1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 *
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
6 */
7
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_flow_table.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_tables_offload.h>
23 #include <net/net_namespace.h>
24 #include <net/sock.h>
25
26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
27 #define NFT_SET_MAX_ANONLEN 16
28
29 unsigned int nf_tables_net_id __read_mostly;
30
31 static LIST_HEAD(nf_tables_expressions);
32 static LIST_HEAD(nf_tables_objects);
33 static LIST_HEAD(nf_tables_flowtables);
34 static LIST_HEAD(nf_tables_destroy_list);
35 static LIST_HEAD(nf_tables_gc_list);
36 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
37 static DEFINE_SPINLOCK(nf_tables_gc_list_lock);
38
39 enum {
40 NFT_VALIDATE_SKIP = 0,
41 NFT_VALIDATE_NEED,
42 NFT_VALIDATE_DO,
43 };
44
45 static struct rhltable nft_objname_ht;
46
47 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
48 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
49 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
50
51 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
52 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
53 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
54
55 static const struct rhashtable_params nft_chain_ht_params = {
56 .head_offset = offsetof(struct nft_chain, rhlhead),
57 .key_offset = offsetof(struct nft_chain, name),
58 .hashfn = nft_chain_hash,
59 .obj_hashfn = nft_chain_hash_obj,
60 .obj_cmpfn = nft_chain_hash_cmp,
61 .automatic_shrinking = true,
62 };
63
64 static const struct rhashtable_params nft_objname_ht_params = {
65 .head_offset = offsetof(struct nft_object, rhlhead),
66 .key_offset = offsetof(struct nft_object, key),
67 .hashfn = nft_objname_hash,
68 .obj_hashfn = nft_objname_hash_obj,
69 .obj_cmpfn = nft_objname_hash_cmp,
70 .automatic_shrinking = true,
71 };
72
73 struct nft_audit_data {
74 struct nft_table *table;
75 int entries;
76 int op;
77 struct list_head list;
78 };
79
80 static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types
81 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER,
82 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID,
83 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER,
84 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER,
85 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID,
86 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER,
87 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER,
88 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID,
89 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER,
90 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER,
91 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID,
92 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER,
93 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER,
94 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID,
95 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER,
96 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER,
97 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID,
98 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID,
99 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER,
100 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID,
101 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER,
102 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET,
103 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER,
104 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID,
105 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
106 [NFT_MSG_GETSETELEM_RESET] = AUDIT_NFT_OP_SETELEM_RESET,
107 };
108
nft_validate_state_update(struct nft_table * table,u8 new_validate_state)109 static void nft_validate_state_update(struct nft_table *table, u8 new_validate_state)
110 {
111 switch (table->validate_state) {
112 case NFT_VALIDATE_SKIP:
113 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
114 break;
115 case NFT_VALIDATE_NEED:
116 break;
117 case NFT_VALIDATE_DO:
118 if (new_validate_state == NFT_VALIDATE_NEED)
119 return;
120 }
121
122 table->validate_state = new_validate_state;
123 }
124 static void nf_tables_trans_destroy_work(struct work_struct *w);
125 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
126
127 static void nft_trans_gc_work(struct work_struct *work);
128 static DECLARE_WORK(trans_gc_work, nft_trans_gc_work);
129
nft_ctx_init(struct nft_ctx * ctx,struct net * net,const struct sk_buff * skb,const struct nlmsghdr * nlh,u8 family,struct nft_table * table,struct nft_chain * chain,const struct nlattr * const * nla)130 static void nft_ctx_init(struct nft_ctx *ctx,
131 struct net *net,
132 const struct sk_buff *skb,
133 const struct nlmsghdr *nlh,
134 u8 family,
135 struct nft_table *table,
136 struct nft_chain *chain,
137 const struct nlattr * const *nla)
138 {
139 ctx->net = net;
140 ctx->family = family;
141 ctx->level = 0;
142 ctx->table = table;
143 ctx->chain = chain;
144 ctx->nla = nla;
145 ctx->portid = NETLINK_CB(skb).portid;
146 ctx->report = nlmsg_report(nlh);
147 ctx->flags = nlh->nlmsg_flags;
148 ctx->seq = nlh->nlmsg_seq;
149
150 bitmap_zero(ctx->reg_inited, NFT_REG32_NUM);
151 }
152
nft_trans_alloc_gfp(const struct nft_ctx * ctx,int msg_type,u32 size,gfp_t gfp)153 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
154 int msg_type, u32 size, gfp_t gfp)
155 {
156 struct nft_trans *trans;
157
158 trans = kzalloc(size, gfp);
159 if (trans == NULL)
160 return NULL;
161
162 INIT_LIST_HEAD(&trans->list);
163 trans->msg_type = msg_type;
164
165 trans->net = ctx->net;
166 trans->table = ctx->table;
167 trans->seq = ctx->seq;
168 trans->flags = ctx->flags;
169 trans->report = ctx->report;
170
171 return trans;
172 }
173
nft_trans_alloc(const struct nft_ctx * ctx,int msg_type,u32 size)174 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
175 int msg_type, u32 size)
176 {
177 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
178 }
179
nft_trans_get_binding(struct nft_trans * trans)180 static struct nft_trans_binding *nft_trans_get_binding(struct nft_trans *trans)
181 {
182 switch (trans->msg_type) {
183 case NFT_MSG_NEWCHAIN:
184 case NFT_MSG_NEWSET:
185 return container_of(trans, struct nft_trans_binding, nft_trans);
186 }
187
188 return NULL;
189 }
190
nft_trans_list_del(struct nft_trans * trans)191 static void nft_trans_list_del(struct nft_trans *trans)
192 {
193 struct nft_trans_binding *trans_binding;
194
195 list_del(&trans->list);
196
197 trans_binding = nft_trans_get_binding(trans);
198 if (trans_binding)
199 list_del(&trans_binding->binding_list);
200 }
201
nft_trans_destroy(struct nft_trans * trans)202 static void nft_trans_destroy(struct nft_trans *trans)
203 {
204 nft_trans_list_del(trans);
205 kfree(trans);
206 }
207
__nft_set_trans_bind(const struct nft_ctx * ctx,struct nft_set * set,bool bind)208 static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set,
209 bool bind)
210 {
211 struct nftables_pernet *nft_net;
212 struct net *net = ctx->net;
213 struct nft_trans *trans;
214
215 if (!nft_set_is_anonymous(set))
216 return;
217
218 nft_net = nft_pernet(net);
219 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
220 switch (trans->msg_type) {
221 case NFT_MSG_NEWSET:
222 if (nft_trans_set(trans) == set)
223 nft_trans_set_bound(trans) = bind;
224 break;
225 case NFT_MSG_NEWSETELEM:
226 if (nft_trans_elem_set(trans) == set)
227 nft_trans_elem_set_bound(trans) = bind;
228 break;
229 }
230 }
231 }
232
nft_set_trans_bind(const struct nft_ctx * ctx,struct nft_set * set)233 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
234 {
235 return __nft_set_trans_bind(ctx, set, true);
236 }
237
nft_set_trans_unbind(const struct nft_ctx * ctx,struct nft_set * set)238 static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set)
239 {
240 return __nft_set_trans_bind(ctx, set, false);
241 }
242
__nft_chain_trans_bind(const struct nft_ctx * ctx,struct nft_chain * chain,bool bind)243 static void __nft_chain_trans_bind(const struct nft_ctx *ctx,
244 struct nft_chain *chain, bool bind)
245 {
246 struct nftables_pernet *nft_net;
247 struct net *net = ctx->net;
248 struct nft_trans *trans;
249
250 if (!nft_chain_binding(chain))
251 return;
252
253 nft_net = nft_pernet(net);
254 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
255 switch (trans->msg_type) {
256 case NFT_MSG_NEWCHAIN:
257 if (nft_trans_chain(trans) == chain)
258 nft_trans_chain_bound(trans) = bind;
259 break;
260 case NFT_MSG_NEWRULE:
261 if (nft_trans_rule_chain(trans) == chain)
262 nft_trans_rule_bound(trans) = bind;
263 break;
264 }
265 }
266 }
267
nft_chain_trans_bind(const struct nft_ctx * ctx,struct nft_chain * chain)268 static void nft_chain_trans_bind(const struct nft_ctx *ctx,
269 struct nft_chain *chain)
270 {
271 __nft_chain_trans_bind(ctx, chain, true);
272 }
273
nf_tables_bind_chain(const struct nft_ctx * ctx,struct nft_chain * chain)274 int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
275 {
276 if (!nft_chain_binding(chain))
277 return 0;
278
279 if (nft_chain_binding(ctx->chain))
280 return -EOPNOTSUPP;
281
282 if (chain->bound)
283 return -EBUSY;
284
285 if (!nft_use_inc(&chain->use))
286 return -EMFILE;
287
288 chain->bound = true;
289 nft_chain_trans_bind(ctx, chain);
290
291 return 0;
292 }
293
nf_tables_unbind_chain(const struct nft_ctx * ctx,struct nft_chain * chain)294 void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
295 {
296 __nft_chain_trans_bind(ctx, chain, false);
297 }
298
nft_netdev_register_hooks(struct net * net,struct list_head * hook_list)299 static int nft_netdev_register_hooks(struct net *net,
300 struct list_head *hook_list)
301 {
302 struct nft_hook *hook;
303 int err, j;
304
305 j = 0;
306 list_for_each_entry(hook, hook_list, list) {
307 err = nf_register_net_hook(net, &hook->ops);
308 if (err < 0)
309 goto err_register;
310
311 j++;
312 }
313 return 0;
314
315 err_register:
316 list_for_each_entry(hook, hook_list, list) {
317 if (j-- <= 0)
318 break;
319
320 nf_unregister_net_hook(net, &hook->ops);
321 }
322 return err;
323 }
324
nft_netdev_unregister_hooks(struct net * net,struct list_head * hook_list,bool release_netdev)325 static void nft_netdev_unregister_hooks(struct net *net,
326 struct list_head *hook_list,
327 bool release_netdev)
328 {
329 struct nft_hook *hook, *next;
330
331 list_for_each_entry_safe(hook, next, hook_list, list) {
332 nf_unregister_net_hook(net, &hook->ops);
333 if (release_netdev) {
334 list_del(&hook->list);
335 kfree_rcu(hook, rcu);
336 }
337 }
338 }
339
nf_tables_register_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain)340 static int nf_tables_register_hook(struct net *net,
341 const struct nft_table *table,
342 struct nft_chain *chain)
343 {
344 struct nft_base_chain *basechain;
345 const struct nf_hook_ops *ops;
346
347 if (table->flags & NFT_TABLE_F_DORMANT ||
348 !nft_is_base_chain(chain))
349 return 0;
350
351 basechain = nft_base_chain(chain);
352 ops = &basechain->ops;
353
354 if (basechain->type->ops_register)
355 return basechain->type->ops_register(net, ops);
356
357 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
358 return nft_netdev_register_hooks(net, &basechain->hook_list);
359
360 return nf_register_net_hook(net, &basechain->ops);
361 }
362
__nf_tables_unregister_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain,bool release_netdev)363 static void __nf_tables_unregister_hook(struct net *net,
364 const struct nft_table *table,
365 struct nft_chain *chain,
366 bool release_netdev)
367 {
368 struct nft_base_chain *basechain;
369 const struct nf_hook_ops *ops;
370
371 if (table->flags & NFT_TABLE_F_DORMANT ||
372 !nft_is_base_chain(chain))
373 return;
374 basechain = nft_base_chain(chain);
375 ops = &basechain->ops;
376
377 if (basechain->type->ops_unregister)
378 return basechain->type->ops_unregister(net, ops);
379
380 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
381 nft_netdev_unregister_hooks(net, &basechain->hook_list,
382 release_netdev);
383 else
384 nf_unregister_net_hook(net, &basechain->ops);
385 }
386
nf_tables_unregister_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain)387 static void nf_tables_unregister_hook(struct net *net,
388 const struct nft_table *table,
389 struct nft_chain *chain)
390 {
391 return __nf_tables_unregister_hook(net, table, chain, false);
392 }
393
nft_trans_commit_list_add_tail(struct net * net,struct nft_trans * trans)394 static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans)
395 {
396 struct nftables_pernet *nft_net = nft_pernet(net);
397 struct nft_trans_binding *binding;
398 struct nft_trans_set *trans_set;
399
400 list_add_tail(&trans->list, &nft_net->commit_list);
401
402 binding = nft_trans_get_binding(trans);
403 if (!binding)
404 return;
405
406 switch (trans->msg_type) {
407 case NFT_MSG_NEWSET:
408 trans_set = nft_trans_container_set(trans);
409
410 if (!nft_trans_set_update(trans) &&
411 nft_set_is_anonymous(nft_trans_set(trans)))
412 list_add_tail(&binding->binding_list, &nft_net->binding_list);
413
414 list_add_tail(&trans_set->list_trans_newset, &nft_net->commit_set_list);
415 break;
416 case NFT_MSG_NEWCHAIN:
417 if (!nft_trans_chain_update(trans) &&
418 nft_chain_binding(nft_trans_chain(trans)))
419 list_add_tail(&binding->binding_list, &nft_net->binding_list);
420 break;
421 }
422 }
423
nft_trans_table_add(struct nft_ctx * ctx,int msg_type)424 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
425 {
426 struct nft_trans *trans;
427
428 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
429 if (trans == NULL)
430 return -ENOMEM;
431
432 if (msg_type == NFT_MSG_NEWTABLE)
433 nft_activate_next(ctx->net, ctx->table);
434
435 nft_trans_commit_list_add_tail(ctx->net, trans);
436 return 0;
437 }
438
nft_deltable(struct nft_ctx * ctx)439 static int nft_deltable(struct nft_ctx *ctx)
440 {
441 int err;
442
443 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
444 if (err < 0)
445 return err;
446
447 nft_deactivate_next(ctx->net, ctx->table);
448 return err;
449 }
450
451 static struct nft_trans *
nft_trans_alloc_chain(const struct nft_ctx * ctx,int msg_type)452 nft_trans_alloc_chain(const struct nft_ctx *ctx, int msg_type)
453 {
454 struct nft_trans_chain *trans_chain;
455 struct nft_trans *trans;
456
457 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
458 if (!trans)
459 return NULL;
460
461 trans_chain = nft_trans_container_chain(trans);
462 INIT_LIST_HEAD(&trans_chain->nft_trans_binding.binding_list);
463 trans_chain->chain = ctx->chain;
464
465 return trans;
466 }
467
nft_trans_chain_add(struct nft_ctx * ctx,int msg_type)468 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
469 {
470 struct nft_trans *trans;
471
472 trans = nft_trans_alloc_chain(ctx, msg_type);
473 if (trans == NULL)
474 return ERR_PTR(-ENOMEM);
475
476 if (msg_type == NFT_MSG_NEWCHAIN) {
477 nft_activate_next(ctx->net, ctx->chain);
478
479 if (ctx->nla[NFTA_CHAIN_ID]) {
480 nft_trans_chain_id(trans) =
481 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
482 }
483 }
484 nft_trans_commit_list_add_tail(ctx->net, trans);
485
486 return trans;
487 }
488
nft_delchain(struct nft_ctx * ctx)489 static int nft_delchain(struct nft_ctx *ctx)
490 {
491 struct nft_trans *trans;
492
493 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
494 if (IS_ERR(trans))
495 return PTR_ERR(trans);
496
497 nft_use_dec(&ctx->table->use);
498 nft_deactivate_next(ctx->net, ctx->chain);
499
500 return 0;
501 }
502
nft_rule_expr_activate(const struct nft_ctx * ctx,struct nft_rule * rule)503 void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule)
504 {
505 struct nft_expr *expr;
506
507 expr = nft_expr_first(rule);
508 while (nft_expr_more(rule, expr)) {
509 if (expr->ops->activate)
510 expr->ops->activate(ctx, expr);
511
512 expr = nft_expr_next(expr);
513 }
514 }
515
nft_rule_expr_deactivate(const struct nft_ctx * ctx,struct nft_rule * rule,enum nft_trans_phase phase)516 void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule,
517 enum nft_trans_phase phase)
518 {
519 struct nft_expr *expr;
520
521 expr = nft_expr_first(rule);
522 while (nft_expr_more(rule, expr)) {
523 if (expr->ops->deactivate)
524 expr->ops->deactivate(ctx, expr, phase);
525
526 expr = nft_expr_next(expr);
527 }
528 }
529
530 static int
nf_tables_delrule_deactivate(struct nft_ctx * ctx,struct nft_rule * rule)531 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
532 {
533 /* You cannot delete the same rule twice */
534 if (nft_is_active_next(ctx->net, rule)) {
535 nft_deactivate_next(ctx->net, rule);
536 nft_use_dec(&ctx->chain->use);
537 return 0;
538 }
539 return -ENOENT;
540 }
541
nft_trans_rule_add(struct nft_ctx * ctx,int msg_type,struct nft_rule * rule)542 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
543 struct nft_rule *rule)
544 {
545 struct nft_trans *trans;
546
547 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
548 if (trans == NULL)
549 return NULL;
550
551 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
552 nft_trans_rule_id(trans) =
553 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
554 }
555 nft_trans_rule(trans) = rule;
556 nft_trans_rule_chain(trans) = ctx->chain;
557 nft_trans_commit_list_add_tail(ctx->net, trans);
558
559 return trans;
560 }
561
nft_delrule(struct nft_ctx * ctx,struct nft_rule * rule)562 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
563 {
564 struct nft_flow_rule *flow;
565 struct nft_trans *trans;
566 int err;
567
568 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
569 if (trans == NULL)
570 return -ENOMEM;
571
572 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
573 flow = nft_flow_rule_create(ctx->net, rule);
574 if (IS_ERR(flow)) {
575 nft_trans_destroy(trans);
576 return PTR_ERR(flow);
577 }
578
579 nft_trans_flow_rule(trans) = flow;
580 }
581
582 err = nf_tables_delrule_deactivate(ctx, rule);
583 if (err < 0) {
584 nft_trans_destroy(trans);
585 return err;
586 }
587 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
588
589 return 0;
590 }
591
nft_delrule_by_chain(struct nft_ctx * ctx)592 static int nft_delrule_by_chain(struct nft_ctx *ctx)
593 {
594 struct nft_rule *rule;
595 int err;
596
597 list_for_each_entry(rule, &ctx->chain->rules, list) {
598 if (!nft_is_active_next(ctx->net, rule))
599 continue;
600
601 err = nft_delrule(ctx, rule);
602 if (err < 0)
603 return err;
604 }
605 return 0;
606 }
607
__nft_trans_set_add(const struct nft_ctx * ctx,int msg_type,struct nft_set * set,const struct nft_set_desc * desc)608 static int __nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
609 struct nft_set *set,
610 const struct nft_set_desc *desc)
611 {
612 struct nft_trans_set *trans_set;
613 struct nft_trans *trans;
614
615 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
616 if (trans == NULL)
617 return -ENOMEM;
618
619 trans_set = nft_trans_container_set(trans);
620 INIT_LIST_HEAD(&trans_set->nft_trans_binding.binding_list);
621 INIT_LIST_HEAD(&trans_set->list_trans_newset);
622
623 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] && !desc) {
624 nft_trans_set_id(trans) =
625 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
626 nft_activate_next(ctx->net, set);
627 }
628 nft_trans_set(trans) = set;
629 if (desc) {
630 nft_trans_set_update(trans) = true;
631 nft_trans_set_gc_int(trans) = desc->gc_int;
632 nft_trans_set_timeout(trans) = desc->timeout;
633 nft_trans_set_size(trans) = desc->size;
634 }
635 nft_trans_commit_list_add_tail(ctx->net, trans);
636
637 return 0;
638 }
639
nft_trans_set_add(const struct nft_ctx * ctx,int msg_type,struct nft_set * set)640 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
641 struct nft_set *set)
642 {
643 return __nft_trans_set_add(ctx, msg_type, set, NULL);
644 }
645
nft_mapelem_deactivate(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)646 static int nft_mapelem_deactivate(const struct nft_ctx *ctx,
647 struct nft_set *set,
648 const struct nft_set_iter *iter,
649 struct nft_elem_priv *elem_priv)
650 {
651 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
652
653 if (!nft_set_elem_active(ext, iter->genmask))
654 return 0;
655
656 nft_set_elem_change_active(ctx->net, set, ext);
657 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
658
659 return 0;
660 }
661
662 struct nft_set_elem_catchall {
663 struct list_head list;
664 struct rcu_head rcu;
665 struct nft_elem_priv *elem;
666 };
667
nft_map_catchall_deactivate(const struct nft_ctx * ctx,struct nft_set * set)668 static void nft_map_catchall_deactivate(const struct nft_ctx *ctx,
669 struct nft_set *set)
670 {
671 u8 genmask = nft_genmask_next(ctx->net);
672 struct nft_set_elem_catchall *catchall;
673 struct nft_set_ext *ext;
674
675 list_for_each_entry(catchall, &set->catchall_list, list) {
676 ext = nft_set_elem_ext(set, catchall->elem);
677 if (!nft_set_elem_active(ext, genmask))
678 continue;
679
680 nft_set_elem_change_active(ctx->net, set, ext);
681 nft_setelem_data_deactivate(ctx->net, set, catchall->elem);
682 break;
683 }
684 }
685
nft_map_deactivate(const struct nft_ctx * ctx,struct nft_set * set)686 static void nft_map_deactivate(const struct nft_ctx *ctx, struct nft_set *set)
687 {
688 struct nft_set_iter iter = {
689 .genmask = nft_genmask_next(ctx->net),
690 .type = NFT_ITER_UPDATE,
691 .fn = nft_mapelem_deactivate,
692 };
693
694 set->ops->walk(ctx, set, &iter);
695 WARN_ON_ONCE(iter.err);
696
697 nft_map_catchall_deactivate(ctx, set);
698 }
699
nft_delset(const struct nft_ctx * ctx,struct nft_set * set)700 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
701 {
702 int err;
703
704 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
705 if (err < 0)
706 return err;
707
708 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
709 nft_map_deactivate(ctx, set);
710
711 nft_deactivate_next(ctx->net, set);
712 nft_use_dec(&ctx->table->use);
713
714 return err;
715 }
716
nft_trans_obj_add(struct nft_ctx * ctx,int msg_type,struct nft_object * obj)717 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
718 struct nft_object *obj)
719 {
720 struct nft_trans *trans;
721
722 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
723 if (trans == NULL)
724 return -ENOMEM;
725
726 if (msg_type == NFT_MSG_NEWOBJ)
727 nft_activate_next(ctx->net, obj);
728
729 nft_trans_obj(trans) = obj;
730 nft_trans_commit_list_add_tail(ctx->net, trans);
731
732 return 0;
733 }
734
nft_delobj(struct nft_ctx * ctx,struct nft_object * obj)735 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
736 {
737 int err;
738
739 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
740 if (err < 0)
741 return err;
742
743 nft_deactivate_next(ctx->net, obj);
744 nft_use_dec(&ctx->table->use);
745
746 return err;
747 }
748
749 static struct nft_trans *
nft_trans_flowtable_add(struct nft_ctx * ctx,int msg_type,struct nft_flowtable * flowtable)750 nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
751 struct nft_flowtable *flowtable)
752 {
753 struct nft_trans *trans;
754
755 trans = nft_trans_alloc(ctx, msg_type,
756 sizeof(struct nft_trans_flowtable));
757 if (trans == NULL)
758 return ERR_PTR(-ENOMEM);
759
760 if (msg_type == NFT_MSG_NEWFLOWTABLE)
761 nft_activate_next(ctx->net, flowtable);
762
763 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
764 nft_trans_flowtable(trans) = flowtable;
765 nft_trans_commit_list_add_tail(ctx->net, trans);
766
767 return trans;
768 }
769
nft_delflowtable(struct nft_ctx * ctx,struct nft_flowtable * flowtable)770 static int nft_delflowtable(struct nft_ctx *ctx,
771 struct nft_flowtable *flowtable)
772 {
773 struct nft_trans *trans;
774
775 trans = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
776 if (IS_ERR(trans))
777 return PTR_ERR(trans);
778
779 nft_deactivate_next(ctx->net, flowtable);
780 nft_use_dec(&ctx->table->use);
781
782 return 0;
783 }
784
__nft_reg_track_clobber(struct nft_regs_track * track,u8 dreg)785 static void __nft_reg_track_clobber(struct nft_regs_track *track, u8 dreg)
786 {
787 int i;
788
789 for (i = track->regs[dreg].num_reg; i > 0; i--)
790 __nft_reg_track_cancel(track, dreg - i);
791 }
792
__nft_reg_track_update(struct nft_regs_track * track,const struct nft_expr * expr,u8 dreg,u8 num_reg)793 static void __nft_reg_track_update(struct nft_regs_track *track,
794 const struct nft_expr *expr,
795 u8 dreg, u8 num_reg)
796 {
797 track->regs[dreg].selector = expr;
798 track->regs[dreg].bitwise = NULL;
799 track->regs[dreg].num_reg = num_reg;
800 }
801
nft_reg_track_update(struct nft_regs_track * track,const struct nft_expr * expr,u8 dreg,u8 len)802 void nft_reg_track_update(struct nft_regs_track *track,
803 const struct nft_expr *expr, u8 dreg, u8 len)
804 {
805 unsigned int regcount;
806 int i;
807
808 __nft_reg_track_clobber(track, dreg);
809
810 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
811 for (i = 0; i < regcount; i++, dreg++)
812 __nft_reg_track_update(track, expr, dreg, i);
813 }
814 EXPORT_SYMBOL_GPL(nft_reg_track_update);
815
nft_reg_track_cancel(struct nft_regs_track * track,u8 dreg,u8 len)816 void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len)
817 {
818 unsigned int regcount;
819 int i;
820
821 __nft_reg_track_clobber(track, dreg);
822
823 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
824 for (i = 0; i < regcount; i++, dreg++)
825 __nft_reg_track_cancel(track, dreg);
826 }
827 EXPORT_SYMBOL_GPL(nft_reg_track_cancel);
828
__nft_reg_track_cancel(struct nft_regs_track * track,u8 dreg)829 void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg)
830 {
831 track->regs[dreg].selector = NULL;
832 track->regs[dreg].bitwise = NULL;
833 track->regs[dreg].num_reg = 0;
834 }
835 EXPORT_SYMBOL_GPL(__nft_reg_track_cancel);
836
837 /*
838 * Tables
839 */
840
nft_table_lookup(const struct net * net,const struct nlattr * nla,u8 family,u8 genmask,u32 nlpid)841 static struct nft_table *nft_table_lookup(const struct net *net,
842 const struct nlattr *nla,
843 u8 family, u8 genmask, u32 nlpid)
844 {
845 struct nftables_pernet *nft_net;
846 struct nft_table *table;
847
848 if (nla == NULL)
849 return ERR_PTR(-EINVAL);
850
851 nft_net = nft_pernet(net);
852 list_for_each_entry_rcu(table, &nft_net->tables, list,
853 lockdep_is_held(&nft_net->commit_mutex)) {
854 if (!nla_strcmp(nla, table->name) &&
855 table->family == family &&
856 nft_active_genmask(table, genmask)) {
857 if (nft_table_has_owner(table) &&
858 nlpid && table->nlpid != nlpid)
859 return ERR_PTR(-EPERM);
860
861 return table;
862 }
863 }
864
865 return ERR_PTR(-ENOENT);
866 }
867
nft_table_lookup_byhandle(const struct net * net,const struct nlattr * nla,int family,u8 genmask,u32 nlpid)868 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
869 const struct nlattr *nla,
870 int family, u8 genmask, u32 nlpid)
871 {
872 struct nftables_pernet *nft_net;
873 struct nft_table *table;
874
875 nft_net = nft_pernet(net);
876 list_for_each_entry(table, &nft_net->tables, list) {
877 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
878 table->family == family &&
879 nft_active_genmask(table, genmask)) {
880 if (nft_table_has_owner(table) &&
881 nlpid && table->nlpid != nlpid)
882 return ERR_PTR(-EPERM);
883
884 return table;
885 }
886 }
887
888 return ERR_PTR(-ENOENT);
889 }
890
nf_tables_alloc_handle(struct nft_table * table)891 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
892 {
893 return ++table->hgenerator;
894 }
895
896 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
897
898 static const struct nft_chain_type *
__nft_chain_type_get(u8 family,enum nft_chain_types type)899 __nft_chain_type_get(u8 family, enum nft_chain_types type)
900 {
901 if (family >= NFPROTO_NUMPROTO ||
902 type >= NFT_CHAIN_T_MAX)
903 return NULL;
904
905 return chain_type[family][type];
906 }
907
908 static const struct nft_chain_type *
__nf_tables_chain_type_lookup(const struct nlattr * nla,u8 family)909 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
910 {
911 const struct nft_chain_type *type;
912 int i;
913
914 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
915 type = __nft_chain_type_get(family, i);
916 if (!type)
917 continue;
918 if (!nla_strcmp(nla, type->name))
919 return type;
920 }
921 return NULL;
922 }
923
924 struct nft_module_request {
925 struct list_head list;
926 char module[MODULE_NAME_LEN];
927 bool done;
928 };
929
930 #ifdef CONFIG_MODULES
nft_request_module(struct net * net,const char * fmt,...)931 __printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
932 ...)
933 {
934 char module_name[MODULE_NAME_LEN];
935 struct nftables_pernet *nft_net;
936 struct nft_module_request *req;
937 va_list args;
938 int ret;
939
940 va_start(args, fmt);
941 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
942 va_end(args);
943 if (ret >= MODULE_NAME_LEN)
944 return 0;
945
946 nft_net = nft_pernet(net);
947 list_for_each_entry(req, &nft_net->module_list, list) {
948 if (!strcmp(req->module, module_name)) {
949 if (req->done)
950 return 0;
951
952 /* A request to load this module already exists. */
953 return -EAGAIN;
954 }
955 }
956
957 req = kmalloc(sizeof(*req), GFP_KERNEL);
958 if (!req)
959 return -ENOMEM;
960
961 req->done = false;
962 strscpy(req->module, module_name, MODULE_NAME_LEN);
963 list_add_tail(&req->list, &nft_net->module_list);
964
965 return -EAGAIN;
966 }
967 EXPORT_SYMBOL_GPL(nft_request_module);
968 #endif
969
lockdep_nfnl_nft_mutex_not_held(void)970 static void lockdep_nfnl_nft_mutex_not_held(void)
971 {
972 #ifdef CONFIG_PROVE_LOCKING
973 if (debug_locks)
974 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
975 #endif
976 }
977
978 static const struct nft_chain_type *
nf_tables_chain_type_lookup(struct net * net,const struct nlattr * nla,u8 family,bool autoload)979 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
980 u8 family, bool autoload)
981 {
982 const struct nft_chain_type *type;
983
984 type = __nf_tables_chain_type_lookup(nla, family);
985 if (type != NULL)
986 return type;
987
988 lockdep_nfnl_nft_mutex_not_held();
989 #ifdef CONFIG_MODULES
990 if (autoload) {
991 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
992 nla_len(nla),
993 (const char *)nla_data(nla)) == -EAGAIN)
994 return ERR_PTR(-EAGAIN);
995 }
996 #endif
997 return ERR_PTR(-ENOENT);
998 }
999
nft_base_seq(const struct net * net)1000 static __be16 nft_base_seq(const struct net *net)
1001 {
1002 struct nftables_pernet *nft_net = nft_pernet(net);
1003
1004 return htons(nft_net->base_seq & 0xffff);
1005 }
1006
1007 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
1008 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
1009 .len = NFT_TABLE_MAXNAMELEN - 1 },
1010 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
1011 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
1012 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
1013 .len = NFT_USERDATA_MAXLEN }
1014 };
1015
nf_tables_fill_table_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table)1016 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
1017 u32 portid, u32 seq, int event, u32 flags,
1018 int family, const struct nft_table *table)
1019 {
1020 struct nlmsghdr *nlh;
1021
1022 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1023 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
1024 NFNETLINK_V0, nft_base_seq(net));
1025 if (!nlh)
1026 goto nla_put_failure;
1027
1028 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
1029 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
1030 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
1031 NFTA_TABLE_PAD))
1032 goto nla_put_failure;
1033
1034 if (event == NFT_MSG_DELTABLE) {
1035 nlmsg_end(skb, nlh);
1036 return 0;
1037 }
1038
1039 if (nla_put_be32(skb, NFTA_TABLE_FLAGS,
1040 htonl(table->flags & NFT_TABLE_F_MASK)))
1041 goto nla_put_failure;
1042
1043 if (nft_table_has_owner(table) &&
1044 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid)))
1045 goto nla_put_failure;
1046
1047 if (table->udata) {
1048 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
1049 goto nla_put_failure;
1050 }
1051
1052 nlmsg_end(skb, nlh);
1053 return 0;
1054
1055 nla_put_failure:
1056 nlmsg_trim(skb, nlh);
1057 return -1;
1058 }
1059
1060 struct nftnl_skb_parms {
1061 bool report;
1062 };
1063 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
1064
nft_notify_enqueue(struct sk_buff * skb,bool report,struct list_head * notify_list)1065 static void nft_notify_enqueue(struct sk_buff *skb, bool report,
1066 struct list_head *notify_list)
1067 {
1068 NFT_CB(skb).report = report;
1069 list_add_tail(&skb->list, notify_list);
1070 }
1071
nf_tables_table_notify(const struct nft_ctx * ctx,int event)1072 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
1073 {
1074 struct nftables_pernet *nft_net;
1075 struct sk_buff *skb;
1076 u16 flags = 0;
1077 int err;
1078
1079 if (!ctx->report &&
1080 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1081 return;
1082
1083 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1084 if (skb == NULL)
1085 goto err;
1086
1087 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1088 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1089
1090 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
1091 event, flags, ctx->family, ctx->table);
1092 if (err < 0) {
1093 kfree_skb(skb);
1094 goto err;
1095 }
1096
1097 nft_net = nft_pernet(ctx->net);
1098 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
1099 return;
1100 err:
1101 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1102 }
1103
nf_tables_dump_tables(struct sk_buff * skb,struct netlink_callback * cb)1104 static int nf_tables_dump_tables(struct sk_buff *skb,
1105 struct netlink_callback *cb)
1106 {
1107 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1108 struct nftables_pernet *nft_net;
1109 const struct nft_table *table;
1110 unsigned int idx = 0, s_idx = cb->args[0];
1111 struct net *net = sock_net(skb->sk);
1112 int family = nfmsg->nfgen_family;
1113
1114 rcu_read_lock();
1115 nft_net = nft_pernet(net);
1116 cb->seq = READ_ONCE(nft_net->base_seq);
1117
1118 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1119 if (family != NFPROTO_UNSPEC && family != table->family)
1120 continue;
1121
1122 if (idx < s_idx)
1123 goto cont;
1124 if (idx > s_idx)
1125 memset(&cb->args[1], 0,
1126 sizeof(cb->args) - sizeof(cb->args[0]));
1127 if (!nft_is_active(net, table))
1128 continue;
1129 if (nf_tables_fill_table_info(skb, net,
1130 NETLINK_CB(cb->skb).portid,
1131 cb->nlh->nlmsg_seq,
1132 NFT_MSG_NEWTABLE, NLM_F_MULTI,
1133 table->family, table) < 0)
1134 goto done;
1135
1136 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1137 cont:
1138 idx++;
1139 }
1140 done:
1141 rcu_read_unlock();
1142 cb->args[0] = idx;
1143 return skb->len;
1144 }
1145
nft_netlink_dump_start_rcu(struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,struct netlink_dump_control * c)1146 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
1147 const struct nlmsghdr *nlh,
1148 struct netlink_dump_control *c)
1149 {
1150 int err;
1151
1152 if (!try_module_get(THIS_MODULE))
1153 return -EINVAL;
1154
1155 rcu_read_unlock();
1156 err = netlink_dump_start(nlsk, skb, nlh, c);
1157 rcu_read_lock();
1158 module_put(THIS_MODULE);
1159
1160 return err;
1161 }
1162
1163 /* called with rcu_read_lock held */
nf_tables_gettable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])1164 static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info,
1165 const struct nlattr * const nla[])
1166 {
1167 struct netlink_ext_ack *extack = info->extack;
1168 u8 genmask = nft_genmask_cur(info->net);
1169 u8 family = info->nfmsg->nfgen_family;
1170 const struct nft_table *table;
1171 struct net *net = info->net;
1172 struct sk_buff *skb2;
1173 int err;
1174
1175 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1176 struct netlink_dump_control c = {
1177 .dump = nf_tables_dump_tables,
1178 .module = THIS_MODULE,
1179 };
1180
1181 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
1182 }
1183
1184 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0);
1185 if (IS_ERR(table)) {
1186 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
1187 return PTR_ERR(table);
1188 }
1189
1190 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1191 if (!skb2)
1192 return -ENOMEM;
1193
1194 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
1195 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE,
1196 0, family, table);
1197 if (err < 0)
1198 goto err_fill_table_info;
1199
1200 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1201
1202 err_fill_table_info:
1203 kfree_skb(skb2);
1204 return err;
1205 }
1206
nft_table_disable(struct net * net,struct nft_table * table,u32 cnt)1207 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
1208 {
1209 struct nft_chain *chain;
1210 u32 i = 0;
1211
1212 list_for_each_entry(chain, &table->chains, list) {
1213 if (!nft_is_active_next(net, chain))
1214 continue;
1215 if (!nft_is_base_chain(chain))
1216 continue;
1217
1218 if (cnt && i++ == cnt)
1219 break;
1220
1221 nf_tables_unregister_hook(net, table, chain);
1222 }
1223 }
1224
nf_tables_table_enable(struct net * net,struct nft_table * table)1225 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
1226 {
1227 struct nft_chain *chain;
1228 int err, i = 0;
1229
1230 list_for_each_entry(chain, &table->chains, list) {
1231 if (!nft_is_active_next(net, chain))
1232 continue;
1233 if (!nft_is_base_chain(chain))
1234 continue;
1235
1236 err = nf_tables_register_hook(net, table, chain);
1237 if (err < 0)
1238 goto err_register_hooks;
1239
1240 i++;
1241 }
1242 return 0;
1243
1244 err_register_hooks:
1245 if (i)
1246 nft_table_disable(net, table, i);
1247 return err;
1248 }
1249
nf_tables_table_disable(struct net * net,struct nft_table * table)1250 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
1251 {
1252 table->flags &= ~NFT_TABLE_F_DORMANT;
1253 nft_table_disable(net, table, 0);
1254 table->flags |= NFT_TABLE_F_DORMANT;
1255 }
1256
1257 #define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1)
1258 #define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0)
1259 #define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1)
1260 #define __NFT_TABLE_F_WAS_ORPHAN (__NFT_TABLE_F_INTERNAL << 2)
1261 #define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \
1262 __NFT_TABLE_F_WAS_AWAKEN | \
1263 __NFT_TABLE_F_WAS_ORPHAN)
1264
nft_table_pending_update(const struct nft_ctx * ctx)1265 static bool nft_table_pending_update(const struct nft_ctx *ctx)
1266 {
1267 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
1268 struct nft_trans *trans;
1269
1270 if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
1271 return true;
1272
1273 list_for_each_entry(trans, &nft_net->commit_list, list) {
1274 if (trans->table == ctx->table &&
1275 ((trans->msg_type == NFT_MSG_NEWCHAIN &&
1276 nft_trans_chain_update(trans)) ||
1277 (trans->msg_type == NFT_MSG_DELCHAIN &&
1278 nft_is_base_chain(nft_trans_chain(trans)))))
1279 return true;
1280 }
1281
1282 return false;
1283 }
1284
nf_tables_updtable(struct nft_ctx * ctx)1285 static int nf_tables_updtable(struct nft_ctx *ctx)
1286 {
1287 struct nft_trans *trans;
1288 u32 flags;
1289 int ret;
1290
1291 if (!ctx->nla[NFTA_TABLE_FLAGS])
1292 return 0;
1293
1294 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
1295 if (flags & ~NFT_TABLE_F_MASK)
1296 return -EOPNOTSUPP;
1297
1298 if (flags == (ctx->table->flags & NFT_TABLE_F_MASK))
1299 return 0;
1300
1301 if ((nft_table_has_owner(ctx->table) &&
1302 !(flags & NFT_TABLE_F_OWNER)) ||
1303 (flags & NFT_TABLE_F_OWNER &&
1304 !nft_table_is_orphan(ctx->table)))
1305 return -EOPNOTSUPP;
1306
1307 if ((flags ^ ctx->table->flags) & NFT_TABLE_F_PERSIST)
1308 return -EOPNOTSUPP;
1309
1310 /* No dormant off/on/off/on games in single transaction */
1311 if (nft_table_pending_update(ctx))
1312 return -EINVAL;
1313
1314 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
1315 sizeof(struct nft_trans_table));
1316 if (trans == NULL)
1317 return -ENOMEM;
1318
1319 if ((flags & NFT_TABLE_F_DORMANT) &&
1320 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
1321 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1322 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE))
1323 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN;
1324 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
1325 ctx->table->flags & NFT_TABLE_F_DORMANT) {
1326 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
1327 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) {
1328 ret = nf_tables_table_enable(ctx->net, ctx->table);
1329 if (ret < 0)
1330 goto err_register_hooks;
1331
1332 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT;
1333 }
1334 }
1335
1336 if ((flags & NFT_TABLE_F_OWNER) &&
1337 !nft_table_has_owner(ctx->table)) {
1338 ctx->table->nlpid = ctx->portid;
1339 ctx->table->flags |= NFT_TABLE_F_OWNER |
1340 __NFT_TABLE_F_WAS_ORPHAN;
1341 }
1342
1343 nft_trans_table_update(trans) = true;
1344 nft_trans_commit_list_add_tail(ctx->net, trans);
1345
1346 return 0;
1347
1348 err_register_hooks:
1349 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1350 nft_trans_destroy(trans);
1351 return ret;
1352 }
1353
nft_chain_hash(const void * data,u32 len,u32 seed)1354 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
1355 {
1356 const char *name = data;
1357
1358 return jhash(name, strlen(name), seed);
1359 }
1360
nft_chain_hash_obj(const void * data,u32 len,u32 seed)1361 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
1362 {
1363 const struct nft_chain *chain = data;
1364
1365 return nft_chain_hash(chain->name, 0, seed);
1366 }
1367
nft_chain_hash_cmp(struct rhashtable_compare_arg * arg,const void * ptr)1368 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
1369 const void *ptr)
1370 {
1371 const struct nft_chain *chain = ptr;
1372 const char *name = arg->key;
1373
1374 return strcmp(chain->name, name);
1375 }
1376
nft_objname_hash(const void * data,u32 len,u32 seed)1377 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
1378 {
1379 const struct nft_object_hash_key *k = data;
1380
1381 seed ^= hash_ptr(k->table, 32);
1382
1383 return jhash(k->name, strlen(k->name), seed);
1384 }
1385
nft_objname_hash_obj(const void * data,u32 len,u32 seed)1386 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
1387 {
1388 const struct nft_object *obj = data;
1389
1390 return nft_objname_hash(&obj->key, 0, seed);
1391 }
1392
nft_objname_hash_cmp(struct rhashtable_compare_arg * arg,const void * ptr)1393 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
1394 const void *ptr)
1395 {
1396 const struct nft_object_hash_key *k = arg->key;
1397 const struct nft_object *obj = ptr;
1398
1399 if (obj->key.table != k->table)
1400 return -1;
1401
1402 return strcmp(obj->key.name, k->name);
1403 }
1404
nft_supported_family(u8 family)1405 static bool nft_supported_family(u8 family)
1406 {
1407 return false
1408 #ifdef CONFIG_NF_TABLES_INET
1409 || family == NFPROTO_INET
1410 #endif
1411 #ifdef CONFIG_NF_TABLES_IPV4
1412 || family == NFPROTO_IPV4
1413 #endif
1414 #ifdef CONFIG_NF_TABLES_ARP
1415 || family == NFPROTO_ARP
1416 #endif
1417 #ifdef CONFIG_NF_TABLES_NETDEV
1418 || family == NFPROTO_NETDEV
1419 #endif
1420 #if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
1421 || family == NFPROTO_BRIDGE
1422 #endif
1423 #ifdef CONFIG_NF_TABLES_IPV6
1424 || family == NFPROTO_IPV6
1425 #endif
1426 ;
1427 }
1428
nf_tables_newtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])1429 static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
1430 const struct nlattr * const nla[])
1431 {
1432 struct nftables_pernet *nft_net = nft_pernet(info->net);
1433 struct netlink_ext_ack *extack = info->extack;
1434 u8 genmask = nft_genmask_next(info->net);
1435 u8 family = info->nfmsg->nfgen_family;
1436 struct net *net = info->net;
1437 const struct nlattr *attr;
1438 struct nft_table *table;
1439 struct nft_ctx ctx;
1440 u32 flags = 0;
1441 int err;
1442
1443 if (!nft_supported_family(family))
1444 return -EOPNOTSUPP;
1445
1446 lockdep_assert_held(&nft_net->commit_mutex);
1447 attr = nla[NFTA_TABLE_NAME];
1448 table = nft_table_lookup(net, attr, family, genmask,
1449 NETLINK_CB(skb).portid);
1450 if (IS_ERR(table)) {
1451 if (PTR_ERR(table) != -ENOENT)
1452 return PTR_ERR(table);
1453 } else {
1454 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
1455 NL_SET_BAD_ATTR(extack, attr);
1456 return -EEXIST;
1457 }
1458 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
1459 return -EOPNOTSUPP;
1460
1461 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1462
1463 return nf_tables_updtable(&ctx);
1464 }
1465
1466 if (nla[NFTA_TABLE_FLAGS]) {
1467 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1468 if (flags & ~NFT_TABLE_F_MASK)
1469 return -EOPNOTSUPP;
1470 }
1471
1472 err = -ENOMEM;
1473 table = kzalloc(sizeof(*table), GFP_KERNEL_ACCOUNT);
1474 if (table == NULL)
1475 goto err_kzalloc;
1476
1477 table->validate_state = nft_net->validate_state;
1478 table->name = nla_strdup(attr, GFP_KERNEL_ACCOUNT);
1479 if (table->name == NULL)
1480 goto err_strdup;
1481
1482 if (nla[NFTA_TABLE_USERDATA]) {
1483 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL_ACCOUNT);
1484 if (table->udata == NULL)
1485 goto err_table_udata;
1486
1487 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
1488 }
1489
1490 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1491 if (err)
1492 goto err_chain_ht;
1493
1494 INIT_LIST_HEAD(&table->chains);
1495 INIT_LIST_HEAD(&table->sets);
1496 INIT_LIST_HEAD(&table->objects);
1497 INIT_LIST_HEAD(&table->flowtables);
1498 table->family = family;
1499 table->flags = flags;
1500 table->handle = ++nft_net->table_handle;
1501 if (table->flags & NFT_TABLE_F_OWNER)
1502 table->nlpid = NETLINK_CB(skb).portid;
1503
1504 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1505 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1506 if (err < 0)
1507 goto err_trans;
1508
1509 list_add_tail_rcu(&table->list, &nft_net->tables);
1510 return 0;
1511 err_trans:
1512 rhltable_destroy(&table->chains_ht);
1513 err_chain_ht:
1514 kfree(table->udata);
1515 err_table_udata:
1516 kfree(table->name);
1517 err_strdup:
