct nft_base_chain *basechain;
8269
8270 if (nft_is_base_chain(chain)) {
8271 basechain = nft_base_chain(chain);
8272
8273 if ((1 << basechain->ops.hooknum) & hook_flags)
8274 return 0;
8275
8276 return -EOPNOTSUPP;
8277 }
8278
8279 return 0;
8280 }
8281 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
8282
8283 /*
8284 * Loop detection - walk through the ruleset beginning at the destination chain
8285 * of a new jump until either the source chain is reached (loop) or all
8286 * reachable chains have been traversed.
8287 *
8288 * The loop check is performed whenever a new jump verdict is added to an
8289 * expression or verdict map or a verdict map is bound to a new chain.
8290 */
8291
8292 static int nf_tables_check_loops(const struct nft_ctx *ctx,
8293 const struct nft_chain *chain);
8294
nf_tables_loop_check_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_set_elem * elem)8295 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
8296 struct nft_set *set,
8297 const struct nft_set_iter *iter,
8298 struct nft_set_elem *elem)
8299 {
8300 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
8301 const struct nft_data *data;
8302
8303 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
8304 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
8305 return 0;
8306
8307 data = nft_set_ext_data(ext);
8308 switch (data->verdict.code) {
8309 case NFT_JUMP:
8310 case NFT_GOTO:
8311 return nf_tables_check_loops(ctx, data->verdict.chain);
8312 default:
8313 return 0;
8314 }
8315 }
8316
nf_tables_check_loops(const struct nft_ctx * ctx,const struct nft_chain * chain)8317 static int nf_tables_check_loops(const struct nft_ctx *ctx,
8318 const struct nft_chain *chain)
8319 {
8320 const struct nft_rule *rule;
8321 const struct nft_expr *expr, *last;
8322 struct nft_set *set;
8323 struct nft_set_binding *binding;
8324 struct nft_set_iter iter;
8325
8326 if (ctx->chain == chain)
8327 return -ELOOP;
8328
8329 list_for_each_entry(rule, &chain->rules, list) {
8330 nft_rule_for_each_expr(expr, last, rule) {
8331 struct nft_immediate_expr *priv;
8332 const struct nft_data *data;
8333 int err;
8334
8335 if (strcmp(expr->ops->type->name, "immediate"))
8336 continue;
8337
8338 priv = nft_expr_priv(expr);
8339 if (priv->dreg != NFT_REG_VERDICT)
8340 continue;
8341
8342 data = &priv->data;
8343 switch (data->verdict.code) {
8344 case NFT_JUMP:
8345 case NFT_GOTO:
8346 err = nf_tables_check_loops(ctx,
8347 data->verdict.chain);
8348 if (err < 0)
8349 return err;
8350 default:
8351 break;
8352 }
8353 }
8354 }
8355
8356 list_for_each_entry(set, &ctx->table->sets, list) {
8357 if (!nft_is_active_next(ctx->net, set))
8358 continue;
8359 if (!(set->flags & NFT_SET_MAP) ||
8360 set->dtype != NFT_DATA_VERDICT)
8361 continue;
8362
8363 list_for_each_entry(binding, &set->bindings, list) {
8364 if (!(binding->flags & NFT_SET_MAP) ||
8365 binding->chain != chain)
8366 continue;
8367
8368 iter.genmask = nft_genmask_next(ctx->net);
8369 iter.skip = 0;
8370 iter.count = 0;
8371 iter.err = 0;
8372 iter.fn = nf_tables_loop_check_setelem;
8373
8374 set->ops->walk(ctx, set, &iter);
8375 if (iter.err < 0)
8376 return iter.err;
8377 }
8378 }
8379
8380 return 0;
8381 }
8382
8383 /**
8384 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
8385 *
8386 * @attr: netlink attribute to fetch value from
8387 * @max: maximum value to be stored in dest
8388 * @dest: pointer to the variable
8389 *
8390 * Parse, check and store a given u32 netlink attribute into variable.
8391 * This function returns -ERANGE if the value goes over maximum value.
8392 * Otherwise a 0 is returned and the attribute value is stored in the
8393 * destination variable.
8394 */
nft_parse_u32_check(const struct nlattr * attr,int max,u32 * dest)8395 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
8396 {
8397 u32 val;
8398
8399 val = ntohl(nla_get_be32(attr));
8400 if (val > max)
8401 return -ERANGE;
8402
8403 *dest = val;
8404 return 0;
8405 }
8406 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
8407
8408 /**
8409 * nft_parse_register - parse a register value from a netlink attribute
8410 *
8411 * @attr: netlink attribute
8412 *
8413 * Parse and translate a register value from a netlink attribute.
