1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 *
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
6 */
7
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/netfilter.h>
16 #include <linux/netfilter/nfnetlink.h>
17 #include <linux/netfilter/nf_tables.h>
18 #include <net/netfilter/nf_flow_table.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/netfilter/nf_tables_offload.h>
22 #include <net/net_namespace.h>
23 #include <net/sock.h>
24
25 static LIST_HEAD(nf_tables_expressions);
26 static LIST_HEAD(nf_tables_objects);
27 static LIST_HEAD(nf_tables_flowtables);
28 static LIST_HEAD(nf_tables_destroy_list);
29 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
30 static u64 table_handle;
31
32 enum {
33 NFT_VALIDATE_SKIP = 0,
34 NFT_VALIDATE_NEED,
35 NFT_VALIDATE_DO,
36 };
37
38 static struct rhltable nft_objname_ht;
39
40 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
41 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
42 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
43
44 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
45 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
46 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
47
48 static const struct rhashtable_params nft_chain_ht_params = {
49 .head_offset = offsetof(struct nft_chain, rhlhead),
50 .key_offset = offsetof(struct nft_chain, name),
51 .hashfn = nft_chain_hash,
52 .obj_hashfn = nft_chain_hash_obj,
53 .obj_cmpfn = nft_chain_hash_cmp,
54 .automatic_shrinking = true,
55 };
56
57 static const struct rhashtable_params nft_objname_ht_params = {
58 .head_offset = offsetof(struct nft_object, rhlhead),
59 .key_offset = offsetof(struct nft_object, key),
60 .hashfn = nft_objname_hash,
61 .obj_hashfn = nft_objname_hash_obj,
62 .obj_cmpfn = nft_objname_hash_cmp,
63 .automatic_shrinking = true,
64 };
65
nft_validate_state_update(struct net * net,u8 new_validate_state)66 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
67 {
68 switch (net->nft.validate_state) {
69 case NFT_VALIDATE_SKIP:
70 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
71 break;
72 case NFT_VALIDATE_NEED:
73 break;
74 case NFT_VALIDATE_DO:
75 if (new_validate_state == NFT_VALIDATE_NEED)
76 return;
77 }
78
79 net->nft.validate_state = new_validate_state;
80 }
81 static void nf_tables_trans_destroy_work(struct work_struct *w);
82 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
83
nft_ctx_init(struct nft_ctx * ctx,struct net * net,const struct sk_buff * skb,const struct nlmsghdr * nlh,u8 family,struct nft_table * table,struct nft_chain * chain,const struct nlattr * const * nla)84 static void nft_ctx_init(struct nft_ctx *ctx,
85 struct net *net,
86 const struct sk_buff *skb,
87 const struct nlmsghdr *nlh,
88 u8 family,
89 struct nft_table *table,
90 struct nft_chain *chain,
91 const struct nlattr * const *nla)
92 {
93 ctx->net = net;
94 ctx->family = family;
95 ctx->level = 0;
96 ctx->table = table;
97 ctx->chain = chain;
98 ctx->nla = nla;
99 ctx->portid = NETLINK_CB(skb).portid;
100 ctx->report = nlmsg_report(nlh);
101 ctx->flags = nlh->nlmsg_flags;
102 ctx->seq = nlh->nlmsg_seq;
103 }
104
nft_trans_alloc_gfp(const struct nft_ctx * ctx,int msg_type,u32 size,gfp_t gfp)105 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
106 int msg_type, u32 size, gfp_t gfp)
107 {
108 struct nft_trans *trans;
109
110 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
111 if (trans == NULL)
112 return NULL;
113
114 trans->msg_type = msg_type;
115 trans->ctx = *ctx;
116
117 return trans;
118 }
119
nft_trans_alloc(const struct nft_ctx * ctx,int msg_type,u32 size)120 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
121 int msg_type, u32 size)
122 {
123 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
124 }
125
nft_trans_destroy(struct nft_trans * trans)126 static void nft_trans_destroy(struct nft_trans *trans)
127 {
128 list_del(&trans->list);
129 kfree(trans);
130 }
131
nft_set_trans_bind(const struct nft_ctx * ctx,struct nft_set * set)132 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
133 {
134 struct net *net = ctx->net;
135 struct nft_trans *trans;
136
137 if (!nft_set_is_anonymous(set))
138 return;
139
140 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
141 switch (trans->msg_type) {
142 case NFT_MSG_NEWSET:
143 if (nft_trans_set(trans) == set)
144 nft_trans_set_bound(trans) = true;
145 break;
146 case NFT_MSG_NEWSETELEM:
147 if (nft_trans_elem_set(trans) == set)
148 nft_trans_elem_set_bound(trans) = true;
149 break;
150 }
151 }
152 }
153
nf_tables_register_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain)154 static int nf_tables_register_hook(struct net *net,
155 const struct nft_table *table,
156 struct nft_chain *chain)
157 {
158 const struct nft_base_chain *basechain;
159 const struct nf_hook_ops *ops;
160
161 if (table->flags & NFT_TABLE_F_DORMANT ||
162 !nft_is_base_chain(chain))
163 return 0;
164
165 basechain = nft_base_chain(chain);
166 ops = &basechain->ops;
167
168 if (basechain->type->ops_register)
169 return basechain->type->ops_register(net, ops);
170
171 return nf_register_net_hook(net, ops);
172 }
173
nf_tables_unregister_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain)174 static void nf_tables_unregister_hook(struct net *net,
175 const struct nft_table *table,
176 struct nft_chain *chain)
177 {
178 const struct nft_base_chain *basechain;
179 const struct nf_hook_ops *ops;
180
181 if (table->flags & NFT_TABLE_F_DORMANT ||
182 !nft_is_base_chain(chain))
183 return;
184 basechain = nft_base_chain(chain);
185 ops = &basechain->ops;
186
187 if (basechain->type->ops_unregister)
188 return basechain->type->ops_unregister(net, ops);
189
190 nf_unregister_net_hook(net, ops);
191 }
192
nft_trans_table_add(struct nft_ctx * ctx,int msg_type)193 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
194 {
195 struct nft_trans *trans;
196
197 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
198 if (trans == NULL)
199 return -ENOMEM;
200
201 if (msg_type == NFT_MSG_NEWTABLE)
202 nft_activate_next(ctx->net, ctx->table);
203
204 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
205 return 0;
206 }
207
nft_deltable(struct nft_ctx * ctx)208 static int nft_deltable(struct nft_ctx *ctx)
209 {
210 int err;
211
212 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
213 if (err < 0)
214 return err;
215
216 nft_deactivate_next(ctx->net, ctx->table);
217 return err;
218 }
219
nft_trans_chain_add(struct nft_ctx * ctx,int msg_type)220 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
221 {
222 struct nft_trans *trans;
223
224 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
225 if (trans == NULL)
226 return ERR_PTR(-ENOMEM);
227
228 if (msg_type == NFT_MSG_NEWCHAIN)
229 nft_activate_next(ctx->net, ctx->chain);
230
231 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
232 return trans;
233 }
234
nft_delchain(struct nft_ctx * ctx)235 static int nft_delchain(struct nft_ctx *ctx)
236 {
237 struct nft_trans *trans;
238
239 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
240 if (IS_ERR(trans))
241 return PTR_ERR(trans);
242
243 ctx->table->use--;
244 nft_deactivate_next(ctx->net, ctx->chain);
245
246 return 0;
247 }
248
nft_rule_expr_activate(const struct nft_ctx * ctx,struct nft_rule * rule)249 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
250 struct nft_rule *rule)
251 {
252 struct nft_expr *expr;
253
254 expr = nft_expr_first(rule);
255 while (expr != nft_expr_last(rule) && expr->ops) {
256 if (expr->ops->activate)
257 expr->ops->activate(ctx, expr);
258
259 expr = nft_expr_next(expr);
260 }
261 }
262
nft_rule_expr_deactivate(const struct nft_ctx * ctx,struct nft_rule * rule,enum nft_trans_phase phase)263 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
264 struct nft_rule *rule,
265 enum nft_trans_phase phase)
266 {
267 struct nft_expr *expr;
268
269 expr = nft_expr_first(rule);
270 while (expr != nft_expr_last(rule) && expr->ops) {
271 if (expr->ops->deactivate)
272 expr->ops->deactivate(ctx, expr, phase);
273
274 expr = nft_expr_next(expr);
275 }
276 }
277
278 static int
nf_tables_delrule_deactivate(struct nft_ctx * ctx,struct nft_rule * rule)279 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
280 {
281 /* You cannot delete the same rule twice */
282 if (nft_is_active_next(ctx->net, rule)) {
283 nft_deactivate_next(ctx->net, rule);
284 ctx->chain->use--;
285 return 0;
286 }
287 return -ENOENT;
288 }
289
nft_trans_rule_add(struct nft_ctx * ctx,int msg_type,struct nft_rule * rule)290 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
291 struct nft_rule *rule)
292 {
293 struct nft_trans *trans;
294
295 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
296 if (trans == NULL)
297 return NULL;
298
299 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
300 nft_trans_rule_id(trans) =
301 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
302 }
303 nft_trans_rule(trans) = rule;
304 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
305
306 return trans;
307 }
308
nft_delrule(struct nft_ctx * ctx,struct nft_rule * rule)309 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
310 {
311 struct nft_trans *trans;
312 int err;
313
314 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
315 if (trans == NULL)
316 return -ENOMEM;
317
318 err = nf_tables_delrule_deactivate(ctx, rule);
319 if (err < 0) {
320 nft_trans_destroy(trans);
321 return err;
322 }
323 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
324
325 return 0;
326 }
327
nft_delrule_by_chain(struct nft_ctx * ctx)328 static int nft_delrule_by_chain(struct nft_ctx *ctx)
329 {
330 struct nft_rule *rule;
331 int err;
332
333 list_for_each_entry(rule, &ctx->chain->rules, list) {
334 if (!nft_is_active_next(ctx->net, rule))
335 continue;
336
337 err = nft_delrule(ctx, rule);
338 if (err < 0)
339 return err;
340 }
341 return 0;
342 }
343
nft_trans_set_add(const struct nft_ctx * ctx,int msg_type,struct nft_set * set)344 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
345 struct nft_set *set)
346 {
347 struct nft_trans *trans;
348
349 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
350 if (trans == NULL)
351 return -ENOMEM;
352
353 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
354 nft_trans_set_id(trans) =
355 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
356 nft_activate_next(ctx->net, set);
357 }
358 nft_trans_set(trans) = set;
359 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
360
361 return 0;
362 }
363
nft_delset(const struct nft_ctx * ctx,struct nft_set * set)364 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
365 {
366 int err;
367
368 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
369 if (err < 0)
370 return err;
371
372 nft_deactivate_next(ctx->net, set);
373 ctx->table->use--;
374
375 return err;
376 }
377
nft_trans_obj_add(struct nft_ctx * ctx,int msg_type,struct nft_object * obj)378 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
379 struct nft_object *obj)
380 {
381 struct nft_trans *trans;
382
383 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
384 if (trans == NULL)
385 return -ENOMEM;
386
387 if (msg_type == NFT_MSG_NEWOBJ)
388 nft_activate_next(ctx->net, obj);
389
390 nft_trans_obj(trans) = obj;
391 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
392
393 return 0;
394 }
395
nft_delobj(struct nft_ctx * ctx,struct nft_object * obj)396 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
397 {
398 int err;
399
400 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
401 if (err < 0)
402 return err;
403
404 nft_deactivate_next(ctx->net, obj);
405 ctx->table->use--;
406
407 return err;
408 }
409
nft_trans_flowtable_add(struct nft_ctx * ctx,int msg_type,struct nft_flowtable * flowtable)410 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
411 struct nft_flowtable *flowtable)
412 {
413 struct nft_trans *trans;
414
415 trans = nft_trans_alloc(ctx, msg_type,
416 sizeof(struct nft_trans_flowtable));
417 if (trans == NULL)
418 return -ENOMEM;
419
420 if (msg_type == NFT_MSG_NEWFLOWTABLE)
421 nft_activate_next(ctx->net, flowtable);
422
423 nft_trans_flowtable(trans) = flowtable;
424 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
425
426 return 0;
427 }
428
nft_delflowtable(struct nft_ctx * ctx,struct nft_flowtable * flowtable)429 static int nft_delflowtable(struct nft_ctx *ctx,
430 struct nft_flowtable *flowtable)
431 {
432 int err;
433
434 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
435 if (err < 0)
436 return err;
437
438 nft_deactivate_next(ctx->net, flowtable);
439 ctx->table->use--;
440
441 return err;
442 }
443
444 /*
445 * Tables
446 */
447
nft_table_lookup(const struct net * net,const struct nlattr * nla,u8 family,u8 genmask)448 static struct nft_table *nft_table_lookup(const struct net *net,
449 const struct nlattr *nla,
450 u8 family, u8 genmask)
451 {
452 struct nft_table *table;
453
454 if (nla == NULL)
455 return ERR_PTR(-EINVAL);
456
457 list_for_each_entry_rcu(table, &net->nft.tables, list) {
458 if (!nla_strcmp(nla, table->name) &&
459 table->family == family &&
460 nft_active_genmask(table, genmask))
461 return table;
462 }
463
464 return ERR_PTR(-ENOENT);
465 }
466
nft_table_lookup_byhandle(const struct net * net,const struct nlattr * nla,u8 genmask)467 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
468 const struct nlattr *nla,
469 u8 genmask)
470 {
471 struct nft_table *table;
472
473 list_for_each_entry(table, &net->nft.tables, list) {
474 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
475 nft_active_genmask(table, genmask))
476 return table;
477 }
478
479 return ERR_PTR(-ENOENT);
480 }
481
nf_tables_alloc_handle(struct nft_table * table)482 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
483 {
484 return ++table->hgenerator;
485 }
486
487 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
488
489 static const struct nft_chain_type *
__nf_tables_chain_type_lookup(const struct nlattr * nla,u8 family)490 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
491 {
492 int i;
493
494 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
495 if (chain_type[family][i] != NULL &&
496 !nla_strcmp(nla, chain_type[family][i]->name))
497 return chain_type[family][i];
498 }
499 return NULL;
500 }
501
502 /*
503 * Loading a module requires dropping mutex that guards the
504 * transaction.
505 * We first need to abort any pending transactions as once
506 * mutex is unlocked a different client could start a new
507 * transaction. It must not see any 'future generation'
508 * changes * as these changes will never happen.
509 */
510 #ifdef CONFIG_MODULES
511 static int __nf_tables_abort(struct net *net);
512
nft_request_module(struct net * net,const char * fmt,...)513 static void nft_request_module(struct net *net, const char *fmt, ...)
514 {
515 char module_name[MODULE_NAME_LEN];
516 va_list args;
517 int ret;
518
519 __nf_tables_abort(net);
520
521 va_start(args, fmt);
522 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
523 va_end(args);
524 if (WARN(ret >= MODULE_NAME_LEN, "truncated: '%s' (len %d)", module_name, ret))
525 return;
526
527 mutex_unlock(&net->nft.commit_mutex);
528 request_module("%s", module_name);
529 mutex_lock(&net->nft.commit_mutex);
530 }
531 #endif
532
lockdep_nfnl_nft_mutex_not_held(void)533 static void lockdep_nfnl_nft_mutex_not_held(void)
534 {
535 #ifdef CONFIG_PROVE_LOCKING
536 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
537 #endif
538 }
539
540 static const struct nft_chain_type *
nf_tables_chain_type_lookup(struct net * net,const struct nlattr * nla,u8 family,bool autoload)541 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
542 u8 family, bool autoload)
543 {
544 const struct nft_chain_type *type;
545
546 type = __nf_tables_chain_type_lookup(nla, family);
547 if (type != NULL)
548 return type;
549
550 lockdep_nfnl_nft_mutex_not_held();
551 #ifdef CONFIG_MODULES
552 if (autoload) {
553 nft_request_module(net, "nft-chain-%u-%.*s", family,
554 nla_len(nla), (const char *)nla_data(nla));
555 type = __nf_tables_chain_type_lookup(nla, family);
556 if (type != NULL)
557 return ERR_PTR(-EAGAIN);
558 }
559 #endif
560 return ERR_PTR(-ENOENT);
561 }
562
563 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
564 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
565 .len = NFT_TABLE_MAXNAMELEN - 1 },
566 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
567 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
568 };
569
nf_tables_fill_table_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table)570 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
571 u32 portid, u32 seq, int event, u32 flags,
572 int family, const struct nft_table *table)
573 {
574 struct nlmsghdr *nlh;
575 struct nfgenmsg *nfmsg;
576
577 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
578 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
579 if (nlh == NULL)
580 goto nla_put_failure;
581
582 nfmsg = nlmsg_data(nlh);
583 nfmsg->nfgen_family = family;
584 nfmsg->version = NFNETLINK_V0;
585 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
586
587 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
588 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
589 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
590 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
591 NFTA_TABLE_PAD))
592 goto nla_put_failure;
593
594 nlmsg_end(skb, nlh);
595 return 0;
596
597 nla_put_failure:
598 nlmsg_trim(skb, nlh);
599 return -1;
600 }
601
nf_tables_table_notify(const struct nft_ctx * ctx,int event)602 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
603 {
604 struct sk_buff *skb;
605 int err;
606
607 if (!ctx->report &&
608 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
609 return;
610
611 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
612 if (skb == NULL)
613 goto err;
614
615 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
616 event, 0, ctx->family, ctx->table);
617 if (err < 0) {
618 kfree_skb(skb);
619 goto err;
620 }
621
622 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
623 ctx->report, GFP_KERNEL);
624 return;
625 err:
626 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
627 }
628
nf_tables_dump_tables(struct sk_buff * skb,struct netlink_callback * cb)629 static int nf_tables_dump_tables(struct sk_buff *skb,
630 struct netlink_callback *cb)
631 {
632 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
633 const struct nft_table *table;
634 unsigned int idx = 0, s_idx = cb->args[0];
635 struct net *net = sock_net(skb->sk);
636 int family = nfmsg->nfgen_family;
637
638 rcu_read_lock();
639 cb->seq = net->nft.base_seq;
640
641 list_for_each_entry_rcu(table, &net->nft.tables, list) {
642 if (family != NFPROTO_UNSPEC && family != table->family)
643 continue;
644
645 if (idx < s_idx)
646 goto cont;
647 if (idx > s_idx)
648 memset(&cb->args[1], 0,
649 sizeof(cb->args) - sizeof(cb->args[0]));
650 if (!nft_is_active(net, table))
651 continue;
652 if (nf_tables_fill_table_info(skb, net,
653 NETLINK_CB(cb->skb).portid,
654 cb->nlh->nlmsg_seq,
655 NFT_MSG_NEWTABLE, NLM_F_MULTI,
656 table->family, table) < 0)
657 goto done;
658
659 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
660 cont:
661 idx++;
662 }
663 done:
664 rcu_read_unlock();
665 cb->args[0] = idx;
666 return skb->len;
667 }
668
nft_netlink_dump_start_rcu(struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,struct netlink_dump_control * c)669 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
670 const struct nlmsghdr *nlh,
671 struct netlink_dump_control *c)
672 {
673 int err;
674
675 if (!try_module_get(THIS_MODULE))
676 return -EINVAL;
677
678 rcu_read_unlock();
679 err = netlink_dump_start(nlsk, skb, nlh, c);
680 rcu_read_lock();
681 module_put(THIS_MODULE);
682
683 return err;
684 }
685
686 /* called with rcu_read_lock held */
nf_tables_gettable(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)687 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
688 struct sk_buff *skb, const struct nlmsghdr *nlh,
689 const struct nlattr * const nla[],
690 struct netlink_ext_ack *extack)
691 {
692 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
693 u8 genmask = nft_genmask_cur(net);
694 const struct nft_table *table;
695 struct sk_buff *skb2;
696 int family = nfmsg->nfgen_family;
697 int err;
698
699 if (nlh->nlmsg_flags & NLM_F_DUMP) {
700 struct netlink_dump_control c = {
701 .dump = nf_tables_dump_tables,
702 .module = THIS_MODULE,
703 };
704
705 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
706 }
707
708 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
709 if (IS_ERR(table)) {
710 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
711 return PTR_ERR(table);
712 }
713
714 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
715 if (!skb2)
716 return -ENOMEM;
717
718 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
719 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
720 family, table);
721 if (err < 0)
722 goto err;
723
724 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
725
726 err:
727 kfree_skb(skb2);
728 return err;
729 }
730
nft_table_disable(struct net * net,struct nft_table * table,u32 cnt)731 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
732 {
733 struct nft_chain *chain;
734 u32 i = 0;
735
736 list_for_each_entry(chain, &table->chains, list) {
737 if (!nft_is_active_next(net, chain))
738 continue;
739 if (!nft_is_base_chain(chain))
740 continue;
741
742 if (cnt && i++ == cnt)
743 break;
744
745 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
746 }
747 }
748
nf_tables_table_enable(struct net * net,struct nft_table * table)749 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
750 {
751 struct nft_chain *chain;
752 int err, i = 0;
753
754 list_for_each_entry(chain, &table->chains, list) {
755 if (!nft_is_active_next(net, chain))
756 continue;
757 if (!nft_is_base_chain(chain))
758 continue;
759
760 err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
761 if (err < 0)
762 goto err;
763
764 i++;
765 }
766 return 0;
767 err:
768 if (i)
769 nft_table_disable(net, table, i);
770 return err;
771 }
772
nf_tables_table_disable(struct net * net,struct nft_table * table)773 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
774 {
775 nft_table_disable(net, table, 0);
776 }
777
nf_tables_updtable(struct nft_ctx * ctx)778 static int nf_tables_updtable(struct nft_ctx *ctx)
779 {
780 struct nft_trans *trans;
781 u32 flags;
782 int ret = 0;
783
784 if (!ctx->nla[NFTA_TABLE_FLAGS])
785 return 0;
786
787 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
788 if (flags & ~NFT_TABLE_F_DORMANT)
789 return -EINVAL;
790
791 if (flags == ctx->table->flags)
792 return 0;
793
794 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
795 sizeof(struct nft_trans_table));
796 if (trans == NULL)
797 return -ENOMEM;
798
799 if ((flags & NFT_TABLE_F_DORMANT) &&
800 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
801 nft_trans_table_enable(trans) = false;
802 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
803 ctx->table->flags & NFT_TABLE_F_DORMANT) {
804 ret = nf_tables_table_enable(ctx->net, ctx->table);
805 if (ret >= 0) {
806 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
807 nft_trans_table_enable(trans) = true;
808 }
809 }
810 if (ret < 0)
811 goto err;
812
813 nft_trans_table_update(trans) = true;
814 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
815 return 0;
816 err:
817 nft_trans_destroy(trans);
818 return ret;
819 }
820
nft_chain_hash(const void * data,u32 len,u32 seed)821 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
822 {
823 const char *name = data;
824
825 return jhash(name, strlen(name), seed);
826 }
827
nft_chain_hash_obj(const void * data,u32 len,u32 seed)828 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
829 {
830 const struct nft_chain *chain = data;
831
832 return nft_chain_hash(chain->name, 0, seed);
833 }
834
nft_chain_hash_cmp(struct rhashtable_compare_arg * arg,const void * ptr)835 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
836 const void *ptr)
837 {
838 const struct nft_chain *chain = ptr;
839 const char *name = arg->key;
840
841 return strcmp(chain->name, name);
842 }
843
nft_objname_hash(const void * data,u32 len,u32 seed)844 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
845 {
846 const struct nft_object_hash_key *k = data;
847
848 seed ^= hash_ptr(k->table, 32);
849
850 return jhash(k->name, strlen(k->name), seed);
851 }
852
nft_objname_hash_obj(const void * data,u32 len,u32 seed)853 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
854 {
855 const struct nft_object *obj = data;
856
857 return nft_objname_hash(&obj->key, 0, seed);
858 }
859
nft_objname_hash_cmp(struct rhashtable_compare_arg * arg,const void * ptr)860 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
861 const void *ptr)
862 {
863 const struct nft_object_hash_key *k = arg->key;
864 const struct nft_object *obj = ptr;
865
866 if (obj->key.table != k->table)
867 return -1;
868
869 return strcmp(obj->key.name, k->name);
870 }
871
nf_tables_newtable(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)872 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
873 struct sk_buff *skb, const struct nlmsghdr *nlh,
874 const struct nlattr * const nla[],
875 struct netlink_ext_ack *extack)
876 {
877 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
878 u8 genmask = nft_genmask_next(net);
879 int family = nfmsg->nfgen_family;
880 const struct nlattr *attr;
881 struct nft_table *table;
882 u32 flags = 0;
883 struct nft_ctx ctx;
884 int err;
885
886 lockdep_assert_held(&net->nft.commit_mutex);
887 attr = nla[NFTA_TABLE_NAME];
888 table = nft_table_lookup(net, attr, family, genmask);
889 if (IS_ERR(table)) {
890 if (PTR_ERR(table) != -ENOENT)
891 return PTR_ERR(table);
892 } else {
893 if (nlh->nlmsg_flags & NLM_F_EXCL) {
894 NL_SET_BAD_ATTR(extack, attr);
895 return -EEXIST;
896 }
897 if (nlh->nlmsg_flags & NLM_F_REPLACE)
898 return -EOPNOTSUPP;
899
900 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
901 return nf_tables_updtable(&ctx);
902 }
903
904 if (nla[NFTA_TABLE_FLAGS]) {
905 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
906 if (flags & ~NFT_TABLE_F_DORMANT)
907 return -EINVAL;
908 }
909
910 err = -ENOMEM;
911 table = kzalloc(sizeof(*table), GFP_KERNEL);
912 if (table == NULL)
913 goto err_kzalloc;
914
915 table->name = nla_strdup(attr, GFP_KERNEL);
916 if (table->name == NULL)
917 goto err_strdup;
918
919 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
920 if (err)
921 goto err_chain_ht;
922
923 INIT_LIST_HEAD(&table->chains);
924 INIT_LIST_HEAD(&table->sets);
925 INIT_LIST_HEAD(&table->objects);
926 INIT_LIST_HEAD(&table->flowtables);
927 table->family = family;
928 table->flags = flags;
929 table->handle = ++table_handle;
930
931 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
932 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
933 if (err < 0)
934 goto err_trans;
935
936 list_add_tail_rcu(&table->list, &net->nft.tables);
937 return 0;
938 err_trans:
939 rhltable_destroy(&table->chains_ht);
940 err_chain_ht:
941 kfree(table->name);
942 err_strdup:
943 kfree(table);
944 err_kzalloc:
945 return err;
946 }
947
nft_flush_table(struct nft_ctx * ctx)948 static int nft_flush_table(struct nft_ctx *ctx)
949 {
950 struct nft_flowtable *flowtable, *nft;
951 struct nft_chain *chain, *nc;
952 struct nft_object *obj, *ne;
953 struct nft_set *set, *ns;
954 int err;
955
956 list_for_each_entry(chain, &ctx->table->chains, list) {
957 if (!nft_is_active_next(ctx->net, chain))
958 continue;
959
960 ctx->chain = chain;
961
962 err = nft_delrule_by_chain(ctx);
963 if (err < 0)
964 goto out;
965 }
966
967 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
968 if (!nft_is_active_next(ctx->net, set))
969 continue;
970
971 if (nft_set_is_anonymous(set) &&
972 !list_empty(&set->bindings))
973 continue;
974
975 err = nft_delset(ctx, set);
976 if (err < 0)
977 goto out;
978 }
979
980 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
981 err = nft_delflowtable(ctx, flowtable);
982 if (err < 0)
983 goto out;
984 }
985
986 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
987 err = nft_delobj(ctx, obj);
988 if (err < 0)
989 goto out;
990 }
991
992 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
993 if (!nft_is_active_next(ctx->net, chain))
994 continue;
995
996 ctx->chain = chain;
997
998 err = nft_delchain(ctx);
999 if (err < 0)
1000 goto out;
1001 }
1002
1003 err = nft_deltable(ctx);
1004 out:
1005 return err;
1006 }
1007
nft_flush(struct nft_ctx * ctx,int family)1008 static int nft_flush(struct nft_ctx *ctx, int family)
1009 {
1010 struct nft_table *table, *nt;
1011 const struct nlattr * const *nla = ctx->nla;
1012 int err = 0;
1013
1014 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1015 if (family != AF_UNSPEC && table->family != family)
1016 continue;
1017
1018 ctx->family = table->family;
1019
1020 if (!nft_is_active_next(ctx->net, table))
1021 continue;
1022
1023 if (nla[NFTA_TABLE_NAME] &&
1024 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1025 continue;
1026
1027 ctx->table = table;
1028
1029 err = nft_flush_table(ctx);
1030 if (err < 0)
1031 goto out;
1032 }
