1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net> 4 * 5 * Development of this code funded by Astaro AG (http://www.astaro.com/) 6 */ 7 8 #include <linux/module.h> 9 #include <linux/init.h> 10 #include <linux/list.h> 11 #include <linux/skbuff.h> 12 #include <linux/netlink.h> 13 #include <linux/vmalloc.h> 14 #include <linux/rhashtable.h> 15 #include <linux/netfilter.h> 16 #include <linux/netfilter/nfnetlink.h> 17 #include <linux/netfilter/nf_tables.h> 18 #include <net/netfilter/nf_flow_table.h> 19 #include <net/netfilter/nf_tables_core.h> 20 #include <net/netfilter/nf_tables.h> 21 #include <net/netfilter/nf_tables_offload.h> 22 #include <net/net_namespace.h> 23 #include <net/sock.h> 24 25 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-")) 26 27 static LIST_HEAD(nf_tables_expressions); 28 static LIST_HEAD(nf_tables_objects); 29 static LIST_HEAD(nf_tables_flowtables); 30 static LIST_HEAD(nf_tables_destroy_list); 31 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock); 32 static u64 table_handle; 33 34 enum { 35 NFT_VALIDATE_SKIP = 0, 36 NFT_VALIDATE_NEED, 37 NFT_VALIDATE_DO, 38 }; 39 40 static struct rhltable nft_objname_ht; 41 42 static u32 nft_chain_hash(const void *data, u32 len, u32 seed); 43 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed); 44 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *); 45 46 static u32 nft_objname_hash(const void *data, u32 len, u32 seed); 47 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed); 48 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *); 49 50 static const struct rhashtable_params nft_chain_ht_params = { 51 .head_offset = offsetof(struct nft_chain, rhlhead), 52 .key_offset = offsetof(struct nft_chain, name), 53 .hashfn = nft_chain_hash, 54 .obj_hashfn = nft_chain_hash_obj, 55 .obj_cmpfn = nft_chain_hash_cmp, 56 .automatic_shrinking = true, 57 }; 58 59 static const struct rhashtable_params nft_objname_ht_params = { 60 .head_offset = offsetof(struct nft_object, rhlhead), 61 .key_offset = offsetof(struct nft_object, key), 62 .hashfn = nft_objname_hash, 63 .obj_hashfn = nft_objname_hash_obj, 64 .obj_cmpfn = nft_objname_hash_cmp, 65 .automatic_shrinking = true, 66 }; 67 68 static void nft_validate_state_update(struct net *net, u8 new_validate_state) 69 { 70 switch (net->nft.validate_state) { 71 case NFT_VALIDATE_SKIP: 72 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO); 73 break; 74 case NFT_VALIDATE_NEED: 75 break; 76 case NFT_VALIDATE_DO: 77 if (new_validate_state == NFT_VALIDATE_NEED) 78 return; 79 } 80 81 net->nft.validate_state = new_validate_state; 82 } 83 static void nf_tables_trans_destroy_work(struct work_struct *w); 84 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work); 85 86 static void nft_ctx_init(struct nft_ctx *ctx, 87 struct net *net, 88 const struct sk_buff *skb, 89 const struct nlmsghdr *nlh, 90 u8 family, 91 struct nft_table *table, 92 struct nft_chain *chain, 93 const struct nlattr * const *nla) 94 { 95 ctx->net = net; 96 ctx->family = family; 97 ctx->level = 0; 98 ctx->table = table; 99 ctx->chain = chain; 100 ctx->nla = nla; 101 ctx->portid = NETLINK_CB(skb).portid; 102 ctx->report = nlmsg_report(nlh); 103 ctx->flags = nlh->nlmsg_flags; 104 ctx->seq = nlh->nlmsg_seq; 105 } 106 107 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx, 108 int msg_type, u32 size, gfp_t gfp) 109 { 110 struct nft_trans *trans; 111 112 trans = kzalloc(sizeof(struct nft_trans) + size, gfp); 113 if (trans == NULL) 114 return NULL; 115 116 trans->msg_type = msg_type; 117 trans->ctx = *ctx; 118 119 return trans; 120 } 121 122 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx, 123 int msg_type, u32 size) 124 { 125 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL); 126 } 127 128 static void nft_trans_destroy(struct nft_trans *trans) 129 { 130 list_del(&trans->list); 131 kfree(trans); 132 } 133 134 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) 135 { 136 struct net *net = ctx->net; 137 struct nft_trans *trans; 138 139 if (!nft_set_is_anonymous(set)) 140 return; 141 142 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) { 143 switch (trans->msg_type) { 144 case NFT_MSG_NEWSET: 145 if (nft_trans_set(trans) == set) 146 nft_trans_set_bound(trans) = true; 147 break; 148 case NFT_MSG_NEWSETELEM: 149 if (nft_trans_elem_set(trans) == set) 150 nft_trans_elem_set_bound(trans) = true; 151 break; 152 } 153 } 154 } 155 156 static int nft_netdev_register_hooks(struct net *net, 157 struct list_head *hook_list) 158 { 159 struct nft_hook *hook; 160 int err, j; 161 162 j = 0; 163 list_for_each_entry(hook, hook_list, list) { 164 err = nf_register_net_hook(net, &hook->ops); 165 if (err < 0) 166 goto err_register; 167 168 j++; 169 } 170 return 0; 171 172 err_register: 173 list_for_each_entry(hook, hook_list, list) { 174 if (j-- <= 0) 175 break; 176 177 nf_unregister_net_hook(net, &hook->ops); 178 } 179 return err; 180 } 181 182 static void nft_netdev_unregister_hooks(struct net *net, 183 struct list_head *hook_list) 184 { 185 struct nft_hook *hook; 186 187 list_for_each_entry(hook, hook_list, list) 188 nf_unregister_net_hook(net, &hook->ops); 189 } 190 191 static int nft_register_basechain_hooks(struct net *net, int family, 192 struct nft_base_chain *basechain) 193 { 194 if (family == NFPROTO_NETDEV) 195 return nft_netdev_register_hooks(net, &basechain->hook_list); 196 197 return nf_register_net_hook(net, &basechain->ops); 198 } 199 200 static void nft_unregister_basechain_hooks(struct net *net, int family, 201 struct nft_base_chain *basechain) 202 { 203 if (family == NFPROTO_NETDEV) 204 nft_netdev_unregister_hooks(net, &basechain->hook_list); 205 else 206 nf_unregister_net_hook(net, &basechain->ops); 207 } 208 209 static int nf_tables_register_hook(struct net *net, 210 const struct nft_table *table, 211 struct nft_chain *chain) 212 { 213 struct nft_base_chain *basechain; 214 const struct nf_hook_ops *ops; 215 216 if (table->flags & NFT_TABLE_F_DORMANT || 217 !nft_is_base_chain(chain)) 218 return 0; 219 220 basechain = nft_base_chain(chain); 221 ops = &basechain->ops; 222 223 if (basechain->type->ops_register) 224 return basechain->type->ops_register(net, ops); 225 226 return nft_register_basechain_hooks(net, table->family, basechain); 227 } 228 229 static void nf_tables_unregister_hook(struct net *net, 230 const struct nft_table *table, 231 struct nft_chain *chain) 232 { 233 struct nft_base_chain *basechain; 234 const struct nf_hook_ops *ops; 235 236 if (table->flags & NFT_TABLE_F_DORMANT || 237 !nft_is_base_chain(chain)) 238 return; 239 basechain = nft_base_chain(chain); 240 ops = &basechain->ops; 241 242 if (basechain->type->ops_unregister) 243 return basechain->type->ops_unregister(net, ops); 244 245 nft_unregister_basechain_hooks(net, table->family, basechain); 246 } 247 248 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type) 249 { 250 struct nft_trans *trans; 251 252 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table)); 253 if (trans == NULL) 254 return -ENOMEM; 255 256 if (msg_type == NFT_MSG_NEWTABLE) 257 nft_activate_next(ctx->net, ctx->table); 258 259 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 260 return 0; 261 } 262 263 static int nft_deltable(struct nft_ctx *ctx) 264 { 265 int err; 266 267 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE); 268 if (err < 0) 269 return err; 270 271 nft_deactivate_next(ctx->net, ctx->table); 272 return err; 273 } 274 275 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type) 276 { 277 struct nft_trans *trans; 278 279 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain)); 280 if (trans == NULL) 281 return ERR_PTR(-ENOMEM); 282 283 if (msg_type == NFT_MSG_NEWCHAIN) 284 nft_activate_next(ctx->net, ctx->chain); 285 286 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 287 return trans; 288 } 289 290 static int nft_delchain(struct nft_ctx *ctx) 291 { 292 struct nft_trans *trans; 293 294 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN); 295 if (IS_ERR(trans)) 296 return PTR_ERR(trans); 297 298 ctx->table->use--; 299 nft_deactivate_next(ctx->net, ctx->chain); 300 301 return 0; 302 } 303 304 static void nft_rule_expr_activate(const struct nft_ctx *ctx, 305 struct nft_rule *rule) 306 { 307 struct nft_expr *expr; 308 309 expr = nft_expr_first(rule); 310 while (expr != nft_expr_last(rule) && expr->ops) { 311 if (expr->ops->activate) 312 expr->ops->activate(ctx, expr); 313 314 expr = nft_expr_next(expr); 315 } 316 } 317 318 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx, 319 struct nft_rule *rule, 320 enum nft_trans_phase phase) 321 { 322 struct nft_expr *expr; 323 324 expr = nft_expr_first(rule); 325 while (expr != nft_expr_last(rule) && expr->ops) { 326 if (expr->ops->deactivate) 327 expr->ops->deactivate(ctx, expr, phase); 328 329 expr = nft_expr_next(expr); 330 } 331 } 332 333 static int 334 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule) 335 { 336 /* You cannot delete the same rule twice */ 337 if (nft_is_active_next(ctx->net, rule)) { 338 nft_deactivate_next(ctx->net, rule); 339 ctx->chain->use--; 340 return 0; 341 } 342 return -ENOENT; 343 } 344 345 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type, 346 struct nft_rule *rule) 347 { 348 struct nft_trans *trans; 349 350 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule)); 351 if (trans == NULL) 352 return NULL; 353 354 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) { 355 nft_trans_rule_id(trans) = 356 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID])); 357 } 358 nft_trans_rule(trans) = rule; 359 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 360 361 return trans; 362 } 363 364 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule) 365 { 366 struct nft_flow_rule *flow; 367 struct nft_trans *trans; 368 int err; 369 370 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule); 371 if (trans == NULL) 372 return -ENOMEM; 373 374 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) { 375 flow = nft_flow_rule_create(ctx->net, rule); 376 if (IS_ERR(flow)) { 377 nft_trans_destroy(trans); 378 return PTR_ERR(flow); 379 } 380 381 nft_trans_flow_rule(trans) = flow; 382 } 383 384 err = nf_tables_delrule_deactivate(ctx, rule); 385 if (err < 0) { 386 nft_trans_destroy(trans); 387 return err; 388 } 389 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE); 390 391 return 0; 392 } 393 394 static int nft_delrule_by_chain(struct nft_ctx *ctx) 395 { 396 struct nft_rule *rule; 397 int err; 398 399 list_for_each_entry(rule, &ctx->chain->rules, list) { 400 if (!nft_is_active_next(ctx->net, rule)) 401 continue; 402 403 err = nft_delrule(ctx, rule); 404 if (err < 0) 405 return err; 406 } 407 return 0; 408 } 409 410 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type, 411 struct nft_set *set) 412 { 413 struct nft_trans *trans; 414 415 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set)); 416 if (trans == NULL) 417 return -ENOMEM; 418 419 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) { 420 nft_trans_set_id(trans) = 421 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID])); 422 nft_activate_next(ctx->net, set); 423 } 424 nft_trans_set(trans) = set; 425 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 426 427 return 0; 428 } 429 430 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set) 431 { 432 int err; 433 434 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set); 435 if (err < 0) 436 return err; 437 438 nft_deactivate_next(ctx->net, set); 439 ctx->table->use--; 440 441 return err; 442 } 443 444 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type, 445 struct nft_object *obj) 446 { 447 struct nft_trans *trans; 448 449 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj)); 450 if (trans == NULL) 451 return -ENOMEM; 452 453 if (msg_type == NFT_MSG_NEWOBJ) 454 nft_activate_next(ctx->net, obj); 455 456 nft_trans_obj(trans) = obj; 457 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 458 459 return 0; 460 } 461 462 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj) 463 { 464 int err; 465 466 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj); 467 if (err < 0) 468 return err; 469 470 nft_deactivate_next(ctx->net, obj); 471 ctx->table->use--; 472 473 return err; 474 } 475 476 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type, 477 struct nft_flowtable *flowtable) 478 { 479 struct nft_trans *trans; 480 481 trans = nft_trans_alloc(ctx, msg_type, 482 sizeof(struct nft_trans_flowtable)); 483 if (trans == NULL) 484 return -ENOMEM; 485 486 if (msg_type == NFT_MSG_NEWFLOWTABLE) 487 nft_activate_next(ctx->net, flowtable); 488 489 nft_trans_flowtable(trans) = flowtable; 490 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 491 492 return 0; 493 } 494 495 static int nft_delflowtable(struct nft_ctx *ctx, 496 struct nft_flowtable *flowtable) 497 { 498 int err; 499 500 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable); 501 if (err < 0) 502 return err; 503 504 nft_deactivate_next(ctx->net, flowtable); 505 ctx->table->use--; 506 507 return err; 508 } 509 510 /* 511 * Tables 512 */ 513 514 static struct nft_table *nft_table_lookup(const struct net *net, 515 const struct nlattr *nla, 516 u8 family, u8 genmask) 517 { 518 struct nft_table *table; 519 520 if (nla == NULL) 521 return ERR_PTR(-EINVAL); 522 523 list_for_each_entry_rcu(table, &net->nft.tables, list) { 524 if (!nla_strcmp(nla, table->name) && 525 table->family == family && 526 nft_active_genmask(table, genmask)) 527 return table; 528 } 529 530 return ERR_PTR(-ENOENT); 531 } 532 533 static struct nft_table *nft_table_lookup_byhandle(const struct net *net, 534 const struct nlattr *nla, 535 u8 genmask) 536 { 537 struct nft_table *table; 538 539 list_for_each_entry(table, &net->nft.tables, list) { 540 if (be64_to_cpu(nla_get_be64(nla)) == table->handle && 541 nft_active_genmask(table, genmask)) 542 return table; 543 } 544 545 return ERR_PTR(-ENOENT); 546 } 547 548 static inline u64 nf_tables_alloc_handle(struct nft_table *table) 549 { 550 return ++table->hgenerator; 551 } 552 553 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX]; 554 555 static const struct nft_chain_type * 556 __nft_chain_type_get(u8 family, enum nft_chain_types type) 557 { 558 if (family >= NFPROTO_NUMPROTO || 559 type >= NFT_CHAIN_T_MAX) 560 return NULL; 561 562 return chain_type[family][type]; 563 } 564 565 static const struct nft_chain_type * 566 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family) 567 { 568 const struct nft_chain_type *type; 569 int i; 570 571 for (i = 0; i < NFT_CHAIN_T_MAX; i++) { 572 type = __nft_chain_type_get(family, i); 573 if (!type) 574 continue; 575 if (!nla_strcmp(nla, type->name)) 576 return type; 577 } 578 return NULL; 579 } 580 581 struct nft_module_request { 582 struct list_head list; 583 char module[MODULE_NAME_LEN]; 584 bool done; 585 }; 586 587 #ifdef CONFIG_MODULES 588 static int nft_request_module(struct net *net, const char *fmt, ...) 589 { 590 char module_name[MODULE_NAME_LEN]; 591 struct nft_module_request *req; 592 va_list args; 593 int ret; 594 595 va_start(args, fmt); 596 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args); 597 va_end(args); 598 if (ret >= MODULE_NAME_LEN) 599 return 0; 600 601 list_for_each_entry(req, &net->nft.module_list, list) { 602 if (!strcmp(req->module, module_name)) { 603 if (req->done) 604 return 0; 605 606 /* A request to load this module already exists. */ 607 return -EAGAIN; 608 } 609 } 610 611 req = kmalloc(sizeof(*req), GFP_KERNEL); 612 if (!req) 613 return -ENOMEM; 614 615 req->done = false; 616 strlcpy(req->module, module_name, MODULE_NAME_LEN); 617 list_add_tail(&req->list, &net->nft.module_list); 618 619 return -EAGAIN; 620 } 621 #endif 622 623 static void lockdep_nfnl_nft_mutex_not_held(void) 624 { 625 #ifdef CONFIG_PROVE_LOCKING 626 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES)); 627 #endif 628 } 629 630 static const struct nft_chain_type * 631 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla, 632 u8 family, bool autoload) 633 { 634 const struct nft_chain_type *type; 635 636 type = __nf_tables_chain_type_lookup(nla, family); 637 if (type != NULL) 638 return type; 639 640 lockdep_nfnl_nft_mutex_not_held(); 641 #ifdef CONFIG_MODULES 642 if (autoload) { 643 if (nft_request_module(net, "nft-chain-%u-%.*s", family, 644 nla_len(nla), 645 (const char *)nla_data(nla)) == -EAGAIN) 646 return ERR_PTR(-EAGAIN); 647 } 648 #endif 649 return ERR_PTR(-ENOENT); 650 } 651 652 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = { 653 [NFTA_TABLE_NAME] = { .type = NLA_STRING, 654 .len = NFT_TABLE_MAXNAMELEN - 1 }, 655 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 }, 656 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 }, 657 }; 658 659 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net, 660 u32 portid, u32 seq, int event, u32 flags, 661 int family, const struct nft_table *table) 662 { 663 struct nlmsghdr *nlh; 664 struct nfgenmsg *nfmsg; 665 666 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 667 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); 668 if (nlh == NULL) 669 goto nla_put_failure; 670 671 nfmsg = nlmsg_data(nlh); 672 nfmsg->nfgen_family = family; 673 nfmsg->version = NFNETLINK_V0; 674 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 675 676 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) || 677 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) || 678 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) || 679 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle), 680 NFTA_TABLE_PAD)) 681 goto nla_put_failure; 682 683 nlmsg_end(skb, nlh); 684 return 0; 685 686 nla_put_failure: 687 nlmsg_trim(skb, nlh); 688 return -1; 689 } 690 691 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event) 692 { 693 struct sk_buff *skb; 694 int err; 695 696 if (!ctx->report && 697 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 698 return; 699 700 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 701 if (skb == NULL) 702 goto err; 703 704 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq, 705 event, 0, ctx->family, ctx->table); 706 if (err < 0) { 707 kfree_skb(skb); 708 goto err; 709 } 710 711 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES, 712 ctx->report, GFP_KERNEL); 713 return; 714 err: 715 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 716 } 717 718 static int nf_tables_dump_tables(struct sk_buff *skb, 719 struct netlink_callback *cb) 720 { 721 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 722 const struct nft_table *table; 723 unsigned int idx = 0, s_idx = cb->args[0]; 724 struct net *net = sock_net(skb->sk); 725 int family = nfmsg->nfgen_family; 726 727 rcu_read_lock(); 728 cb->seq = net->nft.base_seq; 729 730 list_for_each_entry_rcu(table, &net->nft.tables, list) { 731 if (family != NFPROTO_UNSPEC && family != table->family) 732 continue; 733 734 if (idx < s_idx) 735 goto cont; 736 if (idx > s_idx) 737 memset(&cb->args[1], 0, 738 sizeof(cb->args) - sizeof(cb->args[0])); 739 if (!nft_is_active(net, table)) 740 continue; 741 if (nf_tables_fill_table_info(skb, net, 742 NETLINK_CB(cb->skb).portid, 743 cb->nlh->nlmsg_seq, 744 NFT_MSG_NEWTABLE, NLM_F_MULTI, 745 table->family, table) < 0) 746 goto done; 747 748 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 749 cont: 750 idx++; 751 } 752 done: 753 rcu_read_unlock(); 754 cb->args[0] = idx; 755 return skb->len; 756 } 757 758 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb, 759 const struct nlmsghdr *nlh, 760 struct netlink_dump_control *c) 761 { 762 int err; 763 764 if (!try_module_get(THIS_MODULE)) 765 return -EINVAL; 766 767 rcu_read_unlock(); 768 err = netlink_dump_start(nlsk, skb, nlh, c); 769 rcu_read_lock(); 770 module_put(THIS_MODULE); 771 772 return err; 773 } 774 775 /* called with rcu_read_lock held */ 776 static int nf_tables_gettable(struct net *net, struct sock *nlsk, 777 struct sk_buff *skb, const struct nlmsghdr *nlh, 778 const struct nlattr * const nla[], 779 struct netlink_ext_ack *extack) 780 { 781 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 782 u8 genmask = nft_genmask_cur(net); 783 const struct nft_table *table; 784 struct sk_buff *skb2; 785 int family = nfmsg->nfgen_family; 786 int err; 787 788 if (nlh->nlmsg_flags & NLM_F_DUMP) { 789 struct netlink_dump_control c = { 790 .dump = nf_tables_dump_tables, 791 .module = THIS_MODULE, 792 }; 793 794 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 795 } 796 797 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask); 798 if (IS_ERR(table)) { 799 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]); 800 return PTR_ERR(table); 801 } 802 803 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 804 if (!skb2) 805 return -ENOMEM; 806 807 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid, 808 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0, 809 family, table); 810 if (err < 0) 811 goto err; 812 813 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); 814 815 err: 816 kfree_skb(skb2); 817 return err; 818 } 819 820 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt) 821 { 822 struct nft_chain *chain; 823 u32 i = 0; 824 825 list_for_each_entry(chain, &table->chains, list) { 826 if (!nft_is_active_next(net, chain)) 827 continue; 828 if (!nft_is_base_chain(chain)) 829 continue; 830 831 if (cnt && i++ == cnt) 832 break; 833 834 nft_unregister_basechain_hooks(net, table->family, 835 nft_base_chain(chain)); 836 } 837 } 838 839 static int nf_tables_table_enable(struct net *net, struct nft_table *table) 840 { 841 struct nft_chain *chain; 842 int err, i = 0; 843 844 list_for_each_entry(chain, &table->chains, list) { 845 if (!nft_is_active_next(net, chain)) 846 continue; 847 if (!nft_is_base_chain(chain)) 848 continue; 849 850 err = nft_register_basechain_hooks(net, table->family, 851 nft_base_chain(chain)); 852 if (err < 0) 853 goto err_register_hooks; 854 855 i++; 856 } 857 return 0; 858 859 err_register_hooks: 860 if (i) 861 nft_table_disable(net, table, i); 862 return err; 863 } 864 865 static void nf_tables_table_disable(struct net *net, struct nft_table *table) 866 { 867 nft_table_disable(net, table, 0); 868 } 869 870 static int nf_tables_updtable(struct nft_ctx *ctx) 871 { 872 struct nft_trans *trans; 873 u32 flags; 874 int ret = 0; 875 876 if (!ctx->nla[NFTA_TABLE_FLAGS]) 877 return 0; 878 879 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS])); 880 if (flags & ~NFT_TABLE_F_DORMANT) 881 return -EINVAL; 882 883 if (flags == ctx->table->flags) 884 return 0; 885 886 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE, 887 sizeof(struct nft_trans_table)); 888 if (trans == NULL) 889 return -ENOMEM; 890 891 if ((flags & NFT_TABLE_F_DORMANT) && 892 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) { 893 nft_trans_table_enable(trans) = false; 894 } else if (!