1518 kfree(table);
1519 err_kzalloc:
1520 return err;
1521 }
1522
nft_flush_table(struct nft_ctx * ctx)1523 static int nft_flush_table(struct nft_ctx *ctx)
1524 {
1525 struct nft_flowtable *flowtable, *nft;
1526 struct nft_chain *chain, *nc;
1527 struct nft_object *obj, *ne;
1528 struct nft_set *set, *ns;
1529 int err;
1530
1531 list_for_each_entry(chain, &ctx->table->chains, list) {
1532 if (!nft_is_active_next(ctx->net, chain))
1533 continue;
1534
1535 if (nft_chain_binding(chain))
1536 continue;
1537
1538 ctx->chain = chain;
1539
1540 err = nft_delrule_by_chain(ctx);
1541 if (err < 0)
1542 goto out;
1543 }
1544
1545 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1546 if (!nft_is_active_next(ctx->net, set))
1547 continue;
1548
1549 if (nft_set_is_anonymous(set))
1550 continue;
1551
1552 err = nft_delset(ctx, set);
1553 if (err < 0)
1554 goto out;
1555 }
1556
1557 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1558 if (!nft_is_active_next(ctx->net, flowtable))
1559 continue;
1560
1561 err = nft_delflowtable(ctx, flowtable);
1562 if (err < 0)
1563 goto out;
1564 }
1565
1566 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1567 if (!nft_is_active_next(ctx->net, obj))
1568 continue;
1569
1570 err = nft_delobj(ctx, obj);
1571 if (err < 0)
1572 goto out;
1573 }
1574
1575 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1576 if (!nft_is_active_next(ctx->net, chain))
1577 continue;
1578
1579 if (nft_chain_binding(chain))
1580 continue;
1581
1582 ctx->chain = chain;
1583
1584 err = nft_delchain(ctx);
1585 if (err < 0)
1586 goto out;
1587 }
1588
1589 err = nft_deltable(ctx);
1590 out:
1591 return err;
1592 }
1593
nft_flush(struct nft_ctx * ctx,int family)1594 static int nft_flush(struct nft_ctx *ctx, int family)
1595 {
1596 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
1597 const struct nlattr * const *nla = ctx->nla;
1598 struct nft_table *table, *nt;
1599 int err = 0;
1600
1601 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
1602 if (family != AF_UNSPEC && table->family != family)
1603 continue;
1604
1605 ctx->family = table->family;
1606
1607 if (!nft_is_active_next(ctx->net, table))
1608 continue;
1609
1610 if (nft_table_has_owner(table) && table->nlpid != ctx->portid)
1611 continue;
1612
1613 if (nla[NFTA_TABLE_NAME] &&
1614 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1615 continue;
1616
1617 ctx->table = table;
1618
1619 err = nft_flush_table(ctx);
1620 if (err < 0)
1621 goto out;
1622 }
1623 out:
1624 return err;
1625 }
1626
nf_tables_deltable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])1627 static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info,
1628 const struct nlattr * const nla[])
1629 {
1630 struct netlink_ext_ack *extack = info->extack;
1631 u8 genmask = nft_genmask_next(info->net);
1632 u8 family = info->nfmsg->nfgen_family;
1633 struct net *net = info->net;
1634 const struct nlattr *attr;
1635 struct nft_table *table;
1636 struct nft_ctx ctx;
1637
1638 nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla);
1639 if (family == AF_UNSPEC ||
1640 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1641 return nft_flush(&ctx, family);
1642
1643 if (nla[NFTA_TABLE_HANDLE]) {
1644 attr = nla[NFTA_TABLE_HANDLE];
1645 table = nft_table_lookup_byhandle(net, attr, family, genmask,
1646 NETLINK_CB(skb).portid);
1647 } else {
1648 attr = nla[NFTA_TABLE_NAME];
1649 table = nft_table_lookup(net, attr, family, genmask,
1650 NETLINK_CB(skb).portid);
1651 }
1652
1653 if (IS_ERR(table)) {
1654 if (PTR_ERR(table) == -ENOENT &&
1655 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYTABLE)
1656 return 0;
1657
1658 NL_SET_BAD_ATTR(extack, attr);
1659 return PTR_ERR(table);
1660 }
1661
1662 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
1663 table->use > 0)
1664 return -EBUSY;
1665
1666 ctx.family = family;
1667 ctx.table = table;
1668
1669 return nft_flush_table(&ctx);
1670 }
1671
nf_tables_table_destroy(struct nft_table * table)1672 static void nf_tables_table_destroy(struct nft_table *table)
1673 {
1674 if (WARN_ON(table->use > 0))
1675 return;
1676
1677 rhltable_destroy(&table->chains_ht);
1678 kfree(table->name);
1679 kfree(table->udata);
1680 kfree(table);
1681 }
1682
nft_register_chain_type(const struct nft_chain_type * ctype)1683 void nft_register_chain_type(const struct nft_chain_type *ctype)
1684 {
1685 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1686 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1687 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1688 return;
1689 }
1690 chain_type[ctype->family][ctype->type] = ctype;
1691 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1692 }
1693 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1694
nft_unregister_chain_type(const struct nft_chain_type * ctype)1695 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1696 {
1697 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1698 chain_type[ctype->family][ctype->type] = NULL;
1699 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1700 }
1701 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1702
1703 /*
1704 * Chains
1705 */
1706
1707 static struct nft_chain *
nft_chain_lookup_byhandle(const struct nft_table * table,u64 handle,u8 genmask)1708 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1709 {
1710 struct nft_chain *chain;
1711
1712 list_for_each_entry(chain, &table->chains, list) {
1713 if (chain->handle == handle &&
1714 nft_active_genmask(chain, genmask))
1715 return chain;
1716 }
1717
1718 return ERR_PTR(-ENOENT);
1719 }
1720
lockdep_commit_lock_is_held(const struct net * net)1721 static bool lockdep_commit_lock_is_held(const struct net *net)
1722 {
1723 #ifdef CONFIG_PROVE_LOCKING
1724 struct nftables_pernet *nft_net = nft_pernet(net);
1725
1726 return lockdep_is_held(&nft_net->commit_mutex);
1727 #else
1728 return true;
1729 #endif
1730 }
1731
nft_chain_lookup(struct net * net,struct nft_table * table,const struct nlattr * nla,u8 genmask)1732 static struct nft_chain *nft_chain_lookup(struct net *net,
1733 struct nft_table *table,
1734 const struct nlattr *nla, u8 genmask)
1735 {
1736 char search[NFT_CHAIN_MAXNAMELEN + 1];
1737 struct rhlist_head *tmp, *list;
1738 struct nft_chain *chain;
1739
1740 if (nla == NULL)
1741 return ERR_PTR(-EINVAL);
1742
1743 nla_strscpy(search, nla, sizeof(search));
1744
1745 WARN_ON(!rcu_read_lock_held() &&
1746 !lockdep_commit_lock_is_held(net));
1747
1748 chain = ERR_PTR(-ENOENT);
1749 rcu_read_lock();
1750 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1751 if (!list)
1752 goto out_unlock;
1753
1754 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1755 if (nft_active_genmask(chain, genmask))
1756 goto out_unlock;
1757 }
1758 chain = ERR_PTR(-ENOENT);
1759 out_unlock:
1760 rcu_read_unlock();
1761 return chain;
1762 }
1763
1764 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1765 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1766 .len = NFT_TABLE_MAXNAMELEN - 1 },
1767 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1768 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1769 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1770 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1771 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1772 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1773 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1774 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1775 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1776 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1777 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
1778 .len = NFT_USERDATA_MAXLEN },
1779 };
1780
1781 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1782 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1783 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1784 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1785 .len = IFNAMSIZ - 1 },
1786 };
1787
nft_dump_stats(struct sk_buff * skb,struct nft_stats __percpu * stats)1788 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1789 {
1790 struct nft_stats *cpu_stats, total;
1791 struct nlattr *nest;
1792 unsigned int seq;
1793 u64 pkts, bytes;
1794 int cpu;
1795
1796 if (!stats)
1797 return 0;
1798
1799 memset(&total, 0, sizeof(total));
1800 for_each_possible_cpu(cpu) {
1801 cpu_stats = per_cpu_ptr(stats, cpu);
1802 do {
1803 seq = u64_stats_fetch_begin(&cpu_stats->syncp);
1804 pkts = cpu_stats->pkts;
1805 bytes = cpu_stats->bytes;
1806 } while (u64_stats_fetch_retry(&cpu_stats->syncp, seq));
1807 total.pkts += pkts;
1808 total.bytes += bytes;
1809 }
1810 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1811 if (nest == NULL)
1812 goto nla_put_failure;
1813
1814 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1815 NFTA_COUNTER_PAD) ||
1816 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1817 NFTA_COUNTER_PAD))
1818 goto nla_put_failure;
1819
1820 nla_nest_end(skb, nest);
1821 return 0;
1822
1823 nla_put_failure:
1824 return -ENOSPC;
1825 }
1826
nft_dump_basechain_hook(struct sk_buff * skb,int family,const struct nft_base_chain * basechain,const struct list_head * hook_list)1827 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1828 const struct nft_base_chain *basechain,
1829 const struct list_head *hook_list)
1830 {
1831 const struct nf_hook_ops *ops = &basechain->ops;
1832 struct nft_hook *hook, *first = NULL;
1833 struct nlattr *nest, *nest_devs;
1834 int n = 0;
1835
1836 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1837 if (nest == NULL)
1838 goto nla_put_failure;
1839 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1840 goto nla_put_failure;
1841 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1842 goto nla_put_failure;
1843
1844 if (nft_base_chain_netdev(family, ops->hooknum)) {
1845 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1846 if (!nest_devs)
1847 goto nla_put_failure;
1848
1849 if (!hook_list)
1850 hook_list = &basechain->hook_list;
1851
1852 list_for_each_entry_rcu(hook, hook_list, list) {
1853 if (!first)
1854 first = hook;
1855
1856 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1857 hook->ops.dev->name))
1858 goto nla_put_failure;
1859 n++;
1860 }
1861 nla_nest_end(skb, nest_devs);
1862
1863 if (n == 1 &&
1864 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1865 goto nla_put_failure;
1866 }
1867 nla_nest_end(skb, nest);
1868
1869 return 0;
1870 nla_put_failure:
1871 return -1;
1872 }
1873
nf_tables_fill_chain_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,const struct nft_chain * chain,const struct list_head * hook_list)1874 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1875 u32 portid, u32 seq, int event, u32 flags,
1876 int family, const struct nft_table *table,
1877 const struct nft_chain *chain,
1878 const struct list_head *hook_list)
1879 {
1880 struct nlmsghdr *nlh;
1881
1882 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1883 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
1884 NFNETLINK_V0, nft_base_seq(net));
1885 if (!nlh)
1886 goto nla_put_failure;
1887
1888 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name) ||
1889 nla_put_string(skb, NFTA_CHAIN_NAME, chain->name) ||
1890 nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1891 NFTA_CHAIN_PAD))
1892 goto nla_put_failure;
1893
1894 if (event == NFT_MSG_DELCHAIN && !hook_list) {
1895 nlmsg_end(skb, nlh);
1896 return 0;
1897 }
1898
1899 if (nft_is_base_chain(chain)) {
1900 const struct nft_base_chain *basechain = nft_base_chain(chain);
1901 struct nft_stats __percpu *stats;
1902
1903 if (nft_dump_basechain_hook(skb, family, basechain, hook_list))
1904 goto nla_put_failure;
1905
1906 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1907 htonl(basechain->policy)))
1908 goto nla_put_failure;
1909
1910 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1911 goto nla_put_failure;
1912
1913 stats = rcu_dereference_check(basechain->stats,
1914 lockdep_commit_lock_is_held(net));
1915 if (nft_dump_stats(skb, stats))
1916 goto nla_put_failure;
1917 }
1918
1919 if (chain->flags &&
1920 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
1921 goto nla_put_failure;
1922
1923 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1924 goto nla_put_failure;
1925
1926 if (chain->udata &&
1927 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
1928 goto nla_put_failure;
1929
1930 nlmsg_end(skb, nlh);
1931 return 0;
1932
1933 nla_put_failure:
1934 nlmsg_trim(skb, nlh);
1935 return -1;
1936 }
1937
nf_tables_chain_notify(const struct nft_ctx * ctx,int event,const struct list_head * hook_list)1938 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event,
1939 const struct list_head *hook_list)
1940 {
1941 struct nftables_pernet *nft_net;
1942 struct sk_buff *skb;
1943 u16 flags = 0;
1944 int err;
1945
1946 if (!ctx->report &&
1947 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1948 return;
1949
1950 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1951 if (skb == NULL)
1952 goto err;
1953
1954 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1955 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1956
1957 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1958 event, flags, ctx->family, ctx->table,
1959 ctx->chain, hook_list);
1960 if (err < 0) {
1961 kfree_skb(skb);
1962 goto err;
1963 }
1964
1965 nft_net = nft_pernet(ctx->net);
1966 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
1967 return;
1968 err:
1969 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1970 }
1971
nf_tables_dump_chains(struct sk_buff * skb,struct netlink_callback * cb)1972 static int nf_tables_dump_chains(struct sk_buff *skb,
1973 struct netlink_callback *cb)
1974 {
1975 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1976 unsigned int idx = 0, s_idx = cb->args[0];
1977 struct net *net = sock_net(skb->sk);
1978 int family = nfmsg->nfgen_family;
1979 struct nftables_pernet *nft_net;
1980 const struct nft_table *table;
1981 const struct nft_chain *chain;
1982
1983 rcu_read_lock();
1984 nft_net = nft_pernet(net);
1985 cb->seq = READ_ONCE(nft_net->base_seq);
1986
1987 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1988 if (family != NFPROTO_UNSPEC && family != table->family)
1989 continue;
1990
1991 list_for_each_entry_rcu(chain, &table->chains, list) {
1992 if (idx < s_idx)
1993 goto cont;
1994 if (idx > s_idx)
1995 memset(&cb->args[1], 0,
1996 sizeof(cb->args) - sizeof(cb->args[0]));
1997 if (!nft_is_active(net, chain))
1998 continue;
1999 if (nf_tables_fill_chain_info(skb, net,
2000 NETLINK_CB(cb->skb).portid,
2001 cb->nlh->nlmsg_seq,
2002 NFT_MSG_NEWCHAIN,
2003 NLM_F_MULTI,
2004 table->family, table,
2005 chain, NULL) < 0)
2006 goto done;
2007
2008 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2009 cont:
2010 idx++;
2011 }
2012 }
2013 done:
2014 rcu_read_unlock();
2015 cb->args[0] = idx;
2016 return skb->len;
2017 }
2018
2019 /* called with rcu_read_lock held */
nf_tables_getchain(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])2020 static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info,
2021 const struct nlattr * const nla[])
2022 {
2023 struct netlink_ext_ack *extack = info->extack;
2024 u8 genmask = nft_genmask_cur(info->net);
2025 u8 family = info->nfmsg->nfgen_family;
2026 const struct nft_chain *chain;
2027 struct net *net = info->net;
2028 struct nft_table *table;
2029 struct sk_buff *skb2;
2030 int err;
2031
2032 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
2033 struct netlink_dump_control c = {
2034 .dump = nf_tables_dump_chains,
2035 .module = THIS_MODULE,
2036 };
2037
2038 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
2039 }
2040
2041 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0);
2042 if (IS_ERR(table)) {
2043 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2044 return PTR_ERR(table);
2045 }
2046
2047 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
2048 if (IS_ERR(chain)) {
2049 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2050 return PTR_ERR(chain);
2051 }
2052
2053 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2054 if (!skb2)
2055 return -ENOMEM;
2056
2057 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
2058 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN,
2059 0, family, table, chain, NULL);
2060 if (err < 0)
2061 goto err_fill_chain_info;
2062
2063 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
2064
2065 err_fill_chain_info:
2066 kfree_skb(skb2);
2067 return err;
2068 }
2069
2070 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
2071 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
2072 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
2073 };
2074
nft_stats_alloc(const struct nlattr * attr)2075 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
2076 {
2077 struct nlattr *tb[NFTA_COUNTER_MAX+1];
2078 struct nft_stats __percpu *newstats;
2079 struct nft_stats *stats;
2080 int err;
2081
2082 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
2083 nft_counter_policy, NULL);
2084 if (err < 0)
2085 return ERR_PTR(err);
2086
2087 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
2088 return ERR_PTR(-EINVAL);
2089
2090 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
2091 if (newstats == NULL)
2092 return ERR_PTR(-ENOMEM);
2093
2094 /* Restore old counters on this cpu, no problem. Per-cpu statistics
2095 * are not exposed to userspace.
2096 */
2097 preempt_disable();
2098 stats = this_cpu_ptr(newstats);
2099 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
2100 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
2101 preempt_enable();
2102
2103 return newstats;
2104 }
2105
nft_chain_stats_replace(struct nft_trans_chain * trans)2106 static void nft_chain_stats_replace(struct nft_trans_chain *trans)
2107 {
2108 const struct nft_trans *t = &trans->nft_trans_binding.nft_trans;
2109 struct nft_base_chain *chain = nft_base_chain(trans->chain);
2110
2111 if (!trans->stats)
2112 return;
2113
2114 trans->stats =
2115 rcu_replace_pointer(chain->stats, trans->stats,
2116 lockdep_commit_lock_is_held(t->net));
2117
2118 if (!trans->stats)
2119 static_branch_inc(&nft_counters_enabled);
2120 }
2121
nf_tables_chain_free_chain_rules(struct nft_chain * chain)2122 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
2123 {
2124 struct nft_rule_blob *g0 = rcu_dereference_raw(chain->blob_gen_0);
2125 struct nft_rule_blob *g1 = rcu_dereference_raw(chain->blob_gen_1);
2126
2127 if (g0 != g1)
2128 kvfree(g1);
2129 kvfree(g0);
2130
2131 /* should be NULL either via abort or via successful commit */
2132 WARN_ON_ONCE(chain->blob_next);
2133 kvfree(chain->blob_next);
2134 }
2135
nf_tables_chain_destroy(struct nft_chain * chain)2136 void nf_tables_chain_destroy(struct nft_chain *chain)
2137 {
2138 const struct nft_table *table = chain->table;
2139 struct nft_hook *hook, *next;
2140
2141 if (WARN_ON(chain->use > 0))
2142 return;
2143
2144 /* no concurrent access possible anymore */
2145 nf_tables_chain_free_chain_rules(chain);
2146
2147 if (nft_is_base_chain(chain)) {
2148 struct nft_base_chain *basechain = nft_base_chain(chain);
2149
2150 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) {
2151 list_for_each_entry_safe(hook, next,
2152 &basechain->hook_list, list) {
2153 list_del_rcu(&hook->list);
2154 kfree_rcu(hook, rcu);
2155 }
2156 }
2157 module_put(basechain->type->owner);
2158 if (rcu_access_pointer(basechain->stats)) {
2159 static_branch_dec(&nft_counters_enabled);
2160 free_percpu(rcu_dereference_raw(basechain->stats));
2161 }
2162 kfree(chain->name);
2163 kfree(chain->udata);
2164 kfree(basechain);
2165 } else {
2166 kfree(chain->name);
2167 kfree(chain->udata);
2168 kfree(chain);
2169 }
2170 }
2171
nft_netdev_hook_alloc(struct net * net,const struct nlattr * attr)2172 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
2173 const struct nlattr *attr)
2174 {
2175 struct net_device *dev;
2176 char ifname[IFNAMSIZ];
2177 struct nft_hook *hook;
2178 int err;
2179
2180 hook = kzalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT);
2181 if (!hook) {
2182 err = -ENOMEM;
2183 goto err_hook_alloc;
2184 }
2185
2186 nla_strscpy(ifname, attr, IFNAMSIZ);
2187 /* nf_tables_netdev_event() is called under rtnl_mutex, this is
2188 * indirectly serializing all the other holders of the commit_mutex with
2189 * the rtnl_mutex.
2190 */
2191 dev = __dev_get_by_name(net, ifname);
2192 if (!dev) {
2193 err = -ENOENT;
2194 goto err_hook_dev;
2195 }
2196 hook->ops.dev = dev;
2197
2198 return hook;
2199
2200 err_hook_dev:
2201 kfree(hook);
2202 err_hook_alloc:
2203 return ERR_PTR(err);
2204 }
2205
nft_hook_list_find(struct list_head * hook_list,const struct nft_hook * this)2206 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
2207 const struct nft_hook *this)
2208 {
2209 struct nft_hook *hook;
2210
2211 list_for_each_entry(hook, hook_list, list) {
2212 if (this->ops.dev == hook->ops.dev)
2213 return hook;
2214 }
2215
2216 return NULL;
2217 }
2218
nf_tables_parse_netdev_hooks(struct net * net,const struct nlattr * attr,struct list_head * hook_list,struct netlink_ext_ack * extack)2219 static int nf_tables_parse_netdev_hooks(struct net *net,
2220 const struct nlattr *attr,
2221 struct list_head *hook_list,
2222 struct netlink_ext_ack *extack)
2223 {
2224 struct nft_hook *hook, *next;
2225 const struct nlattr *tmp;
2226 int rem, n = 0, err;
2227
2228 nla_for_each_nested(tmp, attr, rem) {
2229 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
2230 err = -EINVAL;
2231 goto err_hook;
2232 }
2233
2234 hook = nft_netdev_hook_alloc(net, tmp);
2235 if (IS_ERR(hook)) {
2236 NL_SET_BAD_ATTR(extack, tmp);
2237 err = PTR_ERR(hook);
2238 goto err_hook;
2239 }
2240 if (nft_hook_list_find(hook_list, hook)) {
2241 NL_SET_BAD_ATTR(extack, tmp);
2242 kfree(hook);
2243 err = -EEXIST;
2244 goto err_hook;
2245 }
2246 list_add_tail(&hook->list, hook_list);
2247 n++;
2248
2249 if (n == NFT_NETDEVICE_MAX) {
2250 err = -EFBIG;
2251 goto err_hook;
2252 }
2253 }
2254
2255 return 0;
2256
2257 err_hook:
2258 list_for_each_entry_safe(hook, next, hook_list, list) {
2259 list_del(&hook->list);
2260 kfree(hook);
2261 }
2262 return err;
2263 }
2264
2265 struct nft_chain_hook {
2266 u32 num;
2267 s32 priority;
2268 const struct nft_chain_type *type;
2269 struct list_head list;
2270 };
2271
nft_chain_parse_netdev(struct net * net,struct nlattr * tb[],struct list_head * hook_list,struct netlink_ext_ack * extack,u32 flags)2272 static int nft_chain_parse_netdev(struct net *net, struct nlattr *tb[],
2273 struct list_head *hook_list,
2274 struct netlink_ext_ack *extack, u32 flags)
2275 {
2276 struct nft_hook *hook;
2277 int err;
2278
2279 if (tb[NFTA_HOOK_DEV]) {
2280 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
2281 if (IS_ERR(hook)) {
2282 NL_SET_BAD_ATTR(extack, tb[NFTA_HOOK_DEV]);
2283 return PTR_ERR(hook);
2284 }
2285
2286 list_add_tail(&hook->list, hook_list);
2287 } else if (tb[NFTA_HOOK_DEVS]) {
2288 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
2289 hook_list, extack);
2290 if (err < 0)
2291 return err;
2292
2293 }
2294
2295 if (flags & NFT_CHAIN_HW_OFFLOAD &&
2296 list_empty(hook_list))
2297 return -EINVAL;
2298
2299 return 0;
2300 }
2301
nft_chain_parse_hook(struct net * net,struct nft_base_chain * basechain,const struct nlattr * const nla[],struct nft_chain_hook * hook,u8 family,u32 flags,struct netlink_ext_ack * extack)2302 static int nft_chain_parse_hook(struct net *net,
2303 struct nft_base_chain *basechain,
2304 const struct nlattr * const nla[],
2305 struct nft_chain_hook *hook, u8 family,
2306 u32 flags, struct netlink_ext_ack *extack)
2307 {
2308 struct nftables_pernet *nft_net = nft_pernet(net);
2309 struct nlattr *ha[NFTA_HOOK_MAX + 1];
2310 const struct nft_chain_type *type;
2311 int err;
2312
2313 lockdep_assert_held(&nft_net->commit_mutex);
2314 lockdep_nfnl_nft_mutex_not_held();
2315
2316 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
2317 nla[NFTA_CHAIN_HOOK],
2318 nft_hook_policy, NULL);
2319 if (err < 0)
2320 return err;
2321
2322 if (!basechain) {
2323 if (!ha[NFTA_HOOK_HOOKNUM] ||
2324 !ha[NFTA_HOOK_PRIORITY]) {
2325 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2326 return -ENOENT;
2327 }
2328
2329 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2330 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2331
2332 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
2333 if (!type)
2334 return -EOPNOTSUPP;
2335
2336 if (nla[NFTA_CHAIN_TYPE]) {
2337 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
2338 family, true);
2339 if (IS_ERR(type)) {
2340 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2341 return PTR_ERR(type);
2342 }
2343 }
2344 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
2345 return -EOPNOTSUPP;
2346
2347 if (type->type == NFT_CHAIN_T_NAT &&
2348 hook->priority <= NF_IP_PRI_CONNTRACK)
2349 return -EOPNOTSUPP;
2350 } else {
2351 if (ha[NFTA_HOOK_HOOKNUM]) {
2352 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2353 if (hook->num != basechain->ops.hooknum)
2354 return -EOPNOTSUPP;
2355 }
2356 if (ha[NFTA_HOOK_PRIORITY]) {
2357 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2358 if (hook->priority != basechain->ops.priority)
2359 return -EOPNOTSUPP;
2360 }
2361
2362 if (nla[NFTA_CHAIN_TYPE]) {
2363 type = __nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
2364 family);
2365 if (!type) {
2366 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2367 return -ENOENT;
2368 }
2369 } else {
2370 type = basechain->type;
2371 }
2372 }
2373
2374 if (!try_module_get(type->owner)) {
2375 if (nla[NFTA_CHAIN_TYPE])
2376 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2377 return -ENOENT;
2378 }
2379
2380 hook->type = type;
2381
2382 INIT_LIST_HEAD(&hook->list);
2383 if (nft_base_chain_netdev(family, hook->num)) {
2384 err = nft_chain_parse_netdev(net, ha, &hook->list, extack, flags);
2385 if (err < 0) {
2386 module_put(type->owner);
2387 return err;
2388 }
2389 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
2390 module_put(type->owner);
2391 return -EOPNOTSUPP;
2392 }
2393
2394 return 0;
2395 }
2396
nft_chain_release_hook(struct nft_chain_hook * hook)2397 static void nft_chain_release_hook(struct nft_chain_hook *hook)
2398 {
2399 struct nft_hook *h, *next;
2400
2401 list_for_each_entry_safe(h, next, &hook->list, list) {
2402 list_del(&h->list);
2403 kfree(h);
2404 }
2405 module_put(hook->type->owner);
2406 }
2407
nft_last_rule(const struct nft_chain * chain,const void * ptr)2408 static void nft_last_rule(const struct nft_chain *chain, const void *ptr)
2409 {
2410 struct nft_rule_dp_last *lrule;
2411
2412 BUILD_BUG_ON(offsetof(struct nft_rule_dp_last, end) != 0);
2413
2414 lrule = (struct nft_rule_dp_last *)ptr;
2415 lrule->end.is_last = 1;
2416 lrule->chain = chain;
2417 /* blob size does not include the trailer rule */
2418 }
2419
nf_tables_chain_alloc_rules(const struct nft_chain * chain,unsigned int size)2420 static struct nft_rule_blob *nf_tables_chain_alloc_rules(const struct nft_chain *chain,
2421 unsigned int size)
2422 {
2423 struct nft_rule_blob *blob;
2424
2425 if (size > INT_MAX)
2426 return NULL;
2427
2428 size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rule_dp_last);
2429
2430 blob = kvmalloc(size, GFP_KERNEL_ACCOUNT);
2431 if (!blob)
2432 return NULL;
2433
2434 blob->size = 0;
2435 nft_last_rule(chain, blob->data);
2436
2437 return blob;
2438 }
2439
nft_basechain_hook_init(struct nf_hook_ops * ops,u8 family,const struct nft_chain_hook * hook,struct nft_chain * chain)2440 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
2441 const struct nft_chain_hook *hook,
2442 struct nft_chain *chain)
2443 {
2444 ops->pf = family;
2445 ops->hooknum = hook->num;
2446 ops->priority = hook->priority;
2447 ops->priv = chain;
2448 ops->hook = hook->type->hooks[ops->hooknum];
2449 ops->hook_ops_type = NF_HOOK_OP_NF_TABLES;
2450 }
2451
nft_basechain_init(struct nft_base_chain * basechain,u8 family,struct nft_chain_hook * hook,u32 flags)2452 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
2453 struct nft_chain_hook *hook, u32 flags)
2454 {
2455 struct nft_chain *chain;
2456 struct nft_hook *h;
2457
2458 basechain->type = hook->type;
2459 INIT_LIST_HEAD(&basechain->hook_list);
2460 chain = &basechain->chain;
2461
2462 if (nft_base_chain_netdev(family, hook->num)) {
2463 list_splice_init(&hook->list, &basechain->hook_list);
2464 list_for_each_entry(h, &basechain->hook_list, list)
2465 nft_basechain_hook_init(&h->ops, family, hook, chain);
2466 }
2467 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
2468
2469 chain->flags |= NFT_CHAIN_BASE | flags;
2470 basechain->policy = NF_ACCEPT;
2471 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
2472 !nft_chain_offload_support(basechain)) {
2473 list_splice_init(&basechain->hook_list, &hook->list);
2474 return -EOPNOTSUPP;
2475 }
2476
2477 flow_block_init(&basechain->flow_block);
2478
2479 return 0;
2480 }
2481
nft_chain_add(struct nft_table * table,struct nft_chain * chain)2482 int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
2483 {
2484 int err;
2485
2486 err = rhltable_insert_key(&table->chains_ht, chain->name,
2487 &chain->rhlhead, nft_chain_ht_params);
2488 if (err)
2489 return err;
2490
2491 list_add_tail_rcu(&chain->list, &table->chains);
2492
2493 return 0;
2494 }
2495
2496 static u64 chain_id;
2497
nf_tables_addchain(struct nft_ctx * ctx,u8 family,u8 genmask,u8 policy,u32 flags,struct netlink_ext_ack * extack)2498 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
2499 u8 policy, u32 flags,
2500 struct netlink_ext_ack *extack)
2501 {
2502 const struct nlattr * const *nla = ctx->nla;
2503 struct nft_table *table = ctx->table;
2504 struct nft_base_chain *basechain;
2505 struct net *net = ctx->net;
2506 char name[NFT_NAME_MAXLEN];
2507 struct nft_rule_blob *blob;
2508 struct nft_trans *trans;
2509 struct nft_chain *chain;
2510 int err;
2511
2512 if (nla[NFTA_CHAIN_HOOK]) {
2513 struct nft_stats __percpu *stats = NULL;
2514 struct nft_chain_hook hook = {};
2515
2516 if (table->flags & __NFT_TABLE_F_UPDATE)
2517 return -EINVAL;
2518
2519 if (flags & NFT_CHAIN_BINDING)
2520 return -EOPNOTSUPP;
2521
2522 err = nft_chain_parse_hook(net, NULL, nla, &hook, family, flags,
2523 extack);
2524 if (err < 0)
2525 return err;
2526
2527 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL_ACCOUNT);
2528 if (basechain == NULL) {
2529 nft_chain_release_hook(&hook);
2530 return -ENOMEM;
2531 }
2532 chain = &basechain->chain;
2533
2534 if (nla[NFTA_CHAIN_COUNTERS]) {
2535 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2536 if (IS_ERR(stats)) {
2537 nft_chain_release_hook(&hook);
2538 kfree(basechain);
2539 return PTR_ERR(stats);
2540 }
2541 rcu_assign_pointer(basechain->stats, stats);
2542 }
2543
2544 err = nft_basechain_init(basechain, family, &hook, flags);
2545 if (err < 0) {
2546 nft_chain_release_hook(&hook);
2547 kfree(basechain);
2548 free_percpu(stats);
2549 return err;
2550 }
2551 if (stats)
2552 static_branch_inc(&nft_counters_enabled);
2553 } else {
2554 if (flags & NFT_CHAIN_BASE)
2555 return -EINVAL;
2556 if (flags & NFT_CHAIN_HW_OFFLOAD)
2557 return -EOPNOTSUPP;
2558
2559 chain = kzalloc(sizeof(*chain), GFP_KERNEL_ACCOUNT);
2560 if (chain == NULL)
2561 return -ENOMEM;
2562
2563 chain->flags = flags;
2564 }
2565 ctx->chain = chain;
2566
2567 INIT_LIST_HEAD(&chain->rules);
2568 chain->handle = nf_tables_alloc_handle(table);
2569 chain->table = table;
2570
2571 if (nla[NFTA_CHAIN_NAME]) {
2572 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2573 } else {
2574 if (!(flags & NFT_CHAIN_BINDING)) {
2575 err = -EINVAL;
2576 goto err_destroy_chain;
2577 }
2578
2579 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2580 chain->name = kstrdup(name, GFP_KERNEL_ACCOUNT);
2581 }
2582
2583 if (!chain->name) {
2584 err = -ENOMEM;
2585 goto err_destroy_chain;
2586 }
2587
2588 if (nla[NFTA_CHAIN_USERDATA]) {
2589 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT);
2590 if (chain->udata == NULL) {
2591 err = -ENOMEM;
2592 goto err_destroy_chain;
2593 }
2594 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
2595 }
2596
2597 blob = nf_tables_chain_alloc_rules(chain, 0);
2598 if (!blob) {
2599 err = -ENOMEM;
2600 goto err_destroy_chain;
2601 }
2602
2603 RCU_INIT_POINTER(chain->blob_gen_0, blob);
2604 RCU_INIT_POINTER(chain->blob_gen_1, blob);
2605
2606 if (!nft_use_inc(&table->use)) {
2607 err = -EMFILE;
2608 goto err_destroy_chain;
2609 }
2610
2611 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2612 if (IS_ERR(trans)) {
2613 err = PTR_ERR(trans);
2614 goto err_trans;
2615 }
2616
2617 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2618 if (nft_is_base_chain(chain))
2619 nft_trans_chain_policy(trans) = policy;
2620
2621 err = nft_chain_add(table, chain);
2622 if (err < 0)
2623 goto err_chain_add;
2624
2625 /* This must be LAST to ensure no packets are walking over this chain. */
2626 err = nf_tables_register_hook(net, table, chain);
2627 if (err < 0)
2628 goto err_register_hook;
2629
2630 return 0;
2631
2632 err_register_hook:
2633 nft_chain_del(chain);
2634 err_chain_add:
2635 nft_trans_destroy(trans);
2636 err_trans:
2637 nft_use_dec_restore(&table->use);
2638 err_destroy_chain:
2639 nf_tables_chain_destroy(chain);
2640
2641 return err;
2642 }
2643
nf_tables_updchain(struct nft_ctx * ctx,u8 genmask,u8 policy,u32 flags,const struct nlattr * attr,struct netlink_ext_ack * extack)2644 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2645 u32 flags, const struct nlattr *attr,
2646 struct netlink_ext_ack *extack)
2647 {
2648 const struct nlattr * const *nla = ctx->nla;
2649 struct nft_base_chain *basechain = NULL;
2650 struct nft_table *table = ctx->table;
2651 struct nft_chain *chain = ctx->chain;
2652 struct nft_chain_hook hook = {};
2653 struct nft_stats *stats = NULL;
2654 struct nft_hook *h, *next;
2655 struct nf_hook_ops *ops;
2656 struct nft_trans *trans;
2657 bool unregister = false;
2658 int err;
2659
2660 if (chain->flags ^ flags)
2661 return -EOPNOTSUPP;
2662
2663 INIT_LIST_HEAD(&hook.list);
2664
2665 if (nla[NFTA_CHAIN_HOOK]) {
2666 if (!nft_is_base_chain(chain)) {
2667 NL_SET_BAD_ATTR(extack, attr);
2668 return -EEXIST;
2669 }
2670
2671 basechain = nft_base_chain(chain);
2672 err = nft_chain_parse_hook(ctx->net, basechain, nla, &hook,
2673 ctx->family, flags, extack);
2674 if (err < 0)
2675 return err;
2676
2677 if (basechain->type != hook.type) {
2678 nft_chain_release_hook(&hook);
2679 NL_SET_BAD_ATTR(extack, attr);
2680 return -EEXIST;
2681 }
2682
2683 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
2684 list_for_each_entry_safe(h, next, &hook.list, list) {
2685 h->ops.pf = basechain->ops.pf;
2686 h->ops.hooknum = basechain->ops.hooknum;
2687 h->ops.priority = basechain->ops.priority;
2688 h->ops.priv = basechain->ops.priv;
2689 h->ops.hook = basechain->ops.hook;
2690
2691 if (nft_hook_list_find(&basechain->hook_list, h)) {
2692 list_del(&h->list);
2693 kfree(h);
2694 }
2695 }
2696 } else {
2697 ops = &basechain->ops;
2698 if (ops->hooknum != hook.num ||
2699 ops->priority != hook.priority) {
2700 nft_chain_release_hook(&hook);
2701 NL_SET_BAD_ATTR(extack, attr);
2702 return -EEXIST;
2703 }
2704 }
2705 }
2706
2707 if (nla[NFTA_CHAIN_HANDLE] &&
2708 nla[NFTA_CHAIN_NAME]) {
2709 struct nft_chain *chain2;
2710
2711 chain2 = nft_chain_lookup(ctx->net, table,
2712 nla[NFTA_CHAIN_NAME], genmask);
2713 if (!IS_ERR(chain2)) {
2714 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2715 err = -EEXIST;
2716 goto err_hooks;
2717 }
2718 }
2719
2720 if (table->flags & __NFT_TABLE_F_UPDATE &&
2721 !list_empty(&hook.list)) {
2722 NL_SET_BAD_ATTR(extack, attr);
2723 err = -EOPNOTSUPP;
2724 goto err_hooks;
2725 }
2726
2727 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
2728 nft_is_base_chain(chain) &&
2729 !list_empty(&hook.list)) {
2730 basechain = nft_base_chain(chain);
2731 ops = &basechain->ops;
2732
2733 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) {
2734 err = nft_netdev_register_hooks(ctx->net, &hook.list);
2735 if (err < 0)
2736 goto err_hooks;
2737 }
2738 }
2739
2740 unregister = true;
2741
2742 if (nla[NFTA_CHAIN_COUNTERS]) {
2743 if (!nft_is_base_chain(chain)) {
2744 err = -EOPNOTSUPP;
2745 goto err_hooks;
2746 }
2747
2748 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2749 if (IS_ERR(stats)) {
2750 err = PTR_ERR(stats);
2751 goto err_hooks;
2752 }
2753 }
2754
2755 err = -ENOMEM;
2756 trans = nft_trans_alloc_chain(ctx, NFT_MSG_NEWCHAIN);
2757 if (trans == NULL)
2758 goto err_trans;
2759
2760 nft_trans_chain_stats(trans) = stats;
2761 nft_trans_chain_update(trans) = true;
2762
2763 if (nla[NFTA_CHAIN_POLICY])
2764 nft_trans_chain_policy(trans) = policy;
2765 else
2766 nft_trans_chain_policy(trans) = -1;
2767
2768 if (nla[NFTA_CHAIN_HANDLE] &&
2769 nla[NFTA_CHAIN_NAME]) {
2770 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
2771 struct nft_trans *tmp;
2772 char *name;
2773
2774 err = -ENOMEM;
2775 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2776 if (!name)
2777 goto err_trans;
2778
2779 err = -EEXIST;
2780 list_for_each_entry(tmp, &nft_net->commit_list, list) {
2781 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2782 tmp->table == table &&
2783 nft_trans_chain_update(tmp) &&
2784 nft_trans_chain_name(tmp) &&
2785 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2786 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2787 kfree(name);
2788 goto err_trans;
2789 }
2790 }
2791
2792 nft_trans_chain_name(trans) = name;
2793 }
2794
2795 nft_trans_basechain(trans) = basechain;
2796 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
2797 list_splice(&hook.list, &nft_trans_chain_hooks(trans));
2798 if (nla[NFTA_CHAIN_HOOK])
2799 module_put(hook.type->owner);
2800
2801 nft_trans_commit_list_add_tail(ctx->net, trans);
2802
2803 return 0;
2804
2805 err_trans:
2806 free_percpu(stats);
2807 kfree(trans);
2808 err_hooks:
2809 if (nla[NFTA_CHAIN_HOOK]) {
2810 list_for_each_entry_safe(h, next, &hook.list, list) {
2811 if (unregister)
2812 nf_unregister_net_hook(ctx->net, &h->ops);
2813 list_del(&h->list);
2814 kfree_rcu(h, rcu);
2815 }
2816 module_put(hook.type->owner);
2817 }
2818
2819 return err;
2820 }
2821
nft_chain_lookup_byid(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u8 genmask)2822 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2823 const struct nft_table *table,
2824 const struct nlattr *nla, u8 genmask)
2825 {
2826 struct nftables_pernet *nft_net = nft_pernet(net);
2827 u32 id = ntohl(nla_get_be32(nla));
2828 struct nft_trans *trans;
2829
2830 list_for_each_entry(trans, &nft_net->commit_list, list) {
2831 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2832 nft_trans_chain(trans)->table == table &&
2833 id == nft_trans_chain_id(trans) &&
2834 nft_active_genmask(nft_trans_chain(trans), genmask))
2835 return nft_trans_chain(trans);
2836 }
2837 return ERR_PTR(-ENOENT);
2838 }
2839
nf_tables_newchain(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])2840 static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info,
2841 const struct nlattr * const nla[])
2842 {
2843 struct nftables_pernet *nft_net = nft_pernet(info->net);
2844 struct netlink_ext_ack *extack = info->extack;
2845 u8 genmask = nft_genmask_next(info->net);
2846 u8 family = info->nfmsg->nfgen_family;
2847 struct nft_chain *chain = NULL;
2848 struct net *net = info->net;
2849 const struct nlattr *attr;
2850 struct nft_table *table;
2851 u8 policy = NF_ACCEPT;
2852 struct nft_ctx ctx;
2853 u64 handle = 0;
2854 u32 flags = 0;
2855
2856 lockdep_assert_held(&nft_net->commit_mutex);
2857
2858 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2859 NETLINK_CB(skb).portid);
2860 if (IS_ERR(table)) {
2861 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2862 return PTR_ERR(table);
2863 }
2864
2865 chain = NULL;
2866 attr = nla[NFTA_CHAIN_NAME];
2867
2868 if (nla[NFTA_CHAIN_HANDLE]) {
2869 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2870 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2871 if (IS_ERR(chain)) {
2872 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2873 return PTR_ERR(chain);
2874 }
2875 attr = nla[NFTA_CHAIN_HANDLE];
2876 } else if (nla[NFTA_CHAIN_NAME]) {
2877 chain = nft_chain_lookup(net, table, attr, genmask);
2878 if (IS_ERR(chain)) {
2879 if (PTR_ERR(chain) != -ENOENT) {
2880 NL_SET_BAD_ATTR(extack, attr);
2881 return PTR_ERR(chain);
2882 }
2883 chain = NULL;
2884 }
2885 } else if (!nla[NFTA_CHAIN_ID]) {
2886 return -EINVAL;
2887 }
2888
2889 if (nla[NFTA_CHAIN_POLICY]) {
2890 if (chain != NULL &&
2891 !nft_is_base_chain(chain)) {
2892 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2893 return -EOPNOTSUPP;
2894 }
2895
2896 if (chain == NULL &&
2897 nla[NFTA_CHAIN_HOOK] == NULL) {
2898 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2899 return -EOPNOTSUPP;
2900 }
2901
2902 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2903 switch (policy) {
2904 case NF_DROP:
2905 case NF_ACCEPT:
2906 break;
2907 default:
2908 return -EINVAL;
2909 }
2910 }
2911
2912 if (nla[NFTA_CHAIN_FLAGS])
2913 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2914 else if (chain)
2915 flags = chain->flags;
2916
2917 if (flags & ~NFT_CHAIN_FLAGS)
2918 return -EOPNOTSUPP;
2919
2920 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2921
2922 if (chain != NULL) {
2923 if (chain->flags & NFT_CHAIN_BINDING)
2924 return -EINVAL;
2925
2926 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
2927 NL_SET_BAD_ATTR(extack, attr);
2928 return -EEXIST;
2929 }
2930 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
2931 return -EOPNOTSUPP;
2932
2933 flags |= chain->flags & NFT_CHAIN_BASE;
2934 return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
2935 extack);
2936 }
2937
2938 return nf_tables_addchain(&ctx, family, genmask, policy, flags, extack);
2939 }
2940
nft_delchain_hook(struct nft_ctx * ctx,struct nft_base_chain * basechain,struct netlink_ext_ack * extack)2941 static int nft_delchain_hook(struct nft_ctx *ctx,
2942 struct nft_base_chain *basechain,
2943 struct netlink_ext_ack *extack)
2944 {
2945 const struct nft_chain *chain = &basechain->chain;
2946 const struct nlattr * const *nla = ctx->nla;
2947 struct nft_chain_hook chain_hook = {};
2948 struct nft_hook *this, *hook;
2949 LIST_HEAD(chain_del_list);
2950 struct nft_trans *trans;
2951 int err;
2952
2953 if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
2954 return -EOPNOTSUPP;
2955
2956 err = nft_chain_parse_hook(ctx->net, basechain, nla, &chain_hook,
2957 ctx->family, chain->flags, extack);
2958 if (err < 0)
2959 return err;
2960
2961 list_for_each_entry(this, &chain_hook.list, list) {
2962 hook = nft_hook_list_find(&basechain->hook_list, this);
2963 if (!hook) {
2964 err = -ENOENT;
2965 goto err_chain_del_hook;
2966 }
2967 list_move(&hook->list, &chain_del_list);
2968 }
2969
2970 trans = nft_trans_alloc_chain(ctx, NFT_MSG_DELCHAIN);
2971 if (!trans) {
2972 err = -ENOMEM;
2973 goto err_chain_del_hook;
2974 }
2975
2976 nft_trans_basechain(trans) = basechain;
2977 nft_trans_chain_update(trans) = true;
2978 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
2979 list_splice(&chain_del_list, &nft_trans_chain_hooks(trans));
2980 nft_chain_release_hook(&chain_hook);
2981
2982 nft_trans_commit_list_add_tail(ctx->net, trans);
2983
2984 return 0;
2985
2986 err_chain_del_hook:
2987 list_splice(&chain_del_list, &basechain->hook_list);
2988 nft_chain_release_hook(&chain_hook);
2989
2990 return err;
2991 }
2992
nf_tables_delchain(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])2993 static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info,
2994 const struct nlattr * const nla[])
2995 {
2996 struct netlink_ext_ack *extack = info->extack;
2997 u8 genmask = nft_genmask_next(info->net);
2998 u8 family = info->nfmsg->nfgen_family;
2999 struct net *net = info->net;
3000 const struct nlattr *attr;
3001 struct nft_table *table;
3002 struct nft_chain *chain;
3003 struct nft_rule *rule;
3004 struct nft_ctx ctx;
3005 u64 handle;
3006 u32 use;
3007 int err;
3008
3009 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
3010 NETLINK_CB(skb).portid);
3011 if (IS_ERR(table)) {
3012 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
3013 return PTR_ERR(table);
3014 }
3015
3016 if (nla[NFTA_CHAIN_HANDLE]) {
3017 attr = nla[NFTA_CHAIN_HANDLE];
3018 handle = be64_to_cpu(nla_get_be64(attr));
3019 chain = nft_chain_lookup_byhandle(table, handle, genmask);
3020 } else {
3021 attr = nla[NFTA_CHAIN_NAME];
3022 chain = nft_chain_lookup(net, table, attr, genmask);
3023 }
3024 if (IS_ERR(chain)) {
3025 if (PTR_ERR(chain) == -ENOENT &&
3026 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN)
3027 return 0;
3028
3029 NL_SET_BAD_ATTR(extack, attr);
3030 return PTR_ERR(chain);
3031 }
3032
3033 if (nft_chain_binding(chain))
3034 return -EOPNOTSUPP;
3035
3036 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
3037
3038 if (nla[NFTA_CHAIN_HOOK]) {
3039 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN ||
3040 chain->flags & NFT_CHAIN_HW_OFFLOAD)
3041 return -EOPNOTSUPP;
3042
3043 if (nft_is_base_chain(chain)) {
3044 struct nft_base_chain *basechain = nft_base_chain(chain);
3045
3046 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
3047 return nft_delchain_hook(&ctx, basechain, extack);
3048 }
3049 }
3050
3051 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
3052 chain->use > 0)
3053 return -EBUSY;
3054
3055 use = chain->use;
3056 list_for_each_entry(rule, &chain->rules, list) {
3057 if (!nft_is_active_next(net, rule))
3058 continue;
3059 use--;
3060
3061 err = nft_delrule(&ctx, rule);
3062 if (err < 0)
3063 return err;
3064 }
3065
3066 /* There are rules and elements that are still holding references to us,
3067 * we cannot do a recursive removal in this case.
3068 */
3069 if (use > 0) {
3070 NL_SET_BAD_ATTR(extack, attr);
3071 return -EBUSY;
3072 }
3073
3074 return nft_delchain(&ctx);
3075 }
3076
3077 /*
3078 * Expressions
3079 */
3080
3081 /**
3082 * nft_register_expr - register nf_tables expr type
3083 * @type: expr type
3084 *
3085 * Registers the expr type for use with nf_tables. Returns zero on
3086 * success or a negative errno code otherwise.