8414 * Registers used to be 128 bit wide, these register numbers will be
8415 * mapped to the corresponding 32 bit register numbers.
8416 */
nft_parse_register(const struct nlattr * attr)8417 unsigned int nft_parse_register(const struct nlattr *attr)
8418 {
8419 unsigned int reg;
8420
8421 reg = ntohl(nla_get_be32(attr));
8422 switch (reg) {
8423 case NFT_REG_VERDICT...NFT_REG_4:
8424 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
8425 default:
8426 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
8427 }
8428 }
8429 EXPORT_SYMBOL_GPL(nft_parse_register);
8430
8431 /**
8432 * nft_dump_register - dump a register value to a netlink attribute
8433 *
8434 * @skb: socket buffer
8435 * @attr: attribute number
8436 * @reg: register number
8437 *
8438 * Construct a netlink attribute containing the register number. For
8439 * compatibility reasons, register numbers being a multiple of 4 are
8440 * translated to the corresponding 128 bit register numbers.
8441 */
nft_dump_register(struct sk_buff * skb,unsigned int attr,unsigned int reg)8442 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
8443 {
8444 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
8445 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
8446 else
8447 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
8448
8449 return nla_put_be32(skb, attr, htonl(reg));
8450 }
8451 EXPORT_SYMBOL_GPL(nft_dump_register);
8452
8453 /**
8454 * nft_validate_register_load - validate a load from a register
8455 *
8456 * @reg: the register number
8457 * @len: the length of the data
8458 *
8459 * Validate that the input register is one of the general purpose
8460 * registers and that the length of the load is within the bounds.
8461 */
nft_validate_register_load(enum nft_registers reg,unsigned int len)8462 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
8463 {
8464 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
8465 return -EINVAL;
8466 if (len == 0)
8467 return -EINVAL;
8468 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
8469 return -ERANGE;
8470
8471 return 0;
8472 }
8473 EXPORT_SYMBOL_GPL(nft_validate_register_load);
8474
8475 /**
8476 * nft_validate_register_store - validate an expressions' register store
8477 *
8478 * @ctx: context of the expression performing the load
8479 * @reg: the destination register number
8480 * @data: the data to load
8481 * @type: the data type
8482 * @len: the length of the data
8483 *
8484 * Validate that a data load uses the appropriate data type for
8485 * the destination register and the length is within the bounds.
8486 * A value of NULL for the data means that its runtime gathered
8487 * data.
8488 */
nft_validate_register_store(const struct nft_ctx * ctx,enum nft_registers reg,const struct nft_data * data,enum nft_data_types type,unsigned int len)8489 int nft_validate_register_store(const struct nft_ctx *ctx,
8490 enum nft_registers reg,
8491 const struct nft_data *data,
8492 enum nft_data_types type, unsigned int len)
8493 {
8494 int err;
8495
8496 switch (reg) {
8497 case NFT_REG_VERDICT:
8498 if (type != NFT_DATA_VERDICT)
8499 return -EINVAL;
8500
8501 if (data != NULL &&
8502 (data->verdict.code == NFT_GOTO ||
8503 data->verdict.code == NFT_JUMP)) {
8504 err = nf_tables_check_loops(ctx, data->verdict.chain);
8505 if (err < 0)
8506 return err;
8507 }
8508
8509 return 0;
8510 default:
8511 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
8512 return -EINVAL;
8513 if (len == 0)
8514 return -EINVAL;
8515 if (reg * NFT_REG32_SIZE + len >
8516 sizeof_field(struct nft_regs, data))
8517 return -ERANGE;
8518
8519 if (data != NULL && type != NFT_DATA_VALUE)
8520 return -EINVAL;
8521 return 0;
8522 }
8523 }
8524 EXPORT_SYMBOL_GPL(nft_validate_register_store);
8525
8526 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
8527 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
8528 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
8529 .len = NFT_CHAIN_MAXNAMELEN - 1 },
8530 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
8531 };
8532