(flags & NFT_TABLE_F_DORMANT) && 895 ctx->table->flags & NFT_TABLE_F_DORMANT) { 896 ret = nf_tables_table_enable(ctx->net, ctx->table); 897 if (ret >= 0) { 898 ctx->table->flags &= ~NFT_TABLE_F_DORMANT; 899 nft_trans_table_enable(trans) = true; 900 } 901 } 902 if (ret < 0) 903 goto err; 904 905 nft_trans_table_update(trans) = true; 906 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 907 return 0; 908 err: 909 nft_trans_destroy(trans); 910 return ret; 911 } 912 913 static u32 nft_chain_hash(const void *data, u32 len, u32 seed) 914 { 915 const char *name = data; 916 917 return jhash(name, strlen(name), seed); 918 } 919 920 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed) 921 { 922 const struct nft_chain *chain = data; 923 924 return nft_chain_hash(chain->name, 0, seed); 925 } 926 927 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg, 928 const void *ptr) 929 { 930 const struct nft_chain *chain = ptr; 931 const char *name = arg->key; 932 933 return strcmp(chain->name, name); 934 } 935 936 static u32 nft_objname_hash(const void *data, u32 len, u32 seed) 937 { 938 const struct nft_object_hash_key *k = data; 939 940 seed ^= hash_ptr(k->table, 32); 941 942 return jhash(k->name, strlen(k->name), seed); 943 } 944 945 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed) 946 { 947 const struct nft_object *obj = data; 948 949 return nft_objname_hash(&obj->key, 0, seed); 950 } 951 952 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg, 953 const void *ptr) 954 { 955 const struct nft_object_hash_key *k = arg->key; 956 const struct nft_object *obj = ptr; 957 958 if (obj->key.table != k->table) 959 return -1; 960 961 return strcmp(obj->key.name, k->name); 962 } 963 964 static int nf_tables_newtable(struct net *net, struct sock *nlsk, 965 struct sk_buff *skb, const struct nlmsghdr *nlh, 966 const struct nlattr * const nla[], 967 struct netlink_ext_ack *extack) 968 { 969 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 970 u8 genmask = nft_genmask_next(net); 971 int family = nfmsg->nfgen_family; 972 const struct nlattr *attr; 973 struct nft_table *table; 974 u32 flags = 0; 975 struct nft_ctx ctx; 976 int err; 977 978 lockdep_assert_held(&net->nft.commit_mutex); 979 attr = nla[NFTA_TABLE_NAME]; 980 table = nft_table_lookup(net, attr, family, genmask); 981 if (IS_ERR(table)) { 982 if (PTR_ERR(table) != -ENOENT) 983 return PTR_ERR(table); 984 } else { 985 if (nlh->nlmsg_flags & NLM_F_EXCL) { 986 NL_SET_BAD_ATTR(extack, attr); 987 return -EEXIST; 988 } 989 if (nlh->nlmsg_flags & NLM_F_REPLACE) 990 return -EOPNOTSUPP; 991 992 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 993 return nf_tables_updtable(&ctx); 994 } 995 996 if (nla[NFTA_TABLE_FLAGS]) { 997 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS])); 998 if (flags & ~NFT_TABLE_F_DORMANT) 999 return -EINVAL; 1000 } 1001 1002 err = -ENOMEM; 1003 table = kzalloc(sizeof(*table), GFP_KERNEL); 1004 if (table == NULL) 1005 goto err_kzalloc; 1006 1007 table->name = nla_strdup(attr, GFP_KERNEL); 1008 if (table->name == NULL) 1009 goto err_strdup; 1010 1011 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params); 1012 if (err) 1013 goto err_chain_ht; 1014 1015 INIT_LIST_HEAD(&table->chains); 1016 INIT_LIST_HEAD(&table->sets); 1017 INIT_LIST_HEAD(&table->objects); 1018 INIT_LIST_HEAD(&table->flowtables); 1019 table->family = family; 1020 table->flags = flags; 1021 table->handle = ++table_handle; 1022 1023 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 1024 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE); 1025 if (err < 0) 1026 goto err_trans; 1027 1028 list_add_tail_rcu(&table->list, &net->nft.tables); 1029 return 0; 1030 err_trans: 1031 rhltable_destroy(&table->chains_ht); 1032 err_chain_ht: 1033 kfree(table->name); 1034 err_strdup: 1035 kfree(table); 1036 err_kzalloc: 1037 return err; 1038 } 1039 1040 static int nft_flush_table(struct nft_ctx *ctx) 1041 { 1042 struct nft_flowtable *flowtable, *nft; 1043 struct nft_chain *chain, *nc; 1044 struct nft_object *obj, *ne; 1045 struct nft_set *set, *ns; 1046 int err; 1047 1048 list_for_each_entry(chain, &ctx->table->chains, list) { 1049 if (!nft_is_active_next(ctx->net, chain)) 1050 continue; 1051 1052 ctx->chain = chain; 1053 1054 err = nft_delrule_by_chain(ctx); 1055 if (err < 0) 1056 goto out; 1057 } 1058 1059 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) { 1060 if (!nft_is_active_next(ctx->net, set)) 1061 continue; 1062 1063 if (nft_set_is_anonymous(set) && 1064 !list_empty(&set->bindings)) 1065 continue; 1066 1067 err = nft_delset(ctx, set); 1068 if (err < 0) 1069 goto out; 1070 } 1071 1072 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) { 1073 if (!nft_is_active_next(ctx->net, flowtable)) 1074 continue; 1075 1076 err = nft_delflowtable(ctx, flowtable); 1077 if (err < 0) 1078 goto out; 1079 } 1080 1081 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) { 1082 if (!nft_is_active_next(ctx->net, obj)) 1083 continue; 1084 1085 err = nft_delobj(ctx, obj); 1086 if (err < 0) 1087 goto out; 1088 } 1089 1090 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) { 1091 if (!nft_is_active_next(ctx->net, chain)) 1092 continue; 1093 1094 ctx->chain = chain; 1095 1096 err = nft_delchain(ctx); 1097 if (err < 0) 1098 goto out; 1099 } 1100 1101 err = nft_deltable(ctx); 1102 out: 1103 return err; 1104 } 1105 1106 static int nft_flush(struct nft_ctx *ctx, int family) 1107 { 1108 struct nft_table *table, *nt; 1109 const struct nlattr * const *nla = ctx->nla; 1110 int err = 0; 1111 1112 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) { 1113 if (family != AF_UNSPEC && table->family != family) 1114 continue; 1115 1116 ctx->family = table->family; 1117 1118 if (!nft_is_active_next(ctx->net, table)) 1119 continue; 1120 1121 if (nla[NFTA_TABLE_NAME] && 1122 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0) 1123 continue; 1124 1125 ctx->table = table; 1126 1127 err = nft_flush_table(ctx); 1128 if (err < 0) 1129 goto out; 1130 } 1131 out: 1132 return err; 1133 } 1134 1135 static int nf_tables_deltable(struct net *net, struct sock *nlsk, 1136 struct sk_buff *skb, const struct nlmsghdr *nlh, 1137 const struct nlattr * const nla[], 1138 struct netlink_ext_ack *extack) 1139 { 1140 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 1141 u8 genmask = nft_genmask_next(net); 1142 int family = nfmsg->nfgen_family; 1143 const struct nlattr *attr; 1144 struct nft_table *table; 1145 struct nft_ctx ctx; 1146 1147 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla); 1148 if (family == AF_UNSPEC || 1149 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE])) 1150 return nft_flush(&ctx, family); 1151 1152 if (nla[NFTA_TABLE_HANDLE]) { 1153 attr = nla[NFTA_TABLE_HANDLE]; 1154 table = nft_table_lookup_byhandle(net, attr, genmask); 1155 } else { 1156 attr = nla[NFTA_TABLE_NAME]; 1157 table = nft_table_lookup(net, attr, family, genmask); 1158 } 1159 1160 if (IS_ERR(table)) { 1161 NL_SET_BAD_ATTR(extack, attr); 1162 return PTR_ERR(table); 1163 } 1164 1165 if (nlh->nlmsg_flags & NLM_F_NONREC && 1166 table->use > 0) 1167 return -EBUSY; 1168 1169 ctx.family = family; 1170 ctx.table = table; 1171 1172 return nft_flush_table(&ctx); 1173 } 1174 1175 static void nf_tables_table_destroy(struct nft_ctx *ctx) 1176 { 1177 if (WARN_ON(ctx->table->use > 0)) 1178 return; 1179 1180 rhltable_destroy(&ctx->table->chains_ht); 1181 kfree(ctx->table->name); 1182 kfree(ctx->table); 1183 } 1184 1185 void nft_register_chain_type(const struct nft_chain_type *ctype) 1186 { 1187 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1188 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) { 1189 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1190 return; 1191 } 1192 chain_type[ctype->family][ctype->type] = ctype; 1193 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1194 } 1195 EXPORT_SYMBOL_GPL(nft_register_chain_type); 1196 1197 void nft_unregister_chain_type(const struct nft_chain_type *ctype) 1198 { 1199 nfnl_lock(NFNL_SUBSYS_NFTABLES); 1200 chain_type[ctype->family][ctype->type] = NULL; 1201 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 1202 } 1203 EXPORT_SYMBOL_GPL(nft_unregister_chain_type); 1204 1205 /* 1206 * Chains 1207 */ 1208 1209 static struct nft_chain * 1210 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask) 1211 { 1212 struct nft_chain *chain; 1213 1214 list_for_each_entry(chain, &table->chains, list) { 1215 if (chain->handle == handle && 1216 nft_active_genmask(chain, genmask)) 1217 return chain; 1218 } 1219 1220 return ERR_PTR(-ENOENT); 1221 } 1222 1223 static bool lockdep_commit_lock_is_held(const struct net *net) 1224 { 1225 #ifdef CONFIG_PROVE_LOCKING 1226 return lockdep_is_held(&net->nft.commit_mutex); 1227 #else 1228 return true; 1229 #endif 1230 } 1231 1232 static struct nft_chain *nft_chain_lookup(struct net *net, 1233 struct nft_table *table, 1234 const struct nlattr *nla, u8 genmask) 1235 { 1236 char search[NFT_CHAIN_MAXNAMELEN + 1]; 1237 struct rhlist_head *tmp, *list; 1238 struct nft_chain *chain; 1239 1240 if (nla == NULL) 1241 return ERR_PTR(-EINVAL); 1242 1243 nla_strlcpy(search, nla, sizeof(search)); 1244 1245 WARN_ON(!rcu_read_lock_held() && 1246 !lockdep_commit_lock_is_held(net)); 1247 1248 chain = ERR_PTR(-ENOENT); 1249 rcu_read_lock(); 1250 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params); 1251 if (!list) 1252 goto out_unlock; 1253 1254 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) { 1255 if (nft_active_genmask(chain, genmask)) 1256 goto out_unlock; 1257 } 1258 chain = ERR_PTR(-ENOENT); 1259 out_unlock: 1260 rcu_read_unlock(); 1261 return chain; 1262 } 1263 1264 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = { 1265 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING, 1266 .len = NFT_TABLE_MAXNAMELEN - 1 }, 1267 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 }, 1268 [NFTA_CHAIN_NAME] = { .type = NLA_STRING, 1269 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 1270 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED }, 1271 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 }, 1272 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING, 1273 .len = NFT_MODULE_AUTOLOAD_LIMIT }, 1274 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED }, 1275 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 }, 1276 }; 1277 1278 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = { 1279 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 }, 1280 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 }, 1281 [NFTA_HOOK_DEV] = { .type = NLA_STRING, 1282 .len = IFNAMSIZ - 1 }, 1283 }; 1284 1285 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats) 1286 { 1287 struct nft_stats *cpu_stats, total; 1288 struct nlattr *nest; 1289 unsigned int seq; 1290 u64 pkts, bytes; 1291 int cpu; 1292 1293 if (!stats) 1294 return 0; 1295 1296 memset(&total, 0, sizeof(total)); 1297 for_each_possible_cpu(cpu) { 1298 cpu_stats = per_cpu_ptr(stats, cpu); 1299 do { 1300 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp); 1301 pkts = cpu_stats->pkts; 1302 bytes = cpu_stats->bytes; 1303 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq)); 1304 total.pkts += pkts; 1305 total.bytes += bytes; 1306 } 1307 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS); 1308 if (nest == NULL) 1309 goto nla_put_failure; 1310 1311 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts), 1312 NFTA_COUNTER_PAD) || 1313 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes), 1314 NFTA_COUNTER_PAD)) 1315 goto nla_put_failure; 1316 1317 nla_nest_end(skb, nest); 1318 return 0; 1319 1320 nla_put_failure: 1321 return -ENOSPC; 1322 } 1323 1324 static int nft_dump_basechain_hook(struct sk_buff *skb, int family, 1325 const struct nft_base_chain *basechain) 1326 { 1327 const struct nf_hook_ops *ops = &basechain->ops; 1328 struct nft_hook *hook, *first = NULL; 1329 struct nlattr *nest, *nest_devs; 1330 int n = 0; 1331 1332 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK); 1333 if (nest == NULL) 1334 goto nla_put_failure; 1335 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum))) 1336 goto nla_put_failure; 1337 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority))) 1338 goto nla_put_failure; 1339 1340 if (family == NFPROTO_NETDEV) { 1341 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS); 1342 list_for_each_entry(hook, &basechain->hook_list, list) { 1343 if (!first) 1344 first = hook; 1345 1346 if (nla_put_string(skb, NFTA_DEVICE_NAME, 1347 hook->ops.dev->name)) 1348 goto nla_put_failure; 1349 n++; 1350 } 1351 nla_nest_end(skb, nest_devs); 1352 1353 if (n == 1 && 1354 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name)) 1355 goto nla_put_failure; 1356 } 1357 nla_nest_end(skb, nest); 1358 1359 return 0; 1360 nla_put_failure: 1361 return -1; 1362 } 1363 1364 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net, 1365 u32 portid, u32 seq, int event, u32 flags, 1366 int family, const struct nft_table *table, 1367 const struct nft_chain *chain) 1368 { 1369 struct nlmsghdr *nlh; 1370 struct nfgenmsg *nfmsg; 1371 1372 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 1373 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); 1374 if (nlh == NULL) 1375 goto nla_put_failure; 1376 1377 nfmsg = nlmsg_data(nlh); 1378 nfmsg->nfgen_family = family; 1379 nfmsg->version = NFNETLINK_V0; 1380 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 1381 1382 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name)) 1383 goto nla_put_failure; 1384 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle), 1385 NFTA_CHAIN_PAD)) 1386 goto nla_put_failure; 1387 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name)) 1388 goto nla_put_failure; 1389 1390 if (nft_is_base_chain(chain)) { 1391 const struct nft_base_chain *basechain = nft_base_chain(chain); 1392 struct nft_stats __percpu *stats; 1393 1394 if (nft_dump_basechain_hook(skb, family, basechain)) 1395 goto nla_put_failure; 1396 1397 if (nla_put_be32(skb, NFTA_CHAIN_POLICY, 1398 htonl(basechain->policy))) 1399 goto nla_put_failure; 1400 1401 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name)) 1402 goto nla_put_failure; 1403 1404 stats = rcu_dereference_check(basechain->stats, 1405 lockdep_commit_lock_is_held(net)); 1406 if (nft_dump_stats(skb, stats)) 1407 goto nla_put_failure; 1408 } 1409 1410 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use))) 1411 goto nla_put_failure; 1412 1413 nlmsg_end(skb, nlh); 1414 return 0; 1415 1416 nla_put_failure: 1417 nlmsg_trim(skb, nlh); 1418 return -1; 1419 } 1420 1421 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event) 1422 { 1423 struct sk_buff *skb; 1424 int err; 1425 1426 if (!ctx->report && 1427 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 1428 return; 1429 1430 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 1431 if (skb == NULL) 1432 goto err; 1433 1434 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq, 1435 event, 0, ctx->family, ctx->table, 1436 ctx->chain); 1437 if (err < 0) { 1438 kfree_skb(skb); 1439 goto err; 1440 } 1441 1442 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES, 1443 ctx->report, GFP_KERNEL); 1444 return; 1445 err: 1446 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 1447 } 1448 1449 static int nf_tables_dump_chains(struct sk_buff *skb, 1450 struct netlink_callback *cb) 1451 { 1452 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 1453 const struct nft_table *table; 1454 const struct nft_chain *chain; 1455 unsigned int idx = 0, s_idx = cb->args[0]; 1456 struct net *net = sock_net(skb->sk); 1457 int family = nfmsg->nfgen_family; 1458 1459 rcu_read_lock(); 1460 cb->seq = net->nft.base_seq; 1461 1462 list_for_each_entry_rcu(table, &net->nft.tables, list) { 1463 if (family != NFPROTO_UNSPEC && family != table->family) 1464 continue; 1465 1466 list_for_each_entry_rcu(chain, &table->chains, list) { 1467 if (idx < s_idx) 1468 goto cont; 1469 if (idx > s_idx) 1470 memset(&cb->args[1], 0, 1471 sizeof(cb->args) - sizeof(cb->args[0])); 1472 if (!nft_is_active(net, chain)) 1473 continue; 1474 if (nf_tables_fill_chain_info(skb, net, 1475 NETLINK_CB(cb->skb).portid, 1476 cb->nlh->nlmsg_seq, 1477 NFT_MSG_NEWCHAIN, 1478 NLM_F_MULTI, 1479 table->family, table, 1480 chain) < 0) 1481 goto done; 1482 1483 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 1484 cont: 1485 idx++; 1486 } 1487 } 1488 done: 1489 rcu_read_unlock(); 1490 cb->args[0] = idx; 1491 return skb->len; 1492 } 1493 1494 /* called with rcu_read_lock held */ 1495 static int nf_tables_getchain(struct net *net, struct sock *nlsk, 1496 struct sk_buff *skb, const struct nlmsghdr *nlh, 1497 const struct nlattr * const nla[], 1498 struct netlink_ext_ack *extack) 1499 { 1500 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 1501 u8 genmask = nft_genmask_cur(net); 1502 const struct nft_chain *chain; 1503 struct nft_table *table; 1504 struct sk_buff *skb2; 1505 int family = nfmsg->nfgen_family; 1506 int err; 1507 1508 if (nlh->nlmsg_flags & NLM_F_DUMP) { 1509 struct netlink_dump_control c = { 1510 .dump = nf_tables_dump_chains, 1511 .module = THIS_MODULE, 1512 }; 1513 1514 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 1515 } 1516 1517 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask); 1518 if (IS_ERR(table)) { 1519 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 1520 return PTR_ERR(table); 1521 } 1522 1523 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask); 1524 if (IS_ERR(chain)) { 1525 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]); 1526 return PTR_ERR(chain); 1527 } 1528 1529 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 1530 if (!skb2) 1531 return -ENOMEM; 1532 1533 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid, 1534 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0, 1535 family, table, chain); 1536 if (err < 0) 1537 goto err; 1538 1539 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); 1540 1541 err: 1542 kfree_skb(skb2); 1543 return err; 1544 } 1545 1546 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = { 1547 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 }, 1548 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 }, 1549 }; 1550 1551 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr) 1552 { 1553 struct nlattr *tb[NFTA_COUNTER_MAX+1]; 1554 struct nft_stats __percpu *newstats; 1555 struct nft_stats *stats; 1556 int err; 1557 1558 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr, 1559 nft_counter_policy, NULL); 1560 if (err < 0) 1561 return ERR_PTR(err); 1562 1563 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS]) 1564 return ERR_PTR(-EINVAL); 1565 1566 newstats = netdev_alloc_pcpu_stats(struct nft_stats); 1567 if (newstats == NULL) 1568 return ERR_PTR(-ENOMEM); 1569 1570 /* Restore old counters on this cpu, no problem. Per-cpu statistics 1571 * are not exposed to userspace. 