3087 */
nft_register_expr(struct nft_expr_type * type)3088 int nft_register_expr(struct nft_expr_type *type)
3089 {
3090 if (WARN_ON_ONCE(type->maxattr > NFT_EXPR_MAXATTR))
3091 return -ENOMEM;
3092
3093 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3094 if (type->family == NFPROTO_UNSPEC)
3095 list_add_tail_rcu(&type->list, &nf_tables_expressions);
3096 else
3097 list_add_rcu(&type->list, &nf_tables_expressions);
3098 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3099 return 0;
3100 }
3101 EXPORT_SYMBOL_GPL(nft_register_expr);
3102
3103 /**
3104 * nft_unregister_expr - unregister nf_tables expr type
3105 * @type: expr type
3106 *
3107 * Unregisters the expr typefor use with nf_tables.
3108 */
nft_unregister_expr(struct nft_expr_type * type)3109 void nft_unregister_expr(struct nft_expr_type *type)
3110 {
3111 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3112 list_del_rcu(&type->list);
3113 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3114 }
3115 EXPORT_SYMBOL_GPL(nft_unregister_expr);
3116
__nft_expr_type_get(u8 family,struct nlattr * nla)3117 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
3118 struct nlattr *nla)
3119 {
3120 const struct nft_expr_type *type, *candidate = NULL;
3121
3122 list_for_each_entry_rcu(type, &nf_tables_expressions, list) {
3123 if (!nla_strcmp(nla, type->name)) {
3124 if (!type->family && !candidate)
3125 candidate = type;
3126 else if (type->family == family)
3127 candidate = type;
3128 }
3129 }
3130 return candidate;
3131 }
3132
3133 #ifdef CONFIG_MODULES
nft_expr_type_request_module(struct net * net,u8 family,struct nlattr * nla)3134 static int nft_expr_type_request_module(struct net *net, u8 family,
3135 struct nlattr *nla)
3136 {
3137 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
3138 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
3139 return -EAGAIN;
3140
3141 return 0;
3142 }
3143 #endif
3144
nft_expr_type_get(struct net * net,u8 family,struct nlattr * nla)3145 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
3146 u8 family,
3147 struct nlattr *nla)
3148 {
3149 const struct nft_expr_type *type;
3150
3151 if (nla == NULL)
3152 return ERR_PTR(-EINVAL);
3153
3154 rcu_read_lock();
3155 type = __nft_expr_type_get(family, nla);
3156 if (type != NULL && try_module_get(type->owner)) {
3157 rcu_read_unlock();
3158 return type;
3159 }
3160 rcu_read_unlock();
3161
3162 lockdep_nfnl_nft_mutex_not_held();
3163 #ifdef CONFIG_MODULES
3164 if (type == NULL) {
3165 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
3166 return ERR_PTR(-EAGAIN);
3167
3168 if (nft_request_module(net, "nft-expr-%.*s",
3169 nla_len(nla),
3170 (char *)nla_data(nla)) == -EAGAIN)
3171 return ERR_PTR(-EAGAIN);
3172 }
3173 #endif
3174 return ERR_PTR(-ENOENT);
3175 }
3176
3177 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
3178 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
3179 .len = NFT_MODULE_AUTOLOAD_LIMIT },
3180 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
3181 };
3182
nf_tables_fill_expr_info(struct sk_buff * skb,const struct nft_expr * expr,bool reset)3183 static int nf_tables_fill_expr_info(struct sk_buff *skb,
3184 const struct nft_expr *expr, bool reset)
3185 {
3186 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
3187 goto nla_put_failure;
3188
3189 if (expr->ops->dump) {
3190 struct nlattr *data = nla_nest_start_noflag(skb,
3191 NFTA_EXPR_DATA);
3192 if (data == NULL)
3193 goto nla_put_failure;
3194 if (expr->ops->dump(skb, expr, reset) < 0)
3195 goto nla_put_failure;
3196 nla_nest_end(skb, data);
3197 }
3198
3199 return skb->len;
3200
3201 nla_put_failure:
3202 return -1;
3203 };
3204
nft_expr_dump(struct sk_buff * skb,unsigned int attr,const struct nft_expr * expr,bool reset)3205 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
3206 const struct nft_expr *expr, bool reset)
3207 {
3208 struct nlattr *nest;
3209
3210 nest = nla_nest_start_noflag(skb, attr);
3211 if (!nest)
3212 goto nla_put_failure;
3213 if (nf_tables_fill_expr_info(skb, expr, reset) < 0)
3214 goto nla_put_failure;
3215 nla_nest_end(skb, nest);
3216 return 0;
3217
3218 nla_put_failure:
3219 return -1;
3220 }
3221
3222 struct nft_expr_info {
3223 const struct nft_expr_ops *ops;
3224 const struct nlattr *attr;
3225 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
3226 };
3227
nf_tables_expr_parse(const struct nft_ctx * ctx,const struct nlattr * nla,struct nft_expr_info * info)3228 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
3229 const struct nlattr *nla,
3230 struct nft_expr_info *info)
3231 {
3232 const struct nft_expr_type *type;
3233 const struct nft_expr_ops *ops;
3234 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3235 int err;
3236
3237 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3238 nft_expr_policy, NULL);
3239 if (err < 0)
3240 return err;
3241
3242 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
3243 if (IS_ERR(type))
3244 return PTR_ERR(type);
3245
3246 if (tb[NFTA_EXPR_DATA]) {
3247 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
3248 tb[NFTA_EXPR_DATA],
3249 type->policy, NULL);
3250 if (err < 0)
3251 goto err1;
3252 } else
3253 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
3254
3255 if (type->select_ops != NULL) {
3256 ops = type->select_ops(ctx,
3257 (const struct nlattr * const *)info->tb);
3258 if (IS_ERR(ops)) {
3259 err = PTR_ERR(ops);
3260 #ifdef CONFIG_MODULES
3261 if (err == -EAGAIN)
3262 if (nft_expr_type_request_module(ctx->net,
3263 ctx->family,
3264 tb[NFTA_EXPR_NAME]) != -EAGAIN)
3265 err = -ENOENT;
3266 #endif
3267 goto err1;
3268 }
3269 } else
3270 ops = type->ops;
3271
3272 info->attr = nla;
3273 info->ops = ops;
3274
3275 return 0;
3276
3277 err1:
3278 module_put(type->owner);
3279 return err;
3280 }
3281
nft_expr_inner_parse(const struct nft_ctx * ctx,const struct nlattr * nla,struct nft_expr_info * info)3282 int nft_expr_inner_parse(const struct nft_ctx *ctx, const struct nlattr *nla,
3283 struct nft_expr_info *info)
3284 {
3285 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3286 const struct nft_expr_type *type;
3287 int err;
3288
3289 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3290 nft_expr_policy, NULL);
3291 if (err < 0)
3292 return err;
3293
3294 if (!tb[NFTA_EXPR_DATA] || !tb[NFTA_EXPR_NAME])
3295 return -EINVAL;
3296
3297 type = __nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
3298 if (!type)
3299 return -ENOENT;
3300
3301 if (!type->inner_ops)
3302 return -EOPNOTSUPP;
3303
3304 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
3305 tb[NFTA_EXPR_DATA],
3306 type->policy, NULL);
3307 if (err < 0)
3308 goto err_nla_parse;
3309
3310 info->attr = nla;
3311 info->ops = type->inner_ops;
3312
3313 return 0;
3314
3315 err_nla_parse:
3316 return err;
3317 }
3318
nf_tables_newexpr(const struct nft_ctx * ctx,const struct nft_expr_info * expr_info,struct nft_expr * expr)3319 static int nf_tables_newexpr(const struct nft_ctx *ctx,
3320 const struct nft_expr_info *expr_info,
3321 struct nft_expr *expr)
3322 {
3323 const struct nft_expr_ops *ops = expr_info->ops;
3324 int err;
3325
3326 expr->ops = ops;
3327 if (ops->init) {
3328 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb);
3329 if (err < 0)
3330 goto err1;
3331 }
3332
3333 return 0;
3334 err1:
3335 expr->ops = NULL;
3336 return err;
3337 }
3338
nf_tables_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)3339 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
3340 struct nft_expr *expr)
3341 {
3342 const struct nft_expr_type *type = expr->ops->type;
3343
3344 if (expr->ops->destroy)
3345 expr->ops->destroy(ctx, expr);
3346 module_put(type->owner);
3347 }
3348
nft_expr_init(const struct nft_ctx * ctx,const struct nlattr * nla)3349 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
3350 const struct nlattr *nla)
3351 {
3352 struct nft_expr_info expr_info;
3353 struct nft_expr *expr;
3354 struct module *owner;
3355 int err;
3356
3357 err = nf_tables_expr_parse(ctx, nla, &expr_info);
3358 if (err < 0)
3359 goto err_expr_parse;
3360
3361 err = -EOPNOTSUPP;
3362 if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL))
3363 goto err_expr_stateful;
3364
3365 err = -ENOMEM;
3366 expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT);
3367 if (expr == NULL)
3368 goto err_expr_stateful;
3369
3370 err = nf_tables_newexpr(ctx, &expr_info, expr);
3371 if (err < 0)
3372 goto err_expr_new;
3373
3374 return expr;
3375 err_expr_new:
3376 kfree(expr);
3377 err_expr_stateful:
3378 owner = expr_info.ops->type->owner;
3379 if (expr_info.ops->type->release_ops)
3380 expr_info.ops->type->release_ops(expr_info.ops);
3381
3382 module_put(owner);
3383 err_expr_parse:
3384 return ERR_PTR(err);
3385 }
3386
nft_expr_clone(struct nft_expr * dst,struct nft_expr * src,gfp_t gfp)3387 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src, gfp_t gfp)
3388 {
3389 int err;
3390
3391 if (WARN_ON_ONCE(!src->ops->clone))
3392 return -EINVAL;
3393
3394 dst->ops = src->ops;
3395 err = src->ops->clone(dst, src, gfp);
3396 if (err < 0)
3397 return err;
3398
3399 __module_get(src->ops->type->owner);
3400
3401 return 0;
3402 }
3403
nft_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)3404 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
3405 {
3406 nf_tables_expr_destroy(ctx, expr);
3407 kfree(expr);
3408 }
3409
3410 /*
3411 * Rules
3412 */
3413
__nft_rule_lookup(const struct nft_chain * chain,u64 handle)3414 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
3415 u64 handle)
3416 {
3417 struct nft_rule *rule;
3418
3419 // FIXME: this sucks
3420 list_for_each_entry_rcu(rule, &chain->rules, list) {
3421 if (handle == rule->handle)
3422 return rule;
3423 }
3424
3425 return ERR_PTR(-ENOENT);
3426 }
3427
nft_rule_lookup(const struct nft_chain * chain,const struct nlattr * nla)3428 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
3429 const struct nlattr *nla)
3430 {
3431 if (nla == NULL)
3432 return ERR_PTR(-EINVAL);
3433
3434 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
3435 }
3436
3437 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
3438 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
3439 .len = NFT_TABLE_MAXNAMELEN - 1 },
3440 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
3441 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3442 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
3443 [NFTA_RULE_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
3444 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
3445 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
3446 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
3447 .len = NFT_USERDATA_MAXLEN },
3448 [NFTA_RULE_ID] = { .type = NLA_U32 },
3449 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
3450 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
3451 };
3452
nf_tables_fill_rule_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,const struct nft_chain * chain,const struct nft_rule * rule,u64 handle,bool reset)3453 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
3454 u32 portid, u32 seq, int event,
3455 u32 flags, int family,
3456 const struct nft_table *table,
3457 const struct nft_chain *chain,
3458 const struct nft_rule *rule, u64 handle,
3459 bool reset)
3460 {
3461 struct nlmsghdr *nlh;
3462 const struct nft_expr *expr, *next;
3463 struct nlattr *list;
3464 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3465
3466 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0,
3467 nft_base_seq(net));
3468 if (!nlh)
3469 goto nla_put_failure;
3470
3471 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
3472 goto nla_put_failure;
3473 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
3474 goto nla_put_failure;
3475 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
3476 NFTA_RULE_PAD))
3477 goto nla_put_failure;
3478
3479 if (event != NFT_MSG_DELRULE && handle) {
3480 if (nla_put_be64(skb, NFTA_RULE_POSITION, cpu_to_be64(handle),
3481 NFTA_RULE_PAD))
3482 goto nla_put_failure;
3483 }
3484
3485 if (chain->flags & NFT_CHAIN_HW_OFFLOAD)
3486 nft_flow_rule_stats(chain, rule);
3487
3488 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
3489 if (list == NULL)
3490 goto nla_put_failure;
3491 nft_rule_for_each_expr(expr, next, rule) {
3492 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0)
3493 goto nla_put_failure;
3494 }
3495 nla_nest_end(skb, list);
3496
3497 if (rule->udata) {
3498 struct nft_userdata *udata = nft_userdata(rule);
3499 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
3500 udata->data) < 0)
3501 goto nla_put_failure;
3502 }
3503
3504 nlmsg_end(skb, nlh);
3505 return 0;
3506
3507 nla_put_failure:
3508 nlmsg_trim(skb, nlh);
3509 return -1;
3510 }
3511
nf_tables_rule_notify(const struct nft_ctx * ctx,const struct nft_rule * rule,int event)3512 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
3513 const struct nft_rule *rule, int event)
3514 {
3515 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
3516 const struct nft_rule *prule;
3517 struct sk_buff *skb;
3518 u64 handle = 0;
3519 u16 flags = 0;
3520 int err;
3521
3522 if (!ctx->report &&
3523 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3524 return;
3525
3526 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3527 if (skb == NULL)
3528 goto err;
3529
3530 if (event == NFT_MSG_NEWRULE &&
3531 !list_is_first(&rule->list, &ctx->chain->rules) &&
3532 !list_is_last(&rule->list, &ctx->chain->rules)) {
3533 prule = list_prev_entry(rule, list);
3534 handle = prule->handle;
3535 }
3536 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE))
3537 flags |= NLM_F_APPEND;
3538 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
3539 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
3540
3541 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
3542 event, flags, ctx->family, ctx->table,
3543 ctx->chain, rule, handle, false);
3544 if (err < 0) {
3545 kfree_skb(skb);
3546 goto err;
3547 }
3548
3549 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
3550 return;
3551 err:
3552 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
3553 }
3554
audit_log_rule_reset(const struct nft_table * table,unsigned int base_seq,unsigned int nentries)3555 static void audit_log_rule_reset(const struct nft_table *table,
3556 unsigned int base_seq,
3557 unsigned int nentries)
3558 {
3559 char *buf = kasprintf(GFP_ATOMIC, "%s:%u",
3560 table->name, base_seq);
3561
3562 audit_log_nfcfg(buf, table->family, nentries,
3563 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC);
3564 kfree(buf);
3565 }
3566
3567 struct nft_rule_dump_ctx {
3568 unsigned int s_idx;
3569 char *table;
3570 char *chain;
3571 bool reset;
3572 };
3573
__nf_tables_dump_rules(struct sk_buff * skb,unsigned int * idx,struct netlink_callback * cb,const struct nft_table * table,const struct nft_chain * chain)3574 static int __nf_tables_dump_rules(struct sk_buff *skb,
3575 unsigned int *idx,
3576 struct netlink_callback *cb,
3577 const struct nft_table *table,
3578 const struct nft_chain *chain)
3579 {
3580 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3581 struct net *net = sock_net(skb->sk);
3582 const struct nft_rule *rule, *prule;
3583 unsigned int entries = 0;
3584 int ret = 0;
3585 u64 handle;
3586
3587 prule = NULL;
3588 list_for_each_entry_rcu(rule, &chain->rules, list) {
3589 if (!nft_is_active(net, rule))
3590 goto cont_skip;
3591 if (*idx < ctx->s_idx)
3592 goto cont;
3593 if (prule)
3594 handle = prule->handle;
3595 else
3596 handle = 0;
3597
3598 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
3599 cb->nlh->nlmsg_seq,
3600 NFT_MSG_NEWRULE,
3601 NLM_F_MULTI | NLM_F_APPEND,
3602 table->family,
3603 table, chain, rule, handle, ctx->reset) < 0) {
3604 ret = 1;
3605 break;
3606 }
3607 entries++;
3608 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3609 cont:
3610 prule = rule;
3611 cont_skip:
3612 (*idx)++;
3613 }
3614
3615 if (ctx->reset && entries)
3616 audit_log_rule_reset(table, cb->seq, entries);
3617
3618 return ret;
3619 }
3620
nf_tables_dump_rules(struct sk_buff * skb,struct netlink_callback * cb)3621 static int nf_tables_dump_rules(struct sk_buff *skb,
3622 struct netlink_callback *cb)
3623 {
3624 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
3625 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3626 struct nft_table *table;
3627 const struct nft_chain *chain;
3628 unsigned int idx = 0;
3629 struct net *net = sock_net(skb->sk);
3630 int family = nfmsg->nfgen_family;
3631 struct nftables_pernet *nft_net;
3632
3633 rcu_read_lock();
3634 nft_net = nft_pernet(net);
3635 cb->seq = READ_ONCE(nft_net->base_seq);
3636
3637 list_for_each_entry_rcu(table, &nft_net->tables, list) {
3638 if (family != NFPROTO_UNSPEC && family != table->family)
3639 continue;
3640
3641 if (ctx->table && strcmp(ctx->table, table->name) != 0)
3642 continue;
3643
3644 if (ctx->table && ctx->chain) {
3645 struct rhlist_head *list, *tmp;
3646
3647 list = rhltable_lookup(&table->chains_ht, ctx->chain,
3648 nft_chain_ht_params);
3649 if (!list)
3650 goto done;
3651
3652 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
3653 if (!nft_is_active(net, chain))
3654 continue;
3655 __nf_tables_dump_rules(skb, &idx,
3656 cb, table, chain);
3657 break;
3658 }
3659 goto done;
3660 }
3661
3662 list_for_each_entry_rcu(chain, &table->chains, list) {
3663 if (__nf_tables_dump_rules(skb, &idx,
3664 cb, table, chain))
3665 goto done;
3666 }
3667
3668 if (ctx->table)
3669 break;
3670 }
3671 done:
3672 rcu_read_unlock();
3673
3674 ctx->s_idx = idx;
3675 return skb->len;
3676 }
3677
nf_tables_dumpreset_rules(struct sk_buff * skb,struct netlink_callback * cb)3678 static int nf_tables_dumpreset_rules(struct sk_buff *skb,
3679 struct netlink_callback *cb)
3680 {
3681 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk));
3682 int ret;
3683
3684 /* Mutex is held is to prevent that two concurrent dump-and-reset calls
3685 * do not underrun counters and quotas. The commit_mutex is used for
3686 * the lack a better lock, this is not transaction path.
3687 */
3688 mutex_lock(&nft_net->commit_mutex);
3689 ret = nf_tables_dump_rules(skb, cb);
3690 mutex_unlock(&nft_net->commit_mutex);
3691
3692 return ret;
3693 }
3694
nf_tables_dump_rules_start(struct netlink_callback * cb)3695 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
3696 {
3697 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3698 const struct nlattr * const *nla = cb->data;
3699
3700 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));
3701
3702 if (nla[NFTA_RULE_TABLE]) {
3703 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE], GFP_ATOMIC);
3704 if (!ctx->table)
3705 return -ENOMEM;
3706 }
3707 if (nla[NFTA_RULE_CHAIN]) {
3708 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN], GFP_ATOMIC);
3709 if (!ctx->chain) {
3710 kfree(ctx->table);
3711 return -ENOMEM;
3712 }
3713 }
3714 return 0;
3715 }
3716
nf_tables_dumpreset_rules_start(struct netlink_callback * cb)3717 static int nf_tables_dumpreset_rules_start(struct netlink_callback *cb)
3718 {
3719 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3720
3721 ctx->reset = true;
3722
3723 return nf_tables_dump_rules_start(cb);
3724 }
3725
nf_tables_dump_rules_done(struct netlink_callback * cb)3726 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3727 {
3728 struct nft_rule_dump_ctx *ctx = (void *)cb->ctx;
3729
3730 kfree(ctx->table);
3731 kfree(ctx->chain);
3732 return 0;
3733 }
3734
3735 /* called with rcu_read_lock held */
3736 static struct sk_buff *
nf_tables_getrule_single(u32 portid,const struct nfnl_info * info,const struct nlattr * const nla[],bool reset)3737 nf_tables_getrule_single(u32 portid, const struct nfnl_info *info,
3738 const struct nlattr * const nla[], bool reset)
3739 {
3740 struct netlink_ext_ack *extack = info->extack;
3741 u8 genmask = nft_genmask_cur(info->net);
3742 u8 family = info->nfmsg->nfgen_family;
3743 const struct nft_chain *chain;
3744 const struct nft_rule *rule;
3745 struct net *net = info->net;
3746 struct nft_table *table;
3747 struct sk_buff *skb2;
3748 int err;
3749
3750 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0);
3751 if (IS_ERR(table)) {
3752 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3753 return ERR_CAST(table);
3754 }
3755
3756 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3757 if (IS_ERR(chain)) {
3758 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3759 return ERR_CAST(chain);
3760 }
3761
3762 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3763 if (IS_ERR(rule)) {
3764 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3765 return ERR_CAST(rule);
3766 }
3767
3768 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3769 if (!skb2)
3770 return ERR_PTR(-ENOMEM);
3771
3772 err = nf_tables_fill_rule_info(skb2, net, portid,
3773 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3774 family, table, chain, rule, 0, reset);
3775 if (err < 0) {
3776 kfree_skb(skb2);
3777 return ERR_PTR(err);
3778 }
3779
3780 return skb2;
3781 }
3782
nf_tables_getrule(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])3783 static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info,
3784 const struct nlattr * const nla[])
3785 {
3786 u32 portid = NETLINK_CB(skb).portid;
3787 struct net *net = info->net;
3788 struct sk_buff *skb2;
3789
3790 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3791 struct netlink_dump_control c = {
3792 .start= nf_tables_dump_rules_start,
3793 .dump = nf_tables_dump_rules,
3794 .done = nf_tables_dump_rules_done,
3795 .module = THIS_MODULE,
3796 .data = (void *)nla,
3797 };
3798
3799 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
3800 }
3801
3802 skb2 = nf_tables_getrule_single(portid, info, nla, false);
3803 if (IS_ERR(skb2))
3804 return PTR_ERR(skb2);
3805
3806 return nfnetlink_unicast(skb2, net, portid);
3807 }
3808
nf_tables_getrule_reset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])3809 static int nf_tables_getrule_reset(struct sk_buff *skb,
3810 const struct nfnl_info *info,
3811 const struct nlattr * const nla[])
3812 {
3813 struct nftables_pernet *nft_net = nft_pernet(info->net);
3814 u32 portid = NETLINK_CB(skb).portid;
3815 struct net *net = info->net;
3816 struct sk_buff *skb2;
3817 char *buf;
3818
3819 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3820 struct netlink_dump_control c = {
3821 .start= nf_tables_dumpreset_rules_start,
3822 .dump = nf_tables_dumpreset_rules,
3823 .done = nf_tables_dump_rules_done,
3824 .module = THIS_MODULE,
3825 .data = (void *)nla,
3826 };
3827
3828 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
3829 }
3830
3831 if (!try_module_get(THIS_MODULE))
3832 return -EINVAL;
3833 rcu_read_unlock();
3834 mutex_lock(&nft_net->commit_mutex);
3835 skb2 = nf_tables_getrule_single(portid, info, nla, true);
3836 mutex_unlock(&nft_net->commit_mutex);
3837 rcu_read_lock();
3838 module_put(THIS_MODULE);
3839
3840 if (IS_ERR(skb2))
3841 return PTR_ERR(skb2);
3842
3843 buf = kasprintf(GFP_ATOMIC, "%.*s:%u",
3844 nla_len(nla[NFTA_RULE_TABLE]),
3845 (char *)nla_data(nla[NFTA_RULE_TABLE]),
3846 nft_net->base_seq);
3847 audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1,
3848 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC);
3849 kfree(buf);
3850
3851 return nfnetlink_unicast(skb2, net, portid);
3852 }
3853
nf_tables_rule_destroy(const struct nft_ctx * ctx,struct nft_rule * rule)3854 void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule)
3855 {
3856 struct nft_expr *expr, *next;
3857
3858 /*
3859 * Careful: some expressions might not be initialized in case this
3860 * is called on error from nf_tables_newrule().
3861 */
3862 expr = nft_expr_first(rule);
3863 while (nft_expr_more(rule, expr)) {
3864 next = nft_expr_next(expr);
3865 nf_tables_expr_destroy(ctx, expr);
3866 expr = next;
3867 }
3868 kfree(rule);
3869 }
3870
nf_tables_rule_release(const struct nft_ctx * ctx,struct nft_rule * rule)3871 static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3872 {
3873 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
3874 nf_tables_rule_destroy(ctx, rule);
3875 }
3876
3877 /** nft_chain_validate - loop detection and hook validation
3878 *
3879 * @ctx: context containing call depth and base chain
3880 * @chain: chain to validate
3881 *
3882 * Walk through the rules of the given chain and chase all jumps/gotos
3883 * and set lookups until either the jump limit is hit or all reachable
3884 * chains have been validated.
3885 */
nft_chain_validate(const struct nft_ctx * ctx,const struct nft_chain * chain)3886 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
3887 {
3888 struct nft_expr *expr, *last;
3889 struct nft_rule *rule;
3890 int err;
3891
3892 if (ctx->level == NFT_JUMP_STACK_SIZE)
3893 return -EMLINK;
3894
3895 list_for_each_entry(rule, &chain->rules, list) {
3896 if (fatal_signal_pending(current))
3897 return -EINTR;
3898
3899 if (!nft_is_active_next(ctx->net, rule))
3900 continue;
3901
3902 nft_rule_for_each_expr(expr, last, rule) {
3903 if (!expr->ops->validate)
3904 continue;
3905
3906 /* This may call nft_chain_validate() recursively,
3907 * callers that do so must increment ctx->level.
3908 */
3909 err = expr->ops->validate(ctx, expr);
3910 if (err < 0)
3911 return err;
3912 }
3913 }
3914
3915 return 0;
3916 }
3917 EXPORT_SYMBOL_GPL(nft_chain_validate);
3918
nft_table_validate(struct net * net,const struct nft_table * table)3919 static int nft_table_validate(struct net *net, const struct nft_table *table)
3920 {
3921 struct nft_chain *chain;
3922 struct nft_ctx ctx = {
3923 .net = net,
3924 .family = table->family,
3925 };
3926 int err;
3927
3928 list_for_each_entry(chain, &table->chains, list) {
3929 if (!nft_is_base_chain(chain))
3930 continue;
3931
3932 ctx.chain = chain;
3933 err = nft_chain_validate(&ctx, chain);
3934 if (err < 0)
3935 return err;
3936
3937 cond_resched();
3938 }
3939
3940 return 0;
3941 }
3942
nft_setelem_validate(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)3943 int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
3944 const struct nft_set_iter *iter,
3945 struct nft_elem_priv *elem_priv)
3946 {
3947 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
3948 struct nft_ctx *pctx = (struct nft_ctx *)ctx;
3949 const struct nft_data *data;
3950 int err;
3951
3952 if (!nft_set_elem_active(ext, iter->genmask))
3953 return 0;
3954
3955 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3956 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
3957 return 0;
3958
3959 data = nft_set_ext_data(ext);
3960 switch (data->verdict.code) {
3961 case NFT_JUMP:
3962 case NFT_GOTO:
3963 pctx->level++;
3964 err = nft_chain_validate(ctx, data->verdict.chain);
3965 if (err < 0)
3966 return err;
3967 pctx->level--;
3968 break;
3969 default:
3970 break;
3971 }
3972
3973 return 0;
3974 }
3975
nft_set_catchall_validate(const struct nft_ctx * ctx,struct nft_set * set)3976 int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set)
3977 {
3978 struct nft_set_iter dummy_iter = {
3979 .genmask = nft_genmask_next(ctx->net),
3980 };
3981 struct nft_set_elem_catchall *catchall;
3982
3983 struct nft_set_ext *ext;
3984 int ret = 0;
3985
3986 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
3987 ext = nft_set_elem_ext(set, catchall->elem);
3988 if (!nft_set_elem_active(ext, dummy_iter.genmask))
3989 continue;
3990
3991 ret = nft_setelem_validate(ctx, set, &dummy_iter, catchall->elem);
3992 if (ret < 0)
3993 return ret;
3994 }
3995
3996 return ret;
3997 }
3998
3999 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
4000 const struct nft_chain *chain,
4001 const struct nlattr *nla);
4002
4003 #define NFT_RULE_MAXEXPRS 128
4004
nf_tables_newrule(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])4005 static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
4006 const struct nlattr * const nla[])
4007 {
4008 struct nftables_pernet *nft_net = nft_pernet(info->net);
4009 struct netlink_ext_ack *extack = info->extack;
4010 unsigned int size, i, n, ulen = 0, usize = 0;
4011 u8 genmask = nft_genmask_next(info->net);
4012 struct nft_rule *rule, *old_rule = NULL;
4013 struct nft_expr_info *expr_info = NULL;
4014 u8 family = info->nfmsg->nfgen_family;
4015 struct nft_flow_rule *flow = NULL;
4016 struct net *net = info->net;
4017 struct nft_userdata *udata;
4018 struct nft_table *table;
4019 struct nft_chain *chain;
4020 struct nft_trans *trans;
4021 u64 handle, pos_handle;
4022 struct nft_expr *expr;
4023 struct nft_ctx ctx;
4024 struct nlattr *tmp;
4025 int err, rem;
4026
4027 lockdep_assert_held(&nft_net->commit_mutex);
4028
4029 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
4030 NETLINK_CB(skb).portid);
4031 if (IS_ERR(table)) {
4032 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
4033 return PTR_ERR(table);
4034 }
4035
4036 if (nla[NFTA_RULE_CHAIN]) {
4037 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
4038 genmask);
4039 if (IS_ERR(chain)) {
4040 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
4041 return PTR_ERR(chain);
4042 }
4043
4044 } else if (nla[NFTA_RULE_CHAIN_ID]) {
4045 chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID],
4046 genmask);
4047 if (IS_ERR(chain)) {
4048 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
4049 return PTR_ERR(chain);
4050 }
4051 } else {
4052 return -EINVAL;
4053 }
4054
4055 if (nft_chain_is_bound(chain))
4056 return -EOPNOTSUPP;
4057
4058 if (nla[NFTA_RULE_HANDLE]) {
4059 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
4060 rule = __nft_rule_lookup(chain, handle);
4061 if (IS_ERR(rule)) {
4062 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4063 return PTR_ERR(rule);
4064 }
4065
4066 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
4067 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4068 return -EEXIST;
4069 }
4070 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
4071 old_rule = rule;
4072 else
4073 return -EOPNOTSUPP;
4074 } else {
4075 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) ||
4076 info->nlh->nlmsg_flags & NLM_F_REPLACE)
4077 return -EINVAL;
4078 handle = nf_tables_alloc_handle(table);
4079
4080 if (nla[NFTA_RULE_POSITION]) {
4081 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
4082 old_rule = __nft_rule_lookup(chain, pos_handle);
4083 if (IS_ERR(old_rule)) {
4084 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
4085 return PTR_ERR(old_rule);
4086 }
4087 } else if (nla[NFTA_RULE_POSITION_ID]) {
4088 old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]);
4089 if (IS_ERR(old_rule)) {
4090 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
4091 return PTR_ERR(old_rule);
4092 }
4093 }
4094 }
4095
4096 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
4097
4098 n = 0;
4099 size = 0;
4100 if (nla[NFTA_RULE_EXPRESSIONS]) {
4101 expr_info = kvmalloc_array(NFT_RULE_MAXEXPRS,
4102 sizeof(struct nft_expr_info),
4103 GFP_KERNEL);
4104 if (!expr_info)
4105 return -ENOMEM;
4106
4107 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
4108 err = -EINVAL;
4109 if (nla_type(tmp) != NFTA_LIST_ELEM)
4110 goto err_release_expr;
4111 if (n == NFT_RULE_MAXEXPRS)
4112 goto err_release_expr;
4113 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]);
4114 if (err < 0) {
4115 NL_SET_BAD_ATTR(extack, tmp);
4116 goto err_release_expr;
4117 }
4118 size += expr_info[n].ops->size;
4119 n++;
4120 }
4121 }
4122 /* Check for overflow of dlen field */
4123 err = -EFBIG;
4124 if (size >= 1 << 12)
4125 goto err_release_expr;
4126
4127 if (nla[NFTA_RULE_USERDATA]) {
4128 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
4129 if (ulen > 0)
4130 usize = sizeof(struct nft_userdata) + ulen;
4131 }
4132
4133 err = -ENOMEM;
4134 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT);
4135 if (rule == NULL)
4136 goto err_release_expr;
4137
4138 nft_activate_next(net, rule);
4139
4140 rule->handle = handle;
4141 rule->dlen = size;
4142 rule->udata = ulen ? 1 : 0;
4143
4144 if (ulen) {
4145 udata = nft_userdata(rule);
4146 udata->len = ulen - 1;
4147 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
4148 }
4149
4150 expr = nft_expr_first(rule);
4151 for (i = 0; i < n; i++) {
4152 err = nf_tables_newexpr(&ctx, &expr_info[i], expr);
4153 if (err < 0) {
4154 NL_SET_BAD_ATTR(extack, expr_info[i].attr);
4155 goto err_release_rule;
4156 }
4157
4158 if (expr_info[i].ops->validate)
4159 nft_validate_state_update(table, NFT_VALIDATE_NEED);
4160
4161 expr_info[i].ops = NULL;
4162 expr = nft_expr_next(expr);
4163 }
4164
4165 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
4166 flow = nft_flow_rule_create(net, rule);
4167 if (IS_ERR(flow)) {
4168 err = PTR_ERR(flow);
4169 goto err_release_rule;
4170 }
4171 }
4172
4173 if (!nft_use_inc(&chain->use)) {
4174 err = -EMFILE;
4175 goto err_release_rule;
4176 }
4177
4178 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
4179 if (nft_chain_binding(chain)) {
4180 err = -EOPNOTSUPP;
4181 goto err_destroy_flow_rule;
4182 }
4183
4184 err = nft_delrule(&ctx, old_rule);
4185 if (err < 0)
4186 goto err_destroy_flow_rule;
4187
4188 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
4189 if (trans == NULL) {
4190 err = -ENOMEM;
4191 goto err_destroy_flow_rule;
4192 }
4193 list_add_tail_rcu(&rule->list, &old_rule->list);
4194 } else {
4195 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
4196 if (!trans) {
4197 err = -ENOMEM;
4198 goto err_destroy_flow_rule;
4199 }
4200
4201 if (info->nlh->nlmsg_flags & NLM_F_APPEND) {
4202 if (old_rule)
4203 list_add_rcu(&rule->list, &old_rule->list);
4204 else
4205 list_add_tail_rcu(&rule->list, &chain->rules);
4206 } else {
4207 if (old_rule)
4208 list_add_tail_rcu(&rule->list, &old_rule->list);
4209 else
4210 list_add_rcu(&rule->list, &chain->rules);
4211 }
4212 }
4213 kvfree(expr_info);
4214
4215 if (flow)
4216 nft_trans_flow_rule(trans) = flow;
4217
4218 if (table->validate_state == NFT_VALIDATE_DO)
4219 return nft_table_validate(net, table);
4220
4221 return 0;
4222
4223 err_destroy_flow_rule:
4224 nft_use_dec_restore(&chain->use);
4225 if (flow)
4226 nft_flow_rule_destroy(flow);
4227 err_release_rule:
4228 nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR);
4229 nf_tables_rule_destroy(&ctx, rule);
4230 err_release_expr:
4231 for (i = 0; i < n; i++) {
4232 if (expr_info[i].ops) {
4233 module_put(expr_info[i].ops->type->owner);
4234 if (expr_info[i].ops->type->release_ops)
4235 expr_info[i].ops->type->release_ops(expr_info[i].ops);
4236 }
4237 }
4238 kvfree(expr_info);
4239
4240 return err;
4241 }
4242
nft_rule_lookup_byid(const struct net * net,const struct nft_chain * chain,const struct nlattr * nla)4243 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
4244 const struct nft_chain *chain,
4245 const struct nlattr *nla)
4246 {
4247 struct nftables_pernet *nft_net = nft_pernet(net);
4248 u32 id = ntohl(nla_get_be32(nla));
4249 struct nft_trans *trans;
4250
4251 list_for_each_entry(trans, &nft_net->commit_list, list) {
4252 if (trans->msg_type == NFT_MSG_NEWRULE &&
4253 nft_trans_rule_chain(trans) == chain &&
4254 id == nft_trans_rule_id(trans))
4255 return nft_trans_rule(trans);
4256 }
4257 return ERR_PTR(-ENOENT);
4258 }
4259
nf_tables_delrule(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])4260 static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
4261 const struct nlattr * const nla[])
4262 {
4263 struct netlink_ext_ack *extack = info->extack;
4264 u8 genmask = nft_genmask_next(info->net);
4265 u8 family = info->nfmsg->nfgen_family;
4266 struct nft_chain *chain = NULL;
4267 struct net *net = info->net;
4268 struct nft_table *table;
4269 struct nft_rule *rule;
4270 struct nft_ctx ctx;
4271 int err = 0;
4272
4273 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
4274 NETLINK_CB(skb).portid);
4275 if (IS_ERR(table)) {
4276 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
4277 return PTR_ERR(table);
4278 }
4279
4280 if (nla[NFTA_RULE_CHAIN]) {
4281 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
4282 genmask);
4283 if (IS_ERR(chain)) {
4284 if (PTR_ERR(chain) == -ENOENT &&
4285 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
4286 return 0;
4287
4288 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
4289 return PTR_ERR(chain);
4290 }
4291 if (nft_chain_binding(chain))
4292 return -EOPNOTSUPP;
4293 }
4294
4295 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
4296
4297 if (chain) {
4298 if (nla[NFTA_RULE_HANDLE]) {
4299 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
4300 if (IS_ERR(rule)) {
4301 if (PTR_ERR(rule) == -ENOENT &&
4302 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
4303 return 0;
4304
4305 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4306 return PTR_ERR(rule);
4307 }
4308
4309 err = nft_delrule(&ctx, rule);
4310 } else if (nla[NFTA_RULE_ID]) {
4311 rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]);
4312 if (IS_ERR(rule)) {
4313 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
4314 return PTR_ERR(rule);
4315 }
4316
4317 err = nft_delrule(&ctx, rule);
4318 } else {
4319 err = nft_delrule_by_chain(&ctx);
4320 }
4321 } else {
4322 list_for_each_entry(chain, &table->chains, list) {
4323 if (!nft_is_active_next(net, chain))
4324 continue;
4325 if (nft_chain_binding(chain))
4326 continue;
4327
4328 ctx.chain = chain;
4329 err = nft_delrule_by_chain(&ctx);
4330 if (err < 0)
4331 break;
4332 }
4333 }
4334
4335 return err;
4336 }
4337
4338 /*
4339 * Sets
4340 */
4341 static const struct nft_set_type *nft_set_types[] = {
4342 &nft_set_hash_fast_type,
4343 &nft_set_hash_type,
4344 &nft_set_rhash_type,
4345 &nft_set_bitmap_type,
4346 &nft_set_rbtree_type,
4347 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
4348 &nft_set_pipapo_avx2_type,
4349 #endif
4350 &nft_set_pipapo_type,
4351 };
4352
4353 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
4354 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
4355 NFT_SET_EVAL)
4356
nft_set_ops_candidate(const struct nft_set_type * type,u32 flags)4357 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
4358 {
4359 return (flags & type->features) == (flags & NFT_SET_FEATURES);
4360 }
4361
4362 /*
4363 * Select a set implementation based on the data characteristics and the
4364 * given policy. The total memory use might not be known if no size is
4365 * given, in that case the amount of memory per element is used.