nft_verdict_init(const struct nft_ctx * ctx,struct nft_data * data,struct nft_data_desc * desc,const struct nlattr * nla)8533 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
8534 struct nft_data_desc *desc, const struct nlattr *nla)
8535 {
8536 u8 genmask = nft_genmask_next(ctx->net);
8537 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
8538 struct nft_chain *chain;
8539 int err;
8540
8541 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
8542 nft_verdict_policy, NULL);
8543 if (err < 0)
8544 return err;
8545
8546 if (!tb[NFTA_VERDICT_CODE])
8547 return -EINVAL;
8548 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
8549
8550 switch (data->verdict.code) {
8551 default:
8552 switch (data->verdict.code & NF_VERDICT_MASK) {
8553 case NF_ACCEPT:
8554 case NF_DROP:
8555 case NF_QUEUE:
8556 break;
8557 default:
8558 return -EINVAL;
8559 }
8560 fallthrough;
8561 case NFT_CONTINUE:
8562 case NFT_BREAK:
8563 case NFT_RETURN:
8564 break;
8565 case NFT_JUMP:
8566 case NFT_GOTO:
8567 if (tb[NFTA_VERDICT_CHAIN]) {
8568 chain = nft_chain_lookup(ctx->net, ctx->table,
8569 tb[NFTA_VERDICT_CHAIN],
8570 genmask);
8571 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
8572 chain = nft_chain_lookup_byid(ctx->net,
8573 tb[NFTA_VERDICT_CHAIN_ID]);
8574 if (IS_ERR(chain))
8575 return PTR_ERR(chain);
8576 } else {
8577 return -EINVAL;
8578 }
8579
8580 if (IS_ERR(chain))
8581 return PTR_ERR(chain);
8582 if (nft_is_base_chain(chain))
8583 return -EOPNOTSUPP;
8584
8585 chain->use++;
8586 data->verdict.chain = chain;
8587 break;
8588 }
8589
8590 desc->len = sizeof(data->verdict);
8591 desc->type = NFT_DATA_VERDICT;
8592 return 0;
8593 }
8594
nft_verdict_uninit(const struct nft_data * data)8595 static void nft_verdict_uninit(const struct nft_data *data)
8596 {
8597 struct nft_chain *chain;
8598 struct nft_rule *rule;
8599
8600 switch (data->verdict.code) {
8601 case NFT_JUMP:
8602 case NFT_GOTO:
8603 chain = data->verdict.chain;
8604 chain->use--;
8605
8606 if (!nft_chain_is_bound(chain))
8607 break;
8608
8609 chain->table->use--;
8610 list_for_each_entry(rule, &chain->rules, list)
8611 chain->use--;
8612
8613 nft_chain_del(chain);
8614 break;
8615 }
8616 }
8617
nft_verdict_dump(struct sk_buff * skb,int type,const struct nft_verdict * v)8618 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
8619 {
8620 struct nlattr *nest;
8621
8622 nest = nla_nest_start_noflag(skb, type);
8623 if (!nest)
8624 goto nla_put_failure;
8625
8626 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
8627 goto nla_put_failure;
8628
8629 switch (v->code) {
8630 case NFT_JUMP:
8631 case NFT_GOTO:
8632 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
8633 v->chain->name))
8634 goto nla_put_failure;
8635 }
8636 nla_nest_end(skb, nest);
8637 return 0;
8638
8639 nla_put_failure:
8640 return -1;
8641 }
8642
nft_value_init(const struct nft_ctx * ctx,struct nft_data * data,unsigned int size,struct nft_data_desc * desc,const struct nlattr * nla)8643 static int nft_value_init(const struct nft_ctx *ctx,
8644 struct nft_data *data, unsigned int size,
8645 struct nft_data_desc *desc, const struct nlattr *nla)
8646 {
8647 unsigned int len;
8648
8649 len = nla_len(nla);
8650 if (len == 0)
8651 return -EINVAL;
8652 if (len > size)
8653 return -EOVERFLOW;
8654
8655 nla_memcpy(data->data, nla, len);
8656 desc->type = NFT_DATA_VALUE;
8657 desc->len = len;
8658 return 0;
8659 }
8660
nft_value_dump(struct sk_buff * skb,const struct nft_data * data,unsigned int len)8661 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
8662 unsigned int len)
8663 {
8664 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
8665 }
8666
8667 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
8668 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
8669 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
8670 };
8671
8672 /**
8673 * nft_data_init - parse nf_tables data netlink attributes
8674 *
8675 * @ctx: context of the expression using the data
8676 * @data: destination struct nft_data
8677 * @size: maximum data length
8678 * @desc: data description
8679 * @nla: netlink attribute containing data
8680 *
8681 * Parse the netlink data attributes and initialize a struct nft_data.