1572 */ 1573 preempt_disable(); 1574 stats = this_cpu_ptr(newstats); 1575 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES])); 1576 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS])); 1577 preempt_enable(); 1578 1579 return newstats; 1580 } 1581 1582 static void nft_chain_stats_replace(struct nft_trans *trans) 1583 { 1584 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain); 1585 1586 if (!nft_trans_chain_stats(trans)) 1587 return; 1588 1589 nft_trans_chain_stats(trans) = 1590 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans), 1591 lockdep_commit_lock_is_held(trans->ctx.net)); 1592 1593 if (!nft_trans_chain_stats(trans)) 1594 static_branch_inc(&nft_counters_enabled); 1595 } 1596 1597 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain) 1598 { 1599 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0); 1600 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1); 1601 1602 if (g0 != g1) 1603 kvfree(g1); 1604 kvfree(g0); 1605 1606 /* should be NULL either via abort or via successful commit */ 1607 WARN_ON_ONCE(chain->rules_next); 1608 kvfree(chain->rules_next); 1609 } 1610 1611 static void nf_tables_chain_destroy(struct nft_ctx *ctx) 1612 { 1613 struct nft_chain *chain = ctx->chain; 1614 struct nft_hook *hook, *next; 1615 1616 if (WARN_ON(chain->use > 0)) 1617 return; 1618 1619 /* no concurrent access possible anymore */ 1620 nf_tables_chain_free_chain_rules(chain); 1621 1622 if (nft_is_base_chain(chain)) { 1623 struct nft_base_chain *basechain = nft_base_chain(chain); 1624 1625 if (ctx->family == NFPROTO_NETDEV) { 1626 list_for_each_entry_safe(hook, next, 1627 &basechain->hook_list, list) { 1628 list_del_rcu(&hook->list); 1629 kfree_rcu(hook, rcu); 1630 } 1631 } 1632 module_put(basechain->type->owner); 1633 if (rcu_access_pointer(basechain->stats)) { 1634 static_branch_dec(&nft_counters_enabled); 1635 free_percpu(rcu_dereference_raw(basechain->stats)); 1636 } 1637 kfree(chain->name); 1638 kfree(basechain); 1639 } else { 1640 kfree(chain->name); 1641 kfree(chain); 1642 } 1643 } 1644 1645 static struct nft_hook *nft_netdev_hook_alloc(struct net *net, 1646 const struct nlattr *attr) 1647 { 1648 struct net_device *dev; 1649 char ifname[IFNAMSIZ]; 1650 struct nft_hook *hook; 1651 int err; 1652 1653 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL); 1654 if (!hook) { 1655 err = -ENOMEM; 1656 goto err_hook_alloc; 1657 } 1658 1659 nla_strlcpy(ifname, attr, IFNAMSIZ); 1660 dev = __dev_get_by_name(net, ifname); 1661 if (!dev) { 1662 err = -ENOENT; 1663 goto err_hook_dev; 1664 } 1665 hook->ops.dev = dev; 1666 1667 return hook; 1668 1669 err_hook_dev: 1670 kfree(hook); 1671 err_hook_alloc: 1672 return ERR_PTR(err); 1673 } 1674 1675 static bool nft_hook_list_find(struct list_head *hook_list, 1676 const struct nft_hook *this) 1677 { 1678 struct nft_hook *hook; 1679 1680 list_for_each_entry(hook, hook_list, list) { 1681 if (this->ops.dev == hook->ops.dev) 1682 return true; 1683 } 1684 1685 return false; 1686 } 1687 1688 static int nf_tables_parse_netdev_hooks(struct net *net, 1689 const struct nlattr *attr, 1690 struct list_head *hook_list) 1691 { 1692 struct nft_hook *hook, *next; 1693 const struct nlattr *tmp; 1694 int rem, n = 0, err; 1695 1696 nla_for_each_nested(tmp, attr, rem) { 1697 if (nla_type(tmp) != NFTA_DEVICE_NAME) { 1698 err = -EINVAL; 1699 goto err_hook; 1700 } 1701 1702 hook = nft_netdev_hook_alloc(net, tmp); 1703 if (IS_ERR(hook)) { 1704 err = PTR_ERR(hook); 1705 goto err_hook; 1706 } 1707 if (nft_hook_list_find(hook_list, hook)) { 1708 kfree(hook); 1709 err = -EEXIST; 1710 goto err_hook; 1711 } 1712 list_add_tail(&hook->list, hook_list); 1713 n++; 1714 1715 if (n == NFT_NETDEVICE_MAX) { 1716 err = -EFBIG; 1717 goto err_hook; 1718 } 1719 } 1720 if (!n) 1721 return -EINVAL; 1722 1723 return 0; 1724 1725 err_hook: 1726 list_for_each_entry_safe(hook, next, hook_list, list) { 1727 list_del(&hook->list); 1728 kfree(hook); 1729 } 1730 return err; 1731 } 1732 1733 struct nft_chain_hook { 1734 u32 num; 1735 s32 priority; 1736 const struct nft_chain_type *type; 1737 struct list_head list; 1738 }; 1739 1740 static int nft_chain_parse_netdev(struct net *net, 1741 struct nlattr *tb[], 1742 struct list_head *hook_list) 1743 { 1744 struct nft_hook *hook; 1745 int err; 1746 1747 if (tb[NFTA_HOOK_DEV]) { 1748 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]); 1749 if (IS_ERR(hook)) 1750 return PTR_ERR(hook); 1751 1752 list_add_tail(&hook->list, hook_list); 1753 } else if (tb[NFTA_HOOK_DEVS]) { 1754 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS], 1755 hook_list); 1756 if (err < 0) 1757 return err; 1758 } else { 1759 return -EINVAL; 1760 } 1761 1762 return 0; 1763 } 1764 1765 static int nft_chain_parse_hook(struct net *net, 1766 const struct nlattr * const nla[], 1767 struct nft_chain_hook *hook, u8 family, 1768 bool autoload) 1769 { 1770 struct nlattr *ha[NFTA_HOOK_MAX + 1]; 1771 const struct nft_chain_type *type; 1772 int err; 1773 1774 lockdep_assert_held(&net->nft.commit_mutex); 1775 lockdep_nfnl_nft_mutex_not_held(); 1776 1777 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX, 1778 nla[NFTA_CHAIN_HOOK], 1779 nft_hook_policy, NULL); 1780 if (err < 0) 1781 return err; 1782 1783 if (ha[NFTA_HOOK_HOOKNUM] == NULL || 1784 ha[NFTA_HOOK_PRIORITY] == NULL) 1785 return -EINVAL; 1786 1787 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM])); 1788 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY])); 1789 1790 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT); 1791 if (!type) 1792 return -EOPNOTSUPP; 1793 1794 if (nla[NFTA_CHAIN_TYPE]) { 1795 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE], 1796 family, autoload); 1797 if (IS_ERR(type)) 1798 return PTR_ERR(type); 1799 } 1800 if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num))) 1801 return -EOPNOTSUPP; 1802 1803 if (type->type == NFT_CHAIN_T_NAT && 1804 hook->priority <= NF_IP_PRI_CONNTRACK) 1805 return -EOPNOTSUPP; 1806 1807 if (!try_module_get(type->owner)) 1808 return -ENOENT; 1809 1810 hook->type = type; 1811 1812 INIT_LIST_HEAD(&hook->list); 1813 if (family == NFPROTO_NETDEV) { 1814 err = nft_chain_parse_netdev(net, ha, &hook->list); 1815 if (err < 0) { 1816 module_put(type->owner); 1817 return err; 1818 } 1819 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) { 1820 module_put(type->owner); 1821 return -EOPNOTSUPP; 1822 } 1823 1824 return 0; 1825 } 1826 1827 static void nft_chain_release_hook(struct nft_chain_hook *hook) 1828 { 1829 struct nft_hook *h, *next; 1830 1831 list_for_each_entry_safe(h, next, &hook->list, list) { 1832 list_del(&h->list); 1833 kfree(h); 1834 } 1835 module_put(hook->type->owner); 1836 } 1837 1838 struct nft_rules_old { 1839 struct rcu_head h; 1840 struct nft_rule **start; 1841 }; 1842 1843 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain, 1844 unsigned int alloc) 1845 { 1846 if (alloc > INT_MAX) 1847 return NULL; 1848 1849 alloc += 1; /* NULL, ends rules */ 1850 if (sizeof(struct nft_rule *) > INT_MAX / alloc) 1851 return NULL; 1852 1853 alloc *= sizeof(struct nft_rule *); 1854 alloc += sizeof(struct nft_rules_old); 1855 1856 return kvmalloc(alloc, GFP_KERNEL); 1857 } 1858 1859 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family, 1860 const struct nft_chain_hook *hook, 1861 struct nft_chain *chain) 1862 { 1863 ops->pf = family; 1864 ops->hooknum = hook->num; 1865 ops->priority = hook->priority; 1866 ops->priv = chain; 1867 ops->hook = hook->type->hooks[ops->hooknum]; 1868 } 1869 1870 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family, 1871 struct nft_chain_hook *hook, u32 flags) 1872 { 1873 struct nft_chain *chain; 1874 struct nft_hook *h; 1875 1876 basechain->type = hook->type; 1877 INIT_LIST_HEAD(&basechain->hook_list); 1878 chain = &basechain->chain; 1879 1880 if (family == NFPROTO_NETDEV) { 1881 list_splice_init(&hook->list, &basechain->hook_list); 1882 list_for_each_entry(h, &basechain->hook_list, list) 1883 nft_basechain_hook_init(&h->ops, family, hook, chain); 1884 1885 basechain->ops.hooknum = hook->num; 1886 basechain->ops.priority = hook->priority; 1887 } else { 1888 nft_basechain_hook_init(&basechain->ops, family, hook, chain); 1889 } 1890 1891 chain->flags |= NFT_BASE_CHAIN | flags; 1892 basechain->policy = NF_ACCEPT; 1893 if (chain->flags & NFT_CHAIN_HW_OFFLOAD && 1894 nft_chain_offload_priority(basechain) < 0) 1895 return -EOPNOTSUPP; 1896 1897 flow_block_init(&basechain->flow_block); 1898 1899 return 0; 1900 } 1901 1902 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, 1903 u8 policy, u32 flags) 1904 { 1905 const struct nlattr * const *nla = ctx->nla; 1906 struct nft_table *table = ctx->table; 1907 struct nft_base_chain *basechain; 1908 struct nft_stats __percpu *stats; 1909 struct net *net = ctx->net; 1910 struct nft_trans *trans; 1911 struct nft_chain *chain; 1912 struct nft_rule **rules; 1913 int err; 1914 1915 if (table->use == UINT_MAX) 1916 return -EOVERFLOW; 1917 1918 if (nla[NFTA_CHAIN_HOOK]) { 1919 struct nft_chain_hook hook; 1920 1921 err = nft_chain_parse_hook(net, nla, &hook, family, true); 1922 if (err < 0) 1923 return err; 1924 1925 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL); 1926 if (basechain == NULL) { 1927 nft_chain_release_hook(&hook); 1928 return -ENOMEM; 1929 } 1930 chain = &basechain->chain; 1931 1932 if (nla[NFTA_CHAIN_COUNTERS]) { 1933 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); 1934 if (IS_ERR(stats)) { 1935 nft_chain_release_hook(&hook); 1936 kfree(basechain); 1937 return PTR_ERR(stats); 1938 } 1939 rcu_assign_pointer(basechain->stats, stats); 1940 static_branch_inc(&nft_counters_enabled); 1941 } 1942 1943 err = nft_basechain_init(basechain, family, &hook, flags); 1944 if (err < 0) { 1945 nft_chain_release_hook(&hook); 1946 kfree(basechain); 1947 return err; 1948 } 1949 } else { 1950 chain = kzalloc(sizeof(*chain), GFP_KERNEL); 1951 if (chain == NULL) 1952 return -ENOMEM; 1953 } 1954 ctx->chain = chain; 1955 1956 INIT_LIST_HEAD(&chain->rules); 1957 chain->handle = nf_tables_alloc_handle(table); 1958 chain->table = table; 1959 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL); 1960 if (!chain->name) { 1961 err = -ENOMEM; 1962 goto err1; 1963 } 1964 1965 rules = nf_tables_chain_alloc_rules(chain, 0); 1966 if (!rules) { 1967 err = -ENOMEM; 1968 goto err1; 1969 } 1970 1971 *rules = NULL; 1972 rcu_assign_pointer(chain->rules_gen_0, rules); 1973 rcu_assign_pointer(chain->rules_gen_1, rules); 1974 1975 err = nf_tables_register_hook(net, table, chain); 1976 if (err < 0) 1977 goto err1; 1978 1979 err = rhltable_insert_key(&table->chains_ht, chain->name, 1980 &chain->rhlhead, nft_chain_ht_params); 1981 if (err) 1982 goto err2; 1983 1984 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN); 1985 if (IS_ERR(trans)) { 1986 err = PTR_ERR(trans); 1987 rhltable_remove(&table->chains_ht, &chain->rhlhead, 1988 nft_chain_ht_params); 1989 goto err2; 1990 } 1991 1992 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET; 1993 if (nft_is_base_chain(chain)) 1994 nft_trans_chain_policy(trans) = policy; 1995 1996 table->use++; 1997 list_add_tail_rcu(&chain->list, &table->chains); 1998 1999 return 0; 2000 err2: 2001 nf_tables_unregister_hook(net, table, chain); 2002 err1: 2003 nf_tables_chain_destroy(ctx); 2004 2005 return err; 2006 } 2007 2008 static bool nft_hook_list_equal(struct list_head *hook_list1, 2009 struct list_head *hook_list2) 2010 { 2011 struct nft_hook *hook; 2012 int n = 0, m = 0; 2013 2014 n = 0; 2015 list_for_each_entry(hook, hook_list2, list) { 2016 if (!nft_hook_list_find(hook_list1, hook)) 2017 return false; 2018 2019 n++; 2020 } 2021 list_for_each_entry(hook, hook_list1, list) 2022 m++; 2023 2024 return n == m; 2025 } 2026 2027 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, 2028 u32 flags) 2029 { 2030 const struct nlattr * const *nla = ctx->nla; 2031 struct nft_table *table = ctx->table; 2032 struct nft_chain *chain = ctx->chain; 2033 struct nft_base_chain *basechain; 2034 struct nft_stats *stats = NULL; 2035 struct nft_chain_hook hook; 2036 struct nf_hook_ops *ops; 2037 struct nft_trans *trans; 2038 int err; 2039 2040 if (chain->flags ^ flags) 2041 return -EOPNOTSUPP; 2042 2043 if (nla[NFTA_CHAIN_HOOK]) { 2044 if (!nft_is_base_chain(chain)) 2045 return -EBUSY; 2046 2047 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family, 2048 false); 2049 if (err < 0) 2050 return err; 2051 2052 basechain = nft_base_chain(chain); 2053 if (basechain->type != hook.type) { 2054 nft_chain_release_hook(&hook); 2055 return -EBUSY; 2056 } 2057 2058 if (ctx->family == NFPROTO_NETDEV) { 2059 if (!nft_hook_list_equal(&basechain->hook_list, 2060 &hook.list)) { 2061 nft_chain_release_hook(&hook); 2062 return -EBUSY; 2063 } 2064 } else { 2065 ops = &basechain->ops; 2066 if (ops->hooknum != hook.num || 2067 ops->priority != hook.priority) { 2068 nft_chain_release_hook(&hook); 2069 return -EBUSY; 2070 } 2071 } 2072 nft_chain_release_hook(&hook); 2073 } 2074 2075 if (nla[NFTA_CHAIN_HANDLE] && 2076 nla[NFTA_CHAIN_NAME]) { 2077 struct nft_chain *chain2; 2078 2079 chain2 = nft_chain_lookup(ctx->net, table, 2080 nla[NFTA_CHAIN_NAME], genmask); 2081 if (!IS_ERR(chain2)) 2082 return -EEXIST; 2083 } 2084 2085 if (nla[NFTA_CHAIN_COUNTERS]) { 2086 if (!nft_is_base_chain(chain)) 2087 return -EOPNOTSUPP; 2088 2089 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); 2090 if (IS_ERR(stats)) 2091 return PTR_ERR(stats); 2092 } 2093 2094 err = -ENOMEM; 2095 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN, 2096 sizeof(struct nft_trans_chain)); 2097 if (trans == NULL) 2098 goto err; 2099 2100 nft_trans_chain_stats(trans) = stats; 2101 nft_trans_chain_update(trans) = true; 2102 2103 if (nla[NFTA_CHAIN_POLICY]) 2104 nft_trans_chain_policy(trans) = policy; 2105 else 2106 nft_trans_chain_policy(trans) = -1; 2107 2108 if (nla[NFTA_CHAIN_HANDLE] && 2109 nla[NFTA_CHAIN_NAME]) { 2110 struct nft_trans *tmp; 2111 char *name; 2112 2113 err = -ENOMEM; 2114 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL); 2115 if (!name) 2116 goto err; 2117 2118 err = -EEXIST; 2119 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) { 2120 if (tmp->msg_type == NFT_MSG_NEWCHAIN && 2121 tmp->ctx.table == table && 2122 nft_trans_chain_update(tmp) && 2123 nft_trans_chain_name(tmp) && 2124 strcmp(name, nft_trans_chain_name(tmp)) == 0) { 2125 kfree(name); 2126 goto err; 2127 } 2128 } 2129 2130 nft_trans_chain_name(trans) = name; 2131 } 2132 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 2133 2134 return 0; 2135 err: 2136 free_percpu(stats); 2137 kfree(trans); 2138 return err; 2139 } 2140 2141 static int nf_tables_newchain(struct net *net, struct sock *nlsk, 2142 struct sk_buff *skb, const struct nlmsghdr *nlh, 2143 const struct nlattr * const nla[], 2144 struct netlink_ext_ack *extack) 2145 { 2146 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2147 u8 genmask = nft_genmask_next(net); 2148 int family = nfmsg->nfgen_family; 2149 const struct nlattr *attr; 2150 struct nft_table *table; 2151 struct nft_chain *chain; 2152 u8 policy = NF_ACCEPT; 2153 struct nft_ctx ctx; 2154 u64 handle = 0; 2155 u32 flags = 0; 2156 2157 lockdep_assert_held(&net->nft.commit_mutex); 2158 2159 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask); 2160 if (IS_ERR(table)) { 2161 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 2162 return PTR_ERR(table); 2163 } 2164 2165 chain = NULL; 2166 attr = nla[NFTA_CHAIN_NAME]; 2167 2168 if (nla[NFTA_CHAIN_HANDLE]) { 2169 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE])); 2170 chain = nft_chain_lookup_byhandle(table, handle, genmask); 2171 if (IS_ERR(chain)) { 2172 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]); 2173 return PTR_ERR(chain); 2174 } 2175 attr = nla[NFTA_CHAIN_HANDLE]; 2176 } else { 2177 chain = nft_chain_lookup(net, table, attr, genmask); 2178 if (IS_ERR(chain)) { 2179 if (PTR_ERR(chain) != -ENOENT) { 2180 NL_SET_BAD_ATTR(extack, attr); 2181 return PTR_ERR(chain); 2182 } 2183 chain = NULL; 2184 } 2185 } 2186 2187 if (nla[NFTA_CHAIN_POLICY]) { 2188 if (chain != NULL && 2189 !nft_is_base_chain(chain)) { 2190 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]); 2191 return -EOPNOTSUPP; 2192 } 2193 2194 if (chain == NULL && 2195 nla[NFTA_CHAIN_HOOK] == NULL) { 2196 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]); 2197 return -EOPNOTSUPP; 2198 } 2199 2200 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY])); 2201 switch (policy) { 2202 case NF_DROP: 2203 case NF_ACCEPT: 2204 break; 2205 default: 2206 return -EINVAL; 2207 } 2208 } 2209 2210 if (nla[NFTA_CHAIN_FLAGS]) 2211 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS])); 2212 else if (chain) 2213 flags = chain->flags; 2214 2215 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla); 2216 2217 if (chain != NULL) { 2218 if (nlh->nlmsg_flags & NLM_F_EXCL) { 2219 NL_SET_BAD_ATTR(extack, attr); 2220 return -EEXIST; 2221 } 2222 if (nlh->nlmsg_flags & NLM_F_REPLACE) 2223 return -EOPNOTSUPP; 2224 2225 flags |= chain->flags & NFT_BASE_CHAIN; 2226 return nf_tables_updchain(&ctx, genmask, policy, flags); 2227 } 2228 2229 return nf_tables_addchain(&ctx, family, genmask, policy, flags); 2230 } 2231 2232 static int nf_tables_delchain(struct net *net, struct sock *nlsk, 2233 struct sk_buff *skb, const struct nlmsghdr *nlh, 2234 const struct nlattr * const nla[], 2235 struct netlink_ext_ack *extack) 2236 { 2237 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2238 u8 genmask = nft_genmask_next(net); 2239 int family = nfmsg->nfgen_family; 2240 const struct nlattr *attr; 2241 struct nft_table *table; 2242 struct nft_chain *chain; 2243 struct nft_rule *rule; 2244 struct nft_ctx ctx; 2245 u64 handle; 2246 u32 use; 2247 int err; 2248 2249 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask); 2250 if (IS_ERR(table)) { 2251 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]); 2252 return PTR_ERR(table); 2253 } 2254 2255 if (nla[NFTA_CHAIN_HANDLE]) { 2256 attr = nla[NFTA_CHAIN_HANDLE]; 2257 handle = be64_to_cpu(nla_get_be64(attr)); 2258 chain = nft_chain_lookup_byhandle(table, handle, genmask); 2259 } else { 2260 attr = nla[NFTA_CHAIN_NAME]; 2261 chain = nft_chain_lookup(net, table, attr, genmask); 2262 } 2263 if (IS_ERR(chain)) { 2264 NL_SET_BAD_ATTR(extack, attr); 2265 return PTR_ERR(chain); 2266 } 2267 2268 if (nlh->nlmsg_flags & NLM_F_NONREC && 2269 chain->use > 0) 2270 return -EBUSY; 2271 2272 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla); 2273 2274 use = chain->use; 2275 list_for_each_entry(rule, &chain->rules, list) { 2276 if (!nft_is_active_next(net, rule)) 2277 continue; 2278 use--; 2279 2280 err = nft_delrule(&ctx, rule); 2281 if (err < 0) 2282 return err; 2283 } 2284 2285 /* There are rules and elements that are still holding references to us, 2286 * we cannot do a recursive removal in this case. 2287 */ 2288 if (use > 0) { 2289 NL_SET_BAD_ATTR(extack, attr); 2290 return -EBUSY; 2291 } 2292 2293 return nft_delchain(&ctx); 2294 } 2295 2296 /* 2297 * Expressions 2298 */ 2299 2300 /** 2301 * nft_register_expr - register nf_tables expr type 2302 * @ops: expr type 2303 * 2304 * Registers the expr type for use with nf_tables. Returns zero on 2305 * success or a negative errno code otherwise. 2306 */ 2307 int nft_register_expr(struct nft_expr_type *type) 2308 { 2309 nfnl_lock(NFNL_SUBSYS_NFTABLES); 2310 if (type->family == NFPROTO_UNSPEC) 2311 list_add_tail_rcu(&type->list, &nf_tables_expressions); 2312 else 2313 list_add_rcu(&type->list, &nf_tables_expressions); 2314 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 2315 return 0; 2316 } 2317 EXPORT_SYMBOL_GPL(nft_register_expr); 2318 2319 /** 2320 * nft_unregister_expr - unregister nf_tables expr type 2321 * @ops: expr type 2322 * 2323 * Unregisters the expr typefor use with nf_tables. 2324 */ 2325 void nft_unregister_expr(struct nft_expr_type *type) 2326 { 2327 nfnl_lock(NFNL_SUBSYS_NFTABLES); 2328 list_del_rcu(&type->list); 2329 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 2330 } 2331 EXPORT_SYMBOL_GPL(nft_unregister_expr); 2332 2333 static const struct nft_expr_type *__nft_expr_type_get(u8 family, 2334 struct nlattr *nla) 2335 { 2336 const struct nft_expr_type *type, *candidate = NULL; 2337 2338 list_for_each_entry(type, &nf_tables_expressions, list) { 2339 if (!nla_strcmp(nla, type->name)) { 2340 if (!type->family && !candidate) 2341 candidate = type; 2342 else if (type->family == family) 2343 candidate = type; 2344 } 2345 } 2346 return candidate; 2347 } 2348 2349 #ifdef CONFIG_MODULES 2350 static int nft_expr_type_request_module(struct net *net, u8 family, 2351 struct nlattr *nla) 2352 { 2353 if (nft_request_module(net, "nft-expr-%u-%.