4366 */
4367 static const struct nft_set_ops *
nft_select_set_ops(const struct nft_ctx * ctx,u32 flags,const struct nft_set_desc * desc)4368 nft_select_set_ops(const struct nft_ctx *ctx, u32 flags,
4369 const struct nft_set_desc *desc)
4370 {
4371 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
4372 const struct nft_set_ops *ops, *bops;
4373 struct nft_set_estimate est, best;
4374 const struct nft_set_type *type;
4375 int i;
4376
4377 lockdep_assert_held(&nft_net->commit_mutex);
4378 lockdep_nfnl_nft_mutex_not_held();
4379
4380 bops = NULL;
4381 best.size = ~0;
4382 best.lookup = ~0;
4383 best.space = ~0;
4384
4385 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
4386 type = nft_set_types[i];
4387 ops = &type->ops;
4388
4389 if (!nft_set_ops_candidate(type, flags))
4390 continue;
4391 if (!ops->estimate(desc, flags, &est))
4392 continue;
4393
4394 switch (desc->policy) {
4395 case NFT_SET_POL_PERFORMANCE:
4396 if (est.lookup < best.lookup)
4397 break;
4398 if (est.lookup == best.lookup &&
4399 est.space < best.space)
4400 break;
4401 continue;
4402 case NFT_SET_POL_MEMORY:
4403 if (!desc->size) {
4404 if (est.space < best.space)
4405 break;
4406 if (est.space == best.space &&
4407 est.lookup < best.lookup)
4408 break;
4409 } else if (est.size < best.size || !bops) {
4410 break;
4411 }
4412 continue;
4413 default:
4414 break;
4415 }
4416
4417 bops = ops;
4418 best = est;
4419 }
4420
4421 if (bops != NULL)
4422 return bops;
4423
4424 return ERR_PTR(-EOPNOTSUPP);
4425 }
4426
4427 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
4428 [NFTA_SET_TABLE] = { .type = NLA_STRING,
4429 .len = NFT_TABLE_MAXNAMELEN - 1 },
4430 [NFTA_SET_NAME] = { .type = NLA_STRING,
4431 .len = NFT_SET_MAXNAMELEN - 1 },
4432 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
4433 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
4434 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
4435 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
4436 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
4437 [NFTA_SET_POLICY] = { .type = NLA_U32 },
4438 [NFTA_SET_DESC] = { .type = NLA_NESTED },
4439 [NFTA_SET_ID] = { .type = NLA_U32 },
4440 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
4441 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
4442 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
4443 .len = NFT_USERDATA_MAXLEN },
4444 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
4445 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
4446 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
4447 [NFTA_SET_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
4448 };
4449
4450 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4451 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
4452 };
4453
4454 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
4455 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
4456 [NFTA_SET_DESC_CONCAT] = NLA_POLICY_NESTED_ARRAY(nft_concat_policy),
4457 };
4458
nft_set_lookup(const struct nft_table * table,const struct nlattr * nla,u8 genmask)4459 static struct nft_set *nft_set_lookup(const struct nft_table *table,
4460 const struct nlattr *nla, u8 genmask)
4461 {
4462 struct nft_set *set;
4463
4464 if (nla == NULL)
4465 return ERR_PTR(-EINVAL);
4466
4467 list_for_each_entry_rcu(set, &table->sets, list) {
4468 if (!nla_strcmp(nla, set->name) &&
4469 nft_active_genmask(set, genmask))
4470 return set;
4471 }
4472 return ERR_PTR(-ENOENT);
4473 }
4474
nft_set_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u8 genmask)4475 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
4476 const struct nlattr *nla,
4477 u8 genmask)
4478 {
4479 struct nft_set *set;
4480
4481 list_for_each_entry(set, &table->sets, list) {
4482 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
4483 nft_active_genmask(set, genmask))
4484 return set;
4485 }
4486 return ERR_PTR(-ENOENT);
4487 }
4488
nft_set_lookup_byid(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u8 genmask)4489 static struct nft_set *nft_set_lookup_byid(const struct net *net,
4490 const struct nft_table *table,
4491 const struct nlattr *nla, u8 genmask)
4492 {
4493 struct nftables_pernet *nft_net = nft_pernet(net);
4494 u32 id = ntohl(nla_get_be32(nla));
4495 struct nft_trans_set *trans;
4496
4497 /* its likely the id we need is at the tail, not at start */
4498 list_for_each_entry_reverse(trans, &nft_net->commit_set_list, list_trans_newset) {
4499 struct nft_set *set = trans->set;
4500
4501 if (id == trans->set_id &&
4502 set->table == table &&
4503 nft_active_genmask(set, genmask))
4504 return set;
4505 }
4506 return ERR_PTR(-ENOENT);
4507 }
4508
nft_set_lookup_global(const struct net * net,const struct nft_table * table,const struct nlattr * nla_set_name,const struct nlattr * nla_set_id,u8 genmask)4509 struct nft_set *nft_set_lookup_global(const struct net *net,
4510 const struct nft_table *table,
4511 const struct nlattr *nla_set_name,
4512 const struct nlattr *nla_set_id,
4513 u8 genmask)
4514 {
4515 struct nft_set *set;
4516
4517 set = nft_set_lookup(table, nla_set_name, genmask);
4518 if (IS_ERR(set)) {
4519 if (!nla_set_id)
4520 return set;
4521
4522 set = nft_set_lookup_byid(net, table, nla_set_id, genmask);
4523 }
4524 return set;
4525 }
4526 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
4527
nf_tables_set_alloc_name(struct nft_ctx * ctx,struct nft_set * set,const char * name)4528 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
4529 const char *name)
4530 {
4531 const struct nft_set *i;
4532 const char *p;
4533 unsigned long *inuse;
4534 unsigned int n = 0, min = 0;
4535
4536 p = strchr(name, '%');
4537 if (p != NULL) {
4538 if (p[1] != 'd' || strchr(p + 2, '%'))
4539 return -EINVAL;
4540
4541 if (strnlen(name, NFT_SET_MAX_ANONLEN) >= NFT_SET_MAX_ANONLEN)
4542 return -EINVAL;
4543
4544 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
4545 if (inuse == NULL)
4546 return -ENOMEM;
4547 cont:
4548 list_for_each_entry(i, &ctx->table->sets, list) {
4549 int tmp;
4550
4551 if (!nft_is_active_next(ctx->net, i))
4552 continue;
4553 if (!sscanf(i->name, name, &tmp))
4554 continue;
4555 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
4556 continue;
4557
4558 set_bit(tmp - min, inuse);
4559 }
4560
4561 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
4562 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
4563 min += BITS_PER_BYTE * PAGE_SIZE;
4564 memset(inuse, 0, PAGE_SIZE);
4565 goto cont;
4566 }
4567 free_page((unsigned long)inuse);
4568 }
4569
4570 set->name = kasprintf(GFP_KERNEL_ACCOUNT, name, min + n);
4571 if (!set->name)
4572 return -ENOMEM;
4573
4574 list_for_each_entry(i, &ctx->table->sets, list) {
4575 if (!nft_is_active_next(ctx->net, i))
4576 continue;
4577 if (!strcmp(set->name, i->name)) {
4578 kfree(set->name);
4579 set->name = NULL;
4580 return -ENFILE;
4581 }
4582 }
4583 return 0;
4584 }
4585
nf_msecs_to_jiffies64(const struct nlattr * nla,u64 * result)4586 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
4587 {
4588 u64 ms = be64_to_cpu(nla_get_be64(nla));
4589 u64 max = (u64)(~((u64)0));
4590
4591 max = div_u64(max, NSEC_PER_MSEC);
4592 if (ms >= max)
4593 return -ERANGE;
4594
4595 ms *= NSEC_PER_MSEC;
4596 *result = nsecs_to_jiffies64(ms) ? : !!ms;
4597 return 0;
4598 }
4599
nf_jiffies64_to_msecs(u64 input)4600 __be64 nf_jiffies64_to_msecs(u64 input)
4601 {
4602 return cpu_to_be64(jiffies64_to_msecs(input));
4603 }
4604
nf_tables_fill_set_concat(struct sk_buff * skb,const struct nft_set * set)4605 static int nf_tables_fill_set_concat(struct sk_buff *skb,
4606 const struct nft_set *set)
4607 {
4608 struct nlattr *concat, *field;
4609 int i;
4610
4611 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
4612 if (!concat)
4613 return -ENOMEM;
4614
4615 for (i = 0; i < set->field_count; i++) {
4616 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4617 if (!field)
4618 return -ENOMEM;
4619
4620 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
4621 htonl(set->field_len[i])))
4622 return -ENOMEM;
4623
4624 nla_nest_end(skb, field);
4625 }
4626
4627 nla_nest_end(skb, concat);
4628
4629 return 0;
4630 }
4631
nf_tables_fill_set(struct sk_buff * skb,const struct nft_ctx * ctx,const struct nft_set * set,u16 event,u16 flags)4632 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
4633 const struct nft_set *set, u16 event, u16 flags)
4634 {
4635 u64 timeout = READ_ONCE(set->timeout);
4636 u32 gc_int = READ_ONCE(set->gc_int);
4637 u32 portid = ctx->portid;
4638 struct nlmsghdr *nlh;
4639 struct nlattr *nest;
4640 u32 seq = ctx->seq;
4641 int i;
4642
4643 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4644 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
4645 NFNETLINK_V0, nft_base_seq(ctx->net));
4646 if (!nlh)
4647 goto nla_put_failure;
4648
4649 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4650 goto nla_put_failure;
4651 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4652 goto nla_put_failure;
4653 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
4654 NFTA_SET_PAD))
4655 goto nla_put_failure;
4656
4657 if (event == NFT_MSG_DELSET) {
4658 nlmsg_end(skb, nlh);
4659 return 0;
4660 }
4661
4662 if (set->flags != 0)
4663 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
4664 goto nla_put_failure;
4665
4666 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
4667 goto nla_put_failure;
4668 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
4669 goto nla_put_failure;
4670 if (set->flags & NFT_SET_MAP) {
4671 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
4672 goto nla_put_failure;
4673 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
4674 goto nla_put_failure;
4675 }
4676 if (set->flags & NFT_SET_OBJECT &&
4677 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
4678 goto nla_put_failure;
4679
4680 if (timeout &&
4681 nla_put_be64(skb, NFTA_SET_TIMEOUT,
4682 nf_jiffies64_to_msecs(timeout),
4683 NFTA_SET_PAD))
4684 goto nla_put_failure;
4685 if (gc_int &&
4686 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(gc_int)))
4687 goto nla_put_failure;
4688
4689 if (set->policy != NFT_SET_POL_PERFORMANCE) {
4690 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
4691 goto nla_put_failure;
4692 }
4693
4694 if (set->udata &&
4695 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
4696 goto nla_put_failure;
4697
4698 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
4699 if (!nest)
4700 goto nla_put_failure;
4701 if (set->size &&
4702 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
4703 goto nla_put_failure;
4704
4705 if (set->field_count > 1 &&
4706 nf_tables_fill_set_concat(skb, set))
4707 goto nla_put_failure;
4708
4709 nla_nest_end(skb, nest);
4710
4711 if (set->num_exprs == 1) {
4712 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
4713 if (nf_tables_fill_expr_info(skb, set->exprs[0], false) < 0)
4714 goto nla_put_failure;
4715
4716 nla_nest_end(skb, nest);
4717 } else if (set->num_exprs > 1) {
4718 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS);
4719 if (nest == NULL)
4720 goto nla_put_failure;
4721
4722 for (i = 0; i < set->num_exprs; i++) {
4723 if (nft_expr_dump(skb, NFTA_LIST_ELEM,
4724 set->exprs[i], false) < 0)
4725 goto nla_put_failure;
4726 }
4727 nla_nest_end(skb, nest);
4728 }
4729
4730 nlmsg_end(skb, nlh);
4731 return 0;
4732
4733 nla_put_failure:
4734 nlmsg_trim(skb, nlh);
4735 return -1;
4736 }
4737
nf_tables_set_notify(const struct nft_ctx * ctx,const struct nft_set * set,int event,gfp_t gfp_flags)4738 static void nf_tables_set_notify(const struct nft_ctx *ctx,
4739 const struct nft_set *set, int event,
4740 gfp_t gfp_flags)
4741 {
4742 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
4743 u32 portid = ctx->portid;
4744 struct sk_buff *skb;
4745 u16 flags = 0;
4746 int err;
4747
4748 if (!ctx->report &&
4749 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
4750 return;
4751
4752 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
4753 if (skb == NULL)
4754 goto err;
4755
4756 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
4757 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
4758
4759 err = nf_tables_fill_set(skb, ctx, set, event, flags);
4760 if (err < 0) {
4761 kfree_skb(skb);
4762 goto err;
4763 }
4764
4765 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
4766 return;
4767 err:
4768 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4769 }
4770
nf_tables_dump_sets(struct sk_buff * skb,struct netlink_callback * cb)4771 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
4772 {
4773 const struct nft_set *set;
4774 unsigned int idx, s_idx = cb->args[0];
4775 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
4776 struct net *net = sock_net(skb->sk);
4777 struct nft_ctx *ctx = cb->data, ctx_set;
4778 struct nftables_pernet *nft_net;
4779
4780 if (cb->args[1])
4781 return skb->len;
4782
4783 rcu_read_lock();
4784 nft_net = nft_pernet(net);
4785 cb->seq = READ_ONCE(nft_net->base_seq);
4786
4787 list_for_each_entry_rcu(table, &nft_net->tables, list) {
4788 if (ctx->family != NFPROTO_UNSPEC &&
4789 ctx->family != table->family)
4790 continue;
4791
4792 if (ctx->table && ctx->table != table)
4793 continue;
4794
4795 if (cur_table) {
4796 if (cur_table != table)
4797 continue;
4798
4799 cur_table = NULL;
4800 }
4801 idx = 0;
4802 list_for_each_entry_rcu(set, &table->sets, list) {
4803 if (idx < s_idx)
4804 goto cont;
4805 if (!nft_is_active(net, set))
4806 goto cont;
4807
4808 ctx_set = *ctx;
4809 ctx_set.table = table;
4810 ctx_set.family = table->family;
4811
4812 if (nf_tables_fill_set(skb, &ctx_set, set,
4813 NFT_MSG_NEWSET,
4814 NLM_F_MULTI) < 0) {
4815 cb->args[0] = idx;
4816 cb->args[2] = (unsigned long) table;
4817 goto done;
4818 }
4819 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4820 cont:
4821 idx++;
4822 }
4823 if (s_idx)
4824 s_idx = 0;
4825 }
4826 cb->args[1] = 1;
4827 done:
4828 rcu_read_unlock();
4829 return skb->len;
4830 }
4831
nf_tables_dump_sets_start(struct netlink_callback * cb)4832 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
4833 {
4834 struct nft_ctx *ctx_dump = NULL;
4835
4836 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
4837 if (ctx_dump == NULL)
4838 return -ENOMEM;
4839
4840 cb->data = ctx_dump;
4841 return 0;
4842 }
4843
nf_tables_dump_sets_done(struct netlink_callback * cb)4844 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
4845 {
4846 kfree(cb->data);
4847 return 0;
4848 }
4849
4850 /* called with rcu_read_lock held */
nf_tables_getset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])4851 static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info,
4852 const struct nlattr * const nla[])
4853 {
4854 struct netlink_ext_ack *extack = info->extack;
4855 u8 genmask = nft_genmask_cur(info->net);
4856 u8 family = info->nfmsg->nfgen_family;
4857 struct nft_table *table = NULL;
4858 struct net *net = info->net;
4859 const struct nft_set *set;
4860 struct sk_buff *skb2;
4861 struct nft_ctx ctx;
4862 int err;
4863
4864 if (nla[NFTA_SET_TABLE]) {
4865 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
4866 genmask, 0);
4867 if (IS_ERR(table)) {
4868 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4869 return PTR_ERR(table);
4870 }
4871 }
4872
4873 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
4874
4875 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
4876 struct netlink_dump_control c = {
4877 .start = nf_tables_dump_sets_start,
4878 .dump = nf_tables_dump_sets,
4879 .done = nf_tables_dump_sets_done,
4880 .data = &ctx,
4881 .module = THIS_MODULE,
4882 };
4883
4884 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
4885 }
4886
4887 /* Only accept unspec with dump */
4888 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
4889 return -EAFNOSUPPORT;
4890 if (!nla[NFTA_SET_TABLE])
4891 return -EINVAL;
4892
4893 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4894 if (IS_ERR(set)) {
4895 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4896 return PTR_ERR(set);
4897 }
4898
4899 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
4900 if (skb2 == NULL)
4901 return -ENOMEM;
4902
4903 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
4904 if (err < 0)
4905 goto err_fill_set_info;
4906
4907 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4908
4909 err_fill_set_info:
4910 kfree_skb(skb2);
4911 return err;
4912 }
4913
nft_set_desc_concat_parse(const struct nlattr * attr,struct nft_set_desc * desc)4914 static int nft_set_desc_concat_parse(const struct nlattr *attr,
4915 struct nft_set_desc *desc)
4916 {
4917 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
4918 u32 len;
4919 int err;
4920
4921 if (desc->field_count >= ARRAY_SIZE(desc->field_len))
4922 return -E2BIG;
4923
4924 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
4925 nft_concat_policy, NULL);
4926 if (err < 0)
4927 return err;
4928
4929 if (!tb[NFTA_SET_FIELD_LEN])
4930 return -EINVAL;
4931
4932 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
4933 if (!len || len > U8_MAX)
4934 return -EINVAL;
4935
4936 desc->field_len[desc->field_count++] = len;
4937
4938 return 0;
4939 }
4940
nft_set_desc_concat(struct nft_set_desc * desc,const struct nlattr * nla)4941 static int nft_set_desc_concat(struct nft_set_desc *desc,
4942 const struct nlattr *nla)
4943 {
4944 u32 num_regs = 0, key_num_regs = 0;
4945 struct nlattr *attr;
4946 int rem, err, i;
4947
4948 nla_for_each_nested(attr, nla, rem) {
4949 if (nla_type(attr) != NFTA_LIST_ELEM)
4950 return -EINVAL;
4951
4952 err = nft_set_desc_concat_parse(attr, desc);
4953 if (err < 0)
4954 return err;
4955 }
4956
4957 for (i = 0; i < desc->field_count; i++)
4958 num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32));
4959
4960 key_num_regs = DIV_ROUND_UP(desc->klen, sizeof(u32));
4961 if (key_num_regs != num_regs)
4962 return -EINVAL;
4963
4964 if (num_regs > NFT_REG32_COUNT)
4965 return -E2BIG;
4966
4967 return 0;
4968 }
4969
nf_tables_set_desc_parse(struct nft_set_desc * desc,const struct nlattr * nla)4970 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
4971 const struct nlattr *nla)
4972 {
4973 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
4974 int err;
4975
4976 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
4977 nft_set_desc_policy, NULL);
4978 if (err < 0)
4979 return err;
4980
4981 if (da[NFTA_SET_DESC_SIZE] != NULL)
4982 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
4983 if (da[NFTA_SET_DESC_CONCAT])
4984 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
4985
4986 return err;
4987 }
4988
nft_set_expr_alloc(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * const * nla,struct nft_expr ** exprs,int * num_exprs,u32 flags)4989 static int nft_set_expr_alloc(struct nft_ctx *ctx, struct nft_set *set,
4990 const struct nlattr * const *nla,
4991 struct nft_expr **exprs, int *num_exprs,
4992 u32 flags)
4993 {
4994 struct nft_expr *expr;
4995 int err, i;
4996
4997 if (nla[NFTA_SET_EXPR]) {
4998 expr = nft_set_elem_expr_alloc(ctx, set, nla[NFTA_SET_EXPR]);
4999 if (IS_ERR(expr)) {
5000 err = PTR_ERR(expr);
5001 goto err_set_expr_alloc;
5002 }
5003 exprs[0] = expr;
5004 (*num_exprs)++;
5005 } else if (nla[NFTA_SET_EXPRESSIONS]) {
5006 struct nlattr *tmp;
5007 int left;
5008
5009 if (!(flags & NFT_SET_EXPR)) {
5010 err = -EINVAL;
5011 goto err_set_expr_alloc;
5012 }
5013 i = 0;
5014 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {
5015 if (i == NFT_SET_EXPR_MAX) {
5016 err = -E2BIG;
5017 goto err_set_expr_alloc;
5018 }
5019 if (nla_type(tmp) != NFTA_LIST_ELEM) {
5020 err = -EINVAL;
5021 goto err_set_expr_alloc;
5022 }
5023 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
5024 if (IS_ERR(expr)) {
5025 err = PTR_ERR(expr);
5026 goto err_set_expr_alloc;
5027 }
5028 exprs[i++] = expr;
5029 (*num_exprs)++;
5030 }
5031 }
5032
5033 return 0;
5034
5035 err_set_expr_alloc:
5036 for (i = 0; i < *num_exprs; i++)
5037 nft_expr_destroy(ctx, exprs[i]);
5038
5039 return err;
5040 }
5041
nft_set_is_same(const struct nft_set * set,const struct nft_set_desc * desc,struct nft_expr * exprs[],u32 num_exprs,u32 flags)5042 static bool nft_set_is_same(const struct nft_set *set,
5043 const struct nft_set_desc *desc,
5044 struct nft_expr *exprs[], u32 num_exprs, u32 flags)
5045 {
5046 int i;
5047
5048 if (set->ktype != desc->ktype ||
5049 set->dtype != desc->dtype ||
5050 set->flags != flags ||
5051 set->klen != desc->klen ||
5052 set->dlen != desc->dlen ||
5053 set->field_count != desc->field_count ||
5054 set->num_exprs != num_exprs)
5055 return false;
5056
5057 for (i = 0; i < desc->field_count; i++) {
5058 if (set->field_len[i] != desc->field_len[i])
5059 return false;
5060 }
5061
5062 for (i = 0; i < num_exprs; i++) {
5063 if (set->exprs[i]->ops != exprs[i]->ops)
5064 return false;
5065 }
5066
5067 return true;
5068 }
5069
nf_tables_newset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])5070 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
5071 const struct nlattr * const nla[])
5072 {
5073 struct netlink_ext_ack *extack = info->extack;
5074 u8 genmask = nft_genmask_next(info->net);
5075 u8 family = info->nfmsg->nfgen_family;
5076 const struct nft_set_ops *ops;
5077 struct net *net = info->net;
5078 struct nft_set_desc desc;
5079 struct nft_table *table;
5080 unsigned char *udata;
5081 struct nft_set *set;
5082 struct nft_ctx ctx;
5083 size_t alloc_size;
5084 int num_exprs = 0;
5085 char *name;
5086 int err, i;
5087 u16 udlen;
5088 u32 flags;
5089 u64 size;
5090
5091 if (nla[NFTA_SET_TABLE] == NULL ||
5092 nla[NFTA_SET_NAME] == NULL ||
5093 nla[NFTA_SET_KEY_LEN] == NULL ||
5094 nla[NFTA_SET_ID] == NULL)
5095 return -EINVAL;
5096
5097 memset(&desc, 0, sizeof(desc));
5098
5099 desc.ktype = NFT_DATA_VALUE;
5100 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
5101 desc.ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
5102 if ((desc.ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
5103 return -EINVAL;
5104 }
5105
5106 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
5107 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
5108 return -EINVAL;
5109
5110 flags = 0;
5111 if (nla[NFTA_SET_FLAGS] != NULL) {
5112 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
5113 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
5114 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
5115 NFT_SET_MAP | NFT_SET_EVAL |
5116 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR))
5117 return -EOPNOTSUPP;
5118 /* Only one of these operations is supported */
5119 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
5120 (NFT_SET_MAP | NFT_SET_OBJECT))
5121 return -EOPNOTSUPP;
5122 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
5123 (NFT_SET_EVAL | NFT_SET_OBJECT))
5124 return -EOPNOTSUPP;
5125 if ((flags & (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT | NFT_SET_EVAL)) ==
5126 (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT))
5127 return -EOPNOTSUPP;
5128 if ((flags & (NFT_SET_CONSTANT | NFT_SET_TIMEOUT)) ==
5129 (NFT_SET_CONSTANT | NFT_SET_TIMEOUT))
5130 return -EOPNOTSUPP;
5131 }
5132
5133 desc.dtype = 0;
5134 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
5135 if (!(flags & NFT_SET_MAP))
5136 return -EINVAL;
5137
5138 desc.dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
5139 if ((desc.dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
5140 desc.dtype != NFT_DATA_VERDICT)
5141 return -EINVAL;
5142
5143 if (desc.dtype != NFT_DATA_VERDICT) {
5144 if (nla[NFTA_SET_DATA_LEN] == NULL)
5145 return -EINVAL;
5146 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
5147 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
5148 return -EINVAL;
5149 } else
5150 desc.dlen = sizeof(struct nft_verdict);
5151 } else if (flags & NFT_SET_MAP)
5152 return -EINVAL;
5153
5154 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
5155 if (!(flags & NFT_SET_OBJECT))
5156 return -EINVAL;
5157
5158 desc.objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
5159 if (desc.objtype == NFT_OBJECT_UNSPEC ||
5160 desc.objtype > NFT_OBJECT_MAX)
5161 return -EOPNOTSUPP;
5162 } else if (flags & NFT_SET_OBJECT)
5163 return -EINVAL;
5164 else
5165 desc.objtype = NFT_OBJECT_UNSPEC;
5166
5167 desc.timeout = 0;
5168 if (nla[NFTA_SET_TIMEOUT] != NULL) {
5169 if (!(flags & NFT_SET_TIMEOUT))
5170 return -EINVAL;
5171
5172 if (flags & NFT_SET_ANONYMOUS)
5173 return -EOPNOTSUPP;
5174
5175 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &desc.timeout);
5176 if (err)
5177 return err;
5178 }
5179 desc.gc_int = 0;
5180 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
5181 if (!(flags & NFT_SET_TIMEOUT))
5182 return -EINVAL;
5183
5184 if (flags & NFT_SET_ANONYMOUS)
5185 return -EOPNOTSUPP;
5186
5187 desc.gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
5188 }
5189
5190 desc.policy = NFT_SET_POL_PERFORMANCE;
5191 if (nla[NFTA_SET_POLICY] != NULL) {
5192 desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
5193 switch (desc.policy) {
5194 case NFT_SET_POL_PERFORMANCE:
5195 case NFT_SET_POL_MEMORY:
5196 break;
5197 default:
5198 return -EOPNOTSUPP;
5199 }
5200 }
5201
5202 if (nla[NFTA_SET_DESC] != NULL) {
5203 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
5204 if (err < 0)
5205 return err;
5206
5207 if (desc.field_count > 1) {
5208 if (!(flags & NFT_SET_CONCAT))
5209 return -EINVAL;
5210 } else if (flags & NFT_SET_CONCAT) {
5211 return -EINVAL;
5212 }
5213 } else if (flags & NFT_SET_CONCAT) {
5214 return -EINVAL;
5215 }
5216
5217 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
5218 desc.expr = true;
5219
5220 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask,
5221 NETLINK_CB(skb).portid);
5222 if (IS_ERR(table)) {
5223 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5224 return PTR_ERR(table);
5225 }
5226
5227 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5228
5229 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
5230 if (IS_ERR(set)) {
5231 if (PTR_ERR(set) != -ENOENT) {
5232 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5233 return PTR_ERR(set);
5234 }
5235 } else {
5236 struct nft_expr *exprs[NFT_SET_EXPR_MAX] = {};
5237
5238 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
5239 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5240 return -EEXIST;
5241 }
5242 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
5243 return -EOPNOTSUPP;
5244
5245 if (nft_set_is_anonymous(set))
5246 return -EOPNOTSUPP;
5247
5248 err = nft_set_expr_alloc(&ctx, set, nla, exprs, &num_exprs, flags);
5249 if (err < 0)
5250 return err;
5251
5252 err = 0;
5253 if (!nft_set_is_same(set, &desc, exprs, num_exprs, flags)) {
5254 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5255 err = -EEXIST;
5256 }
5257
5258 for (i = 0; i < num_exprs; i++)
5259 nft_expr_destroy(&ctx, exprs[i]);
5260
5261 if (err < 0)
5262 return err;
5263
5264 return __nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set, &desc);
5265 }
5266
5267 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
5268 return -ENOENT;
5269
5270 ops = nft_select_set_ops(&ctx, flags, &desc);
5271 if (IS_ERR(ops))
5272 return PTR_ERR(ops);
5273
5274 udlen = 0;
5275 if (nla[NFTA_SET_USERDATA])
5276 udlen = nla_len(nla[NFTA_SET_USERDATA]);
5277
5278 size = 0;
5279 if (ops->privsize != NULL)
5280 size = ops->privsize(nla, &desc);
5281 alloc_size = sizeof(*set) + size + udlen;
5282 if (alloc_size < size || alloc_size > INT_MAX)
5283 return -ENOMEM;
5284
5285 if (!nft_use_inc(&table->use))
5286 return -EMFILE;
5287
5288 set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT);
5289 if (!set) {
5290 err = -ENOMEM;
5291 goto err_alloc;
5292 }
5293
5294 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT);
5295 if (!name) {
5296 err = -ENOMEM;
5297 goto err_set_name;
5298 }
5299
5300 err = nf_tables_set_alloc_name(&ctx, set, name);
5301 kfree(name);
5302 if (err < 0)
5303 goto err_set_name;
5304
5305 udata = NULL;
5306 if (udlen) {
5307 udata = set->data + size;
5308 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
5309 }
5310
5311 INIT_LIST_HEAD(&set->bindings);
5312 INIT_LIST_HEAD(&set->catchall_list);
5313 refcount_set(&set->refs, 1);
5314 set->table = table;
5315 write_pnet(&set->net, net);
5316 set->ops = ops;
5317 set->ktype = desc.ktype;
5318 set->klen = desc.klen;
5319 set->dtype = desc.dtype;
5320 set->objtype = desc.objtype;
5321 set->dlen = desc.dlen;
5322 set->flags = flags;
5323 set->size = desc.size;
5324 set->policy = desc.policy;
5325 set->udlen = udlen;
5326 set->udata = udata;
5327 set->timeout = desc.timeout;
5328 set->gc_int = desc.gc_int;
5329
5330 set->field_count = desc.field_count;
5331 for (i = 0; i < desc.field_count; i++)
5332 set->field_len[i] = desc.field_len[i];
5333
5334 err = ops->init(set, &desc, nla);
5335 if (err < 0)
5336 goto err_set_init;
5337
5338 err = nft_set_expr_alloc(&ctx, set, nla, set->exprs, &num_exprs, flags);
5339 if (err < 0)
5340 goto err_set_destroy;
5341
5342 set->num_exprs = num_exprs;
5343 set->handle = nf_tables_alloc_handle(table);
5344 INIT_LIST_HEAD(&set->pending_update);
5345
5346 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
5347 if (err < 0)
5348 goto err_set_expr_alloc;
5349
5350 list_add_tail_rcu(&set->list, &table->sets);
5351
5352 return 0;
5353
5354 err_set_expr_alloc:
5355 for (i = 0; i < set->num_exprs; i++)
5356 nft_expr_destroy(&ctx, set->exprs[i]);
5357 err_set_destroy:
5358 ops->destroy(&ctx, set);
5359 err_set_init:
5360 kfree(set->name);
5361 err_set_name:
5362 kvfree(set);
5363 err_alloc:
5364 nft_use_dec_restore(&table->use);
5365
5366 return err;
5367 }
5368
nft_set_catchall_destroy(const struct nft_ctx * ctx,struct nft_set * set)5369 static void nft_set_catchall_destroy(const struct nft_ctx *ctx,
5370 struct nft_set *set)
5371 {
5372 struct nft_set_elem_catchall *next, *catchall;
5373
5374 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
5375 list_del_rcu(&catchall->list);
5376 nf_tables_set_elem_destroy(ctx, set, catchall->elem);
5377 kfree_rcu(catchall, rcu);
5378 }
5379 }
5380
nft_set_put(struct nft_set * set)5381 static void nft_set_put(struct nft_set *set)
5382 {
5383 if (refcount_dec_and_test(&set->refs)) {
5384 kfree(set->name);
5385 kvfree(set);
5386 }
5387 }
5388
nft_set_destroy(const struct nft_ctx * ctx,struct nft_set * set)5389 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
5390 {
5391 int i;
5392
5393 if (WARN_ON(set->use > 0))
5394 return;
5395
5396 for (i = 0; i < set->num_exprs; i++)
5397 nft_expr_destroy(ctx, set->exprs[i]);
5398
5399 set->ops->destroy(ctx, set);
5400 nft_set_catchall_destroy(ctx, set);
5401 nft_set_put(set);
5402 }
5403
nf_tables_delset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])5404 static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info,
5405 const struct nlattr * const nla[])
5406 {
5407 struct netlink_ext_ack *extack = info->extack;
5408 u8 genmask = nft_genmask_next(info->net);
5409 u8 family = info->nfmsg->nfgen_family;
5410 struct net *net = info->net;
5411 const struct nlattr *attr;
5412 struct nft_table *table;
5413 struct nft_set *set;
5414 struct nft_ctx ctx;
5415
5416 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
5417 return -EAFNOSUPPORT;
5418
5419 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
5420 genmask, NETLINK_CB(skb).portid);
5421 if (IS_ERR(table)) {
5422 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5423 return PTR_ERR(table);
5424 }
5425
5426 if (nla[NFTA_SET_HANDLE]) {
5427 attr = nla[NFTA_SET_HANDLE];
5428 set = nft_set_lookup_byhandle(table, attr, genmask);
5429 } else {
5430 attr = nla[NFTA_SET_NAME];
5431 set = nft_set_lookup(table, attr, genmask);
5432 }
5433
5434 if (IS_ERR(set)) {
5435 if (PTR_ERR(set) == -ENOENT &&
5436 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSET)
5437 return 0;
5438
5439 NL_SET_BAD_ATTR(extack, attr);
5440 return PTR_ERR(set);
5441 }
5442 if (set->use ||
5443 (info->nlh->nlmsg_flags & NLM_F_NONREC &&
5444 atomic_read(&set->nelems) > 0)) {
5445 NL_SET_BAD_ATTR(extack, attr);
5446 return -EBUSY;
5447 }
5448
5449 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5450
5451 return nft_delset(&ctx, set);
5452 }
5453
5454 static int nft_validate_register_store(const struct nft_ctx *ctx,
5455 enum nft_registers reg,
5456 const struct nft_data *data,
5457 enum nft_data_types type,
5458 unsigned int len);
5459
nft_setelem_data_validate(const struct nft_ctx * ctx,struct nft_set * set,struct nft_elem_priv * elem_priv)5460 static int nft_setelem_data_validate(const struct nft_ctx *ctx,
5461 struct nft_set *set,
5462 struct nft_elem_priv *elem_priv)
5463 {
5464 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5465 enum nft_registers dreg;
5466
5467 dreg = nft_type_to_reg(set->dtype);
5468 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
5469 set->dtype == NFT_DATA_VERDICT ?
5470 NFT_DATA_VERDICT : NFT_DATA_VALUE,
5471 set->dlen);
5472 }
5473
nf_tables_bind_check_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)5474 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
5475 struct nft_set *set,
5476 const struct nft_set_iter *iter,
5477 struct nft_elem_priv *elem_priv)
5478 {
5479 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5480
5481 if (!nft_set_elem_active(ext, iter->genmask))
5482 return 0;
5483
5484 return nft_setelem_data_validate(ctx, set, elem_priv);
5485 }
5486
nft_set_catchall_bind_check(const struct nft_ctx * ctx,struct nft_set * set)5487 static int nft_set_catchall_bind_check(const struct nft_ctx *ctx,
5488 struct nft_set *set)
5489 {
5490 u8 genmask = nft_genmask_next(ctx->net);
5491 struct nft_set_elem_catchall *catchall;
5492 struct nft_set_ext *ext;
5493 int ret = 0;
5494
5495 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5496 ext = nft_set_elem_ext(set, catchall->elem);
5497 if (!nft_set_elem_active(ext, genmask))
5498 continue;
5499
5500 ret = nft_setelem_data_validate(ctx, set, catchall->elem);
5501 if (ret < 0)
5502 break;
5503 }
5504
5505 return ret;
5506 }
5507
nf_tables_bind_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding)5508 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
5509 struct nft_set_binding *binding)
5510 {
5511 struct nft_set_binding *i;
5512 struct nft_set_iter iter;
5513
5514 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
5515 return -EBUSY;
5516
5517 if (binding->flags & NFT_SET_MAP) {
5518 /* If the set is already bound to the same chain all
5519 * jumps are already validated for that chain.
5520 */
5521 list_for_each_entry(i, &set->bindings, list) {
5522 if (i->flags & NFT_SET_MAP &&
5523 i->chain == binding->chain)
5524 goto bind;
5525 }
5526
5527 iter.genmask = nft_genmask_next(ctx->net);
5528 iter.type = NFT_ITER_UPDATE;
5529 iter.skip = 0;
5530 iter.count = 0;
5531 iter.err = 0;
5532 iter.fn = nf_tables_bind_check_setelem;
5533
5534 set->ops->walk(ctx, set, &iter);
5535 if (!iter.err)
5536 iter.err = nft_set_catchall_bind_check(ctx, set);
5537
5538 if (iter.err < 0)
5539 return iter.err;
5540 }
5541 bind:
5542 if (!nft_use_inc(&set->use))
5543 return -EMFILE;
5544
5545 binding->chain = ctx->chain;
5546 list_add_tail_rcu(&binding->list, &set->bindings);
5547 nft_set_trans_bind(ctx, set);
5548
5549 return 0;
5550 }
5551 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
5552
nf_tables_unbind_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding,bool event)5553 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
5554 struct nft_set_binding *binding, bool event)
5555 {
5556 list_del_rcu(&binding->list);
5557
5558 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
5559 list_del_rcu(&set->list);
5560 set->dead = 1;
5561 if (event)
5562 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
5563 GFP_KERNEL);
5564 }
5565 }
5566
5567 static void nft_setelem_data_activate(const struct net *net,
5568 const struct nft_set *set,
5569 struct nft_elem_priv *elem_priv);
5570
nft_mapelem_activate(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)5571 static int nft_mapelem_activate(const struct nft_ctx *ctx,
5572 struct nft_set *set,
5573 const struct nft_set_iter *iter,
5574 struct nft_elem_priv *elem_priv)
5575 {
5576 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5577
5578 /* called from abort path, reverse check to undo changes. */
5579 if (nft_set_elem_active(ext, iter->genmask))
5580 return 0;
5581
5582 nft_clear(ctx->net, ext);
5583 nft_setelem_data_activate(ctx->net, set, elem_priv);
5584
5585 return 0;
5586 }
5587
nft_map_catchall_activate(const struct nft_ctx * ctx,struct nft_set * set)5588 static void nft_map_catchall_activate(const struct nft_ctx *ctx,
5589 struct nft_set *set)
5590 {
5591 u8 genmask = nft_genmask_next(ctx->net);
5592 struct nft_set_elem_catchall *catchall;
5593 struct nft_set_ext *ext;
5594
5595 list_for_each_entry(catchall, &set->catchall_list, list) {
5596 ext = nft_set_elem_ext(set, catchall->elem);
5597 if (!nft_set_elem_active(ext, genmask))
5598 continue;
5599
5600 nft_clear(ctx->net, ext);
5601 nft_setelem_data_activate(ctx->net, set, catchall->elem);
5602 break;
5603 }
5604 }
5605
nft_map_activate(const struct nft_ctx * ctx,struct nft_set * set)5606 static void nft_map_activate(const struct nft_ctx *ctx, struct nft_set *set)
5607 {
5608 struct nft_set_iter iter = {
5609 .genmask = nft_genmask_next(ctx->net),
5610 .type = NFT_ITER_UPDATE,
5611 .fn = nft_mapelem_activate,
5612 };
5613
5614 set->ops->walk(ctx, set, &iter);
5615 WARN_ON_ONCE(iter.err);
5616
5617 nft_map_catchall_activate(ctx, set);
5618 }
5619
nf_tables_activate_set(const struct nft_ctx * ctx,struct nft_set * set)5620 void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set)
5621 {
5622 if (nft_set_is_anonymous(set)) {
5623 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5624 nft_map_activate(ctx, set);
5625
5626 nft_clear(ctx->net, set);
5627 }
5628
5629 nft_use_inc_restore(&set->use);
5630 }
5631 EXPORT_SYMBOL_GPL(nf_tables_activate_set);
5632
nf_tables_deactivate_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding,enum nft_trans_phase phase)5633 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
5634 struct nft_set_binding *binding,
5635 enum nft_trans_phase phase)
5636 {
5637 switch (phase) {
5638 case NFT_TRANS_PREPARE_ERROR:
5639 nft_set_trans_unbind(ctx, set);
5640 if (nft_set_is_anonymous(set))
5641 nft_deactivate_next(ctx->net, set);
5642 else
5643 list_del_rcu(&binding->list);
5644
5645 nft_use_dec(&set->use);
5646 break;
5647 case NFT_TRANS_PREPARE:
5648 if (nft_set_is_anonymous(set)) {
5649 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5650 nft_map_deactivate(ctx, set);
5651
5652 nft_deactivate_next(ctx->net, set);
5653 }
5654 nft_use_dec(&set->use);
5655 return;
5656 case NFT_TRANS_ABORT:
5657 case NFT_TRANS_RELEASE:
5658 if (nft_set_is_anonymous(set) &&
5659 set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5660 nft_map_deactivate(ctx, set);
5661
5662 nft_use_dec(&set->use);
5663 fallthrough;
5664 default:
5665 nf_tables_unbind_set(ctx, set, binding,
5666 phase == NFT_TRANS_COMMIT);
5667 }
5668 }
5669 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
5670
nf_tables_destroy_set(const struct nft_ctx * ctx,struct nft_set * set)5671 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
5672 {
5673 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
5674 nft_set_destroy(ctx, set);
5675 }
5676 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
5677
5678 const struct nft_set_ext_type nft_set_ext_types[] = {
5679 [NFT_SET_EXT_KEY] = {
5680 .align = __alignof__(u32),
5681 },
5682 [NFT_SET_EXT_DATA] = {
5683 .align = __alignof__(u32),
5684 },
5685 [NFT_SET_EXT_EXPRESSIONS] = {
5686 .align = __alignof__(struct nft_set_elem_expr),
5687 },
5688 [NFT_SET_EXT_OBJREF] = {
5689 .len = sizeof(struct nft_object *),
5690 .align = __alignof__(struct nft_object *),
5691 },
5692 [NFT_SET_EXT_FLAGS] = {
5693 .len = sizeof(u8),
5694 .align = __alignof__(u8),
5695 },
5696 [NFT_SET_EXT_TIMEOUT] = {
5697 .len = sizeof(struct nft_timeout),
5698 .align = __alignof__(struct nft_timeout),
5699 },
5700 [NFT_SET_EXT_USERDATA] = {
5701 .len = sizeof(struct nft_userdata),
5702 .align = __alignof__(struct nft_userdata),
5703 },
5704 [NFT_SET_EXT_KEY_END] = {
5705 .align = __alignof__(u32),
5706 },
5707 };
5708
5709 /*
5710 * Set elements
5711 */
5712
5713 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
5714 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
5715 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
5716 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
5717 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
5718 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
5719 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
5720 .len = NFT_USERDATA_MAXLEN },
5721 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
5722 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
5723 .len = NFT_OBJ_MAXNAMELEN - 1 },
5724 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
5725 [NFTA_SET_ELEM_EXPRESSIONS] = NLA_POLICY_NESTED_ARRAY(nft_expr_policy),
5726 };
5727
5728 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
5729 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
5730 .len = NFT_TABLE_MAXNAMELEN - 1 },
5731 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
5732 .len = NFT_SET_MAXNAMELEN - 1 },
5733 [NFTA_SET_ELEM_LIST_ELEMENTS] = NLA_POLICY_NESTED_ARRAY(nft_set_elem_policy),
5734 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
5735 };
5736
nft_set_elem_expr_dump(struct sk_buff * skb,const struct nft_set * set,const struct nft_set_ext * ext,bool reset)5737 static int nft_set_elem_expr_dump(struct sk_buff *skb,
5738 const struct nft_set *set,
5739 const struct nft_set_ext *ext,
5740 bool reset)
5741 {
5742 struct nft_set_elem_expr *elem_expr;
5743 u32 size, num_exprs = 0;
5744 struct nft_expr *expr;
5745 struct nlattr *nest;
5746
5747 elem_expr = nft_set_ext_expr(ext);
5748 nft_setelem_expr_foreach(expr, elem_expr, size)
5749 num_exprs++;
5750
5751 if (num_exprs == 1) {
5752 expr = nft_setelem_expr_at(elem_expr, 0);
5753 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr, reset) < 0)
5754 return -1;
5755
5756 return 0;
5757 } else if (num_exprs > 1) {
5758 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS);
5759 if (nest == NULL)
5760 goto nla_put_failure;
5761
5762 nft_setelem_expr_foreach(expr, elem_expr, size) {
5763 expr = nft_setelem_expr_at(elem_expr, size);
5764 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0)
5765 goto nla_put_failure;
5766 }
5767 nla_nest_end(skb, nest);
5768 }
5769 return 0;
5770
5771 nla_put_failure:
5772 return -1;
5773 }
5774
nf_tables_fill_setelem(struct sk_buff * skb,const struct nft_set * set,const struct nft_elem_priv * elem_priv,bool reset)5775 static int nf_tables_fill_setelem(struct sk_buff *skb,
5776 const struct nft_set *set,
5777 const struct nft_elem_priv *elem_priv,
5778 bool reset)
5779 {
5780 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5781 unsigned char *b = skb_tail_pointer(skb);
5782 struct nlattr *nest;
5783
5784 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
5785 if (nest == NULL)
5786 goto nla_put_failure;
5787
5788 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
5789 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
5790 NFT_DATA_VALUE, set->klen) < 0)
5791 goto nla_put_failure;
5792
5793 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
5794 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
5795 NFT_DATA_VALUE, set->klen) < 0)
5796 goto nla_put_failure;
5797
5798 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5799 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
5800 nft_set_datatype(set), set->dlen) < 0)
5801 goto nla_put_failure;
5802
5803 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) &&
5804 nft_set_elem_expr_dump(skb, set, ext, reset))
5805 goto nla_put_failure;
5806
5807 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5808 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
5809 (*nft_set_ext_obj(ext))->key.name) < 0)
5810 goto nla_put_failure;
5811
5812 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
5813 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
5814 htonl(*nft_set_ext_flags(ext))))
5815 goto nla_put_failure;
5816
5817 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) {
5818 u64 timeout = READ_ONCE(nft_set_ext_timeout(ext)->timeout);
5819 u64 set_timeout = READ_ONCE(set->timeout);
5820 __be64 msecs = 0;
5821
5822 if (set_timeout != timeout) {
5823 msecs = nf_jiffies64_to_msecs(timeout);
5824 if (nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT, msecs,
5825 NFTA_SET_ELEM_PAD))
5826 goto nla_put_failure;
5827 }
5828
5829 if (timeout > 0) {
5830 u64 expires, now = get_jiffies_64();
5831
5832 expires = READ_ONCE(nft_set_ext_timeout(ext)->expiration);
5833 if (time_before64(now, expires))
5834 expires -= now;
5835 else
5836 expires = 0;
5837
5838 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
5839 nf_jiffies64_to_msecs(expires),
5840 NFTA_SET_ELEM_PAD))
5841 goto nla_put_failure;
5842 }
5843 }
5844
5845 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
5846 struct nft_userdata *udata;
5847
5848 udata = nft_set_ext_userdata(ext);
5849 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
5850 udata->len + 1, udata->data))
5851 goto nla_put_failure;
5852 }
5853
5854 nla_nest_end(skb, nest);
5855 return 0;
5856
5857 nla_put_failure:
5858 nlmsg_trim(skb, b);
5859 return -EMSGSIZE;
5860 }
5861
5862 struct nft_set_dump_args {
5863 const struct netlink_callback *cb;
5864 struct nft_set_iter iter;
5865 struct sk_buff *skb;
5866 bool reset;
5867 };
5868
nf_tables_dump_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)5869 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
5870 struct nft_set *set,
5871 const struct nft_set_iter *iter,
5872 struct nft_elem_priv *elem_priv)
5873 {
5874 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
5875 struct nft_set_dump_args *args;
5876
5877 if (!nft_set_elem_active(ext, iter->genmask))
5878 return 0;
5879
5880 if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext))
5881 return 0;
5882
5883 args = container_of(iter, struct nft_set_dump_args, iter);
5884 return nf_tables_fill_setelem(args->skb, set, elem_priv, args->reset);
5885 }
5886
audit_log_nft_set_reset(const struct nft_table * table,unsigned int base_seq,unsigned int nentries)5887 static void audit_log_nft_set_reset(const struct nft_table *table,
5888 unsigned int base_seq,
5889 unsigned int nentries)
5890 {
5891 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq);
5892
5893 audit_log_nfcfg(buf, table->family, nentries,
5894 AUDIT_NFT_OP_SETELEM_RESET, GFP_ATOMIC);
5895 kfree(buf);
5896 }
5897
5898 struct nft_set_dump_ctx {
5899 const struct nft_set *set;
5900 struct nft_ctx ctx;
5901 bool reset;
5902 };
5903
nft_set_catchall_dump(struct net * net,struct sk_buff * skb,const struct nft_set * set,bool reset,unsigned int base_seq)5904 static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb,
5905 const struct nft_set *set, bool reset,
5906 unsigned int base_seq)
5907 {
5908 struct nft_set_elem_catchall *catchall;
5909 u8 genmask = nft_genmask_cur(net);
5910 struct nft_set_ext *ext;
5911 int ret = 0;
5912
5913 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5914 ext = nft_set_elem_ext(set, catchall->elem);
5915 if (!nft_set_elem_active(ext, genmask) ||
5916 nft_set_elem_expired(ext))
5917 continue;
5918
5919 ret = nf_tables_fill_setelem(skb, set, catchall->elem, reset);
5920 if (reset && !ret)
5921 audit_log_nft_set_reset(set->table, base_seq, 1);
5922 break;
5923 }
5924
5925 return ret;
5926 }
5927
nf_tables_dump_set(struct sk_buff * skb,struct netlink_callback * cb)5928 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
5929 {
5930 struct nft_set_dump_ctx *dump_ctx = cb->data;
5931 struct net *net = sock_net(skb->sk);
5932 struct nftables_pernet *nft_net;
5933 struct nft_table *table;
5934 struct nft_set *set;
5935 struct nft_set_dump_args args;
5936 bool set_found = false;
5937 struct nlmsghdr *nlh;
5938 struct nlattr *nest;
5939 u32 portid, seq;
5940 int event;
5941
5942 rcu_read_lock();
5943 nft_net = nft_pernet(net);
5944 cb->seq = READ_ONCE(nft_net->base_seq);
5945
5946 list_for_each_entry_rcu(table, &nft_net->tables, list) {
5947 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
5948 dump_ctx->ctx.family != table->family)
5949 continue;
5950
5951 if (table != dump_ctx->ctx.table)
5952 continue;
5953
5954 list_for_each_entry_rcu(set, &table->sets, list) {
5955 if (set == dump_ctx->set) {
5956 set_found = true;
5957 break;
5958 }
5959 }
5960 break;
5961 }
5962
5963 if (!set_found) {
5964 rcu_read_unlock();
5965 return -ENOENT;
5966 }
5967
5968 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
5969 portid = NETLINK_CB(cb->skb).portid;
5970 seq = cb->nlh->nlmsg_seq;
5971
5972 nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI,
5973 table->family, NFNETLINK_V0, nft_base_seq(net));
5974 if (!nlh)
5975 goto nla_put_failure;
5976
5977 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
5978 goto nla_put_failure;
5979 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
5980 goto nla_put_failure;
5981
5982 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
5983 if (nest == NULL)
5984 goto nla_put_failure;
5985
5986 args.cb = cb;
5987 args.skb = skb;
5988 args.reset = dump_ctx->reset;
5989 args.iter.genmask = nft_genmask_cur(net);
5990 args.iter.type = NFT_ITER_READ;
5991 args.iter.skip = cb->args[0];
5992 args.iter.count = 0;
5993 args.iter.err = 0;
5994 args.iter.fn = nf_tables_dump_setelem;
5995 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
5996
5997 if (!args.iter.err && args.iter.count == cb->args[0])
5998 args.iter.err = nft_set_catchall_dump(net, skb, set,
5999 dump_ctx->reset, cb->seq);
6000 nla_nest_end(skb, nest);
6001 nlmsg_end(skb, nlh);
6002
6003 rcu_read_unlock();
6004
6005 if (args.iter.err && args.iter.err != -EMSGSIZE)
6006 return args.iter.err;
6007 if (args.iter.count == cb->args[0])
6008 return 0;
6009
6010 cb->args[0] = args.iter.count;
6011 return skb->len;
6012
6013 nla_put_failure:
6014 rcu_read_unlock();
6015 return -ENOSPC;
6016 }
6017
nf_tables_dumpreset_set(struct sk_buff * skb,struct netlink_callback * cb)6018 static int nf_tables_dumpreset_set(struct sk_buff *skb,
6019 struct netlink_callback *cb)
6020 {
6021 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk));
6022 struct nft_set_dump_ctx *dump_ctx = cb->data;
6023 int ret, skip = cb->args[0];
6024
6025 mutex_lock(&nft_net->commit_mutex);
6026
6027 ret = nf_tables_dump_set(skb, cb);
6028
6029 if (cb->args[0] > skip)
6030 audit_log_nft_set_reset(dump_ctx->ctx.table, cb->seq,
6031 cb->args[0] - skip);
6032
6033 mutex_unlock(&nft_net->commit_mutex);
6034
6035 return ret;
6036 }
6037
nf_tables_dump_set_start(struct netlink_callback * cb)6038 static int nf_tables_dump_set_start(struct netlink_callback *cb)
6039 {
6040 struct nft_set_dump_ctx *dump_ctx = cb->data;
6041
6042 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
6043
6044 return cb->data ? 0 : -ENOMEM;
6045 }
6046
nf_tables_dump_set_done(struct netlink_callback * cb)6047 static int nf_tables_dump_set_done(struct netlink_callback *cb)
6048 {
6049 kfree(cb->data);
6050 return 0;
6051 }
6052
nf_tables_fill_setelem_info(struct sk_buff * skb,const struct nft_ctx * ctx,u32 seq,u32 portid,int event,u16 flags,const struct nft_set * set,const struct nft_elem_priv * elem_priv,bool reset)6053 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
6054 const struct nft_ctx *ctx, u32 seq,
6055 u32 portid, int event, u16 flags,
6056 const struct nft_set *set,
6057 const struct nft_elem_priv *elem_priv,
6058 bool reset)
6059 {
6060 struct nlmsghdr *nlh;
6061 struct nlattr *nest;
6062 int err;
6063
6064 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6065 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
6066 NFNETLINK_V0, nft_base_seq(ctx->net));
6067 if (!nlh)
6068 goto nla_put_failure;
6069
6070 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
6071 goto nla_put_failure;
6072 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
6073 goto nla_put_failure;
6074
6075 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
6076 if (nest == NULL)
6077 goto nla_put_failure;
6078
6079 err = nf_tables_fill_setelem(skb, set, elem_priv, reset);
6080 if (err < 0)
6081 goto nla_put_failure;
6082
6083 nla_nest_end(skb, nest);
6084
6085 nlmsg_end(skb, nlh);
6086 return 0;
6087
6088 nla_put_failure:
6089 nlmsg_trim(skb, nlh);
6090 return -1;
6091 }
6092
nft_setelem_parse_flags(const struct nft_set * set,const struct nlattr * attr,u32 * flags)6093 static int nft_setelem_parse_flags(const struct nft_set *set,
6094 const struct nlattr *attr, u32 *flags)
6095 {
6096 if (attr == NULL)
6097 return 0;
6098
6099 *flags = ntohl(nla_get_be32(attr));
6100 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
6101 return -EOPNOTSUPP;
6102 if (!(set->flags & NFT_SET_INTERVAL) &&
6103 *flags & NFT_SET_ELEM_INTERVAL_END)
6104 return -EINVAL;
6105 if ((*flags & (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) ==
6106 (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
6107 return -EINVAL;
6108
6109 return 0;
6110 }
6111
nft_setelem_parse_key(struct nft_ctx * ctx,const struct nft_set * set,struct nft_data * key,struct nlattr * attr)6112 static int nft_setelem_parse_key(struct nft_ctx *ctx, const struct nft_set *set,
6113 struct nft_data *key, struct nlattr *attr)
6114 {
6115 struct nft_data_desc desc = {
6116 .type = NFT_DATA_VALUE,
6117 .size = NFT_DATA_VALUE_MAXLEN,
6118 .len = set->klen,
6119 };
6120
6121 return nft_data_init(ctx, key, &desc, attr);
6122 }
6123
nft_setelem_parse_data(struct nft_ctx * ctx,struct nft_set * set,struct nft_data_desc * desc,struct nft_data * data,struct nlattr * attr)6124 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
6125 struct nft_data_desc *desc,
6126 struct nft_data *data,
6127 struct nlattr *attr)
6128 {
6129 u32 dtype;
6130
6131 if (set->dtype == NFT_DATA_VERDICT)
6132 dtype = NFT_DATA_VERDICT;
6133 else
6134 dtype = NFT_DATA_VALUE;
6135
6136 desc->type = dtype;
6137 desc->size = NFT_DATA_VALUE_MAXLEN;
6138 desc->len = set->dlen;
6139 desc->flags = NFT_DATA_DESC_SETELEM;
6140
6141 return nft_data_init(ctx, data, desc, attr);
6142 }
6143
nft_setelem_catchall_get(const struct net * net,const struct nft_set * set)6144 static void *nft_setelem_catchall_get(const struct net *net,
6145 const struct nft_set *set)
6146 {
6147 struct nft_set_elem_catchall *catchall;
6148 u8 genmask = nft_genmask_cur(net);
6149 struct nft_set_ext *ext;
6150 void *priv = NULL;
6151
6152 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6153 ext = nft_set_elem_ext(set, catchall->elem);
6154 if (!nft_set_elem_active(ext, genmask) ||
6155 nft_set_elem_expired(ext))
6156 continue;
6157
6158 priv = catchall->elem;
6159 break;
6160 }
6161
6162 return priv;
6163 }
6164
nft_setelem_get(struct nft_ctx * ctx,const struct nft_set * set,struct nft_set_elem * elem,u32 flags)6165 static int nft_setelem_get(struct nft_ctx *ctx, const struct nft_set *set,
6166 struct nft_set_elem *elem, u32 flags)
6167 {
6168 void *priv;
6169
6170 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
6171 priv = set->ops->get(ctx->net, set, elem, flags);
6172 if (IS_ERR(priv))
6173 return PTR_ERR(priv);
6174 } else {
6175 priv = nft_setelem_catchall_get(ctx->net, set);
6176 if (!priv)
6177 return -ENOENT;
6178 }
6179 elem->priv = priv;
6180
6181 return 0;
6182 }
6183
nft_get_set_elem(struct nft_ctx * ctx,const struct nft_set * set,const struct nlattr * attr,bool reset)6184 static int nft_get_set_elem(struct nft_ctx *ctx, const struct nft_set *set,
6185 const struct nlattr *attr, bool reset)
6186 {
6187 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6188 struct nft_set_elem elem;
6189 struct sk_buff *skb;
6190 uint32_t flags = 0;
6191 int err;
6192
6193 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6194 nft_set_elem_policy, NULL);
6195 if (err < 0)
6196 return err;
6197
6198 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6199 if (err < 0)
6200 return err;
6201
6202 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
6203 return -EINVAL;
6204
6205 if (nla[NFTA_SET_ELEM_KEY]) {
6206 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6207 nla[NFTA_SET_ELEM_KEY]);
6208 if (err < 0)
6209 return err;
6210 }
6211
6212 if (nla[NFTA_SET_ELEM_KEY_END]) {
6213 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6214 nla[NFTA_SET_ELEM_KEY_END]);
6215 if (err < 0)
6216 return err;
6217 }
6218
6219 err = nft_setelem_get(ctx, set, &elem, flags);
6220 if (err < 0)
6221 return err;
6222
6223 err = -ENOMEM;
6224 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
6225 if (skb == NULL)
6226 return err;
6227
6228 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
6229 NFT_MSG_NEWSETELEM, 0, set, elem.priv,
6230 reset);
6231 if (err < 0)
6232 goto err_fill_setelem;
6233
6234 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
6235
6236 err_fill_setelem:
6237 kfree_skb(skb);
6238 return err;
6239 }
6240
nft_set_dump_ctx_init(struct nft_set_dump_ctx * dump_ctx,const struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[],bool reset)6241 static int nft_set_dump_ctx_init(struct nft_set_dump_ctx *dump_ctx,
6242 const struct sk_buff *skb,
6243 const struct nfnl_info *info,
6244 const struct nlattr * const nla[],
6245 bool reset)
6246 {
6247 struct netlink_ext_ack *extack = info->extack;
6248 u8 genmask = nft_genmask_cur(info->net);
6249 u8 family = info->nfmsg->nfgen_family;
6250 struct net *net = info->net;
6251 struct nft_table *table;
6252 struct nft_set *set;
6253
6254 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
6255 genmask, 0);
6256 if (IS_ERR(table)) {
6257 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
6258 return PTR_ERR(table);
6259 }
6260
6261 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
6262 if (IS_ERR(set)) {
6263 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
6264 return PTR_ERR(set);
6265 }
6266
6267 nft_ctx_init(&dump_ctx->ctx, net, skb,
6268 info->nlh, family, table, NULL, nla);
6269 dump_ctx->set = set;
6270 dump_ctx->reset = reset;
6271 return 0;
6272 }
6273
6274 /* called with rcu_read_lock held */
nf_tables_getsetelem(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])6275 static int nf_tables_getsetelem(struct sk_buff *skb,
6276 const struct nfnl_info *info,
6277 const struct nlattr * const nla[])
6278 {
6279 struct netlink_ext_ack *extack = info->extack;
6280 struct nft_set_dump_ctx dump_ctx;
6281 struct nlattr *attr;
6282 int rem, err = 0;
6283
6284 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
6285 struct netlink_dump_control c = {
6286 .start = nf_tables_dump_set_start,
6287 .dump = nf_tables_dump_set,
6288 .done = nf_tables_dump_set_done,
6289 .module = THIS_MODULE,
6290 };
6291
6292 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, false);
6293 if (err)
6294 return err;
6295
6296 c.data = &dump_ctx;
6297 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
6298 }
6299
6300 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6301 return -EINVAL;
6302
6303 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, false);
6304 if (err)
6305 return err;
6306
6307 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6308 err = nft_get_set_elem(&dump_ctx.ctx, dump_ctx.set, attr, false);
6309 if (err < 0) {
6310 NL_SET_BAD_ATTR(extack, attr);
6311 break;
6312 }
6313 }
6314
6315 return err;
6316 }
6317
nf_tables_getsetelem_reset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])6318 static int nf_tables_getsetelem_reset(struct sk_buff *skb,
6319 const struct nfnl_info *info,
6320 const struct nlattr * const nla[])
6321 {
6322 struct nftables_pernet *nft_net = nft_pernet(info->net);
6323 struct netlink_ext_ack *extack = info->extack;
6324 struct nft_set_dump_ctx dump_ctx;
6325 int rem, err = 0, nelems = 0;
6326 struct nlattr *attr;
6327
6328 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
6329 struct netlink_dump_control c = {
6330 .start = nf_tables_dump_set_start,
6331 .dump = nf_tables_dumpreset_set,
6332 .done = nf_tables_dump_set_done,
6333 .module = THIS_MODULE,
6334 };
6335
6336 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, true);
6337 if (err)
6338 return err;
6339
6340 c.data = &dump_ctx;
6341 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
6342 }
6343
6344 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6345 return -EINVAL;
6346
6347 if (!try_module_get(THIS_MODULE))
6348 return -EINVAL;
6349 rcu_read_unlock();
6350 mutex_lock(&nft_net->commit_mutex);
6351 rcu_read_lock();
6352
6353 err = nft_set_dump_ctx_init(&dump_ctx, skb, info, nla, true);
6354 if (err)
6355 goto out_unlock;
6356
6357 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6358 err = nft_get_set_elem(&dump_ctx.ctx, dump_ctx.set, attr, true);
6359 if (err < 0) {
6360 NL_SET_BAD_ATTR(extack, attr);
6361 break;
6362 }
6363 nelems++;
6364 }
6365 audit_log_nft_set_reset(dump_ctx.ctx.table, nft_net->base_seq, nelems);
6366
6367 out_unlock:
6368 rcu_read_unlock();
6369 mutex_unlock(&nft_net->commit_mutex);
6370 rcu_read_lock();
6371 module_put(THIS_MODULE);
6372
6373 return err;
6374 }
6375
nf_tables_setelem_notify(const struct nft_ctx * ctx,const struct nft_set * set,const struct nft_elem_priv * elem_priv,int event)6376 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
6377 const struct nft_set *set,
6378 const struct nft_elem_priv *elem_priv,
6379 int event)
6380 {
6381 struct nftables_pernet *nft_net;
6382 struct net *net = ctx->net;
6383 u32 portid = ctx->portid;
6384 struct sk_buff *skb;
6385 u16 flags = 0;
6386 int err;
6387
6388 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6389 return;
6390
6391 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6392 if (skb == NULL)
6393 goto err;
6394
6395 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
6396 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
6397
6398 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
6399 set, elem_priv, false);
6400 if (err < 0) {
6401 kfree_skb(skb);
6402 goto err;
6403 }
6404
6405 nft_net = nft_pernet(net);
6406 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
6407 return;
6408 err:
6409 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
6410 }
6411
nft_trans_elem_alloc(struct nft_ctx * ctx,int msg_type,struct nft_set * set)6412 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
6413 int msg_type,
6414 struct nft_set *set)
6415 {
6416 struct nft_trans *trans;
6417
6418 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
6419 if (trans == NULL)
6420 return NULL;
6421
6422 nft_trans_elem_set(trans) = set;
6423 return trans;
6424 }
6425
nft_set_elem_expr_alloc(const struct nft_ctx * ctx,const struct nft_set * set,const struct nlattr * attr)6426 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
6427 const struct nft_set *set,
6428 const struct nlattr *attr)
6429 {
6430 struct nft_expr *expr;
6431 int err;
6432
6433 expr = nft_expr_init(ctx, attr);
6434 if (IS_ERR(expr))
6435 return expr;
6436
6437 err = -EOPNOTSUPP;
6438 if (expr->ops->type->flags & NFT_EXPR_GC) {
6439 if (set->flags & NFT_SET_TIMEOUT)
6440 goto err_set_elem_expr;
6441 if (!set->ops->gc_init)
6442 goto err_set_elem_expr;
6443 set->ops->gc_init(set);
6444 }
6445
6446 return expr;
6447
6448 err_set_elem_expr:
6449 nft_expr_destroy(ctx, expr);
6450 return ERR_PTR(err);
6451 }
6452
nft_set_ext_check(const struct nft_set_ext_tmpl * tmpl,u8 id,u32 len)6453 static int nft_set_ext_check(const struct nft_set_ext_tmpl *tmpl, u8 id, u32 len)
6454 {
6455 len += nft_set_ext_types[id].len;
6456 if (len > tmpl->ext_len[id] ||
6457 len > U8_MAX)
6458 return -1;
6459
6460 return 0;
6461 }
6462
nft_set_ext_memcpy(const struct nft_set_ext_tmpl * tmpl,u8 id,void * to,const void * from,u32 len)6463 static int nft_set_ext_memcpy(const struct nft_set_ext_tmpl *tmpl, u8 id,
6464 void *to, const void *from, u32 len)
6465 {
6466 if (nft_set_ext_check(tmpl, id, len) < 0)
6467 return -1;
6468
6469 memcpy(to, from, len);
6470
6471 return 0;
6472 }
6473
nft_set_elem_init(const struct nft_set * set,const struct nft_set_ext_tmpl * tmpl,const u32 * key,const u32 * key_end,const u32 * data,u64 timeout,u64 expiration,gfp_t gfp)6474 struct nft_elem_priv *nft_set_elem_init(const struct nft_set *set,
6475 const struct nft_set_ext_tmpl *tmpl,
6476 const u32 *key, const u32 *key_end,
6477 const u32 *data,
6478 u64 timeout, u64 expiration, gfp_t gfp)
6479 {
6480 struct nft_set_ext *ext;
6481 void *elem;
6482
6483 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
6484 if (elem == NULL)
6485 return ERR_PTR(-ENOMEM);
6486
6487 ext = nft_set_elem_ext(set, elem);
6488 nft_set_ext_init(ext, tmpl);
6489
6490 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
6491 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY,
6492 nft_set_ext_key(ext), key, set->klen) < 0)
6493 goto err_ext_check;
6494
6495 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
6496 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY_END,
6497 nft_set_ext_key_end(ext), key_end, set->klen) < 0)
6498 goto err_ext_check;
6499
6500 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
6501 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_DATA,
6502 nft_set_ext_data(ext), data, set->dlen) < 0)
6503 goto err_ext_check;
6504
6505 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) {
6506 nft_set_ext_timeout(ext)->timeout = timeout;
6507
6508 if (expiration == 0)
6509 expiration = timeout;
6510
6511 nft_set_ext_timeout(ext)->expiration = get_jiffies_64() + expiration;
6512 }
6513
6514 return elem;
6515
6516 err_ext_check:
6517 kfree(elem);
6518
6519 return ERR_PTR(-EINVAL);
6520 }
6521
__nft_set_elem_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)6522 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
6523 struct nft_expr *expr)
6524 {
6525 if (expr->ops->destroy_clone) {
6526 expr->ops->destroy_clone(ctx, expr);
6527 module_put(expr->ops->type->owner);
6528 } else {
6529 nf_tables_expr_destroy(ctx, expr);
6530 }
6531 }
6532
nft_set_elem_expr_destroy(const struct nft_ctx * ctx,struct nft_set_elem_expr * elem_expr)6533 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
6534 struct nft_set_elem_expr *elem_expr)
6535 {
6536 struct nft_expr *expr;
6537 u32 size;
6538
6539 nft_setelem_expr_foreach(expr, elem_expr, size)
6540 __nft_set_elem_expr_destroy(ctx, expr);
6541 }
6542
6543 /* Drop references and destroy. Called from gc, dynset and abort path. */
nft_set_elem_destroy(const struct nft_set * set,const struct nft_elem_priv * elem_priv,bool destroy_expr)6544 void nft_set_elem_destroy(const struct nft_set *set,
6545 const struct nft_elem_priv *elem_priv,
6546 bool destroy_expr)
6547 {
6548 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6549 struct nft_ctx ctx = {
6550 .net = read_pnet(&set->net),
6551 .family = set->table->family,
6552 };
6553
6554 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
6555 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
6556 nft_data_release(nft_set_ext_data(ext), set->dtype);
6557 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
6558 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
6559 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
6560 nft_use_dec(&(*nft_set_ext_obj(ext))->use);
6561
6562 kfree(elem_priv);
6563 }
6564 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
6565
6566 /* Destroy element. References have been already dropped in the preparation
6567 * path via nft_setelem_data_deactivate().