1033 out:
1034 return err;
1035 }
1036
nf_tables_deltable(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)1037 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1038 struct sk_buff *skb, const struct nlmsghdr *nlh,
1039 const struct nlattr * const nla[],
1040 struct netlink_ext_ack *extack)
1041 {
1042 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1043 u8 genmask = nft_genmask_next(net);
1044 int family = nfmsg->nfgen_family;
1045 const struct nlattr *attr;
1046 struct nft_table *table;
1047 struct nft_ctx ctx;
1048
1049 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1050 if (family == AF_UNSPEC ||
1051 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1052 return nft_flush(&ctx, family);
1053
1054 if (nla[NFTA_TABLE_HANDLE]) {
1055 attr = nla[NFTA_TABLE_HANDLE];
1056 table = nft_table_lookup_byhandle(net, attr, genmask);
1057 } else {
1058 attr = nla[NFTA_TABLE_NAME];
1059 table = nft_table_lookup(net, attr, family, genmask);
1060 }
1061
1062 if (IS_ERR(table)) {
1063 NL_SET_BAD_ATTR(extack, attr);
1064 return PTR_ERR(table);
1065 }
1066
1067 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1068 table->use > 0)
1069 return -EBUSY;
1070
1071 ctx.family = family;
1072 ctx.table = table;
1073
1074 return nft_flush_table(&ctx);
1075 }
1076
nf_tables_table_destroy(struct nft_ctx * ctx)1077 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1078 {
1079 if (WARN_ON(ctx->table->use > 0))
1080 return;
1081
1082 rhltable_destroy(&ctx->table->chains_ht);
1083 kfree(ctx->table->name);
1084 kfree(ctx->table);
1085 }
1086
nft_register_chain_type(const struct nft_chain_type * ctype)1087 void nft_register_chain_type(const struct nft_chain_type *ctype)
1088 {
1089 if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
1090 return;
1091
1092 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1093 if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
1094 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1095 return;
1096 }
1097 chain_type[ctype->family][ctype->type] = ctype;
1098 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1099 }
1100 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1101
nft_unregister_chain_type(const struct nft_chain_type * ctype)1102 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1103 {
1104 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1105 chain_type[ctype->family][ctype->type] = NULL;
1106 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1107 }
1108 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1109
1110 /*
1111 * Chains
1112 */
1113
1114 static struct nft_chain *
nft_chain_lookup_byhandle(const struct nft_table * table,u64 handle,u8 genmask)1115 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1116 {
1117 struct nft_chain *chain;
1118
1119 list_for_each_entry(chain, &table->chains, list) {
1120 if (chain->handle == handle &&
1121 nft_active_genmask(chain, genmask))
1122 return chain;
1123 }
1124
1125 return ERR_PTR(-ENOENT);
1126 }
1127
lockdep_commit_lock_is_held(const struct net * net)1128 static bool lockdep_commit_lock_is_held(const struct net *net)
1129 {
1130 #ifdef CONFIG_PROVE_LOCKING
1131 return lockdep_is_held(&net->nft.commit_mutex);
1132 #else
1133 return true;
1134 #endif
1135 }
1136
nft_chain_lookup(struct net * net,struct nft_table * table,const struct nlattr * nla,u8 genmask)1137 static struct nft_chain *nft_chain_lookup(struct net *net,
1138 struct nft_table *table,
1139 const struct nlattr *nla, u8 genmask)
1140 {
1141 char search[NFT_CHAIN_MAXNAMELEN + 1];
1142 struct rhlist_head *tmp, *list;
1143 struct nft_chain *chain;
1144
1145 if (nla == NULL)
1146 return ERR_PTR(-EINVAL);
1147
1148 nla_strlcpy(search, nla, sizeof(search));
1149
1150 WARN_ON(!rcu_read_lock_held() &&
1151 !lockdep_commit_lock_is_held(net));
1152
1153 chain = ERR_PTR(-ENOENT);
1154 rcu_read_lock();
1155 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1156 if (!list)
1157 goto out_unlock;
1158
1159 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1160 if (nft_active_genmask(chain, genmask))
1161 goto out_unlock;
1162 }
1163 chain = ERR_PTR(-ENOENT);
1164 out_unlock:
1165 rcu_read_unlock();
1166 return chain;
1167 }
1168
1169 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1170 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1171 .len = NFT_TABLE_MAXNAMELEN - 1 },
1172 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1173 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1174 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1175 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1176 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1177 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
1178 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1179 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1180 };
1181
1182 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1183 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1184 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1185 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1186 .len = IFNAMSIZ - 1 },
1187 };
1188
nft_dump_stats(struct sk_buff * skb,struct nft_stats __percpu * stats)1189 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1190 {
1191 struct nft_stats *cpu_stats, total;
1192 struct nlattr *nest;
1193 unsigned int seq;
1194 u64 pkts, bytes;
1195 int cpu;
1196
1197 if (!stats)
1198 return 0;
1199
1200 memset(&total, 0, sizeof(total));
1201 for_each_possible_cpu(cpu) {
1202 cpu_stats = per_cpu_ptr(stats, cpu);
1203 do {
1204 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1205 pkts = cpu_stats->pkts;
1206 bytes = cpu_stats->bytes;
1207 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1208 total.pkts += pkts;
1209 total.bytes += bytes;
1210 }
1211 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1212 if (nest == NULL)
1213 goto nla_put_failure;
1214
1215 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1216 NFTA_COUNTER_PAD) ||
1217 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1218 NFTA_COUNTER_PAD))
1219 goto nla_put_failure;
1220
1221 nla_nest_end(skb, nest);
1222 return 0;
1223
1224 nla_put_failure:
1225 return -ENOSPC;
1226 }
1227
nf_tables_fill_chain_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,const struct nft_chain * chain)1228 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1229 u32 portid, u32 seq, int event, u32 flags,
1230 int family, const struct nft_table *table,
1231 const struct nft_chain *chain)
1232 {
1233 struct nlmsghdr *nlh;
1234 struct nfgenmsg *nfmsg;
1235
1236 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1237 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1238 if (nlh == NULL)
1239 goto nla_put_failure;
1240
1241 nfmsg = nlmsg_data(nlh);
1242 nfmsg->nfgen_family = family;
1243 nfmsg->version = NFNETLINK_V0;
1244 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1245
1246 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1247 goto nla_put_failure;
1248 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1249 NFTA_CHAIN_PAD))
1250 goto nla_put_failure;
1251 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1252 goto nla_put_failure;
1253
1254 if (nft_is_base_chain(chain)) {
1255 const struct nft_base_chain *basechain = nft_base_chain(chain);
1256 const struct nf_hook_ops *ops = &basechain->ops;
1257 struct nft_stats __percpu *stats;
1258 struct nlattr *nest;
1259
1260 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1261 if (nest == NULL)
1262 goto nla_put_failure;
1263 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1264 goto nla_put_failure;
1265 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1266 goto nla_put_failure;
1267 if (basechain->dev_name[0] &&
1268 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1269 goto nla_put_failure;
1270 nla_nest_end(skb, nest);
1271
1272 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1273 htonl(basechain->policy)))
1274 goto nla_put_failure;
1275
1276 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1277 goto nla_put_failure;
1278
1279 stats = rcu_dereference_check(basechain->stats,
1280 lockdep_commit_lock_is_held(net));
1281 if (nft_dump_stats(skb, stats))
1282 goto nla_put_failure;
1283 }
1284
1285 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1286 goto nla_put_failure;
1287
1288 nlmsg_end(skb, nlh);
1289 return 0;
1290
1291 nla_put_failure:
1292 nlmsg_trim(skb, nlh);
1293 return -1;
1294 }
1295
nf_tables_chain_notify(const struct nft_ctx * ctx,int event)1296 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1297 {
1298 struct sk_buff *skb;
1299 int err;
1300
1301 if (!ctx->report &&
1302 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1303 return;
1304
1305 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1306 if (skb == NULL)
1307 goto err;
1308
1309 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1310 event, 0, ctx->family, ctx->table,
1311 ctx->chain);
1312 if (err < 0) {
1313 kfree_skb(skb);
1314 goto err;
1315 }
1316
1317 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1318 ctx->report, GFP_KERNEL);
1319 return;
1320 err:
1321 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1322 }
1323
nf_tables_dump_chains(struct sk_buff * skb,struct netlink_callback * cb)1324 static int nf_tables_dump_chains(struct sk_buff *skb,
1325 struct netlink_callback *cb)
1326 {
1327 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1328 const struct nft_table *table;
1329 const struct nft_chain *chain;
1330 unsigned int idx = 0, s_idx = cb->args[0];
1331 struct net *net = sock_net(skb->sk);
1332 int family = nfmsg->nfgen_family;
1333
1334 rcu_read_lock();
1335 cb->seq = net->nft.base_seq;
1336
1337 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1338 if (family != NFPROTO_UNSPEC && family != table->family)
1339 continue;
1340
1341 list_for_each_entry_rcu(chain, &table->chains, list) {
1342 if (idx < s_idx)
1343 goto cont;
1344 if (idx > s_idx)
1345 memset(&cb->args[1], 0,
1346 sizeof(cb->args) - sizeof(cb->args[0]));
1347 if (!nft_is_active(net, chain))
1348 continue;
1349 if (nf_tables_fill_chain_info(skb, net,
1350 NETLINK_CB(cb->skb).portid,
1351 cb->nlh->nlmsg_seq,
1352 NFT_MSG_NEWCHAIN,
1353 NLM_F_MULTI,
1354 table->family, table,
1355 chain) < 0)
1356 goto done;
1357
1358 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1359 cont:
1360 idx++;
1361 }
1362 }
1363 done:
1364 rcu_read_unlock();
1365 cb->args[0] = idx;
1366 return skb->len;
1367 }
1368
1369 /* called with rcu_read_lock held */
nf_tables_getchain(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)1370 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1371 struct sk_buff *skb, const struct nlmsghdr *nlh,
1372 const struct nlattr * const nla[],
1373 struct netlink_ext_ack *extack)
1374 {
1375 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1376 u8 genmask = nft_genmask_cur(net);
1377 const struct nft_chain *chain;
1378 struct nft_table *table;
1379 struct sk_buff *skb2;
1380 int family = nfmsg->nfgen_family;
1381 int err;
1382
1383 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1384 struct netlink_dump_control c = {
1385 .dump = nf_tables_dump_chains,
1386 .module = THIS_MODULE,
1387 };
1388
1389 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1390 }
1391
1392 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1393 if (IS_ERR(table)) {
1394 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1395 return PTR_ERR(table);
1396 }
1397
1398 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1399 if (IS_ERR(chain)) {
1400 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1401 return PTR_ERR(chain);
1402 }
1403
1404 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1405 if (!skb2)
1406 return -ENOMEM;
1407
1408 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1409 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1410 family, table, chain);
1411 if (err < 0)
1412 goto err;
1413
1414 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1415
1416 err:
1417 kfree_skb(skb2);
1418 return err;
1419 }
1420
1421 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1422 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1423 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1424 };
1425
nft_stats_alloc(const struct nlattr * attr)1426 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1427 {
1428 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1429 struct nft_stats __percpu *newstats;
1430 struct nft_stats *stats;
1431 int err;
1432
1433 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1434 nft_counter_policy, NULL);
1435 if (err < 0)
1436 return ERR_PTR(err);
1437
1438 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1439 return ERR_PTR(-EINVAL);
1440
1441 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1442 if (newstats == NULL)
1443 return ERR_PTR(-ENOMEM);
1444
1445 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1446 * are not exposed to userspace.
1447 */
1448 preempt_disable();
1449 stats = this_cpu_ptr(newstats);
1450 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1451 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1452 preempt_enable();
1453
1454 return newstats;
1455 }
1456
nft_chain_stats_replace(struct nft_trans * trans)1457 static void nft_chain_stats_replace(struct nft_trans *trans)
1458 {
1459 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1460
1461 if (!nft_trans_chain_stats(trans))
1462 return;
1463
1464 rcu_swap_protected(chain->stats, nft_trans_chain_stats(trans),
1465 lockdep_commit_lock_is_held(trans->ctx.net));
1466
1467 if (!nft_trans_chain_stats(trans))
1468 static_branch_inc(&nft_counters_enabled);
1469 }
1470
nf_tables_chain_free_chain_rules(struct nft_chain * chain)1471 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1472 {
1473 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1474 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1475
1476 if (g0 != g1)
1477 kvfree(g1);
1478 kvfree(g0);
1479
1480 /* should be NULL either via abort or via successful commit */
1481 WARN_ON_ONCE(chain->rules_next);
1482 kvfree(chain->rules_next);
1483 }
1484
nf_tables_chain_destroy(struct nft_ctx * ctx)1485 static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1486 {
1487 struct nft_chain *chain = ctx->chain;
1488
1489 if (WARN_ON(chain->use > 0))
1490 return;
1491
1492 /* no concurrent access possible anymore */
1493 nf_tables_chain_free_chain_rules(chain);
1494
1495 if (nft_is_base_chain(chain)) {
1496 struct nft_base_chain *basechain = nft_base_chain(chain);
1497
1498 module_put(basechain->type->owner);
1499 if (rcu_access_pointer(basechain->stats)) {
1500 static_branch_dec(&nft_counters_enabled);
1501 free_percpu(rcu_dereference_raw(basechain->stats));
1502 }
1503 kfree(chain->name);
1504 kfree(basechain);
1505 } else {
1506 kfree(chain->name);
1507 kfree(chain);
1508 }
1509 }
1510
1511 struct nft_chain_hook {
1512 u32 num;
1513 s32 priority;
1514 const struct nft_chain_type *type;
1515 struct net_device *dev;
1516 };
1517
nft_chain_parse_hook(struct net * net,const struct nlattr * const nla[],struct nft_chain_hook * hook,u8 family,bool autoload)1518 static int nft_chain_parse_hook(struct net *net,
1519 const struct nlattr * const nla[],
1520 struct nft_chain_hook *hook, u8 family,
1521 bool autoload)
1522 {
1523 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1524 const struct nft_chain_type *type;
1525 struct net_device *dev;
1526 int err;
1527
1528 lockdep_assert_held(&net->nft.commit_mutex);
1529 lockdep_nfnl_nft_mutex_not_held();
1530
1531 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
1532 nla[NFTA_CHAIN_HOOK],
1533 nft_hook_policy, NULL);
1534 if (err < 0)
1535 return err;
1536
1537 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1538 ha[NFTA_HOOK_PRIORITY] == NULL)
1539 return -EINVAL;
1540
1541 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1542 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1543
1544 type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1545 if (nla[NFTA_CHAIN_TYPE]) {
1546 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1547 family, autoload);
1548 if (IS_ERR(type))
1549 return PTR_ERR(type);
1550 }
1551 if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1552 return -EOPNOTSUPP;
1553
1554 if (type->type == NFT_CHAIN_T_NAT &&
1555 hook->priority <= NF_IP_PRI_CONNTRACK)
1556 return -EOPNOTSUPP;
1557
1558 if (!try_module_get(type->owner))
1559 return -ENOENT;
1560
1561 hook->type = type;
1562
1563 hook->dev = NULL;
1564 if (family == NFPROTO_NETDEV) {
1565 char ifname[IFNAMSIZ];
1566
1567 if (!ha[NFTA_HOOK_DEV]) {
1568 module_put(type->owner);
1569 return -EOPNOTSUPP;
1570 }
1571
1572 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1573 dev = __dev_get_by_name(net, ifname);
1574 if (!dev) {
1575 module_put(type->owner);
1576 return -ENOENT;
1577 }
1578 hook->dev = dev;
1579 } else if (ha[NFTA_HOOK_DEV]) {
1580 module_put(type->owner);
1581 return -EOPNOTSUPP;
1582 }
1583
1584 return 0;
1585 }
1586
nft_chain_release_hook(struct nft_chain_hook * hook)1587 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1588 {
1589 module_put(hook->type->owner);
1590 }
1591
1592 struct nft_rules_old {
1593 struct rcu_head h;
1594 struct nft_rule **start;
1595 };
1596
nf_tables_chain_alloc_rules(const struct nft_chain * chain,unsigned int alloc)1597 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1598 unsigned int alloc)
1599 {
1600 if (alloc > INT_MAX)
1601 return NULL;
1602
1603 alloc += 1; /* NULL, ends rules */
1604 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1605 return NULL;
1606
1607 alloc *= sizeof(struct nft_rule *);
1608 alloc += sizeof(struct nft_rules_old);
1609
1610 return kvmalloc(alloc, GFP_KERNEL);
1611 }
1612
nf_tables_addchain(struct nft_ctx * ctx,u8 family,u8 genmask,u8 policy,u32 flags)1613 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1614 u8 policy, u32 flags)
1615 {
1616 const struct nlattr * const *nla = ctx->nla;
1617 struct nft_table *table = ctx->table;
1618 struct nft_base_chain *basechain;
1619 struct nft_stats __percpu *stats;
1620 struct net *net = ctx->net;
1621 struct nft_trans *trans;
1622 struct nft_chain *chain;
1623 struct nft_rule **rules;
1624 int err;
1625
1626 if (table->use == UINT_MAX)
1627 return -EOVERFLOW;
1628
1629 if (nla[NFTA_CHAIN_HOOK]) {
1630 struct nft_chain_hook hook;
1631 struct nf_hook_ops *ops;
1632
1633 err = nft_chain_parse_hook(net, nla, &hook, family, true);
1634 if (err < 0)
1635 return err;
1636
1637 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1638 if (basechain == NULL) {
1639 nft_chain_release_hook(&hook);
1640 return -ENOMEM;
1641 }
1642
1643 if (hook.dev != NULL)
1644 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1645
1646 if (nla[NFTA_CHAIN_COUNTERS]) {
1647 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1648 if (IS_ERR(stats)) {
1649 nft_chain_release_hook(&hook);
1650 kfree(basechain);
1651 return PTR_ERR(stats);
1652 }
1653 rcu_assign_pointer(basechain->stats, stats);
1654 static_branch_inc(&nft_counters_enabled);
1655 }
1656
1657 basechain->type = hook.type;
1658 chain = &basechain->chain;
1659
1660 ops = &basechain->ops;
1661 ops->pf = family;
1662 ops->hooknum = hook.num;
1663 ops->priority = hook.priority;
1664 ops->priv = chain;
1665 ops->hook = hook.type->hooks[ops->hooknum];
1666 ops->dev = hook.dev;
1667
1668 chain->flags |= NFT_BASE_CHAIN | flags;
1669 basechain->policy = NF_ACCEPT;
1670 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
1671 nft_chain_offload_priority(basechain) < 0)
1672 return -EOPNOTSUPP;
1673
1674 flow_block_init(&basechain->flow_block);
1675 } else {
1676 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1677 if (chain == NULL)
1678 return -ENOMEM;
1679 }
1680 ctx->chain = chain;
1681
1682 INIT_LIST_HEAD(&chain->rules);
1683 chain->handle = nf_tables_alloc_handle(table);
1684 chain->table = table;
1685 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1686 if (!chain->name) {
1687 err = -ENOMEM;
1688 goto err1;
1689 }
1690
1691 rules = nf_tables_chain_alloc_rules(chain, 0);
1692 if (!rules) {
1693 err = -ENOMEM;
1694 goto err1;
1695 }
1696
1697 *rules = NULL;
1698 rcu_assign_pointer(chain->rules_gen_0, rules);
1699 rcu_assign_pointer(chain->rules_gen_1, rules);
1700
1701 err = nf_tables_register_hook(net, table, chain);
1702 if (err < 0)
1703 goto err1;
1704
1705 err = rhltable_insert_key(&table->chains_ht, chain->name,
1706 &chain->rhlhead, nft_chain_ht_params);
1707 if (err)
1708 goto err2;
1709
1710 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1711 if (IS_ERR(trans)) {
1712 err = PTR_ERR(trans);
1713 rhltable_remove(&table->chains_ht, &chain->rhlhead,
1714 nft_chain_ht_params);
1715 goto err2;
1716 }
1717
1718 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
1719 if (nft_is_base_chain(chain))
1720 nft_trans_chain_policy(trans) = policy;
1721
1722 table->use++;
1723 list_add_tail_rcu(&chain->list, &table->chains);
1724
1725 return 0;
1726 err2:
1727 nf_tables_unregister_hook(net, table, chain);
1728 err1:
1729 nf_tables_chain_destroy(ctx);
1730
1731 return err;
1732 }
1733
nf_tables_updchain(struct nft_ctx * ctx,u8 genmask,u8 policy,u32 flags)1734 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1735 u32 flags)
1736 {
1737 const struct nlattr * const *nla = ctx->nla;
1738 struct nft_table *table = ctx->table;
1739 struct nft_chain *chain = ctx->chain;
1740 struct nft_base_chain *basechain;
1741 struct nft_stats *stats = NULL;
1742 struct nft_chain_hook hook;
1743 struct nf_hook_ops *ops;
1744 struct nft_trans *trans;
1745 int err;
1746
1747 if (chain->flags ^ flags)
1748 return -EOPNOTSUPP;
1749
1750 if (nla[NFTA_CHAIN_HOOK]) {
1751 if (!nft_is_base_chain(chain))
1752 return -EBUSY;
1753
1754 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
1755 false);
1756 if (err < 0)
1757 return err;
1758
1759 basechain = nft_base_chain(chain);
1760 if (basechain->type != hook.type) {
1761 nft_chain_release_hook(&hook);
1762 return -EBUSY;
1763 }
1764
1765 ops = &basechain->ops;
1766 if (ops->hooknum != hook.num ||
1767 ops->priority != hook.priority ||
1768 ops->dev != hook.dev) {
1769 nft_chain_release_hook(&hook);
1770 return -EBUSY;
1771 }
1772 nft_chain_release_hook(&hook);
1773 }
1774
1775 if (nla[NFTA_CHAIN_HANDLE] &&
1776 nla[NFTA_CHAIN_NAME]) {
1777 struct nft_chain *chain2;
1778
1779 chain2 = nft_chain_lookup(ctx->net, table,
1780 nla[NFTA_CHAIN_NAME], genmask);
1781 if (!IS_ERR(chain2))
1782 return -EEXIST;
1783 }
1784
1785 if (nla[NFTA_CHAIN_COUNTERS]) {
1786 if (!nft_is_base_chain(chain))
1787 return -EOPNOTSUPP;
1788
1789 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1790 if (IS_ERR(stats))
1791 return PTR_ERR(stats);
1792 }
1793
1794 err = -ENOMEM;
1795 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1796 sizeof(struct nft_trans_chain));
1797 if (trans == NULL)
1798 goto err;
1799
1800 nft_trans_chain_stats(trans) = stats;
1801 nft_trans_chain_update(trans) = true;
1802
1803 if (nla[NFTA_CHAIN_POLICY])
1804 nft_trans_chain_policy(trans) = policy;
1805 else
1806 nft_trans_chain_policy(trans) = -1;
1807
1808 if (nla[NFTA_CHAIN_HANDLE] &&
1809 nla[NFTA_CHAIN_NAME]) {
1810 struct nft_trans *tmp;
1811 char *name;
1812
1813 err = -ENOMEM;
1814 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1815 if (!name)
1816 goto err;
1817
1818 err = -EEXIST;
1819 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
1820 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
1821 tmp->ctx.table == table &&
1822 nft_trans_chain_update(tmp) &&
1823 nft_trans_chain_name(tmp) &&
1824 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
1825 kfree(name);
1826 goto err;
1827 }
1828 }
1829
1830 nft_trans_chain_name(trans) = name;
1831 }
1832 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1833
1834 return 0;
1835 err:
1836 free_percpu(stats);
1837 kfree(trans);
1838 return err;
1839 }
1840
nf_tables_newchain(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)1841 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1842 struct sk_buff *skb, const struct nlmsghdr *nlh,
1843 const struct nlattr * const nla[],
1844 struct netlink_ext_ack *extack)
1845 {
1846 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1847 u8 genmask = nft_genmask_next(net);
1848 int family = nfmsg->nfgen_family;
1849 const struct nlattr *attr;
1850 struct nft_table *table;
1851 struct nft_chain *chain;
1852 u8 policy = NF_ACCEPT;
1853 struct nft_ctx ctx;
1854 u64 handle = 0;
1855 u32 flags = 0;
1856
1857 lockdep_assert_held(&net->nft.commit_mutex);
1858
1859 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1860 if (IS_ERR(table)) {
1861 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1862 return PTR_ERR(table);
1863 }
1864
1865 chain = NULL;
1866 attr = nla[NFTA_CHAIN_NAME];
1867
1868 if (nla[NFTA_CHAIN_HANDLE]) {
1869 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1870 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1871 if (IS_ERR(chain)) {
1872 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
1873 return PTR_ERR(chain);
1874 }
1875 attr = nla[NFTA_CHAIN_HANDLE];
1876 } else {
1877 chain = nft_chain_lookup(net, table, attr, genmask);
1878 if (IS_ERR(chain)) {
1879 if (PTR_ERR(chain) != -ENOENT) {
1880 NL_SET_BAD_ATTR(extack, attr);
1881 return PTR_ERR(chain);
1882 }
1883 chain = NULL;
1884 }
1885 }
1886
1887 if (nla[NFTA_CHAIN_POLICY]) {
1888 if (chain != NULL &&
1889 !nft_is_base_chain(chain)) {
1890 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1891 return -EOPNOTSUPP;
1892 }
1893
1894 if (chain == NULL &&
1895 nla[NFTA_CHAIN_HOOK] == NULL) {
1896 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1897 return -EOPNOTSUPP;
1898 }
1899
1900 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1901 switch (policy) {
1902 case NF_DROP:
1903 case NF_ACCEPT:
1904 break;
1905 default:
1906 return -EINVAL;
1907 }
1908 }
1909
1910 if (nla[NFTA_CHAIN_FLAGS])
1911 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
1912 else if (chain)
1913 flags = chain->flags;
1914
1915 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1916
1917 if (chain != NULL) {
1918 if (nlh->nlmsg_flags & NLM_F_EXCL) {
1919 NL_SET_BAD_ATTR(extack, attr);
1920 return -EEXIST;
1921 }
1922 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1923 return -EOPNOTSUPP;
1924
1925 flags |= chain->flags & NFT_BASE_CHAIN;
1926 return nf_tables_updchain(&ctx, genmask, policy, flags);
1927 }
1928
1929 return nf_tables_addchain(&ctx, family, genmask, policy, flags);
1930 }
1931
nf_tables_delchain(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)1932 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1933 struct sk_buff *skb, const struct nlmsghdr *nlh,
1934 const struct nlattr * const nla[],
1935 struct netlink_ext_ack *extack)
1936 {
1937 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1938 u8 genmask = nft_genmask_next(net);
1939 int family = nfmsg->nfgen_family;
1940 const struct nlattr *attr;
1941 struct nft_table *table;
1942 struct nft_chain *chain;
1943 struct nft_rule *rule;
1944 struct nft_ctx ctx;
1945 u64 handle;
1946 u32 use;
1947 int err;
1948
1949 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1950 if (IS_ERR(table)) {
1951 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1952 return PTR_ERR(table);
1953 }
1954
1955 if (nla[NFTA_CHAIN_HANDLE]) {
1956 attr = nla[NFTA_CHAIN_HANDLE];
1957 handle = be64_to_cpu(nla_get_be64(attr));
1958 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1959 } else {
1960 attr = nla[NFTA_CHAIN_NAME];
1961 chain = nft_chain_lookup(net, table, attr, genmask);
1962 }
1963 if (IS_ERR(chain)) {
1964 NL_SET_BAD_ATTR(extack, attr);
1965 return PTR_ERR(chain);
1966 }
1967
1968 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1969 chain->use > 0)
1970 return -EBUSY;
1971
1972 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1973
1974 use = chain->use;
1975 list_for_each_entry(rule, &chain->rules, list) {
1976 if (!nft_is_active_next(net, rule))
1977 continue;
1978 use--;
1979
1980 err = nft_delrule(&ctx, rule);
1981 if (err < 0)
1982 return err;
1983 }
1984
1985 /* There are rules and elements that are still holding references to us,
1986 * we cannot do a recursive removal in this case.
1987 */
1988 if (use > 0) {
1989 NL_SET_BAD_ATTR(extack, attr);
1990 return -EBUSY;
1991 }
1992
1993 return nft_delchain(&ctx);
1994 }
1995
1996 /*
1997 * Expressions
1998 */
1999
2000 /**
2001 * nft_register_expr - register nf_tables expr type
2002 * @ops: expr type
2003 *
2004 * Registers the expr type for use with nf_tables. Returns zero on
2005 * success or a negative errno code otherwise.
2006 */
nft_register_expr(struct nft_expr_type * type)2007 int nft_register_expr(struct nft_expr_type *type)
2008 {
2009 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2010 if (type->family == NFPROTO_UNSPEC)
2011 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2012 else
2013 list_add_rcu(&type->list, &nf_tables_expressions);
2014 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2015 return 0;
2016 }
2017 EXPORT_SYMBOL_GPL(nft_register_expr);
2018
2019 /**
2020 * nft_unregister_expr - unregister nf_tables expr type
2021 * @ops: expr type
2022 *
2023 * Unregisters the expr typefor use with nf_tables.