8682 * The type and length of data are returned in the data description.
8683 *
8684 * The caller can indicate that it only wants to accept data of type
8685 * NFT_DATA_VALUE by passing NULL for the ctx argument.
8686 */
nft_data_init(const struct nft_ctx * ctx,struct nft_data * data,unsigned int size,struct nft_data_desc * desc,const struct nlattr * nla)8687 int nft_data_init(const struct nft_ctx *ctx,
8688 struct nft_data *data, unsigned int size,
8689 struct nft_data_desc *desc, const struct nlattr *nla)
8690 {
8691 struct nlattr *tb[NFTA_DATA_MAX + 1];
8692 int err;
8693
8694 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
8695 nft_data_policy, NULL);
8696 if (err < 0)
8697 return err;
8698
8699 if (tb[NFTA_DATA_VALUE])
8700 return nft_value_init(ctx, data, size, desc,
8701 tb[NFTA_DATA_VALUE]);
8702 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
8703 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
8704 return -EINVAL;
8705 }
8706 EXPORT_SYMBOL_GPL(nft_data_init);
8707
8708 /**
8709 * nft_data_release - release a nft_data item
8710 *
8711 * @data: struct nft_data to release
8712 * @type: type of data
8713 *
8714 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
8715 * all others need to be released by calling this function.
8716 */
nft_data_release(const struct nft_data * data,enum nft_data_types type)8717 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
8718 {
8719 if (type < NFT_DATA_VERDICT)
8720 return;
8721 switch (type) {
8722 case NFT_DATA_VERDICT:
8723 return nft_verdict_uninit(data);
8724 default:
8725 WARN_ON(1);
8726 }
8727 }
8728 EXPORT_SYMBOL_GPL(nft_data_release);
8729
nft_data_dump(struct sk_buff * skb,int attr,const struct nft_data * data,enum nft_data_types type,unsigned int len)8730 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
8731 enum nft_data_types type, unsigned int len)
8732 {
8733 struct nlattr *nest;
8734 int err;
8735
8736 nest = nla_nest_start_noflag(skb, attr);
8737 if (nest == NULL)
8738 return -1;
8739
8740 switch (type) {
8741 case NFT_DATA_VALUE:
8742 err = nft_value_dump(skb, data, len);
8743 break;
8744 case NFT_DATA_VERDICT:
8745 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
8746 break;
8747 default:
8748 err = -EINVAL;
8749 WARN_ON(1);
8750 }
8751
8752 nla_nest_end(skb, nest);
8753 return err;
8754 }
8755 EXPORT_SYMBOL_GPL(nft_data_dump);
8756
__nft_release_basechain(struct nft_ctx * ctx)8757 int __nft_release_basechain(struct nft_ctx *ctx)
8758 {
8759 struct nft_rule *rule, *nr;
8760
8761 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
8762 return 0;
8763
8764 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
8765 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
8766 list_del(&rule->list);
8767 ctx->chain->use--;
8768 nf_tables_rule_release(ctx, rule);
8769 }
8770 nft_chain_del(ctx->chain);
8771 ctx->table->use--;
8772 nf_tables_chain_destroy(ctx);
8773
8774 return 0;
8775 }
8776 EXPORT_SYMBOL_GPL(__nft_release_basechain);
8777
__nft_release_tables(struct net * net)8778 static void __nft_release_tables(struct net *net)
8779 {
8780 struct nft_flowtable *flowtable, *nf;
8781 struct nft_table *table, *nt;
8782 struct nft_chain *chain, *nc;
8783 struct nft_object *obj, *ne;
8784 struct nft_rule *rule, *nr;
8785 struct nft_set *set, *ns;
8786 struct nft_ctx ctx = {
8787 .net = net,
8788 .family = NFPROTO_NETDEV,
8789 };
8790
8791 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
8792 ctx.family = table->family;
8793
8794 list_for_each_entry(chain, &table->chains, list)
8795 nf_tables_unregister_hook(net, table, chain);
8796 /* No packets are walking on these chains anymore. */
8797 ctx.table = table;
8798 list_for_each_entry(chain, &table->chains, list) {
8799 ctx.chain = chain;
8800 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