6568 */
nf_tables_set_elem_destroy(const struct nft_ctx * ctx,const struct nft_set * set,const struct nft_elem_priv * elem_priv)6569 void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
6570 const struct nft_set *set,
6571 const struct nft_elem_priv *elem_priv)
6572 {
6573 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6574
6575 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
6576 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
6577
6578 kfree(elem_priv);
6579 }
6580
nft_set_elem_expr_clone(const struct nft_ctx * ctx,struct nft_set * set,struct nft_expr * expr_array[])6581 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
6582 struct nft_expr *expr_array[])
6583 {
6584 struct nft_expr *expr;
6585 int err, i, k;
6586
6587 for (i = 0; i < set->num_exprs; i++) {
6588 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL_ACCOUNT);
6589 if (!expr)
6590 goto err_expr;
6591
6592 err = nft_expr_clone(expr, set->exprs[i], GFP_KERNEL_ACCOUNT);
6593 if (err < 0) {
6594 kfree(expr);
6595 goto err_expr;
6596 }
6597 expr_array[i] = expr;
6598 }
6599
6600 return 0;
6601
6602 err_expr:
6603 for (k = i - 1; k >= 0; k--)
6604 nft_expr_destroy(ctx, expr_array[k]);
6605
6606 return -ENOMEM;
6607 }
6608
nft_set_elem_expr_setup(struct nft_ctx * ctx,const struct nft_set_ext_tmpl * tmpl,const struct nft_set_ext * ext,struct nft_expr * expr_array[],u32 num_exprs)6609 static int nft_set_elem_expr_setup(struct nft_ctx *ctx,
6610 const struct nft_set_ext_tmpl *tmpl,
6611 const struct nft_set_ext *ext,
6612 struct nft_expr *expr_array[],
6613 u32 num_exprs)
6614 {
6615 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
6616 u32 len = sizeof(struct nft_set_elem_expr);
6617 struct nft_expr *expr;
6618 int i, err;
6619
6620 if (num_exprs == 0)
6621 return 0;
6622
6623 for (i = 0; i < num_exprs; i++)
6624 len += expr_array[i]->ops->size;
6625
6626 if (nft_set_ext_check(tmpl, NFT_SET_EXT_EXPRESSIONS, len) < 0)
6627 return -EINVAL;
6628
6629 for (i = 0; i < num_exprs; i++) {
6630 expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
6631 err = nft_expr_clone(expr, expr_array[i], GFP_KERNEL_ACCOUNT);
6632 if (err < 0)
6633 goto err_elem_expr_setup;
6634
6635 elem_expr->size += expr_array[i]->ops->size;
6636 nft_expr_destroy(ctx, expr_array[i]);
6637 expr_array[i] = NULL;
6638 }
6639
6640 return 0;
6641
6642 err_elem_expr_setup:
6643 for (; i < num_exprs; i++) {
6644 nft_expr_destroy(ctx, expr_array[i]);
6645 expr_array[i] = NULL;
6646 }
6647
6648 return -ENOMEM;
6649 }
6650
nft_set_catchall_lookup(const struct net * net,const struct nft_set * set)6651 struct nft_set_ext *nft_set_catchall_lookup(const struct net *net,
6652 const struct nft_set *set)
6653 {
6654 struct nft_set_elem_catchall *catchall;
6655 u8 genmask = nft_genmask_cur(net);
6656 struct nft_set_ext *ext;
6657
6658 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6659 ext = nft_set_elem_ext(set, catchall->elem);
6660 if (nft_set_elem_active(ext, genmask) &&
6661 !nft_set_elem_expired(ext) &&
6662 !nft_set_elem_is_dead(ext))
6663 return ext;
6664 }
6665
6666 return NULL;
6667 }
6668 EXPORT_SYMBOL_GPL(nft_set_catchall_lookup);
6669
nft_setelem_catchall_insert(const struct net * net,struct nft_set * set,const struct nft_set_elem * elem,struct nft_elem_priv ** priv)6670 static int nft_setelem_catchall_insert(const struct net *net,
6671 struct nft_set *set,
6672 const struct nft_set_elem *elem,
6673 struct nft_elem_priv **priv)
6674 {
6675 struct nft_set_elem_catchall *catchall;
6676 u8 genmask = nft_genmask_next(net);
6677 struct nft_set_ext *ext;
6678
6679 list_for_each_entry(catchall, &set->catchall_list, list) {
6680 ext = nft_set_elem_ext(set, catchall->elem);
6681 if (nft_set_elem_active(ext, genmask)) {
6682 *priv = catchall->elem;
6683 return -EEXIST;
6684 }
6685 }
6686
6687 catchall = kmalloc(sizeof(*catchall), GFP_KERNEL_ACCOUNT);
6688 if (!catchall)
6689 return -ENOMEM;
6690
6691 catchall->elem = elem->priv;
6692 list_add_tail_rcu(&catchall->list, &set->catchall_list);
6693
6694 return 0;
6695 }
6696
nft_setelem_insert(const struct net * net,struct nft_set * set,const struct nft_set_elem * elem,struct nft_elem_priv ** elem_priv,unsigned int flags)6697 static int nft_setelem_insert(const struct net *net,
6698 struct nft_set *set,
6699 const struct nft_set_elem *elem,
6700 struct nft_elem_priv **elem_priv,
6701 unsigned int flags)
6702 {
6703 int ret;
6704
6705 if (flags & NFT_SET_ELEM_CATCHALL)
6706 ret = nft_setelem_catchall_insert(net, set, elem, elem_priv);
6707 else
6708 ret = set->ops->insert(net, set, elem, elem_priv);
6709
6710 return ret;
6711 }
6712
nft_setelem_is_catchall(const struct nft_set * set,const struct nft_elem_priv * elem_priv)6713 static bool nft_setelem_is_catchall(const struct nft_set *set,
6714 const struct nft_elem_priv *elem_priv)
6715 {
6716 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6717
6718 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6719 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL)
6720 return true;
6721
6722 return false;
6723 }
6724
nft_setelem_activate(struct net * net,struct nft_set * set,struct nft_elem_priv * elem_priv)6725 static void nft_setelem_activate(struct net *net, struct nft_set *set,
6726 struct nft_elem_priv *elem_priv)
6727 {
6728 struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
6729
6730 if (nft_setelem_is_catchall(set, elem_priv)) {
6731 nft_clear(net, ext);
6732 } else {
6733 set->ops->activate(net, set, elem_priv);
6734 }
6735 }
6736
nft_setelem_catchall_deactivate(const struct net * net,struct nft_set * set,struct nft_set_elem * elem)6737 static int nft_setelem_catchall_deactivate(const struct net *net,
6738 struct nft_set *set,
6739 struct nft_set_elem *elem)
6740 {
6741 struct nft_set_elem_catchall *catchall;
6742 struct nft_set_ext *ext;
6743
6744 list_for_each_entry(catchall, &set->catchall_list, list) {
6745 ext = nft_set_elem_ext(set, catchall->elem);
6746 if (!nft_is_active_next(net, ext))
6747 continue;
6748
6749 kfree(elem->priv);
6750 elem->priv = catchall->elem;
6751 nft_set_elem_change_active(net, set, ext);
6752 return 0;
6753 }
6754
6755 return -ENOENT;
6756 }
6757
__nft_setelem_deactivate(const struct net * net,struct nft_set * set,struct nft_set_elem * elem)6758 static int __nft_setelem_deactivate(const struct net *net,
6759 struct nft_set *set,
6760 struct nft_set_elem *elem)
6761 {
6762 void *priv;
6763
6764 priv = set->ops->deactivate(net, set, elem);
6765 if (!priv)
6766 return -ENOENT;
6767
6768 kfree(elem->priv);
6769 elem->priv = priv;
6770 set->ndeact++;
6771
6772 return 0;
6773 }
6774
nft_setelem_deactivate(const struct net * net,struct nft_set * set,struct nft_set_elem * elem,u32 flags)6775 static int nft_setelem_deactivate(const struct net *net,
6776 struct nft_set *set,
6777 struct nft_set_elem *elem, u32 flags)
6778 {
6779 int ret;
6780
6781 if (flags & NFT_SET_ELEM_CATCHALL)
6782 ret = nft_setelem_catchall_deactivate(net, set, elem);
6783 else
6784 ret = __nft_setelem_deactivate(net, set, elem);
6785
6786 return ret;
6787 }
6788
nft_setelem_catchall_destroy(struct nft_set_elem_catchall * catchall)6789 static void nft_setelem_catchall_destroy(struct nft_set_elem_catchall *catchall)
6790 {
6791 list_del_rcu(&catchall->list);
6792 kfree_rcu(catchall, rcu);
6793 }
6794
nft_setelem_catchall_remove(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)6795 static void nft_setelem_catchall_remove(const struct net *net,
6796 const struct nft_set *set,
6797 struct nft_elem_priv *elem_priv)
6798 {
6799 struct nft_set_elem_catchall *catchall, *next;
6800
6801 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
6802 if (catchall->elem == elem_priv) {
6803 nft_setelem_catchall_destroy(catchall);
6804 break;
6805 }
6806 }
6807 }
6808
nft_setelem_remove(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)6809 static void nft_setelem_remove(const struct net *net,
6810 const struct nft_set *set,
6811 struct nft_elem_priv *elem_priv)
6812 {
6813 if (nft_setelem_is_catchall(set, elem_priv))
6814 nft_setelem_catchall_remove(net, set, elem_priv);
6815 else
6816 set->ops->remove(net, set, elem_priv);
6817 }
6818
nft_setelem_valid_key_end(const struct nft_set * set,struct nlattr ** nla,u32 flags)6819 static bool nft_setelem_valid_key_end(const struct nft_set *set,
6820 struct nlattr **nla, u32 flags)
6821 {
6822 if ((set->flags & (NFT_SET_CONCAT | NFT_SET_INTERVAL)) ==
6823 (NFT_SET_CONCAT | NFT_SET_INTERVAL)) {
6824 if (flags & NFT_SET_ELEM_INTERVAL_END)
6825 return false;
6826
6827 if (nla[NFTA_SET_ELEM_KEY_END] &&
6828 flags & NFT_SET_ELEM_CATCHALL)
6829 return false;
6830 } else {
6831 if (nla[NFTA_SET_ELEM_KEY_END])
6832 return false;
6833 }
6834
6835 return true;
6836 }
6837
nft_add_set_elem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr,u32 nlmsg_flags)6838 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
6839 const struct nlattr *attr, u32 nlmsg_flags)
6840 {
6841 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {};
6842 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6843 u8 genmask = nft_genmask_next(ctx->net);
6844 u32 flags = 0, size = 0, num_exprs = 0;
6845 struct nft_set_ext_tmpl tmpl;
6846 struct nft_set_ext *ext, *ext2;
6847 struct nft_set_elem elem;
6848 struct nft_set_binding *binding;
6849 struct nft_elem_priv *elem_priv;
6850 struct nft_object *obj = NULL;
6851 struct nft_userdata *udata;
6852 struct nft_data_desc desc;
6853 enum nft_registers dreg;
6854 struct nft_trans *trans;
6855 u8 update_flags;
6856 u64 expiration;
6857 u64 timeout;
6858 int err, i;
6859 u8 ulen;
6860
6861 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6862 nft_set_elem_policy, NULL);
6863 if (err < 0)
6864 return err;
6865
6866 nft_set_ext_prepare(&tmpl);
6867
6868 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6869 if (err < 0)
6870 return err;
6871
6872 if (((flags & NFT_SET_ELEM_CATCHALL) && nla[NFTA_SET_ELEM_KEY]) ||
6873 (!(flags & NFT_SET_ELEM_CATCHALL) && !nla[NFTA_SET_ELEM_KEY]))
6874 return -EINVAL;
6875
6876 if (flags != 0) {
6877 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
6878 if (err < 0)
6879 return err;
6880 }
6881
6882 if (set->flags & NFT_SET_MAP) {
6883 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
6884 !(flags & NFT_SET_ELEM_INTERVAL_END))
6885 return -EINVAL;
6886 } else {
6887 if (nla[NFTA_SET_ELEM_DATA] != NULL)
6888 return -EINVAL;
6889 }
6890
6891 if (set->flags & NFT_SET_OBJECT) {
6892 if (!nla[NFTA_SET_ELEM_OBJREF] &&
6893 !(flags & NFT_SET_ELEM_INTERVAL_END))
6894 return -EINVAL;
6895 } else {
6896 if (nla[NFTA_SET_ELEM_OBJREF])
6897 return -EINVAL;
6898 }
6899
6900 if (!nft_setelem_valid_key_end(set, nla, flags))
6901 return -EINVAL;
6902
6903 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
6904 (nla[NFTA_SET_ELEM_DATA] ||
6905 nla[NFTA_SET_ELEM_OBJREF] ||
6906 nla[NFTA_SET_ELEM_TIMEOUT] ||
6907 nla[NFTA_SET_ELEM_EXPIRATION] ||
6908 nla[NFTA_SET_ELEM_USERDATA] ||
6909 nla[NFTA_SET_ELEM_EXPR] ||
6910 nla[NFTA_SET_ELEM_KEY_END] ||
6911 nla[NFTA_SET_ELEM_EXPRESSIONS]))
6912 return -EINVAL;
6913
6914 timeout = 0;
6915 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
6916 if (!(set->flags & NFT_SET_TIMEOUT))
6917 return -EINVAL;
6918 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
6919 &timeout);
6920 if (err)
6921 return err;
6922 } else if (set->flags & NFT_SET_TIMEOUT &&
6923 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
6924 timeout = set->timeout;
6925 }
6926
6927 expiration = 0;
6928 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
6929 if (!(set->flags & NFT_SET_TIMEOUT))
6930 return -EINVAL;
6931 if (timeout == 0)
6932 return -EOPNOTSUPP;
6933
6934 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
6935 &expiration);
6936 if (err)
6937 return err;
6938
6939 if (expiration > timeout)
6940 return -ERANGE;
6941 }
6942
6943 if (nla[NFTA_SET_ELEM_EXPR]) {
6944 struct nft_expr *expr;
6945
6946 if (set->num_exprs && set->num_exprs != 1)
6947 return -EOPNOTSUPP;
6948
6949 expr = nft_set_elem_expr_alloc(ctx, set,
6950 nla[NFTA_SET_ELEM_EXPR]);
6951 if (IS_ERR(expr))
6952 return PTR_ERR(expr);
6953
6954 expr_array[0] = expr;
6955 num_exprs = 1;
6956
6957 if (set->num_exprs && set->exprs[0]->ops != expr->ops) {
6958 err = -EOPNOTSUPP;
6959 goto err_set_elem_expr;
6960 }
6961 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) {
6962 struct nft_expr *expr;
6963 struct nlattr *tmp;
6964 int left;
6965
6966 i = 0;
6967 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) {
6968 if (i == NFT_SET_EXPR_MAX ||
6969 (set->num_exprs && set->num_exprs == i)) {
6970 err = -E2BIG;
6971 goto err_set_elem_expr;
6972 }
6973 if (nla_type(tmp) != NFTA_LIST_ELEM) {
6974 err = -EINVAL;
6975 goto err_set_elem_expr;
6976 }
6977 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
6978 if (IS_ERR(expr)) {
6979 err = PTR_ERR(expr);
6980 goto err_set_elem_expr;
6981 }
6982 expr_array[i] = expr;
6983 num_exprs++;
6984
6985 if (set->num_exprs && expr->ops != set->exprs[i]->ops) {
6986 err = -EOPNOTSUPP;
6987 goto err_set_elem_expr;
6988 }
6989 i++;
6990 }
6991 if (set->num_exprs && set->num_exprs != i) {
6992 err = -EOPNOTSUPP;
6993 goto err_set_elem_expr;
6994 }
6995 } else if (set->num_exprs > 0 &&
6996 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
6997 err = nft_set_elem_expr_clone(ctx, set, expr_array);
6998 if (err < 0)
6999 goto err_set_elem_expr_clone;
7000
7001 num_exprs = set->num_exprs;
7002 }
7003
7004 if (nla[NFTA_SET_ELEM_KEY]) {
7005 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
7006 nla[NFTA_SET_ELEM_KEY]);
7007 if (err < 0)
7008 goto err_set_elem_expr;
7009
7010 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
7011 if (err < 0)
7012 goto err_parse_key;
7013 }
7014
7015 if (nla[NFTA_SET_ELEM_KEY_END]) {
7016 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
7017 nla[NFTA_SET_ELEM_KEY_END]);
7018 if (err < 0)
7019 goto err_parse_key;
7020
7021 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
7022 if (err < 0)
7023 goto err_parse_key_end;
7024 }
7025
7026 if (set->flags & NFT_SET_TIMEOUT) {
7027 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
7028 if (err < 0)
7029 goto err_parse_key_end;
7030 }
7031
7032 if (num_exprs) {
7033 for (i = 0; i < num_exprs; i++)
7034 size += expr_array[i]->ops->size;
7035
7036 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS,
7037 sizeof(struct nft_set_elem_expr) + size);
7038 if (err < 0)
7039 goto err_parse_key_end;
7040 }
7041
7042 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
7043 obj = nft_obj_lookup(ctx->net, ctx->table,
7044 nla[NFTA_SET_ELEM_OBJREF],
7045 set->objtype, genmask);
7046 if (IS_ERR(obj)) {
7047 err = PTR_ERR(obj);
7048 obj = NULL;
7049 goto err_parse_key_end;
7050 }
7051
7052 if (!nft_use_inc(&obj->use)) {
7053 err = -EMFILE;
7054 obj = NULL;
7055 goto err_parse_key_end;
7056 }
7057
7058 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
7059 if (err < 0)
7060 goto err_parse_key_end;
7061 }
7062
7063 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
7064 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
7065 nla[NFTA_SET_ELEM_DATA]);
7066 if (err < 0)
7067 goto err_parse_key_end;
7068
7069 dreg = nft_type_to_reg(set->dtype);
7070 list_for_each_entry(binding, &set->bindings, list) {
7071 struct nft_ctx bind_ctx = {
7072 .net = ctx->net,
7073 .family = ctx->family,
7074 .table = ctx->table,
7075 .chain = (struct nft_chain *)binding->chain,
7076 };
7077
7078 if (!(binding->flags & NFT_SET_MAP))
7079 continue;
7080
7081 err = nft_validate_register_store(&bind_ctx, dreg,
7082 &elem.data.val,
7083 desc.type, desc.len);
7084 if (err < 0)
7085 goto err_parse_data;
7086
7087 if (desc.type == NFT_DATA_VERDICT &&
7088 (elem.data.val.verdict.code == NFT_GOTO ||
7089 elem.data.val.verdict.code == NFT_JUMP))
7090 nft_validate_state_update(ctx->table,
7091 NFT_VALIDATE_NEED);
7092 }
7093
7094 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
7095 if (err < 0)
7096 goto err_parse_data;
7097 }
7098
7099 /* The full maximum length of userdata can exceed the maximum
7100 * offset value (U8_MAX) for following extensions, therefor it
7101 * must be the last extension added.
7102 */
7103 ulen = 0;
7104 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
7105 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
7106 if (ulen > 0) {
7107 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
7108 ulen);
7109 if (err < 0)
7110 goto err_parse_data;
7111 }
7112 }
7113
7114 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
7115 elem.key_end.val.data, elem.data.val.data,
7116 timeout, expiration, GFP_KERNEL_ACCOUNT);
7117 if (IS_ERR(elem.priv)) {
7118 err = PTR_ERR(elem.priv);
7119 goto err_parse_data;
7120 }
7121
7122 ext = nft_set_elem_ext(set, elem.priv);
7123 if (flags)
7124 *nft_set_ext_flags(ext) = flags;
7125
7126 if (obj)
7127 *nft_set_ext_obj(ext) = obj;
7128
7129 if (ulen > 0) {
7130 if (nft_set_ext_check(&tmpl, NFT_SET_EXT_USERDATA, ulen) < 0) {
7131 err = -EINVAL;
7132 goto err_elem_free;
7133 }
7134 udata = nft_set_ext_userdata(ext);
7135 udata->len = ulen - 1;
7136 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
7137 }
7138 err = nft_set_elem_expr_setup(ctx, &tmpl, ext, expr_array, num_exprs);
7139 if (err < 0)
7140 goto err_elem_free;
7141
7142 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
7143 if (trans == NULL) {
7144 err = -ENOMEM;
7145 goto err_elem_free;
7146 }
7147
7148 ext->genmask = nft_genmask_cur(ctx->net);
7149
7150 err = nft_setelem_insert(ctx->net, set, &elem, &elem_priv, flags);
7151 if (err) {
7152 if (err == -EEXIST) {
7153 ext2 = nft_set_elem_ext(set, elem_priv);
7154 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
7155 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
7156 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
7157 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
7158 goto err_element_clash;
7159 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
7160 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
7161 memcmp(nft_set_ext_data(ext),
7162 nft_set_ext_data(ext2), set->dlen) != 0) ||
7163 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
7164 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
7165 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
7166 goto err_element_clash;
7167 else if (!(nlmsg_flags & NLM_F_EXCL)) {
7168 err = 0;
7169 if (nft_set_ext_exists(ext2, NFT_SET_EXT_TIMEOUT)) {
7170 update_flags = 0;
7171 if (timeout != nft_set_ext_timeout(ext2)->timeout) {
7172 nft_trans_elem_timeout(trans) = timeout;
7173 if (expiration == 0)
7174 expiration = timeout;
7175
7176 update_flags |= NFT_TRANS_UPD_TIMEOUT;
7177 }
7178 if (expiration) {
7179 nft_trans_elem_expiration(trans) = expiration;
7180 update_flags |= NFT_TRANS_UPD_EXPIRATION;
7181 }
7182
7183 if (update_flags) {
7184 nft_trans_elem_priv(trans) = elem_priv;
7185 nft_trans_elem_update_flags(trans) = update_flags;
7186 nft_trans_commit_list_add_tail(ctx->net, trans);
7187 goto err_elem_free;
7188 }
7189 }
7190 }
7191 } else if (err == -ENOTEMPTY) {
7192 /* ENOTEMPTY reports overlapping between this element
7193 * and an existing one.
7194 */
7195 err = -EEXIST;
7196 }
7197 goto err_element_clash;
7198 }
7199
7200 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
7201 unsigned int max = set->size ? set->size + set->ndeact : UINT_MAX;
7202
7203 if (!atomic_add_unless(&set->nelems, 1, max)) {
7204 err = -ENFILE;
7205 goto err_set_full;
7206 }
7207 }
7208
7209 nft_trans_elem_priv(trans) = elem.priv;
7210 nft_trans_commit_list_add_tail(ctx->net, trans);
7211 return 0;
7212
7213 err_set_full:
7214 nft_setelem_remove(ctx->net, set, elem.priv);
7215 err_element_clash:
7216 kfree(trans);
7217 err_elem_free:
7218 nf_tables_set_elem_destroy(ctx, set, elem.priv);
7219 err_parse_data:
7220 if (nla[NFTA_SET_ELEM_DATA] != NULL)
7221 nft_data_release(&elem.data.val, desc.type);
7222 err_parse_key_end:
7223 if (obj)
7224 nft_use_dec_restore(&obj->use);
7225
7226 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
7227 err_parse_key:
7228 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
7229 err_set_elem_expr:
7230 for (i = 0; i < num_exprs && expr_array[i]; i++)
7231 nft_expr_destroy(ctx, expr_array[i]);
7232 err_set_elem_expr_clone:
7233 return err;
7234 }
7235
nf_tables_newsetelem(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])7236 static int nf_tables_newsetelem(struct sk_buff *skb,
7237 const struct nfnl_info *info,
7238 const struct nlattr * const nla[])
7239 {
7240 struct netlink_ext_ack *extack = info->extack;
7241 u8 genmask = nft_genmask_next(info->net);
7242 u8 family = info->nfmsg->nfgen_family;
7243 struct net *net = info->net;
7244 const struct nlattr *attr;
7245 struct nft_table *table;
7246 struct nft_set *set;
7247 struct nft_ctx ctx;
7248 int rem, err;
7249
7250 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
7251 return -EINVAL;
7252
7253 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
7254 genmask, NETLINK_CB(skb).portid);
7255 if (IS_ERR(table)) {
7256 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
7257 return PTR_ERR(table);
7258 }
7259
7260 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET],
7261 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
7262 if (IS_ERR(set)) {
7263 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
7264 return PTR_ERR(set);
7265 }
7266
7267 if (!list_empty(&set->bindings) &&
7268 (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS)))
7269 return -EBUSY;
7270
7271 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7272
7273 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
7274 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags);
7275 if (err < 0) {
7276 NL_SET_BAD_ATTR(extack, attr);
7277 return err;
7278 }
7279 }
7280
7281 if (table->validate_state == NFT_VALIDATE_DO)
7282 return nft_table_validate(net, table);
7283
7284 return 0;
7285 }
7286
7287 /**
7288 * nft_data_hold - hold a nft_data item
7289 *
7290 * @data: struct nft_data to release
7291 * @type: type of data
7292 *
7293 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7294 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
7295 * NFT_GOTO verdicts. This function must be called on active data objects
7296 * from the second phase of the commit protocol.
7297 */
nft_data_hold(const struct nft_data * data,enum nft_data_types type)7298 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
7299 {
7300 struct nft_chain *chain;
7301
7302 if (type == NFT_DATA_VERDICT) {
7303 switch (data->verdict.code) {
7304 case NFT_JUMP:
7305 case NFT_GOTO:
7306 chain = data->verdict.chain;
7307 nft_use_inc_restore(&chain->use);
7308 break;
7309 }
7310 }
7311 }
7312
nft_setelem_active_next(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)7313 static int nft_setelem_active_next(const struct net *net,
7314 const struct nft_set *set,
7315 struct nft_elem_priv *elem_priv)
7316 {
7317 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7318 u8 genmask = nft_genmask_next(net);
7319
7320 return nft_set_elem_active(ext, genmask);
7321 }
7322
nft_setelem_data_activate(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)7323 static void nft_setelem_data_activate(const struct net *net,
7324 const struct nft_set *set,
7325 struct nft_elem_priv *elem_priv)
7326 {
7327 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7328
7329 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
7330 nft_data_hold(nft_set_ext_data(ext), set->dtype);
7331 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
7332 nft_use_inc_restore(&(*nft_set_ext_obj(ext))->use);
7333 }
7334
nft_setelem_data_deactivate(const struct net * net,const struct nft_set * set,struct nft_elem_priv * elem_priv)7335 void nft_setelem_data_deactivate(const struct net *net,
7336 const struct nft_set *set,
7337 struct nft_elem_priv *elem_priv)
7338 {
7339 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7340
7341 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
7342 nft_data_release(nft_set_ext_data(ext), set->dtype);
7343 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
7344 nft_use_dec(&(*nft_set_ext_obj(ext))->use);
7345 }
7346
nft_del_setelem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr)7347 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
7348 const struct nlattr *attr)
7349 {
7350 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
7351 struct nft_set_ext_tmpl tmpl;
7352 struct nft_set_elem elem;
7353 struct nft_set_ext *ext;
7354 struct nft_trans *trans;
7355 u32 flags = 0;
7356 int err;
7357
7358 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
7359 nft_set_elem_policy, NULL);
7360 if (err < 0)
7361 return err;
7362
7363 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
7364 if (err < 0)
7365 return err;
7366
7367 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
7368 return -EINVAL;
7369
7370 if (!nft_setelem_valid_key_end(set, nla, flags))
7371 return -EINVAL;
7372
7373 nft_set_ext_prepare(&tmpl);
7374
7375 if (flags != 0) {
7376 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
7377 if (err < 0)
7378 return err;
7379 }
7380
7381 if (nla[NFTA_SET_ELEM_KEY]) {
7382 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
7383 nla[NFTA_SET_ELEM_KEY]);
7384 if (err < 0)
7385 return err;
7386
7387 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
7388 if (err < 0)
7389 goto fail_elem;
7390 }
7391
7392 if (nla[NFTA_SET_ELEM_KEY_END]) {
7393 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
7394 nla[NFTA_SET_ELEM_KEY_END]);
7395 if (err < 0)
7396 goto fail_elem;
7397
7398 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
7399 if (err < 0)
7400 goto fail_elem_key_end;
7401 }
7402
7403 err = -ENOMEM;
7404 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
7405 elem.key_end.val.data, NULL, 0, 0,
7406 GFP_KERNEL_ACCOUNT);
7407 if (IS_ERR(elem.priv)) {
7408 err = PTR_ERR(elem.priv);
7409 goto fail_elem_key_end;
7410 }
7411
7412 ext = nft_set_elem_ext(set, elem.priv);
7413 if (flags)
7414 *nft_set_ext_flags(ext) = flags;
7415
7416 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
7417 if (trans == NULL)
7418 goto fail_trans;
7419
7420 err = nft_setelem_deactivate(ctx->net, set, &elem, flags);
7421 if (err < 0)
7422 goto fail_ops;
7423
7424 nft_setelem_data_deactivate(ctx->net, set, elem.priv);
7425
7426 nft_trans_elem_priv(trans) = elem.priv;
7427 nft_trans_commit_list_add_tail(ctx->net, trans);
7428 return 0;
7429
7430 fail_ops:
7431 kfree(trans);
7432 fail_trans:
7433 kfree(elem.priv);
7434 fail_elem_key_end:
7435 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
7436 fail_elem:
7437 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
7438 return err;
7439 }
7440
nft_setelem_flush(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_elem_priv * elem_priv)7441 static int nft_setelem_flush(const struct nft_ctx *ctx,
7442 struct nft_set *set,
7443 const struct nft_set_iter *iter,
7444 struct nft_elem_priv *elem_priv)
7445 {
7446 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
7447 struct nft_trans *trans;
7448
7449 if (!nft_set_elem_active(ext, iter->genmask))
7450 return 0;
7451
7452 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
7453 sizeof(struct nft_trans_elem), GFP_ATOMIC);
7454 if (!trans)
7455 return -ENOMEM;
7456
7457 set->ops->flush(ctx->net, set, elem_priv);
7458 set->ndeact++;
7459
7460 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
7461 nft_trans_elem_set(trans) = set;
7462 nft_trans_elem_priv(trans) = elem_priv;
7463 nft_trans_commit_list_add_tail(ctx->net, trans);
7464
7465 return 0;
7466 }
7467
__nft_set_catchall_flush(const struct nft_ctx * ctx,struct nft_set * set,struct nft_elem_priv * elem_priv)7468 static int __nft_set_catchall_flush(const struct nft_ctx *ctx,
7469 struct nft_set *set,
7470 struct nft_elem_priv *elem_priv)
7471 {
7472 struct nft_trans *trans;
7473
7474 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
7475 sizeof(struct nft_trans_elem), GFP_KERNEL);
7476 if (!trans)
7477 return -ENOMEM;
7478
7479 nft_setelem_data_deactivate(ctx->net, set, elem_priv);
7480 nft_trans_elem_set(trans) = set;
7481 nft_trans_elem_priv(trans) = elem_priv;
7482 nft_trans_commit_list_add_tail(ctx->net, trans);
7483
7484 return 0;
7485 }
7486
nft_set_catchall_flush(const struct nft_ctx * ctx,struct nft_set * set)7487 static int nft_set_catchall_flush(const struct nft_ctx *ctx,
7488 struct nft_set *set)
7489 {
7490 u8 genmask = nft_genmask_next(ctx->net);
7491 struct nft_set_elem_catchall *catchall;
7492 struct nft_set_ext *ext;
7493 int ret = 0;
7494
7495 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
7496 ext = nft_set_elem_ext(set, catchall->elem);
7497 if (!nft_set_elem_active(ext, genmask))
7498 continue;
7499
7500 ret = __nft_set_catchall_flush(ctx, set, catchall->elem);
7501 if (ret < 0)
7502 break;
7503 nft_set_elem_change_active(ctx->net, set, ext);
7504 }
7505
7506 return ret;
7507 }
7508
nft_set_flush(struct nft_ctx * ctx,struct nft_set * set,u8 genmask)7509 static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask)
7510 {
7511 struct nft_set_iter iter = {
7512 .genmask = genmask,
7513 .type = NFT_ITER_UPDATE,
7514 .fn = nft_setelem_flush,
7515 };
7516
7517 set->ops->walk(ctx, set, &iter);
7518 if (!iter.err)
7519 iter.err = nft_set_catchall_flush(ctx, set);
7520
7521 return iter.err;
7522 }
7523
nf_tables_delsetelem(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])7524 static int nf_tables_delsetelem(struct sk_buff *skb,
7525 const struct nfnl_info *info,
7526 const struct nlattr * const nla[])
7527 {
7528 struct netlink_ext_ack *extack = info->extack;
7529 u8 genmask = nft_genmask_next(info->net);
7530 u8 family = info->nfmsg->nfgen_family;
7531 struct net *net = info->net;
7532 const struct nlattr *attr;
7533 struct nft_table *table;
7534 struct nft_set *set;
7535 struct nft_ctx ctx;
7536 int rem, err = 0;
7537
7538 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
7539 genmask, NETLINK_CB(skb).portid);
7540 if (IS_ERR(table)) {
7541 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
7542 return PTR_ERR(table);
7543 }
7544
7545 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
7546 if (IS_ERR(set)) {
7547 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
7548 return PTR_ERR(set);
7549 }
7550
7551 if (nft_set_is_anonymous(set))
7552 return -EOPNOTSUPP;
7553
7554 if (!list_empty(&set->bindings) && (set->flags & NFT_SET_CONSTANT))
7555 return -EBUSY;
7556
7557 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7558
7559 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
7560 return nft_set_flush(&ctx, set, genmask);
7561
7562 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
7563 err = nft_del_setelem(&ctx, set, attr);
7564 if (err == -ENOENT &&
7565 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSETELEM)
7566 continue;
7567
7568 if (err < 0) {
7569 NL_SET_BAD_ATTR(extack, attr);
7570 return err;
7571 }
7572 }
7573
7574 return 0;
7575 }
7576
7577 /*
7578 * Stateful objects
7579 */
7580
7581 /**
7582 * nft_register_obj- register nf_tables stateful object type
7583 * @obj_type: object type
7584 *
7585 * Registers the object type for use with nf_tables. Returns zero on
7586 * success or a negative errno code otherwise.