2024 */
nft_unregister_expr(struct nft_expr_type * type)2025 void nft_unregister_expr(struct nft_expr_type *type)
2026 {
2027 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2028 list_del_rcu(&type->list);
2029 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2030 }
2031 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2032
__nft_expr_type_get(u8 family,struct nlattr * nla)2033 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2034 struct nlattr *nla)
2035 {
2036 const struct nft_expr_type *type, *candidate = NULL;
2037
2038 list_for_each_entry(type, &nf_tables_expressions, list) {
2039 if (!nla_strcmp(nla, type->name)) {
2040 if (!type->family && !candidate)
2041 candidate = type;
2042 else if (type->family == family)
2043 candidate = type;
2044 }
2045 }
2046 return candidate;
2047 }
2048
2049 #ifdef CONFIG_MODULES
nft_expr_type_request_module(struct net * net,u8 family,struct nlattr * nla)2050 static int nft_expr_type_request_module(struct net *net, u8 family,
2051 struct nlattr *nla)
2052 {
2053 nft_request_module(net, "nft-expr-%u-%.*s", family,
2054 nla_len(nla), (char *)nla_data(nla));
2055 if (__nft_expr_type_get(family, nla))
2056 return -EAGAIN;
2057
2058 return 0;
2059 }
2060 #endif
2061
nft_expr_type_get(struct net * net,u8 family,struct nlattr * nla)2062 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2063 u8 family,
2064 struct nlattr *nla)
2065 {
2066 const struct nft_expr_type *type;
2067
2068 if (nla == NULL)
2069 return ERR_PTR(-EINVAL);
2070
2071 type = __nft_expr_type_get(family, nla);
2072 if (type != NULL && try_module_get(type->owner))
2073 return type;
2074
2075 lockdep_nfnl_nft_mutex_not_held();
2076 #ifdef CONFIG_MODULES
2077 if (type == NULL) {
2078 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2079 return ERR_PTR(-EAGAIN);
2080
2081 nft_request_module(net, "nft-expr-%.*s",
2082 nla_len(nla), (char *)nla_data(nla));
2083 if (__nft_expr_type_get(family, nla))
2084 return ERR_PTR(-EAGAIN);
2085 }
2086 #endif
2087 return ERR_PTR(-ENOENT);
2088 }
2089
2090 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2091 [NFTA_EXPR_NAME] = { .type = NLA_STRING },
2092 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2093 };
2094
nf_tables_fill_expr_info(struct sk_buff * skb,const struct nft_expr * expr)2095 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2096 const struct nft_expr *expr)
2097 {
2098 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2099 goto nla_put_failure;
2100
2101 if (expr->ops->dump) {
2102 struct nlattr *data = nla_nest_start_noflag(skb,
2103 NFTA_EXPR_DATA);
2104 if (data == NULL)
2105 goto nla_put_failure;
2106 if (expr->ops->dump(skb, expr) < 0)
2107 goto nla_put_failure;
2108 nla_nest_end(skb, data);
2109 }
2110
2111 return skb->len;
2112
2113 nla_put_failure:
2114 return -1;
2115 };
2116
nft_expr_dump(struct sk_buff * skb,unsigned int attr,const struct nft_expr * expr)2117 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2118 const struct nft_expr *expr)
2119 {
2120 struct nlattr *nest;
2121
2122 nest = nla_nest_start_noflag(skb, attr);
2123 if (!nest)
2124 goto nla_put_failure;
2125 if (nf_tables_fill_expr_info(skb, expr) < 0)
2126 goto nla_put_failure;
2127 nla_nest_end(skb, nest);
2128 return 0;
2129
2130 nla_put_failure:
2131 return -1;
2132 }
2133
2134 struct nft_expr_info {
2135 const struct nft_expr_ops *ops;
2136 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2137 };
2138
nf_tables_expr_parse(const struct nft_ctx * ctx,const struct nlattr * nla,struct nft_expr_info * info)2139 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2140 const struct nlattr *nla,
2141 struct nft_expr_info *info)
2142 {
2143 const struct nft_expr_type *type;
2144 const struct nft_expr_ops *ops;
2145 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2146 int err;
2147
2148 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2149 nft_expr_policy, NULL);
2150 if (err < 0)
2151 return err;
2152
2153 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2154 if (IS_ERR(type))
2155 return PTR_ERR(type);
2156
2157 if (tb[NFTA_EXPR_DATA]) {
2158 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2159 tb[NFTA_EXPR_DATA],
2160 type->policy, NULL);
2161 if (err < 0)
2162 goto err1;
2163 } else
2164 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2165
2166 if (type->select_ops != NULL) {
2167 ops = type->select_ops(ctx,
2168 (const struct nlattr * const *)info->tb);
2169 if (IS_ERR(ops)) {
2170 err = PTR_ERR(ops);
2171 #ifdef CONFIG_MODULES
2172 if (err == -EAGAIN)
2173 nft_expr_type_request_module(ctx->net,
2174 ctx->family,
2175 tb[NFTA_EXPR_NAME]);
2176 #endif
2177 goto err1;
2178 }
2179 } else
2180 ops = type->ops;
2181
2182 info->ops = ops;
2183 return 0;
2184
2185 err1:
2186 module_put(type->owner);
2187 return err;
2188 }
2189
nf_tables_newexpr(const struct nft_ctx * ctx,const struct nft_expr_info * info,struct nft_expr * expr)2190 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2191 const struct nft_expr_info *info,
2192 struct nft_expr *expr)
2193 {
2194 const struct nft_expr_ops *ops = info->ops;
2195 int err;
2196
2197 expr->ops = ops;
2198 if (ops->init) {
2199 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2200 if (err < 0)
2201 goto err1;
2202 }
2203
2204 return 0;
2205 err1:
2206 expr->ops = NULL;
2207 return err;
2208 }
2209
nf_tables_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)2210 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2211 struct nft_expr *expr)
2212 {
2213 const struct nft_expr_type *type = expr->ops->type;
2214
2215 if (expr->ops->destroy)
2216 expr->ops->destroy(ctx, expr);
2217 module_put(type->owner);
2218 }
2219
nft_expr_init(const struct nft_ctx * ctx,const struct nlattr * nla)2220 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2221 const struct nlattr *nla)
2222 {
2223 struct nft_expr_info info;
2224 struct nft_expr *expr;
2225 struct module *owner;
2226 int err;
2227
2228 err = nf_tables_expr_parse(ctx, nla, &info);
2229 if (err < 0)
2230 goto err1;
2231
2232 err = -ENOMEM;
2233 expr = kzalloc(info.ops->size, GFP_KERNEL);
2234 if (expr == NULL)
2235 goto err2;
2236
2237 err = nf_tables_newexpr(ctx, &info, expr);
2238 if (err < 0)
2239 goto err3;
2240
2241 return expr;
2242 err3:
2243 kfree(expr);
2244 err2:
2245 owner = info.ops->type->owner;
2246 if (info.ops->type->release_ops)
2247 info.ops->type->release_ops(info.ops);
2248
2249 module_put(owner);
2250 err1:
2251 return ERR_PTR(err);
2252 }
2253
nft_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)2254 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2255 {
2256 nf_tables_expr_destroy(ctx, expr);
2257 kfree(expr);
2258 }
2259
2260 /*
2261 * Rules
2262 */
2263
__nft_rule_lookup(const struct nft_chain * chain,u64 handle)2264 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2265 u64 handle)
2266 {
2267 struct nft_rule *rule;
2268
2269 // FIXME: this sucks
2270 list_for_each_entry_rcu(rule, &chain->rules, list) {
2271 if (handle == rule->handle)
2272 return rule;
2273 }
2274
2275 return ERR_PTR(-ENOENT);
2276 }
2277
nft_rule_lookup(const struct nft_chain * chain,const struct nlattr * nla)2278 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2279 const struct nlattr *nla)
2280 {
2281 if (nla == NULL)
2282 return ERR_PTR(-EINVAL);
2283
2284 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2285 }
2286
2287 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2288 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2289 .len = NFT_TABLE_MAXNAMELEN - 1 },
2290 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2291 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2292 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2293 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2294 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2295 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2296 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2297 .len = NFT_USERDATA_MAXLEN },
2298 [NFTA_RULE_ID] = { .type = NLA_U32 },
2299 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2300 };
2301
nf_tables_fill_rule_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,const struct nft_chain * chain,const struct nft_rule * rule,const struct nft_rule * prule)2302 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2303 u32 portid, u32 seq, int event,
2304 u32 flags, int family,
2305 const struct nft_table *table,
2306 const struct nft_chain *chain,
2307 const struct nft_rule *rule,
2308 const struct nft_rule *prule)
2309 {
2310 struct nlmsghdr *nlh;
2311 struct nfgenmsg *nfmsg;
2312 const struct nft_expr *expr, *next;
2313 struct nlattr *list;
2314 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2315
2316 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2317 if (nlh == NULL)
2318 goto nla_put_failure;
2319
2320 nfmsg = nlmsg_data(nlh);
2321 nfmsg->nfgen_family = family;
2322 nfmsg->version = NFNETLINK_V0;
2323 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2324
2325 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2326 goto nla_put_failure;
2327 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2328 goto nla_put_failure;
2329 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2330 NFTA_RULE_PAD))
2331 goto nla_put_failure;
2332
2333 if (event != NFT_MSG_DELRULE && prule) {
2334 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2335 cpu_to_be64(prule->handle),
2336 NFTA_RULE_PAD))
2337 goto nla_put_failure;
2338 }
2339
2340 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
2341 if (list == NULL)
2342 goto nla_put_failure;
2343 nft_rule_for_each_expr(expr, next, rule) {
2344 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2345 goto nla_put_failure;
2346 }
2347 nla_nest_end(skb, list);
2348
2349 if (rule->udata) {
2350 struct nft_userdata *udata = nft_userdata(rule);
2351 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2352 udata->data) < 0)
2353 goto nla_put_failure;
2354 }
2355
2356 nlmsg_end(skb, nlh);
2357 return 0;
2358
2359 nla_put_failure:
2360 nlmsg_trim(skb, nlh);
2361 return -1;
2362 }
2363
nf_tables_rule_notify(const struct nft_ctx * ctx,const struct nft_rule * rule,int event)2364 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2365 const struct nft_rule *rule, int event)
2366 {
2367 struct sk_buff *skb;
2368 int err;
2369
2370 if (!ctx->report &&
2371 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2372 return;
2373
2374 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2375 if (skb == NULL)
2376 goto err;
2377
2378 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2379 event, 0, ctx->family, ctx->table,
2380 ctx->chain, rule, NULL);
2381 if (err < 0) {
2382 kfree_skb(skb);
2383 goto err;
2384 }
2385
2386 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2387 ctx->report, GFP_KERNEL);
2388 return;
2389 err:
2390 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2391 }
2392
2393 struct nft_rule_dump_ctx {
2394 char *table;
2395 char *chain;
2396 };
2397
__nf_tables_dump_rules(struct sk_buff * skb,unsigned int * idx,struct netlink_callback * cb,const struct nft_table * table,const struct nft_chain * chain)2398 static int __nf_tables_dump_rules(struct sk_buff *skb,
2399 unsigned int *idx,
2400 struct netlink_callback *cb,
2401 const struct nft_table *table,
2402 const struct nft_chain *chain)
2403 {
2404 struct net *net = sock_net(skb->sk);
2405 const struct nft_rule *rule, *prule;
2406 unsigned int s_idx = cb->args[0];
2407
2408 prule = NULL;
2409 list_for_each_entry_rcu(rule, &chain->rules, list) {
2410 if (!nft_is_active(net, rule))
2411 goto cont_skip;
2412 if (*idx < s_idx)
2413 goto cont;
2414 if (*idx > s_idx) {
2415 memset(&cb->args[1], 0,
2416 sizeof(cb->args) - sizeof(cb->args[0]));
2417 }
2418 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2419 cb->nlh->nlmsg_seq,
2420 NFT_MSG_NEWRULE,
2421 NLM_F_MULTI | NLM_F_APPEND,
2422 table->family,
2423 table, chain, rule, prule) < 0)
2424 return 1;
2425
2426 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2427 cont:
2428 prule = rule;
2429 cont_skip:
2430 (*idx)++;
2431 }
2432 return 0;
2433 }
2434
nf_tables_dump_rules(struct sk_buff * skb,struct netlink_callback * cb)2435 static int nf_tables_dump_rules(struct sk_buff *skb,
2436 struct netlink_callback *cb)
2437 {
2438 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2439 const struct nft_rule_dump_ctx *ctx = cb->data;
2440 struct nft_table *table;
2441 const struct nft_chain *chain;
2442 unsigned int idx = 0;
2443 struct net *net = sock_net(skb->sk);
2444 int family = nfmsg->nfgen_family;
2445
2446 rcu_read_lock();
2447 cb->seq = net->nft.base_seq;
2448
2449 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2450 if (family != NFPROTO_UNSPEC && family != table->family)
2451 continue;
2452
2453 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2454 continue;
2455
2456 if (ctx && ctx->table && ctx->chain) {
2457 struct rhlist_head *list, *tmp;
2458
2459 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2460 nft_chain_ht_params);
2461 if (!list)
2462 goto done;
2463
2464 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2465 if (!nft_is_active(net, chain))
2466 continue;
2467 __nf_tables_dump_rules(skb, &idx,
2468 cb, table, chain);
2469 break;
2470 }
2471 goto done;
2472 }
2473
2474 list_for_each_entry_rcu(chain, &table->chains, list) {
2475 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2476 goto done;
2477 }
2478
2479 if (ctx && ctx->table)
2480 break;
2481 }
2482 done:
2483 rcu_read_unlock();
2484
2485 cb->args[0] = idx;
2486 return skb->len;
2487 }
2488
nf_tables_dump_rules_start(struct netlink_callback * cb)2489 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2490 {
2491 const struct nlattr * const *nla = cb->data;
2492 struct nft_rule_dump_ctx *ctx = NULL;
2493
2494 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2495 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2496 if (!ctx)
2497 return -ENOMEM;
2498
2499 if (nla[NFTA_RULE_TABLE]) {
2500 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2501 GFP_ATOMIC);
2502 if (!ctx->table) {
2503 kfree(ctx);
2504 return -ENOMEM;
2505 }
2506 }
2507 if (nla[NFTA_RULE_CHAIN]) {
2508 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2509 GFP_ATOMIC);
2510 if (!ctx->chain) {
2511 kfree(ctx->table);
2512 kfree(ctx);
2513 return -ENOMEM;
2514 }
2515 }
2516 }
2517
2518 cb->data = ctx;
2519 return 0;
2520 }
2521
nf_tables_dump_rules_done(struct netlink_callback * cb)2522 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2523 {
2524 struct nft_rule_dump_ctx *ctx = cb->data;
2525
2526 if (ctx) {
2527 kfree(ctx->table);
2528 kfree(ctx->chain);
2529 kfree(ctx);
2530 }
2531 return 0;
2532 }
2533
2534 /* called with rcu_read_lock held */
nf_tables_getrule(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)2535 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2536 struct sk_buff *skb, const struct nlmsghdr *nlh,
2537 const struct nlattr * const nla[],
2538 struct netlink_ext_ack *extack)
2539 {
2540 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2541 u8 genmask = nft_genmask_cur(net);
2542 const struct nft_chain *chain;
2543 const struct nft_rule *rule;
2544 struct nft_table *table;
2545 struct sk_buff *skb2;
2546 int family = nfmsg->nfgen_family;
2547 int err;
2548
2549 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2550 struct netlink_dump_control c = {
2551 .start= nf_tables_dump_rules_start,
2552 .dump = nf_tables_dump_rules,
2553 .done = nf_tables_dump_rules_done,
2554 .module = THIS_MODULE,
2555 .data = (void *)nla,
2556 };
2557
2558 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
2559 }
2560
2561 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2562 if (IS_ERR(table)) {
2563 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2564 return PTR_ERR(table);
2565 }
2566
2567 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2568 if (IS_ERR(chain)) {
2569 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2570 return PTR_ERR(chain);
2571 }
2572
2573 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2574 if (IS_ERR(rule)) {
2575 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2576 return PTR_ERR(rule);
2577 }
2578
2579 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2580 if (!skb2)
2581 return -ENOMEM;
2582
2583 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2584 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2585 family, table, chain, rule, NULL);
2586 if (err < 0)
2587 goto err;
2588
2589 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2590
2591 err:
2592 kfree_skb(skb2);
2593 return err;
2594 }
2595
nf_tables_rule_destroy(const struct nft_ctx * ctx,struct nft_rule * rule)2596 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2597 struct nft_rule *rule)
2598 {
2599 struct nft_expr *expr, *next;
2600
2601 /*
2602 * Careful: some expressions might not be initialized in case this
2603 * is called on error from nf_tables_newrule().
2604 */
2605 expr = nft_expr_first(rule);
2606 while (expr != nft_expr_last(rule) && expr->ops) {
2607 next = nft_expr_next(expr);
2608 nf_tables_expr_destroy(ctx, expr);
2609 expr = next;
2610 }
2611 kfree(rule);
2612 }
2613
nf_tables_rule_release(const struct nft_ctx * ctx,struct nft_rule * rule)2614 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2615 struct nft_rule *rule)
2616 {
2617 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
2618 nf_tables_rule_destroy(ctx, rule);
2619 }
2620
nft_chain_validate(const struct nft_ctx * ctx,const struct nft_chain * chain)2621 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
2622 {
2623 struct nft_expr *expr, *last;
2624 const struct nft_data *data;
2625 struct nft_rule *rule;
2626 int err;
2627
2628 if (ctx->level == NFT_JUMP_STACK_SIZE)
2629 return -EMLINK;
2630
2631 list_for_each_entry(rule, &chain->rules, list) {
2632 if (!nft_is_active_next(ctx->net, rule))
2633 continue;
2634
2635 nft_rule_for_each_expr(expr, last, rule) {
2636 if (!expr->ops->validate)
2637 continue;
2638
2639 err = expr->ops->validate(ctx, expr, &data);
2640 if (err < 0)
2641 return err;
2642 }
2643 }
2644
2645 return 0;
2646 }
2647 EXPORT_SYMBOL_GPL(nft_chain_validate);
2648
nft_table_validate(struct net * net,const struct nft_table * table)2649 static int nft_table_validate(struct net *net, const struct nft_table *table)
2650 {
2651 struct nft_chain *chain;
2652 struct nft_ctx ctx = {
2653 .net = net,
2654 .family = table->family,
2655 };
2656 int err;
2657
2658 list_for_each_entry(chain, &table->chains, list) {
2659 if (!nft_is_base_chain(chain))
2660 continue;
2661
2662 ctx.chain = chain;
2663 err = nft_chain_validate(&ctx, chain);
2664 if (err < 0)
2665 return err;
2666 }
2667
2668 return 0;
2669 }
2670
2671 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2672 const struct nlattr *nla);
2673
2674 #define NFT_RULE_MAXEXPRS 128
2675
nf_tables_newrule(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)2676 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2677 struct sk_buff *skb, const struct nlmsghdr *nlh,
2678 const struct nlattr * const nla[],
2679 struct netlink_ext_ack *extack)
2680 {
2681 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2682 u8 genmask = nft_genmask_next(net);
2683 struct nft_expr_info *info = NULL;
2684 int family = nfmsg->nfgen_family;
2685 struct nft_flow_rule *flow;
2686 struct nft_table *table;
2687 struct nft_chain *chain;
2688 struct nft_rule *rule, *old_rule = NULL;
2689 struct nft_userdata *udata;
2690 struct nft_trans *trans = NULL;
2691 struct nft_expr *expr;
2692 struct nft_ctx ctx;
2693 struct nlattr *tmp;
2694 unsigned int size, i, n, ulen = 0, usize = 0;
2695 int err, rem;
2696 u64 handle, pos_handle;
2697
2698 lockdep_assert_held(&net->nft.commit_mutex);
2699
2700 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2701 if (IS_ERR(table)) {
2702 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2703 return PTR_ERR(table);
2704 }
2705
2706 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2707 if (IS_ERR(chain)) {
2708 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2709 return PTR_ERR(chain);
2710 }
2711
2712 if (nla[NFTA_RULE_HANDLE]) {
2713 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2714 rule = __nft_rule_lookup(chain, handle);
2715 if (IS_ERR(rule)) {
2716 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2717 return PTR_ERR(rule);
2718 }
2719
2720 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2721 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2722 return -EEXIST;
2723 }
2724 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2725 old_rule = rule;
2726 else
2727 return -EOPNOTSUPP;
2728 } else {
2729 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
2730 nlh->nlmsg_flags & NLM_F_REPLACE)
2731 return -EINVAL;
2732 handle = nf_tables_alloc_handle(table);
2733
2734 if (chain->use == UINT_MAX)
2735 return -EOVERFLOW;
2736
2737 if (nla[NFTA_RULE_POSITION]) {
2738 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2739 old_rule = __nft_rule_lookup(chain, pos_handle);
2740 if (IS_ERR(old_rule)) {
2741 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
2742 return PTR_ERR(old_rule);
2743 }
2744 } else if (nla[NFTA_RULE_POSITION_ID]) {
2745 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
2746 if (IS_ERR(old_rule)) {
2747 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
2748 return PTR_ERR(old_rule);
2749 }
2750 }
2751 }
2752
2753 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2754
2755 n = 0;
2756 size = 0;
2757 if (nla[NFTA_RULE_EXPRESSIONS]) {
2758 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
2759 sizeof(struct nft_expr_info),
2760 GFP_KERNEL);
2761 if (!info)
2762 return -ENOMEM;
2763
2764 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2765 err = -EINVAL;
2766 if (nla_type(tmp) != NFTA_LIST_ELEM)
2767 goto err1;
2768 if (n == NFT_RULE_MAXEXPRS)
2769 goto err1;
2770 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2771 if (err < 0)
2772 goto err1;
2773 size += info[n].ops->size;
2774 n++;
2775 }
2776 }
2777 /* Check for overflow of dlen field */
2778 err = -EFBIG;
2779 if (size >= 1 << 12)
2780 goto err1;
2781
2782 if (nla[NFTA_RULE_USERDATA]) {
2783 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2784 if (ulen > 0)
2785 usize = sizeof(struct nft_userdata) + ulen;
2786 }
2787
2788 err = -ENOMEM;
2789 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2790 if (rule == NULL)
2791 goto err1;
2792
2793 nft_activate_next(net, rule);
2794
2795 rule->handle = handle;
2796 rule->dlen = size;
2797 rule->udata = ulen ? 1 : 0;
2798
2799 if (ulen) {
2800 udata = nft_userdata(rule);
2801 udata->len = ulen - 1;
2802 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2803 }
2804
2805 expr = nft_expr_first(rule);
2806 for (i = 0; i < n; i++) {
2807 err = nf_tables_newexpr(&ctx, &info[i], expr);
2808 if (err < 0)
2809 goto err2;
2810
2811 if (info[i].ops->validate)
2812 nft_validate_state_update(net, NFT_VALIDATE_NEED);
2813
2814 info[i].ops = NULL;
2815 expr = nft_expr_next(expr);
2816 }
2817
2818 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2819 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
2820 if (trans == NULL) {
2821 err = -ENOMEM;
2822 goto err2;
2823 }
2824 err = nft_delrule(&ctx, old_rule);
2825 if (err < 0) {
2826 nft_trans_destroy(trans);
2827 goto err2;
2828 }
2829
2830 list_add_tail_rcu(&rule->list, &old_rule->list);
2831 } else {
2832 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
2833 if (!trans) {
2834 err = -ENOMEM;
2835 goto err2;
2836 }
2837
2838 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2839 if (old_rule)
2840 list_add_rcu(&rule->list, &old_rule->list);
2841 else
2842 list_add_tail_rcu(&rule->list, &chain->rules);
2843 } else {
2844 if (old_rule)
2845 list_add_tail_rcu(&rule->list, &old_rule->list);
2846 else
2847 list_add_rcu(&rule->list, &chain->rules);
2848 }
2849 }
2850 kvfree(info);
2851 chain->use++;
2852
2853 if (net->nft.validate_state == NFT_VALIDATE_DO)
2854 return nft_table_validate(net, table);
2855
2856 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
2857 flow = nft_flow_rule_create(net, rule);
2858 if (IS_ERR(flow))
2859 return PTR_ERR(flow);
2860
2861 nft_trans_flow_rule(trans) = flow;
2862 }
2863
2864 return 0;
2865 err2:
2866 nf_tables_rule_release(&ctx, rule);
2867 err1:
2868 for (i = 0; i < n; i++) {
2869 if (info[i].ops) {
2870 module_put(info[i].ops->type->owner);
2871 if (info[i].ops->type->release_ops)
2872 info[i].ops->type->release_ops(info[i].ops);
2873 }
2874 }
2875 kvfree(info);
2876 return err;
2877 }
2878
nft_rule_lookup_byid(const struct net * net,const struct nlattr * nla)2879 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2880 const struct nlattr *nla)
2881 {
2882 u32 id = ntohl(nla_get_be32(nla));
2883 struct nft_trans *trans;
2884
2885 list_for_each_entry(trans, &net->nft.commit_list, list) {
2886 struct nft_rule *rule = nft_trans_rule(trans);
2887
2888 if (trans->msg_type == NFT_MSG_NEWRULE &&
2889 id == nft_trans_rule_id(trans))
2890 return rule;
2891 }
2892 return ERR_PTR(-ENOENT);
2893 }
2894
nf_tables_delrule(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)2895 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2896 struct sk_buff *skb, const struct nlmsghdr *nlh,
2897 const struct nlattr * const nla[],
2898 struct netlink_ext_ack *extack)
2899 {
2900 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2901 u8 genmask = nft_genmask_next(net);
2902 struct nft_table *table;
2903 struct nft_chain *chain = NULL;
2904 struct nft_rule *rule;
2905 int family = nfmsg->nfgen_family, err = 0;
2906 struct nft_ctx ctx;
2907
2908 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2909 if (IS_ERR(table)) {
2910 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2911 return PTR_ERR(table);
2912 }
2913
2914 if (nla[NFTA_RULE_CHAIN]) {
2915 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
2916 genmask);
2917 if (IS_ERR(chain)) {
2918 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2919 return PTR_ERR(chain);
2920 }
2921 }
2922
2923 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2924
2925 if (chain) {
2926 if (nla[NFTA_RULE_HANDLE]) {
2927 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2928 if (IS_ERR(rule)) {
2929 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2930 return PTR_ERR(rule);
2931 }
2932
2933 err = nft_delrule(&ctx, rule);
2934 } else if (nla[NFTA_RULE_ID]) {
2935 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2936 if (IS_ERR(rule)) {
2937 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
2938 return PTR_ERR(rule);
2939 }
2940
2941 err = nft_delrule(&ctx, rule);
2942 } else {
2943 err = nft_delrule_by_chain(&ctx);
2944 }
2945 } else {
2946 list_for_each_entry(chain, &table->chains, list) {
2947 if (!nft_is_active_next(net, chain))
2948 continue;
2949
2950 ctx.chain = chain;
2951 err = nft_delrule_by_chain(&ctx);
2952 if (err < 0)
2953 break;
2954 }
2955 }
2956
2957 return err;
2958 }
2959
2960 /*
2961 * Sets
2962 */
2963
2964 static LIST_HEAD(nf_tables_set_types);
2965
nft_register_set(struct nft_set_type * type)2966 int nft_register_set(struct nft_set_type *type)
2967 {
2968 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2969 list_add_tail_rcu(&type->list, &nf_tables_set_types);
2970 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2971 return 0;
2972 }
2973 EXPORT_SYMBOL_GPL(nft_register_set);
2974
nft_unregister_set(struct nft_set_type * type)2975 void nft_unregister_set(struct nft_set_type *type)
2976 {
2977 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2978 list_del_rcu(&type->list);
2979 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2980 }
2981 EXPORT_SYMBOL_GPL(nft_unregister_set);
2982
2983 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
2984 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
2985 NFT_SET_EVAL)
2986
nft_set_ops_candidate(const struct nft_set_type * type,u32 flags)2987 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
2988 {
2989 return (flags & type->features) == (flags & NFT_SET_FEATURES);
2990 }
2991
2992 /*
2993 * Select a set implementation based on the data characteristics and the
2994 * given policy. The total memory use might not be known if no size is
2995 * given, in that case the amount of memory per element is used.