*s", family, 2354 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN) 2355 return -EAGAIN; 2356 2357 return 0; 2358 } 2359 #endif 2360 2361 static const struct nft_expr_type *nft_expr_type_get(struct net *net, 2362 u8 family, 2363 struct nlattr *nla) 2364 { 2365 const struct nft_expr_type *type; 2366 2367 if (nla == NULL) 2368 return ERR_PTR(-EINVAL); 2369 2370 type = __nft_expr_type_get(family, nla); 2371 if (type != NULL && try_module_get(type->owner)) 2372 return type; 2373 2374 lockdep_nfnl_nft_mutex_not_held(); 2375 #ifdef CONFIG_MODULES 2376 if (type == NULL) { 2377 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN) 2378 return ERR_PTR(-EAGAIN); 2379 2380 if (nft_request_module(net, "nft-expr-%.*s", 2381 nla_len(nla), 2382 (char *)nla_data(nla)) == -EAGAIN) 2383 return ERR_PTR(-EAGAIN); 2384 } 2385 #endif 2386 return ERR_PTR(-ENOENT); 2387 } 2388 2389 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = { 2390 [NFTA_EXPR_NAME] = { .type = NLA_STRING, 2391 .len = NFT_MODULE_AUTOLOAD_LIMIT }, 2392 [NFTA_EXPR_DATA] = { .type = NLA_NESTED }, 2393 }; 2394 2395 static int nf_tables_fill_expr_info(struct sk_buff *skb, 2396 const struct nft_expr *expr) 2397 { 2398 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name)) 2399 goto nla_put_failure; 2400 2401 if (expr->ops->dump) { 2402 struct nlattr *data = nla_nest_start_noflag(skb, 2403 NFTA_EXPR_DATA); 2404 if (data == NULL) 2405 goto nla_put_failure; 2406 if (expr->ops->dump(skb, expr) < 0) 2407 goto nla_put_failure; 2408 nla_nest_end(skb, data); 2409 } 2410 2411 return skb->len; 2412 2413 nla_put_failure: 2414 return -1; 2415 }; 2416 2417 int nft_expr_dump(struct sk_buff *skb, unsigned int attr, 2418 const struct nft_expr *expr) 2419 { 2420 struct nlattr *nest; 2421 2422 nest = nla_nest_start_noflag(skb, attr); 2423 if (!nest) 2424 goto nla_put_failure; 2425 if (nf_tables_fill_expr_info(skb, expr) < 0) 2426 goto nla_put_failure; 2427 nla_nest_end(skb, nest); 2428 return 0; 2429 2430 nla_put_failure: 2431 return -1; 2432 } 2433 2434 struct nft_expr_info { 2435 const struct nft_expr_ops *ops; 2436 struct nlattr *tb[NFT_EXPR_MAXATTR + 1]; 2437 }; 2438 2439 static int nf_tables_expr_parse(const struct nft_ctx *ctx, 2440 const struct nlattr *nla, 2441 struct nft_expr_info *info) 2442 { 2443 const struct nft_expr_type *type; 2444 const struct nft_expr_ops *ops; 2445 struct nlattr *tb[NFTA_EXPR_MAX + 1]; 2446 int err; 2447 2448 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla, 2449 nft_expr_policy, NULL); 2450 if (err < 0) 2451 return err; 2452 2453 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]); 2454 if (IS_ERR(type)) 2455 return PTR_ERR(type); 2456 2457 if (tb[NFTA_EXPR_DATA]) { 2458 err = nla_parse_nested_deprecated(info->tb, type->maxattr, 2459 tb[NFTA_EXPR_DATA], 2460 type->policy, NULL); 2461 if (err < 0) 2462 goto err1; 2463 } else 2464 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1)); 2465 2466 if (type->select_ops != NULL) { 2467 ops = type->select_ops(ctx, 2468 (const struct nlattr * const *)info->tb); 2469 if (IS_ERR(ops)) { 2470 err = PTR_ERR(ops); 2471 #ifdef CONFIG_MODULES 2472 if (err == -EAGAIN) 2473 if (nft_expr_type_request_module(ctx->net, 2474 ctx->family, 2475 tb[NFTA_EXPR_NAME]) != -EAGAIN) 2476 err = -ENOENT; 2477 #endif 2478 goto err1; 2479 } 2480 } else 2481 ops = type->ops; 2482 2483 info->ops = ops; 2484 return 0; 2485 2486 err1: 2487 module_put(type->owner); 2488 return err; 2489 } 2490 2491 static int nf_tables_newexpr(const struct nft_ctx *ctx, 2492 const struct nft_expr_info *info, 2493 struct nft_expr *expr) 2494 { 2495 const struct nft_expr_ops *ops = info->ops; 2496 int err; 2497 2498 expr->ops = ops; 2499 if (ops->init) { 2500 err = ops->init(ctx, expr, (const struct nlattr **)info->tb); 2501 if (err < 0) 2502 goto err1; 2503 } 2504 2505 return 0; 2506 err1: 2507 expr->ops = NULL; 2508 return err; 2509 } 2510 2511 static void nf_tables_expr_destroy(const struct nft_ctx *ctx, 2512 struct nft_expr *expr) 2513 { 2514 const struct nft_expr_type *type = expr->ops->type; 2515 2516 if (expr->ops->destroy) 2517 expr->ops->destroy(ctx, expr); 2518 module_put(type->owner); 2519 } 2520 2521 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx, 2522 const struct nlattr *nla) 2523 { 2524 struct nft_expr_info info; 2525 struct nft_expr *expr; 2526 struct module *owner; 2527 int err; 2528 2529 err = nf_tables_expr_parse(ctx, nla, &info); 2530 if (err < 0) 2531 goto err1; 2532 2533 err = -ENOMEM; 2534 expr = kzalloc(info.ops->size, GFP_KERNEL); 2535 if (expr == NULL) 2536 goto err2; 2537 2538 err = nf_tables_newexpr(ctx, &info, expr); 2539 if (err < 0) 2540 goto err3; 2541 2542 return expr; 2543 err3: 2544 kfree(expr); 2545 err2: 2546 owner = info.ops->type->owner; 2547 if (info.ops->type->release_ops) 2548 info.ops->type->release_ops(info.ops); 2549 2550 module_put(owner); 2551 err1: 2552 return ERR_PTR(err); 2553 } 2554 2555 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr) 2556 { 2557 nf_tables_expr_destroy(ctx, expr); 2558 kfree(expr); 2559 } 2560 2561 /* 2562 * Rules 2563 */ 2564 2565 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain, 2566 u64 handle) 2567 { 2568 struct nft_rule *rule; 2569 2570 // FIXME: this sucks 2571 list_for_each_entry_rcu(rule, &chain->rules, list) { 2572 if (handle == rule->handle) 2573 return rule; 2574 } 2575 2576 return ERR_PTR(-ENOENT); 2577 } 2578 2579 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain, 2580 const struct nlattr *nla) 2581 { 2582 if (nla == NULL) 2583 return ERR_PTR(-EINVAL); 2584 2585 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla))); 2586 } 2587 2588 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = { 2589 [NFTA_RULE_TABLE] = { .type = NLA_STRING, 2590 .len = NFT_TABLE_MAXNAMELEN - 1 }, 2591 [NFTA_RULE_CHAIN] = { .type = NLA_STRING, 2592 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 2593 [NFTA_RULE_HANDLE] = { .type = NLA_U64 }, 2594 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED }, 2595 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED }, 2596 [NFTA_RULE_POSITION] = { .type = NLA_U64 }, 2597 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY, 2598 .len = NFT_USERDATA_MAXLEN }, 2599 [NFTA_RULE_ID] = { .type = NLA_U32 }, 2600 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 }, 2601 }; 2602 2603 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net, 2604 u32 portid, u32 seq, int event, 2605 u32 flags, int family, 2606 const struct nft_table *table, 2607 const struct nft_chain *chain, 2608 const struct nft_rule *rule, 2609 const struct nft_rule *prule) 2610 { 2611 struct nlmsghdr *nlh; 2612 struct nfgenmsg *nfmsg; 2613 const struct nft_expr *expr, *next; 2614 struct nlattr *list; 2615 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 2616 2617 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags); 2618 if (nlh == NULL) 2619 goto nla_put_failure; 2620 2621 nfmsg = nlmsg_data(nlh); 2622 nfmsg->nfgen_family = family; 2623 nfmsg->version = NFNETLINK_V0; 2624 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 2625 2626 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name)) 2627 goto nla_put_failure; 2628 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name)) 2629 goto nla_put_failure; 2630 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle), 2631 NFTA_RULE_PAD)) 2632 goto nla_put_failure; 2633 2634 if (event != NFT_MSG_DELRULE && prule) { 2635 if (nla_put_be64(skb, NFTA_RULE_POSITION, 2636 cpu_to_be64(prule->handle), 2637 NFTA_RULE_PAD)) 2638 goto nla_put_failure; 2639 } 2640 2641 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS); 2642 if (list == NULL) 2643 goto nla_put_failure; 2644 nft_rule_for_each_expr(expr, next, rule) { 2645 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0) 2646 goto nla_put_failure; 2647 } 2648 nla_nest_end(skb, list); 2649 2650 if (rule->udata) { 2651 struct nft_userdata *udata = nft_userdata(rule); 2652 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1, 2653 udata->data) < 0) 2654 goto nla_put_failure; 2655 } 2656 2657 nlmsg_end(skb, nlh); 2658 return 0; 2659 2660 nla_put_failure: 2661 nlmsg_trim(skb, nlh); 2662 return -1; 2663 } 2664 2665 static void nf_tables_rule_notify(const struct nft_ctx *ctx, 2666 const struct nft_rule *rule, int event) 2667 { 2668 struct sk_buff *skb; 2669 int err; 2670 2671 if (!ctx->report && 2672 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 2673 return; 2674 2675 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 2676 if (skb == NULL) 2677 goto err; 2678 2679 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq, 2680 event, 0, ctx->family, ctx->table, 2681 ctx->chain, rule, NULL); 2682 if (err < 0) { 2683 kfree_skb(skb); 2684 goto err; 2685 } 2686 2687 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES, 2688 ctx->report, GFP_KERNEL); 2689 return; 2690 err: 2691 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 2692 } 2693 2694 struct nft_rule_dump_ctx { 2695 char *table; 2696 char *chain; 2697 }; 2698 2699 static int __nf_tables_dump_rules(struct sk_buff *skb, 2700 unsigned int *idx, 2701 struct netlink_callback *cb, 2702 const struct nft_table *table, 2703 const struct nft_chain *chain) 2704 { 2705 struct net *net = sock_net(skb->sk); 2706 const struct nft_rule *rule, *prule; 2707 unsigned int s_idx = cb->args[0]; 2708 2709 prule = NULL; 2710 list_for_each_entry_rcu(rule, &chain->rules, list) { 2711 if (!nft_is_active(net, rule)) 2712 goto cont_skip; 2713 if (*idx < s_idx) 2714 goto cont; 2715 if (*idx > s_idx) { 2716 memset(&cb->args[1], 0, 2717 sizeof(cb->args) - sizeof(cb->args[0])); 2718 } 2719 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid, 2720 cb->nlh->nlmsg_seq, 2721 NFT_MSG_NEWRULE, 2722 NLM_F_MULTI | NLM_F_APPEND, 2723 table->family, 2724 table, chain, rule, prule) < 0) 2725 return 1; 2726 2727 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 2728 cont: 2729 prule = rule; 2730 cont_skip: 2731 (*idx)++; 2732 } 2733 return 0; 2734 } 2735 2736 static int nf_tables_dump_rules(struct sk_buff *skb, 2737 struct netlink_callback *cb) 2738 { 2739 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 2740 const struct nft_rule_dump_ctx *ctx = cb->data; 2741 struct nft_table *table; 2742 const struct nft_chain *chain; 2743 unsigned int idx = 0; 2744 struct net *net = sock_net(skb->sk); 2745 int family = nfmsg->nfgen_family; 2746 2747 rcu_read_lock(); 2748 cb->seq = net->nft.base_seq; 2749 2750 list_for_each_entry_rcu(table, &net->nft.tables, list) { 2751 if (family != NFPROTO_UNSPEC && family != table->family) 2752 continue; 2753 2754 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0) 2755 continue; 2756 2757 if (ctx && ctx->table && ctx->chain) { 2758 struct rhlist_head *list, *tmp; 2759 2760 list = rhltable_lookup(&table->chains_ht, ctx->chain, 2761 nft_chain_ht_params); 2762 if (!list) 2763 goto done; 2764 2765 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) { 2766 if (!nft_is_active(net, chain)) 2767 continue; 2768 __nf_tables_dump_rules(skb, &idx, 2769 cb, table, chain); 2770 break; 2771 } 2772 goto done; 2773 } 2774 2775 list_for_each_entry_rcu(chain, &table->chains, list) { 2776 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain)) 2777 goto done; 2778 } 2779 2780 if (ctx && ctx->table) 2781 break; 2782 } 2783 done: 2784 rcu_read_unlock(); 2785 2786 cb->args[0] = idx; 2787 return skb->len; 2788 } 2789 2790 static int nf_tables_dump_rules_start(struct netlink_callback *cb) 2791 { 2792 const struct nlattr * const *nla = cb->data; 2793 struct nft_rule_dump_ctx *ctx = NULL; 2794 2795 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) { 2796 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC); 2797 if (!ctx) 2798 return -ENOMEM; 2799 2800 if (nla[NFTA_RULE_TABLE]) { 2801 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE], 2802 GFP_ATOMIC); 2803 if (!ctx->table) { 2804 kfree(ctx); 2805 return -ENOMEM; 2806 } 2807 } 2808 if (nla[NFTA_RULE_CHAIN]) { 2809 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN], 2810 GFP_ATOMIC); 2811 if (!ctx->chain) { 2812 kfree(ctx->table); 2813 kfree(ctx); 2814 return -ENOMEM; 2815 } 2816 } 2817 } 2818 2819 cb->data = ctx; 2820 return 0; 2821 } 2822 2823 static int nf_tables_dump_rules_done(struct netlink_callback *cb) 2824 { 2825 struct nft_rule_dump_ctx *ctx = cb->data; 2826 2827 if (ctx) { 2828 kfree(ctx->table); 2829 kfree(ctx->chain); 2830 kfree(ctx); 2831 } 2832 return 0; 2833 } 2834 2835 /* called with rcu_read_lock held */ 2836 static int nf_tables_getrule(struct net *net, struct sock *nlsk, 2837 struct sk_buff *skb, const struct nlmsghdr *nlh, 2838 const struct nlattr * const nla[], 2839 struct netlink_ext_ack *extack) 2840 { 2841 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2842 u8 genmask = nft_genmask_cur(net); 2843 const struct nft_chain *chain; 2844 const struct nft_rule *rule; 2845 struct nft_table *table; 2846 struct sk_buff *skb2; 2847 int family = nfmsg->nfgen_family; 2848 int err; 2849 2850 if (nlh->nlmsg_flags & NLM_F_DUMP) { 2851 struct netlink_dump_control c = { 2852 .start= nf_tables_dump_rules_start, 2853 .dump = nf_tables_dump_rules, 2854 .done = nf_tables_dump_rules_done, 2855 .module = THIS_MODULE, 2856 .data = (void *)nla, 2857 }; 2858 2859 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 2860 } 2861 2862 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask); 2863 if (IS_ERR(table)) { 2864 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 2865 return PTR_ERR(table); 2866 } 2867 2868 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask); 2869 if (IS_ERR(chain)) { 2870 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 2871 return PTR_ERR(chain); 2872 } 2873 2874 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]); 2875 if (IS_ERR(rule)) { 2876 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 2877 return PTR_ERR(rule); 2878 } 2879 2880 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 2881 if (!skb2) 2882 return -ENOMEM; 2883 2884 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid, 2885 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0, 2886 family, table, chain, rule, NULL); 2887 if (err < 0) 2888 goto err; 2889 2890 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); 2891 2892 err: 2893 kfree_skb(skb2); 2894 return err; 2895 } 2896 2897 static void nf_tables_rule_destroy(const struct nft_ctx *ctx, 2898 struct nft_rule *rule) 2899 { 2900 struct nft_expr *expr, *next; 2901 2902 /* 2903 * Careful: some expressions might not be initialized in case this 2904 * is called on error from nf_tables_newrule(). 2905 */ 2906 expr = nft_expr_first(rule); 2907 while (expr != nft_expr_last(rule) && expr->ops) { 2908 next = nft_expr_next(expr); 2909 nf_tables_expr_destroy(ctx, expr); 2910 expr = next; 2911 } 2912 kfree(rule); 2913 } 2914 2915 static void nf_tables_rule_release(const struct nft_ctx *ctx, 2916 struct nft_rule *rule) 2917 { 2918 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE); 2919 nf_tables_rule_destroy(ctx, rule); 2920 } 2921 2922 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain) 2923 { 2924 struct nft_expr *expr, *last; 2925 const struct nft_data *data; 2926 struct nft_rule *rule; 2927 int err; 2928 2929 if (ctx->level == NFT_JUMP_STACK_SIZE) 2930 return -EMLINK; 2931 2932 list_for_each_entry(rule, &chain->rules, list) { 2933 if (!nft_is_active_next(ctx->net, rule)) 2934 continue; 2935 2936 nft_rule_for_each_expr(expr, last, rule) { 2937 if (!expr->ops->validate) 2938 continue; 2939 2940 err = expr->ops->validate(ctx, expr, &data); 2941 if (err < 0) 2942 return err; 2943 } 2944 } 2945 2946 return 0; 2947 } 2948 EXPORT_SYMBOL_GPL(nft_chain_validate); 2949 2950 static int nft_table_validate(struct net *net, const struct nft_table *table) 2951 { 2952 struct nft_chain *chain; 2953 struct nft_ctx ctx = { 2954 .net = net, 2955 .family = table->family, 2956 }; 2957 int err; 2958 2959 list_for_each_entry(chain, &table->chains, list) { 2960 if (!nft_is_base_chain(chain)) 2961 continue; 2962 2963 ctx.chain = chain; 2964 err = nft_chain_validate(&ctx, chain); 2965 if (err < 0) 2966 return err; 2967 } 2968 2969 return 0; 2970 } 2971 2972 static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 2973 const struct nlattr *nla); 2974 2975 #define NFT_RULE_MAXEXPRS 128 2976 2977 static int nf_tables_newrule(struct net *net, struct sock *nlsk, 2978 struct sk_buff *skb, const struct nlmsghdr *nlh, 2979 const struct nlattr * const nla[], 2980 struct netlink_ext_ack *extack) 2981 { 2982 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2983 u8 genmask = nft_genmask_next(net); 2984 struct nft_expr_info *info = NULL; 2985 int family = nfmsg->nfgen_family; 2986 struct nft_flow_rule *flow; 2987 struct nft_table *table; 2988 struct nft_chain *chain; 2989 struct nft_rule *rule, *old_rule = NULL; 2990 struct nft_userdata *udata; 2991 struct nft_trans *trans = NULL; 2992 struct nft_expr *expr; 2993 struct nft_ctx ctx; 2994 struct nlattr *tmp; 2995 unsigned int size, i, n, ulen = 0, usize = 0; 2996 int err, rem; 2997 u64 handle, pos_handle; 2998 2999 lockdep_assert_held(&net->nft.commit_mutex); 3000 3001 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask); 3002 if (IS_ERR(table)) { 3003 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 3004 return PTR_ERR(table); 3005 } 3006 3007 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask); 3008 if (IS_ERR(chain)) { 3009 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 3010 return PTR_ERR(chain); 3011 } 3012 3013 if (nla[NFTA_RULE_HANDLE]) { 3014 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE])); 3015 rule = __nft_rule_lookup(chain, handle); 3016 if (IS_ERR(rule)) { 3017 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3018 return PTR_ERR(rule); 3019 } 3020 3021 if (nlh->nlmsg_flags & NLM_F_EXCL) { 3022 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3023 return -EEXIST; 3024 } 3025 if (nlh->nlmsg_flags & NLM_F_REPLACE) 3026 old_rule = rule; 3027 else 3028 return -EOPNOTSUPP; 3029 } else { 3030 if (!(nlh->nlmsg_flags & NLM_F_CREATE) || 3031 nlh->nlmsg_flags & NLM_F_REPLACE) 3032 return -EINVAL; 3033 handle = nf_tables_alloc_handle(table); 3034 3035 if (chain->use == UINT_MAX) 3036 return -EOVERFLOW; 3037 3038 if (nla[NFTA_RULE_POSITION]) { 3039 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION])); 3040 old_rule = __nft_rule_lookup(chain, pos_handle); 3041 if (IS_ERR(old_rule)) { 3042 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]); 3043 return PTR_ERR(old_rule); 3044 } 3045 } else if (nla[NFTA_RULE_POSITION_ID]) { 3046 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]); 3047 if (IS_ERR(old_rule)) { 3048 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]); 3049 return PTR_ERR(old_rule); 3050 } 3051 } 3052 } 3053 3054 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla); 3055 3056 n = 0; 3057 size = 0; 3058 if (nla[NFTA_RULE_EXPRESSIONS]) { 3059 info = kvmalloc_array(NFT_RULE_MAXEXPRS, 3060 sizeof(struct nft_expr_info), 3061 GFP_KERNEL); 3062 if (!info) 3063 return -ENOMEM; 3064 3065 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) { 3066 err = -EINVAL; 3067 if (nla_type(tmp) != NFTA_LIST_ELEM) 3068 goto err1; 3069 if (n == NFT_RULE_MAXEXPRS) 3070 goto err1; 3071 err = nf_tables_expr_parse(&ctx, tmp, &info[n]); 3072 if (err < 0) 3073 goto err1; 3074 size += info[n].ops->size; 3075 n++; 3076 } 3077 } 3078 /* Check for overflow of dlen field */ 3079 err = -EFBIG; 3080 if (size >= 1 << 12) 3081 goto err1; 3082 3083 if (nla[NFTA_RULE_USERDATA]) { 3084 ulen = nla_len(nla[NFTA_RULE_USERDATA]); 3085 if (ulen > 0) 3086 usize = sizeof(struct nft_userdata) + ulen; 3087 } 3088 3089 err = -ENOMEM; 3090 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL); 3091 if (rule == NULL) 3092 goto err1; 3093 3094 nft_activate_next(net, rule); 3095 3096 rule->handle = handle; 3097 rule->dlen = size; 3098 rule->udata = ulen ? 