7587 */
nft_register_obj(struct nft_object_type * obj_type)7588 int nft_register_obj(struct nft_object_type *obj_type)
7589 {
7590 if (obj_type->type == NFT_OBJECT_UNSPEC)
7591 return -EINVAL;
7592
7593 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7594 list_add_rcu(&obj_type->list, &nf_tables_objects);
7595 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7596 return 0;
7597 }
7598 EXPORT_SYMBOL_GPL(nft_register_obj);
7599
7600 /**
7601 * nft_unregister_obj - unregister nf_tables object type
7602 * @obj_type: object type
7603 *
7604 * Unregisters the object type for use with nf_tables.
7605 */
nft_unregister_obj(struct nft_object_type * obj_type)7606 void nft_unregister_obj(struct nft_object_type *obj_type)
7607 {
7608 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7609 list_del_rcu(&obj_type->list);
7610 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7611 }
7612 EXPORT_SYMBOL_GPL(nft_unregister_obj);
7613
nft_obj_lookup(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u32 objtype,u8 genmask)7614 struct nft_object *nft_obj_lookup(const struct net *net,
7615 const struct nft_table *table,
7616 const struct nlattr *nla, u32 objtype,
7617 u8 genmask)
7618 {
7619 struct nft_object_hash_key k = { .table = table };
7620 char search[NFT_OBJ_MAXNAMELEN];
7621 struct rhlist_head *tmp, *list;
7622 struct nft_object *obj;
7623
7624 nla_strscpy(search, nla, sizeof(search));
7625 k.name = search;
7626
7627 WARN_ON_ONCE(!rcu_read_lock_held() &&
7628 !lockdep_commit_lock_is_held(net));
7629
7630 rcu_read_lock();
7631 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
7632 if (!list)
7633 goto out;
7634
7635 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
7636 if (objtype == obj->ops->type->type &&
7637 nft_active_genmask(obj, genmask)) {
7638 rcu_read_unlock();
7639 return obj;
7640 }
7641 }
7642 out:
7643 rcu_read_unlock();
7644 return ERR_PTR(-ENOENT);
7645 }
7646 EXPORT_SYMBOL_GPL(nft_obj_lookup);
7647
nft_obj_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u32 objtype,u8 genmask)7648 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
7649 const struct nlattr *nla,
7650 u32 objtype, u8 genmask)
7651 {
7652 struct nft_object *obj;
7653
7654 list_for_each_entry(obj, &table->objects, list) {
7655 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
7656 objtype == obj->ops->type->type &&
7657 nft_active_genmask(obj, genmask))
7658 return obj;
7659 }
7660 return ERR_PTR(-ENOENT);
7661 }
7662
7663 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
7664 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
7665 .len = NFT_TABLE_MAXNAMELEN - 1 },
7666 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
7667 .len = NFT_OBJ_MAXNAMELEN - 1 },
7668 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
7669 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
7670 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
7671 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY,
7672 .len = NFT_USERDATA_MAXLEN },
7673 };
7674
nft_obj_init(const struct nft_ctx * ctx,const struct nft_object_type * type,const struct nlattr * attr)7675 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
7676 const struct nft_object_type *type,
7677 const struct nlattr *attr)
7678 {
7679 struct nlattr **tb;
7680 const struct nft_object_ops *ops;
7681 struct nft_object *obj;
7682 int err = -ENOMEM;
7683
7684 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
7685 if (!tb)
7686 goto err1;
7687
7688 if (attr) {
7689 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
7690 type->policy, NULL);
7691 if (err < 0)
7692 goto err2;
7693 } else {
7694 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
7695 }
7696
7697 if (type->select_ops) {
7698 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
7699 if (IS_ERR(ops)) {
7700 err = PTR_ERR(ops);
7701 goto err2;
7702 }
7703 } else {
7704 ops = type->ops;
7705 }
7706
7707 err = -ENOMEM;
7708 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT);
7709 if (!obj)
7710 goto err2;
7711
7712 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
7713 if (err < 0)
7714 goto err3;
7715
7716 obj->ops = ops;
7717
7718 kfree(tb);
7719 return obj;
7720 err3:
7721 kfree(obj);
7722 err2:
7723 kfree(tb);
7724 err1:
7725 return ERR_PTR(err);
7726 }
7727
nft_object_dump(struct sk_buff * skb,unsigned int attr,struct nft_object * obj,bool reset)7728 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
7729 struct nft_object *obj, bool reset)
7730 {
7731 struct nlattr *nest;
7732
7733 nest = nla_nest_start_noflag(skb, attr);
7734 if (!nest)
7735 goto nla_put_failure;
7736 if (obj->ops->dump(skb, obj, reset) < 0)
7737 goto nla_put_failure;
7738 nla_nest_end(skb, nest);
7739 return 0;
7740
7741 nla_put_failure:
7742 return -1;
7743 }
7744
__nft_obj_type_get(u32 objtype,u8 family)7745 static const struct nft_object_type *__nft_obj_type_get(u32 objtype, u8 family)
7746 {
7747 const struct nft_object_type *type;
7748
7749 list_for_each_entry_rcu(type, &nf_tables_objects, list) {
7750 if (type->family != NFPROTO_UNSPEC &&
7751 type->family != family)
7752 continue;
7753
7754 if (objtype == type->type)
7755 return type;
7756 }
7757 return NULL;
7758 }
7759
7760 static const struct nft_object_type *
nft_obj_type_get(struct net * net,u32 objtype,u8 family)7761 nft_obj_type_get(struct net *net, u32 objtype, u8 family)
7762 {
7763 const struct nft_object_type *type;
7764
7765 rcu_read_lock();
7766 type = __nft_obj_type_get(objtype, family);
7767 if (type != NULL && try_module_get(type->owner)) {
7768 rcu_read_unlock();
7769 return type;
7770 }
7771 rcu_read_unlock();
7772
7773 lockdep_nfnl_nft_mutex_not_held();
7774 #ifdef CONFIG_MODULES
7775 if (type == NULL) {
7776 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
7777 return ERR_PTR(-EAGAIN);
7778 }
7779 #endif
7780 return ERR_PTR(-ENOENT);
7781 }
7782
nf_tables_updobj(const struct nft_ctx * ctx,const struct nft_object_type * type,const struct nlattr * attr,struct nft_object * obj)7783 static int nf_tables_updobj(const struct nft_ctx *ctx,
7784 const struct nft_object_type *type,
7785 const struct nlattr *attr,
7786 struct nft_object *obj)
7787 {
7788 struct nft_object *newobj;
7789 struct nft_trans *trans;
7790 int err = -ENOMEM;
7791
7792 if (!try_module_get(type->owner))
7793 return -ENOENT;
7794
7795 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
7796 sizeof(struct nft_trans_obj));
7797 if (!trans)
7798 goto err_trans;
7799
7800 newobj = nft_obj_init(ctx, type, attr);
7801 if (IS_ERR(newobj)) {
7802 err = PTR_ERR(newobj);
7803 goto err_free_trans;
7804 }
7805
7806 nft_trans_obj(trans) = obj;
7807 nft_trans_obj_update(trans) = true;
7808 nft_trans_obj_newobj(trans) = newobj;
7809 nft_trans_commit_list_add_tail(ctx->net, trans);
7810
7811 return 0;
7812
7813 err_free_trans:
7814 kfree(trans);
7815 err_trans:
7816 module_put(type->owner);
7817 return err;
7818 }
7819
nf_tables_newobj(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])7820 static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
7821 const struct nlattr * const nla[])
7822 {
7823 struct netlink_ext_ack *extack = info->extack;
7824 u8 genmask = nft_genmask_next(info->net);
7825 u8 family = info->nfmsg->nfgen_family;
7826 const struct nft_object_type *type;
7827 struct net *net = info->net;
7828 struct nft_table *table;
7829 struct nft_object *obj;
7830 struct nft_ctx ctx;
7831 u32 objtype;
7832 int err;
7833
7834 if (!nla[NFTA_OBJ_TYPE] ||
7835 !nla[NFTA_OBJ_NAME] ||
7836 !nla[NFTA_OBJ_DATA])
7837 return -EINVAL;
7838
7839 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
7840 NETLINK_CB(skb).portid);
7841 if (IS_ERR(table)) {
7842 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
7843 return PTR_ERR(table);
7844 }
7845
7846 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7847 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
7848 if (IS_ERR(obj)) {
7849 err = PTR_ERR(obj);
7850 if (err != -ENOENT) {
7851 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7852 return err;
7853 }
7854 } else {
7855 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
7856 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7857 return -EEXIST;
7858 }
7859 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
7860 return -EOPNOTSUPP;
7861
7862 type = __nft_obj_type_get(objtype, family);
7863 if (WARN_ON_ONCE(!type))
7864 return -ENOENT;
7865
7866 if (!obj->ops->update)
7867 return 0;
7868
7869 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7870
7871 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
7872 }
7873
7874 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7875
7876 if (!nft_use_inc(&table->use))
7877 return -EMFILE;
7878
7879 type = nft_obj_type_get(net, objtype, family);
7880 if (IS_ERR(type)) {
7881 err = PTR_ERR(type);
7882 goto err_type;
7883 }
7884
7885 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
7886 if (IS_ERR(obj)) {
7887 err = PTR_ERR(obj);
7888 goto err_init;
7889 }
7890 obj->key.table = table;
7891 obj->handle = nf_tables_alloc_handle(table);
7892
7893 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT);
7894 if (!obj->key.name) {
7895 err = -ENOMEM;
7896 goto err_strdup;
7897 }
7898
7899 if (nla[NFTA_OBJ_USERDATA]) {
7900 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL_ACCOUNT);
7901 if (obj->udata == NULL)
7902 goto err_userdata;
7903
7904 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
7905 }
7906
7907 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
7908 if (err < 0)
7909 goto err_trans;
7910
7911 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
7912 nft_objname_ht_params);
7913 if (err < 0)
7914 goto err_obj_ht;
7915
7916 list_add_tail_rcu(&obj->list, &table->objects);
7917
7918 return 0;
7919 err_obj_ht:
7920 /* queued in transaction log */
7921 INIT_LIST_HEAD(&obj->list);
7922 return err;
7923 err_trans:
7924 kfree(obj->udata);
7925 err_userdata:
7926 kfree(obj->key.name);
7927 err_strdup:
7928 if (obj->ops->destroy)
7929 obj->ops->destroy(&ctx, obj);
7930 kfree(obj);
7931 err_init:
7932 module_put(type->owner);
7933 err_type:
7934 nft_use_dec_restore(&table->use);
7935
7936 return err;
7937 }
7938
nf_tables_fill_obj_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,struct nft_object * obj,bool reset)7939 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
7940 u32 portid, u32 seq, int event, u32 flags,
7941 int family, const struct nft_table *table,
7942 struct nft_object *obj, bool reset)
7943 {
7944 struct nlmsghdr *nlh;
7945
7946 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
7947 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
7948 NFNETLINK_V0, nft_base_seq(net));
7949 if (!nlh)
7950 goto nla_put_failure;
7951
7952 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
7953 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
7954 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
7955 NFTA_OBJ_PAD))
7956 goto nla_put_failure;
7957
7958 if (event == NFT_MSG_DELOBJ) {
7959 nlmsg_end(skb, nlh);
7960 return 0;
7961 }
7962
7963 if (nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
7964 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
7965 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
7966 goto nla_put_failure;
7967
7968 if (obj->udata &&
7969 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
7970 goto nla_put_failure;
7971
7972 nlmsg_end(skb, nlh);
7973 return 0;
7974
7975 nla_put_failure:
7976 nlmsg_trim(skb, nlh);
7977 return -1;
7978 }
7979
audit_log_obj_reset(const struct nft_table * table,unsigned int base_seq,unsigned int nentries)7980 static void audit_log_obj_reset(const struct nft_table *table,
7981 unsigned int base_seq, unsigned int nentries)
7982 {
7983 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq);
7984
7985 audit_log_nfcfg(buf, table->family, nentries,
7986 AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC);
7987 kfree(buf);
7988 }
7989
7990 struct nft_obj_dump_ctx {
7991 unsigned int s_idx;
7992 char *table;
7993 u32 type;
7994 bool reset;
7995 };
7996
nf_tables_dump_obj(struct sk_buff * skb,struct netlink_callback * cb)7997 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
7998 {
7999 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
8000 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
8001 struct net *net = sock_net(skb->sk);
8002 int family = nfmsg->nfgen_family;
8003 struct nftables_pernet *nft_net;
8004 const struct nft_table *table;
8005 unsigned int entries = 0;
8006 struct nft_object *obj;
8007 unsigned int idx = 0;
8008 int rc = 0;
8009
8010 rcu_read_lock();
8011 nft_net = nft_pernet(net);
8012 cb->seq = READ_ONCE(nft_net->base_seq);
8013
8014 list_for_each_entry_rcu(table, &nft_net->tables, list) {
8015 if (family != NFPROTO_UNSPEC && family != table->family)
8016 continue;
8017
8018 entries = 0;
8019 list_for_each_entry_rcu(obj, &table->objects, list) {
8020 if (!nft_is_active(net, obj))
8021 goto cont;
8022 if (idx < ctx->s_idx)
8023 goto cont;
8024 if (ctx->table && strcmp(ctx->table, table->name))
8025 goto cont;
8026 if (ctx->type != NFT_OBJECT_UNSPEC &&
8027 obj->ops->type->type != ctx->type)
8028 goto cont;
8029
8030 rc = nf_tables_fill_obj_info(skb, net,
8031 NETLINK_CB(cb->skb).portid,
8032 cb->nlh->nlmsg_seq,
8033 NFT_MSG_NEWOBJ,
8034 NLM_F_MULTI | NLM_F_APPEND,
8035 table->family, table,
8036 obj, ctx->reset);
8037 if (rc < 0)
8038 break;
8039
8040 entries++;
8041 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
8042 cont:
8043 idx++;
8044 }
8045 if (ctx->reset && entries)
8046 audit_log_obj_reset(table, nft_net->base_seq, entries);
8047 if (rc < 0)
8048 break;
8049 }
8050 rcu_read_unlock();
8051
8052 ctx->s_idx = idx;
8053 return skb->len;
8054 }
8055
nf_tables_dumpreset_obj(struct sk_buff * skb,struct netlink_callback * cb)8056 static int nf_tables_dumpreset_obj(struct sk_buff *skb,
8057 struct netlink_callback *cb)
8058 {
8059 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk));
8060 int ret;
8061
8062 mutex_lock(&nft_net->commit_mutex);
8063 ret = nf_tables_dump_obj(skb, cb);
8064 mutex_unlock(&nft_net->commit_mutex);
8065
8066 return ret;
8067 }
8068
nf_tables_dump_obj_start(struct netlink_callback * cb)8069 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
8070 {
8071 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
8072 const struct nlattr * const *nla = cb->data;
8073
8074 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));
8075
8076 if (nla[NFTA_OBJ_TABLE]) {
8077 ctx->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
8078 if (!ctx->table)
8079 return -ENOMEM;
8080 }
8081
8082 if (nla[NFTA_OBJ_TYPE])
8083 ctx->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8084
8085 return 0;
8086 }
8087
nf_tables_dumpreset_obj_start(struct netlink_callback * cb)8088 static int nf_tables_dumpreset_obj_start(struct netlink_callback *cb)
8089 {
8090 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
8091
8092 ctx->reset = true;
8093
8094 return nf_tables_dump_obj_start(cb);
8095 }
8096
nf_tables_dump_obj_done(struct netlink_callback * cb)8097 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
8098 {
8099 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
8100
8101 kfree(ctx->table);
8102
8103 return 0;
8104 }
8105
8106 /* called with rcu_read_lock held */
8107 static struct sk_buff *
nf_tables_getobj_single(u32 portid,const struct nfnl_info * info,const struct nlattr * const nla[],bool reset)8108 nf_tables_getobj_single(u32 portid, const struct nfnl_info *info,
8109 const struct nlattr * const nla[], bool reset)
8110 {
8111 struct netlink_ext_ack *extack = info->extack;
8112 u8 genmask = nft_genmask_cur(info->net);
8113 u8 family = info->nfmsg->nfgen_family;
8114 const struct nft_table *table;
8115 struct net *net = info->net;
8116 struct nft_object *obj;
8117 struct sk_buff *skb2;
8118 u32 objtype;
8119 int err;
8120
8121 if (!nla[NFTA_OBJ_NAME] ||
8122 !nla[NFTA_OBJ_TYPE])
8123 return ERR_PTR(-EINVAL);
8124
8125 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0);
8126 if (IS_ERR(table)) {
8127 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
8128 return ERR_CAST(table);
8129 }
8130
8131 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8132 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
8133 if (IS_ERR(obj)) {
8134 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
8135 return ERR_CAST(obj);
8136 }
8137
8138 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
8139 if (!skb2)
8140 return ERR_PTR(-ENOMEM);
8141
8142 err = nf_tables_fill_obj_info(skb2, net, portid,
8143 info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
8144 family, table, obj, reset);
8145 if (err < 0) {
8146 kfree_skb(skb2);
8147 return ERR_PTR(err);
8148 }
8149
8150 return skb2;
8151 }
8152
nf_tables_getobj(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8153 static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
8154 const struct nlattr * const nla[])
8155 {
8156 u32 portid = NETLINK_CB(skb).portid;
8157 struct sk_buff *skb2;
8158
8159 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
8160 struct netlink_dump_control c = {
8161 .start = nf_tables_dump_obj_start,
8162 .dump = nf_tables_dump_obj,
8163 .done = nf_tables_dump_obj_done,
8164 .module = THIS_MODULE,
8165 .data = (void *)nla,
8166 };
8167
8168 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
8169 }
8170
8171 skb2 = nf_tables_getobj_single(portid, info, nla, false);
8172 if (IS_ERR(skb2))
8173 return PTR_ERR(skb2);
8174
8175 return nfnetlink_unicast(skb2, info->net, portid);
8176 }
8177
nf_tables_getobj_reset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8178 static int nf_tables_getobj_reset(struct sk_buff *skb,
8179 const struct nfnl_info *info,
8180 const struct nlattr * const nla[])
8181 {
8182 struct nftables_pernet *nft_net = nft_pernet(info->net);
8183 u32 portid = NETLINK_CB(skb).portid;
8184 struct net *net = info->net;
8185 struct sk_buff *skb2;
8186 char *buf;
8187
8188 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
8189 struct netlink_dump_control c = {
8190 .start = nf_tables_dumpreset_obj_start,
8191 .dump = nf_tables_dumpreset_obj,
8192 .done = nf_tables_dump_obj_done,
8193 .module = THIS_MODULE,
8194 .data = (void *)nla,
8195 };
8196
8197 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
8198 }
8199
8200 if (!try_module_get(THIS_MODULE))
8201 return -EINVAL;
8202 rcu_read_unlock();
8203 mutex_lock(&nft_net->commit_mutex);
8204 skb2 = nf_tables_getobj_single(portid, info, nla, true);
8205 mutex_unlock(&nft_net->commit_mutex);
8206 rcu_read_lock();
8207 module_put(THIS_MODULE);
8208
8209 if (IS_ERR(skb2))
8210 return PTR_ERR(skb2);
8211
8212 buf = kasprintf(GFP_ATOMIC, "%.*s:%u",
8213 nla_len(nla[NFTA_OBJ_TABLE]),
8214 (char *)nla_data(nla[NFTA_OBJ_TABLE]),
8215 nft_net->base_seq);
8216 audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1,
8217 AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC);
8218 kfree(buf);
8219
8220 return nfnetlink_unicast(skb2, net, portid);
8221 }
8222
nft_obj_destroy(const struct nft_ctx * ctx,struct nft_object * obj)8223 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
8224 {
8225 if (obj->ops->destroy)
8226 obj->ops->destroy(ctx, obj);
8227
8228 module_put(obj->ops->type->owner);
8229 kfree(obj->key.name);
8230 kfree(obj->udata);
8231 kfree(obj);
8232 }
8233
nf_tables_delobj(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8234 static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info,
8235 const struct nlattr * const nla[])
8236 {
8237 struct netlink_ext_ack *extack = info->extack;
8238 u8 genmask = nft_genmask_next(info->net);
8239 u8 family = info->nfmsg->nfgen_family;
8240 struct net *net = info->net;
8241 const struct nlattr *attr;
8242 struct nft_table *table;
8243 struct nft_object *obj;
8244 struct nft_ctx ctx;
8245 u32 objtype;
8246
8247 if (!nla[NFTA_OBJ_TYPE] ||
8248 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
8249 return -EINVAL;
8250
8251 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
8252 NETLINK_CB(skb).portid);
8253 if (IS_ERR(table)) {
8254 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
8255 return PTR_ERR(table);
8256 }
8257
8258 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8259 if (nla[NFTA_OBJ_HANDLE]) {
8260 attr = nla[NFTA_OBJ_HANDLE];
8261 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
8262 } else {
8263 attr = nla[NFTA_OBJ_NAME];
8264 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
8265 }
8266
8267 if (IS_ERR(obj)) {
8268 if (PTR_ERR(obj) == -ENOENT &&
8269 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYOBJ)
8270 return 0;
8271
8272 NL_SET_BAD_ATTR(extack, attr);
8273 return PTR_ERR(obj);
8274 }
8275 if (obj->use > 0) {
8276 NL_SET_BAD_ATTR(extack, attr);
8277 return -EBUSY;
8278 }
8279
8280 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8281
8282 return nft_delobj(&ctx, obj);
8283 }
8284
8285 static void
__nft_obj_notify(struct net * net,const struct nft_table * table,struct nft_object * obj,u32 portid,u32 seq,int event,u16 flags,int family,int report,gfp_t gfp)8286 __nft_obj_notify(struct net *net, const struct nft_table *table,
8287 struct nft_object *obj, u32 portid, u32 seq, int event,
8288 u16 flags, int family, int report, gfp_t gfp)
8289 {
8290 struct nftables_pernet *nft_net = nft_pernet(net);
8291 struct sk_buff *skb;
8292 int err;
8293
8294 if (!report &&
8295 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
8296 return;
8297
8298 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
8299 if (skb == NULL)
8300 goto err;
8301
8302 err = nf_tables_fill_obj_info(skb, net, portid, seq, event,
8303 flags & (NLM_F_CREATE | NLM_F_EXCL),
8304 family, table, obj, false);
8305 if (err < 0) {
8306 kfree_skb(skb);
8307 goto err;
8308 }
8309
8310 nft_notify_enqueue(skb, report, &nft_net->notify_list);
8311 return;
8312 err:
8313 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
8314 }
8315
nft_obj_notify(struct net * net,const struct nft_table * table,struct nft_object * obj,u32 portid,u32 seq,int event,u16 flags,int family,int report,gfp_t gfp)8316 void nft_obj_notify(struct net *net, const struct nft_table *table,
8317 struct nft_object *obj, u32 portid, u32 seq, int event,
8318 u16 flags, int family, int report, gfp_t gfp)
8319 {
8320 struct nftables_pernet *nft_net = nft_pernet(net);
8321 char *buf = kasprintf(gfp, "%s:%u",
8322 table->name, nft_net->base_seq);
8323
8324 audit_log_nfcfg(buf,
8325 family,
8326 obj->handle,
8327 event == NFT_MSG_NEWOBJ ?
8328 AUDIT_NFT_OP_OBJ_REGISTER :
8329 AUDIT_NFT_OP_OBJ_UNREGISTER,
8330 gfp);
8331 kfree(buf);
8332
8333 __nft_obj_notify(net, table, obj, portid, seq, event,
8334 flags, family, report, gfp);
8335 }
8336 EXPORT_SYMBOL_GPL(nft_obj_notify);
8337
nf_tables_obj_notify(const struct nft_ctx * ctx,struct nft_object * obj,int event)8338 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
8339 struct nft_object *obj, int event)
8340 {
8341 __nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid,
8342 ctx->seq, event, ctx->flags, ctx->family,
8343 ctx->report, GFP_KERNEL);
8344 }
8345
8346 /*
8347 * Flow tables
8348 */
nft_register_flowtable_type(struct nf_flowtable_type * type)8349 void nft_register_flowtable_type(struct nf_flowtable_type *type)
8350 {
8351 nfnl_lock(NFNL_SUBSYS_NFTABLES);
8352 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
8353 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
8354 }
8355 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
8356
nft_unregister_flowtable_type(struct nf_flowtable_type * type)8357 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
8358 {
8359 nfnl_lock(NFNL_SUBSYS_NFTABLES);
8360 list_del_rcu(&type->list);
8361 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
8362 }
8363 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
8364
8365 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
8366 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
8367 .len = NFT_NAME_MAXLEN - 1 },
8368 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
8369 .len = NFT_NAME_MAXLEN - 1 },
8370 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
8371 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
8372 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
8373 };
8374
nft_flowtable_lookup(const struct nft_table * table,const struct nlattr * nla,u8 genmask)8375 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
8376 const struct nlattr *nla, u8 genmask)
8377 {
8378 struct nft_flowtable *flowtable;
8379
8380 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
8381 if (!nla_strcmp(nla, flowtable->name) &&
8382 nft_active_genmask(flowtable, genmask))
8383 return flowtable;
8384 }
8385 return ERR_PTR(-ENOENT);
8386 }
8387 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
8388
nf_tables_deactivate_flowtable(const struct nft_ctx * ctx,struct nft_flowtable * flowtable,enum nft_trans_phase phase)8389 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
8390 struct nft_flowtable *flowtable,
8391 enum nft_trans_phase phase)
8392 {
8393 switch (phase) {
8394 case NFT_TRANS_PREPARE_ERROR:
8395 case NFT_TRANS_PREPARE:
8396 case NFT_TRANS_ABORT:
8397 case NFT_TRANS_RELEASE:
8398 nft_use_dec(&flowtable->use);
8399 fallthrough;
8400 default:
8401 return;
8402 }
8403 }
8404 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
8405
8406 static struct nft_flowtable *
nft_flowtable_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u8 genmask)8407 nft_flowtable_lookup_byhandle(const struct nft_table *table,
8408 const struct nlattr *nla, u8 genmask)
8409 {
8410 struct nft_flowtable *flowtable;
8411
8412 list_for_each_entry(flowtable, &table->flowtables, list) {
8413 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
8414 nft_active_genmask(flowtable, genmask))
8415 return flowtable;
8416 }
8417 return ERR_PTR(-ENOENT);
8418 }
8419
8420 struct nft_flowtable_hook {
8421 u32 num;
8422 int priority;
8423 struct list_head list;
8424 };
8425
8426 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
8427 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
8428 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
8429 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
8430 };
8431
nft_flowtable_parse_hook(const struct nft_ctx * ctx,const struct nlattr * const nla[],struct nft_flowtable_hook * flowtable_hook,struct nft_flowtable * flowtable,struct netlink_ext_ack * extack,bool add)8432 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
8433 const struct nlattr * const nla[],
8434 struct nft_flowtable_hook *flowtable_hook,
8435 struct nft_flowtable *flowtable,
8436 struct netlink_ext_ack *extack, bool add)
8437 {
8438 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
8439 struct nft_hook *hook;
8440 int hooknum, priority;
8441 int err;
8442
8443 INIT_LIST_HEAD(&flowtable_hook->list);
8444
8445 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX,
8446 nla[NFTA_FLOWTABLE_HOOK],
8447 nft_flowtable_hook_policy, NULL);
8448 if (err < 0)
8449 return err;
8450
8451 if (add) {
8452 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
8453 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
8454 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8455 return -ENOENT;
8456 }
8457
8458 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
8459 if (hooknum != NF_NETDEV_INGRESS)
8460 return -EOPNOTSUPP;
8461
8462 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
8463
8464 flowtable_hook->priority = priority;
8465 flowtable_hook->num = hooknum;
8466 } else {
8467 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
8468 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
8469 if (hooknum != flowtable->hooknum)
8470 return -EOPNOTSUPP;
8471 }
8472
8473 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
8474 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
8475 if (priority != flowtable->data.priority)
8476 return -EOPNOTSUPP;
8477 }
8478
8479 flowtable_hook->priority = flowtable->data.priority;
8480 flowtable_hook->num = flowtable->hooknum;
8481 }
8482
8483 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
8484 err = nf_tables_parse_netdev_hooks(ctx->net,
8485 tb[NFTA_FLOWTABLE_HOOK_DEVS],
8486 &flowtable_hook->list,
8487 extack);
8488 if (err < 0)
8489 return err;
8490 }
8491
8492 list_for_each_entry(hook, &flowtable_hook->list, list) {
8493 hook->ops.pf = NFPROTO_NETDEV;
8494 hook->ops.hooknum = flowtable_hook->num;
8495 hook->ops.priority = flowtable_hook->priority;
8496 hook->ops.priv = &flowtable->data;
8497 hook->ops.hook = flowtable->data.type->hook;
8498 }
8499
8500 return err;
8501 }
8502
8503 /* call under rcu_read_lock */
__nft_flowtable_type_get(u8 family)8504 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
8505 {
8506 const struct nf_flowtable_type *type;
8507
8508 list_for_each_entry_rcu(type, &nf_tables_flowtables, list) {
8509 if (family == type->family)
8510 return type;
8511 }
8512 return NULL;
8513 }
8514
8515 static const struct nf_flowtable_type *
nft_flowtable_type_get(struct net * net,u8 family)8516 nft_flowtable_type_get(struct net *net, u8 family)
8517 {
8518 const struct nf_flowtable_type *type;
8519
8520 rcu_read_lock();
8521 type = __nft_flowtable_type_get(family);
8522 if (type != NULL && try_module_get(type->owner)) {
8523 rcu_read_unlock();
8524 return type;
8525 }
8526 rcu_read_unlock();
8527
8528 lockdep_nfnl_nft_mutex_not_held();
8529 #ifdef CONFIG_MODULES
8530 if (type == NULL) {
8531 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
8532 return ERR_PTR(-EAGAIN);
8533 }
8534 #endif
8535 return ERR_PTR(-ENOENT);
8536 }
8537
8538 /* Only called from error and netdev event paths. */
nft_unregister_flowtable_hook(struct net * net,struct nft_flowtable * flowtable,struct nft_hook * hook)8539 static void nft_unregister_flowtable_hook(struct net *net,
8540 struct nft_flowtable *flowtable,
8541 struct nft_hook *hook)
8542 {
8543 nf_unregister_net_hook(net, &hook->ops);
8544 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
8545 FLOW_BLOCK_UNBIND);
8546 }
8547
__nft_unregister_flowtable_net_hooks(struct net * net,struct list_head * hook_list,bool release_netdev)8548 static void __nft_unregister_flowtable_net_hooks(struct net *net,
8549 struct list_head *hook_list,
8550 bool release_netdev)
8551 {
8552 struct nft_hook *hook, *next;
8553
8554 list_for_each_entry_safe(hook, next, hook_list, list) {
8555 nf_unregister_net_hook(net, &hook->ops);
8556 if (release_netdev) {
8557 list_del(&hook->list);
8558 kfree_rcu(hook, rcu);
8559 }
8560 }
8561 }
8562
nft_unregister_flowtable_net_hooks(struct net * net,struct list_head * hook_list)8563 static void nft_unregister_flowtable_net_hooks(struct net *net,
8564 struct list_head *hook_list)
8565 {
8566 __nft_unregister_flowtable_net_hooks(net, hook_list, false);
8567 }
8568
nft_register_flowtable_net_hooks(struct net * net,struct nft_table * table,struct list_head * hook_list,struct nft_flowtable * flowtable)8569 static int nft_register_flowtable_net_hooks(struct net *net,
8570 struct nft_table *table,
8571 struct list_head *hook_list,
8572 struct nft_flowtable *flowtable)
8573 {
8574 struct nft_hook *hook, *hook2, *next;
8575 struct nft_flowtable *ft;
8576 int err, i = 0;
8577
8578 list_for_each_entry(hook, hook_list, list) {
8579 list_for_each_entry(ft, &table->flowtables, list) {
8580 if (!nft_is_active_next(net, ft))
8581 continue;
8582
8583 list_for_each_entry(hook2, &ft->hook_list, list) {
8584 if (hook->ops.dev == hook2->ops.dev &&
8585 hook->ops.pf == hook2->ops.pf) {
8586 err = -EEXIST;
8587 goto err_unregister_net_hooks;
8588 }
8589 }
8590 }
8591
8592 err = flowtable->data.type->setup(&flowtable->data,
8593 hook->ops.dev,
8594 FLOW_BLOCK_BIND);
8595 if (err < 0)
8596 goto err_unregister_net_hooks;
8597
8598 err = nf_register_net_hook(net, &hook->ops);
8599 if (err < 0) {
8600 flowtable->data.type->setup(&flowtable->data,
8601 hook->ops.dev,
8602 FLOW_BLOCK_UNBIND);
8603 goto err_unregister_net_hooks;
8604 }
8605
8606 i++;
8607 }
8608
8609 return 0;
8610
8611 err_unregister_net_hooks:
8612 list_for_each_entry_safe(hook, next, hook_list, list) {
8613 if (i-- <= 0)
8614 break;
8615
8616 nft_unregister_flowtable_hook(net, flowtable, hook);
8617 list_del_rcu(&hook->list);
8618 kfree_rcu(hook, rcu);
8619 }
8620
8621 return err;
8622 }
8623
nft_hooks_destroy(struct list_head * hook_list)8624 static void nft_hooks_destroy(struct list_head *hook_list)
8625 {
8626 struct nft_hook *hook, *next;
8627
8628 list_for_each_entry_safe(hook, next, hook_list, list) {
8629 list_del_rcu(&hook->list);
8630 kfree_rcu(hook, rcu);
8631 }
8632 }
8633
nft_flowtable_update(struct nft_ctx * ctx,const struct nlmsghdr * nlh,struct nft_flowtable * flowtable,struct netlink_ext_ack * extack)8634 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
8635 struct nft_flowtable *flowtable,
8636 struct netlink_ext_ack *extack)
8637 {
8638 const struct nlattr * const *nla = ctx->nla;
8639 struct nft_flowtable_hook flowtable_hook;
8640 struct nft_hook *hook, *next;
8641 struct nft_trans *trans;
8642 bool unregister = false;
8643 u32 flags;
8644 int err;
8645
8646 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
8647 extack, false);
8648 if (err < 0)
8649 return err;
8650
8651 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
8652 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
8653 list_del(&hook->list);
8654 kfree(hook);
8655 }
8656 }
8657
8658 if (nla[NFTA_FLOWTABLE_FLAGS]) {
8659 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
8660 if (flags & ~NFT_FLOWTABLE_MASK) {
8661 err = -EOPNOTSUPP;
8662 goto err_flowtable_update_hook;
8663 }
8664 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^
8665 (flags & NFT_FLOWTABLE_HW_OFFLOAD)) {
8666 err = -EOPNOTSUPP;
8667 goto err_flowtable_update_hook;
8668 }
8669 } else {
8670 flags = flowtable->data.flags;
8671 }
8672
8673 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
8674 &flowtable_hook.list, flowtable);
8675 if (err < 0)
8676 goto err_flowtable_update_hook;
8677
8678 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
8679 sizeof(struct nft_trans_flowtable));
8680 if (!trans) {
8681 unregister = true;
8682 err = -ENOMEM;
8683 goto err_flowtable_update_hook;
8684 }
8685
8686 nft_trans_flowtable_flags(trans) = flags;
8687 nft_trans_flowtable(trans) = flowtable;
8688 nft_trans_flowtable_update(trans) = true;
8689 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
8690 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
8691
8692 nft_trans_commit_list_add_tail(ctx->net, trans);
8693
8694 return 0;
8695
8696 err_flowtable_update_hook:
8697 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
8698 if (unregister)
8699 nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
8700 list_del_rcu(&hook->list);
8701 kfree_rcu(hook, rcu);
8702 }
8703
8704 return err;
8705
8706 }
8707
nf_tables_newflowtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8708 static int nf_tables_newflowtable(struct sk_buff *skb,
8709 const struct nfnl_info *info,
8710 const struct nlattr * const nla[])
8711 {
8712 struct netlink_ext_ack *extack = info->extack;
8713 struct nft_flowtable_hook flowtable_hook;
8714 u8 genmask = nft_genmask_next(info->net);
8715 u8 family = info->nfmsg->nfgen_family;
8716 const struct nf_flowtable_type *type;
8717 struct nft_flowtable *flowtable;
8718 struct net *net = info->net;
8719 struct nft_table *table;
8720 struct nft_trans *trans;
8721 struct nft_ctx ctx;
8722 int err;
8723
8724 if (!nla[NFTA_FLOWTABLE_TABLE] ||
8725 !nla[NFTA_FLOWTABLE_NAME] ||
8726 !nla[NFTA_FLOWTABLE_HOOK])
8727 return -EINVAL;
8728
8729 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8730 genmask, NETLINK_CB(skb).portid);
8731 if (IS_ERR(table)) {
8732 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8733 return PTR_ERR(table);
8734 }
8735
8736 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
8737 genmask);
8738 if (IS_ERR(flowtable)) {
8739 err = PTR_ERR(flowtable);
8740 if (err != -ENOENT) {
8741 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8742 return err;
8743 }
8744 } else {
8745 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
8746 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8747 return -EEXIST;
8748 }
8749
8750 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8751
8752 return nft_flowtable_update(&ctx, info->nlh, flowtable, extack);
8753 }
8754
8755 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8756
8757 if (!nft_use_inc(&table->use))
8758 return -EMFILE;
8759
8760 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL_ACCOUNT);
8761 if (!flowtable) {
8762 err = -ENOMEM;
8763 goto flowtable_alloc;
8764 }
8765
8766 flowtable->table = table;
8767 flowtable->handle = nf_tables_alloc_handle(table);
8768 INIT_LIST_HEAD(&flowtable->hook_list);
8769
8770 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL_ACCOUNT);
8771 if (!flowtable->name) {
8772 err = -ENOMEM;
8773 goto err1;
8774 }
8775
8776 type = nft_flowtable_type_get(net, family);
8777 if (IS_ERR(type)) {
8778 err = PTR_ERR(type);
8779 goto err2;
8780 }
8781
8782 if (nla[NFTA_FLOWTABLE_FLAGS]) {
8783 flowtable->data.flags =
8784 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
8785 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) {
8786 err = -EOPNOTSUPP;
8787 goto err3;
8788 }
8789 }
8790
8791 write_pnet(&flowtable->data.net, net);
8792 flowtable->data.type = type;
8793 err = type->init(&flowtable->data);
8794 if (err < 0)
8795 goto err3;
8796
8797 err = nft_flowtable_parse_hook(&ctx, nla, &flowtable_hook, flowtable,
8798 extack, true);
8799 if (err < 0)
8800 goto err_flowtable_parse_hooks;
8801
8802 list_splice(&flowtable_hook.list, &flowtable->hook_list);
8803 flowtable->data.priority = flowtable_hook.priority;
8804 flowtable->hooknum = flowtable_hook.num;
8805
8806 trans = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
8807 if (IS_ERR(trans)) {
8808 err = PTR_ERR(trans);
8809 goto err_flowtable_trans;
8810 }
8811
8812 /* This must be LAST to ensure no packets are walking over this flowtable. */
8813 err = nft_register_flowtable_net_hooks(ctx.net, table,
8814 &flowtable->hook_list,
8815 flowtable);
8816 if (err < 0)
8817 goto err_flowtable_hooks;
8818
8819 list_add_tail_rcu(&flowtable->list, &table->flowtables);
8820
8821 return 0;
8822
8823 err_flowtable_hooks:
8824 nft_trans_destroy(trans);
8825 err_flowtable_trans:
8826 nft_hooks_destroy(&flowtable->hook_list);
8827 err_flowtable_parse_hooks:
8828 flowtable->data.type->free(&flowtable->data);
8829 err3:
8830 module_put(type->owner);
8831 err2:
8832 kfree(flowtable->name);
8833 err1:
8834 kfree(flowtable);
8835 flowtable_alloc:
8836 nft_use_dec_restore(&table->use);
8837
8838 return err;
8839 }
8840
nft_flowtable_hook_release(struct nft_flowtable_hook * flowtable_hook)8841 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
8842 {
8843 struct nft_hook *this, *next;
8844
8845 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
8846 list_del(&this->list);
8847 kfree(this);
8848 }
8849 }
8850
nft_delflowtable_hook(struct nft_ctx * ctx,struct nft_flowtable * flowtable,struct netlink_ext_ack * extack)8851 static int nft_delflowtable_hook(struct nft_ctx *ctx,
8852 struct nft_flowtable *flowtable,
8853 struct netlink_ext_ack *extack)
8854 {
8855 const struct nlattr * const *nla = ctx->nla;
8856 struct nft_flowtable_hook flowtable_hook;
8857 LIST_HEAD(flowtable_del_list);
8858 struct nft_hook *this, *hook;
8859 struct nft_trans *trans;
8860 int err;
8861
8862 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
8863 extack, false);
8864 if (err < 0)
8865 return err;
8866
8867 list_for_each_entry(this, &flowtable_hook.list, list) {
8868 hook = nft_hook_list_find(&flowtable->hook_list, this);
8869 if (!hook) {
8870 err = -ENOENT;
8871 goto err_flowtable_del_hook;
8872 }
8873 list_move(&hook->list, &flowtable_del_list);
8874 }
8875
8876 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
8877 sizeof(struct nft_trans_flowtable));
8878 if (!trans) {
8879 err = -ENOMEM;
8880 goto err_flowtable_del_hook;
8881 }
8882
8883 nft_trans_flowtable(trans) = flowtable;
8884 nft_trans_flowtable_update(trans) = true;
8885 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
8886 list_splice(&flowtable_del_list, &nft_trans_flowtable_hooks(trans));
8887 nft_flowtable_hook_release(&flowtable_hook);
8888
8889 nft_trans_commit_list_add_tail(ctx->net, trans);
8890
8891 return 0;
8892
8893 err_flowtable_del_hook:
8894 list_splice(&flowtable_del_list, &flowtable->hook_list);
8895 nft_flowtable_hook_release(&flowtable_hook);
8896
8897 return err;
8898 }
8899
nf_tables_delflowtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8900 static int nf_tables_delflowtable(struct sk_buff *skb,
8901 const struct nfnl_info *info,
8902 const struct nlattr * const nla[])
8903 {
8904 struct netlink_ext_ack *extack = info->extack;
8905 u8 genmask = nft_genmask_next(info->net);
8906 u8 family = info->nfmsg->nfgen_family;
8907 struct nft_flowtable *flowtable;
8908 struct net *net = info->net;
8909 const struct nlattr *attr;
8910 struct nft_table *table;
8911 struct nft_ctx ctx;
8912
8913 if (!nla[NFTA_FLOWTABLE_TABLE] ||
8914 (!nla[NFTA_FLOWTABLE_NAME] &&
8915 !nla[NFTA_FLOWTABLE_HANDLE]))
8916 return -EINVAL;
8917
8918 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8919 genmask, NETLINK_CB(skb).portid);
8920 if (IS_ERR(table)) {
8921 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8922 return PTR_ERR(table);
8923 }
8924
8925 if (nla[NFTA_FLOWTABLE_HANDLE]) {
8926 attr = nla[NFTA_FLOWTABLE_HANDLE];
8927 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
8928 } else {
8929 attr = nla[NFTA_FLOWTABLE_NAME];
8930 flowtable = nft_flowtable_lookup(table, attr, genmask);
8931 }
8932
8933 if (IS_ERR(flowtable)) {
8934 if (PTR_ERR(flowtable) == -ENOENT &&
8935 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYFLOWTABLE)
8936 return 0;
8937
8938 NL_SET_BAD_ATTR(extack, attr);
8939 return PTR_ERR(flowtable);
8940 }
8941
8942 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8943
8944 if (nla[NFTA_FLOWTABLE_HOOK])
8945 return nft_delflowtable_hook(&ctx, flowtable, extack);
8946
8947 if (flowtable->use > 0) {
8948 NL_SET_BAD_ATTR(extack, attr);
8949 return -EBUSY;
8950 }
8951
8952 return nft_delflowtable(&ctx, flowtable);
8953 }
8954
nf_tables_fill_flowtable_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,struct nft_flowtable * flowtable,struct list_head * hook_list)8955 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
8956 u32 portid, u32 seq, int event,
8957 u32 flags, int family,
8958 struct nft_flowtable *flowtable,
8959 struct list_head *hook_list)
8960 {
8961 struct nlattr *nest, *nest_devs;
8962 struct nft_hook *hook;
8963 struct nlmsghdr *nlh;
8964
8965 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
8966 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
8967 NFNETLINK_V0, nft_base_seq(net));
8968 if (!nlh)
8969 goto nla_put_failure;