2996 */
2997 static const struct nft_set_ops *
nft_select_set_ops(const struct nft_ctx * ctx,const struct nlattr * const nla[],const struct nft_set_desc * desc,enum nft_set_policies policy)2998 nft_select_set_ops(const struct nft_ctx *ctx,
2999 const struct nlattr * const nla[],
3000 const struct nft_set_desc *desc,
3001 enum nft_set_policies policy)
3002 {
3003 const struct nft_set_ops *ops, *bops;
3004 struct nft_set_estimate est, best;
3005 const struct nft_set_type *type;
3006 u32 flags = 0;
3007
3008 lockdep_assert_held(&ctx->net->nft.commit_mutex);
3009 lockdep_nfnl_nft_mutex_not_held();
3010 #ifdef CONFIG_MODULES
3011 if (list_empty(&nf_tables_set_types)) {
3012 nft_request_module(ctx->net, "nft-set");
3013 if (!list_empty(&nf_tables_set_types))
3014 return ERR_PTR(-EAGAIN);
3015 }
3016 #endif
3017 if (nla[NFTA_SET_FLAGS] != NULL)
3018 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3019
3020 bops = NULL;
3021 best.size = ~0;
3022 best.lookup = ~0;
3023 best.space = ~0;
3024
3025 list_for_each_entry(type, &nf_tables_set_types, list) {
3026 ops = &type->ops;
3027
3028 if (!nft_set_ops_candidate(type, flags))
3029 continue;
3030 if (!ops->estimate(desc, flags, &est))
3031 continue;
3032
3033 switch (policy) {
3034 case NFT_SET_POL_PERFORMANCE:
3035 if (est.lookup < best.lookup)
3036 break;
3037 if (est.lookup == best.lookup &&
3038 est.space < best.space)
3039 break;
3040 continue;
3041 case NFT_SET_POL_MEMORY:
3042 if (!desc->size) {
3043 if (est.space < best.space)
3044 break;
3045 if (est.space == best.space &&
3046 est.lookup < best.lookup)
3047 break;
3048 } else if (est.size < best.size || !bops) {
3049 break;
3050 }
3051 continue;
3052 default:
3053 break;
3054 }
3055
3056 if (!try_module_get(type->owner))
3057 continue;
3058 if (bops != NULL)
3059 module_put(to_set_type(bops)->owner);
3060
3061 bops = ops;
3062 best = est;
3063 }
3064
3065 if (bops != NULL)
3066 return bops;
3067
3068 return ERR_PTR(-EOPNOTSUPP);
3069 }
3070
3071 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3072 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3073 .len = NFT_TABLE_MAXNAMELEN - 1 },
3074 [NFTA_SET_NAME] = { .type = NLA_STRING,
3075 .len = NFT_SET_MAXNAMELEN - 1 },
3076 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3077 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3078 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3079 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3080 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3081 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3082 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3083 [NFTA_SET_ID] = { .type = NLA_U32 },
3084 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3085 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3086 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3087 .len = NFT_USERDATA_MAXLEN },
3088 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3089 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3090 };
3091
3092 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3093 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3094 };
3095
nft_ctx_init_from_setattr(struct nft_ctx * ctx,struct net * net,const struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack,u8 genmask)3096 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3097 const struct sk_buff *skb,
3098 const struct nlmsghdr *nlh,
3099 const struct nlattr * const nla[],
3100 struct netlink_ext_ack *extack,
3101 u8 genmask)
3102 {
3103 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3104 int family = nfmsg->nfgen_family;
3105 struct nft_table *table = NULL;
3106
3107 if (nla[NFTA_SET_TABLE] != NULL) {
3108 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3109 genmask);
3110 if (IS_ERR(table)) {
3111 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3112 return PTR_ERR(table);
3113 }
3114 }
3115
3116 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3117 return 0;
3118 }
3119
nft_set_lookup(const struct nft_table * table,const struct nlattr * nla,u8 genmask)3120 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3121 const struct nlattr *nla, u8 genmask)
3122 {
3123 struct nft_set *set;
3124
3125 if (nla == NULL)
3126 return ERR_PTR(-EINVAL);
3127
3128 list_for_each_entry_rcu(set, &table->sets, list) {
3129 if (!nla_strcmp(nla, set->name) &&
3130 nft_active_genmask(set, genmask))
3131 return set;
3132 }
3133 return ERR_PTR(-ENOENT);
3134 }
3135
nft_set_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u8 genmask)3136 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3137 const struct nlattr *nla,
3138 u8 genmask)
3139 {
3140 struct nft_set *set;
3141
3142 list_for_each_entry(set, &table->sets, list) {
3143 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3144 nft_active_genmask(set, genmask))
3145 return set;
3146 }
3147 return ERR_PTR(-ENOENT);
3148 }
3149
nft_set_lookup_byid(const struct net * net,const struct nlattr * nla,u8 genmask)3150 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3151 const struct nlattr *nla, u8 genmask)
3152 {
3153 struct nft_trans *trans;
3154 u32 id = ntohl(nla_get_be32(nla));
3155
3156 list_for_each_entry(trans, &net->nft.commit_list, list) {
3157 if (trans->msg_type == NFT_MSG_NEWSET) {
3158 struct nft_set *set = nft_trans_set(trans);
3159
3160 if (id == nft_trans_set_id(trans) &&
3161 nft_active_genmask(set, genmask))
3162 return set;
3163 }
3164 }
3165 return ERR_PTR(-ENOENT);
3166 }
3167
nft_set_lookup_global(const struct net * net,const struct nft_table * table,const struct nlattr * nla_set_name,const struct nlattr * nla_set_id,u8 genmask)3168 struct nft_set *nft_set_lookup_global(const struct net *net,
3169 const struct nft_table *table,
3170 const struct nlattr *nla_set_name,
3171 const struct nlattr *nla_set_id,
3172 u8 genmask)
3173 {
3174 struct nft_set *set;
3175
3176 set = nft_set_lookup(table, nla_set_name, genmask);
3177 if (IS_ERR(set)) {
3178 if (!nla_set_id)
3179 return set;
3180
3181 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3182 }
3183 return set;
3184 }
3185 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3186
nf_tables_set_alloc_name(struct nft_ctx * ctx,struct nft_set * set,const char * name)3187 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3188 const char *name)
3189 {
3190 const struct nft_set *i;
3191 const char *p;
3192 unsigned long *inuse;
3193 unsigned int n = 0, min = 0;
3194
3195 p = strchr(name, '%');
3196 if (p != NULL) {
3197 if (p[1] != 'd' || strchr(p + 2, '%'))
3198 return -EINVAL;
3199
3200 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3201 if (inuse == NULL)
3202 return -ENOMEM;
3203 cont:
3204 list_for_each_entry(i, &ctx->table->sets, list) {
3205 int tmp;
3206
3207 if (!nft_is_active_next(ctx->net, set))
3208 continue;
3209 if (!sscanf(i->name, name, &tmp))
3210 continue;
3211 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3212 continue;
3213
3214 set_bit(tmp - min, inuse);
3215 }
3216
3217 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3218 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3219 min += BITS_PER_BYTE * PAGE_SIZE;
3220 memset(inuse, 0, PAGE_SIZE);
3221 goto cont;
3222 }
3223 free_page((unsigned long)inuse);
3224 }
3225
3226 set->name = kasprintf(GFP_KERNEL, name, min + n);
3227 if (!set->name)
3228 return -ENOMEM;
3229
3230 list_for_each_entry(i, &ctx->table->sets, list) {
3231 if (!nft_is_active_next(ctx->net, i))
3232 continue;
3233 if (!strcmp(set->name, i->name)) {
3234 kfree(set->name);
3235 return -ENFILE;
3236 }
3237 }
3238 return 0;
3239 }
3240
nf_msecs_to_jiffies64(const struct nlattr * nla,u64 * result)3241 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3242 {
3243 u64 ms = be64_to_cpu(nla_get_be64(nla));
3244 u64 max = (u64)(~((u64)0));
3245
3246 max = div_u64(max, NSEC_PER_MSEC);
3247 if (ms >= max)
3248 return -ERANGE;
3249
3250 ms *= NSEC_PER_MSEC;
3251 *result = nsecs_to_jiffies64(ms);
3252 return 0;
3253 }
3254
nf_jiffies64_to_msecs(u64 input)3255 static __be64 nf_jiffies64_to_msecs(u64 input)
3256 {
3257 return cpu_to_be64(jiffies64_to_msecs(input));
3258 }
3259
nf_tables_fill_set(struct sk_buff * skb,const struct nft_ctx * ctx,const struct nft_set * set,u16 event,u16 flags)3260 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3261 const struct nft_set *set, u16 event, u16 flags)
3262 {
3263 struct nfgenmsg *nfmsg;
3264 struct nlmsghdr *nlh;
3265 struct nlattr *desc;
3266 u32 portid = ctx->portid;
3267 u32 seq = ctx->seq;
3268
3269 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3270 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3271 flags);
3272 if (nlh == NULL)
3273 goto nla_put_failure;
3274
3275 nfmsg = nlmsg_data(nlh);
3276 nfmsg->nfgen_family = ctx->family;
3277 nfmsg->version = NFNETLINK_V0;
3278 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3279
3280 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3281 goto nla_put_failure;
3282 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3283 goto nla_put_failure;
3284 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3285 NFTA_SET_PAD))
3286 goto nla_put_failure;
3287 if (set->flags != 0)
3288 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3289 goto nla_put_failure;
3290
3291 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3292 goto nla_put_failure;
3293 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3294 goto nla_put_failure;
3295 if (set->flags & NFT_SET_MAP) {
3296 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3297 goto nla_put_failure;
3298 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3299 goto nla_put_failure;
3300 }
3301 if (set->flags & NFT_SET_OBJECT &&
3302 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3303 goto nla_put_failure;
3304
3305 if (set->timeout &&
3306 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3307 nf_jiffies64_to_msecs(set->timeout),
3308 NFTA_SET_PAD))
3309 goto nla_put_failure;
3310 if (set->gc_int &&
3311 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3312 goto nla_put_failure;
3313
3314 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3315 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3316 goto nla_put_failure;
3317 }
3318
3319 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3320 goto nla_put_failure;
3321
3322 desc = nla_nest_start_noflag(skb, NFTA_SET_DESC);
3323 if (desc == NULL)
3324 goto nla_put_failure;
3325 if (set->size &&
3326 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3327 goto nla_put_failure;
3328 nla_nest_end(skb, desc);
3329
3330 nlmsg_end(skb, nlh);
3331 return 0;
3332
3333 nla_put_failure:
3334 nlmsg_trim(skb, nlh);
3335 return -1;
3336 }
3337
nf_tables_set_notify(const struct nft_ctx * ctx,const struct nft_set * set,int event,gfp_t gfp_flags)3338 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3339 const struct nft_set *set, int event,
3340 gfp_t gfp_flags)
3341 {
3342 struct sk_buff *skb;
3343 u32 portid = ctx->portid;
3344 int err;
3345
3346 if (!ctx->report &&
3347 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3348 return;
3349
3350 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3351 if (skb == NULL)
3352 goto err;
3353
3354 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3355 if (err < 0) {
3356 kfree_skb(skb);
3357 goto err;
3358 }
3359
3360 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
3361 gfp_flags);
3362 return;
3363 err:
3364 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3365 }
3366
nf_tables_dump_sets(struct sk_buff * skb,struct netlink_callback * cb)3367 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3368 {
3369 const struct nft_set *set;
3370 unsigned int idx, s_idx = cb->args[0];
3371 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3372 struct net *net = sock_net(skb->sk);
3373 struct nft_ctx *ctx = cb->data, ctx_set;
3374
3375 if (cb->args[1])
3376 return skb->len;
3377
3378 rcu_read_lock();
3379 cb->seq = net->nft.base_seq;
3380
3381 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3382 if (ctx->family != NFPROTO_UNSPEC &&
3383 ctx->family != table->family)
3384 continue;
3385
3386 if (ctx->table && ctx->table != table)
3387 continue;
3388
3389 if (cur_table) {
3390 if (cur_table != table)
3391 continue;
3392
3393 cur_table = NULL;
3394 }
3395 idx = 0;
3396 list_for_each_entry_rcu(set, &table->sets, list) {
3397 if (idx < s_idx)
3398 goto cont;
3399 if (!nft_is_active(net, set))
3400 goto cont;
3401
3402 ctx_set = *ctx;
3403 ctx_set.table = table;
3404 ctx_set.family = table->family;
3405
3406 if (nf_tables_fill_set(skb, &ctx_set, set,
3407 NFT_MSG_NEWSET,
3408 NLM_F_MULTI) < 0) {
3409 cb->args[0] = idx;
3410 cb->args[2] = (unsigned long) table;
3411 goto done;
3412 }
3413 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3414 cont:
3415 idx++;
3416 }
3417 if (s_idx)
3418 s_idx = 0;
3419 }
3420 cb->args[1] = 1;
3421 done:
3422 rcu_read_unlock();
3423 return skb->len;
3424 }
3425
nf_tables_dump_sets_start(struct netlink_callback * cb)3426 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3427 {
3428 struct nft_ctx *ctx_dump = NULL;
3429
3430 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
3431 if (ctx_dump == NULL)
3432 return -ENOMEM;
3433
3434 cb->data = ctx_dump;
3435 return 0;
3436 }
3437
nf_tables_dump_sets_done(struct netlink_callback * cb)3438 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3439 {
3440 kfree(cb->data);
3441 return 0;
3442 }
3443
3444 /* called with rcu_read_lock held */
nf_tables_getset(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)3445 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3446 struct sk_buff *skb, const struct nlmsghdr *nlh,
3447 const struct nlattr * const nla[],
3448 struct netlink_ext_ack *extack)
3449 {
3450 u8 genmask = nft_genmask_cur(net);
3451 const struct nft_set *set;
3452 struct nft_ctx ctx;
3453 struct sk_buff *skb2;
3454 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3455 int err;
3456
3457 /* Verify existence before starting dump */
3458 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3459 genmask);
3460 if (err < 0)
3461 return err;
3462
3463 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3464 struct netlink_dump_control c = {
3465 .start = nf_tables_dump_sets_start,
3466 .dump = nf_tables_dump_sets,
3467 .done = nf_tables_dump_sets_done,
3468 .data = &ctx,
3469 .module = THIS_MODULE,
3470 };
3471
3472 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3473 }
3474
3475 /* Only accept unspec with dump */
3476 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3477 return -EAFNOSUPPORT;
3478 if (!nla[NFTA_SET_TABLE])
3479 return -EINVAL;
3480
3481 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3482 if (IS_ERR(set))
3483 return PTR_ERR(set);
3484
3485 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3486 if (skb2 == NULL)
3487 return -ENOMEM;
3488
3489 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3490 if (err < 0)
3491 goto err;
3492
3493 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3494
3495 err:
3496 kfree_skb(skb2);
3497 return err;
3498 }
3499
nf_tables_set_desc_parse(struct nft_set_desc * desc,const struct nlattr * nla)3500 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
3501 const struct nlattr *nla)
3502 {
3503 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3504 int err;
3505
3506 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
3507 nft_set_desc_policy, NULL);
3508 if (err < 0)
3509 return err;
3510
3511 if (da[NFTA_SET_DESC_SIZE] != NULL)
3512 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3513
3514 return 0;
3515 }
3516
nf_tables_newset(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)3517 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3518 struct sk_buff *skb, const struct nlmsghdr *nlh,
3519 const struct nlattr * const nla[],
3520 struct netlink_ext_ack *extack)
3521 {
3522 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3523 u8 genmask = nft_genmask_next(net);
3524 int family = nfmsg->nfgen_family;
3525 const struct nft_set_ops *ops;
3526 struct nft_table *table;
3527 struct nft_set *set;
3528 struct nft_ctx ctx;
3529 char *name;
3530 u64 size;
3531 u64 timeout;
3532 u32 ktype, dtype, flags, policy, gc_int, objtype;
3533 struct nft_set_desc desc;
3534 unsigned char *udata;
3535 u16 udlen;
3536 int err;
3537
3538 if (nla[NFTA_SET_TABLE] == NULL ||
3539 nla[NFTA_SET_NAME] == NULL ||
3540 nla[NFTA_SET_KEY_LEN] == NULL ||
3541 nla[NFTA_SET_ID] == NULL)
3542 return -EINVAL;
3543
3544 memset(&desc, 0, sizeof(desc));
3545
3546 ktype = NFT_DATA_VALUE;
3547 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3548 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3549 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3550 return -EINVAL;
3551 }
3552
3553 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3554 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3555 return -EINVAL;
3556
3557 flags = 0;
3558 if (nla[NFTA_SET_FLAGS] != NULL) {
3559 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3560 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3561 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3562 NFT_SET_MAP | NFT_SET_EVAL |
3563 NFT_SET_OBJECT))
3564 return -EINVAL;
3565 /* Only one of these operations is supported */
3566 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
3567 (NFT_SET_MAP | NFT_SET_OBJECT))
3568 return -EOPNOTSUPP;
3569 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3570 (NFT_SET_EVAL | NFT_SET_OBJECT))
3571 return -EOPNOTSUPP;
3572 }
3573
3574 dtype = 0;
3575 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3576 if (!(flags & NFT_SET_MAP))
3577 return -EINVAL;
3578
3579 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3580 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3581 dtype != NFT_DATA_VERDICT)
3582 return -EINVAL;
3583
3584 if (dtype != NFT_DATA_VERDICT) {
3585 if (nla[NFTA_SET_DATA_LEN] == NULL)
3586 return -EINVAL;
3587 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3588 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3589 return -EINVAL;
3590 } else
3591 desc.dlen = sizeof(struct nft_verdict);
3592 } else if (flags & NFT_SET_MAP)
3593 return -EINVAL;
3594
3595 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3596 if (!(flags & NFT_SET_OBJECT))
3597 return -EINVAL;
3598
3599 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3600 if (objtype == NFT_OBJECT_UNSPEC ||
3601 objtype > NFT_OBJECT_MAX)
3602 return -EINVAL;
3603 } else if (flags & NFT_SET_OBJECT)
3604 return -EINVAL;
3605 else
3606 objtype = NFT_OBJECT_UNSPEC;
3607
3608 timeout = 0;
3609 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3610 if (!(flags & NFT_SET_TIMEOUT))
3611 return -EINVAL;
3612
3613 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
3614 if (err)
3615 return err;
3616 }
3617 gc_int = 0;
3618 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3619 if (!(flags & NFT_SET_TIMEOUT))
3620 return -EINVAL;
3621 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3622 }
3623
3624 policy = NFT_SET_POL_PERFORMANCE;
3625 if (nla[NFTA_SET_POLICY] != NULL)
3626 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3627
3628 if (nla[NFTA_SET_DESC] != NULL) {
3629 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
3630 if (err < 0)
3631 return err;
3632 }
3633
3634 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
3635 if (IS_ERR(table)) {
3636 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3637 return PTR_ERR(table);
3638 }
3639
3640 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3641
3642 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3643 if (IS_ERR(set)) {
3644 if (PTR_ERR(set) != -ENOENT) {
3645 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3646 return PTR_ERR(set);
3647 }
3648 } else {
3649 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3650 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3651 return -EEXIST;
3652 }
3653 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3654 return -EOPNOTSUPP;
3655
3656 return 0;
3657 }
3658
3659 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3660 return -ENOENT;
3661
3662 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3663 if (IS_ERR(ops))
3664 return PTR_ERR(ops);
3665
3666 udlen = 0;
3667 if (nla[NFTA_SET_USERDATA])
3668 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3669
3670 size = 0;
3671 if (ops->privsize != NULL)
3672 size = ops->privsize(nla, &desc);
3673
3674 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3675 if (!set) {
3676 err = -ENOMEM;
3677 goto err1;
3678 }
3679
3680 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3681 if (!name) {
3682 err = -ENOMEM;
3683 goto err2;
3684 }
3685
3686 err = nf_tables_set_alloc_name(&ctx, set, name);
3687 kfree(name);
3688 if (err < 0)
3689 goto err2;
3690
3691 udata = NULL;
3692 if (udlen) {
3693 udata = set->data + size;
3694 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3695 }
3696
3697 INIT_LIST_HEAD(&set->bindings);
3698 set->table = table;
3699 write_pnet(&set->net, net);
3700 set->ops = ops;
3701 set->ktype = ktype;
3702 set->klen = desc.klen;
3703 set->dtype = dtype;
3704 set->objtype = objtype;
3705 set->dlen = desc.dlen;
3706 set->flags = flags;
3707 set->size = desc.size;
3708 set->policy = policy;
3709 set->udlen = udlen;
3710 set->udata = udata;
3711 set->timeout = timeout;
3712 set->gc_int = gc_int;
3713 set->handle = nf_tables_alloc_handle(table);
3714
3715 err = ops->init(set, &desc, nla);
3716 if (err < 0)
3717 goto err3;
3718
3719 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3720 if (err < 0)
3721 goto err4;
3722
3723 list_add_tail_rcu(&set->list, &table->sets);
3724 table->use++;
3725 return 0;
3726
3727 err4:
3728 ops->destroy(set);
3729 err3:
3730 kfree(set->name);
3731 err2:
3732 kvfree(set);
3733 err1:
3734 module_put(to_set_type(ops)->owner);
3735 return err;
3736 }
3737
nft_set_destroy(struct nft_set * set)3738 static void nft_set_destroy(struct nft_set *set)
3739 {
3740 if (WARN_ON(set->use > 0))
3741 return;
3742
3743 set->ops->destroy(set);
3744 module_put(to_set_type(set->ops)->owner);
3745 kfree(set->name);
3746 kvfree(set);
3747 }
3748
nf_tables_delset(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)3749 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3750 struct sk_buff *skb, const struct nlmsghdr *nlh,
3751 const struct nlattr * const nla[],
3752 struct netlink_ext_ack *extack)
3753 {
3754 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3755 u8 genmask = nft_genmask_next(net);
3756 const struct nlattr *attr;
3757 struct nft_set *set;
3758 struct nft_ctx ctx;
3759 int err;
3760
3761 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3762 return -EAFNOSUPPORT;
3763 if (nla[NFTA_SET_TABLE] == NULL)
3764 return -EINVAL;
3765
3766 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3767 genmask);
3768 if (err < 0)
3769 return err;
3770
3771 if (nla[NFTA_SET_HANDLE]) {
3772 attr = nla[NFTA_SET_HANDLE];
3773 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
3774 } else {
3775 attr = nla[NFTA_SET_NAME];
3776 set = nft_set_lookup(ctx.table, attr, genmask);
3777 }
3778
3779 if (IS_ERR(set)) {
3780 NL_SET_BAD_ATTR(extack, attr);
3781 return PTR_ERR(set);
3782 }
3783 if (set->use ||
3784 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
3785 NL_SET_BAD_ATTR(extack, attr);
3786 return -EBUSY;
3787 }
3788
3789 return nft_delset(&ctx, set);
3790 }
3791
nf_tables_bind_check_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_set_elem * elem)3792 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3793 struct nft_set *set,
3794 const struct nft_set_iter *iter,
3795 struct nft_set_elem *elem)
3796 {
3797 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3798 enum nft_registers dreg;
3799
3800 dreg = nft_type_to_reg(set->dtype);
3801 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3802 set->dtype == NFT_DATA_VERDICT ?
3803 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3804 set->dlen);
3805 }
3806
nf_tables_bind_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding)3807 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3808 struct nft_set_binding *binding)
3809 {
3810 struct nft_set_binding *i;
3811 struct nft_set_iter iter;
3812
3813 if (set->use == UINT_MAX)
3814 return -EOVERFLOW;
3815
3816 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
3817 return -EBUSY;
3818
3819 if (binding->flags & NFT_SET_MAP) {
3820 /* If the set is already bound to the same chain all
3821 * jumps are already validated for that chain.