8801 list_del(&rule->list);
8802 chain->use--;
8803 nf_tables_rule_release(&ctx, rule);
8804 }
8805 }
8806 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
8807 list_del(&flowtable->list);
8808 table->use--;
8809 nf_tables_flowtable_destroy(flowtable);
8810 }
8811 list_for_each_entry_safe(set, ns, &table->sets, list) {
8812 list_del(&set->list);
8813 table->use--;
8814 nft_set_destroy(&ctx, set);
8815 }
8816 list_for_each_entry_safe(obj, ne, &table->objects, list) {
8817 nft_obj_del(obj);
8818 table->use--;
8819 nft_obj_destroy(&ctx, obj);
8820 }
8821 list_for_each_entry_safe(chain, nc, &table->chains, list) {
8822 ctx.chain = chain;
8823 nft_chain_del(chain);
8824 table->use--;
8825 nf_tables_chain_destroy(&ctx);
8826 }
8827 list_del(&table->list);
8828 nf_tables_table_destroy(&ctx);
8829 }
8830 }
8831
nf_tables_init_net(struct net * net)8832 static int __net_init nf_tables_init_net(struct net *net)
8833 {
8834 INIT_LIST_HEAD(&net->nft.tables);
8835 INIT_LIST_HEAD(&net->nft.commit_list);
8836 INIT_LIST_HEAD(&net->nft.module_list);
8837 INIT_LIST_HEAD(&net->nft.notify_list);
8838 mutex_init(&net->nft.commit_mutex);
8839 net->nft.base_seq = 1;
8840 net->nft.validate_state = NFT_VALIDATE_SKIP;
8841
8842 return 0;
8843 }
8844
nf_tables_exit_net(struct net * net)8845 static void __net_exit nf_tables_exit_net(struct net *net)
8846 {
8847 mutex_lock(&net->nft.commit_mutex);
8848 if (!list_empty(&net->nft.commit_list))
8849 __nf_tables_abort(net, NFNL_ABORT_NONE);
8850 __nft_release_tables(net);
8851 mutex_unlock(&net->nft.commit_mutex);
8852 WARN_ON_ONCE(!list_empty(&net->nft.tables));
8853 WARN_ON_ONCE(!list_empty(&net->nft.module_list));
8854 WARN_ON_ONCE(!list_empty(&net->nft.notify_list));
8855 }
8856
8857 static struct pernet_operations nf_tables_net_ops = {
8858 .init = nf_tables_init_net,
8859 .exit = nf_tables_exit_net,
8860 };
8861
nf_tables_module_init(void)8862 static int __init nf_tables_module_init(void)
8863 {
8864 int err;
8865
8866 spin_lock_init(&nf_tables_destroy_list_lock);
8867 err = register_pernet_subsys(&nf_tables_net_ops);
8868 if (err < 0)
8869 return err;
8870
8871 err = nft_chain_filter_init();
8872 if (err < 0)
8873 goto err1;
8874
8875 err = nf_tables_core_module_init();
8876 if (err < 0)
8877 goto err2;
8878
8879 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
8880 if (err < 0)
8881 goto err3;
8882
8883 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
8884 if (err < 0)
8885 goto err4;
8886
8887 err = nft_offload_init();
8888 if (err < 0)
8889 goto err5;
8890
8891 /* must be last */
8892 err = nfnetlink_subsys_register(&nf_tables_subsys);
8893 if (err < 0)
8894 goto err6;
8895
8896 nft_chain_route_init();
8897
8898 return err;
8899 err6:
8900 nft_offload_exit();
8901 err5:
8902 rhltable_destroy(&nft_objname_ht);
8903 err4:
8904 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
8905 err3:
8906 nf_tables_core_module_exit();
8907 err2:
8908 nft_chain_filter_fini();
8909 err1:
8910 unregister_pernet_subsys(&nf_tables_net_ops);
8911 return err;
8912 }
8913
nf_tables_module_exit(void)8914 static void __exit nf_tables_module_exit(void)
8915 {
8916 nfnetlink_subsys_unregister(&nf_tables_subsys);
8917 nft_offload_exit();
8918 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
8919 nft_chain_filter_fini();
8920 nft_chain_route_fini();
8921 unregister_pernet_subsys(&nf_tables_net_ops);
8922 cancel_work_sync(&trans_destroy_work);
8923 rcu_barrier();
8924 rhltable_destroy(&nft_objname_ht);
8925 nf_tables_core_module_exit();
8926 }
8927
8928 module_init(nf_tables_module_init);
8929 module_exit(nf_tables_module_exit);
8930
8931 MODULE_LICENSE("GPL");
8932 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
8933 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
8934