8970
8971 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
8972 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
8973 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
8974 NFTA_FLOWTABLE_PAD))
8975 goto nla_put_failure;
8976
8977 if (event == NFT_MSG_DELFLOWTABLE && !hook_list) {
8978 nlmsg_end(skb, nlh);
8979 return 0;
8980 }
8981
8982 if (nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
8983 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
8984 goto nla_put_failure;
8985
8986 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
8987 if (!nest)
8988 goto nla_put_failure;
8989 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
8990 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
8991 goto nla_put_failure;
8992
8993 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
8994 if (!nest_devs)
8995 goto nla_put_failure;
8996
8997 if (!hook_list)
8998 hook_list = &flowtable->hook_list;
8999
9000 list_for_each_entry_rcu(hook, hook_list, list) {
9001 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
9002 goto nla_put_failure;
9003 }
9004 nla_nest_end(skb, nest_devs);
9005 nla_nest_end(skb, nest);
9006
9007 nlmsg_end(skb, nlh);
9008 return 0;
9009
9010 nla_put_failure:
9011 nlmsg_trim(skb, nlh);
9012 return -1;
9013 }
9014
9015 struct nft_flowtable_filter {
9016 char *table;
9017 };
9018
nf_tables_dump_flowtable(struct sk_buff * skb,struct netlink_callback * cb)9019 static int nf_tables_dump_flowtable(struct sk_buff *skb,
9020 struct netlink_callback *cb)
9021 {
9022 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
9023 struct nft_flowtable_filter *filter = cb->data;
9024 unsigned int idx = 0, s_idx = cb->args[0];
9025 struct net *net = sock_net(skb->sk);
9026 int family = nfmsg->nfgen_family;
9027 struct nft_flowtable *flowtable;
9028 struct nftables_pernet *nft_net;
9029 const struct nft_table *table;
9030
9031 rcu_read_lock();
9032 nft_net = nft_pernet(net);
9033 cb->seq = READ_ONCE(nft_net->base_seq);
9034
9035 list_for_each_entry_rcu(table, &nft_net->tables, list) {
9036 if (family != NFPROTO_UNSPEC && family != table->family)
9037 continue;
9038
9039 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
9040 if (!nft_is_active(net, flowtable))
9041 goto cont;
9042 if (idx < s_idx)
9043 goto cont;
9044 if (idx > s_idx)
9045 memset(&cb->args[1], 0,
9046 sizeof(cb->args) - sizeof(cb->args[0]));
9047 if (filter && filter->table &&
9048 strcmp(filter->table, table->name))
9049 goto cont;
9050
9051 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
9052 cb->nlh->nlmsg_seq,
9053 NFT_MSG_NEWFLOWTABLE,
9054 NLM_F_MULTI | NLM_F_APPEND,
9055 table->family,
9056 flowtable, NULL) < 0)
9057 goto done;
9058
9059 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
9060 cont:
9061 idx++;
9062 }
9063 }
9064 done:
9065 rcu_read_unlock();
9066
9067 cb->args[0] = idx;
9068 return skb->len;
9069 }
9070
nf_tables_dump_flowtable_start(struct netlink_callback * cb)9071 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
9072 {
9073 const struct nlattr * const *nla = cb->data;
9074 struct nft_flowtable_filter *filter = NULL;
9075
9076 if (nla[NFTA_FLOWTABLE_TABLE]) {
9077 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
9078 if (!filter)
9079 return -ENOMEM;
9080
9081 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
9082 GFP_ATOMIC);
9083 if (!filter->table) {
9084 kfree(filter);
9085 return -ENOMEM;
9086 }
9087 }
9088
9089 cb->data = filter;
9090 return 0;
9091 }
9092
nf_tables_dump_flowtable_done(struct netlink_callback * cb)9093 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
9094 {
9095 struct nft_flowtable_filter *filter = cb->data;
9096
9097 if (!filter)
9098 return 0;
9099
9100 kfree(filter->table);
9101 kfree(filter);
9102
9103 return 0;
9104 }
9105
9106 /* called with rcu_read_lock held */
nf_tables_getflowtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])9107 static int nf_tables_getflowtable(struct sk_buff *skb,
9108 const struct nfnl_info *info,
9109 const struct nlattr * const nla[])
9110 {
9111 struct netlink_ext_ack *extack = info->extack;
9112 u8 genmask = nft_genmask_cur(info->net);
9113 u8 family = info->nfmsg->nfgen_family;
9114 struct nft_flowtable *flowtable;
9115 const struct nft_table *table;
9116 struct net *net = info->net;
9117 struct sk_buff *skb2;
9118 int err;
9119
9120 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
9121 struct netlink_dump_control c = {
9122 .start = nf_tables_dump_flowtable_start,
9123 .dump = nf_tables_dump_flowtable,
9124 .done = nf_tables_dump_flowtable_done,
9125 .module = THIS_MODULE,
9126 .data = (void *)nla,
9127 };
9128
9129 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
9130 }
9131
9132 if (!nla[NFTA_FLOWTABLE_NAME])
9133 return -EINVAL;
9134
9135 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
9136 genmask, 0);
9137 if (IS_ERR(table)) {
9138 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
9139 return PTR_ERR(table);
9140 }
9141
9142 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
9143 genmask);
9144 if (IS_ERR(flowtable)) {
9145 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
9146 return PTR_ERR(flowtable);
9147 }
9148
9149 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
9150 if (!skb2)
9151 return -ENOMEM;
9152
9153 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
9154 info->nlh->nlmsg_seq,
9155 NFT_MSG_NEWFLOWTABLE, 0, family,
9156 flowtable, NULL);
9157 if (err < 0)
9158 goto err_fill_flowtable_info;
9159
9160 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
9161
9162 err_fill_flowtable_info:
9163 kfree_skb(skb2);
9164 return err;
9165 }
9166
nf_tables_flowtable_notify(struct nft_ctx * ctx,struct nft_flowtable * flowtable,struct list_head * hook_list,int event)9167 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
9168 struct nft_flowtable *flowtable,
9169 struct list_head *hook_list, int event)
9170 {
9171 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
9172 struct sk_buff *skb;
9173 u16 flags = 0;
9174 int err;
9175
9176 if (!ctx->report &&
9177 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
9178 return;
9179
9180 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
9181 if (skb == NULL)
9182 goto err;
9183
9184 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
9185 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
9186
9187 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
9188 ctx->seq, event, flags,
9189 ctx->family, flowtable, hook_list);
9190 if (err < 0) {
9191 kfree_skb(skb);
9192 goto err;
9193 }
9194
9195 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
9196 return;
9197 err:
9198 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
9199 }
9200
nf_tables_flowtable_destroy(struct nft_flowtable * flowtable)9201 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
9202 {
9203 struct nft_hook *hook, *next;
9204
9205 flowtable->data.type->free(&flowtable->data);
9206 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
9207 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
9208 FLOW_BLOCK_UNBIND);
9209 list_del_rcu(&hook->list);
9210 kfree_rcu(hook, rcu);
9211 }
9212 kfree(flowtable->name);
9213 module_put(flowtable->data.type->owner);
9214 kfree(flowtable);
9215 }
9216
nf_tables_fill_gen_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq)9217 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
9218 u32 portid, u32 seq)
9219 {
9220 struct nftables_pernet *nft_net = nft_pernet(net);
9221 struct nlmsghdr *nlh;
9222 char buf[TASK_COMM_LEN];
9223 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
9224
9225 nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC,
9226 NFNETLINK_V0, nft_base_seq(net));
9227 if (!nlh)
9228 goto nla_put_failure;
9229
9230 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) ||
9231 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
9232 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
9233 goto nla_put_failure;
9234
9235 nlmsg_end(skb, nlh);
9236 return 0;
9237
9238 nla_put_failure:
9239 nlmsg_trim(skb, nlh);
9240 return -EMSGSIZE;
9241 }
9242
nft_flowtable_event(unsigned long event,struct net_device * dev,struct nft_flowtable * flowtable)9243 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
9244 struct nft_flowtable *flowtable)
9245 {
9246 struct nft_hook *hook;
9247
9248 list_for_each_entry(hook, &flowtable->hook_list, list) {
9249 if (hook->ops.dev != dev)
9250 continue;
9251
9252 /* flow_offload_netdev_event() cleans up entries for us. */
9253 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
9254 list_del_rcu(&hook->list);
9255 kfree_rcu(hook, rcu);
9256 break;
9257 }
9258 }
9259
nf_tables_flowtable_event(struct notifier_block * this,unsigned long event,void * ptr)9260 static int nf_tables_flowtable_event(struct notifier_block *this,
9261 unsigned long event, void *ptr)
9262 {
9263 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
9264 struct nft_flowtable *flowtable;
9265 struct nftables_pernet *nft_net;
9266 struct nft_table *table;
9267 struct net *net;
9268
9269 if (event != NETDEV_UNREGISTER)
9270 return 0;
9271
9272 net = dev_net(dev);
9273 nft_net = nft_pernet(net);
9274 mutex_lock(&nft_net->commit_mutex);
9275 list_for_each_entry(table, &nft_net->tables, list) {
9276 list_for_each_entry(flowtable, &table->flowtables, list) {
9277 nft_flowtable_event(event, dev, flowtable);
9278 }
9279 }
9280 mutex_unlock(&nft_net->commit_mutex);
9281
9282 return NOTIFY_DONE;
9283 }
9284
9285 static struct notifier_block nf_tables_flowtable_notifier = {
9286 .notifier_call = nf_tables_flowtable_event,
9287 };
9288
nf_tables_gen_notify(struct net * net,struct sk_buff * skb,int event)9289 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
9290 int event)
9291 {
9292 struct nlmsghdr *nlh = nlmsg_hdr(skb);
9293 struct sk_buff *skb2;
9294 int err;
9295
9296 if (!nlmsg_report(nlh) &&
9297 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
9298 return;
9299
9300 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
9301 if (skb2 == NULL)
9302 goto err;
9303
9304 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
9305 nlh->nlmsg_seq);
9306 if (err < 0) {
9307 kfree_skb(skb2);
9308 goto err;
9309 }
9310
9311 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
9312 nlmsg_report(nlh), GFP_KERNEL);
9313 return;
9314 err:
9315 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
9316 -ENOBUFS);
9317 }
9318
nf_tables_getgen(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])9319 static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info,
9320 const struct nlattr * const nla[])
9321 {
9322 struct sk_buff *skb2;
9323 int err;
9324
9325 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
9326 if (skb2 == NULL)
9327 return -ENOMEM;
9328
9329 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid,
9330 info->nlh->nlmsg_seq);
9331 if (err < 0)
9332 goto err_fill_gen_info;
9333
9334 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
9335
9336 err_fill_gen_info:
9337 kfree_skb(skb2);
9338 return err;
9339 }
9340
9341 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
9342 [NFT_MSG_NEWTABLE] = {
9343 .call = nf_tables_newtable,
9344 .type = NFNL_CB_BATCH,
9345 .attr_count = NFTA_TABLE_MAX,
9346 .policy = nft_table_policy,
9347 },
9348 [NFT_MSG_GETTABLE] = {
9349 .call = nf_tables_gettable,
9350 .type = NFNL_CB_RCU,
9351 .attr_count = NFTA_TABLE_MAX,
9352 .policy = nft_table_policy,
9353 },
9354 [NFT_MSG_DELTABLE] = {
9355 .call = nf_tables_deltable,
9356 .type = NFNL_CB_BATCH,
9357 .attr_count = NFTA_TABLE_MAX,
9358 .policy = nft_table_policy,
9359 },
9360 [NFT_MSG_DESTROYTABLE] = {
9361 .call = nf_tables_deltable,
9362 .type = NFNL_CB_BATCH,
9363 .attr_count = NFTA_TABLE_MAX,
9364 .policy = nft_table_policy,
9365 },
9366 [NFT_MSG_NEWCHAIN] = {
9367 .call = nf_tables_newchain,
9368 .type = NFNL_CB_BATCH,
9369 .attr_count = NFTA_CHAIN_MAX,
9370 .policy = nft_chain_policy,
9371 },
9372 [NFT_MSG_GETCHAIN] = {
9373 .call = nf_tables_getchain,
9374 .type = NFNL_CB_RCU,
9375 .attr_count = NFTA_CHAIN_MAX,
9376 .policy = nft_chain_policy,
9377 },
9378 [NFT_MSG_DELCHAIN] = {
9379 .call = nf_tables_delchain,
9380 .type = NFNL_CB_BATCH,
9381 .attr_count = NFTA_CHAIN_MAX,
9382 .policy = nft_chain_policy,
9383 },
9384 [NFT_MSG_DESTROYCHAIN] = {
9385 .call = nf_tables_delchain,
9386 .type = NFNL_CB_BATCH,
9387 .attr_count = NFTA_CHAIN_MAX,
9388 .policy = nft_chain_policy,
9389 },
9390 [NFT_MSG_NEWRULE] = {
9391 .call = nf_tables_newrule,
9392 .type = NFNL_CB_BATCH,
9393 .attr_count = NFTA_RULE_MAX,
9394 .policy = nft_rule_policy,
9395 },
9396 [NFT_MSG_GETRULE] = {
9397 .call = nf_tables_getrule,
9398 .type = NFNL_CB_RCU,
9399 .attr_count = NFTA_RULE_MAX,
9400 .policy = nft_rule_policy,
9401 },
9402 [NFT_MSG_GETRULE_RESET] = {
9403 .call = nf_tables_getrule_reset,
9404 .type = NFNL_CB_RCU,
9405 .attr_count = NFTA_RULE_MAX,
9406 .policy = nft_rule_policy,
9407 },
9408 [NFT_MSG_DELRULE] = {
9409 .call = nf_tables_delrule,
9410 .type = NFNL_CB_BATCH,
9411 .attr_count = NFTA_RULE_MAX,
9412 .policy = nft_rule_policy,
9413 },
9414 [NFT_MSG_DESTROYRULE] = {
9415 .call = nf_tables_delrule,
9416 .type = NFNL_CB_BATCH,
9417 .attr_count = NFTA_RULE_MAX,
9418 .policy = nft_rule_policy,
9419 },
9420 [NFT_MSG_NEWSET] = {
9421 .call = nf_tables_newset,
9422 .type = NFNL_CB_BATCH,
9423 .attr_count = NFTA_SET_MAX,
9424 .policy = nft_set_policy,
9425 },
9426 [NFT_MSG_GETSET] = {
9427 .call = nf_tables_getset,
9428 .type = NFNL_CB_RCU,
9429 .attr_count = NFTA_SET_MAX,
9430 .policy = nft_set_policy,
9431 },
9432 [NFT_MSG_DELSET] = {
9433 .call = nf_tables_delset,
9434 .type = NFNL_CB_BATCH,
9435 .attr_count = NFTA_SET_MAX,
9436 .policy = nft_set_policy,
9437 },
9438 [NFT_MSG_DESTROYSET] = {
9439 .call = nf_tables_delset,
9440 .type = NFNL_CB_BATCH,
9441 .attr_count = NFTA_SET_MAX,
9442 .policy = nft_set_policy,
9443 },
9444 [NFT_MSG_NEWSETELEM] = {
9445 .call = nf_tables_newsetelem,
9446 .type = NFNL_CB_BATCH,
9447 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9448 .policy = nft_set_elem_list_policy,
9449 },
9450 [NFT_MSG_GETSETELEM] = {
9451 .call = nf_tables_getsetelem,
9452 .type = NFNL_CB_RCU,
9453 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9454 .policy = nft_set_elem_list_policy,
9455 },
9456 [NFT_MSG_GETSETELEM_RESET] = {
9457 .call = nf_tables_getsetelem_reset,
9458 .type = NFNL_CB_RCU,
9459 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9460 .policy = nft_set_elem_list_policy,
9461 },
9462 [NFT_MSG_DELSETELEM] = {
9463 .call = nf_tables_delsetelem,
9464 .type = NFNL_CB_BATCH,
9465 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9466 .policy = nft_set_elem_list_policy,
9467 },
9468 [NFT_MSG_DESTROYSETELEM] = {
9469 .call = nf_tables_delsetelem,
9470 .type = NFNL_CB_BATCH,
9471 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9472 .policy = nft_set_elem_list_policy,
9473 },
9474 [NFT_MSG_GETGEN] = {
9475 .call = nf_tables_getgen,
9476 .type = NFNL_CB_RCU,
9477 },
9478 [NFT_MSG_NEWOBJ] = {
9479 .call = nf_tables_newobj,
9480 .type = NFNL_CB_BATCH,
9481 .attr_count = NFTA_OBJ_MAX,
9482 .policy = nft_obj_policy,
9483 },
9484 [NFT_MSG_GETOBJ] = {
9485 .call = nf_tables_getobj,
9486 .type = NFNL_CB_RCU,
9487 .attr_count = NFTA_OBJ_MAX,
9488 .policy = nft_obj_policy,
9489 },
9490 [NFT_MSG_DELOBJ] = {
9491 .call = nf_tables_delobj,
9492 .type = NFNL_CB_BATCH,
9493 .attr_count = NFTA_OBJ_MAX,
9494 .policy = nft_obj_policy,
9495 },
9496 [NFT_MSG_DESTROYOBJ] = {
9497 .call = nf_tables_delobj,
9498 .type = NFNL_CB_BATCH,
9499 .attr_count = NFTA_OBJ_MAX,
9500 .policy = nft_obj_policy,
9501 },
9502 [NFT_MSG_GETOBJ_RESET] = {
9503 .call = nf_tables_getobj_reset,
9504 .type = NFNL_CB_RCU,
9505 .attr_count = NFTA_OBJ_MAX,
9506 .policy = nft_obj_policy,
9507 },
9508 [NFT_MSG_NEWFLOWTABLE] = {
9509 .call = nf_tables_newflowtable,
9510 .type = NFNL_CB_BATCH,
9511 .attr_count = NFTA_FLOWTABLE_MAX,
9512 .policy = nft_flowtable_policy,
9513 },
9514 [NFT_MSG_GETFLOWTABLE] = {
9515 .call = nf_tables_getflowtable,
9516 .type = NFNL_CB_RCU,
9517 .attr_count = NFTA_FLOWTABLE_MAX,
9518 .policy = nft_flowtable_policy,
9519 },
9520 [NFT_MSG_DELFLOWTABLE] = {
9521 .call = nf_tables_delflowtable,
9522 .type = NFNL_CB_BATCH,
9523 .attr_count = NFTA_FLOWTABLE_MAX,
9524 .policy = nft_flowtable_policy,
9525 },
9526 [NFT_MSG_DESTROYFLOWTABLE] = {
9527 .call = nf_tables_delflowtable,
9528 .type = NFNL_CB_BATCH,
9529 .attr_count = NFTA_FLOWTABLE_MAX,
9530 .policy = nft_flowtable_policy,
9531 },
9532 };
9533
nf_tables_validate(struct net * net)9534 static int nf_tables_validate(struct net *net)
9535 {
9536 struct nftables_pernet *nft_net = nft_pernet(net);
9537 struct nft_table *table;
9538
9539 list_for_each_entry(table, &nft_net->tables, list) {
9540 switch (table->validate_state) {
9541 case NFT_VALIDATE_SKIP:
9542 continue;
9543 case NFT_VALIDATE_NEED:
9544 nft_validate_state_update(table, NFT_VALIDATE_DO);
9545 fallthrough;
9546 case NFT_VALIDATE_DO:
9547 if (nft_table_validate(net, table) < 0)
9548 return -EAGAIN;
9549
9550 nft_validate_state_update(table, NFT_VALIDATE_SKIP);
9551 break;
9552 }
9553 }
9554
9555 return 0;
9556 }
9557
9558 /* a drop policy has to be deferred until all rules have been activated,
9559 * otherwise a large ruleset that contains a drop-policy base chain will
9560 * cause all packets to get dropped until the full transaction has been
9561 * processed.
9562 *
9563 * We defer the drop policy until the transaction has been finalized.
9564 */
nft_chain_commit_drop_policy(struct nft_trans_chain * trans)9565 static void nft_chain_commit_drop_policy(struct nft_trans_chain *trans)
9566 {
9567 struct nft_base_chain *basechain;
9568
9569 if (trans->policy != NF_DROP)
9570 return;
9571
9572 if (!nft_is_base_chain(trans->chain))
9573 return;
9574
9575 basechain = nft_base_chain(trans->chain);
9576 basechain->policy = NF_DROP;
9577 }
9578
nft_chain_commit_update(struct nft_trans_chain * trans)9579 static void nft_chain_commit_update(struct nft_trans_chain *trans)
9580 {
9581 struct nft_table *table = trans->nft_trans_binding.nft_trans.table;
9582 struct nft_base_chain *basechain;
9583
9584 if (trans->name) {
9585 rhltable_remove(&table->chains_ht,
9586 &trans->chain->rhlhead,
9587 nft_chain_ht_params);
9588 swap(trans->chain->name, trans->name);
9589 rhltable_insert_key(&table->chains_ht,
9590 trans->chain->name,
9591 &trans->chain->rhlhead,
9592 nft_chain_ht_params);
9593 }
9594
9595 if (!nft_is_base_chain(trans->chain))
9596 return;
9597
9598 nft_chain_stats_replace(trans);
9599
9600 basechain = nft_base_chain(trans->chain);
9601
9602 switch (trans->policy) {
9603 case NF_DROP:
9604 case NF_ACCEPT:
9605 basechain->policy = trans->policy;
9606 break;
9607 }
9608 }
9609
nft_obj_commit_update(const struct nft_ctx * ctx,struct nft_trans * trans)9610 static void nft_obj_commit_update(const struct nft_ctx *ctx,
9611 struct nft_trans *trans)
9612 {
9613 struct nft_object *newobj;
9614 struct nft_object *obj;
9615
9616 obj = nft_trans_obj(trans);
9617 newobj = nft_trans_obj_newobj(trans);
9618
9619 if (WARN_ON_ONCE(!obj->ops->update))
9620 return;
9621
9622 obj->ops->update(obj, newobj);
9623 nft_obj_destroy(ctx, newobj);
9624 }
9625
nft_commit_release(struct nft_trans * trans)9626 static void nft_commit_release(struct nft_trans *trans)
9627 {
9628 struct nft_ctx ctx = {
9629 .net = trans->net,
9630 };
9631
9632 nft_ctx_update(&ctx, trans);
9633
9634 switch (trans->msg_type) {
9635 case NFT_MSG_DELTABLE:
9636 case NFT_MSG_DESTROYTABLE:
9637 nf_tables_table_destroy(trans->table);
9638 break;
9639 case NFT_MSG_NEWCHAIN:
9640 free_percpu(nft_trans_chain_stats(trans));
9641 kfree(nft_trans_chain_name(trans));
9642 break;
9643 case NFT_MSG_DELCHAIN:
9644 case NFT_MSG_DESTROYCHAIN:
9645 if (nft_trans_chain_update(trans))
9646 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
9647 else
9648 nf_tables_chain_destroy(nft_trans_chain(trans));
9649 break;
9650 case NFT_MSG_DELRULE:
9651 case NFT_MSG_DESTROYRULE:
9652 nf_tables_rule_destroy(&ctx, nft_trans_rule(trans));
9653 break;
9654 case NFT_MSG_DELSET:
9655 case NFT_MSG_DESTROYSET:
9656 nft_set_destroy(&ctx, nft_trans_set(trans));
9657 break;
9658 case NFT_MSG_DELSETELEM:
9659 case NFT_MSG_DESTROYSETELEM:
9660 nf_tables_set_elem_destroy(&ctx,
9661 nft_trans_elem_set(trans),
9662 nft_trans_elem_priv(trans));
9663 break;
9664 case NFT_MSG_DELOBJ:
9665 case NFT_MSG_DESTROYOBJ:
9666 nft_obj_destroy(&ctx, nft_trans_obj(trans));
9667 break;
9668 case NFT_MSG_DELFLOWTABLE:
9669 case NFT_MSG_DESTROYFLOWTABLE:
9670 if (nft_trans_flowtable_update(trans))
9671 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
9672 else
9673 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
9674 break;
9675 }
9676
9677 if (trans->put_net)
9678 put_net(trans->net);
9679
9680 kfree(trans);
9681 }
9682
nf_tables_trans_destroy_work(struct work_struct * w)9683 static void nf_tables_trans_destroy_work(struct work_struct *w)
9684 {
9685 struct nft_trans *trans, *next;
9686 LIST_HEAD(head);
9687
9688 spin_lock(&nf_tables_destroy_list_lock);
9689 list_splice_init(&nf_tables_destroy_list, &head);
9690 spin_unlock(&nf_tables_destroy_list_lock);
9691
9692 if (list_empty(&head))
9693 return;
9694
9695 synchronize_rcu();
9696
9697 list_for_each_entry_safe(trans, next, &head, list) {
9698 nft_trans_list_del(trans);
9699 nft_commit_release(trans);
9700 }
9701 }
9702
nf_tables_trans_destroy_flush_work(void)9703 void nf_tables_trans_destroy_flush_work(void)
9704 {
9705 flush_work(&trans_destroy_work);
9706 }
9707 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
9708
nft_expr_reduce(struct nft_regs_track * track,const struct nft_expr * expr)9709 static bool nft_expr_reduce(struct nft_regs_track *track,
9710 const struct nft_expr *expr)
9711 {
9712 return false;
9713 }
9714
nf_tables_commit_chain_prepare(struct net * net,struct nft_chain * chain)9715 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
9716 {
9717 const struct nft_expr *expr, *last;
9718 struct nft_regs_track track = {};
9719 unsigned int size, data_size;
9720 void *data, *data_boundary;
9721 struct nft_rule_dp *prule;
9722 struct nft_rule *rule;
9723
9724 /* already handled or inactive chain? */
9725 if (chain->blob_next || !nft_is_active_next(net, chain))
9726 return 0;
9727
9728 data_size = 0;
9729 list_for_each_entry(rule, &chain->rules, list) {
9730 if (nft_is_active_next(net, rule)) {
9731 data_size += sizeof(*prule) + rule->dlen;
9732 if (data_size > INT_MAX)
9733 return -ENOMEM;
9734 }
9735 }
9736
9737 chain->blob_next = nf_tables_chain_alloc_rules(chain, data_size);
9738 if (!chain->blob_next)
9739 return -ENOMEM;
9740
9741 data = (void *)chain->blob_next->data;
9742 data_boundary = data + data_size;
9743 size = 0;
9744
9745 list_for_each_entry(rule, &chain->rules, list) {
9746 if (!nft_is_active_next(net, rule))
9747 continue;
9748
9749 prule = (struct nft_rule_dp *)data;
9750 data += offsetof(struct nft_rule_dp, data);
9751 if (WARN_ON_ONCE(data > data_boundary))
9752 return -ENOMEM;
9753
9754 size = 0;
9755 track.last = nft_expr_last(rule);
9756 nft_rule_for_each_expr(expr, last, rule) {
9757 track.cur = expr;
9758
9759 if (nft_expr_reduce(&track, expr)) {
9760 expr = track.cur;
9761 continue;
9762 }
9763
9764 if (WARN_ON_ONCE(data + size + expr->ops->size > data_boundary))
9765 return -ENOMEM;
9766
9767 memcpy(data + size, expr, expr->ops->size);
9768 size += expr->ops->size;
9769 }
9770 if (WARN_ON_ONCE(size >= 1 << 12))
9771 return -ENOMEM;
9772
9773 prule->handle = rule->handle;
9774 prule->dlen = size;
9775 prule->is_last = 0;
9776
9777 data += size;
9778 size = 0;
9779 chain->blob_next->size += (unsigned long)(data - (void *)prule);
9780 }
9781
9782 if (WARN_ON_ONCE(data > data_boundary))
9783 return -ENOMEM;
9784
9785 prule = (struct nft_rule_dp *)data;
9786 nft_last_rule(chain, prule);
9787
9788 return 0;
9789 }
9790
nf_tables_commit_chain_prepare_cancel(struct net * net)9791 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
9792 {
9793 struct nftables_pernet *nft_net = nft_pernet(net);
9794 struct nft_trans *trans, *next;
9795
9796 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
9797 if (trans->msg_type == NFT_MSG_NEWRULE ||
9798 trans->msg_type == NFT_MSG_DELRULE) {
9799 struct nft_chain *chain = nft_trans_rule_chain(trans);
9800
9801 kvfree(chain->blob_next);
9802 chain->blob_next = NULL;
9803 }
9804 }
9805 }
9806
__nf_tables_commit_chain_free_rules(struct rcu_head * h)9807 static void __nf_tables_commit_chain_free_rules(struct rcu_head *h)
9808 {
9809 struct nft_rule_dp_last *l = container_of(h, struct nft_rule_dp_last, h);
9810
9811 kvfree(l->blob);
9812 }
9813
nf_tables_commit_chain_free_rules_old(struct nft_rule_blob * blob)9814 static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob)
9815 {
9816 struct nft_rule_dp_last *last;
9817
9818 /* last rule trailer is after end marker */
9819 last = (void *)blob + sizeof(*blob) + blob->size;
9820 last->blob = blob;
9821
9822 call_rcu(&last->h, __nf_tables_commit_chain_free_rules);
9823 }
9824
nf_tables_commit_chain(struct net * net,struct nft_chain * chain)9825 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
9826 {
9827 struct nft_rule_blob *g0, *g1;
9828 bool next_genbit;
9829
9830 next_genbit = nft_gencursor_next(net);
9831
9832 g0 = rcu_dereference_protected(chain->blob_gen_0,
9833 lockdep_commit_lock_is_held(net));
9834 g1 = rcu_dereference_protected(chain->blob_gen_1,
9835 lockdep_commit_lock_is_held(net));
9836
9837 /* No changes to this chain? */
9838 if (chain->blob_next == NULL) {
9839 /* chain had no change in last or next generation */
9840 if (g0 == g1)
9841 return;
9842 /*
9843 * chain had no change in this generation; make sure next
9844 * one uses same rules as current generation.
9845 */
9846 if (next_genbit) {
9847 rcu_assign_pointer(chain->blob_gen_1, g0);
9848 nf_tables_commit_chain_free_rules_old(g1);
9849 } else {
9850 rcu_assign_pointer(chain->blob_gen_0, g1);
9851 nf_tables_commit_chain_free_rules_old(g0);
9852 }
9853
9854 return;
9855 }
9856
9857 if (next_genbit)
9858 rcu_assign_pointer(chain->blob_gen_1, chain->blob_next);
9859 else
9860 rcu_assign_pointer(chain->blob_gen_0, chain->blob_next);
9861
9862 chain->blob_next = NULL;
9863
9864 if (g0 == g1)
9865 return;
9866
9867 if (next_genbit)
9868 nf_tables_commit_chain_free_rules_old(g1);
9869 else
9870 nf_tables_commit_chain_free_rules_old(g0);
9871 }
9872
nft_obj_del(struct nft_object * obj)9873 static void nft_obj_del(struct nft_object *obj)
9874 {
9875 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
9876 list_del_rcu(&obj->list);
9877 }
9878
nft_chain_del(struct nft_chain * chain)9879 void nft_chain_del(struct nft_chain *chain)
9880 {
9881 struct nft_table *table = chain->table;
9882
9883 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
9884 nft_chain_ht_params));
9885 list_del_rcu(&chain->list);
9886 }
9887
nft_trans_gc_setelem_remove(struct nft_ctx * ctx,struct nft_trans_gc * trans)9888 static void nft_trans_gc_setelem_remove(struct nft_ctx *ctx,
9889 struct nft_trans_gc *trans)
9890 {
9891 struct nft_elem_priv **priv = trans->priv;
9892 unsigned int i;
9893
9894 for (i = 0; i < trans->count; i++) {
9895 nft_setelem_data_deactivate(ctx->net, trans->set, priv[i]);
9896 nft_setelem_remove(ctx->net, trans->set, priv[i]);
9897 }
9898 }
9899
nft_trans_gc_destroy(struct nft_trans_gc * trans)9900 void nft_trans_gc_destroy(struct nft_trans_gc *trans)
9901 {
9902 nft_set_put(trans->set);
9903 put_net(trans->net);
9904 kfree(trans);
9905 }
9906
nft_trans_gc_trans_free(struct rcu_head * rcu)9907 static void nft_trans_gc_trans_free(struct rcu_head *rcu)
9908 {
9909 struct nft_elem_priv *elem_priv;
9910 struct nft_trans_gc *trans;
9911 struct nft_ctx ctx = {};
9912 unsigned int i;
9913
9914 trans = container_of(rcu, struct nft_trans_gc, rcu);
9915 ctx.net = read_pnet(&trans->set->net);
9916
9917 for (i = 0; i < trans->count; i++) {
9918 elem_priv = trans->priv[i];
9919 if (!nft_setelem_is_catchall(trans->set, elem_priv))
9920 atomic_dec(&trans->set->nelems);
9921
9922 nf_tables_set_elem_destroy(&ctx, trans->set, elem_priv);
9923 }
9924
9925 nft_trans_gc_destroy(trans);
9926 }
9927
nft_trans_gc_work_done(struct nft_trans_gc * trans)9928 static bool nft_trans_gc_work_done(struct nft_trans_gc *trans)
9929 {
9930 struct nftables_pernet *nft_net;
9931 struct nft_ctx ctx = {};
9932
9933 nft_net = nft_pernet(trans->net);
9934
9935 mutex_lock(&nft_net->commit_mutex);
9936
9937 /* Check for race with transaction, otherwise this batch refers to
9938 * stale objects that might not be there anymore. Skip transaction if
9939 * set has been destroyed from control plane transaction in case gc
9940 * worker loses race.
9941 */
9942 if (READ_ONCE(nft_net->gc_seq) != trans->seq || trans->set->dead) {
9943 mutex_unlock(&nft_net->commit_mutex);
9944 return false;
9945 }
9946
9947 ctx.net = trans->net;
9948 ctx.table = trans->set->table;
9949
9950 nft_trans_gc_setelem_remove(&ctx, trans);
9951 mutex_unlock(&nft_net->commit_mutex);
9952
9953 return true;
9954 }
9955
nft_trans_gc_work(struct work_struct * work)9956 static void nft_trans_gc_work(struct work_struct *work)
9957 {
9958 struct nft_trans_gc *trans, *next;
9959 LIST_HEAD(trans_gc_list);
9960
9961 spin_lock(&nf_tables_gc_list_lock);
9962 list_splice_init(&nf_tables_gc_list, &trans_gc_list);
9963 spin_unlock(&nf_tables_gc_list_lock);
9964
9965 list_for_each_entry_safe(trans, next, &trans_gc_list, list) {
9966 list_del(&trans->list);
9967 if (!nft_trans_gc_work_done(trans)) {
9968 nft_trans_gc_destroy(trans);
9969 continue;
9970 }
9971 call_rcu(&trans->rcu, nft_trans_gc_trans_free);
9972 }
9973 }
9974
nft_trans_gc_alloc(struct nft_set * set,unsigned int gc_seq,gfp_t gfp)9975 struct nft_trans_gc *nft_trans_gc_alloc(struct nft_set *set,
9976 unsigned int gc_seq, gfp_t gfp)
9977 {
9978 struct net *net = read_pnet(&set->net);
9979 struct nft_trans_gc *trans;
9980
9981 trans = kzalloc(sizeof(*trans), gfp);
9982 if (!trans)
9983 return NULL;
9984
9985 trans->net = maybe_get_net(net);
9986 if (!trans->net) {
9987 kfree(trans);
9988 return NULL;
9989 }
9990
9991 refcount_inc(&set->refs);
9992 trans->set = set;
9993 trans->seq = gc_seq;
9994
9995 return trans;
9996 }
9997
nft_trans_gc_elem_add(struct nft_trans_gc * trans,void * priv)9998 void nft_trans_gc_elem_add(struct nft_trans_gc *trans, void *priv)
9999 {
10000 trans->priv[trans->count++] = priv;
10001 }
10002
nft_trans_gc_queue_work(struct nft_trans_gc * trans)10003 static void nft_trans_gc_queue_work(struct nft_trans_gc *trans)
10004 {
10005 spin_lock(&nf_tables_gc_list_lock);
10006 list_add_tail(&trans->list, &nf_tables_gc_list);
10007 spin_unlock(&nf_tables_gc_list_lock);
10008
10009 schedule_work(&trans_gc_work);
10010 }
10011
nft_trans_gc_space(struct nft_trans_gc * trans)10012 static int nft_trans_gc_space(struct nft_trans_gc *trans)
10013 {
10014 return NFT_TRANS_GC_BATCHCOUNT - trans->count;
10015 }
10016
nft_trans_gc_queue_async(struct nft_trans_gc * gc,unsigned int gc_seq,gfp_t gfp)10017 struct nft_trans_gc *nft_trans_gc_queue_async(struct nft_trans_gc *gc,
10018 unsigned int gc_seq, gfp_t gfp)
10019 {
10020 struct nft_set *set;
10021
10022 if (nft_trans_gc_space(gc))
10023 return gc;
10024
10025 set = gc->set;
10026 nft_trans_gc_queue_work(gc);
10027
10028 return nft_trans_gc_alloc(set, gc_seq, gfp);
10029 }
10030
nft_trans_gc_queue_async_done(struct nft_trans_gc * trans)10031 void nft_trans_gc_queue_async_done(struct nft_trans_gc *trans)
10032 {
10033 if (trans->count == 0) {
10034 nft_trans_gc_destroy(trans);
10035 return;
10036 }
10037
10038 nft_trans_gc_queue_work(trans);
10039 }
10040
nft_trans_gc_queue_sync(struct nft_trans_gc * gc,gfp_t gfp)10041 struct nft_trans_gc *nft_trans_gc_queue_sync(struct nft_trans_gc *gc, gfp_t gfp)
10042 {
10043 struct nft_set *set;
10044
10045 if (WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net)))
10046 return NULL;
10047
10048 if (nft_trans_gc_space(gc))
10049 return gc;
10050
10051 set = gc->set;
10052 call_rcu(&gc->rcu, nft_trans_gc_trans_free);
10053
10054 return nft_trans_gc_alloc(set, 0, gfp);
10055 }
10056
nft_trans_gc_queue_sync_done(struct nft_trans_gc * trans)10057 void nft_trans_gc_queue_sync_done(struct nft_trans_gc *trans)
10058 {
10059 WARN_ON_ONCE(!lockdep_commit_lock_is_held(trans->net));
10060
10061 if (trans->count == 0) {
10062 nft_trans_gc_destroy(trans);
10063 return;
10064 }
10065
10066 call_rcu(&trans->rcu, nft_trans_gc_trans_free);
10067 }
10068
nft_trans_gc_catchall_async(struct nft_trans_gc * gc,unsigned int gc_seq)10069 struct nft_trans_gc *nft_trans_gc_catchall_async(struct nft_trans_gc *gc,
10070 unsigned int gc_seq)
10071 {
10072 struct nft_set_elem_catchall *catchall;
10073 const struct nft_set *set = gc->set;
10074 struct nft_set_ext *ext;
10075
10076 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
10077 ext = nft_set_elem_ext(set, catchall->elem);
10078
10079 if (!nft_set_elem_expired(ext))
10080 continue;
10081 if (nft_set_elem_is_dead(ext))
10082 goto dead_elem;
10083
10084 nft_set_elem_dead(ext);
10085 dead_elem:
10086 gc = nft_trans_gc_queue_async(gc, gc_seq, GFP_ATOMIC);
10087 if (!gc)
10088 return NULL;
10089
10090 nft_trans_gc_elem_add(gc, catchall->elem);
10091 }
10092
10093 return gc;
10094 }
10095
nft_trans_gc_catchall_sync(struct nft_trans_gc * gc)10096 struct nft_trans_gc *nft_trans_gc_catchall_sync(struct nft_trans_gc *gc)
10097 {
10098 struct nft_set_elem_catchall *catchall, *next;
10099 u64 tstamp = nft_net_tstamp(gc->net);
10100 const struct nft_set *set = gc->set;
10101 struct nft_elem_priv *elem_priv;
10102 struct nft_set_ext *ext;
10103
10104 WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net));
10105
10106 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
10107 ext = nft_set_elem_ext(set, catchall->elem);
10108
10109 if (!__nft_set_elem_expired(ext, tstamp))
10110 continue;
10111
10112 gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL);
10113 if (!gc)
10114 return NULL;
10115
10116 elem_priv = catchall->elem;
10117 nft_setelem_data_deactivate(gc->net, gc->set, elem_priv);
10118 nft_setelem_catchall_destroy(catchall);
10119 nft_trans_gc_elem_add(gc, elem_priv);
10120 }
10121
10122 return gc;
10123 }
10124
nf_tables_module_autoload_cleanup(struct net * net)10125 static void nf_tables_module_autoload_cleanup(struct net *net)
10126 {
10127 struct nftables_pernet *nft_net = nft_pernet(net);
10128 struct nft_module_request *req, *next;
10129
10130 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
10131 list_for_each_entry_safe(req, next, &nft_net->module_list, list) {
10132 WARN_ON_ONCE(!req->done);
10133 list_del(&req->list);
10134 kfree(req);
10135 }
10136 }
10137
nf_tables_commit_release(struct net * net)10138 static void nf_tables_commit_release(struct net *net)
10139 {
10140 struct nftables_pernet *nft_net = nft_pernet(net);
10141 struct nft_trans *trans;
10142
10143 /* all side effects have to be made visible.
10144 * For example, if a chain named 'foo' has been deleted, a
10145 * new transaction must not find it anymore.
10146 *
10147 * Memory reclaim happens asynchronously from work queue
10148 * to prevent expensive synchronize_rcu() in commit phase.
10149 */
10150 if (list_empty(&nft_net->commit_list)) {
10151 nf_tables_module_autoload_cleanup(net);
10152 mutex_unlock(&nft_net->commit_mutex);
10153 return;
10154 }
10155
10156 trans = list_last_entry(&nft_net->commit_list,
10157 struct nft_trans, list);
10158 get_net(trans->net);
10159 WARN_ON_ONCE(trans->put_net);
10160
10161 trans->put_net = true;
10162 spin_lock(&nf_tables_destroy_list_lock);
10163 list_splice_tail_init(&nft_net->commit_list, &nf_tables_destroy_list);
10164 spin_unlock(&nf_tables_destroy_list_lock);
10165
10166 nf_tables_module_autoload_cleanup(net);
10167 schedule_work(&trans_destroy_work);
10168
10169 mutex_unlock(&nft_net->commit_mutex);
10170 }
10171
nft_commit_notify(struct net * net,u32 portid)10172 static void nft_commit_notify(struct net *net, u32 portid)
10173 {
10174 struct nftables_pernet *nft_net = nft_pernet(net);
10175 struct sk_buff *batch_skb = NULL, *nskb, *skb;
10176 unsigned char *data;
10177 int len;
10178
10179 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) {
10180 if (!batch_skb) {
10181 new_batch:
10182 batch_skb = skb;
10183 len = NLMSG_GOODSIZE - skb->len;
10184 list_del(&skb->list);
10185 continue;
10186 }
10187 len -= skb->len;
10188 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
10189 data = skb_put(batch_skb, skb->len);
10190 memcpy(data, skb->data, skb->len);
10191 list_del(&skb->list);
10192 kfree_skb(skb);
10193 continue;
10194 }
10195 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
10196 NFT_CB(batch_skb).report, GFP_KERNEL);
10197 goto new_batch;
10198 }
10199
10200 if (batch_skb) {
10201 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
10202 NFT_CB(batch_skb).report, GFP_KERNEL);
10203 }
10204
10205 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
10206 }
10207
nf_tables_commit_audit_alloc(struct list_head * adl,struct nft_table * table)10208 static int nf_tables_commit_audit_alloc(struct list_head *adl,
10209 struct nft_table *table)
10210 {
10211 struct nft_audit_data *adp;
10212
10213 list_for_each_entry(adp, adl, list) {
10214 if (adp->table == table)
10215 return 0;
10216 }
10217 adp = kzalloc(sizeof(*adp), GFP_KERNEL);
10218 if (!adp)
10219 return -ENOMEM;
10220 adp->table = table;
10221 list_add(&adp->list, adl);
10222 return 0;
10223 }
10224
nf_tables_commit_audit_free(struct list_head * adl)10225 static void nf_tables_commit_audit_free(struct list_head *adl)
10226 {
10227 struct nft_audit_data *adp, *adn;
10228
10229 list_for_each_entry_safe(adp, adn, adl, list) {
10230 list_del(&adp->list);
10231 kfree(adp);
10232 }
10233 }
10234
nf_tables_commit_audit_collect(struct list_head * adl,struct nft_table * table,u32 op)10235 static void nf_tables_commit_audit_collect(struct list_head *adl,
10236 struct nft_table *table, u32 op)
10237 {
10238 struct nft_audit_data *adp;
10239
10240 list_for_each_entry(adp, adl, list) {
10241 if (adp->table == table)
10242 goto found;
10243 }
10244 WARN_ONCE(1, "table=%s not expected in commit list", table->name);
10245 return;
10246 found:
10247 adp->entries++;
10248 if (!adp->op || adp->op > op)
10249 adp->op = op;
10250 }
10251
10252 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22)
10253
nf_tables_commit_audit_log(struct list_head * adl,u32 generation)10254 static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation)
10255 {
10256 struct nft_audit_data *adp, *adn;
10257 char aubuf[AUNFTABLENAMELEN];
10258
10259 list_for_each_entry_safe(adp, adn, adl, list) {
10260 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name,
10261 generation);
10262 audit_log_nfcfg(aubuf, adp->table->family, adp->entries,
10263 nft2audit_op[adp->op], GFP_KERNEL);
10264 list_del(&adp->list);
10265 kfree(adp);
10266 }
10267 }
10268
nft_set_commit_update(struct list_head * set_update_list)10269 static void nft_set_commit_update(struct list_head *set_update_list)
10270 {
10271 struct nft_set *set, *next;
10272
10273 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
10274 list_del_init(&set->pending_update);
10275
10276 if (!set->ops->commit || set->dead)
10277 continue;
10278
10279 set->ops->commit(set);
10280 }
10281 }
10282
nft_gc_seq_begin(struct nftables_pernet * nft_net)10283 static unsigned int nft_gc_seq_begin(struct nftables_pernet *nft_net)
10284 {
10285 unsigned int gc_seq;
10286
10287 /* Bump gc counter, it becomes odd, this is the busy mark. */
10288 gc_seq = READ_ONCE(nft_net->gc_seq);
10289 WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
10290
10291 return gc_seq;
10292 }
10293
nft_gc_seq_end(struct nftables_pernet * nft_net,unsigned int gc_seq)10294 static void nft_gc_seq_end(struct nftables_pernet *nft_net, unsigned int gc_seq)
10295 {
10296 WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
10297 }
10298
nf_tables_commit(struct net * net,struct sk_buff * skb)10299 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
10300 {
10301 struct nftables_pernet *nft_net = nft_pernet(net);
10302 const struct nlmsghdr *nlh = nlmsg_hdr(skb);
10303 struct nft_trans_binding *trans_binding;
10304 struct nft_trans *trans, *next;
10305 unsigned int base_seq, gc_seq;
10306 LIST_HEAD(set_update_list);
10307 struct nft_trans_elem *te;
10308 struct nft_chain *chain;
10309 struct nft_table *table;
10310 struct nft_ctx ctx;
10311 LIST_HEAD(adl);
10312 int err;
10313
10314 if (list_empty(&nft_net->commit_list)) {
10315 mutex_unlock(&nft_net->commit_mutex);
10316 return 0;
10317 }
10318
10319 nft_ctx_init(&ctx, net, skb, nlh, NFPROTO_UNSPEC, NULL, NULL, NULL);
10320
10321 list_for_each_entry(trans_binding, &nft_net->binding_list, binding_list) {
10322 trans = &trans_binding->nft_trans;
10323 switch (trans->msg_type) {
10324 case NFT_MSG_NEWSET:
10325 if (!nft_trans_set_update(trans) &&
10326 nft_set_is_anonymous(nft_trans_set(trans)) &&
10327 !nft_trans_set_bound(trans)) {
10328 pr_warn_once("nftables ruleset with unbound set\n");
10329 return -EINVAL;
10330 }
10331 break;
10332 case NFT_MSG_NEWCHAIN:
10333 if (!nft_trans_chain_update(trans) &&
10334 nft_chain_binding(nft_trans_chain(trans)) &&
10335 !nft_trans_chain_bound(trans)) {
10336 pr_warn_once("nftables ruleset with unbound chain\n");
10337 return -EINVAL;
10338 }
10339 break;
10340 default:
10341 WARN_ONCE(1, "Unhandled bind type %d", trans->msg_type);
10342 break;
10343 }
10344 }
10345
10346 /* 0. Validate ruleset, otherwise roll back for error reporting. */
10347 if (nf_tables_validate(net) < 0) {
10348 nft_net->validate_state = NFT_VALIDATE_DO;
10349 return -EAGAIN;
10350 }
10351
10352 err = nft_flow_rule_offload_commit(net);
10353 if (err < 0)
10354 return err;
10355
10356 /* 1. Allocate space for next generation rules_gen_X[] */
10357 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
10358 struct nft_table *table = trans->table;
10359 int ret;
10360
10361 ret = nf_tables_commit_audit_alloc(&adl, table);
10362 if (ret) {
10363 nf_tables_commit_chain_prepare_cancel(net);
10364 nf_tables_commit_audit_free(&adl);
10365 return ret;
10366 }
10367 if (trans->msg_type == NFT_MSG_NEWRULE ||
10368 trans->msg_type == NFT_MSG_DELRULE) {
10369 chain = nft_trans_rule_chain(trans);
10370
10371 ret = nf_tables_commit_chain_prepare(net, chain);
10372 if (ret < 0) {
10373 nf_tables_commit_chain_prepare_cancel(net);
10374 nf_tables_commit_audit_free(&adl);
10375 return ret;
10376 }
10377 }
10378 }
10379
10380 /* step 2. Make rules_gen_X visible to packet path */
10381 list_for_each_entry(table, &nft_net->tables, list) {
10382 list_for_each_entry(chain, &table->chains, list)
10383 nf_tables_commit_chain(net, chain);
10384 }
10385
10386 /*
10387 * Bump generation counter, invalidate any dump in progress.
10388 * Cannot fail after this point.