3822 */
3823 list_for_each_entry(i, &set->bindings, list) {
3824 if (i->flags & NFT_SET_MAP &&
3825 i->chain == binding->chain)
3826 goto bind;
3827 }
3828
3829 iter.genmask = nft_genmask_next(ctx->net);
3830 iter.skip = 0;
3831 iter.count = 0;
3832 iter.err = 0;
3833 iter.fn = nf_tables_bind_check_setelem;
3834
3835 set->ops->walk(ctx, set, &iter);
3836 if (iter.err < 0)
3837 return iter.err;
3838 }
3839 bind:
3840 binding->chain = ctx->chain;
3841 list_add_tail_rcu(&binding->list, &set->bindings);
3842 nft_set_trans_bind(ctx, set);
3843 set->use++;
3844
3845 return 0;
3846 }
3847 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3848
nf_tables_unbind_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding,bool event)3849 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3850 struct nft_set_binding *binding, bool event)
3851 {
3852 list_del_rcu(&binding->list);
3853
3854 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
3855 list_del_rcu(&set->list);
3856 if (event)
3857 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
3858 GFP_KERNEL);
3859 }
3860 }
3861
nf_tables_deactivate_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding,enum nft_trans_phase phase)3862 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
3863 struct nft_set_binding *binding,
3864 enum nft_trans_phase phase)
3865 {
3866 switch (phase) {
3867 case NFT_TRANS_PREPARE:
3868 set->use--;
3869 return;
3870 case NFT_TRANS_ABORT:
3871 case NFT_TRANS_RELEASE:
3872 set->use--;
3873 /* fall through */
3874 default:
3875 nf_tables_unbind_set(ctx, set, binding,
3876 phase == NFT_TRANS_COMMIT);
3877 }
3878 }
3879 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
3880
nf_tables_destroy_set(const struct nft_ctx * ctx,struct nft_set * set)3881 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
3882 {
3883 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
3884 nft_set_destroy(set);
3885 }
3886 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
3887
3888 const struct nft_set_ext_type nft_set_ext_types[] = {
3889 [NFT_SET_EXT_KEY] = {
3890 .align = __alignof__(u32),
3891 },
3892 [NFT_SET_EXT_DATA] = {
3893 .align = __alignof__(u32),
3894 },
3895 [NFT_SET_EXT_EXPR] = {
3896 .align = __alignof__(struct nft_expr),
3897 },
3898 [NFT_SET_EXT_OBJREF] = {
3899 .len = sizeof(struct nft_object *),
3900 .align = __alignof__(struct nft_object *),
3901 },
3902 [NFT_SET_EXT_FLAGS] = {
3903 .len = sizeof(u8),
3904 .align = __alignof__(u8),
3905 },
3906 [NFT_SET_EXT_TIMEOUT] = {
3907 .len = sizeof(u64),
3908 .align = __alignof__(u64),
3909 },
3910 [NFT_SET_EXT_EXPIRATION] = {
3911 .len = sizeof(u64),
3912 .align = __alignof__(u64),
3913 },
3914 [NFT_SET_EXT_USERDATA] = {
3915 .len = sizeof(struct nft_userdata),
3916 .align = __alignof__(struct nft_userdata),
3917 },
3918 };
3919 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3920
3921 /*
3922 * Set elements
3923 */
3924
3925 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3926 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3927 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3928 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3929 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3930 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
3931 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3932 .len = NFT_USERDATA_MAXLEN },
3933 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3934 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
3935 };
3936
3937 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3938 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3939 .len = NFT_TABLE_MAXNAMELEN - 1 },
3940 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3941 .len = NFT_SET_MAXNAMELEN - 1 },
3942 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3943 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3944 };
3945
nft_ctx_init_from_elemattr(struct nft_ctx * ctx,struct net * net,const struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack,u8 genmask)3946 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3947 const struct sk_buff *skb,
3948 const struct nlmsghdr *nlh,
3949 const struct nlattr * const nla[],
3950 struct netlink_ext_ack *extack,
3951 u8 genmask)
3952 {
3953 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3954 int family = nfmsg->nfgen_family;
3955 struct nft_table *table;
3956
3957 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
3958 genmask);
3959 if (IS_ERR(table)) {
3960 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
3961 return PTR_ERR(table);
3962 }
3963
3964 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3965 return 0;
3966 }
3967
nf_tables_fill_setelem(struct sk_buff * skb,const struct nft_set * set,const struct nft_set_elem * elem)3968 static int nf_tables_fill_setelem(struct sk_buff *skb,
3969 const struct nft_set *set,
3970 const struct nft_set_elem *elem)
3971 {
3972 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3973 unsigned char *b = skb_tail_pointer(skb);
3974 struct nlattr *nest;
3975
3976 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
3977 if (nest == NULL)
3978 goto nla_put_failure;
3979
3980 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
3981 NFT_DATA_VALUE, set->klen) < 0)
3982 goto nla_put_failure;
3983
3984 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
3985 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
3986 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
3987 set->dlen) < 0)
3988 goto nla_put_failure;
3989
3990 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
3991 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
3992 goto nla_put_failure;
3993
3994 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
3995 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
3996 (*nft_set_ext_obj(ext))->key.name) < 0)
3997 goto nla_put_failure;
3998
3999 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4000 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
4001 htonl(*nft_set_ext_flags(ext))))
4002 goto nla_put_failure;
4003
4004 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
4005 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
4006 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
4007 NFTA_SET_ELEM_PAD))
4008 goto nla_put_failure;
4009
4010 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4011 u64 expires, now = get_jiffies_64();
4012
4013 expires = *nft_set_ext_expiration(ext);
4014 if (time_before64(now, expires))
4015 expires -= now;
4016 else
4017 expires = 0;
4018
4019 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
4020 nf_jiffies64_to_msecs(expires),
4021 NFTA_SET_ELEM_PAD))
4022 goto nla_put_failure;
4023 }
4024
4025 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
4026 struct nft_userdata *udata;
4027
4028 udata = nft_set_ext_userdata(ext);
4029 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
4030 udata->len + 1, udata->data))
4031 goto nla_put_failure;
4032 }
4033
4034 nla_nest_end(skb, nest);
4035 return 0;
4036
4037 nla_put_failure:
4038 nlmsg_trim(skb, b);
4039 return -EMSGSIZE;
4040 }
4041
4042 struct nft_set_dump_args {
4043 const struct netlink_callback *cb;
4044 struct nft_set_iter iter;
4045 struct sk_buff *skb;
4046 };
4047
nf_tables_dump_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_set_elem * elem)4048 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
4049 struct nft_set *set,
4050 const struct nft_set_iter *iter,
4051 struct nft_set_elem *elem)
4052 {
4053 struct nft_set_dump_args *args;
4054
4055 args = container_of(iter, struct nft_set_dump_args, iter);
4056 return nf_tables_fill_setelem(args->skb, set, elem);
4057 }
4058
4059 struct nft_set_dump_ctx {
4060 const struct nft_set *set;
4061 struct nft_ctx ctx;
4062 };
4063
nf_tables_dump_set(struct sk_buff * skb,struct netlink_callback * cb)4064 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4065 {
4066 struct nft_set_dump_ctx *dump_ctx = cb->data;
4067 struct net *net = sock_net(skb->sk);
4068 struct nft_table *table;
4069 struct nft_set *set;
4070 struct nft_set_dump_args args;
4071 bool set_found = false;
4072 struct nfgenmsg *nfmsg;
4073 struct nlmsghdr *nlh;
4074 struct nlattr *nest;
4075 u32 portid, seq;
4076 int event;
4077
4078 rcu_read_lock();
4079 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4080 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4081 dump_ctx->ctx.family != table->family)
4082 continue;
4083
4084 if (table != dump_ctx->ctx.table)
4085 continue;
4086
4087 list_for_each_entry_rcu(set, &table->sets, list) {
4088 if (set == dump_ctx->set) {
4089 set_found = true;
4090 break;
4091 }
4092 }
4093 break;
4094 }
4095
4096 if (!set_found) {
4097 rcu_read_unlock();
4098 return -ENOENT;
4099 }
4100
4101 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4102 portid = NETLINK_CB(cb->skb).portid;
4103 seq = cb->nlh->nlmsg_seq;
4104
4105 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4106 NLM_F_MULTI);
4107 if (nlh == NULL)
4108 goto nla_put_failure;
4109
4110 nfmsg = nlmsg_data(nlh);
4111 nfmsg->nfgen_family = table->family;
4112 nfmsg->version = NFNETLINK_V0;
4113 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4114
4115 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4116 goto nla_put_failure;
4117 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4118 goto nla_put_failure;
4119
4120 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4121 if (nest == NULL)
4122 goto nla_put_failure;
4123
4124 args.cb = cb;
4125 args.skb = skb;
4126 args.iter.genmask = nft_genmask_cur(net);
4127 args.iter.skip = cb->args[0];
4128 args.iter.count = 0;
4129 args.iter.err = 0;
4130 args.iter.fn = nf_tables_dump_setelem;
4131 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4132 rcu_read_unlock();
4133
4134 nla_nest_end(skb, nest);
4135 nlmsg_end(skb, nlh);
4136
4137 if (args.iter.err && args.iter.err != -EMSGSIZE)
4138 return args.iter.err;
4139 if (args.iter.count == cb->args[0])
4140 return 0;
4141
4142 cb->args[0] = args.iter.count;
4143 return skb->len;
4144
4145 nla_put_failure:
4146 rcu_read_unlock();
4147 return -ENOSPC;
4148 }
4149
nf_tables_dump_set_start(struct netlink_callback * cb)4150 static int nf_tables_dump_set_start(struct netlink_callback *cb)
4151 {
4152 struct nft_set_dump_ctx *dump_ctx = cb->data;
4153
4154 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4155
4156 return cb->data ? 0 : -ENOMEM;
4157 }
4158
nf_tables_dump_set_done(struct netlink_callback * cb)4159 static int nf_tables_dump_set_done(struct netlink_callback *cb)
4160 {
4161 kfree(cb->data);
4162 return 0;
4163 }
4164
nf_tables_fill_setelem_info(struct sk_buff * skb,const struct nft_ctx * ctx,u32 seq,u32 portid,int event,u16 flags,const struct nft_set * set,const struct nft_set_elem * elem)4165 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4166 const struct nft_ctx *ctx, u32 seq,
4167 u32 portid, int event, u16 flags,
4168 const struct nft_set *set,
4169 const struct nft_set_elem *elem)
4170 {
4171 struct nfgenmsg *nfmsg;
4172 struct nlmsghdr *nlh;
4173 struct nlattr *nest;
4174 int err;
4175
4176 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4177 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4178 flags);
4179 if (nlh == NULL)
4180 goto nla_put_failure;
4181
4182 nfmsg = nlmsg_data(nlh);
4183 nfmsg->nfgen_family = ctx->family;
4184 nfmsg->version = NFNETLINK_V0;
4185 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
4186
4187 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4188 goto nla_put_failure;
4189 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4190 goto nla_put_failure;
4191
4192 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4193 if (nest == NULL)
4194 goto nla_put_failure;
4195
4196 err = nf_tables_fill_setelem(skb, set, elem);
4197 if (err < 0)
4198 goto nla_put_failure;
4199
4200 nla_nest_end(skb, nest);
4201
4202 nlmsg_end(skb, nlh);
4203 return 0;
4204
4205 nla_put_failure:
4206 nlmsg_trim(skb, nlh);
4207 return -1;
4208 }
4209
nft_setelem_parse_flags(const struct nft_set * set,const struct nlattr * attr,u32 * flags)4210 static int nft_setelem_parse_flags(const struct nft_set *set,
4211 const struct nlattr *attr, u32 *flags)
4212 {
4213 if (attr == NULL)
4214 return 0;
4215
4216 *flags = ntohl(nla_get_be32(attr));
4217 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4218 return -EINVAL;
4219 if (!(set->flags & NFT_SET_INTERVAL) &&
4220 *flags & NFT_SET_ELEM_INTERVAL_END)
4221 return -EINVAL;
4222
4223 return 0;
4224 }
4225
nft_get_set_elem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr)4226 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4227 const struct nlattr *attr)
4228 {
4229 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4230 struct nft_data_desc desc;
4231 struct nft_set_elem elem;
4232 struct sk_buff *skb;
4233 uint32_t flags = 0;
4234 void *priv;
4235 int err;
4236
4237 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4238 nft_set_elem_policy, NULL);
4239 if (err < 0)
4240 return err;
4241
4242 if (!nla[NFTA_SET_ELEM_KEY])
4243 return -EINVAL;
4244
4245 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4246 if (err < 0)
4247 return err;
4248
4249 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4250 nla[NFTA_SET_ELEM_KEY]);
4251 if (err < 0)
4252 return err;
4253
4254 err = -EINVAL;
4255 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4256 return err;
4257
4258 priv = set->ops->get(ctx->net, set, &elem, flags);
4259 if (IS_ERR(priv))
4260 return PTR_ERR(priv);
4261
4262 elem.priv = priv;
4263
4264 err = -ENOMEM;
4265 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4266 if (skb == NULL)
4267 goto err1;
4268
4269 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4270 NFT_MSG_NEWSETELEM, 0, set, &elem);
4271 if (err < 0)
4272 goto err2;
4273
4274 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
4275 /* This avoids a loop in nfnetlink. */
4276 if (err < 0)
4277 goto err1;
4278
4279 return 0;
4280 err2:
4281 kfree_skb(skb);
4282 err1:
4283 /* this avoids a loop in nfnetlink. */
4284 return err == -EAGAIN ? -ENOBUFS : err;
4285 }
4286
4287 /* called with rcu_read_lock held */
nf_tables_getsetelem(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)4288 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
4289 struct sk_buff *skb, const struct nlmsghdr *nlh,
4290 const struct nlattr * const nla[],
4291 struct netlink_ext_ack *extack)
4292 {
4293 u8 genmask = nft_genmask_cur(net);
4294 struct nft_set *set;
4295 struct nlattr *attr;
4296 struct nft_ctx ctx;
4297 int rem, err = 0;
4298
4299 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4300 genmask);
4301 if (err < 0)
4302 return err;
4303
4304 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4305 if (IS_ERR(set))
4306 return PTR_ERR(set);
4307
4308 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4309 struct netlink_dump_control c = {
4310 .start = nf_tables_dump_set_start,
4311 .dump = nf_tables_dump_set,
4312 .done = nf_tables_dump_set_done,
4313 .module = THIS_MODULE,
4314 };
4315 struct nft_set_dump_ctx dump_ctx = {
4316 .set = set,
4317 .ctx = ctx,
4318 };
4319
4320 c.data = &dump_ctx;
4321 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4322 }
4323
4324 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
4325 return -EINVAL;
4326
4327 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4328 err = nft_get_set_elem(&ctx, set, attr);
4329 if (err < 0)
4330 break;
4331 }
4332
4333 return err;
4334 }
4335
nf_tables_setelem_notify(const struct nft_ctx * ctx,const struct nft_set * set,const struct nft_set_elem * elem,int event,u16 flags)4336 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
4337 const struct nft_set *set,
4338 const struct nft_set_elem *elem,
4339 int event, u16 flags)
4340 {
4341 struct net *net = ctx->net;
4342 u32 portid = ctx->portid;
4343 struct sk_buff *skb;
4344 int err;
4345
4346 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4347 return;
4348
4349 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4350 if (skb == NULL)
4351 goto err;
4352
4353 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
4354 set, elem);
4355 if (err < 0) {
4356 kfree_skb(skb);
4357 goto err;
4358 }
4359
4360 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
4361 GFP_KERNEL);
4362 return;
4363 err:
4364 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4365 }
4366
nft_trans_elem_alloc(struct nft_ctx * ctx,int msg_type,struct nft_set * set)4367 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
4368 int msg_type,
4369 struct nft_set *set)
4370 {
4371 struct nft_trans *trans;
4372
4373 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
4374 if (trans == NULL)
4375 return NULL;
4376
4377 nft_trans_elem_set(trans) = set;
4378 return trans;
4379 }
4380
nft_set_elem_init(const struct nft_set * set,const struct nft_set_ext_tmpl * tmpl,const u32 * key,const u32 * data,u64 timeout,u64 expiration,gfp_t gfp)4381 void *nft_set_elem_init(const struct nft_set *set,
4382 const struct nft_set_ext_tmpl *tmpl,
4383 const u32 *key, const u32 *data,
4384 u64 timeout, u64 expiration, gfp_t gfp)
4385 {
4386 struct nft_set_ext *ext;
4387 void *elem;
4388
4389 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
4390 if (elem == NULL)
4391 return NULL;
4392
4393 ext = nft_set_elem_ext(set, elem);
4394 nft_set_ext_init(ext, tmpl);
4395
4396 memcpy(nft_set_ext_key(ext), key, set->klen);
4397 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4398 memcpy(nft_set_ext_data(ext), data, set->dlen);
4399 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4400 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
4401 if (expiration == 0)
4402 *nft_set_ext_expiration(ext) += timeout;
4403 }
4404 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
4405 *nft_set_ext_timeout(ext) = timeout;
4406
4407 return elem;
4408 }
4409
nft_set_elem_destroy(const struct nft_set * set,void * elem,bool destroy_expr)4410 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
4411 bool destroy_expr)
4412 {
4413 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4414 struct nft_ctx ctx = {
4415 .net = read_pnet(&set->net),
4416 .family = set->table->family,
4417 };
4418
4419 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
4420 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4421 nft_data_release(nft_set_ext_data(ext), set->dtype);
4422 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {
4423 struct nft_expr *expr = nft_set_ext_expr(ext);
4424
4425 if (expr->ops->destroy_clone) {
4426 expr->ops->destroy_clone(&ctx, expr);
4427 module_put(expr->ops->type->owner);
4428 } else {
4429 nf_tables_expr_destroy(&ctx, expr);
4430 }
4431 }
4432 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4433 (*nft_set_ext_obj(ext))->use--;
4434 kfree(elem);
4435 }
4436 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
4437
4438 /* Only called from commit path, nft_set_elem_deactivate() already deals with
4439 * the refcounting from the preparation phase.
4440 */
nf_tables_set_elem_destroy(const struct nft_ctx * ctx,const struct nft_set * set,void * elem)4441 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
4442 const struct nft_set *set, void *elem)
4443 {
4444 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4445
4446 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
4447 nf_tables_expr_destroy(ctx, nft_set_ext_expr(ext));
4448 kfree(elem);
4449 }
4450
nft_add_set_elem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr,u32 nlmsg_flags)4451 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4452 const struct nlattr *attr, u32 nlmsg_flags)
4453 {
4454 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4455 u8 genmask = nft_genmask_next(ctx->net);
4456 struct nft_data_desc d1, d2;
4457 struct nft_set_ext_tmpl tmpl;
4458 struct nft_set_ext *ext, *ext2;
4459 struct nft_set_elem elem;
4460 struct nft_set_binding *binding;
4461 struct nft_object *obj = NULL;
4462 struct nft_userdata *udata;
4463 struct nft_data data;
4464 enum nft_registers dreg;
4465 struct nft_trans *trans;
4466 u32 flags = 0;
4467 u64 timeout;
4468 u64 expiration;
4469 u8 ulen;
4470 int err;
4471
4472 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4473 nft_set_elem_policy, NULL);
4474 if (err < 0)
4475 return err;
4476
4477 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4478 return -EINVAL;
4479
4480 nft_set_ext_prepare(&tmpl);
4481
4482 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4483 if (err < 0)
4484 return err;
4485 if (flags != 0)
4486 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4487
4488 if (set->flags & NFT_SET_MAP) {
4489 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
4490 !(flags & NFT_SET_ELEM_INTERVAL_END))
4491 return -EINVAL;
4492 if (nla[NFTA_SET_ELEM_DATA] != NULL &&
4493 flags & NFT_SET_ELEM_INTERVAL_END)
4494 return -EINVAL;
4495 } else {
4496 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4497 return -EINVAL;
4498 }
4499
4500 timeout = 0;
4501 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
4502 if (!(set->flags & NFT_SET_TIMEOUT))
4503 return -EINVAL;
4504 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
4505 &timeout);
4506 if (err)
4507 return err;
4508 } else if (set->flags & NFT_SET_TIMEOUT) {
4509 timeout = set->timeout;
4510 }
4511
4512 expiration = 0;
4513 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
4514 if (!(set->flags & NFT_SET_TIMEOUT))
4515 return -EINVAL;
4516 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
4517 &expiration);
4518 if (err)
4519 return err;
4520 }
4521
4522 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
4523 nla[NFTA_SET_ELEM_KEY]);
4524 if (err < 0)
4525 goto err1;
4526 err = -EINVAL;
4527 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
4528 goto err2;
4529
4530 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
4531 if (timeout > 0) {
4532 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
4533 if (timeout != set->timeout)
4534 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
4535 }
4536
4537 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
4538 if (!(set->flags & NFT_SET_OBJECT)) {
4539 err = -EINVAL;
4540 goto err2;
4541 }
4542 obj = nft_obj_lookup(ctx->net, ctx->table,
4543 nla[NFTA_SET_ELEM_OBJREF],
4544 set->objtype, genmask);
4545 if (IS_ERR(obj)) {
4546 err = PTR_ERR(obj);
4547 goto err2;
4548 }
4549 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
4550 }
4551
4552 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4553 err = nft_data_init(ctx, &data, sizeof(data), &d2,
4554 nla[NFTA_SET_ELEM_DATA]);
4555 if (err < 0)
4556 goto err2;
4557
4558 err = -EINVAL;
4559 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
4560 goto err3;
4561
4562 dreg = nft_type_to_reg(set->dtype);
4563 list_for_each_entry(binding, &set->bindings, list) {
4564 struct nft_ctx bind_ctx = {
4565 .net = ctx->net,
4566 .family = ctx->family,
4567 .table = ctx->table,
4568 .chain = (struct nft_chain *)binding->chain,
4569 };
4570
4571 if (!(binding->flags & NFT_SET_MAP))
4572 continue;
4573
4574 err = nft_validate_register_store(&bind_ctx, dreg,
4575 &data,
4576 d2.type, d2.len);
4577 if (err < 0)
4578 goto err3;
4579
4580 if (d2.type == NFT_DATA_VERDICT &&
4581 (data.verdict.code == NFT_GOTO ||
4582 data.verdict.code == NFT_JUMP))
4583 nft_validate_state_update(ctx->net,
4584 NFT_VALIDATE_NEED);
4585 }
4586
4587 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4588 }
4589
4590 /* The full maximum length of userdata can exceed the maximum
4591 * offset value (U8_MAX) for following extensions, therefor it
4592 * must be the last extension added.
4593 */
4594 ulen = 0;
4595 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4596 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4597 if (ulen > 0)
4598 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4599 ulen);
4600 }
4601
4602 err = -ENOMEM;
4603 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4604 timeout, expiration, GFP_KERNEL);
4605 if (elem.priv == NULL)
4606 goto err3;
4607
4608 ext = nft_set_elem_ext(set, elem.priv);
4609 if (flags)
4610 *nft_set_ext_flags(ext) = flags;
4611 if (ulen > 0) {
4612 udata = nft_set_ext_userdata(ext);
4613 udata->len = ulen - 1;
4614 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4615 }
4616 if (obj) {
4617 *nft_set_ext_obj(ext) = obj;
4618 obj->use++;
4619 }
4620
4621 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4622 if (trans == NULL)
4623 goto err4;
4624
4625 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4626 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4627 if (err) {
4628 if (err == -EEXIST) {
4629 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4630 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4631 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4632 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4633 err = -EBUSY;
4634 goto err5;
4635 }
4636 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4637 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4638 memcmp(nft_set_ext_data(ext),
4639 nft_set_ext_data(ext2), set->dlen) != 0) ||
4640 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4641 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4642 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4643 err = -EBUSY;
4644 else if (!(nlmsg_flags & NLM_F_EXCL))
4645 err = 0;
4646 }
4647 goto err5;
4648 }
4649
4650 if (set->size &&
4651 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4652 err = -ENFILE;
4653 goto err6;
4654 }
4655
4656 nft_trans_elem(trans) = elem;
4657 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4658 return 0;
4659
4660 err6:
4661 set->ops->remove(ctx->net, set, &elem);
4662 err5:
4663 kfree(trans);
4664 err4:
4665 if (obj)
4666 obj->use--;
4667 kfree(elem.priv);
4668 err3:
4669 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4670 nft_data_release(&data, d2.type);
4671 err2:
4672 nft_data_release(&elem.key.val, d1.type);
4673 err1:
4674 return err;
4675 }
4676
nf_tables_newsetelem(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)4677 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4678 struct sk_buff *skb, const struct nlmsghdr *nlh,
4679 const struct nlattr * const nla[],
4680 struct netlink_ext_ack *extack)
4681 {
4682 u8 genmask = nft_genmask_next(net);
4683 const struct nlattr *attr;
4684 struct nft_set *set;
4685 struct nft_ctx ctx;
4686 int rem, err;
4687
4688 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4689 return -EINVAL;
4690
4691 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4692 genmask);
4693 if (err < 0)
4694 return err;
4695
4696 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4697 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
4698 if (IS_ERR(set))
4699 return PTR_ERR(set);
4700
4701 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4702 return -EBUSY;
4703
4704 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4705 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4706 if (err < 0)
4707 return err;
4708 }
4709
4710 if (net->nft.validate_state == NFT_VALIDATE_DO)
4711 return nft_table_validate(net, ctx.table);
4712
4713 return 0;
4714 }
4715
4716 /**
4717 * nft_data_hold - hold a nft_data item
4718 *
4719 * @data: struct nft_data to release
4720 * @type: type of data
4721 *
4722 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4723 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4724 * NFT_GOTO verdicts. This function must be called on active data objects
4725 * from the second phase of the commit protocol.
4726 */
nft_data_hold(const struct nft_data * data,enum nft_data_types type)4727 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4728 {
4729 if (type == NFT_DATA_VERDICT) {
4730 switch (data->verdict.code) {
4731 case NFT_JUMP:
4732 case NFT_GOTO:
4733 data->verdict.chain->use++;
4734 break;
4735 }
4736 }
4737 }
4738
nft_set_elem_activate(const struct net * net,const struct nft_set * set,struct nft_set_elem * elem)4739 static void nft_set_elem_activate(const struct net *net,
4740 const struct nft_set *set,
4741 struct nft_set_elem *elem)
4742 {
4743 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4744
4745 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4746 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4747 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4748 (*nft_set_ext_obj(ext))->use++;
4749 }
4750
nft_set_elem_deactivate(const struct net * net,const struct nft_set * set,struct nft_set_elem * elem)4751 static void nft_set_elem_deactivate(const struct net *net,
4752 const struct nft_set *set,
4753 struct nft_set_elem *elem)
4754 {
4755 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4756
4757 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4758 nft_data_release(nft_set_ext_data(ext), set->dtype);
4759 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4760 (*nft_set_ext_obj(ext))->use--;
4761 }
4762
nft_del_setelem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr)4763 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4764 const struct nlattr *attr)
4765 {
4766 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4767 struct nft_set_ext_tmpl tmpl;
4768 struct nft_data_desc desc;
4769 struct nft_set_elem elem;
4770 struct nft_set_ext *ext;
4771 struct nft_trans *trans;
4772 u32 flags = 0;
4773 void *priv;
4774 int err;
4775
4776 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4777 nft_set_elem_policy, NULL);
4778 if (err < 0)
4779 goto err1;
4780
4781 err = -EINVAL;
4782 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4783 goto err1;
4784
4785 nft_set_ext_prepare(&tmpl);
4786
4787 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4788 if (err < 0)
4789 return err;
4790 if (flags != 0)
4791 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4792
4793 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4794 nla[NFTA_SET_ELEM_KEY]);
4795 if (err < 0)
4796 goto err1;
4797
4798 err = -EINVAL;
4799 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4800 goto err2;
4801
4802 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4803
4804 err = -ENOMEM;
4805 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4806 0, GFP_KERNEL);
4807 if (elem.priv == NULL)
4808 goto err2;
4809
4810 ext = nft_set_elem_ext(set, elem.priv);
4811 if (flags)
4812 *nft_set_ext_flags(ext) = flags;
4813
4814 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4815 if (trans == NULL) {
4816 err = -ENOMEM;
4817 goto err3;
4818 }
4819
4820 priv = set->ops->deactivate(ctx->net, set, &elem);
4821 if (priv == NULL) {
4822 err = -ENOENT;
4823 goto err4;
4824 }
4825 kfree(elem.priv);
4826 elem.priv = priv;
4827
4828 nft_set_elem_deactivate(ctx->net, set, &elem);
4829
4830 nft_trans_elem(trans) = elem;
4831 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4832 return 0;
4833
4834 err4:
4835 kfree(trans);
4836 err3:
4837 kfree(elem.priv);
4838 err2:
4839 nft_data_release(&elem.key.val, desc.type);
4840 err1:
4841 return err;
4842 }
4843
nft_flush_set(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_set_elem * elem)4844 static int nft_flush_set(const struct nft_ctx *ctx,
4845 struct nft_set *set,
4846 const struct nft_set_iter *iter,
4847 struct nft_set_elem *elem)
4848 {
4849 struct nft_trans *trans;
4850 int err;
4851
4852 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4853 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4854 if (!trans)
4855 return -ENOMEM;
4856
4857 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4858 err = -ENOENT;
4859 goto err1;
4860 }
4861 set->ndeact++;
4862
4863 nft_set_elem_deactivate(ctx->net, set, elem);
4864 nft_trans_elem_set(trans) = set;
4865 nft_trans_elem(trans) = *elem;
4866 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4867
4868 return 0;
4869 err1:
4870 kfree(trans);
4871 return err;
4872 }
4873
nf_tables_delsetelem(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)4874 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4875 struct sk_buff *skb, const struct nlmsghdr *nlh,
4876 const struct nlattr * const nla[],
4877 struct netlink_ext_ack *extack)
4878 {
4879 u8 genmask = nft_genmask_next(net);
4880 const struct nlattr *attr;
4881 struct nft_set *set;
4882 struct nft_ctx ctx;
4883 int rem, err = 0;
4884
4885 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4886 genmask);
4887 if (err < 0)
4888 return err;
4889
4890 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4891 if (IS_ERR(set))
4892 return PTR_ERR(set);
4893 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4894 return -EBUSY;
4895
4896 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4897 struct nft_set_iter iter = {
4898 .genmask = genmask,
4899 .fn = nft_flush_set,
4900 };
4901 set->ops->walk(&ctx, set, &iter);
4902
4903 return iter.err;
4904 }
4905
4906 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4907 err = nft_del_setelem(&ctx, set, attr);
4908 if (err < 0)
4909 break;
4910
4911 set->ndeact++;
4912 }
4913 return err;
4914 }
4915
nft_set_gc_batch_release(struct rcu_head * rcu)4916 void nft_set_gc_batch_release(struct rcu_head *rcu)
4917 {
4918 struct nft_set_gc_batch *gcb;
4919 unsigned int i;
4920
4921 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4922 for (i = 0; i < gcb->head.cnt; i++)
4923 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4924 kfree(gcb);
4925 }
4926 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4927
nft_set_gc_batch_alloc(const struct nft_set * set,gfp_t gfp)4928 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4929 gfp_t gfp)
4930 {
4931 struct nft_set_gc_batch *gcb;
4932
4933 gcb = kzalloc(sizeof(*gcb), gfp);
4934 if (gcb == NULL)
4935 return gcb;
4936 gcb->head.set = set;
4937 return gcb;
4938 }
4939 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4940
4941 /*
4942 * Stateful objects
4943 */
4944
4945 /**
4946 * nft_register_obj- register nf_tables stateful object type
4947 * @obj: object type
4948 *
4949 * Registers the object type for use with nf_tables. Returns zero on
4950 * success or a negative errno code otherwise.
4951 */
nft_register_obj(struct nft_object_type * obj_type)4952 int nft_register_obj(struct nft_object_type *obj_type)
4953 {
4954 if (obj_type->type == NFT_OBJECT_UNSPEC)
4955 return -EINVAL;
4956
4957 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4958 list_add_rcu(&obj_type->list, &nf_tables_objects);
4959 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4960 return 0;
4961 }
4962 EXPORT_SYMBOL_GPL(nft_register_obj);
4963
4964 /**
4965 * nft_unregister_obj - unregister nf_tables object type
4966 * @obj: object type
4967 *
4968 * Unregisters the object type for use with nf_tables.