1 : 0; 3099 3100 if (ulen) { 3101 udata = nft_userdata(rule); 3102 udata->len = ulen - 1; 3103 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen); 3104 } 3105 3106 expr = nft_expr_first(rule); 3107 for (i = 0; i < n; i++) { 3108 err = nf_tables_newexpr(&ctx, &info[i], expr); 3109 if (err < 0) 3110 goto err2; 3111 3112 if (info[i].ops->validate) 3113 nft_validate_state_update(net, NFT_VALIDATE_NEED); 3114 3115 info[i].ops = NULL; 3116 expr = nft_expr_next(expr); 3117 } 3118 3119 if (nlh->nlmsg_flags & NLM_F_REPLACE) { 3120 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); 3121 if (trans == NULL) { 3122 err = -ENOMEM; 3123 goto err2; 3124 } 3125 err = nft_delrule(&ctx, old_rule); 3126 if (err < 0) { 3127 nft_trans_destroy(trans); 3128 goto err2; 3129 } 3130 3131 list_add_tail_rcu(&rule->list, &old_rule->list); 3132 } else { 3133 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule); 3134 if (!trans) { 3135 err = -ENOMEM; 3136 goto err2; 3137 } 3138 3139 if (nlh->nlmsg_flags & NLM_F_APPEND) { 3140 if (old_rule) 3141 list_add_rcu(&rule->list, &old_rule->list); 3142 else 3143 list_add_tail_rcu(&rule->list, &chain->rules); 3144 } else { 3145 if (old_rule) 3146 list_add_tail_rcu(&rule->list, &old_rule->list); 3147 else 3148 list_add_rcu(&rule->list, &chain->rules); 3149 } 3150 } 3151 kvfree(info); 3152 chain->use++; 3153 3154 if (net->nft.validate_state == NFT_VALIDATE_DO) 3155 return nft_table_validate(net, table); 3156 3157 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) { 3158 flow = nft_flow_rule_create(net, rule); 3159 if (IS_ERR(flow)) 3160 return PTR_ERR(flow); 3161 3162 nft_trans_flow_rule(trans) = flow; 3163 } 3164 3165 return 0; 3166 err2: 3167 nf_tables_rule_release(&ctx, rule); 3168 err1: 3169 for (i = 0; i < n; i++) { 3170 if (info[i].ops) { 3171 module_put(info[i].ops->type->owner); 3172 if (info[i].ops->type->release_ops) 3173 info[i].ops->type->release_ops(info[i].ops); 3174 } 3175 } 3176 kvfree(info); 3177 return err; 3178 } 3179 3180 static struct nft_rule *nft_rule_lookup_byid(const struct net *net, 3181 const struct nlattr *nla) 3182 { 3183 u32 id = ntohl(nla_get_be32(nla)); 3184 struct nft_trans *trans; 3185 3186 list_for_each_entry(trans, &net->nft.commit_list, list) { 3187 struct nft_rule *rule = nft_trans_rule(trans); 3188 3189 if (trans->msg_type == NFT_MSG_NEWRULE && 3190 id == nft_trans_rule_id(trans)) 3191 return rule; 3192 } 3193 return ERR_PTR(-ENOENT); 3194 } 3195 3196 static int nf_tables_delrule(struct net *net, struct sock *nlsk, 3197 struct sk_buff *skb, const struct nlmsghdr *nlh, 3198 const struct nlattr * const nla[], 3199 struct netlink_ext_ack *extack) 3200 { 3201 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 3202 u8 genmask = nft_genmask_next(net); 3203 struct nft_table *table; 3204 struct nft_chain *chain = NULL; 3205 struct nft_rule *rule; 3206 int family = nfmsg->nfgen_family, err = 0; 3207 struct nft_ctx ctx; 3208 3209 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask); 3210 if (IS_ERR(table)) { 3211 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]); 3212 return PTR_ERR(table); 3213 } 3214 3215 if (nla[NFTA_RULE_CHAIN]) { 3216 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], 3217 genmask); 3218 if (IS_ERR(chain)) { 3219 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]); 3220 return PTR_ERR(chain); 3221 } 3222 } 3223 3224 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla); 3225 3226 if (chain) { 3227 if (nla[NFTA_RULE_HANDLE]) { 3228 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]); 3229 if (IS_ERR(rule)) { 3230 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]); 3231 return PTR_ERR(rule); 3232 } 3233 3234 err = nft_delrule(&ctx, rule); 3235 } else if (nla[NFTA_RULE_ID]) { 3236 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]); 3237 if (IS_ERR(rule)) { 3238 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]); 3239 return PTR_ERR(rule); 3240 } 3241 3242 err = nft_delrule(&ctx, rule); 3243 } else { 3244 err = nft_delrule_by_chain(&ctx); 3245 } 3246 } else { 3247 list_for_each_entry(chain, &table->chains, list) { 3248 if (!nft_is_active_next(net, chain)) 3249 continue; 3250 3251 ctx.chain = chain; 3252 err = nft_delrule_by_chain(&ctx); 3253 if (err < 0) 3254 break; 3255 } 3256 } 3257 3258 return err; 3259 } 3260 3261 /* 3262 * Sets 3263 */ 3264 3265 static LIST_HEAD(nf_tables_set_types); 3266 3267 int nft_register_set(struct nft_set_type *type) 3268 { 3269 nfnl_lock(NFNL_SUBSYS_NFTABLES); 3270 list_add_tail_rcu(&type->list, &nf_tables_set_types); 3271 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 3272 return 0; 3273 } 3274 EXPORT_SYMBOL_GPL(nft_register_set); 3275 3276 void nft_unregister_set(struct nft_set_type *type) 3277 { 3278 nfnl_lock(NFNL_SUBSYS_NFTABLES); 3279 list_del_rcu(&type->list); 3280 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 3281 } 3282 EXPORT_SYMBOL_GPL(nft_unregister_set); 3283 3284 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \ 3285 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \ 3286 NFT_SET_EVAL) 3287 3288 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags) 3289 { 3290 return (flags & type->features) == (flags & NFT_SET_FEATURES); 3291 } 3292 3293 /* 3294 * Select a set implementation based on the data characteristics and the 3295 * given policy. The total memory use might not be known if no size is 3296 * given, in that case the amount of memory per element is used. 3297 */ 3298 static const struct nft_set_ops * 3299 nft_select_set_ops(const struct nft_ctx *ctx, 3300 const struct nlattr * const nla[], 3301 const struct nft_set_desc *desc, 3302 enum nft_set_policies policy) 3303 { 3304 const struct nft_set_ops *ops, *bops; 3305 struct nft_set_estimate est, best; 3306 const struct nft_set_type *type; 3307 u32 flags = 0; 3308 3309 lockdep_assert_held(&ctx->net->nft.commit_mutex); 3310 lockdep_nfnl_nft_mutex_not_held(); 3311 #ifdef CONFIG_MODULES 3312 if (list_empty(&nf_tables_set_types)) { 3313 if (nft_request_module(ctx->net, "nft-set") == -EAGAIN) 3314 return ERR_PTR(-EAGAIN); 3315 } 3316 #endif 3317 if (nla[NFTA_SET_FLAGS] != NULL) 3318 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); 3319 3320 bops = NULL; 3321 best.size = ~0; 3322 best.lookup = ~0; 3323 best.space = ~0; 3324 3325 list_for_each_entry(type, &nf_tables_set_types, list) { 3326 ops = &type->ops; 3327 3328 if (!nft_set_ops_candidate(type, flags)) 3329 continue; 3330 if (!ops->estimate(desc, flags, &est)) 3331 continue; 3332 3333 switch (policy) { 3334 case NFT_SET_POL_PERFORMANCE: 3335 if (est.lookup < best.lookup) 3336 break; 3337 if (est.lookup == best.lookup && 3338 est.space < best.space) 3339 break; 3340 continue; 3341 case NFT_SET_POL_MEMORY: 3342 if (!desc->size) { 3343 if (est.space < best.space) 3344 break; 3345 if (est.space == best.space && 3346 est.lookup < best.lookup) 3347 break; 3348 } else if (est.size < best.size || !bops) { 3349 break; 3350 } 3351 continue; 3352 default: 3353 break; 3354 } 3355 3356 if (!try_module_get(type->owner)) 3357 continue; 3358 if (bops != NULL) 3359 module_put(to_set_type(bops)->owner); 3360 3361 bops = ops; 3362 best = est; 3363 } 3364 3365 if (bops != NULL) 3366 return bops; 3367 3368 return ERR_PTR(-EOPNOTSUPP); 3369 } 3370 3371 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = { 3372 [NFTA_SET_TABLE] = { .type = NLA_STRING, 3373 .len = NFT_TABLE_MAXNAMELEN - 1 }, 3374 [NFTA_SET_NAME] = { .type = NLA_STRING, 3375 .len = NFT_SET_MAXNAMELEN - 1 }, 3376 [NFTA_SET_FLAGS] = { .type = NLA_U32 }, 3377 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 }, 3378 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 }, 3379 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 }, 3380 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 }, 3381 [NFTA_SET_POLICY] = { .type = NLA_U32 }, 3382 [NFTA_SET_DESC] = { .type = NLA_NESTED }, 3383 [NFTA_SET_ID] = { .type = NLA_U32 }, 3384 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 }, 3385 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 }, 3386 [NFTA_SET_USERDATA] = { .type = NLA_BINARY, 3387 .len = NFT_USERDATA_MAXLEN }, 3388 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 }, 3389 [NFTA_SET_HANDLE] = { .type = NLA_U64 }, 3390 }; 3391 3392 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = { 3393 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 }, 3394 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED }, 3395 }; 3396 3397 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net, 3398 const struct sk_buff *skb, 3399 const struct nlmsghdr *nlh, 3400 const struct nlattr * const nla[], 3401 struct netlink_ext_ack *extack, 3402 u8 genmask) 3403 { 3404 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 3405 int family = nfmsg->nfgen_family; 3406 struct nft_table *table = NULL; 3407 3408 if (nla[NFTA_SET_TABLE] != NULL) { 3409 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, 3410 genmask); 3411 if (IS_ERR(table)) { 3412 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 3413 return PTR_ERR(table); 3414 } 3415 } 3416 3417 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla); 3418 return 0; 3419 } 3420 3421 static struct nft_set *nft_set_lookup(const struct nft_table *table, 3422 const struct nlattr *nla, u8 genmask) 3423 { 3424 struct nft_set *set; 3425 3426 if (nla == NULL) 3427 return ERR_PTR(-EINVAL); 3428 3429 list_for_each_entry_rcu(set, &table->sets, list) { 3430 if (!nla_strcmp(nla, set->name) && 3431 nft_active_genmask(set, genmask)) 3432 return set; 3433 } 3434 return ERR_PTR(-ENOENT); 3435 } 3436 3437 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table, 3438 const struct nlattr *nla, 3439 u8 genmask) 3440 { 3441 struct nft_set *set; 3442 3443 list_for_each_entry(set, &table->sets, list) { 3444 if (be64_to_cpu(nla_get_be64(nla)) == set->handle && 3445 nft_active_genmask(set, genmask)) 3446 return set; 3447 } 3448 return ERR_PTR(-ENOENT); 3449 } 3450 3451 static struct nft_set *nft_set_lookup_byid(const struct net *net, 3452 const struct nlattr *nla, u8 genmask) 3453 { 3454 struct nft_trans *trans; 3455 u32 id = ntohl(nla_get_be32(nla)); 3456 3457 list_for_each_entry(trans, &net->nft.commit_list, list) { 3458 if (trans->msg_type == NFT_MSG_NEWSET) { 3459 struct nft_set *set = nft_trans_set(trans); 3460 3461 if (id == nft_trans_set_id(trans) && 3462 nft_active_genmask(set, genmask)) 3463 return set; 3464 } 3465 } 3466 return ERR_PTR(-ENOENT); 3467 } 3468 3469 struct nft_set *nft_set_lookup_global(const struct net *net, 3470 const struct nft_table *table, 3471 const struct nlattr *nla_set_name, 3472 const struct nlattr *nla_set_id, 3473 u8 genmask) 3474 { 3475 struct nft_set *set; 3476 3477 set = nft_set_lookup(table, nla_set_name, genmask); 3478 if (IS_ERR(set)) { 3479 if (!nla_set_id) 3480 return set; 3481 3482 set = nft_set_lookup_byid(net, nla_set_id, genmask); 3483 } 3484 return set; 3485 } 3486 EXPORT_SYMBOL_GPL(nft_set_lookup_global); 3487 3488 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set, 3489 const char *name) 3490 { 3491 const struct nft_set *i; 3492 const char *p; 3493 unsigned long *inuse; 3494 unsigned int n = 0, min = 0; 3495 3496 p = strchr(name, '%'); 3497 if (p != NULL) { 3498 if (p[1] != 'd' || strchr(p + 2, '%')) 3499 return -EINVAL; 3500 3501 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL); 3502 if (inuse == NULL) 3503 return -ENOMEM; 3504 cont: 3505 list_for_each_entry(i, &ctx->table->sets, list) { 3506 int tmp; 3507 3508 if (!nft_is_active_next(ctx->net, set)) 3509 continue; 3510 if (!sscanf(i->name, name, &tmp)) 3511 continue; 3512 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE) 3513 continue; 3514 3515 set_bit(tmp - min, inuse); 3516 } 3517 3518 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE); 3519 if (n >= BITS_PER_BYTE * PAGE_SIZE) { 3520 min += BITS_PER_BYTE * PAGE_SIZE; 3521 memset(inuse, 0, PAGE_SIZE); 3522 goto cont; 3523 } 3524 free_page((unsigned long)inuse); 3525 } 3526 3527 set->name = kasprintf(GFP_KERNEL, name, min + n); 3528 if (!set->name) 3529 return -ENOMEM; 3530 3531 list_for_each_entry(i, &ctx->table->sets, list) { 3532 if (!nft_is_active_next(ctx->net, i)) 3533 continue; 3534 if (!strcmp(set->name, i->name)) { 3535 kfree(set->name); 3536 return -ENFILE; 3537 } 3538 } 3539 return 0; 3540 } 3541 3542 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result) 3543 { 3544 u64 ms = be64_to_cpu(nla_get_be64(nla)); 3545 u64 max = (u64)(~((u64)0)); 3546 3547 max = div_u64(max, NSEC_PER_MSEC); 3548 if (ms >= max) 3549 return -ERANGE; 3550 3551 ms *= NSEC_PER_MSEC; 3552 *result = nsecs_to_jiffies64(ms); 3553 return 0; 3554 } 3555 3556 static __be64 nf_jiffies64_to_msecs(u64 input) 3557 { 3558 return cpu_to_be64(jiffies64_to_msecs(input)); 3559 } 3560 3561 static int nf_tables_fill_set_concat(struct sk_buff *skb, 3562 const struct nft_set *set) 3563 { 3564 struct nlattr *concat, *field; 3565 int i; 3566 3567 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT); 3568 if (!concat) 3569 return -ENOMEM; 3570 3571 for (i = 0; i < set->field_count; i++) { 3572 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM); 3573 if (!field) 3574 return -ENOMEM; 3575 3576 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN, 3577 htonl(set->field_len[i]))) 3578 return -ENOMEM; 3579 3580 nla_nest_end(skb, field); 3581 } 3582 3583 nla_nest_end(skb, concat); 3584 3585 return 0; 3586 } 3587 3588 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx, 3589 const struct nft_set *set, u16 event, u16 flags) 3590 { 3591 struct nfgenmsg *nfmsg; 3592 struct nlmsghdr *nlh; 3593 struct nlattr *desc; 3594 u32 portid = ctx->portid; 3595 u32 seq = ctx->seq; 3596 3597 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 3598 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 3599 flags); 3600 if (nlh == NULL) 3601 goto nla_put_failure; 3602 3603 nfmsg = nlmsg_data(nlh); 3604 nfmsg->nfgen_family = ctx->family; 3605 nfmsg->version = NFNETLINK_V0; 3606 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff); 3607 3608 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 3609 goto nla_put_failure; 3610 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 3611 goto nla_put_failure; 3612 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle), 3613 NFTA_SET_PAD)) 3614 goto nla_put_failure; 3615 if (set->flags != 0) 3616 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags))) 3617 goto nla_put_failure; 3618 3619 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype))) 3620 goto nla_put_failure; 3621 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen))) 3622 goto nla_put_failure; 3623 if (set->flags & NFT_SET_MAP) { 3624 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype))) 3625 goto nla_put_failure; 3626 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen))) 3627 goto nla_put_failure; 3628 } 3629 if (set->flags & NFT_SET_OBJECT && 3630 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype))) 3631 goto nla_put_failure; 3632 3633 if (set->timeout && 3634 nla_put_be64(skb, NFTA_SET_TIMEOUT, 3635 nf_jiffies64_to_msecs(set->timeout), 3636 NFTA_SET_PAD)) 3637 goto nla_put_failure; 3638 if (set->gc_int && 3639 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int))) 3640 goto nla_put_failure; 3641 3642 if (set->policy != NFT_SET_POL_PERFORMANCE) { 3643 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy))) 3644 goto nla_put_failure; 3645 } 3646 3647 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata)) 3648 goto nla_put_failure; 3649 3650 desc = nla_nest_start_noflag(skb, NFTA_SET_DESC); 3651 3652 if (desc == NULL) 3653 goto nla_put_failure; 3654 if (set->size && 3655 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size))) 3656 goto nla_put_failure; 3657 3658 if (set->field_count > 1 && 3659 nf_tables_fill_set_concat(skb, set)) 3660 goto nla_put_failure; 3661 3662 nla_nest_end(skb, desc); 3663 3664 nlmsg_end(skb, nlh); 3665 return 0; 3666 3667 nla_put_failure: 3668 nlmsg_trim(skb, nlh); 3669 return -1; 3670 } 3671 3672 static void nf_tables_set_notify(const struct nft_ctx *ctx, 3673 const struct nft_set *set, int event, 3674 gfp_t gfp_flags) 3675 { 3676 struct sk_buff *skb; 3677 u32 portid = ctx->portid; 3678 int err; 3679 3680 if (!ctx->report && 3681 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 3682 return; 3683 3684 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags); 3685 if (skb == NULL) 3686 goto err; 3687 3688 err = nf_tables_fill_set(skb, ctx, set, event, 0); 3689 if (err < 0) { 3690 kfree_skb(skb); 3691 goto err; 3692 } 3693 3694 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report, 3695 gfp_flags); 3696 return; 3697 err: 3698 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 3699 } 3700 3701 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb) 3702 { 3703 const struct nft_set *set; 3704 unsigned int idx, s_idx = cb->args[0]; 3705 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2]; 3706 struct net *net = sock_net(skb->sk); 3707 struct nft_ctx *ctx = cb->data, ctx_set; 3708 3709 if (cb->args[1]) 3710 return skb->len; 3711 3712 rcu_read_lock(); 3713 cb->seq = net->nft.base_seq; 3714 3715 list_for_each_entry_rcu(table, &net->nft.tables, list) { 3716 if (ctx->family != NFPROTO_UNSPEC && 3717 ctx->family != table->family) 3718 continue; 3719 3720 if (ctx->table && ctx->table != table) 3721 continue; 3722 3723 if (cur_table) { 3724 if (cur_table != table) 3725 continue; 3726 3727 cur_table = NULL; 3728 } 3729 idx = 0; 3730 list_for_each_entry_rcu(set, &table->sets, list) { 3731 if (idx < s_idx) 3732 goto cont; 3733 if (!nft_is_active(net, set)) 3734 goto cont; 3735 3736 ctx_set = *ctx; 3737 ctx_set.table = table; 3738 ctx_set.family = table->family; 3739 3740 if (nf_tables_fill_set(skb, &ctx_set, set, 3741 NFT_MSG_NEWSET, 3742 NLM_F_MULTI) < 0) { 3743 cb->args[0] = idx; 3744 cb->args[2] = (unsigned long) table; 3745 goto done; 3746 } 3747 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 3748 cont: 3749 idx++; 3750 } 3751 if (s_idx) 3752 s_idx = 0; 3753 } 3754 cb->args[1] = 1; 3755 done: 3756 rcu_read_unlock(); 3757 return skb->len; 3758 } 3759 3760 static int nf_tables_dump_sets_start(struct netlink_callback *cb) 3761 { 3762 struct nft_ctx *ctx_dump = NULL; 3763 3764 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC); 3765 if (ctx_dump == NULL) 3766 return -ENOMEM; 3767 3768 cb->data = ctx_dump; 3769 return 0; 3770 } 3771 3772 static int nf_tables_dump_sets_done(struct netlink_callback *cb) 3773 { 3774 kfree(cb->data); 3775 return 0; 3776 } 3777 3778 /* called with rcu_read_lock held */ 3779 static int nf_tables_getset(struct net *net, struct sock *nlsk, 3780 struct sk_buff *skb, const struct nlmsghdr *nlh, 3781 const struct nlattr * const nla[], 3782 struct netlink_ext_ack *extack) 3783 { 3784 u8 genmask = nft_genmask_cur(net); 3785 const struct nft_set *set; 3786 struct nft_ctx ctx; 3787 struct sk_buff *skb2; 3788 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 3789 int err; 3790 3791 /* Verify existence before starting dump */ 3792 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack, 3793 genmask); 3794 if (err < 0) 3795 return err; 3796 3797 if (nlh->nlmsg_flags & NLM_F_DUMP) { 3798 struct netlink_dump_control c = { 3799 .start = nf_tables_dump_sets_start, 3800 .dump = nf_tables_dump_sets, 3801 .done = nf_tables_dump_sets_done, 3802 .data = &ctx, 3803 .module = THIS_MODULE, 3804 }; 3805 3806 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 3807 } 3808 3809 /* Only accept unspec with dump */ 3810 if (nfmsg->nfgen_family == NFPROTO_UNSPEC) 3811 return -EAFNOSUPPORT; 3812 if (!nla[NFTA_SET_TABLE]) 3813 return -EINVAL; 3814 3815 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask); 3816 if (IS_ERR(set)) 3817 return PTR_ERR(set); 3818 3819 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 3820 if (skb2 == NULL) 3821 return -ENOMEM; 3822 3823 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0); 3824 if (err < 0) 3825 goto err; 3826 3827 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); 3828 3829 err: 3830 kfree_skb(skb2); 3831 return err; 3832 } 3833 3834 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = { 3835 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 }, 3836 }; 3837 3838 static int nft_set_desc_concat_parse(const struct nlattr *attr, 3839 struct nft_set_desc *desc) 3840 { 3841 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1]; 3842 u32 len; 3843 int err; 3844 3845 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr, 3846 nft_concat_policy, NULL); 3847 if (err < 0) 3848 return err; 3849 3850 if (!tb[NFTA_SET_FIELD_LEN]) 3851 return -EINVAL; 3852 3853 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN])); 3854 3855 if (len * BITS_PER_BYTE / 32 > NFT_REG32_COUNT) 3856 return -E2BIG; 3857 3858 desc->field_len[desc->field_count++] = len; 3859 3860 return 0; 3861 } 3862 3863 static int nft_set_desc_concat(struct nft_set_desc *desc, 3864 const struct nlattr *nla) 3865 { 3866 struct nlattr *attr; 3867 int rem, err; 3868 3869 nla_for_each_nested(attr, nla, rem) { 3870 if (nla_type(attr) != NFTA_LIST_ELEM) 3871 return -EINVAL; 3872 3873 err = nft_set_desc_concat_parse(attr, desc); 3874 if (err < 0) 3875 return err; 3876 } 3877 3878 return 0; 3879 } 3880 3881 static int nf_tables_set_desc_parse(struct nft_set_desc *desc, 3882 const struct nlattr *nla) 3883 { 3884 struct nlattr *da[NFTA_SET_DESC_MAX + 1]; 3885 int err; 3886 3887 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla, 3888 nft_set_desc_policy, NULL); 3889 if (err < 0) 3890 return err; 3891 3892 if (da[NFTA_SET_DESC_SIZE] != NULL) 3893 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE])); 3894 if (da[NFTA_SET_DESC_CONCAT]) 3895 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]); 3896 3897 return err; 3898 } 3899 3900 static int nf_tables_newset(struct net *net, struct sock *nlsk, 3901 struct sk_buff *skb, const struct nlmsghdr *nlh, 3902 const struct nlattr * const nla[], 3903 struct netlink_ext_ack *extack) 3904 { 3905 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 3906 u8 genmask = nft_genmask_next(net); 3907 int family = nfmsg->nfgen_family; 3908 const struct nft_set_ops *ops; 3909 struct nft_table *table; 3910 struct nft_set *set; 3911 struct nft_ctx ctx; 3912 char *name; 3913 u64 size; 3914 u64 timeout; 3915 u32 ktype, dtype, flags, policy, gc_int, objtype; 3916 struct nft_set_desc desc; 3917 unsigned char *udata; 3918 u16 udlen; 3919 int err; 3920 int i; 3921 3922 if (nla[NFTA_SET_TABLE] == NULL || 3923 nla[NFTA_SET_NAME] == NULL || 3924 nla[NFTA_SET_KEY_LEN] == NULL || 3925 nla[NFTA_SET_ID] == NULL) 3926 return -EINVAL; 3927 3928 memset(&desc, 0, sizeof(desc)); 3929 3930 ktype = NFT_DATA_VALUE; 3931 if (nla[NFTA_SET_KEY_TYPE] != NULL) { 3932 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE])); 3933 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK) 3934 return -EINVAL; 3935 } 3936 3937 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN])); 3938 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN) 3939 return -EINVAL; 3940 3941 flags = 0; 3942 if (nla[NFTA_SET_FLAGS] != NULL) { 3943 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS])); 3944 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT | 3945 NFT_SET_INTERVAL | NFT_SET_TIMEOUT | 3946 NFT_SET_MAP | NFT_SET_EVAL | 3947 NFT_SET_OBJECT)) 3948 return -EINVAL; 3949 /* Only one of these operations is supported */ 3950 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) == 3951 (NFT_SET_MAP | NFT_SET_OBJECT)) 3952 return -EOPNOTSUPP; 3953 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) == 3954 (NFT_SET_EVAL | NFT_SET_OBJECT)) 3955 return -EOPNOTSUPP; 3956 } 3957 3958 dtype = 0; 3959 if (nla[NFTA_SET_DATA_TYPE] != NULL) { 3960 if (!