10389 */
10390 base_seq = READ_ONCE(nft_net->base_seq);
10391 while (++base_seq == 0)
10392 ;
10393
10394 WRITE_ONCE(nft_net->base_seq, base_seq);
10395
10396 gc_seq = nft_gc_seq_begin(nft_net);
10397
10398 /* step 3. Start new generation, rules_gen_X now in use. */
10399 net->nft.gencursor = nft_gencursor_next(net);
10400
10401 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
10402 struct nft_table *table = trans->table;
10403
10404 nft_ctx_update(&ctx, trans);
10405
10406 nf_tables_commit_audit_collect(&adl, table, trans->msg_type);
10407 switch (trans->msg_type) {
10408 case NFT_MSG_NEWTABLE:
10409 if (nft_trans_table_update(trans)) {
10410 if (!(table->flags & __NFT_TABLE_F_UPDATE)) {
10411 nft_trans_destroy(trans);
10412 break;
10413 }
10414 if (table->flags & NFT_TABLE_F_DORMANT)
10415 nf_tables_table_disable(net, table);
10416
10417 table->flags &= ~__NFT_TABLE_F_UPDATE;
10418 } else {
10419 nft_clear(net, table);
10420 }
10421 nf_tables_table_notify(&ctx, NFT_MSG_NEWTABLE);
10422 nft_trans_destroy(trans);
10423 break;
10424 case NFT_MSG_DELTABLE:
10425 case NFT_MSG_DESTROYTABLE:
10426 list_del_rcu(&table->list);
10427 nf_tables_table_notify(&ctx, trans->msg_type);
10428 break;
10429 case NFT_MSG_NEWCHAIN:
10430 if (nft_trans_chain_update(trans)) {
10431 nft_chain_commit_update(nft_trans_container_chain(trans));
10432 nf_tables_chain_notify(&ctx, NFT_MSG_NEWCHAIN,
10433 &nft_trans_chain_hooks(trans));
10434 list_splice(&nft_trans_chain_hooks(trans),
10435 &nft_trans_basechain(trans)->hook_list);
10436 /* trans destroyed after rcu grace period */
10437 } else {
10438 nft_chain_commit_drop_policy(nft_trans_container_chain(trans));
10439 nft_clear(net, nft_trans_chain(trans));
10440 nf_tables_chain_notify(&ctx, NFT_MSG_NEWCHAIN, NULL);
10441 nft_trans_destroy(trans);
10442 }
10443 break;
10444 case NFT_MSG_DELCHAIN:
10445 case NFT_MSG_DESTROYCHAIN:
10446 if (nft_trans_chain_update(trans)) {
10447 nf_tables_chain_notify(&ctx, NFT_MSG_DELCHAIN,
10448 &nft_trans_chain_hooks(trans));
10449 if (!(table->flags & NFT_TABLE_F_DORMANT)) {
10450 nft_netdev_unregister_hooks(net,
10451 &nft_trans_chain_hooks(trans),
10452 true);
10453 }
10454 } else {
10455 nft_chain_del(nft_trans_chain(trans));
10456 nf_tables_chain_notify(&ctx, NFT_MSG_DELCHAIN,
10457 NULL);
10458 nf_tables_unregister_hook(ctx.net, ctx.table,
10459 nft_trans_chain(trans));
10460 }
10461 break;
10462 case NFT_MSG_NEWRULE:
10463 nft_clear(net, nft_trans_rule(trans));
10464 nf_tables_rule_notify(&ctx, nft_trans_rule(trans),
10465 NFT_MSG_NEWRULE);
10466 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD)
10467 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10468
10469 nft_trans_destroy(trans);
10470 break;
10471 case NFT_MSG_DELRULE:
10472 case NFT_MSG_DESTROYRULE:
10473 list_del_rcu(&nft_trans_rule(trans)->list);
10474 nf_tables_rule_notify(&ctx, nft_trans_rule(trans),
10475 trans->msg_type);
10476 nft_rule_expr_deactivate(&ctx, nft_trans_rule(trans),
10477 NFT_TRANS_COMMIT);
10478
10479 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD)
10480 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10481 break;
10482 case NFT_MSG_NEWSET:
10483 list_del(&nft_trans_container_set(trans)->list_trans_newset);
10484 if (nft_trans_set_update(trans)) {
10485 struct nft_set *set = nft_trans_set(trans);
10486
10487 WRITE_ONCE(set->timeout, nft_trans_set_timeout(trans));
10488 WRITE_ONCE(set->gc_int, nft_trans_set_gc_int(trans));
10489
10490 if (nft_trans_set_size(trans))
10491 WRITE_ONCE(set->size, nft_trans_set_size(trans));
10492 } else {
10493 nft_clear(net, nft_trans_set(trans));
10494 /* This avoids hitting -EBUSY when deleting the table
10495 * from the transaction.
10496 */
10497 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
10498 !list_empty(&nft_trans_set(trans)->bindings))
10499 nft_use_dec(&table->use);
10500 }
10501 nf_tables_set_notify(&ctx, nft_trans_set(trans),
10502 NFT_MSG_NEWSET, GFP_KERNEL);
10503 nft_trans_destroy(trans);
10504 break;
10505 case NFT_MSG_DELSET:
10506 case NFT_MSG_DESTROYSET:
10507 nft_trans_set(trans)->dead = 1;
10508 list_del_rcu(&nft_trans_set(trans)->list);
10509 nf_tables_set_notify(&ctx, nft_trans_set(trans),
10510 trans->msg_type, GFP_KERNEL);
10511 break;
10512 case NFT_MSG_NEWSETELEM:
10513 te = nft_trans_container_elem(trans);
10514
10515 if (te->update_flags) {
10516 const struct nft_set_ext *ext =
10517 nft_set_elem_ext(te->set, te->elem_priv);
10518
10519 if (te->update_flags & NFT_TRANS_UPD_TIMEOUT) {
10520 WRITE_ONCE(nft_set_ext_timeout(ext)->timeout,
10521 te->timeout);
10522 }
10523 if (te->update_flags & NFT_TRANS_UPD_EXPIRATION) {
10524 WRITE_ONCE(nft_set_ext_timeout(ext)->expiration,
10525 get_jiffies_64() + te->expiration);
10526 }
10527 } else {
10528 nft_setelem_activate(net, te->set, te->elem_priv);
10529 }
10530
10531 nf_tables_setelem_notify(&ctx, te->set,
10532 te->elem_priv,
10533 NFT_MSG_NEWSETELEM);
10534 if (te->set->ops->commit &&
10535 list_empty(&te->set->pending_update)) {
10536 list_add_tail(&te->set->pending_update,
10537 &set_update_list);
10538 }
10539 nft_trans_destroy(trans);
10540 break;
10541 case NFT_MSG_DELSETELEM:
10542 case NFT_MSG_DESTROYSETELEM:
10543 te = nft_trans_container_elem(trans);
10544
10545 nf_tables_setelem_notify(&ctx, te->set,
10546 te->elem_priv,
10547 trans->msg_type);
10548 nft_setelem_remove(net, te->set, te->elem_priv);
10549 if (!nft_setelem_is_catchall(te->set, te->elem_priv)) {
10550 atomic_dec(&te->set->nelems);
10551 te->set->ndeact--;
10552 }
10553 if (te->set->ops->commit &&
10554 list_empty(&te->set->pending_update)) {
10555 list_add_tail(&te->set->pending_update,
10556 &set_update_list);
10557 }
10558 break;
10559 case NFT_MSG_NEWOBJ:
10560 if (nft_trans_obj_update(trans)) {
10561 nft_obj_commit_update(&ctx, trans);
10562 nf_tables_obj_notify(&ctx,
10563 nft_trans_obj(trans),
10564 NFT_MSG_NEWOBJ);
10565 } else {
10566 nft_clear(net, nft_trans_obj(trans));
10567 nf_tables_obj_notify(&ctx,
10568 nft_trans_obj(trans),
10569 NFT_MSG_NEWOBJ);
10570 nft_trans_destroy(trans);
10571 }
10572 break;
10573 case NFT_MSG_DELOBJ:
10574 case NFT_MSG_DESTROYOBJ:
10575 nft_obj_del(nft_trans_obj(trans));
10576 nf_tables_obj_notify(&ctx, nft_trans_obj(trans),
10577 trans->msg_type);
10578 break;
10579 case NFT_MSG_NEWFLOWTABLE:
10580 if (nft_trans_flowtable_update(trans)) {
10581 nft_trans_flowtable(trans)->data.flags =
10582 nft_trans_flowtable_flags(trans);
10583 nf_tables_flowtable_notify(&ctx,
10584 nft_trans_flowtable(trans),
10585 &nft_trans_flowtable_hooks(trans),
10586 NFT_MSG_NEWFLOWTABLE);
10587 list_splice(&nft_trans_flowtable_hooks(trans),
10588 &nft_trans_flowtable(trans)->hook_list);
10589 } else {
10590 nft_clear(net, nft_trans_flowtable(trans));
10591 nf_tables_flowtable_notify(&ctx,
10592 nft_trans_flowtable(trans),
10593 NULL,
10594 NFT_MSG_NEWFLOWTABLE);
10595 }
10596 nft_trans_destroy(trans);
10597 break;
10598 case NFT_MSG_DELFLOWTABLE:
10599 case NFT_MSG_DESTROYFLOWTABLE:
10600 if (nft_trans_flowtable_update(trans)) {
10601 nf_tables_flowtable_notify(&ctx,
10602 nft_trans_flowtable(trans),
10603 &nft_trans_flowtable_hooks(trans),
10604 trans->msg_type);
10605 nft_unregister_flowtable_net_hooks(net,
10606 &nft_trans_flowtable_hooks(trans));
10607 } else {
10608 list_del_rcu(&nft_trans_flowtable(trans)->list);
10609 nf_tables_flowtable_notify(&ctx,
10610 nft_trans_flowtable(trans),
10611 NULL,
10612 trans->msg_type);
10613 nft_unregister_flowtable_net_hooks(net,
10614 &nft_trans_flowtable(trans)->hook_list);
10615 }
10616 break;
10617 }
10618 }
10619
10620 nft_set_commit_update(&set_update_list);
10621
10622 nft_commit_notify(net, NETLINK_CB(skb).portid);
10623 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
10624 nf_tables_commit_audit_log(&adl, nft_net->base_seq);
10625
10626 nft_gc_seq_end(nft_net, gc_seq);
10627 nft_net->validate_state = NFT_VALIDATE_SKIP;
10628 nf_tables_commit_release(net);
10629
10630 return 0;
10631 }
10632
nf_tables_module_autoload(struct net * net)10633 static void nf_tables_module_autoload(struct net *net)
10634 {
10635 struct nftables_pernet *nft_net = nft_pernet(net);
10636 struct nft_module_request *req, *next;
10637 LIST_HEAD(module_list);
10638
10639 list_splice_init(&nft_net->module_list, &module_list);
10640 mutex_unlock(&nft_net->commit_mutex);
10641 list_for_each_entry_safe(req, next, &module_list, list) {
10642 request_module("%s", req->module);
10643 req->done = true;
10644 }
10645 mutex_lock(&nft_net->commit_mutex);
10646 list_splice(&module_list, &nft_net->module_list);
10647 }
10648
nf_tables_abort_release(struct nft_trans * trans)10649 static void nf_tables_abort_release(struct nft_trans *trans)
10650 {
10651 struct nft_ctx ctx = { };
10652
10653 nft_ctx_update(&ctx, trans);
10654
10655 switch (trans->msg_type) {
10656 case NFT_MSG_NEWTABLE:
10657 nf_tables_table_destroy(trans->table);
10658 break;
10659 case NFT_MSG_NEWCHAIN:
10660 if (nft_trans_chain_update(trans))
10661 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
10662 else
10663 nf_tables_chain_destroy(nft_trans_chain(trans));
10664 break;
10665 case NFT_MSG_NEWRULE:
10666 nf_tables_rule_destroy(&ctx, nft_trans_rule(trans));
10667 break;
10668 case NFT_MSG_NEWSET:
10669 nft_set_destroy(&ctx, nft_trans_set(trans));
10670 break;
10671 case NFT_MSG_NEWSETELEM:
10672 nft_set_elem_destroy(nft_trans_elem_set(trans),
10673 nft_trans_elem_priv(trans), true);
10674 break;
10675 case NFT_MSG_NEWOBJ:
10676 nft_obj_destroy(&ctx, nft_trans_obj(trans));
10677 break;
10678 case NFT_MSG_NEWFLOWTABLE:
10679 if (nft_trans_flowtable_update(trans))
10680 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
10681 else
10682 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
10683 break;
10684 }
10685 kfree(trans);
10686 }
10687
nft_set_abort_update(struct list_head * set_update_list)10688 static void nft_set_abort_update(struct list_head *set_update_list)
10689 {
10690 struct nft_set *set, *next;
10691
10692 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
10693 list_del_init(&set->pending_update);
10694
10695 if (!set->ops->abort)
10696 continue;
10697
10698 set->ops->abort(set);
10699 }
10700 }
10701
__nf_tables_abort(struct net * net,enum nfnl_abort_action action)10702 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
10703 {
10704 struct nftables_pernet *nft_net = nft_pernet(net);
10705 struct nft_trans *trans, *next;
10706 LIST_HEAD(set_update_list);
10707 struct nft_trans_elem *te;
10708 struct nft_ctx ctx = {
10709 .net = net,
10710 };
10711 int err = 0;
10712
10713 if (action == NFNL_ABORT_VALIDATE &&
10714 nf_tables_validate(net) < 0)
10715 err = -EAGAIN;
10716
10717 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list,
10718 list) {
10719 struct nft_table *table = trans->table;
10720
10721 nft_ctx_update(&ctx, trans);
10722
10723 switch (trans->msg_type) {
10724 case NFT_MSG_NEWTABLE:
10725 if (nft_trans_table_update(trans)) {
10726 if (!(table->flags & __NFT_TABLE_F_UPDATE)) {
10727 nft_trans_destroy(trans);
10728 break;
10729 }
10730 if (table->flags & __NFT_TABLE_F_WAS_DORMANT) {
10731 nf_tables_table_disable(net, table);
10732 table->flags |= NFT_TABLE_F_DORMANT;
10733 } else if (table->flags & __NFT_TABLE_F_WAS_AWAKEN) {
10734 table->flags &= ~NFT_TABLE_F_DORMANT;
10735 }
10736 if (table->flags & __NFT_TABLE_F_WAS_ORPHAN) {
10737 table->flags &= ~NFT_TABLE_F_OWNER;
10738 table->nlpid = 0;
10739 }
10740 table->flags &= ~__NFT_TABLE_F_UPDATE;
10741 nft_trans_destroy(trans);
10742 } else {
10743 list_del_rcu(&table->list);
10744 }
10745 break;
10746 case NFT_MSG_DELTABLE:
10747 case NFT_MSG_DESTROYTABLE:
10748 nft_clear(trans->net, table);
10749 nft_trans_destroy(trans);
10750 break;
10751 case NFT_MSG_NEWCHAIN:
10752 if (nft_trans_chain_update(trans)) {
10753 if (!(table->flags & NFT_TABLE_F_DORMANT)) {
10754 nft_netdev_unregister_hooks(net,
10755 &nft_trans_chain_hooks(trans),
10756 true);
10757 }
10758 free_percpu(nft_trans_chain_stats(trans));
10759 kfree(nft_trans_chain_name(trans));
10760 nft_trans_destroy(trans);
10761 } else {
10762 if (nft_trans_chain_bound(trans)) {
10763 nft_trans_destroy(trans);
10764 break;
10765 }
10766 nft_use_dec_restore(&table->use);
10767 nft_chain_del(nft_trans_chain(trans));
10768 nf_tables_unregister_hook(trans->net, table,
10769 nft_trans_chain(trans));
10770 }
10771 break;
10772 case NFT_MSG_DELCHAIN:
10773 case NFT_MSG_DESTROYCHAIN:
10774 if (nft_trans_chain_update(trans)) {
10775 list_splice(&nft_trans_chain_hooks(trans),
10776 &nft_trans_basechain(trans)->hook_list);
10777 } else {
10778 nft_use_inc_restore(&table->use);
10779 nft_clear(trans->net, nft_trans_chain(trans));
10780 }
10781 nft_trans_destroy(trans);
10782 break;
10783 case NFT_MSG_NEWRULE:
10784 if (nft_trans_rule_bound(trans)) {
10785 nft_trans_destroy(trans);
10786 break;
10787 }
10788 nft_use_dec_restore(&nft_trans_rule_chain(trans)->use);
10789 list_del_rcu(&nft_trans_rule(trans)->list);
10790 nft_rule_expr_deactivate(&ctx,
10791 nft_trans_rule(trans),
10792 NFT_TRANS_ABORT);
10793 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD)
10794 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10795 break;
10796 case NFT_MSG_DELRULE:
10797 case NFT_MSG_DESTROYRULE:
10798 nft_use_inc_restore(&nft_trans_rule_chain(trans)->use);
10799 nft_clear(trans->net, nft_trans_rule(trans));
10800 nft_rule_expr_activate(&ctx, nft_trans_rule(trans));
10801 if (nft_trans_rule_chain(trans)->flags & NFT_CHAIN_HW_OFFLOAD)
10802 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10803
10804 nft_trans_destroy(trans);
10805 break;
10806 case NFT_MSG_NEWSET:
10807 list_del(&nft_trans_container_set(trans)->list_trans_newset);
10808 if (nft_trans_set_update(trans)) {
10809 nft_trans_destroy(trans);
10810 break;
10811 }
10812 nft_use_dec_restore(&table->use);
10813 if (nft_trans_set_bound(trans)) {
10814 nft_trans_destroy(trans);
10815 break;
10816 }
10817 nft_trans_set(trans)->dead = 1;
10818 list_del_rcu(&nft_trans_set(trans)->list);
10819 break;
10820 case NFT_MSG_DELSET:
10821 case NFT_MSG_DESTROYSET:
10822 nft_use_inc_restore(&table->use);
10823 nft_clear(trans->net, nft_trans_set(trans));
10824 if (nft_trans_set(trans)->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
10825 nft_map_activate(&ctx, nft_trans_set(trans));
10826
10827 nft_trans_destroy(trans);
10828 break;
10829 case NFT_MSG_NEWSETELEM:
10830 if (nft_trans_elem_update_flags(trans) ||
10831 nft_trans_elem_set_bound(trans)) {
10832 nft_trans_destroy(trans);
10833 break;
10834 }
10835 te = nft_trans_container_elem(trans);
10836 if (!te->set->ops->abort ||
10837 nft_setelem_is_catchall(te->set, te->elem_priv))
10838 nft_setelem_remove(net, te->set, te->elem_priv);
10839
10840 if (!nft_setelem_is_catchall(te->set, te->elem_priv))
10841 atomic_dec(&te->set->nelems);
10842
10843 if (te->set->ops->abort &&
10844 list_empty(&te->set->pending_update)) {
10845 list_add_tail(&te->set->pending_update,
10846 &set_update_list);
10847 }
10848 break;
10849 case NFT_MSG_DELSETELEM:
10850 case NFT_MSG_DESTROYSETELEM:
10851 te = nft_trans_container_elem(trans);
10852
10853 if (!nft_setelem_active_next(net, te->set, te->elem_priv)) {
10854 nft_setelem_data_activate(net, te->set, te->elem_priv);
10855 nft_setelem_activate(net, te->set, te->elem_priv);
10856 }
10857 if (!nft_setelem_is_catchall(te->set, te->elem_priv))
10858 te->set->ndeact--;
10859
10860 if (te->set->ops->abort &&
10861 list_empty(&te->set->pending_update)) {
10862 list_add_tail(&te->set->pending_update,
10863 &set_update_list);
10864 }
10865 nft_trans_destroy(trans);
10866 break;
10867 case NFT_MSG_NEWOBJ:
10868 if (nft_trans_obj_update(trans)) {
10869 nft_obj_destroy(&ctx, nft_trans_obj_newobj(trans));
10870 nft_trans_destroy(trans);
10871 } else {
10872 nft_use_dec_restore(&table->use);
10873 nft_obj_del(nft_trans_obj(trans));
10874 }
10875 break;
10876 case NFT_MSG_DELOBJ:
10877 case NFT_MSG_DESTROYOBJ:
10878 nft_use_inc_restore(&table->use);
10879 nft_clear(trans->net, nft_trans_obj(trans));
10880 nft_trans_destroy(trans);
10881 break;
10882 case NFT_MSG_NEWFLOWTABLE:
10883 if (nft_trans_flowtable_update(trans)) {
10884 nft_unregister_flowtable_net_hooks(net,
10885 &nft_trans_flowtable_hooks(trans));
10886 } else {
10887 nft_use_dec_restore(&table->use);
10888 list_del_rcu(&nft_trans_flowtable(trans)->list);
10889 nft_unregister_flowtable_net_hooks(net,
10890 &nft_trans_flowtable(trans)->hook_list);
10891 }
10892 break;
10893 case NFT_MSG_DELFLOWTABLE:
10894 case NFT_MSG_DESTROYFLOWTABLE:
10895 if (nft_trans_flowtable_update(trans)) {
10896 list_splice(&nft_trans_flowtable_hooks(trans),
10897 &nft_trans_flowtable(trans)->hook_list);
10898 } else {
10899 nft_use_inc_restore(&table->use);
10900 nft_clear(trans->net, nft_trans_flowtable(trans));
10901 }
10902 nft_trans_destroy(trans);
10903 break;
10904 }
10905 }
10906
10907 WARN_ON_ONCE(!list_empty(&nft_net->commit_set_list));
10908
10909 nft_set_abort_update(&set_update_list);
10910
10911 synchronize_rcu();
10912
10913 list_for_each_entry_safe_reverse(trans, next,
10914 &nft_net->commit_list, list) {
10915 nft_trans_list_del(trans);
10916 nf_tables_abort_release(trans);
10917 }
10918
10919 return err;
10920 }
10921
nf_tables_abort(struct net * net,struct sk_buff * skb,enum nfnl_abort_action action)10922 static int nf_tables_abort(struct net *net, struct sk_buff *skb,
10923 enum nfnl_abort_action action)
10924 {
10925 struct nftables_pernet *nft_net = nft_pernet(net);
10926 unsigned int gc_seq;
10927 int ret;
10928
10929 gc_seq = nft_gc_seq_begin(nft_net);
10930 ret = __nf_tables_abort(net, action);
10931 nft_gc_seq_end(nft_net, gc_seq);
10932
10933 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
10934
10935 /* module autoload needs to happen after GC sequence update because it
10936 * temporarily releases and grabs mutex again.
10937 */
10938 if (action == NFNL_ABORT_AUTOLOAD)
10939 nf_tables_module_autoload(net);
10940 else
10941 nf_tables_module_autoload_cleanup(net);
10942
10943 mutex_unlock(&nft_net->commit_mutex);
10944
10945 return ret;
10946 }
10947
nf_tables_valid_genid(struct net * net,u32 genid)10948 static bool nf_tables_valid_genid(struct net *net, u32 genid)
10949 {
10950 struct nftables_pernet *nft_net = nft_pernet(net);
10951 bool genid_ok;
10952
10953 mutex_lock(&nft_net->commit_mutex);
10954 nft_net->tstamp = get_jiffies_64();
10955
10956 genid_ok = genid == 0 || nft_net->base_seq == genid;
10957 if (!genid_ok)
10958 mutex_unlock(&nft_net->commit_mutex);
10959
10960 /* else, commit mutex has to be released by commit or abort function */
10961 return genid_ok;
10962 }
10963
10964 static const struct nfnetlink_subsystem nf_tables_subsys = {
10965 .name = "nf_tables",
10966 .subsys_id = NFNL_SUBSYS_NFTABLES,
10967 .cb_count = NFT_MSG_MAX,
10968 .cb = nf_tables_cb,
10969 .commit = nf_tables_commit,
10970 .abort = nf_tables_abort,
10971 .valid_genid = nf_tables_valid_genid,
10972 .owner = THIS_MODULE,
10973 };
10974
nft_chain_validate_dependency(const struct nft_chain * chain,enum nft_chain_types type)10975 int nft_chain_validate_dependency(const struct nft_chain *chain,
10976 enum nft_chain_types type)
10977 {
10978 const struct nft_base_chain *basechain;
10979
10980 if (nft_is_base_chain(chain)) {
10981 basechain = nft_base_chain(chain);
10982 if (basechain->type->type != type)
10983 return -EOPNOTSUPP;
10984 }
10985 return 0;
10986 }
10987 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
10988
nft_chain_validate_hooks(const struct nft_chain * chain,unsigned int hook_flags)10989 int nft_chain_validate_hooks(const struct nft_chain *chain,
10990 unsigned int hook_flags)
10991 {
10992 struct nft_base_chain *basechain;
10993
10994 if (nft_is_base_chain(chain)) {
10995 basechain = nft_base_chain(chain);
10996
10997 if ((1 << basechain->ops.hooknum) & hook_flags)
10998 return 0;
10999
11000 return -EOPNOTSUPP;
11001 }
11002
11003 return 0;
11004 }
11005 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
11006
11007 /**
11008 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
11009 *
11010 * @attr: netlink attribute to fetch value from
11011 * @max: maximum value to be stored in dest
11012 * @dest: pointer to the variable
11013 *
11014 * Parse, check and store a given u32 netlink attribute into variable.
11015 * This function returns -ERANGE if the value goes over maximum value.
11016 * Otherwise a 0 is returned and the attribute value is stored in the
11017 * destination variable.
11018 */
nft_parse_u32_check(const struct nlattr * attr,int max,u32 * dest)11019 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
11020 {
11021 u32 val;
11022
11023 val = ntohl(nla_get_be32(attr));
11024 if (val > max)
11025 return -ERANGE;
11026
11027 *dest = val;
11028 return 0;
11029 }
11030 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
11031
nft_parse_register(const struct nlattr * attr,u32 * preg)11032 static int nft_parse_register(const struct nlattr *attr, u32 *preg)
11033 {
11034 unsigned int reg;
11035
11036 reg = ntohl(nla_get_be32(attr));
11037 switch (reg) {
11038 case NFT_REG_VERDICT...NFT_REG_4:
11039 *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
11040 break;
11041 case NFT_REG32_00...NFT_REG32_15:
11042 *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
11043 break;
11044 default:
11045 return -ERANGE;
11046 }
11047
11048 return 0;
11049 }
11050
11051 /**
11052 * nft_dump_register - dump a register value to a netlink attribute
11053 *
11054 * @skb: socket buffer
11055 * @attr: attribute number
11056 * @reg: register number
11057 *
11058 * Construct a netlink attribute containing the register number. For
11059 * compatibility reasons, register numbers being a multiple of 4 are
11060 * translated to the corresponding 128 bit register numbers.
11061 */
nft_dump_register(struct sk_buff * skb,unsigned int attr,unsigned int reg)11062 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
11063 {
11064 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
11065 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
11066 else
11067 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
11068
11069 return nla_put_be32(skb, attr, htonl(reg));
11070 }
11071 EXPORT_SYMBOL_GPL(nft_dump_register);
11072
nft_validate_register_load(enum nft_registers reg,unsigned int len)11073 static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
11074 {
11075 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
11076 return -EINVAL;
11077 if (len == 0)
11078 return -EINVAL;
11079 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
11080 return -ERANGE;
11081
11082 return 0;
11083 }
11084
nft_parse_register_load(const struct nft_ctx * ctx,const struct nlattr * attr,u8 * sreg,u32 len)11085 int nft_parse_register_load(const struct nft_ctx *ctx,
11086 const struct nlattr *attr, u8 *sreg, u32 len)
11087 {
11088 int err, invalid_reg;
11089 u32 reg, next_register;
11090
11091 err = nft_parse_register(attr, ®);
11092 if (err < 0)
11093 return err;
11094
11095 err = nft_validate_register_load(reg, len);
11096 if (err < 0)
11097 return err;
11098
11099 next_register = DIV_ROUND_UP(len, NFT_REG32_SIZE) + reg;
11100
11101 /* Can't happen: nft_validate_register_load() should have failed */
11102 if (WARN_ON_ONCE(next_register > NFT_REG32_NUM))
11103 return -EINVAL;
11104
11105 /* find first register that did not see an earlier store. */
11106 invalid_reg = find_next_zero_bit(ctx->reg_inited, NFT_REG32_NUM, reg);
11107
11108 /* invalid register within the range that we're loading from? */
11109 if (invalid_reg < next_register)
11110 return -ENODATA;
11111
11112 *sreg = reg;
11113 return 0;
11114 }
11115 EXPORT_SYMBOL_GPL(nft_parse_register_load);
11116
nft_saw_register_store(const struct nft_ctx * __ctx,int reg,unsigned int len)11117 static void nft_saw_register_store(const struct nft_ctx *__ctx,
11118 int reg, unsigned int len)
11119 {
11120 unsigned int registers = DIV_ROUND_UP(len, NFT_REG32_SIZE);
11121 struct nft_ctx *ctx = (struct nft_ctx *)__ctx;
11122
11123 if (WARN_ON_ONCE(len == 0 || reg < 0))
11124 return;
11125
11126 bitmap_set(ctx->reg_inited, reg, registers);
11127 }
11128
nft_validate_register_store(const struct nft_ctx * ctx,enum nft_registers reg,const struct nft_data * data,enum nft_data_types type,unsigned int len)11129 static int nft_validate_register_store(const struct nft_ctx *ctx,
11130 enum nft_registers reg,
11131 const struct nft_data *data,
11132 enum nft_data_types type,
11133 unsigned int len)
11134 {
11135 int err;
11136
11137 switch (reg) {
11138 case NFT_REG_VERDICT:
11139 if (type != NFT_DATA_VERDICT)
11140 return -EINVAL;
11141
11142 if (data != NULL &&
11143 (data->verdict.code == NFT_GOTO ||
11144 data->verdict.code == NFT_JUMP)) {
11145 err = nft_chain_validate(ctx, data->verdict.chain);
11146 if (err < 0)
11147 return err;
11148 }
11149
11150 break;
11151 default:
11152 if (type != NFT_DATA_VALUE)
11153 return -EINVAL;
11154
11155 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
11156 return -EINVAL;
11157 if (len == 0)
11158 return -EINVAL;
11159 if (reg * NFT_REG32_SIZE + len >
11160 sizeof_field(struct nft_regs, data))
11161 return -ERANGE;
11162
11163 break;
11164 }
11165
11166 nft_saw_register_store(ctx, reg, len);
11167 return 0;
11168 }
11169
nft_parse_register_store(const struct nft_ctx * ctx,const struct nlattr * attr,u8 * dreg,const struct nft_data * data,enum nft_data_types type,unsigned int len)11170 int nft_parse_register_store(const struct nft_ctx *ctx,
11171 const struct nlattr *attr, u8 *dreg,
11172 const struct nft_data *data,
11173 enum nft_data_types type, unsigned int len)
11174 {
11175 int err;
11176 u32 reg;
11177
11178 err = nft_parse_register(attr, ®);
11179 if (err < 0)
11180 return err;
11181
11182 err = nft_validate_register_store(ctx, reg, data, type, len);
11183 if (err < 0)
11184 return err;
11185
11186 *dreg = reg;
11187 return 0;
11188 }
11189 EXPORT_SYMBOL_GPL(nft_parse_register_store);
11190
11191 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
11192 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
11193 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
11194 .len = NFT_CHAIN_MAXNAMELEN - 1 },
11195 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
11196 };
11197
nft_verdict_init(const struct nft_ctx * ctx,struct nft_data * data,struct nft_data_desc * desc,const struct nlattr * nla)11198 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
11199 struct nft_data_desc *desc, const struct nlattr *nla)
11200 {
11201 u8 genmask = nft_genmask_next(ctx->net);
11202 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
11203 struct nft_chain *chain;
11204 int err;
11205
11206 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
11207 nft_verdict_policy, NULL);
11208 if (err < 0)
11209 return err;
11210
11211 if (!tb[NFTA_VERDICT_CODE])
11212 return -EINVAL;
11213
11214 /* zero padding hole for memcmp */
11215 memset(data, 0, sizeof(*data));
11216 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
11217
11218 switch (data->verdict.code) {
11219 case NF_ACCEPT:
11220 case NF_DROP:
11221 case NF_QUEUE:
11222 break;
11223 case NFT_CONTINUE:
11224 case NFT_BREAK:
11225 case NFT_RETURN:
11226 break;
11227 case NFT_JUMP:
11228 case NFT_GOTO:
11229 if (tb[NFTA_VERDICT_CHAIN]) {
11230 chain = nft_chain_lookup(ctx->net, ctx->table,
11231 tb[NFTA_VERDICT_CHAIN],
11232 genmask);
11233 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
11234 chain = nft_chain_lookup_byid(ctx->net, ctx->table,
11235 tb[NFTA_VERDICT_CHAIN_ID],
11236 genmask);
11237 if (IS_ERR(chain))
11238 return PTR_ERR(chain);
11239 } else {
11240 return -EINVAL;
11241 }
11242
11243 if (IS_ERR(chain))
11244 return PTR_ERR(chain);
11245 if (nft_is_base_chain(chain))
11246 return -EOPNOTSUPP;
11247 if (nft_chain_is_bound(chain))
11248 return -EINVAL;
11249 if (desc->flags & NFT_DATA_DESC_SETELEM &&
11250 chain->flags & NFT_CHAIN_BINDING)
11251 return -EINVAL;
11252 if (!nft_use_inc(&chain->use))
11253 return -EMFILE;
11254
11255 data->verdict.chain = chain;
11256 break;
11257 default:
11258 return -EINVAL;
11259 }
11260
11261 desc->len = sizeof(data->verdict);
11262
11263 return 0;
11264 }
11265
nft_verdict_uninit(const struct nft_data * data)11266 static void nft_verdict_uninit(const struct nft_data *data)
11267 {
11268 struct nft_chain *chain;
11269
11270 switch (data->verdict.code) {
11271 case NFT_JUMP:
11272 case NFT_GOTO:
11273 chain = data->verdict.chain;
11274 nft_use_dec(&chain->use);
11275 break;
11276 }
11277 }
11278
nft_verdict_dump(struct sk_buff * skb,int type,const struct nft_verdict * v)11279 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
11280 {
11281 struct nlattr *nest;
11282
11283 nest = nla_nest_start_noflag(skb, type);
11284 if (!nest)
11285 goto nla_put_failure;
11286
11287 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
11288 goto nla_put_failure;
11289
11290 switch (v->code) {
11291 case NFT_JUMP:
11292 case NFT_GOTO:
11293 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
11294 v->chain->name))
11295 goto nla_put_failure;
11296 }
11297 nla_nest_end(skb, nest);
11298 return 0;
11299
11300 nla_put_failure:
11301 return -1;
11302 }
11303
nft_value_init(const struct nft_ctx * ctx,struct nft_data * data,struct nft_data_desc * desc,const struct nlattr * nla)11304 static int nft_value_init(const struct nft_ctx *ctx,
11305 struct nft_data *data, struct nft_data_desc *desc,
11306 const struct nlattr *nla)
11307 {
11308 unsigned int len;
11309
11310 len = nla_len(nla);
11311 if (len == 0)
11312 return -EINVAL;
11313 if (len > desc->size)
11314 return -EOVERFLOW;
11315 if (desc->len) {
11316 if (len != desc->len)
11317 return -EINVAL;
11318 } else {
11319 desc->len = len;
11320 }
11321
11322 nla_memcpy(data->data, nla, len);
11323
11324 return 0;
11325 }
11326
nft_value_dump(struct sk_buff * skb,const struct nft_data * data,unsigned int len)11327 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
11328 unsigned int len)
11329 {
11330 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
11331 }
11332
11333 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
11334 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
11335 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
11336 };
11337
11338 /**
11339 * nft_data_init - parse nf_tables data netlink attributes
11340 *
11341 * @ctx: context of the expression using the data
11342 * @data: destination struct nft_data
11343 * @desc: data description
11344 * @nla: netlink attribute containing data
11345 *
11346 * Parse the netlink data attributes and initialize a struct nft_data.
11347 * The type and length of data are returned in the data description.
11348 *
11349 * The caller can indicate that it only wants to accept data of type
11350 * NFT_DATA_VALUE by passing NULL for the ctx argument.
11351 */
nft_data_init(const struct nft_ctx * ctx,struct nft_data * data,struct nft_data_desc * desc,const struct nlattr * nla)11352 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
11353 struct nft_data_desc *desc, const struct nlattr *nla)
11354 {
11355 struct nlattr *tb[NFTA_DATA_MAX + 1];
11356 int err;
11357
11358 if (WARN_ON_ONCE(!desc->size))
11359 return -EINVAL;
11360
11361 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
11362 nft_data_policy, NULL);
11363 if (err < 0)
11364 return err;
11365
11366 if (tb[NFTA_DATA_VALUE]) {
11367 if (desc->type != NFT_DATA_VALUE)
11368 return -EINVAL;
11369
11370 err = nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
11371 } else if (tb[NFTA_DATA_VERDICT] && ctx != NULL) {
11372 if (desc->type != NFT_DATA_VERDICT)
11373 return -EINVAL;
11374
11375 err = nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
11376 } else {
11377 err = -EINVAL;
11378 }
11379
11380 return err;
11381 }
11382 EXPORT_SYMBOL_GPL(nft_data_init);
11383
11384 /**
11385 * nft_data_release - release a nft_data item
11386 *
11387 * @data: struct nft_data to release
11388 * @type: type of data
11389 *
11390 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
11391 * all others need to be released by calling this function.
11392 */
nft_data_release(const struct nft_data * data,enum nft_data_types type)11393 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
11394 {
11395 if (type < NFT_DATA_VERDICT)
11396 return;
11397 switch (type) {
11398 case NFT_DATA_VERDICT:
11399 return nft_verdict_uninit(data);
11400 default:
11401 WARN_ON(1);
11402 }
11403 }
11404 EXPORT_SYMBOL_GPL(nft_data_release);
11405
nft_data_dump(struct sk_buff * skb,int attr,const struct nft_data * data,enum nft_data_types type,unsigned int len)11406 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
11407 enum nft_data_types type, unsigned int len)
11408 {
11409 struct nlattr *nest;
11410 int err;
11411
11412 nest = nla_nest_start_noflag(skb, attr);
11413 if (nest == NULL)
11414 return -1;
11415
11416 switch (type) {
11417 case NFT_DATA_VALUE:
11418 err = nft_value_dump(skb, data, len);
11419 break;
11420 case NFT_DATA_VERDICT:
11421 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
11422 break;
11423 default:
11424 err = -EINVAL;
11425 WARN_ON(1);
11426 }
11427
11428 nla_nest_end(skb, nest);
11429 return err;
11430 }
11431 EXPORT_SYMBOL_GPL(nft_data_dump);
11432
__nft_release_basechain(struct nft_ctx * ctx)11433 int __nft_release_basechain(struct nft_ctx *ctx)
11434 {
11435 struct nft_rule *rule, *nr;
11436
11437 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
11438 return 0;
11439
11440 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
11441 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
11442 list_del(&rule->list);
11443 nft_use_dec(&ctx->chain->use);
11444 nf_tables_rule_release(ctx, rule);
11445 }
11446 nft_chain_del(ctx->chain);
11447 nft_use_dec(&ctx->table->use);
11448 nf_tables_chain_destroy(ctx->chain);
11449
11450 return 0;
11451 }
11452 EXPORT_SYMBOL_GPL(__nft_release_basechain);
11453
__nft_release_hook(struct net * net,struct nft_table * table)11454 static void __nft_release_hook(struct net *net, struct nft_table *table)
11455 {
11456 struct nft_flowtable *flowtable;
11457 struct nft_chain *chain;
11458
11459 list_for_each_entry(chain, &table->chains, list)
11460 __nf_tables_unregister_hook(net, table, chain, true);
11461 list_for_each_entry(flowtable, &table->flowtables, list)
11462 __nft_unregister_flowtable_net_hooks(net, &flowtable->hook_list,
11463 true);
11464 }
11465
__nft_release_hooks(struct net * net)11466 static void __nft_release_hooks(struct net *net)
11467 {
11468 struct nftables_pernet *nft_net = nft_pernet(net);
11469 struct nft_table *table;
11470
11471 list_for_each_entry(table, &nft_net->tables, list) {
11472 if (nft_table_has_owner(table))
11473 continue;
11474
11475 __nft_release_hook(net, table);
11476 }
11477 }
11478
__nft_release_table(struct net * net,struct nft_table * table)11479 static void __nft_release_table(struct net *net, struct nft_table *table)
11480 {
11481 struct nft_flowtable *flowtable, *nf;
11482 struct nft_chain *chain, *nc;
11483 struct nft_object *obj, *ne;
11484 struct nft_rule *rule, *nr;
11485 struct nft_set *set, *ns;
11486 struct nft_ctx ctx = {
11487 .net = net,
11488 .family = NFPROTO_NETDEV,
11489 };
11490
11491 ctx.family = table->family;
11492 ctx.table = table;
11493 list_for_each_entry(chain, &table->chains, list) {
11494 if (nft_chain_binding(chain))
11495 continue;
11496
11497 ctx.chain = chain;
11498 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
11499 list_del(&rule->list);
11500 nft_use_dec(&chain->use);
11501 nf_tables_rule_release(&ctx, rule);
11502 }
11503 }
11504 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
11505 list_del(&flowtable->list);
11506 nft_use_dec(&table->use);
11507 nf_tables_flowtable_destroy(flowtable);
11508 }
11509 list_for_each_entry_safe(set, ns, &table->sets, list) {
11510 list_del(&set->list);
11511 nft_use_dec(&table->use);
11512 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
11513 nft_map_deactivate(&ctx, set);
11514
11515 nft_set_destroy(&ctx, set);
11516 }
11517 list_for_each_entry_safe(obj, ne, &table->objects, list) {
11518 nft_obj_del(obj);
11519 nft_use_dec(&table->use);
11520 nft_obj_destroy(&ctx, obj);
11521 }
11522 list_for_each_entry_safe(chain, nc, &table->chains, list) {
11523 nft_chain_del(chain);
11524 nft_use_dec(&table->use);
11525 nf_tables_chain_destroy(chain);
11526 }
11527 nf_tables_table_destroy(table);
11528 }
11529
__nft_release_tables(struct net * net)11530 static void __nft_release_tables(struct net *net)
11531 {
11532 struct nftables_pernet *nft_net = nft_pernet(net);
11533 struct nft_table *table, *nt;
11534
11535 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
11536 if (nft_table_has_owner(table))
11537 continue;
11538
11539 list_del(&table->list);
11540
11541 __nft_release_table(net, table);
11542 }
11543 }
11544
nft_rcv_nl_event(struct notifier_block * this,unsigned long event,void * ptr)11545 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
11546 void *ptr)
11547 {
11548 struct nft_table *table, *to_delete[8];
11549 struct nftables_pernet *nft_net;
11550 struct netlink_notify *n = ptr;
11551 struct net *net = n->net;
11552 unsigned int deleted;
11553 bool restart = false;
11554 unsigned int gc_seq;
11555
11556 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
11557 return NOTIFY_DONE;
11558
11559 nft_net = nft_pernet(net);
11560 deleted = 0;
11561 mutex_lock(&nft_net->commit_mutex);
11562
11563 gc_seq = nft_gc_seq_begin(nft_net);
11564
11565 nf_tables_trans_destroy_flush_work();
11566 again:
11567 list_for_each_entry(table, &nft_net->tables, list) {
11568 if (nft_table_has_owner(table) &&
11569 n->portid == table->nlpid) {
11570 if (table->flags & NFT_TABLE_F_PERSIST) {
11571 table->flags &= ~NFT_TABLE_F_OWNER;
11572 continue;
11573 }
11574 __nft_release_hook(net, table);
11575 list_del_rcu(&table->list);
11576 to_delete[deleted++] = table;
11577 if (deleted >= ARRAY_SIZE(to_delete))
11578 break;
11579 }
11580 }
11581 if (deleted) {
11582 restart = deleted >= ARRAY_SIZE(to_delete);
11583 synchronize_rcu();
11584 while (deleted)
11585 __nft_release_table(net, to_delete[--deleted]);
11586
11587 if (restart)
11588 goto again;
11589 }
11590 nft_gc_seq_end(nft_net, gc_seq);
11591
11592 mutex_unlock(&nft_net->commit_mutex);
11593
11594 return NOTIFY_DONE;
11595 }
11596
11597 static struct notifier_block nft_nl_notifier = {
11598 .notifier_call = nft_rcv_nl_event,
11599 };
11600
nf_tables_init_net(struct net * net)11601 static int __net_init nf_tables_init_net(struct net *net)
11602 {
11603 struct nftables_pernet *nft_net = nft_pernet(net);
11604
11605 INIT_LIST_HEAD(&nft_net->tables);
11606 INIT_LIST_HEAD(&nft_net->commit_list);
11607 INIT_LIST_HEAD(&nft_net->commit_set_list);
11608 INIT_LIST_HEAD(&nft_net->binding_list);
11609 INIT_LIST_HEAD(&nft_net->module_list);
11610 INIT_LIST_HEAD(&nft_net->notify_list);
11611 mutex_init(&nft_net->commit_mutex);
11612 nft_net->base_seq = 1;
11613 nft_net->gc_seq = 0;
11614 nft_net->validate_state = NFT_VALIDATE_SKIP;
11615
11616 return 0;
11617 }
11618
nf_tables_pre_exit_net(struct net * net)11619 static void __net_exit nf_tables_pre_exit_net(struct net *net)
11620 {
11621 struct nftables_pernet *nft_net = nft_pernet(net);
11622
11623 mutex_lock(&nft_net->commit_mutex);
11624 __nft_release_hooks(net);
11625 mutex_unlock(&nft_net->commit_mutex);
11626 }
11627
nf_tables_exit_net(struct net * net)11628 static void __net_exit nf_tables_exit_net(struct net *net)
11629 {
11630 struct nftables_pernet *nft_net = nft_pernet(net);
11631 unsigned int gc_seq;
11632
11633 mutex_lock(&nft_net->commit_mutex);
11634
11635 gc_seq = nft_gc_seq_begin(nft_net);
11636
11637 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
11638 WARN_ON_ONCE(!list_empty(&nft_net->commit_set_list));
11639
11640 if (!list_empty(&nft_net->module_list))
11641 nf_tables_module_autoload_cleanup(net);
11642
11643 __nft_release_tables(net);
11644
11645 nft_gc_seq_end(nft_net, gc_seq);
11646
11647 mutex_unlock(&nft_net->commit_mutex);
11648 WARN_ON_ONCE(!list_empty(&nft_net->tables));
11649 WARN_ON_ONCE(!list_empty(&nft_net->module_list));
11650 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
11651 }
11652
nf_tables_exit_batch(struct list_head * net_exit_list)11653 static void nf_tables_exit_batch(struct list_head *net_exit_list)
11654 {
11655 flush_work(&trans_gc_work);
11656 }
11657
11658 static struct pernet_operations nf_tables_net_ops = {
11659 .init = nf_tables_init_net,
11660 .pre_exit = nf_tables_pre_exit_net,
11661 .exit = nf_tables_exit_net,
11662 .exit_batch = nf_tables_exit_batch,
11663 .id = &nf_tables_net_id,
11664 .size = sizeof(struct nftables_pernet),
11665 };
11666
nf_tables_module_init(void)11667 static int __init nf_tables_module_init(void)
11668 {
11669 int err;
11670
11671 BUILD_BUG_ON(offsetof(struct nft_trans_table, nft_trans) != 0);
11672 BUILD_BUG_ON(offsetof(struct nft_trans_chain, nft_trans_binding.nft_trans) != 0);
11673 BUILD_BUG_ON(offsetof(struct nft_trans_rule, nft_trans) != 0);
11674 BUILD_BUG_ON(offsetof(struct nft_trans_set, nft_trans_binding.nft_trans) != 0);
11675 BUILD_BUG_ON(offsetof(struct nft_trans_elem, nft_trans) != 0);
11676 BUILD_BUG_ON(offsetof(struct nft_trans_obj, nft_trans) != 0);
11677 BUILD_BUG_ON(offsetof(struct nft_trans_flowtable, nft_trans) != 0);
11678
11679 err = register_pernet_subsys(&nf_tables_net_ops);
11680 if (err < 0)
11681 return err;
11682
11683 err = nft_chain_filter_init();
11684 if (err < 0)
11685 goto err_chain_filter;
11686
11687 err = nf_tables_core_module_init();
11688 if (err < 0)
11689 goto err_core_module;
11690
11691 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
11692 if (err < 0)
11693 goto err_netdev_notifier;
11694
11695 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
11696 if (err < 0)
11697 goto err_rht_objname;
11698
11699 err = nft_offload_init();
11700 if (err < 0)
11701 goto err_offload;
11702
11703 err = netlink_register_notifier(&nft_nl_notifier);
11704 if (err < 0)
11705 goto err_netlink_notifier;
11706
11707 /* must be last */
11708 err = nfnetlink_subsys_register(&nf_tables_subsys);
11709 if (err < 0)
11710 goto err_nfnl_subsys;
11711
11712 nft_chain_route_init();
11713
11714 return err;
11715
11716 err_nfnl_subsys:
11717 netlink_unregister_notifier(&nft_nl_notifier);
11718 err_netlink_notifier:
11719 nft_offload_exit();
11720 err_offload:
11721 rhltable_destroy(&nft_objname_ht);
11722 err_rht_objname:
11723 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
11724 err_netdev_notifier:
11725 nf_tables_core_module_exit();
11726 err_core_module:
11727 nft_chain_filter_fini();
11728 err_chain_filter:
11729 unregister_pernet_subsys(&nf_tables_net_ops);
11730 return err;
11731 }
11732
nf_tables_module_exit(void)11733 static void __exit nf_tables_module_exit(void)
11734 {
11735 nfnetlink_subsys_unregister(&nf_tables_subsys);
11736 netlink_unregister_notifier(&nft_nl_notifier);
11737 nft_offload_exit();
11738 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
11739 nft_chain_filter_fini();
11740 nft_chain_route_fini();
11741 nf_tables_trans_destroy_flush_work();
11742 unregister_pernet_subsys(&nf_tables_net_ops);
11743 cancel_work_sync(&trans_gc_work);
11744 cancel_work_sync(&trans_destroy_work);
11745 rcu_barrier();
11746 rhltable_destroy(&nft_objname_ht);
11747 nf_tables_core_module_exit();
11748 }
11749
11750 module_init(nf_tables_module_init);
11751 module_exit(nf_tables_module_exit);
11752
11753 MODULE_LICENSE("GPL");
11754 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
11755 MODULE_DESCRIPTION("Framework for packet filtering and classification");
11756 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
11757