4969 */
nft_unregister_obj(struct nft_object_type * obj_type)4970 void nft_unregister_obj(struct nft_object_type *obj_type)
4971 {
4972 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4973 list_del_rcu(&obj_type->list);
4974 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
4975 }
4976 EXPORT_SYMBOL_GPL(nft_unregister_obj);
4977
nft_obj_lookup(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u32 objtype,u8 genmask)4978 struct nft_object *nft_obj_lookup(const struct net *net,
4979 const struct nft_table *table,
4980 const struct nlattr *nla, u32 objtype,
4981 u8 genmask)
4982 {
4983 struct nft_object_hash_key k = { .table = table };
4984 char search[NFT_OBJ_MAXNAMELEN];
4985 struct rhlist_head *tmp, *list;
4986 struct nft_object *obj;
4987
4988 nla_strlcpy(search, nla, sizeof(search));
4989 k.name = search;
4990
4991 WARN_ON_ONCE(!rcu_read_lock_held() &&
4992 !lockdep_commit_lock_is_held(net));
4993
4994 rcu_read_lock();
4995 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
4996 if (!list)
4997 goto out;
4998
4999 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
5000 if (objtype == obj->ops->type->type &&
5001 nft_active_genmask(obj, genmask)) {
5002 rcu_read_unlock();
5003 return obj;
5004 }
5005 }
5006 out:
5007 rcu_read_unlock();
5008 return ERR_PTR(-ENOENT);
5009 }
5010 EXPORT_SYMBOL_GPL(nft_obj_lookup);
5011
nft_obj_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u32 objtype,u8 genmask)5012 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
5013 const struct nlattr *nla,
5014 u32 objtype, u8 genmask)
5015 {
5016 struct nft_object *obj;
5017
5018 list_for_each_entry(obj, &table->objects, list) {
5019 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
5020 objtype == obj->ops->type->type &&
5021 nft_active_genmask(obj, genmask))
5022 return obj;
5023 }
5024 return ERR_PTR(-ENOENT);
5025 }
5026
5027 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
5028 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
5029 .len = NFT_TABLE_MAXNAMELEN - 1 },
5030 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
5031 .len = NFT_OBJ_MAXNAMELEN - 1 },
5032 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
5033 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
5034 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
5035 };
5036
nft_obj_init(const struct nft_ctx * ctx,const struct nft_object_type * type,const struct nlattr * attr)5037 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
5038 const struct nft_object_type *type,
5039 const struct nlattr *attr)
5040 {
5041 struct nlattr **tb;
5042 const struct nft_object_ops *ops;
5043 struct nft_object *obj;
5044 int err = -ENOMEM;
5045
5046 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
5047 if (!tb)
5048 goto err1;
5049
5050 if (attr) {
5051 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
5052 type->policy, NULL);
5053 if (err < 0)
5054 goto err2;
5055 } else {
5056 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
5057 }
5058
5059 if (type->select_ops) {
5060 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
5061 if (IS_ERR(ops)) {
5062 err = PTR_ERR(ops);
5063 goto err2;
5064 }
5065 } else {
5066 ops = type->ops;
5067 }
5068
5069 err = -ENOMEM;
5070 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
5071 if (!obj)
5072 goto err2;
5073
5074 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
5075 if (err < 0)
5076 goto err3;
5077
5078 obj->ops = ops;
5079
5080 kfree(tb);
5081 return obj;
5082 err3:
5083 kfree(obj);
5084 err2:
5085 kfree(tb);
5086 err1:
5087 return ERR_PTR(err);
5088 }
5089
nft_object_dump(struct sk_buff * skb,unsigned int attr,struct nft_object * obj,bool reset)5090 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
5091 struct nft_object *obj, bool reset)
5092 {
5093 struct nlattr *nest;
5094
5095 nest = nla_nest_start_noflag(skb, attr);
5096 if (!nest)
5097 goto nla_put_failure;
5098 if (obj->ops->dump(skb, obj, reset) < 0)
5099 goto nla_put_failure;
5100 nla_nest_end(skb, nest);
5101 return 0;
5102
5103 nla_put_failure:
5104 return -1;
5105 }
5106
__nft_obj_type_get(u32 objtype)5107 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
5108 {
5109 const struct nft_object_type *type;
5110
5111 list_for_each_entry(type, &nf_tables_objects, list) {
5112 if (objtype == type->type)
5113 return type;
5114 }
5115 return NULL;
5116 }
5117
5118 static const struct nft_object_type *
nft_obj_type_get(struct net * net,u32 objtype)5119 nft_obj_type_get(struct net *net, u32 objtype)
5120 {
5121 const struct nft_object_type *type;
5122
5123 type = __nft_obj_type_get(objtype);
5124 if (type != NULL && try_module_get(type->owner))
5125 return type;
5126
5127 lockdep_nfnl_nft_mutex_not_held();
5128 #ifdef CONFIG_MODULES
5129 if (type == NULL) {
5130 nft_request_module(net, "nft-obj-%u", objtype);
5131 if (__nft_obj_type_get(objtype))
5132 return ERR_PTR(-EAGAIN);
5133 }
5134 #endif
5135 return ERR_PTR(-ENOENT);
5136 }
5137
nf_tables_updobj(const struct nft_ctx * ctx,const struct nft_object_type * type,const struct nlattr * attr,struct nft_object * obj)5138 static int nf_tables_updobj(const struct nft_ctx *ctx,
5139 const struct nft_object_type *type,
5140 const struct nlattr *attr,
5141 struct nft_object *obj)
5142 {
5143 struct nft_object *newobj;
5144 struct nft_trans *trans;
5145 int err;
5146
5147 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
5148 sizeof(struct nft_trans_obj));
5149 if (!trans)
5150 return -ENOMEM;
5151
5152 newobj = nft_obj_init(ctx, type, attr);
5153 if (IS_ERR(newobj)) {
5154 err = PTR_ERR(newobj);
5155 goto err_free_trans;
5156 }
5157
5158 nft_trans_obj(trans) = obj;
5159 nft_trans_obj_update(trans) = true;
5160 nft_trans_obj_newobj(trans) = newobj;
5161 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5162
5163 return 0;
5164
5165 err_free_trans:
5166 kfree(trans);
5167 return err;
5168 }
5169
nf_tables_newobj(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)5170 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
5171 struct sk_buff *skb, const struct nlmsghdr *nlh,
5172 const struct nlattr * const nla[],
5173 struct netlink_ext_ack *extack)
5174 {
5175 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5176 const struct nft_object_type *type;
5177 u8 genmask = nft_genmask_next(net);
5178 int family = nfmsg->nfgen_family;
5179 struct nft_table *table;
5180 struct nft_object *obj;
5181 struct nft_ctx ctx;
5182 u32 objtype;
5183 int err;
5184
5185 if (!nla[NFTA_OBJ_TYPE] ||
5186 !nla[NFTA_OBJ_NAME] ||
5187 !nla[NFTA_OBJ_DATA])
5188 return -EINVAL;
5189
5190 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5191 if (IS_ERR(table)) {
5192 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5193 return PTR_ERR(table);
5194 }
5195
5196 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5197 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5198 if (IS_ERR(obj)) {
5199 err = PTR_ERR(obj);
5200 if (err != -ENOENT) {
5201 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5202 return err;
5203 }
5204 } else {
5205 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5206 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5207 return -EEXIST;
5208 }
5209 if (nlh->nlmsg_flags & NLM_F_REPLACE)
5210 return -EOPNOTSUPP;
5211
5212 type = nft_obj_type_get(net, objtype);
5213 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5214
5215 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
5216 }
5217
5218 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5219
5220 type = nft_obj_type_get(net, objtype);
5221 if (IS_ERR(type))
5222 return PTR_ERR(type);
5223
5224 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
5225 if (IS_ERR(obj)) {
5226 err = PTR_ERR(obj);
5227 goto err1;
5228 }
5229 obj->key.table = table;
5230 obj->handle = nf_tables_alloc_handle(table);
5231
5232 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
5233 if (!obj->key.name) {
5234 err = -ENOMEM;
5235 goto err2;
5236 }
5237
5238 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
5239 if (err < 0)
5240 goto err3;
5241
5242 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
5243 nft_objname_ht_params);
5244 if (err < 0)
5245 goto err4;
5246
5247 list_add_tail_rcu(&obj->list, &table->objects);
5248 table->use++;
5249 return 0;
5250 err4:
5251 /* queued in transaction log */
5252 INIT_LIST_HEAD(&obj->list);
5253 return err;
5254 err3:
5255 kfree(obj->key.name);
5256 err2:
5257 if (obj->ops->destroy)
5258 obj->ops->destroy(&ctx, obj);
5259 kfree(obj);
5260 err1:
5261 module_put(type->owner);
5262 return err;
5263 }
5264
nf_tables_fill_obj_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,struct nft_object * obj,bool reset)5265 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
5266 u32 portid, u32 seq, int event, u32 flags,
5267 int family, const struct nft_table *table,
5268 struct nft_object *obj, bool reset)
5269 {
5270 struct nfgenmsg *nfmsg;
5271 struct nlmsghdr *nlh;
5272
5273 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5274 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5275 if (nlh == NULL)
5276 goto nla_put_failure;
5277
5278 nfmsg = nlmsg_data(nlh);
5279 nfmsg->nfgen_family = family;
5280 nfmsg->version = NFNETLINK_V0;
5281 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5282
5283 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
5284 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
5285 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
5286 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
5287 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
5288 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
5289 NFTA_OBJ_PAD))
5290 goto nla_put_failure;
5291
5292 nlmsg_end(skb, nlh);
5293 return 0;
5294
5295 nla_put_failure:
5296 nlmsg_trim(skb, nlh);
5297 return -1;
5298 }
5299
5300 struct nft_obj_filter {
5301 char *table;
5302 u32 type;
5303 };
5304
nf_tables_dump_obj(struct sk_buff * skb,struct netlink_callback * cb)5305 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
5306 {
5307 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5308 const struct nft_table *table;
5309 unsigned int idx = 0, s_idx = cb->args[0];
5310 struct nft_obj_filter *filter = cb->data;
5311 struct net *net = sock_net(skb->sk);
5312 int family = nfmsg->nfgen_family;
5313 struct nft_object *obj;
5314 bool reset = false;
5315
5316 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5317 reset = true;
5318
5319 rcu_read_lock();
5320 cb->seq = net->nft.base_seq;
5321
5322 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5323 if (family != NFPROTO_UNSPEC && family != table->family)
5324 continue;
5325
5326 list_for_each_entry_rcu(obj, &table->objects, list) {
5327 if (!nft_is_active(net, obj))
5328 goto cont;
5329 if (idx < s_idx)
5330 goto cont;
5331 if (idx > s_idx)
5332 memset(&cb->args[1], 0,
5333 sizeof(cb->args) - sizeof(cb->args[0]));
5334 if (filter && filter->table &&
5335 strcmp(filter->table, table->name))
5336 goto cont;
5337 if (filter &&
5338 filter->type != NFT_OBJECT_UNSPEC &&
5339 obj->ops->type->type != filter->type)
5340 goto cont;
5341
5342 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
5343 cb->nlh->nlmsg_seq,
5344 NFT_MSG_NEWOBJ,
5345 NLM_F_MULTI | NLM_F_APPEND,
5346 table->family, table,
5347 obj, reset) < 0)
5348 goto done;
5349
5350 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5351 cont:
5352 idx++;
5353 }
5354 }
5355 done:
5356 rcu_read_unlock();
5357
5358 cb->args[0] = idx;
5359 return skb->len;
5360 }
5361
nf_tables_dump_obj_start(struct netlink_callback * cb)5362 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
5363 {
5364 const struct nlattr * const *nla = cb->data;
5365 struct nft_obj_filter *filter = NULL;
5366
5367 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
5368 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5369 if (!filter)
5370 return -ENOMEM;
5371
5372 if (nla[NFTA_OBJ_TABLE]) {
5373 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
5374 if (!filter->table) {
5375 kfree(filter);
5376 return -ENOMEM;
5377 }
5378 }
5379
5380 if (nla[NFTA_OBJ_TYPE])
5381 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5382 }
5383
5384 cb->data = filter;
5385 return 0;
5386 }
5387
nf_tables_dump_obj_done(struct netlink_callback * cb)5388 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
5389 {
5390 struct nft_obj_filter *filter = cb->data;
5391
5392 if (filter) {
5393 kfree(filter->table);
5394 kfree(filter);
5395 }
5396
5397 return 0;
5398 }
5399
5400 /* called with rcu_read_lock held */
nf_tables_getobj(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)5401 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
5402 struct sk_buff *skb, const struct nlmsghdr *nlh,
5403 const struct nlattr * const nla[],
5404 struct netlink_ext_ack *extack)
5405 {
5406 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5407 u8 genmask = nft_genmask_cur(net);
5408 int family = nfmsg->nfgen_family;
5409 const struct nft_table *table;
5410 struct nft_object *obj;
5411 struct sk_buff *skb2;
5412 bool reset = false;
5413 u32 objtype;
5414 int err;
5415
5416 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5417 struct netlink_dump_control c = {
5418 .start = nf_tables_dump_obj_start,
5419 .dump = nf_tables_dump_obj,
5420 .done = nf_tables_dump_obj_done,
5421 .module = THIS_MODULE,
5422 .data = (void *)nla,
5423 };
5424
5425 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5426 }
5427
5428 if (!nla[NFTA_OBJ_NAME] ||
5429 !nla[NFTA_OBJ_TYPE])
5430 return -EINVAL;
5431
5432 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5433 if (IS_ERR(table)) {
5434 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5435 return PTR_ERR(table);
5436 }
5437
5438 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5439 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5440 if (IS_ERR(obj)) {
5441 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5442 return PTR_ERR(obj);
5443 }
5444
5445 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5446 if (!skb2)
5447 return -ENOMEM;
5448
5449 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5450 reset = true;
5451
5452 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
5453 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
5454 family, table, obj, reset);
5455 if (err < 0)
5456 goto err;
5457
5458 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5459 err:
5460 kfree_skb(skb2);
5461 return err;
5462 }
5463
nft_obj_destroy(const struct nft_ctx * ctx,struct nft_object * obj)5464 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
5465 {
5466 if (obj->ops->destroy)
5467 obj->ops->destroy(ctx, obj);
5468
5469 module_put(obj->ops->type->owner);
5470 kfree(obj->key.name);
5471 kfree(obj);
5472 }
5473
nf_tables_delobj(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)5474 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
5475 struct sk_buff *skb, const struct nlmsghdr *nlh,
5476 const struct nlattr * const nla[],
5477 struct netlink_ext_ack *extack)
5478 {
5479 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5480 u8 genmask = nft_genmask_next(net);
5481 int family = nfmsg->nfgen_family;
5482 const struct nlattr *attr;
5483 struct nft_table *table;
5484 struct nft_object *obj;
5485 struct nft_ctx ctx;
5486 u32 objtype;
5487
5488 if (!nla[NFTA_OBJ_TYPE] ||
5489 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
5490 return -EINVAL;
5491
5492 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5493 if (IS_ERR(table)) {
5494 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5495 return PTR_ERR(table);
5496 }
5497
5498 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5499 if (nla[NFTA_OBJ_HANDLE]) {
5500 attr = nla[NFTA_OBJ_HANDLE];
5501 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
5502 } else {
5503 attr = nla[NFTA_OBJ_NAME];
5504 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
5505 }
5506
5507 if (IS_ERR(obj)) {
5508 NL_SET_BAD_ATTR(extack, attr);
5509 return PTR_ERR(obj);
5510 }
5511 if (obj->use > 0) {
5512 NL_SET_BAD_ATTR(extack, attr);
5513 return -EBUSY;
5514 }
5515
5516 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5517
5518 return nft_delobj(&ctx, obj);
5519 }
5520
nft_obj_notify(struct net * net,const struct nft_table * table,struct nft_object * obj,u32 portid,u32 seq,int event,int family,int report,gfp_t gfp)5521 void nft_obj_notify(struct net *net, const struct nft_table *table,
5522 struct nft_object *obj, u32 portid, u32 seq, int event,
5523 int family, int report, gfp_t gfp)
5524 {
5525 struct sk_buff *skb;
5526 int err;
5527
5528 if (!report &&
5529 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5530 return;
5531
5532 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
5533 if (skb == NULL)
5534 goto err;
5535
5536 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
5537 table, obj, false);
5538 if (err < 0) {
5539 kfree_skb(skb);
5540 goto err;
5541 }
5542
5543 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
5544 return;
5545 err:
5546 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5547 }
5548 EXPORT_SYMBOL_GPL(nft_obj_notify);
5549
nf_tables_obj_notify(const struct nft_ctx * ctx,struct nft_object * obj,int event)5550 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
5551 struct nft_object *obj, int event)
5552 {
5553 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
5554 ctx->family, ctx->report, GFP_KERNEL);
5555 }
5556
5557 /*
5558 * Flow tables
5559 */
nft_register_flowtable_type(struct nf_flowtable_type * type)5560 void nft_register_flowtable_type(struct nf_flowtable_type *type)
5561 {
5562 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5563 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
5564 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5565 }
5566 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
5567
nft_unregister_flowtable_type(struct nf_flowtable_type * type)5568 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
5569 {
5570 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5571 list_del_rcu(&type->list);
5572 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5573 }
5574 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
5575
5576 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
5577 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
5578 .len = NFT_NAME_MAXLEN - 1 },
5579 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
5580 .len = NFT_NAME_MAXLEN - 1 },
5581 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
5582 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
5583 };
5584
nft_flowtable_lookup(const struct nft_table * table,const struct nlattr * nla,u8 genmask)5585 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
5586 const struct nlattr *nla, u8 genmask)
5587 {
5588 struct nft_flowtable *flowtable;
5589
5590 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5591 if (!nla_strcmp(nla, flowtable->name) &&
5592 nft_active_genmask(flowtable, genmask))
5593 return flowtable;
5594 }
5595 return ERR_PTR(-ENOENT);
5596 }
5597 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
5598
nf_tables_deactivate_flowtable(const struct nft_ctx * ctx,struct nft_flowtable * flowtable,enum nft_trans_phase phase)5599 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
5600 struct nft_flowtable *flowtable,
5601 enum nft_trans_phase phase)
5602 {
5603 switch (phase) {
5604 case NFT_TRANS_PREPARE:
5605 case NFT_TRANS_ABORT:
5606 case NFT_TRANS_RELEASE:
5607 flowtable->use--;
5608 /* fall through */
5609 default:
5610 return;
5611 }
5612 }
5613 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
5614
5615 static struct nft_flowtable *
nft_flowtable_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u8 genmask)5616 nft_flowtable_lookup_byhandle(const struct nft_table *table,
5617 const struct nlattr *nla, u8 genmask)
5618 {
5619 struct nft_flowtable *flowtable;
5620
5621 list_for_each_entry(flowtable, &table->flowtables, list) {
5622 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
5623 nft_active_genmask(flowtable, genmask))
5624 return flowtable;
5625 }
5626 return ERR_PTR(-ENOENT);
5627 }
5628
nf_tables_parse_devices(const struct nft_ctx * ctx,const struct nlattr * attr,struct net_device * dev_array[],int * len)5629 static int nf_tables_parse_devices(const struct nft_ctx *ctx,
5630 const struct nlattr *attr,
5631 struct net_device *dev_array[], int *len)
5632 {
5633 const struct nlattr *tmp;
5634 struct net_device *dev;
5635 char ifname[IFNAMSIZ];
5636 int rem, n = 0, err;
5637
5638 nla_for_each_nested(tmp, attr, rem) {
5639 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
5640 err = -EINVAL;
5641 goto err1;
5642 }
5643
5644 nla_strlcpy(ifname, tmp, IFNAMSIZ);
5645 dev = __dev_get_by_name(ctx->net, ifname);
5646 if (!dev) {
5647 err = -ENOENT;
5648 goto err1;
5649 }
5650
5651 dev_array[n++] = dev;
5652 if (n == NFT_FLOWTABLE_DEVICE_MAX) {
5653 err = -EFBIG;
5654 goto err1;
5655 }
5656 }
5657 if (!len)
5658 return -EINVAL;
5659
5660 err = 0;
5661 err1:
5662 *len = n;
5663 return err;
5664 }
5665
5666 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
5667 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
5668 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
5669 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
5670 };
5671
nf_tables_flowtable_parse_hook(const struct nft_ctx * ctx,const struct nlattr * attr,struct nft_flowtable * flowtable)5672 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
5673 const struct nlattr *attr,
5674 struct nft_flowtable *flowtable)
5675 {
5676 struct net_device *dev_array[NFT_FLOWTABLE_DEVICE_MAX];
5677 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
5678 struct nf_hook_ops *ops;
5679 int hooknum, priority;
5680 int err, n = 0, i;
5681
5682 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
5683 nft_flowtable_hook_policy, NULL);
5684 if (err < 0)
5685 return err;
5686
5687 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
5688 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
5689 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
5690 return -EINVAL;
5691
5692 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
5693 if (hooknum != NF_NETDEV_INGRESS)
5694 return -EINVAL;
5695
5696 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
5697
5698 err = nf_tables_parse_devices(ctx, tb[NFTA_FLOWTABLE_HOOK_DEVS],
5699 dev_array, &n);
5700 if (err < 0)
5701 return err;
5702
5703 ops = kcalloc(n, sizeof(struct nf_hook_ops), GFP_KERNEL);
5704 if (!ops)
5705 return -ENOMEM;
5706
5707 flowtable->hooknum = hooknum;
5708 flowtable->priority = priority;
5709 flowtable->ops = ops;
5710 flowtable->ops_len = n;
5711
5712 for (i = 0; i < n; i++) {
5713 flowtable->ops[i].pf = NFPROTO_NETDEV;
5714 flowtable->ops[i].hooknum = hooknum;
5715 flowtable->ops[i].priority = priority;
5716 flowtable->ops[i].priv = &flowtable->data;
5717 flowtable->ops[i].hook = flowtable->data.type->hook;
5718 flowtable->ops[i].dev = dev_array[i];
5719 }
5720
5721 return err;
5722 }
5723
__nft_flowtable_type_get(u8 family)5724 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
5725 {
5726 const struct nf_flowtable_type *type;
5727
5728 list_for_each_entry(type, &nf_tables_flowtables, list) {
5729 if (family == type->family)
5730 return type;
5731 }
5732 return NULL;
5733 }
5734
5735 static const struct nf_flowtable_type *
nft_flowtable_type_get(struct net * net,u8 family)5736 nft_flowtable_type_get(struct net *net, u8 family)
5737 {
5738 const struct nf_flowtable_type *type;
5739
5740 type = __nft_flowtable_type_get(family);
5741 if (type != NULL && try_module_get(type->owner))
5742 return type;
5743
5744 lockdep_nfnl_nft_mutex_not_held();
5745 #ifdef CONFIG_MODULES
5746 if (type == NULL) {
5747 nft_request_module(net, "nf-flowtable-%u", family);
5748 if (__nft_flowtable_type_get(family))
5749 return ERR_PTR(-EAGAIN);
5750 }
5751 #endif
5752 return ERR_PTR(-ENOENT);
5753 }
5754
nft_unregister_flowtable_net_hooks(struct net * net,struct nft_flowtable * flowtable)5755 static void nft_unregister_flowtable_net_hooks(struct net *net,
5756 struct nft_flowtable *flowtable)
5757 {
5758 int i;
5759
5760 for (i = 0; i < flowtable->ops_len; i++) {
5761 if (!flowtable->ops[i].dev)
5762 continue;
5763
5764 nf_unregister_net_hook(net, &flowtable->ops[i]);
5765 }
5766 }
5767
nf_tables_newflowtable(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)5768 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
5769 struct sk_buff *skb,
5770 const struct nlmsghdr *nlh,
5771 const struct nlattr * const nla[],
5772 struct netlink_ext_ack *extack)
5773 {
5774 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5775 const struct nf_flowtable_type *type;
5776 struct nft_flowtable *flowtable, *ft;
5777 u8 genmask = nft_genmask_next(net);
5778 int family = nfmsg->nfgen_family;
5779 struct nft_table *table;
5780 struct nft_ctx ctx;
5781 int err, i, k;
5782
5783 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5784 !nla[NFTA_FLOWTABLE_NAME] ||
5785 !nla[NFTA_FLOWTABLE_HOOK])
5786 return -EINVAL;
5787
5788 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5789 genmask);
5790 if (IS_ERR(table)) {
5791 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5792 return PTR_ERR(table);
5793 }
5794
5795 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5796 genmask);
5797 if (IS_ERR(flowtable)) {
5798 err = PTR_ERR(flowtable);
5799 if (err != -ENOENT) {
5800 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5801 return err;
5802 }
5803 } else {
5804 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5805 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5806 return -EEXIST;
5807 }
5808
5809 return 0;
5810 }
5811
5812 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5813
5814 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
5815 if (!flowtable)
5816 return -ENOMEM;
5817
5818 flowtable->table = table;
5819 flowtable->handle = nf_tables_alloc_handle(table);
5820
5821 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
5822 if (!flowtable->name) {
5823 err = -ENOMEM;
5824 goto err1;
5825 }
5826
5827 type = nft_flowtable_type_get(net, family);
5828 if (IS_ERR(type)) {
5829 err = PTR_ERR(type);
5830 goto err2;
5831 }
5832
5833 flowtable->data.type = type;
5834 err = type->init(&flowtable->data);
5835 if (err < 0)
5836 goto err3;
5837
5838 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
5839 flowtable);
5840 if (err < 0)
5841 goto err4;
5842
5843 for (i = 0; i < flowtable->ops_len; i++) {
5844 if (!flowtable->ops[i].dev)
5845 continue;
5846
5847 list_for_each_entry(ft, &table->flowtables, list) {
5848 for (k = 0; k < ft->ops_len; k++) {
5849 if (!ft->ops[k].dev)
5850 continue;
5851
5852 if (flowtable->ops[i].dev == ft->ops[k].dev &&
5853 flowtable->ops[i].pf == ft->ops[k].pf) {
5854 err = -EBUSY;
5855 goto err5;
5856 }
5857 }
5858 }
5859
5860 err = nf_register_net_hook(net, &flowtable->ops[i]);
5861 if (err < 0)
5862 goto err5;
5863 }
5864
5865 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
5866 if (err < 0)
5867 goto err6;
5868
5869 list_add_tail_rcu(&flowtable->list, &table->flowtables);
5870 table->use++;
5871
5872 return 0;
5873 err6:
5874 i = flowtable->ops_len;
5875 err5:
5876 for (k = i - 1; k >= 0; k--)
5877 nf_unregister_net_hook(net, &flowtable->ops[k]);
5878
5879 kfree(flowtable->ops);
5880 err4:
5881 flowtable->data.type->free(&flowtable->data);
5882 err3:
5883 module_put(type->owner);
5884 err2:
5885 kfree(flowtable->name);
5886 err1:
5887 kfree(flowtable);
5888 return err;
5889 }
5890
nf_tables_delflowtable(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)5891 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
5892 struct sk_buff *skb,
5893 const struct nlmsghdr *nlh,
5894 const struct nlattr * const nla[],
5895 struct netlink_ext_ack *extack)
5896 {