(flags & NFT_SET_MAP)) 3961 return -EINVAL; 3962 3963 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE])); 3964 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK && 3965 dtype != NFT_DATA_VERDICT) 3966 return -EINVAL; 3967 3968 if (dtype != NFT_DATA_VERDICT) { 3969 if (nla[NFTA_SET_DATA_LEN] == NULL) 3970 return -EINVAL; 3971 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN])); 3972 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN) 3973 return -EINVAL; 3974 } else 3975 desc.dlen = sizeof(struct nft_verdict); 3976 } else if (flags & NFT_SET_MAP) 3977 return -EINVAL; 3978 3979 if (nla[NFTA_SET_OBJ_TYPE] != NULL) { 3980 if (!(flags & NFT_SET_OBJECT)) 3981 return -EINVAL; 3982 3983 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE])); 3984 if (objtype == NFT_OBJECT_UNSPEC || 3985 objtype > NFT_OBJECT_MAX) 3986 return -EINVAL; 3987 } else if (flags & NFT_SET_OBJECT) 3988 return -EINVAL; 3989 else 3990 objtype = NFT_OBJECT_UNSPEC; 3991 3992 timeout = 0; 3993 if (nla[NFTA_SET_TIMEOUT] != NULL) { 3994 if (!(flags & NFT_SET_TIMEOUT)) 3995 return -EINVAL; 3996 3997 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout); 3998 if (err) 3999 return err; 4000 } 4001 gc_int = 0; 4002 if (nla[NFTA_SET_GC_INTERVAL] != NULL) { 4003 if (!(flags & NFT_SET_TIMEOUT)) 4004 return -EINVAL; 4005 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL])); 4006 } 4007 4008 policy = NFT_SET_POL_PERFORMANCE; 4009 if (nla[NFTA_SET_POLICY] != NULL) 4010 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY])); 4011 4012 if (nla[NFTA_SET_DESC] != NULL) { 4013 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]); 4014 if (err < 0) 4015 return err; 4016 } 4017 4018 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask); 4019 if (IS_ERR(table)) { 4020 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]); 4021 return PTR_ERR(table); 4022 } 4023 4024 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 4025 4026 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask); 4027 if (IS_ERR(set)) { 4028 if (PTR_ERR(set) != -ENOENT) { 4029 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 4030 return PTR_ERR(set); 4031 } 4032 } else { 4033 if (nlh->nlmsg_flags & NLM_F_EXCL) { 4034 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); 4035 return -EEXIST; 4036 } 4037 if (nlh->nlmsg_flags & NLM_F_REPLACE) 4038 return -EOPNOTSUPP; 4039 4040 return 0; 4041 } 4042 4043 if (!(nlh->nlmsg_flags & NLM_F_CREATE)) 4044 return -ENOENT; 4045 4046 ops = nft_select_set_ops(&ctx, nla, &desc, policy); 4047 if (IS_ERR(ops)) 4048 return PTR_ERR(ops); 4049 4050 udlen = 0; 4051 if (nla[NFTA_SET_USERDATA]) 4052 udlen = nla_len(nla[NFTA_SET_USERDATA]); 4053 4054 size = 0; 4055 if (ops->privsize != NULL) 4056 size = ops->privsize(nla, &desc); 4057 4058 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL); 4059 if (!set) { 4060 err = -ENOMEM; 4061 goto err1; 4062 } 4063 4064 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL); 4065 if (!name) { 4066 err = -ENOMEM; 4067 goto err2; 4068 } 4069 4070 err = nf_tables_set_alloc_name(&ctx, set, name); 4071 kfree(name); 4072 if (err < 0) 4073 goto err2; 4074 4075 udata = NULL; 4076 if (udlen) { 4077 udata = set->data + size; 4078 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen); 4079 } 4080 4081 INIT_LIST_HEAD(&set->bindings); 4082 set->table = table; 4083 write_pnet(&set->net, net); 4084 set->ops = ops; 4085 set->ktype = ktype; 4086 set->klen = desc.klen; 4087 set->dtype = dtype; 4088 set->objtype = objtype; 4089 set->dlen = desc.dlen; 4090 set->flags = flags; 4091 set->size = desc.size; 4092 set->policy = policy; 4093 set->udlen = udlen; 4094 set->udata = udata; 4095 set->timeout = timeout; 4096 set->gc_int = gc_int; 4097 set->handle = nf_tables_alloc_handle(table); 4098 4099 set->field_count = desc.field_count; 4100 for (i = 0; i < desc.field_count; i++) 4101 set->field_len[i] = desc.field_len[i]; 4102 4103 err = ops->init(set, &desc, nla); 4104 if (err < 0) 4105 goto err3; 4106 4107 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set); 4108 if (err < 0) 4109 goto err4; 4110 4111 list_add_tail_rcu(&set->list, &table->sets); 4112 table->use++; 4113 return 0; 4114 4115 err4: 4116 ops->destroy(set); 4117 err3: 4118 kfree(set->name); 4119 err2: 4120 kvfree(set); 4121 err1: 4122 module_put(to_set_type(ops)->owner); 4123 return err; 4124 } 4125 4126 static void nft_set_destroy(struct nft_set *set) 4127 { 4128 if (WARN_ON(set->use > 0)) 4129 return; 4130 4131 set->ops->destroy(set); 4132 module_put(to_set_type(set->ops)->owner); 4133 kfree(set->name); 4134 kvfree(set); 4135 } 4136 4137 static int nf_tables_delset(struct net *net, struct sock *nlsk, 4138 struct sk_buff *skb, const struct nlmsghdr *nlh, 4139 const struct nlattr * const nla[], 4140 struct netlink_ext_ack *extack) 4141 { 4142 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 4143 u8 genmask = nft_genmask_next(net); 4144 const struct nlattr *attr; 4145 struct nft_set *set; 4146 struct nft_ctx ctx; 4147 int err; 4148 4149 if (nfmsg->nfgen_family == NFPROTO_UNSPEC) 4150 return -EAFNOSUPPORT; 4151 if (nla[NFTA_SET_TABLE] == NULL) 4152 return -EINVAL; 4153 4154 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack, 4155 genmask); 4156 if (err < 0) 4157 return err; 4158 4159 if (nla[NFTA_SET_HANDLE]) { 4160 attr = nla[NFTA_SET_HANDLE]; 4161 set = nft_set_lookup_byhandle(ctx.table, attr, genmask); 4162 } else { 4163 attr = nla[NFTA_SET_NAME]; 4164 set = nft_set_lookup(ctx.table, attr, genmask); 4165 } 4166 4167 if (IS_ERR(set)) { 4168 NL_SET_BAD_ATTR(extack, attr); 4169 return PTR_ERR(set); 4170 } 4171 if (set->use || 4172 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) { 4173 NL_SET_BAD_ATTR(extack, attr); 4174 return -EBUSY; 4175 } 4176 4177 return nft_delset(&ctx, set); 4178 } 4179 4180 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx, 4181 struct nft_set *set, 4182 const struct nft_set_iter *iter, 4183 struct nft_set_elem *elem) 4184 { 4185 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 4186 enum nft_registers dreg; 4187 4188 dreg = nft_type_to_reg(set->dtype); 4189 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext), 4190 set->dtype == NFT_DATA_VERDICT ? 4191 NFT_DATA_VERDICT : NFT_DATA_VALUE, 4192 set->dlen); 4193 } 4194 4195 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, 4196 struct nft_set_binding *binding) 4197 { 4198 struct nft_set_binding *i; 4199 struct nft_set_iter iter; 4200 4201 if (set->use == UINT_MAX) 4202 return -EOVERFLOW; 4203 4204 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set)) 4205 return -EBUSY; 4206 4207 if (binding->flags & NFT_SET_MAP) { 4208 /* If the set is already bound to the same chain all 4209 * jumps are already validated for that chain. 4210 */ 4211 list_for_each_entry(i, &set->bindings, list) { 4212 if (i->flags & NFT_SET_MAP && 4213 i->chain == binding->chain) 4214 goto bind; 4215 } 4216 4217 iter.genmask = nft_genmask_next(ctx->net); 4218 iter.skip = 0; 4219 iter.count = 0; 4220 iter.err = 0; 4221 iter.fn = nf_tables_bind_check_setelem; 4222 4223 set->ops->walk(ctx, set, &iter); 4224 if (iter.err < 0) 4225 return iter.err; 4226 } 4227 bind: 4228 binding->chain = ctx->chain; 4229 list_add_tail_rcu(&binding->list, &set->bindings); 4230 nft_set_trans_bind(ctx, set); 4231 set->use++; 4232 4233 return 0; 4234 } 4235 EXPORT_SYMBOL_GPL(nf_tables_bind_set); 4236 4237 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, 4238 struct nft_set_binding *binding, bool event) 4239 { 4240 list_del_rcu(&binding->list); 4241 4242 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) { 4243 list_del_rcu(&set->list); 4244 if (event) 4245 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, 4246 GFP_KERNEL); 4247 } 4248 } 4249 4250 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, 4251 struct nft_set_binding *binding, 4252 enum nft_trans_phase phase) 4253 { 4254 switch (phase) { 4255 case NFT_TRANS_PREPARE: 4256 set->use--; 4257 return; 4258 case NFT_TRANS_ABORT: 4259 case NFT_TRANS_RELEASE: 4260 set->use--; 4261 /* fall through */ 4262 default: 4263 nf_tables_unbind_set(ctx, set, binding, 4264 phase == NFT_TRANS_COMMIT); 4265 } 4266 } 4267 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set); 4268 4269 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set) 4270 { 4271 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) 4272 nft_set_destroy(set); 4273 } 4274 EXPORT_SYMBOL_GPL(nf_tables_destroy_set); 4275 4276 const struct nft_set_ext_type nft_set_ext_types[] = { 4277 [NFT_SET_EXT_KEY] = { 4278 .align = __alignof__(u32), 4279 }, 4280 [NFT_SET_EXT_DATA] = { 4281 .align = __alignof__(u32), 4282 }, 4283 [NFT_SET_EXT_EXPR] = { 4284 .align = __alignof__(struct nft_expr), 4285 }, 4286 [NFT_SET_EXT_OBJREF] = { 4287 .len = sizeof(struct nft_object *), 4288 .align = __alignof__(struct nft_object *), 4289 }, 4290 [NFT_SET_EXT_FLAGS] = { 4291 .len = sizeof(u8), 4292 .align = __alignof__(u8), 4293 }, 4294 [NFT_SET_EXT_TIMEOUT] = { 4295 .len = sizeof(u64), 4296 .align = __alignof__(u64), 4297 }, 4298 [NFT_SET_EXT_EXPIRATION] = { 4299 .len = sizeof(u64), 4300 .align = __alignof__(u64), 4301 }, 4302 [NFT_SET_EXT_USERDATA] = { 4303 .len = sizeof(struct nft_userdata), 4304 .align = __alignof__(struct nft_userdata), 4305 }, 4306 [NFT_SET_EXT_KEY_END] = { 4307 .align = __alignof__(u32), 4308 }, 4309 }; 4310 EXPORT_SYMBOL_GPL(nft_set_ext_types); 4311 4312 /* 4313 * Set elements 4314 */ 4315 4316 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = { 4317 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED }, 4318 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED }, 4319 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 }, 4320 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 }, 4321 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 }, 4322 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY, 4323 .len = NFT_USERDATA_MAXLEN }, 4324 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED }, 4325 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING, 4326 .len = NFT_OBJ_MAXNAMELEN - 1 }, 4327 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED }, 4328 }; 4329 4330 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = { 4331 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING, 4332 .len = NFT_TABLE_MAXNAMELEN - 1 }, 4333 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING, 4334 .len = NFT_SET_MAXNAMELEN - 1 }, 4335 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED }, 4336 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 }, 4337 }; 4338 4339 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net, 4340 const struct sk_buff *skb, 4341 const struct nlmsghdr *nlh, 4342 const struct nlattr * const nla[], 4343 struct netlink_ext_ack *extack, 4344 u8 genmask) 4345 { 4346 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 4347 int family = nfmsg->nfgen_family; 4348 struct nft_table *table; 4349 4350 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family, 4351 genmask); 4352 if (IS_ERR(table)) { 4353 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]); 4354 return PTR_ERR(table); 4355 } 4356 4357 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla); 4358 return 0; 4359 } 4360 4361 static int nf_tables_fill_setelem(struct sk_buff *skb, 4362 const struct nft_set *set, 4363 const struct nft_set_elem *elem) 4364 { 4365 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 4366 unsigned char *b = skb_tail_pointer(skb); 4367 struct nlattr *nest; 4368 4369 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM); 4370 if (nest == NULL) 4371 goto nla_put_failure; 4372 4373 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext), 4374 NFT_DATA_VALUE, set->klen) < 0) 4375 goto nla_put_failure; 4376 4377 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) && 4378 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext), 4379 NFT_DATA_VALUE, set->klen) < 0) 4380 goto nla_put_failure; 4381 4382 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 4383 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext), 4384 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE, 4385 set->dlen) < 0) 4386 goto nla_put_failure; 4387 4388 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) && 4389 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0) 4390 goto nla_put_failure; 4391 4392 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && 4393 nla_put_string(skb, NFTA_SET_ELEM_OBJREF, 4394 (*nft_set_ext_obj(ext))->key.name) < 0) 4395 goto nla_put_failure; 4396 4397 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 4398 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS, 4399 htonl(*nft_set_ext_flags(ext)))) 4400 goto nla_put_failure; 4401 4402 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) && 4403 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT, 4404 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)), 4405 NFTA_SET_ELEM_PAD)) 4406 goto nla_put_failure; 4407 4408 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) { 4409 u64 expires, now = get_jiffies_64(); 4410 4411 expires = *nft_set_ext_expiration(ext); 4412 if (time_before64(now, expires)) 4413 expires -= now; 4414 else 4415 expires = 0; 4416 4417 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION, 4418 nf_jiffies64_to_msecs(expires), 4419 NFTA_SET_ELEM_PAD)) 4420 goto nla_put_failure; 4421 } 4422 4423 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) { 4424 struct nft_userdata *udata; 4425 4426 udata = nft_set_ext_userdata(ext); 4427 if (nla_put(skb, NFTA_SET_ELEM_USERDATA, 4428 udata->len + 1, udata->data)) 4429 goto nla_put_failure; 4430 } 4431 4432 nla_nest_end(skb, nest); 4433 return 0; 4434 4435 nla_put_failure: 4436 nlmsg_trim(skb, b); 4437 return -EMSGSIZE; 4438 } 4439 4440 struct nft_set_dump_args { 4441 const struct netlink_callback *cb; 4442 struct nft_set_iter iter; 4443 struct sk_buff *skb; 4444 }; 4445 4446 static int nf_tables_dump_setelem(const struct nft_ctx *ctx, 4447 struct nft_set *set, 4448 const struct nft_set_iter *iter, 4449 struct nft_set_elem *elem) 4450 { 4451 struct nft_set_dump_args *args; 4452 4453 args = container_of(iter, struct nft_set_dump_args, iter); 4454 return nf_tables_fill_setelem(args->skb, set, elem); 4455 } 4456 4457 struct nft_set_dump_ctx { 4458 const struct nft_set *set; 4459 struct nft_ctx ctx; 4460 }; 4461 4462 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb) 4463 { 4464 struct nft_set_dump_ctx *dump_ctx = cb->data; 4465 struct net *net = sock_net(skb->sk); 4466 struct nft_table *table; 4467 struct nft_set *set; 4468 struct nft_set_dump_args args; 4469 bool set_found = false; 4470 struct nfgenmsg *nfmsg; 4471 struct nlmsghdr *nlh; 4472 struct nlattr *nest; 4473 u32 portid, seq; 4474 int event; 4475 4476 rcu_read_lock(); 4477 list_for_each_entry_rcu(table, &net->nft.tables, list) { 4478 if (dump_ctx->ctx.family != NFPROTO_UNSPEC && 4479 dump_ctx->ctx.family != table->family) 4480 continue; 4481 4482 if (table != dump_ctx->ctx.table) 4483 continue; 4484 4485 list_for_each_entry_rcu(set, &table->sets, list) { 4486 if (set == dump_ctx->set) { 4487 set_found = true; 4488 break; 4489 } 4490 } 4491 break; 4492 } 4493 4494 if (!set_found) { 4495 rcu_read_unlock(); 4496 return -ENOENT; 4497 } 4498 4499 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM); 4500 portid = NETLINK_CB(cb->skb).portid; 4501 seq = cb->nlh->nlmsg_seq; 4502 4503 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 4504 NLM_F_MULTI); 4505 if (nlh == NULL) 4506 goto nla_put_failure; 4507 4508 nfmsg = nlmsg_data(nlh); 4509 nfmsg->nfgen_family = table->family; 4510 nfmsg->version = NFNETLINK_V0; 4511 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 4512 4513 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name)) 4514 goto nla_put_failure; 4515 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name)) 4516 goto nla_put_failure; 4517 4518 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS); 4519 if (nest == NULL) 4520 goto nla_put_failure; 4521 4522 args.cb = cb; 4523 args.skb = skb; 4524 args.iter.genmask = nft_genmask_cur(net); 4525 args.iter.skip = cb->args[0]; 4526 args.iter.count = 0; 4527 args.iter.err = 0; 4528 args.iter.fn = nf_tables_dump_setelem; 4529 set->ops->walk(&dump_ctx->ctx, set, &args.iter); 4530 rcu_read_unlock(); 4531 4532 nla_nest_end(skb, nest); 4533 nlmsg_end(skb, nlh); 4534 4535 if (args.iter.err && args.iter.err != -EMSGSIZE) 4536 return args.iter.err; 4537 if (args.iter.count == cb->args[0]) 4538 return 0; 4539 4540 cb->args[0] = args.iter.count; 4541 return skb->len; 4542 4543 nla_put_failure: 4544 rcu_read_unlock(); 4545 return -ENOSPC; 4546 } 4547 4548 static int nf_tables_dump_set_start(struct netlink_callback *cb) 4549 { 4550 struct nft_set_dump_ctx *dump_ctx = cb->data; 4551 4552 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC); 4553 4554 return cb->data ? 0 : -ENOMEM; 4555 } 4556 4557 static int nf_tables_dump_set_done(struct netlink_callback *cb) 4558 { 4559 kfree(cb->data); 4560 return 0; 4561 } 4562 4563 static int nf_tables_fill_setelem_info(struct sk_buff *skb, 4564 const struct nft_ctx *ctx, u32 seq, 4565 u32 portid, int event, u16 flags, 4566 const struct nft_set *set, 4567 const struct nft_set_elem *elem) 4568 { 4569 struct nfgenmsg *nfmsg; 4570 struct nlmsghdr *nlh; 4571 struct nlattr *nest; 4572 int err; 4573 4574 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 4575 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 4576 flags); 4577 if (nlh == NULL) 4578 goto nla_put_failure; 4579 4580 nfmsg = nlmsg_data(nlh); 4581 nfmsg->nfgen_family = ctx->family; 4582 nfmsg->version = NFNETLINK_V0; 4583 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff); 4584 4585 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) 4586 goto nla_put_failure; 4587 if (nla_put_string(skb, NFTA_SET_NAME, set->name)) 4588 goto nla_put_failure; 4589 4590 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS); 4591 if (nest == NULL) 4592 goto nla_put_failure; 4593 4594 err = nf_tables_fill_setelem(skb, set, elem); 4595 if (err < 0) 4596 goto nla_put_failure; 4597 4598 nla_nest_end(skb, nest); 4599 4600 nlmsg_end(skb, nlh); 4601 return 0; 4602 4603 nla_put_failure: 4604 nlmsg_trim(skb, nlh); 4605 return -1; 4606 } 4607 4608 static int nft_setelem_parse_flags(const struct nft_set *set, 4609 const struct nlattr *attr, u32 *flags) 4610 { 4611 if (attr == NULL) 4612 return 0; 4613 4614 *flags = ntohl(nla_get_be32(attr)); 4615 if (*flags & ~NFT_SET_ELEM_INTERVAL_END) 4616 return -EINVAL; 4617 if (!