5897 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5898 u8 genmask = nft_genmask_next(net);
5899 int family = nfmsg->nfgen_family;
5900 struct nft_flowtable *flowtable;
5901 const struct nlattr *attr;
5902 struct nft_table *table;
5903 struct nft_ctx ctx;
5904
5905 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5906 (!nla[NFTA_FLOWTABLE_NAME] &&
5907 !nla[NFTA_FLOWTABLE_HANDLE]))
5908 return -EINVAL;
5909
5910 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5911 genmask);
5912 if (IS_ERR(table)) {
5913 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5914 return PTR_ERR(table);
5915 }
5916
5917 if (nla[NFTA_FLOWTABLE_HANDLE]) {
5918 attr = nla[NFTA_FLOWTABLE_HANDLE];
5919 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
5920 } else {
5921 attr = nla[NFTA_FLOWTABLE_NAME];
5922 flowtable = nft_flowtable_lookup(table, attr, genmask);
5923 }
5924
5925 if (IS_ERR(flowtable)) {
5926 NL_SET_BAD_ATTR(extack, attr);
5927 return PTR_ERR(flowtable);
5928 }
5929 if (flowtable->use > 0) {
5930 NL_SET_BAD_ATTR(extack, attr);
5931 return -EBUSY;
5932 }
5933
5934 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5935
5936 return nft_delflowtable(&ctx, flowtable);
5937 }
5938
nf_tables_fill_flowtable_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,struct nft_flowtable * flowtable)5939 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
5940 u32 portid, u32 seq, int event,
5941 u32 flags, int family,
5942 struct nft_flowtable *flowtable)
5943 {
5944 struct nlattr *nest, *nest_devs;
5945 struct nfgenmsg *nfmsg;
5946 struct nlmsghdr *nlh;
5947 int i;
5948
5949 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5950 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5951 if (nlh == NULL)
5952 goto nla_put_failure;
5953
5954 nfmsg = nlmsg_data(nlh);
5955 nfmsg->nfgen_family = family;
5956 nfmsg->version = NFNETLINK_V0;
5957 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5958
5959 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
5960 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
5961 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
5962 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
5963 NFTA_FLOWTABLE_PAD))
5964 goto nla_put_failure;
5965
5966 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
5967 if (!nest)
5968 goto nla_put_failure;
5969 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
5970 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
5971 goto nla_put_failure;
5972
5973 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
5974 if (!nest_devs)
5975 goto nla_put_failure;
5976
5977 for (i = 0; i < flowtable->ops_len; i++) {
5978 const struct net_device *dev = READ_ONCE(flowtable->ops[i].dev);
5979
5980 if (dev &&
5981 nla_put_string(skb, NFTA_DEVICE_NAME, dev->name))
5982 goto nla_put_failure;
5983 }
5984 nla_nest_end(skb, nest_devs);
5985 nla_nest_end(skb, nest);
5986
5987 nlmsg_end(skb, nlh);
5988 return 0;
5989
5990 nla_put_failure:
5991 nlmsg_trim(skb, nlh);
5992 return -1;
5993 }
5994
5995 struct nft_flowtable_filter {
5996 char *table;
5997 };
5998
nf_tables_dump_flowtable(struct sk_buff * skb,struct netlink_callback * cb)5999 static int nf_tables_dump_flowtable(struct sk_buff *skb,
6000 struct netlink_callback *cb)
6001 {
6002 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6003 struct nft_flowtable_filter *filter = cb->data;
6004 unsigned int idx = 0, s_idx = cb->args[0];
6005 struct net *net = sock_net(skb->sk);
6006 int family = nfmsg->nfgen_family;
6007 struct nft_flowtable *flowtable;
6008 const struct nft_table *table;
6009
6010 rcu_read_lock();
6011 cb->seq = net->nft.base_seq;
6012
6013 list_for_each_entry_rcu(table, &net->nft.tables, list) {
6014 if (family != NFPROTO_UNSPEC && family != table->family)
6015 continue;
6016
6017 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6018 if (!nft_is_active(net, flowtable))
6019 goto cont;
6020 if (idx < s_idx)
6021 goto cont;
6022 if (idx > s_idx)
6023 memset(&cb->args[1], 0,
6024 sizeof(cb->args) - sizeof(cb->args[0]));
6025 if (filter && filter->table &&
6026 strcmp(filter->table, table->name))
6027 goto cont;
6028
6029 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
6030 cb->nlh->nlmsg_seq,
6031 NFT_MSG_NEWFLOWTABLE,
6032 NLM_F_MULTI | NLM_F_APPEND,
6033 table->family, flowtable) < 0)
6034 goto done;
6035
6036 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6037 cont:
6038 idx++;
6039 }
6040 }
6041 done:
6042 rcu_read_unlock();
6043
6044 cb->args[0] = idx;
6045 return skb->len;
6046 }
6047
nf_tables_dump_flowtable_start(struct netlink_callback * cb)6048 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
6049 {
6050 const struct nlattr * const *nla = cb->data;
6051 struct nft_flowtable_filter *filter = NULL;
6052
6053 if (nla[NFTA_FLOWTABLE_TABLE]) {
6054 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6055 if (!filter)
6056 return -ENOMEM;
6057
6058 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
6059 GFP_ATOMIC);
6060 if (!filter->table) {
6061 kfree(filter);
6062 return -ENOMEM;
6063 }
6064 }
6065
6066 cb->data = filter;
6067 return 0;
6068 }
6069
nf_tables_dump_flowtable_done(struct netlink_callback * cb)6070 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
6071 {
6072 struct nft_flowtable_filter *filter = cb->data;
6073
6074 if (!filter)
6075 return 0;
6076
6077 kfree(filter->table);
6078 kfree(filter);
6079
6080 return 0;
6081 }
6082
6083 /* called with rcu_read_lock held */
nf_tables_getflowtable(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)6084 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
6085 struct sk_buff *skb,
6086 const struct nlmsghdr *nlh,
6087 const struct nlattr * const nla[],
6088 struct netlink_ext_ack *extack)
6089 {
6090 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6091 u8 genmask = nft_genmask_cur(net);
6092 int family = nfmsg->nfgen_family;
6093 struct nft_flowtable *flowtable;
6094 const struct nft_table *table;
6095 struct sk_buff *skb2;
6096 int err;
6097
6098 if (nlh->nlmsg_flags & NLM_F_DUMP) {
6099 struct netlink_dump_control c = {
6100 .start = nf_tables_dump_flowtable_start,
6101 .dump = nf_tables_dump_flowtable,
6102 .done = nf_tables_dump_flowtable_done,
6103 .module = THIS_MODULE,
6104 .data = (void *)nla,
6105 };
6106
6107 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
6108 }
6109
6110 if (!nla[NFTA_FLOWTABLE_NAME])
6111 return -EINVAL;
6112
6113 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6114 genmask);
6115 if (IS_ERR(table))
6116 return PTR_ERR(table);
6117
6118 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6119 genmask);
6120 if (IS_ERR(flowtable))
6121 return PTR_ERR(flowtable);
6122
6123 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6124 if (!skb2)
6125 return -ENOMEM;
6126
6127 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
6128 nlh->nlmsg_seq,
6129 NFT_MSG_NEWFLOWTABLE, 0, family,
6130 flowtable);
6131 if (err < 0)
6132 goto err;
6133
6134 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6135 err:
6136 kfree_skb(skb2);
6137 return err;
6138 }
6139
nf_tables_flowtable_notify(struct nft_ctx * ctx,struct nft_flowtable * flowtable,int event)6140 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
6141 struct nft_flowtable *flowtable,
6142 int event)
6143 {
6144 struct sk_buff *skb;
6145 int err;
6146
6147 if (ctx->report &&
6148 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
6149 return;
6150
6151 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6152 if (skb == NULL)
6153 goto err;
6154
6155 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
6156 ctx->seq, event, 0,
6157 ctx->family, flowtable);
6158 if (err < 0) {
6159 kfree_skb(skb);
6160 goto err;
6161 }
6162
6163 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
6164 ctx->report, GFP_KERNEL);
6165 return;
6166 err:
6167 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
6168 }
6169
nf_tables_flowtable_destroy(struct nft_flowtable * flowtable)6170 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
6171 {
6172 kfree(flowtable->ops);
6173 kfree(flowtable->name);
6174 flowtable->data.type->free(&flowtable->data);
6175 module_put(flowtable->data.type->owner);
6176 kfree(flowtable);
6177 }
6178
nf_tables_fill_gen_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq)6179 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
6180 u32 portid, u32 seq)
6181 {
6182 struct nlmsghdr *nlh;
6183 struct nfgenmsg *nfmsg;
6184 char buf[TASK_COMM_LEN];
6185 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
6186
6187 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
6188 if (nlh == NULL)
6189 goto nla_put_failure;
6190
6191 nfmsg = nlmsg_data(nlh);
6192 nfmsg->nfgen_family = AF_UNSPEC;
6193 nfmsg->version = NFNETLINK_V0;
6194 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6195
6196 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
6197 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
6198 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
6199 goto nla_put_failure;
6200
6201 nlmsg_end(skb, nlh);
6202 return 0;
6203
6204 nla_put_failure:
6205 nlmsg_trim(skb, nlh);
6206 return -EMSGSIZE;
6207 }
6208
nft_flowtable_event(unsigned long event,struct net_device * dev,struct nft_flowtable * flowtable)6209 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
6210 struct nft_flowtable *flowtable)
6211 {
6212 int i;
6213
6214 for (i = 0; i < flowtable->ops_len; i++) {
6215 if (flowtable->ops[i].dev != dev)
6216 continue;
6217
6218 nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
6219 flowtable->ops[i].dev = NULL;
6220 break;
6221 }
6222 }
6223
nf_tables_flowtable_event(struct notifier_block * this,unsigned long event,void * ptr)6224 static int nf_tables_flowtable_event(struct notifier_block *this,
6225 unsigned long event, void *ptr)
6226 {
6227 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
6228 struct nft_flowtable *flowtable;
6229 struct nft_table *table;
6230 struct net *net;
6231
6232 if (event != NETDEV_UNREGISTER)
6233 return 0;
6234
6235 net = dev_net(dev);
6236 mutex_lock(&net->nft.commit_mutex);
6237 list_for_each_entry(table, &net->nft.tables, list) {
6238 list_for_each_entry(flowtable, &table->flowtables, list) {
6239 nft_flowtable_event(event, dev, flowtable);
6240 }
6241 }
6242 mutex_unlock(&net->nft.commit_mutex);
6243
6244 return NOTIFY_DONE;
6245 }
6246
6247 static struct notifier_block nf_tables_flowtable_notifier = {
6248 .notifier_call = nf_tables_flowtable_event,
6249 };
6250
nf_tables_gen_notify(struct net * net,struct sk_buff * skb,int event)6251 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
6252 int event)
6253 {
6254 struct nlmsghdr *nlh = nlmsg_hdr(skb);
6255 struct sk_buff *skb2;
6256 int err;
6257
6258 if (nlmsg_report(nlh) &&
6259 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6260 return;
6261
6262 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6263 if (skb2 == NULL)
6264 goto err;
6265
6266 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6267 nlh->nlmsg_seq);
6268 if (err < 0) {
6269 kfree_skb(skb2);
6270 goto err;
6271 }
6272
6273 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6274 nlmsg_report(nlh), GFP_KERNEL);
6275 return;
6276 err:
6277 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6278 -ENOBUFS);
6279 }
6280
nf_tables_getgen(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)6281 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
6282 struct sk_buff *skb, const struct nlmsghdr *nlh,
6283 const struct nlattr * const nla[],
6284 struct netlink_ext_ack *extack)
6285 {
6286 struct sk_buff *skb2;
6287 int err;
6288
6289 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6290 if (skb2 == NULL)
6291 return -ENOMEM;
6292
6293 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6294 nlh->nlmsg_seq);
6295 if (err < 0)
6296 goto err;
6297
6298 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6299 err:
6300 kfree_skb(skb2);
6301 return err;
6302 }
6303
6304 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
6305 [NFT_MSG_NEWTABLE] = {
6306 .call_batch = nf_tables_newtable,
6307 .attr_count = NFTA_TABLE_MAX,
6308 .policy = nft_table_policy,
6309 },
6310 [NFT_MSG_GETTABLE] = {
6311 .call_rcu = nf_tables_gettable,
6312 .attr_count = NFTA_TABLE_MAX,
6313 .policy = nft_table_policy,
6314 },
6315 [NFT_MSG_DELTABLE] = {
6316 .call_batch = nf_tables_deltable,
6317 .attr_count = NFTA_TABLE_MAX,
6318 .policy = nft_table_policy,
6319 },
6320 [NFT_MSG_NEWCHAIN] = {
6321 .call_batch = nf_tables_newchain,
6322 .attr_count = NFTA_CHAIN_MAX,
6323 .policy = nft_chain_policy,
6324 },
6325 [NFT_MSG_GETCHAIN] = {
6326 .call_rcu = nf_tables_getchain,
6327 .attr_count = NFTA_CHAIN_MAX,
6328 .policy = nft_chain_policy,
6329 },
6330 [NFT_MSG_DELCHAIN] = {
6331 .call_batch = nf_tables_delchain,
6332 .attr_count = NFTA_CHAIN_MAX,
6333 .policy = nft_chain_policy,
6334 },
6335 [NFT_MSG_NEWRULE] = {
6336 .call_batch = nf_tables_newrule,
6337 .attr_count = NFTA_RULE_MAX,
6338 .policy = nft_rule_policy,
6339 },
6340 [NFT_MSG_GETRULE] = {
6341 .call_rcu = nf_tables_getrule,
6342 .attr_count = NFTA_RULE_MAX,
6343 .policy = nft_rule_policy,
6344 },
6345 [NFT_MSG_DELRULE] = {
6346 .call_batch = nf_tables_delrule,
6347 .attr_count = NFTA_RULE_MAX,
6348 .policy = nft_rule_policy,
6349 },
6350 [NFT_MSG_NEWSET] = {
6351 .call_batch = nf_tables_newset,
6352 .attr_count = NFTA_SET_MAX,
6353 .policy = nft_set_policy,
6354 },
6355 [NFT_MSG_GETSET] = {
6356 .call_rcu = nf_tables_getset,
6357 .attr_count = NFTA_SET_MAX,
6358 .policy = nft_set_policy,
6359 },
6360 [NFT_MSG_DELSET] = {
6361 .call_batch = nf_tables_delset,
6362 .attr_count = NFTA_SET_MAX,
6363 .policy = nft_set_policy,
6364 },
6365 [NFT_MSG_NEWSETELEM] = {
6366 .call_batch = nf_tables_newsetelem,
6367 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6368 .policy = nft_set_elem_list_policy,
6369 },
6370 [NFT_MSG_GETSETELEM] = {
6371 .call_rcu = nf_tables_getsetelem,
6372 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6373 .policy = nft_set_elem_list_policy,
6374 },
6375 [NFT_MSG_DELSETELEM] = {
6376 .call_batch = nf_tables_delsetelem,
6377 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6378 .policy = nft_set_elem_list_policy,
6379 },
6380 [NFT_MSG_GETGEN] = {
6381 .call_rcu = nf_tables_getgen,
6382 },
6383 [NFT_MSG_NEWOBJ] = {
6384 .call_batch = nf_tables_newobj,
6385 .attr_count = NFTA_OBJ_MAX,
6386 .policy = nft_obj_policy,
6387 },
6388 [NFT_MSG_GETOBJ] = {
6389 .call_rcu = nf_tables_getobj,
6390 .attr_count = NFTA_OBJ_MAX,
6391 .policy = nft_obj_policy,
6392 },
6393 [NFT_MSG_DELOBJ] = {
6394 .call_batch = nf_tables_delobj,
6395 .attr_count = NFTA_OBJ_MAX,
6396 .policy = nft_obj_policy,
6397 },
6398 [NFT_MSG_GETOBJ_RESET] = {
6399 .call_rcu = nf_tables_getobj,
6400 .attr_count = NFTA_OBJ_MAX,
6401 .policy = nft_obj_policy,
6402 },
6403 [NFT_MSG_NEWFLOWTABLE] = {
6404 .call_batch = nf_tables_newflowtable,
6405 .attr_count = NFTA_FLOWTABLE_MAX,
6406 .policy = nft_flowtable_policy,
6407 },
6408 [NFT_MSG_GETFLOWTABLE] = {
6409 .call_rcu = nf_tables_getflowtable,
6410 .attr_count = NFTA_FLOWTABLE_MAX,
6411 .policy = nft_flowtable_policy,
6412 },
6413 [NFT_MSG_DELFLOWTABLE] = {
6414 .call_batch = nf_tables_delflowtable,
6415 .attr_count = NFTA_FLOWTABLE_MAX,
6416 .policy = nft_flowtable_policy,
6417 },
6418 };
6419
nf_tables_validate(struct net * net)6420 static int nf_tables_validate(struct net *net)
6421 {
6422 struct nft_table *table;
6423
6424 switch (net->nft.validate_state) {
6425 case NFT_VALIDATE_SKIP:
6426 break;
6427 case NFT_VALIDATE_NEED:
6428 nft_validate_state_update(net, NFT_VALIDATE_DO);
6429 /* fall through */
6430 case NFT_VALIDATE_DO:
6431 list_for_each_entry(table, &net->nft.tables, list) {
6432 if (nft_table_validate(net, table) < 0)
6433 return -EAGAIN;
6434 }
6435 break;
6436 }
6437
6438 return 0;
6439 }
6440
6441 /* a drop policy has to be deferred until all rules have been activated,
6442 * otherwise a large ruleset that contains a drop-policy base chain will
6443 * cause all packets to get dropped until the full transaction has been
6444 * processed.
6445 *
6446 * We defer the drop policy until the transaction has been finalized.
6447 */
nft_chain_commit_drop_policy(struct nft_trans * trans)6448 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
6449 {
6450 struct nft_base_chain *basechain;
6451
6452 if (nft_trans_chain_policy(trans) != NF_DROP)
6453 return;
6454
6455 if (!nft_is_base_chain(trans->ctx.chain))
6456 return;
6457
6458 basechain = nft_base_chain(trans->ctx.chain);
6459 basechain->policy = NF_DROP;
6460 }
6461
nft_chain_commit_update(struct nft_trans * trans)6462 static void nft_chain_commit_update(struct nft_trans *trans)
6463 {
6464 struct nft_base_chain *basechain;
6465
6466 if (nft_trans_chain_name(trans)) {
6467 rhltable_remove(&trans->ctx.table->chains_ht,
6468 &trans->ctx.chain->rhlhead,
6469 nft_chain_ht_params);
6470 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
6471 rhltable_insert_key(&trans->ctx.table->chains_ht,
6472 trans->ctx.chain->name,
6473 &trans->ctx.chain->rhlhead,
6474 nft_chain_ht_params);
6475 }
6476
6477 if (!nft_is_base_chain(trans->ctx.chain))
6478 return;
6479
6480 nft_chain_stats_replace(trans);
6481
6482 basechain = nft_base_chain(trans->ctx.chain);
6483
6484 switch (nft_trans_chain_policy(trans)) {
6485 case NF_DROP:
6486 case NF_ACCEPT:
6487 basechain->policy = nft_trans_chain_policy(trans);
6488 break;
6489 }
6490 }
6491
nft_obj_commit_update(struct nft_trans * trans)6492 static void nft_obj_commit_update(struct nft_trans *trans)
6493 {
6494 struct nft_object *newobj;
6495 struct nft_object *obj;
6496
6497 obj = nft_trans_obj(trans);
6498 newobj = nft_trans_obj_newobj(trans);
6499
6500 if (obj->ops->update)
6501 obj->ops->update(obj, newobj);
6502
6503 kfree(newobj);
6504 }
6505
nft_commit_release(struct nft_trans * trans)6506 static void nft_commit_release(struct nft_trans *trans)
6507 {
6508 switch (trans->msg_type) {
6509 case NFT_MSG_DELTABLE:
6510 nf_tables_table_destroy(&trans->ctx);
6511 break;
6512 case NFT_MSG_NEWCHAIN:
6513 free_percpu(nft_trans_chain_stats(trans));
6514 kfree(nft_trans_chain_name(trans));
6515 break;
6516 case NFT_MSG_DELCHAIN:
6517 nf_tables_chain_destroy(&trans->ctx);
6518 break;
6519 case NFT_MSG_DELRULE:
6520 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6521 break;
6522 case NFT_MSG_DELSET:
6523 nft_set_destroy(nft_trans_set(trans));
6524 break;
6525 case NFT_MSG_DELSETELEM:
6526 nf_tables_set_elem_destroy(&trans->ctx,
6527 nft_trans_elem_set(trans),
6528 nft_trans_elem(trans).priv);
6529 break;
6530 case NFT_MSG_DELOBJ:
6531 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6532 break;
6533 case NFT_MSG_DELFLOWTABLE:
6534 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6535 break;
6536 }
6537
6538 if (trans->put_net)
6539 put_net(trans->ctx.net);
6540
6541 kfree(trans);
6542 }
6543
nf_tables_trans_destroy_work(struct work_struct * w)6544 static void nf_tables_trans_destroy_work(struct work_struct *w)
6545 {
6546 struct nft_trans *trans, *next;
6547 LIST_HEAD(head);
6548
6549 spin_lock(&nf_tables_destroy_list_lock);
6550 list_splice_init(&nf_tables_destroy_list, &head);
6551 spin_unlock(&nf_tables_destroy_list_lock);
6552
6553 if (list_empty(&head))
6554 return;
6555
6556 synchronize_rcu();
6557
6558 list_for_each_entry_safe(trans, next, &head, list) {
6559 list_del(&trans->list);
6560 nft_commit_release(trans);
6561 }
6562 }
6563
nf_tables_commit_chain_prepare(struct net * net,struct nft_chain * chain)6564 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
6565 {
6566 struct nft_rule *rule;
6567 unsigned int alloc = 0;
6568 int i;
6569
6570 /* already handled or inactive chain? */
6571 if (chain->rules_next || !nft_is_active_next(net, chain))
6572 return 0;
6573
6574 rule = list_entry(&chain->rules, struct nft_rule, list);
6575 i = 0;
6576
6577 list_for_each_entry_continue(rule, &chain->rules, list) {
6578 if (nft_is_active_next(net, rule))
6579 alloc++;
6580 }
6581
6582 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
6583 if (!chain->rules_next)
6584 return -ENOMEM;
6585
6586 list_for_each_entry_continue(rule, &chain->rules, list) {
6587 if (nft_is_active_next(net, rule))
6588 chain->rules_next[i++] = rule;
6589 }
6590
6591 chain->rules_next[i] = NULL;
6592 return 0;
6593 }
6594
nf_tables_commit_chain_prepare_cancel(struct net * net)6595 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
6596 {
6597 struct nft_trans *trans, *next;
6598
6599 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6600 struct nft_chain *chain = trans->ctx.chain;
6601
6602 if (trans->msg_type == NFT_MSG_NEWRULE ||
6603 trans->msg_type == NFT_MSG_DELRULE) {
6604 kvfree(chain->rules_next);
6605 chain->rules_next = NULL;
6606 }
6607 }
6608 }
6609
__nf_tables_commit_chain_free_rules_old(struct rcu_head * h)6610 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
6611 {
6612 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
6613
6614 kvfree(o->start);
6615 }
6616
nf_tables_commit_chain_free_rules_old(struct nft_rule ** rules)6617 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
6618 {
6619 struct nft_rule **r = rules;
6620 struct nft_rules_old *old;
6621
6622 while (*r)
6623 r++;
6624
6625 r++; /* rcu_head is after end marker */
6626 old = (void *) r;
6627 old->start = rules;
6628
6629 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
6630 }
6631
nf_tables_commit_chain(struct net * net,struct nft_chain * chain)6632 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
6633 {
6634 struct nft_rule **g0, **g1;
6635 bool next_genbit;
6636
6637 next_genbit = nft_gencursor_next(net);
6638
6639 g0 = rcu_dereference_protected(chain->rules_gen_0,
6640 lockdep_commit_lock_is_held(net));
6641 g1 = rcu_dereference_protected(chain->rules_gen_1,
6642 lockdep_commit_lock_is_held(net));
6643
6644 /* No changes to this chain? */
6645 if (chain->rules_next == NULL) {
6646 /* chain had no change in last or next generation */
6647 if (g0 == g1)
6648 return;
6649 /*
6650 * chain had no change in this generation; make sure next
6651 * one uses same rules as current generation.
6652 */
6653 if (next_genbit) {
6654 rcu_assign_pointer(chain->rules_gen_1, g0);
6655 nf_tables_commit_chain_free_rules_old(g1);
6656 } else {
6657 rcu_assign_pointer(chain->rules_gen_0, g1);
6658 nf_tables_commit_chain_free_rules_old(g0);
6659 }
6660
6661 return;
6662 }
6663
6664 if (next_genbit)
6665 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
6666 else
6667 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
6668
6669 chain->rules_next = NULL;
6670
6671 if (g0 == g1)
6672 return;
6673
6674 if (next_genbit)
6675 nf_tables_commit_chain_free_rules_old(g1);
6676 else
6677 nf_tables_commit_chain_free_rules_old(g0);
6678 }
6679
nft_obj_del(struct nft_object * obj)6680 static void nft_obj_del(struct nft_object *obj)
6681 {
6682 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
6683 list_del_rcu(&obj->list);
6684 }
6685
nft_chain_del(struct nft_chain * chain)6686 static void nft_chain_del(struct nft_chain *chain)
6687 {
6688 struct nft_table *table = chain->table;
6689
6690 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
6691 nft_chain_ht_params));
6692 list_del_rcu(&chain->list);
6693 }
6694
nf_tables_commit_release(struct net * net)6695 static void nf_tables_commit_release(struct net *net)
6696 {
6697 struct nft_trans *trans;
6698
6699 /* all side effects have to be made visible.
6700 * For example, if a chain named 'foo' has been deleted, a
6701 * new transaction must not find it anymore.
6702 *
6703 * Memory reclaim happens asynchronously from work queue
6704 * to prevent expensive synchronize_rcu() in commit phase.
6705 */
6706 if (list_empty(&net->nft.commit_list)) {
6707 mutex_unlock(&net->nft.commit_mutex);
6708 return;
6709 }
6710
6711 trans = list_last_entry(&net->nft.commit_list,
6712 struct nft_trans, list);
6713 get_net(trans->ctx.net);
6714 WARN_ON_ONCE(trans->put_net);
6715
6716 trans->put_net = true;
6717 spin_lock(&nf_tables_destroy_list_lock);
6718 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
6719 spin_unlock(&nf_tables_destroy_list_lock);
6720
6721 mutex_unlock(&net->nft.commit_mutex);
6722
6723 schedule_work(&trans_destroy_work);
6724 }
6725
nf_tables_commit(struct net * net,struct sk_buff * skb)6726 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
6727 {
6728 struct nft_trans *trans, *next;
6729 struct nft_trans_elem *te;
6730 struct nft_chain *chain;
6731 struct nft_table *table;
6732 int err;
6733
6734 if (list_empty(&net->nft.commit_list)) {
6735 mutex_unlock(&net->nft.commit_mutex);
6736 return 0;
6737 }
6738
6739 /* 0. Validate ruleset, otherwise roll back for error reporting. */
6740 if (nf_tables_validate(net) < 0)
6741 return -EAGAIN;
6742
6743 err = nft_flow_rule_offload_commit(net);
6744 if (err < 0)
6745 return err;
6746
6747 /* 1. Allocate space for next generation rules_gen_X[] */
6748 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6749 int ret;
6750
6751 if (trans->msg_type == NFT_MSG_NEWRULE ||
6752 trans->msg_type == NFT_MSG_DELRULE) {
6753 chain = trans->ctx.chain;
6754
6755 ret = nf_tables_commit_chain_prepare(net, chain);
6756 if (ret < 0) {
6757 nf_tables_commit_chain_prepare_cancel(net);
6758 return ret;
6759 }
6760 }
6761 }
6762
6763 /* step 2. Make rules_gen_X visible to packet path */
6764 list_for_each_entry(table, &net->nft.tables, list) {
6765 list_for_each_entry(chain, &table->chains, list)
6766 nf_tables_commit_chain(net, chain);
6767 }
6768
6769 /*
6770 * Bump generation counter, invalidate any dump in progress.
6771 * Cannot fail after this point.
6772 */
6773 while (++net->nft.base_seq == 0);
6774
6775 /* step 3. Start new generation, rules_gen_X now in use. */
6776 net->nft.gencursor = nft_gencursor_next(net);
6777
6778 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6779 switch (trans->msg_type) {
6780 case NFT_MSG_NEWTABLE:
6781 if (nft_trans_table_update(trans)) {
6782 if (!nft_trans_table_enable(trans)) {
6783 nf_tables_table_disable(net,
6784 trans->ctx.table);
6785 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6786 }
6787 } else {
6788 nft_clear(net, trans->ctx.table);
6789 }
6790 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
6791 nft_trans_destroy(trans);
6792 break;
6793 case NFT_MSG_DELTABLE:
6794 list_del_rcu(&trans->ctx.table->list);
6795 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
6796 break;
6797 case NFT_MSG_NEWCHAIN:
6798 if (nft_trans_chain_update(trans)) {
6799 nft_chain_commit_update(trans);
6800 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6801 /* trans destroyed after rcu grace period */
6802 } else {
6803 nft_chain_commit_drop_policy(trans);
6804 nft_clear(net, trans->ctx.chain);
6805 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6806 nft_trans_destroy(trans);
6807 }
6808 break;
6809 case NFT_MSG_DELCHAIN:
6810 nft_chain_del(trans->ctx.chain);
6811 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
6812 nf_tables_unregister_hook(trans->ctx.net,
6813 trans->ctx.table,
6814 trans->ctx.chain);
6815 break;
6816 case NFT_MSG_NEWRULE:
6817 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6818 nf_tables_rule_notify(&trans->ctx,
6819 nft_trans_rule(trans),
6820 NFT_MSG_NEWRULE);
6821 nft_trans_destroy(trans);
6822 break;
6823 case NFT_MSG_DELRULE:
6824 list_del_rcu(&nft_trans_rule(trans)->list);
6825 nf_tables_rule_notify(&trans->ctx,
6826 nft_trans_rule(trans),
6827 NFT_MSG_DELRULE);
6828 nft_rule_expr_deactivate(&trans->ctx,
6829 nft_trans_rule(trans),
6830 NFT_TRANS_COMMIT);
6831 break;
6832 case NFT_MSG_NEWSET:
6833 nft_clear(net, nft_trans_set(trans));
6834 /* This avoids hitting -EBUSY when deleting the table
6835 * from the transaction.