(set->flags & NFT_SET_INTERVAL) && 4618 *flags & NFT_SET_ELEM_INTERVAL_END) 4619 return -EINVAL; 4620 4621 return 0; 4622 } 4623 4624 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set, 4625 struct nft_data *key, struct nlattr *attr) 4626 { 4627 struct nft_data_desc desc; 4628 int err; 4629 4630 err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr); 4631 if (err < 0) 4632 return err; 4633 4634 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) { 4635 nft_data_release(key, desc.type); 4636 return -EINVAL; 4637 } 4638 4639 return 0; 4640 } 4641 4642 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set, 4643 const struct nlattr *attr) 4644 { 4645 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 4646 struct nft_set_elem elem; 4647 struct sk_buff *skb; 4648 uint32_t flags = 0; 4649 void *priv; 4650 int err; 4651 4652 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 4653 nft_set_elem_policy, NULL); 4654 if (err < 0) 4655 return err; 4656 4657 if (!nla[NFTA_SET_ELEM_KEY]) 4658 return -EINVAL; 4659 4660 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 4661 if (err < 0) 4662 return err; 4663 4664 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 4665 nla[NFTA_SET_ELEM_KEY]); 4666 if (err < 0) 4667 return err; 4668 4669 if (nla[NFTA_SET_ELEM_KEY_END]) { 4670 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 4671 nla[NFTA_SET_ELEM_KEY_END]); 4672 if (err < 0) 4673 return err; 4674 } 4675 4676 priv = set->ops->get(ctx->net, set, &elem, flags); 4677 if (IS_ERR(priv)) 4678 return PTR_ERR(priv); 4679 4680 elem.priv = priv; 4681 4682 err = -ENOMEM; 4683 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC); 4684 if (skb == NULL) 4685 goto err1; 4686 4687 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid, 4688 NFT_MSG_NEWSETELEM, 0, set, &elem); 4689 if (err < 0) 4690 goto err2; 4691 4692 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT); 4693 /* This avoids a loop in nfnetlink. */ 4694 if (err < 0) 4695 goto err1; 4696 4697 return 0; 4698 err2: 4699 kfree_skb(skb); 4700 err1: 4701 /* this avoids a loop in nfnetlink. */ 4702 return err == -EAGAIN ? -ENOBUFS : err; 4703 } 4704 4705 /* called with rcu_read_lock held */ 4706 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk, 4707 struct sk_buff *skb, const struct nlmsghdr *nlh, 4708 const struct nlattr * const nla[], 4709 struct netlink_ext_ack *extack) 4710 { 4711 u8 genmask = nft_genmask_cur(net); 4712 struct nft_set *set; 4713 struct nlattr *attr; 4714 struct nft_ctx ctx; 4715 int rem, err = 0; 4716 4717 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack, 4718 genmask); 4719 if (err < 0) 4720 return err; 4721 4722 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask); 4723 if (IS_ERR(set)) 4724 return PTR_ERR(set); 4725 4726 if (nlh->nlmsg_flags & NLM_F_DUMP) { 4727 struct netlink_dump_control c = { 4728 .start = nf_tables_dump_set_start, 4729 .dump = nf_tables_dump_set, 4730 .done = nf_tables_dump_set_done, 4731 .module = THIS_MODULE, 4732 }; 4733 struct nft_set_dump_ctx dump_ctx = { 4734 .set = set, 4735 .ctx = ctx, 4736 }; 4737 4738 c.data = &dump_ctx; 4739 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 4740 } 4741 4742 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS]) 4743 return -EINVAL; 4744 4745 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 4746 err = nft_get_set_elem(&ctx, set, attr); 4747 if (err < 0) 4748 break; 4749 } 4750 4751 return err; 4752 } 4753 4754 static void nf_tables_setelem_notify(const struct nft_ctx *ctx, 4755 const struct nft_set *set, 4756 const struct nft_set_elem *elem, 4757 int event, u16 flags) 4758 { 4759 struct net *net = ctx->net; 4760 u32 portid = ctx->portid; 4761 struct sk_buff *skb; 4762 int err; 4763 4764 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 4765 return; 4766 4767 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 4768 if (skb == NULL) 4769 goto err; 4770 4771 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags, 4772 set, elem); 4773 if (err < 0) { 4774 kfree_skb(skb); 4775 goto err; 4776 } 4777 4778 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report, 4779 GFP_KERNEL); 4780 return; 4781 err: 4782 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 4783 } 4784 4785 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx, 4786 int msg_type, 4787 struct nft_set *set) 4788 { 4789 struct nft_trans *trans; 4790 4791 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem)); 4792 if (trans == NULL) 4793 return NULL; 4794 4795 nft_trans_elem_set(trans) = set; 4796 return trans; 4797 } 4798 4799 void *nft_set_elem_init(const struct nft_set *set, 4800 const struct nft_set_ext_tmpl *tmpl, 4801 const u32 *key, const u32 *key_end, 4802 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp) 4803 { 4804 struct nft_set_ext *ext; 4805 void *elem; 4806 4807 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp); 4808 if (elem == NULL) 4809 return NULL; 4810 4811 ext = nft_set_elem_ext(set, elem); 4812 nft_set_ext_init(ext, tmpl); 4813 4814 memcpy(nft_set_ext_key(ext), key, set->klen); 4815 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END)) 4816 memcpy(nft_set_ext_key_end(ext), key_end, set->klen); 4817 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 4818 memcpy(nft_set_ext_data(ext), data, set->dlen); 4819 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) { 4820 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration; 4821 if (expiration == 0) 4822 *nft_set_ext_expiration(ext) += timeout; 4823 } 4824 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) 4825 *nft_set_ext_timeout(ext) = timeout; 4826 4827 return elem; 4828 } 4829 4830 void nft_set_elem_destroy(const struct nft_set *set, void *elem, 4831 bool destroy_expr) 4832 { 4833 struct nft_set_ext *ext = nft_set_elem_ext(set, elem); 4834 struct nft_ctx ctx = { 4835 .net = read_pnet(&set->net), 4836 .family = set->table->family, 4837 }; 4838 4839 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE); 4840 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 4841 nft_data_release(nft_set_ext_data(ext), set->dtype); 4842 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) { 4843 struct nft_expr *expr = nft_set_ext_expr(ext); 4844 4845 if (expr->ops->destroy_clone) { 4846 expr->ops->destroy_clone(&ctx, expr); 4847 module_put(expr->ops->type->owner); 4848 } else { 4849 nf_tables_expr_destroy(&ctx, expr); 4850 } 4851 } 4852 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 4853 (*nft_set_ext_obj(ext))->use--; 4854 kfree(elem); 4855 } 4856 EXPORT_SYMBOL_GPL(nft_set_elem_destroy); 4857 4858 /* Only called from commit path, nft_set_elem_deactivate() already deals with 4859 * the refcounting from the preparation phase. 4860 */ 4861 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, 4862 const struct nft_set *set, void *elem) 4863 { 4864 struct nft_set_ext *ext = nft_set_elem_ext(set, elem); 4865 4866 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) 4867 nf_tables_expr_destroy(ctx, nft_set_ext_expr(ext)); 4868 kfree(elem); 4869 } 4870 4871 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, 4872 const struct nlattr *attr, u32 nlmsg_flags) 4873 { 4874 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 4875 u8 genmask = nft_genmask_next(ctx->net); 4876 struct nft_set_ext_tmpl tmpl; 4877 struct nft_set_ext *ext, *ext2; 4878 struct nft_set_elem elem; 4879 struct nft_set_binding *binding; 4880 struct nft_object *obj = NULL; 4881 struct nft_userdata *udata; 4882 struct nft_data_desc desc; 4883 struct nft_data data; 4884 enum nft_registers dreg; 4885 struct nft_trans *trans; 4886 u32 flags = 0; 4887 u64 timeout; 4888 u64 expiration; 4889 u8 ulen; 4890 int err; 4891 4892 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 4893 nft_set_elem_policy, NULL); 4894 if (err < 0) 4895 return err; 4896 4897 if (nla[NFTA_SET_ELEM_KEY] == NULL) 4898 return -EINVAL; 4899 4900 nft_set_ext_prepare(&tmpl); 4901 4902 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 4903 if (err < 0) 4904 return err; 4905 if (flags != 0) 4906 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 4907 4908 if (set->flags & NFT_SET_MAP) { 4909 if (nla[NFTA_SET_ELEM_DATA] == NULL && 4910 !(flags & NFT_SET_ELEM_INTERVAL_END)) 4911 return -EINVAL; 4912 } else { 4913 if (nla[NFTA_SET_ELEM_DATA] != NULL) 4914 return -EINVAL; 4915 } 4916 4917 if ((flags & NFT_SET_ELEM_INTERVAL_END) && 4918 (nla[NFTA_SET_ELEM_DATA] || 4919 nla[NFTA_SET_ELEM_OBJREF] || 4920 nla[NFTA_SET_ELEM_TIMEOUT] || 4921 nla[NFTA_SET_ELEM_EXPIRATION] || 4922 nla[NFTA_SET_ELEM_USERDATA] || 4923 nla[NFTA_SET_ELEM_EXPR])) 4924 return -EINVAL; 4925 4926 timeout = 0; 4927 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) { 4928 if (!(set->flags & NFT_SET_TIMEOUT)) 4929 return -EINVAL; 4930 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT], 4931 &timeout); 4932 if (err) 4933 return err; 4934 } else if (set->flags & NFT_SET_TIMEOUT) { 4935 timeout = set->timeout; 4936 } 4937 4938 expiration = 0; 4939 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) { 4940 if (!(set->flags & NFT_SET_TIMEOUT)) 4941 return -EINVAL; 4942 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION], 4943 &expiration); 4944 if (err) 4945 return err; 4946 } 4947 4948 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 4949 nla[NFTA_SET_ELEM_KEY]); 4950 if (err < 0) 4951 return err; 4952 4953 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen); 4954 4955 if (nla[NFTA_SET_ELEM_KEY_END]) { 4956 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 4957 nla[NFTA_SET_ELEM_KEY_END]); 4958 if (err < 0) 4959 goto err_parse_key; 4960 4961 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen); 4962 } 4963 4964 if (timeout > 0) { 4965 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION); 4966 if (timeout != set->timeout) 4967 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT); 4968 } 4969 4970 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) { 4971 if (!(set->flags & NFT_SET_OBJECT)) { 4972 err = -EINVAL; 4973 goto err_parse_key_end; 4974 } 4975 obj = nft_obj_lookup(ctx->net, ctx->table, 4976 nla[NFTA_SET_ELEM_OBJREF], 4977 set->objtype, genmask); 4978 if (IS_ERR(obj)) { 4979 err = PTR_ERR(obj); 4980 goto err_parse_key_end; 4981 } 4982 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF); 4983 } 4984 4985 if (nla[NFTA_SET_ELEM_DATA] != NULL) { 4986 err = nft_data_init(ctx, &data, sizeof(data), &desc, 4987 nla[NFTA_SET_ELEM_DATA]); 4988 if (err < 0) 4989 goto err_parse_key_end; 4990 4991 err = -EINVAL; 4992 if (set->dtype != NFT_DATA_VERDICT && desc.len != set->dlen) 4993 goto err_parse_data; 4994 4995 dreg = nft_type_to_reg(set->dtype); 4996 list_for_each_entry(binding, &set->bindings, list) { 4997 struct nft_ctx bind_ctx = { 4998 .net = ctx->net, 4999 .family = ctx->family, 5000 .table = ctx->table, 5001 .chain = (struct nft_chain *)binding->chain, 5002 }; 5003 5004 if (!(binding->flags & NFT_SET_MAP)) 5005 continue; 5006 5007 err = nft_validate_register_store(&bind_ctx, dreg, 5008 &data, 5009 desc.type, desc.len); 5010 if (err < 0) 5011 goto err_parse_data; 5012 5013 if (desc.type == NFT_DATA_VERDICT && 5014 (data.verdict.code == NFT_GOTO || 5015 data.verdict.code == NFT_JUMP)) 5016 nft_validate_state_update(ctx->net, 5017 NFT_VALIDATE_NEED); 5018 } 5019 5020 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len); 5021 } 5022 5023 /* The full maximum length of userdata can exceed the maximum 5024 * offset value (U8_MAX) for following extensions, therefor it 5025 * must be the last extension added. 5026 */ 5027 ulen = 0; 5028 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) { 5029 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]); 5030 if (ulen > 0) 5031 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA, 5032 ulen); 5033 } 5034 5035 err = -ENOMEM; 5036 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, 5037 elem.key_end.val.data, data.data, 5038 timeout, expiration, GFP_KERNEL); 5039 if (elem.priv == NULL) 5040 goto err_parse_data; 5041 5042 ext = nft_set_elem_ext(set, elem.priv); 5043 if (flags) 5044 *nft_set_ext_flags(ext) = flags; 5045 if (ulen > 0) { 5046 udata = nft_set_ext_userdata(ext); 5047 udata->len = ulen - 1; 5048 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen); 5049 } 5050 if (obj) { 5051 *nft_set_ext_obj(ext) = obj; 5052 obj->use++; 5053 } 5054 5055 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set); 5056 if (trans == NULL) 5057 goto err_trans; 5058 5059 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK; 5060 err = set->ops->insert(ctx->net, set, &elem, &ext2); 5061 if (err) { 5062 if (err == -EEXIST) { 5063 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^ 5064 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) || 5065 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^ 5066 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) { 5067 err = -EBUSY; 5068 goto err_element_clash; 5069 } 5070 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) && 5071 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) && 5072 memcmp(nft_set_ext_data(ext), 5073 nft_set_ext_data(ext2), set->dlen) != 0) || 5074 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) && 5075 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) && 5076 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2))) 5077 err = -EBUSY; 5078 else if (!(nlmsg_flags & NLM_F_EXCL)) 5079 err = 0; 5080 } 5081 goto err_element_clash; 5082 } 5083 5084 if (set->size && 5085 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) { 5086 err = -ENFILE; 5087 goto err_set_full; 5088 } 5089 5090 nft_trans_elem(trans) = elem; 5091 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 5092 return 0; 5093 5094 err_set_full: 5095 set->ops->remove(ctx->net, set, &elem); 5096 err_element_clash: 5097 kfree(trans); 5098 err_trans: 5099 if (obj) 5100 obj->use--; 5101 kfree(elem.priv); 5102 err_parse_data: 5103 if (nla[NFTA_SET_ELEM_DATA] != NULL) 5104 nft_data_release(&data, desc.type); 5105 err_parse_key_end: 5106 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE); 5107 err_parse_key: 5108 nft_data_release(&elem.key.val, NFT_DATA_VALUE); 5109 5110 return err; 5111 } 5112 5113 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk, 5114 struct sk_buff *skb, const struct nlmsghdr *nlh, 5115 const struct nlattr * const nla[], 5116 struct netlink_ext_ack *extack) 5117 { 5118 u8 genmask = nft_genmask_next(net); 5119 const struct nlattr *attr; 5120 struct nft_set *set; 5121 struct nft_ctx ctx; 5122 int rem, err; 5123 5124 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) 5125 return -EINVAL; 5126 5127 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack, 5128 genmask); 5129 if (err < 0) 5130 return err; 5131 5132 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET], 5133 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask); 5134 if (IS_ERR(set)) 5135 return PTR_ERR(set); 5136 5137 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) 5138 return -EBUSY; 5139 5140 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 5141 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags); 5142 if (err < 0) 5143 return err; 5144 } 5145 5146 if (net->nft.validate_state == NFT_VALIDATE_DO) 5147 return nft_table_validate(net, ctx.table); 5148 5149 return 0; 5150 } 5151 5152 /** 5153 * nft_data_hold - hold a nft_data item 5154 * 5155 * @data: struct nft_data to release 5156 * @type: type of data 5157 * 5158 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded, 5159 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and 5160 * NFT_GOTO verdicts. This function must be called on active data objects 5161 * from the second phase of the commit protocol. 5162 */ 5163 void nft_data_hold(const struct nft_data *data, enum nft_data_types type) 5164 { 5165 if (type == NFT_DATA_VERDICT) { 5166 switch (data->verdict.code) { 5167 case NFT_JUMP: 5168 case NFT_GOTO: 5169 data->verdict.chain->use++; 5170 break; 5171 } 5172 } 5173 } 5174 5175 static void nft_set_elem_activate(const struct net *net, 5176 const struct nft_set *set, 5177 struct nft_set_elem *elem) 5178 { 5179 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 5180 5181 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 5182 nft_data_hold(nft_set_ext_data(ext), set->dtype); 5183 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 5184 (*nft_set_ext_obj(ext))->use++; 5185 } 5186 5187 static void nft_set_elem_deactivate(const struct net *net, 5188 const struct nft_set *set, 5189 struct nft_set_elem *elem) 5190 { 5191 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 5192 5193 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) 5194 nft_data_release(nft_set_ext_data(ext), set->dtype); 5195 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) 5196 (*nft_set_ext_obj(ext))->use--; 5197 } 5198 5199 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set, 5200 const struct nlattr *attr) 5201 { 5202 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1]; 5203 struct nft_set_ext_tmpl tmpl; 5204 struct nft_set_elem elem; 5205 struct nft_set_ext *ext; 5206 struct nft_trans *trans; 5207 u32 flags = 0; 5208 void *priv; 5209 int err; 5210 5211 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr, 5212 nft_set_elem_policy, NULL); 5213 if (err < 0) 5214 return err; 5215 5216 if (nla[NFTA_SET_ELEM_KEY] == NULL) 5217 return -EINVAL; 5218 5219 nft_set_ext_prepare(&tmpl); 5220 5221 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags); 5222 if (err < 0) 5223 return err; 5224 if (flags != 0) 5225 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS); 5226 5227 err = nft_setelem_parse_key(ctx, set, &elem.key.val, 5228 nla[NFTA_SET_ELEM_KEY]); 5229 if (err < 0) 5230 return err; 5231 5232 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen); 5233 5234 if (nla[NFTA_SET_ELEM_KEY_END]) { 5235 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val, 5236 nla[NFTA_SET_ELEM_KEY_END]); 5237 if (err < 0) 5238 return err; 5239 5240 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen); 5241 } 5242 5243 err = -ENOMEM; 5244 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, 5245 elem.key_end.val.data, NULL, 0, 0, 5246 GFP_KERNEL); 5247 if (elem.priv == NULL) 5248 goto fail_elem; 5249 5250 ext = nft_set_elem_ext(set, elem.priv); 5251 if (flags) 5252 *nft_set_ext_flags(ext) = flags; 5253 5254 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set); 5255 if (trans == NULL) 5256 goto fail_trans; 5257 5258 priv = set->ops->deactivate(ctx->net, set, &elem); 5259 if (priv == NULL) { 5260 err = -ENOENT; 5261 goto fail_ops; 5262 } 5263 kfree(elem.priv); 5264 elem.priv = priv; 5265 5266 nft_set_elem_deactivate(ctx->net, set, &elem); 5267 5268 nft_trans_elem(trans) = elem; 5269 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 5270 return 0; 5271 5272 fail_ops: 5273 kfree(trans); 5274 fail_trans: 5275 kfree(elem.priv); 5276 fail_elem: 5277 nft_data_release(&elem.key.val, NFT_DATA_VALUE); 5278 return err; 5279 } 5280 5281 static int nft_flush_set(const struct nft_ctx *ctx, 5282 struct nft_set *set, 5283 const struct nft_set_iter *iter, 5284 struct nft_set_elem *elem) 5285 { 5286 struct nft_trans *trans; 5287 int err; 5288 5289 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM, 5290 sizeof(struct nft_trans_elem), GFP_ATOMIC); 5291 if (!trans) 5292 return -ENOMEM; 5293 5294 if (!set->ops->flush(ctx->net, set, elem->priv)) { 5295 err = -ENOENT; 5296 goto err1; 5297 } 5298 set->ndeact++; 5299 5300 nft_set_elem_deactivate(ctx->net, set, elem); 5301 nft_trans_elem_set(trans) = set; 5302 nft_trans_elem(trans) = *elem; 5303 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 5304 5305 return 0; 5306 err1: 5307 kfree(trans); 5308 return err; 5309 } 5310 5311 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk, 5312 struct sk_buff *skb, const struct nlmsghdr *nlh, 5313 const struct nlattr * const nla[], 5314 struct netlink_ext_ack *extack) 5315 { 5316 u8 genmask = nft_genmask_next(net); 5317 const struct nlattr *attr; 5318 struct nft_set *set; 5319 struct nft_ctx ctx; 5320 int rem, err = 0; 5321 5322 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack, 5323 genmask); 5324 if (err < 0) 5325 return err; 5326 5327 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask); 5328 if (IS_ERR(set)) 5329 return PTR_ERR(set); 5330 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) 5331 return -EBUSY; 5332 5333 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) { 5334 struct nft_set_iter iter = { 5335 .genmask = genmask, 5336 .fn = nft_flush_set, 5337 }; 5338 set->ops->walk(&ctx, set, &iter); 5339 5340 return iter.err; 5341 } 5342 5343 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { 5344 err = nft_del_setelem(&ctx, set, attr); 5345 if (err < 0) 5346 break; 5347 5348 set->ndeact++; 5349 } 5350 return err; 5351 } 5352 5353 void nft_set_gc_batch_release(struct rcu_head *rcu) 5354 { 5355 struct nft_set_gc_batch *gcb; 5356 unsigned int i; 5357 5358 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu); 5359 for (i = 0; i < gcb->head.cnt; i++) 5360 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true); 5361 kfree(gcb); 5362 } 5363 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release); 5364 5365 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set, 5366 gfp_t gfp) 5367 { 5368 struct nft_set_gc_batch *gcb; 5369 5370 gcb = kzalloc(sizeof(*gcb), gfp); 5371 if (gcb == NULL) 5372 return gcb; 5373 gcb->head.set = set; 5374 return gcb; 5375 } 5376 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc); 5377 5378 /* 5379 * Stateful objects 5380 */ 5381 5382 /** 5383 * nft_register_obj- register nf_tables stateful object type 5384 * @obj: object type 5385 * 5386 * Registers the object type for use with nf_tables. Returns zero on 5387 * success or a negative errno code otherwise. 