6836 */
6837 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
6838 !list_empty(&nft_trans_set(trans)->bindings))
6839 trans->ctx.table->use--;
6840
6841 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6842 NFT_MSG_NEWSET, GFP_KERNEL);
6843 nft_trans_destroy(trans);
6844 break;
6845 case NFT_MSG_DELSET:
6846 list_del_rcu(&nft_trans_set(trans)->list);
6847 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6848 NFT_MSG_DELSET, GFP_KERNEL);
6849 break;
6850 case NFT_MSG_NEWSETELEM:
6851 te = (struct nft_trans_elem *)trans->data;
6852
6853 te->set->ops->activate(net, te->set, &te->elem);
6854 nf_tables_setelem_notify(&trans->ctx, te->set,
6855 &te->elem,
6856 NFT_MSG_NEWSETELEM, 0);
6857 nft_trans_destroy(trans);
6858 break;
6859 case NFT_MSG_DELSETELEM:
6860 te = (struct nft_trans_elem *)trans->data;
6861
6862 nf_tables_setelem_notify(&trans->ctx, te->set,
6863 &te->elem,
6864 NFT_MSG_DELSETELEM, 0);
6865 te->set->ops->remove(net, te->set, &te->elem);
6866 atomic_dec(&te->set->nelems);
6867 te->set->ndeact--;
6868 break;
6869 case NFT_MSG_NEWOBJ:
6870 if (nft_trans_obj_update(trans)) {
6871 nft_obj_commit_update(trans);
6872 nf_tables_obj_notify(&trans->ctx,
6873 nft_trans_obj(trans),
6874 NFT_MSG_NEWOBJ);
6875 } else {
6876 nft_clear(net, nft_trans_obj(trans));
6877 nf_tables_obj_notify(&trans->ctx,
6878 nft_trans_obj(trans),
6879 NFT_MSG_NEWOBJ);
6880 nft_trans_destroy(trans);
6881 }
6882 break;
6883 case NFT_MSG_DELOBJ:
6884 nft_obj_del(nft_trans_obj(trans));
6885 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
6886 NFT_MSG_DELOBJ);
6887 break;
6888 case NFT_MSG_NEWFLOWTABLE:
6889 nft_clear(net, nft_trans_flowtable(trans));
6890 nf_tables_flowtable_notify(&trans->ctx,
6891 nft_trans_flowtable(trans),
6892 NFT_MSG_NEWFLOWTABLE);
6893 nft_trans_destroy(trans);
6894 break;
6895 case NFT_MSG_DELFLOWTABLE:
6896 list_del_rcu(&nft_trans_flowtable(trans)->list);
6897 nf_tables_flowtable_notify(&trans->ctx,
6898 nft_trans_flowtable(trans),
6899 NFT_MSG_DELFLOWTABLE);
6900 nft_unregister_flowtable_net_hooks(net,
6901 nft_trans_flowtable(trans));
6902 break;
6903 }
6904 }
6905
6906 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
6907 nf_tables_commit_release(net);
6908
6909 return 0;
6910 }
6911
nf_tables_abort_release(struct nft_trans * trans)6912 static void nf_tables_abort_release(struct nft_trans *trans)
6913 {
6914 switch (trans->msg_type) {
6915 case NFT_MSG_NEWTABLE:
6916 nf_tables_table_destroy(&trans->ctx);
6917 break;
6918 case NFT_MSG_NEWCHAIN:
6919 nf_tables_chain_destroy(&trans->ctx);
6920 break;
6921 case NFT_MSG_NEWRULE:
6922 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6923 break;
6924 case NFT_MSG_NEWSET:
6925 nft_set_destroy(nft_trans_set(trans));
6926 break;
6927 case NFT_MSG_NEWSETELEM:
6928 nft_set_elem_destroy(nft_trans_elem_set(trans),
6929 nft_trans_elem(trans).priv, true);
6930 break;
6931 case NFT_MSG_NEWOBJ:
6932 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6933 break;
6934 case NFT_MSG_NEWFLOWTABLE:
6935 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6936 break;
6937 }
6938 kfree(trans);
6939 }
6940
__nf_tables_abort(struct net * net)6941 static int __nf_tables_abort(struct net *net)
6942 {
6943 struct nft_trans *trans, *next;
6944 struct nft_trans_elem *te;
6945
6946 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
6947 list) {
6948 switch (trans->msg_type) {
6949 case NFT_MSG_NEWTABLE:
6950 if (nft_trans_table_update(trans)) {
6951 if (nft_trans_table_enable(trans)) {
6952 nf_tables_table_disable(net,
6953 trans->ctx.table);
6954 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6955 }
6956 nft_trans_destroy(trans);
6957 } else {
6958 list_del_rcu(&trans->ctx.table->list);
6959 }
6960 break;
6961 case NFT_MSG_DELTABLE:
6962 nft_clear(trans->ctx.net, trans->ctx.table);
6963 nft_trans_destroy(trans);
6964 break;
6965 case NFT_MSG_NEWCHAIN:
6966 if (nft_trans_chain_update(trans)) {
6967 free_percpu(nft_trans_chain_stats(trans));
6968 kfree(nft_trans_chain_name(trans));
6969 nft_trans_destroy(trans);
6970 } else {
6971 trans->ctx.table->use--;
6972 nft_chain_del(trans->ctx.chain);
6973 nf_tables_unregister_hook(trans->ctx.net,
6974 trans->ctx.table,
6975 trans->ctx.chain);
6976 }
6977 break;
6978 case NFT_MSG_DELCHAIN:
6979 trans->ctx.table->use++;
6980 nft_clear(trans->ctx.net, trans->ctx.chain);
6981 nft_trans_destroy(trans);
6982 break;
6983 case NFT_MSG_NEWRULE:
6984 trans->ctx.chain->use--;
6985 list_del_rcu(&nft_trans_rule(trans)->list);
6986 nft_rule_expr_deactivate(&trans->ctx,
6987 nft_trans_rule(trans),
6988 NFT_TRANS_ABORT);
6989 break;
6990 case NFT_MSG_DELRULE:
6991 trans->ctx.chain->use++;
6992 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6993 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
6994 nft_trans_destroy(trans);
6995 break;
6996 case NFT_MSG_NEWSET:
6997 trans->ctx.table->use--;
6998 if (nft_trans_set_bound(trans)) {
6999 nft_trans_destroy(trans);
7000 break;
7001 }
7002 list_del_rcu(&nft_trans_set(trans)->list);
7003 break;
7004 case NFT_MSG_DELSET:
7005 trans->ctx.table->use++;
7006 nft_clear(trans->ctx.net, nft_trans_set(trans));
7007 nft_trans_destroy(trans);
7008 break;
7009 case NFT_MSG_NEWSETELEM:
7010 if (nft_trans_elem_set_bound(trans)) {
7011 nft_trans_destroy(trans);
7012 break;
7013 }
7014 te = (struct nft_trans_elem *)trans->data;
7015 te->set->ops->remove(net, te->set, &te->elem);
7016 atomic_dec(&te->set->nelems);
7017 break;
7018 case NFT_MSG_DELSETELEM:
7019 te = (struct nft_trans_elem *)trans->data;
7020
7021 nft_set_elem_activate(net, te->set, &te->elem);
7022 te->set->ops->activate(net, te->set, &te->elem);
7023 te->set->ndeact--;
7024
7025 nft_trans_destroy(trans);
7026 break;
7027 case NFT_MSG_NEWOBJ:
7028 if (nft_trans_obj_update(trans)) {
7029 kfree(nft_trans_obj_newobj(trans));
7030 nft_trans_destroy(trans);
7031 } else {
7032 trans->ctx.table->use--;
7033 nft_obj_del(nft_trans_obj(trans));
7034 }
7035 break;
7036 case NFT_MSG_DELOBJ:
7037 trans->ctx.table->use++;
7038 nft_clear(trans->ctx.net, nft_trans_obj(trans));
7039 nft_trans_destroy(trans);
7040 break;
7041 case NFT_MSG_NEWFLOWTABLE:
7042 trans->ctx.table->use--;
7043 list_del_rcu(&nft_trans_flowtable(trans)->list);
7044 nft_unregister_flowtable_net_hooks(net,
7045 nft_trans_flowtable(trans));
7046 break;
7047 case NFT_MSG_DELFLOWTABLE:
7048 trans->ctx.table->use++;
7049 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
7050 nft_trans_destroy(trans);
7051 break;
7052 }
7053 }
7054
7055 synchronize_rcu();
7056
7057 list_for_each_entry_safe_reverse(trans, next,
7058 &net->nft.commit_list, list) {
7059 list_del(&trans->list);
7060 nf_tables_abort_release(trans);
7061 }
7062
7063 return 0;
7064 }
7065
nf_tables_cleanup(struct net * net)7066 static void nf_tables_cleanup(struct net *net)
7067 {
7068 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
7069 }
7070
nf_tables_abort(struct net * net,struct sk_buff * skb)7071 static int nf_tables_abort(struct net *net, struct sk_buff *skb)
7072 {
7073 int ret = __nf_tables_abort(net);
7074
7075 mutex_unlock(&net->nft.commit_mutex);
7076
7077 return ret;
7078 }
7079
nf_tables_valid_genid(struct net * net,u32 genid)7080 static bool nf_tables_valid_genid(struct net *net, u32 genid)
7081 {
7082 bool genid_ok;
7083
7084 mutex_lock(&net->nft.commit_mutex);
7085
7086 genid_ok = genid == 0 || net->nft.base_seq == genid;
7087 if (!genid_ok)
7088 mutex_unlock(&net->nft.commit_mutex);
7089
7090 /* else, commit mutex has to be released by commit or abort function */
7091 return genid_ok;
7092 }
7093
7094 static const struct nfnetlink_subsystem nf_tables_subsys = {
7095 .name = "nf_tables",
7096 .subsys_id = NFNL_SUBSYS_NFTABLES,
7097 .cb_count = NFT_MSG_MAX,
7098 .cb = nf_tables_cb,
7099 .commit = nf_tables_commit,
7100 .abort = nf_tables_abort,
7101 .cleanup = nf_tables_cleanup,
7102 .valid_genid = nf_tables_valid_genid,
7103 .owner = THIS_MODULE,
7104 };
7105
nft_chain_validate_dependency(const struct nft_chain * chain,enum nft_chain_types type)7106 int nft_chain_validate_dependency(const struct nft_chain *chain,
7107 enum nft_chain_types type)
7108 {
7109 const struct nft_base_chain *basechain;
7110
7111 if (nft_is_base_chain(chain)) {
7112 basechain = nft_base_chain(chain);
7113 if (basechain->type->type != type)
7114 return -EOPNOTSUPP;
7115 }
7116 return 0;
7117 }
7118 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
7119
nft_chain_validate_hooks(const struct nft_chain * chain,unsigned int hook_flags)7120 int nft_chain_validate_hooks(const struct nft_chain *chain,
7121 unsigned int hook_flags)
7122 {
7123 struct nft_base_chain *basechain;
7124
7125 if (nft_is_base_chain(chain)) {
7126 basechain = nft_base_chain(chain);
7127
7128 if ((1 << basechain->ops.hooknum) & hook_flags)
7129 return 0;
7130
7131 return -EOPNOTSUPP;
7132 }
7133
7134 return 0;
7135 }
7136 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
7137
7138 /*
7139 * Loop detection - walk through the ruleset beginning at the destination chain
7140 * of a new jump until either the source chain is reached (loop) or all
7141 * reachable chains have been traversed.
7142 *
7143 * The loop check is performed whenever a new jump verdict is added to an
7144 * expression or verdict map or a verdict map is bound to a new chain.
7145 */
7146
7147 static int nf_tables_check_loops(const struct nft_ctx *ctx,
7148 const struct nft_chain *chain);
7149
nf_tables_loop_check_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_set_elem * elem)7150 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
7151 struct nft_set *set,
7152 const struct nft_set_iter *iter,
7153 struct nft_set_elem *elem)
7154 {
7155 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
7156 const struct nft_data *data;
7157
7158 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
7159 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
7160 return 0;
7161
7162 data = nft_set_ext_data(ext);
7163 switch (data->verdict.code) {
7164 case NFT_JUMP:
7165 case NFT_GOTO:
7166 return nf_tables_check_loops(ctx, data->verdict.chain);
7167 default:
7168 return 0;
7169 }
7170 }
7171
nf_tables_check_loops(const struct nft_ctx * ctx,const struct nft_chain * chain)7172 static int nf_tables_check_loops(const struct nft_ctx *ctx,
7173 const struct nft_chain *chain)
7174 {
7175 const struct nft_rule *rule;
7176 const struct nft_expr *expr, *last;
7177 struct nft_set *set;
7178 struct nft_set_binding *binding;
7179 struct nft_set_iter iter;
7180
7181 if (ctx->chain == chain)
7182 return -ELOOP;
7183
7184 list_for_each_entry(rule, &chain->rules, list) {
7185 nft_rule_for_each_expr(expr, last, rule) {
7186 struct nft_immediate_expr *priv;
7187 const struct nft_data *data;
7188 int err;
7189
7190 if (strcmp(expr->ops->type->name, "immediate"))
7191 continue;
7192
7193 priv = nft_expr_priv(expr);
7194 if (priv->dreg != NFT_REG_VERDICT)
7195 continue;
7196
7197 data = &priv->data;
7198 switch (data->verdict.code) {
7199 case NFT_JUMP:
7200 case NFT_GOTO:
7201 err = nf_tables_check_loops(ctx,
7202 data->verdict.chain);
7203 if (err < 0)
7204 return err;
7205 default:
7206 break;
7207 }
7208 }
7209 }
7210
7211 list_for_each_entry(set, &ctx->table->sets, list) {
7212 if (!nft_is_active_next(ctx->net, set))
7213 continue;
7214 if (!(set->flags & NFT_SET_MAP) ||
7215 set->dtype != NFT_DATA_VERDICT)
7216 continue;
7217
7218 list_for_each_entry(binding, &set->bindings, list) {
7219 if (!(binding->flags & NFT_SET_MAP) ||
7220 binding->chain != chain)
7221 continue;
7222
7223 iter.genmask = nft_genmask_next(ctx->net);
7224 iter.skip = 0;
7225 iter.count = 0;
7226 iter.err = 0;
7227 iter.fn = nf_tables_loop_check_setelem;
7228
7229 set->ops->walk(ctx, set, &iter);
7230 if (iter.err < 0)
7231 return iter.err;
7232 }
7233 }
7234
7235 return 0;
7236 }
7237
7238 /**
7239 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
7240 *
7241 * @attr: netlink attribute to fetch value from
7242 * @max: maximum value to be stored in dest
7243 * @dest: pointer to the variable
7244 *
7245 * Parse, check and store a given u32 netlink attribute into variable.
7246 * This function returns -ERANGE if the value goes over maximum value.
7247 * Otherwise a 0 is returned and the attribute value is stored in the
7248 * destination variable.
7249 */
nft_parse_u32_check(const struct nlattr * attr,int max,u32 * dest)7250 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
7251 {
7252 u32 val;
7253
7254 val = ntohl(nla_get_be32(attr));
7255 if (val > max)
7256 return -ERANGE;
7257
7258 *dest = val;
7259 return 0;
7260 }
7261 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
7262
7263 /**
7264 * nft_parse_register - parse a register value from a netlink attribute
7265 *
7266 * @attr: netlink attribute
7267 *
7268 * Parse and translate a register value from a netlink attribute.
7269 * Registers used to be 128 bit wide, these register numbers will be
7270 * mapped to the corresponding 32 bit register numbers.
7271 */
nft_parse_register(const struct nlattr * attr)7272 unsigned int nft_parse_register(const struct nlattr *attr)
7273 {
7274 unsigned int reg;
7275
7276 reg = ntohl(nla_get_be32(attr));
7277 switch (reg) {
7278 case NFT_REG_VERDICT...NFT_REG_4:
7279 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
7280 default:
7281 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
7282 }
7283 }
7284 EXPORT_SYMBOL_GPL(nft_parse_register);
7285
7286 /**
7287 * nft_dump_register - dump a register value to a netlink attribute
7288 *
7289 * @skb: socket buffer
7290 * @attr: attribute number
7291 * @reg: register number
7292 *
7293 * Construct a netlink attribute containing the register number. For
7294 * compatibility reasons, register numbers being a multiple of 4 are
7295 * translated to the corresponding 128 bit register numbers.
7296 */
nft_dump_register(struct sk_buff * skb,unsigned int attr,unsigned int reg)7297 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
7298 {
7299 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
7300 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
7301 else
7302 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
7303
7304 return nla_put_be32(skb, attr, htonl(reg));
7305 }
7306 EXPORT_SYMBOL_GPL(nft_dump_register);
7307
7308 /**
7309 * nft_validate_register_load - validate a load from a register
7310 *
7311 * @reg: the register number
7312 * @len: the length of the data
7313 *
7314 * Validate that the input register is one of the general purpose
7315 * registers and that the length of the load is within the bounds.
7316 */
nft_validate_register_load(enum nft_registers reg,unsigned int len)7317 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
7318 {
7319 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7320 return -EINVAL;
7321 if (len == 0)
7322 return -EINVAL;
7323 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
7324 return -ERANGE;
7325
7326 return 0;
7327 }
7328 EXPORT_SYMBOL_GPL(nft_validate_register_load);
7329
7330 /**
7331 * nft_validate_register_store - validate an expressions' register store
7332 *
7333 * @ctx: context of the expression performing the load
7334 * @reg: the destination register number
7335 * @data: the data to load
7336 * @type: the data type
7337 * @len: the length of the data
7338 *
7339 * Validate that a data load uses the appropriate data type for
7340 * the destination register and the length is within the bounds.
7341 * A value of NULL for the data means that its runtime gathered
7342 * data.
7343 */
nft_validate_register_store(const struct nft_ctx * ctx,enum nft_registers reg,const struct nft_data * data,enum nft_data_types type,unsigned int len)7344 int nft_validate_register_store(const struct nft_ctx *ctx,
7345 enum nft_registers reg,
7346 const struct nft_data *data,
7347 enum nft_data_types type, unsigned int len)
7348 {
7349 int err;
7350
7351 switch (reg) {
7352 case NFT_REG_VERDICT:
7353 if (type != NFT_DATA_VERDICT)
7354 return -EINVAL;
7355
7356 if (data != NULL &&
7357 (data->verdict.code == NFT_GOTO ||
7358 data->verdict.code == NFT_JUMP)) {
7359 err = nf_tables_check_loops(ctx, data->verdict.chain);
7360 if (err < 0)
7361 return err;
7362 }
7363
7364 return 0;
7365 default:
7366 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7367 return -EINVAL;
7368 if (len == 0)
7369 return -EINVAL;
7370 if (reg * NFT_REG32_SIZE + len >
7371 FIELD_SIZEOF(struct nft_regs, data))
7372 return -ERANGE;
7373
7374 if (data != NULL && type != NFT_DATA_VALUE)
7375 return -EINVAL;
7376 return 0;
7377 }
7378 }
7379 EXPORT_SYMBOL_GPL(nft_validate_register_store);
7380
7381 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
7382 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
7383 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
7384 .len = NFT_CHAIN_MAXNAMELEN - 1 },
7385 };
7386
nft_verdict_init(const struct nft_ctx * ctx,struct nft_data * data,struct nft_data_desc * desc,const struct nlattr * nla)7387 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
7388 struct nft_data_desc *desc, const struct nlattr *nla)
7389 {
7390 u8 genmask = nft_genmask_next(ctx->net);
7391 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
7392 struct nft_chain *chain;
7393 int err;
7394
7395 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
7396 nft_verdict_policy, NULL);
7397 if (err < 0)
7398 return err;
7399
7400 if (!tb[NFTA_VERDICT_CODE])
7401 return -EINVAL;
7402 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
7403
7404 switch (data->verdict.code) {
7405 default:
7406 switch (data->verdict.code & NF_VERDICT_MASK) {
7407 case NF_ACCEPT:
7408 case NF_DROP:
7409 case NF_QUEUE:
7410 break;
7411 default:
7412 return -EINVAL;
7413 }
7414 /* fall through */
7415 case NFT_CONTINUE:
7416 case NFT_BREAK:
7417 case NFT_RETURN:
7418 break;
7419 case NFT_JUMP:
7420 case NFT_GOTO:
7421 if (!tb[NFTA_VERDICT_CHAIN])
7422 return -EINVAL;
7423 chain = nft_chain_lookup(ctx->net, ctx->table,
7424 tb[NFTA_VERDICT_CHAIN], genmask);
7425 if (IS_ERR(chain))
7426 return PTR_ERR(chain);
7427 if (nft_is_base_chain(chain))
7428 return -EOPNOTSUPP;
7429
7430 chain->use++;
7431 data->verdict.chain = chain;
7432 break;
7433 }
7434
7435 desc->len = sizeof(data->verdict);
7436 desc->type = NFT_DATA_VERDICT;
7437 return 0;
7438 }
7439
nft_verdict_uninit(const struct nft_data * data)7440 static void nft_verdict_uninit(const struct nft_data *data)
7441 {
7442 switch (data->verdict.code) {
7443 case NFT_JUMP:
7444 case NFT_GOTO:
7445 data->verdict.chain->use--;
7446 break;
7447 }
7448 }
7449
nft_verdict_dump(struct sk_buff * skb,int type,const struct nft_verdict * v)7450 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
7451 {
7452 struct nlattr *nest;
7453
7454 nest = nla_nest_start_noflag(skb, type);
7455 if (!nest)
7456 goto nla_put_failure;
7457
7458 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
7459 goto nla_put_failure;
7460
7461 switch (v->code) {
7462 case NFT_JUMP:
7463 case NFT_GOTO:
7464 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
7465 v->chain->name))
7466 goto nla_put_failure;
7467 }
7468 nla_nest_end(skb, nest);
7469 return 0;
7470
7471 nla_put_failure:
7472 return -1;
7473 }
7474
nft_value_init(const struct nft_ctx * ctx,struct nft_data * data,unsigned int size,struct nft_data_desc * desc,const struct nlattr * nla)7475 static int nft_value_init(const struct nft_ctx *ctx,
7476 struct nft_data *data, unsigned int size,
7477 struct nft_data_desc *desc, const struct nlattr *nla)
7478 {
7479 unsigned int len;
7480
7481 len = nla_len(nla);
7482 if (len == 0)
7483 return -EINVAL;
7484 if (len > size)
7485 return -EOVERFLOW;
7486
7487 nla_memcpy(data->data, nla, len);
7488 desc->type = NFT_DATA_VALUE;
7489 desc->len = len;
7490 return 0;
7491 }
7492
nft_value_dump(struct sk_buff * skb,const struct nft_data * data,unsigned int len)7493 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
7494 unsigned int len)
7495 {
7496 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
7497 }
7498
7499 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
7500 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
7501 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
7502 };
7503
7504 /**
7505 * nft_data_init - parse nf_tables data netlink attributes
7506 *
7507 * @ctx: context of the expression using the data
7508 * @data: destination struct nft_data
7509 * @size: maximum data length
7510 * @desc: data description
7511 * @nla: netlink attribute containing data
7512 *
7513 * Parse the netlink data attributes and initialize a struct nft_data.
7514 * The type and length of data are returned in the data description.
7515 *
7516 * The caller can indicate that it only wants to accept data of type
7517 * NFT_DATA_VALUE by passing NULL for the ctx argument.
7518 */
nft_data_init(const struct nft_ctx * ctx,struct nft_data * data,unsigned int size,struct nft_data_desc * desc,const struct nlattr * nla)7519 int nft_data_init(const struct nft_ctx *ctx,
7520 struct nft_data *data, unsigned int size,
7521 struct nft_data_desc *desc, const struct nlattr *nla)
7522 {
7523 struct nlattr *tb[NFTA_DATA_MAX + 1];
7524 int err;
7525
7526 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
7527 nft_data_policy, NULL);
7528 if (err < 0)
7529 return err;
7530
7531 if (tb[NFTA_DATA_VALUE])
7532 return nft_value_init(ctx, data, size, desc,
7533 tb[NFTA_DATA_VALUE]);
7534 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
7535 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
7536 return -EINVAL;
7537 }
7538 EXPORT_SYMBOL_GPL(nft_data_init);
7539
7540 /**
7541 * nft_data_release - release a nft_data item
7542 *
7543 * @data: struct nft_data to release
7544 * @type: type of data
7545 *
7546 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7547 * all others need to be released by calling this function.
7548 */
nft_data_release(const struct nft_data * data,enum nft_data_types type)7549 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
7550 {
7551 if (type < NFT_DATA_VERDICT)
7552 return;
7553 switch (type) {
7554 case NFT_DATA_VERDICT:
7555 return nft_verdict_uninit(data);
7556 default:
7557 WARN_ON(1);
7558 }
7559 }
7560 EXPORT_SYMBOL_GPL(nft_data_release);
7561
nft_data_dump(struct sk_buff * skb,int attr,const struct nft_data * data,enum nft_data_types type,unsigned int len)7562 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
7563 enum nft_data_types type, unsigned int len)
7564 {
7565 struct nlattr *nest;
7566 int err;
7567
7568 nest = nla_nest_start_noflag(skb, attr);
7569 if (nest == NULL)
7570 return -1;
7571
7572 switch (type) {
7573 case NFT_DATA_VALUE:
7574 err = nft_value_dump(skb, data, len);
7575 break;
7576 case NFT_DATA_VERDICT:
7577 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
7578 break;
7579 default:
7580 err = -EINVAL;
7581 WARN_ON(1);
7582 }
7583
7584 nla_nest_end(skb, nest);
7585 return err;
7586 }
7587 EXPORT_SYMBOL_GPL(nft_data_dump);
7588
__nft_release_basechain(struct nft_ctx * ctx)7589 int __nft_release_basechain(struct nft_ctx *ctx)
7590 {
7591 struct nft_rule *rule, *nr;
7592
7593 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
7594 return 0;
7595
7596 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
7597 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
7598 list_del(&rule->list);
7599 ctx->chain->use--;
7600 nf_tables_rule_release(ctx, rule);
7601 }
7602 nft_chain_del(ctx->chain);
7603 ctx->table->use--;
7604 nf_tables_chain_destroy(ctx);
7605
7606 return 0;
7607 }
7608 EXPORT_SYMBOL_GPL(__nft_release_basechain);
7609
__nft_release_tables(struct net * net)7610 static void __nft_release_tables(struct net *net)
7611 {
7612 struct nft_flowtable *flowtable, *nf;
7613 struct nft_table *table, *nt;
7614 struct nft_chain *chain, *nc;
7615 struct nft_object *obj, *ne;
7616 struct nft_rule *rule, *nr;
7617 struct nft_set *set, *ns;
7618 struct nft_ctx ctx = {
7619 .net = net,
7620 .family = NFPROTO_NETDEV,
7621 };
7622
7623 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
7624 ctx.family = table->family;
7625
7626 list_for_each_entry(chain, &table->chains, list)
7627 nf_tables_unregister_hook(net, table, chain);
7628 /* No packets are walking on these chains anymore. */
7629 ctx.table = table;
7630 list_for_each_entry(chain, &table->chains, list) {
7631 ctx.chain = chain;
7632 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
7633 list_del(&rule->list);
7634 chain->use--;
7635 nf_tables_rule_release(&ctx, rule);
7636 }
7637 }
7638 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
7639 list_del(&flowtable->list);
7640 table->use--;
7641 nf_tables_flowtable_destroy(flowtable);
7642 }
7643 list_for_each_entry_safe(set, ns, &table->sets, list) {
7644 list_del(&set->list);
7645 table->use--;
7646 nft_set_destroy(set);
7647 }
7648 list_for_each_entry_safe(obj, ne, &table->objects, list) {
7649 nft_obj_del(obj);
7650 table->use--;
7651 nft_obj_destroy(&ctx, obj);
7652 }
7653 list_for_each_entry_safe(chain, nc, &table->chains, list) {
7654 ctx.chain = chain;
7655 nft_chain_del(chain);
7656 table->use--;
7657 nf_tables_chain_destroy(&ctx);
7658 }
7659 list_del(&table->list);
7660 nf_tables_table_destroy(&ctx);
7661 }
7662 }
7663
nf_tables_init_net(struct net * net)7664 static int __net_init nf_tables_init_net(struct net *net)
7665 {
7666 INIT_LIST_HEAD(&net->nft.tables);
7667 INIT_LIST_HEAD(&net->nft.commit_list);
7668 mutex_init(&net->nft.commit_mutex);
7669 net->nft.base_seq = 1;
7670 net->nft.validate_state = NFT_VALIDATE_SKIP;
7671
7672 return 0;
7673 }
7674
nf_tables_exit_net(struct net * net)7675 static void __net_exit nf_tables_exit_net(struct net *net)
7676 {
7677 mutex_lock(&net->nft.commit_mutex);
7678 if (!list_empty(&net->nft.commit_list))
7679 __nf_tables_abort(net);
7680 __nft_release_tables(net);
7681 mutex_unlock(&net->nft.commit_mutex);
7682 WARN_ON_ONCE(!list_empty(&net->nft.tables));
7683 }
7684
7685 static struct pernet_operations nf_tables_net_ops = {
7686 .init = nf_tables_init_net,
7687 .exit = nf_tables_exit_net,
7688 };
7689
nf_tables_module_init(void)7690 static int __init nf_tables_module_init(void)
7691 {
7692 int err;
7693
7694 spin_lock_init(&nf_tables_destroy_list_lock);
7695 err = register_pernet_subsys(&nf_tables_net_ops);
7696 if (err < 0)
7697 return err;
7698
7699 err = nft_chain_filter_init();
7700 if (err < 0)
7701 goto err1;
7702
7703 err = nf_tables_core_module_init();
7704 if (err < 0)
7705 goto err2;
7706
7707 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
7708 if (err < 0)
7709 goto err3;
7710
7711 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
7712 if (err < 0)
7713 goto err4;
7714
7715 err = nft_offload_init();
7716 if (err < 0)
7717 goto err5;
7718
7719 /* must be last */
7720 err = nfnetlink_subsys_register(&nf_tables_subsys);
7721 if (err < 0)
7722 goto err6;
7723
7724 nft_chain_route_init();
7725
7726 return err;
7727 err6:
7728 nft_offload_exit();
7729 err5:
7730 rhltable_destroy(&nft_objname_ht);
7731 err4:
7732 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7733 err3:
7734 nf_tables_core_module_exit();
7735 err2:
7736 nft_chain_filter_fini();
7737 err1:
7738 unregister_pernet_subsys(&nf_tables_net_ops);
7739 return err;
7740 }
7741
nf_tables_module_exit(void)7742 static void __exit nf_tables_module_exit(void)
7743 {
7744 nfnetlink_subsys_unregister(&nf_tables_subsys);
7745 nft_offload_exit();
7746 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7747 nft_chain_filter_fini();
7748 nft_chain_route_fini();
7749 unregister_pernet_subsys(&nf_tables_net_ops);
7750 cancel_work_sync(&trans_destroy_work);
7751 rcu_barrier();
7752 rhltable_destroy(&nft_objname_ht);
7753 nf_tables_core_module_exit();
7754 }
7755
7756 module_init(nf_tables_module_init);
7757 module_exit(nf_tables_module_exit);
7758
7759 MODULE_LICENSE("GPL");
7760 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
7761 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
7762