5388 */ 5389 int nft_register_obj(struct nft_object_type *obj_type) 5390 { 5391 if (obj_type->type == NFT_OBJECT_UNSPEC) 5392 return -EINVAL; 5393 5394 nfnl_lock(NFNL_SUBSYS_NFTABLES); 5395 list_add_rcu(&obj_type->list, &nf_tables_objects); 5396 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 5397 return 0; 5398 } 5399 EXPORT_SYMBOL_GPL(nft_register_obj); 5400 5401 /** 5402 * nft_unregister_obj - unregister nf_tables object type 5403 * @obj: object type 5404 * 5405 * Unregisters the object type for use with nf_tables. 5406 */ 5407 void nft_unregister_obj(struct nft_object_type *obj_type) 5408 { 5409 nfnl_lock(NFNL_SUBSYS_NFTABLES); 5410 list_del_rcu(&obj_type->list); 5411 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 5412 } 5413 EXPORT_SYMBOL_GPL(nft_unregister_obj); 5414 5415 struct nft_object *nft_obj_lookup(const struct net *net, 5416 const struct nft_table *table, 5417 const struct nlattr *nla, u32 objtype, 5418 u8 genmask) 5419 { 5420 struct nft_object_hash_key k = { .table = table }; 5421 char search[NFT_OBJ_MAXNAMELEN]; 5422 struct rhlist_head *tmp, *list; 5423 struct nft_object *obj; 5424 5425 nla_strlcpy(search, nla, sizeof(search)); 5426 k.name = search; 5427 5428 WARN_ON_ONCE(!rcu_read_lock_held() && 5429 !lockdep_commit_lock_is_held(net)); 5430 5431 rcu_read_lock(); 5432 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params); 5433 if (!list) 5434 goto out; 5435 5436 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) { 5437 if (objtype == obj->ops->type->type && 5438 nft_active_genmask(obj, genmask)) { 5439 rcu_read_unlock(); 5440 return obj; 5441 } 5442 } 5443 out: 5444 rcu_read_unlock(); 5445 return ERR_PTR(-ENOENT); 5446 } 5447 EXPORT_SYMBOL_GPL(nft_obj_lookup); 5448 5449 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table, 5450 const struct nlattr *nla, 5451 u32 objtype, u8 genmask) 5452 { 5453 struct nft_object *obj; 5454 5455 list_for_each_entry(obj, &table->objects, list) { 5456 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle && 5457 objtype == obj->ops->type->type && 5458 nft_active_genmask(obj, genmask)) 5459 return obj; 5460 } 5461 return ERR_PTR(-ENOENT); 5462 } 5463 5464 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = { 5465 [NFTA_OBJ_TABLE] = { .type = NLA_STRING, 5466 .len = NFT_TABLE_MAXNAMELEN - 1 }, 5467 [NFTA_OBJ_NAME] = { .type = NLA_STRING, 5468 .len = NFT_OBJ_MAXNAMELEN - 1 }, 5469 [NFTA_OBJ_TYPE] = { .type = NLA_U32 }, 5470 [NFTA_OBJ_DATA] = { .type = NLA_NESTED }, 5471 [NFTA_OBJ_HANDLE] = { .type = NLA_U64}, 5472 }; 5473 5474 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx, 5475 const struct nft_object_type *type, 5476 const struct nlattr *attr) 5477 { 5478 struct nlattr **tb; 5479 const struct nft_object_ops *ops; 5480 struct nft_object *obj; 5481 int err = -ENOMEM; 5482 5483 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL); 5484 if (!tb) 5485 goto err1; 5486 5487 if (attr) { 5488 err = nla_parse_nested_deprecated(tb, type->maxattr, attr, 5489 type->policy, NULL); 5490 if (err < 0) 5491 goto err2; 5492 } else { 5493 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1)); 5494 } 5495 5496 if (type->select_ops) { 5497 ops = type->select_ops(ctx, (const struct nlattr * const *)tb); 5498 if (IS_ERR(ops)) { 5499 err = PTR_ERR(ops); 5500 goto err2; 5501 } 5502 } else { 5503 ops = type->ops; 5504 } 5505 5506 err = -ENOMEM; 5507 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL); 5508 if (!obj) 5509 goto err2; 5510 5511 err = ops->init(ctx, (const struct nlattr * const *)tb, obj); 5512 if (err < 0) 5513 goto err3; 5514 5515 obj->ops = ops; 5516 5517 kfree(tb); 5518 return obj; 5519 err3: 5520 kfree(obj); 5521 err2: 5522 kfree(tb); 5523 err1: 5524 return ERR_PTR(err); 5525 } 5526 5527 static int nft_object_dump(struct sk_buff *skb, unsigned int attr, 5528 struct nft_object *obj, bool reset) 5529 { 5530 struct nlattr *nest; 5531 5532 nest = nla_nest_start_noflag(skb, attr); 5533 if (!nest) 5534 goto nla_put_failure; 5535 if (obj->ops->dump(skb, obj, reset) < 0) 5536 goto nla_put_failure; 5537 nla_nest_end(skb, nest); 5538 return 0; 5539 5540 nla_put_failure: 5541 return -1; 5542 } 5543 5544 static const struct nft_object_type *__nft_obj_type_get(u32 objtype) 5545 { 5546 const struct nft_object_type *type; 5547 5548 list_for_each_entry(type, &nf_tables_objects, list) { 5549 if (objtype == type->type) 5550 return type; 5551 } 5552 return NULL; 5553 } 5554 5555 static const struct nft_object_type * 5556 nft_obj_type_get(struct net *net, u32 objtype) 5557 { 5558 const struct nft_object_type *type; 5559 5560 type = __nft_obj_type_get(objtype); 5561 if (type != NULL && try_module_get(type->owner)) 5562 return type; 5563 5564 lockdep_nfnl_nft_mutex_not_held(); 5565 #ifdef CONFIG_MODULES 5566 if (type == NULL) { 5567 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN) 5568 return ERR_PTR(-EAGAIN); 5569 } 5570 #endif 5571 return ERR_PTR(-ENOENT); 5572 } 5573 5574 static int nf_tables_updobj(const struct nft_ctx *ctx, 5575 const struct nft_object_type *type, 5576 const struct nlattr *attr, 5577 struct nft_object *obj) 5578 { 5579 struct nft_object *newobj; 5580 struct nft_trans *trans; 5581 int err; 5582 5583 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ, 5584 sizeof(struct nft_trans_obj)); 5585 if (!trans) 5586 return -ENOMEM; 5587 5588 newobj = nft_obj_init(ctx, type, attr); 5589 if (IS_ERR(newobj)) { 5590 err = PTR_ERR(newobj); 5591 goto err_free_trans; 5592 } 5593 5594 nft_trans_obj(trans) = obj; 5595 nft_trans_obj_update(trans) = true; 5596 nft_trans_obj_newobj(trans) = newobj; 5597 list_add_tail(&trans->list, &ctx->net->nft.commit_list); 5598 5599 return 0; 5600 5601 err_free_trans: 5602 kfree(trans); 5603 return err; 5604 } 5605 5606 static int nf_tables_newobj(struct net *net, struct sock *nlsk, 5607 struct sk_buff *skb, const struct nlmsghdr *nlh, 5608 const struct nlattr * const nla[], 5609 struct netlink_ext_ack *extack) 5610 { 5611 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 5612 const struct nft_object_type *type; 5613 u8 genmask = nft_genmask_next(net); 5614 int family = nfmsg->nfgen_family; 5615 struct nft_table *table; 5616 struct nft_object *obj; 5617 struct nft_ctx ctx; 5618 u32 objtype; 5619 int err; 5620 5621 if (!nla[NFTA_OBJ_TYPE] || 5622 !nla[NFTA_OBJ_NAME] || 5623 !nla[NFTA_OBJ_DATA]) 5624 return -EINVAL; 5625 5626 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask); 5627 if (IS_ERR(table)) { 5628 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 5629 return PTR_ERR(table); 5630 } 5631 5632 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 5633 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask); 5634 if (IS_ERR(obj)) { 5635 err = PTR_ERR(obj); 5636 if (err != -ENOENT) { 5637 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 5638 return err; 5639 } 5640 } else { 5641 if (nlh->nlmsg_flags & NLM_F_EXCL) { 5642 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 5643 return -EEXIST; 5644 } 5645 if (nlh->nlmsg_flags & NLM_F_REPLACE) 5646 return -EOPNOTSUPP; 5647 5648 type = __nft_obj_type_get(objtype); 5649 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 5650 5651 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj); 5652 } 5653 5654 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 5655 5656 type = nft_obj_type_get(net, objtype); 5657 if (IS_ERR(type)) 5658 return PTR_ERR(type); 5659 5660 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]); 5661 if (IS_ERR(obj)) { 5662 err = PTR_ERR(obj); 5663 goto err1; 5664 } 5665 obj->key.table = table; 5666 obj->handle = nf_tables_alloc_handle(table); 5667 5668 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL); 5669 if (!obj->key.name) { 5670 err = -ENOMEM; 5671 goto err2; 5672 } 5673 5674 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj); 5675 if (err < 0) 5676 goto err3; 5677 5678 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead, 5679 nft_objname_ht_params); 5680 if (err < 0) 5681 goto err4; 5682 5683 list_add_tail_rcu(&obj->list, &table->objects); 5684 table->use++; 5685 return 0; 5686 err4: 5687 /* queued in transaction log */ 5688 INIT_LIST_HEAD(&obj->list); 5689 return err; 5690 err3: 5691 kfree(obj->key.name); 5692 err2: 5693 if (obj->ops->destroy) 5694 obj->ops->destroy(&ctx, obj); 5695 kfree(obj); 5696 err1: 5697 module_put(type->owner); 5698 return err; 5699 } 5700 5701 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net, 5702 u32 portid, u32 seq, int event, u32 flags, 5703 int family, const struct nft_table *table, 5704 struct nft_object *obj, bool reset) 5705 { 5706 struct nfgenmsg *nfmsg; 5707 struct nlmsghdr *nlh; 5708 5709 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 5710 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); 5711 if (nlh == NULL) 5712 goto nla_put_failure; 5713 5714 nfmsg = nlmsg_data(nlh); 5715 nfmsg->nfgen_family = family; 5716 nfmsg->version = NFNETLINK_V0; 5717 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 5718 5719 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) || 5720 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) || 5721 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) || 5722 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) || 5723 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) || 5724 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle), 5725 NFTA_OBJ_PAD)) 5726 goto nla_put_failure; 5727 5728 nlmsg_end(skb, nlh); 5729 return 0; 5730 5731 nla_put_failure: 5732 nlmsg_trim(skb, nlh); 5733 return -1; 5734 } 5735 5736 struct nft_obj_filter { 5737 char *table; 5738 u32 type; 5739 }; 5740 5741 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb) 5742 { 5743 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 5744 const struct nft_table *table; 5745 unsigned int idx = 0, s_idx = cb->args[0]; 5746 struct nft_obj_filter *filter = cb->data; 5747 struct net *net = sock_net(skb->sk); 5748 int family = nfmsg->nfgen_family; 5749 struct nft_object *obj; 5750 bool reset = false; 5751 5752 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET) 5753 reset = true; 5754 5755 rcu_read_lock(); 5756 cb->seq = net->nft.base_seq; 5757 5758 list_for_each_entry_rcu(table, &net->nft.tables, list) { 5759 if (family != NFPROTO_UNSPEC && family != table->family) 5760 continue; 5761 5762 list_for_each_entry_rcu(obj, &table->objects, list) { 5763 if (!nft_is_active(net, obj)) 5764 goto cont; 5765 if (idx < s_idx) 5766 goto cont; 5767 if (idx > s_idx) 5768 memset(&cb->args[1], 0, 5769 sizeof(cb->args) - sizeof(cb->args[0])); 5770 if (filter && filter->table && 5771 strcmp(filter->table, table->name)) 5772 goto cont; 5773 if (filter && 5774 filter->type != NFT_OBJECT_UNSPEC && 5775 obj->ops->type->type != filter->type) 5776 goto cont; 5777 5778 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid, 5779 cb->nlh->nlmsg_seq, 5780 NFT_MSG_NEWOBJ, 5781 NLM_F_MULTI | NLM_F_APPEND, 5782 table->family, table, 5783 obj, reset) < 0) 5784 goto done; 5785 5786 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 5787 cont: 5788 idx++; 5789 } 5790 } 5791 done: 5792 rcu_read_unlock(); 5793 5794 cb->args[0] = idx; 5795 return skb->len; 5796 } 5797 5798 static int nf_tables_dump_obj_start(struct netlink_callback *cb) 5799 { 5800 const struct nlattr * const *nla = cb->data; 5801 struct nft_obj_filter *filter = NULL; 5802 5803 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) { 5804 filter = kzalloc(sizeof(*filter), GFP_ATOMIC); 5805 if (!filter) 5806 return -ENOMEM; 5807 5808 if (nla[NFTA_OBJ_TABLE]) { 5809 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC); 5810 if (!filter->table) { 5811 kfree(filter); 5812 return -ENOMEM; 5813 } 5814 } 5815 5816 if (nla[NFTA_OBJ_TYPE]) 5817 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 5818 } 5819 5820 cb->data = filter; 5821 return 0; 5822 } 5823 5824 static int nf_tables_dump_obj_done(struct netlink_callback *cb) 5825 { 5826 struct nft_obj_filter *filter = cb->data; 5827 5828 if (filter) { 5829 kfree(filter->table); 5830 kfree(filter); 5831 } 5832 5833 return 0; 5834 } 5835 5836 /* called with rcu_read_lock held */ 5837 static int nf_tables_getobj(struct net *net, struct sock *nlsk, 5838 struct sk_buff *skb, const struct nlmsghdr *nlh, 5839 const struct nlattr * const nla[], 5840 struct netlink_ext_ack *extack) 5841 { 5842 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 5843 u8 genmask = nft_genmask_cur(net); 5844 int family = nfmsg->nfgen_family; 5845 const struct nft_table *table; 5846 struct nft_object *obj; 5847 struct sk_buff *skb2; 5848 bool reset = false; 5849 u32 objtype; 5850 int err; 5851 5852 if (nlh->nlmsg_flags & NLM_F_DUMP) { 5853 struct netlink_dump_control c = { 5854 .start = nf_tables_dump_obj_start, 5855 .dump = nf_tables_dump_obj, 5856 .done = nf_tables_dump_obj_done, 5857 .module = THIS_MODULE, 5858 .data = (void *)nla, 5859 }; 5860 5861 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 5862 } 5863 5864 if (!nla[NFTA_OBJ_NAME] || 5865 !nla[NFTA_OBJ_TYPE]) 5866 return -EINVAL; 5867 5868 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask); 5869 if (IS_ERR(table)) { 5870 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 5871 return PTR_ERR(table); 5872 } 5873 5874 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 5875 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask); 5876 if (IS_ERR(obj)) { 5877 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]); 5878 return PTR_ERR(obj); 5879 } 5880 5881 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 5882 if (!skb2) 5883 return -ENOMEM; 5884 5885 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET) 5886 reset = true; 5887 5888 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid, 5889 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0, 5890 family, table, obj, reset); 5891 if (err < 0) 5892 goto err; 5893 5894 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); 5895 err: 5896 kfree_skb(skb2); 5897 return err; 5898 } 5899 5900 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj) 5901 { 5902 if (obj->ops->destroy) 5903 obj->ops->destroy(ctx, obj); 5904 5905 module_put(obj->ops->type->owner); 5906 kfree(obj->key.name); 5907 kfree(obj); 5908 } 5909 5910 static int nf_tables_delobj(struct net *net, struct sock *nlsk, 5911 struct sk_buff *skb, const struct nlmsghdr *nlh, 5912 const struct nlattr * const nla[], 5913 struct netlink_ext_ack *extack) 5914 { 5915 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 5916 u8 genmask = nft_genmask_next(net); 5917 int family = nfmsg->nfgen_family; 5918 const struct nlattr *attr; 5919 struct nft_table *table; 5920 struct nft_object *obj; 5921 struct nft_ctx ctx; 5922 u32 objtype; 5923 5924 if (!nla[NFTA_OBJ_TYPE] || 5925 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE])) 5926 return -EINVAL; 5927 5928 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask); 5929 if (IS_ERR(table)) { 5930 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]); 5931 return PTR_ERR(table); 5932 } 5933 5934 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE])); 5935 if (nla[NFTA_OBJ_HANDLE]) { 5936 attr = nla[NFTA_OBJ_HANDLE]; 5937 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask); 5938 } else { 5939 attr = nla[NFTA_OBJ_NAME]; 5940 obj = nft_obj_lookup(net, table, attr, objtype, genmask); 5941 } 5942 5943 if (IS_ERR(obj)) { 5944 NL_SET_BAD_ATTR(extack, attr); 5945 return PTR_ERR(obj); 5946 } 5947 if (obj->use > 0) { 5948 NL_SET_BAD_ATTR(extack, attr); 5949 return -EBUSY; 5950 } 5951 5952 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 5953 5954 return nft_delobj(&ctx, obj); 5955 } 5956 5957 void nft_obj_notify(struct net *net, const struct nft_table *table, 5958 struct nft_object *obj, u32 portid, u32 seq, int event, 5959 int family, int report, gfp_t gfp) 5960 { 5961 struct sk_buff *skb; 5962 int err; 5963 5964 if (!report && 5965 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 5966 return; 5967 5968 skb = nlmsg_new(NLMSG_GOODSIZE, gfp); 5969 if (skb == NULL) 5970 goto err; 5971 5972 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family, 5973 table, obj, false); 5974 if (err < 0) { 5975 kfree_skb(skb); 5976 goto err; 5977 } 5978 5979 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp); 5980 return; 5981 err: 5982 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); 5983 } 5984 EXPORT_SYMBOL_GPL(nft_obj_notify); 5985 5986 static void nf_tables_obj_notify(const struct nft_ctx *ctx, 5987 struct nft_object *obj, int event) 5988 { 5989 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event, 5990 ctx->family, ctx->report, GFP_KERNEL); 5991 } 5992 5993 /* 5994 * Flow tables 5995 */ 5996 void nft_register_flowtable_type(struct nf_flowtable_type *type) 5997 { 5998 nfnl_lock(NFNL_SUBSYS_NFTABLES); 5999 list_add_tail_rcu(&type->list, &nf_tables_flowtables); 6000 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 6001 } 6002 EXPORT_SYMBOL_GPL(nft_register_flowtable_type); 6003 6004 void nft_unregister_flowtable_type(struct nf_flowtable_type *type) 6005 { 6006 nfnl_lock(NFNL_SUBSYS_NFTABLES); 6007 list_del_rcu(&type->list); 6008 nfnl_unlock(NFNL_SUBSYS_NFTABLES); 6009 } 6010 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type); 6011 6012 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = { 6013 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING, 6014 .len = NFT_NAME_MAXLEN - 1 }, 6015 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING, 6016 .len = NFT_NAME_MAXLEN - 1 }, 6017 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED }, 6018 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 }, 6019 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 }, 6020 }; 6021 6022 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table, 6023 const struct nlattr *nla, u8 genmask) 6024 { 6025 struct nft_flowtable *flowtable; 6026 6027 list_for_each_entry_rcu(flowtable, &table->flowtables, list) { 6028 if (!nla_strcmp(nla, flowtable->name) && 6029 nft_active_genmask(flowtable, genmask)) 6030 return flowtable; 6031 } 6032 return ERR_PTR(-ENOENT); 6033 } 6034 EXPORT_SYMBOL_GPL(nft_flowtable_lookup); 6035 6036 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx, 6037 struct nft_flowtable *flowtable, 6038 enum nft_trans_phase phase) 6039 { 6040 switch (phase) { 6041 case NFT_TRANS_PREPARE: 6042 case NFT_TRANS_ABORT: 6043 case NFT_TRANS_RELEASE: 6044 flowtable->use--; 6045 /* fall through */ 6046 default: 6047 return; 6048 } 6049 } 6050 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable); 6051 6052 static struct nft_flowtable * 6053 nft_flowtable_lookup_byhandle(const struct nft_table *table, 6054 const struct nlattr *nla, u8 genmask) 6055 { 6056 struct nft_flowtable *flowtable; 6057 6058 list_for_each_entry(flowtable, &table->flowtables, list) { 6059 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle && 6060 nft_active_genmask(flowtable, genmask)) 6061 return flowtable; 6062 } 6063 return ERR_PTR(-ENOENT); 6064 } 6065 6066 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = { 6067 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 }, 6068 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 }, 6069 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED }, 6070 }; 6071 6072 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx, 6073 const struct nlattr *attr, 6074 struct nft_flowtable *flowtable) 6075 { 6076 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1]; 6077 struct nft_hook *hook; 6078 int hooknum, priority; 6079 int err; 6080 6081 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr, 6082 nft_flowtable_hook_policy, NULL); 6083 if (err < 0) 6084 return err; 6085 6086 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] || 6087 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] || 6088 !tb[NFTA_FLOWTABLE_HOOK_DEVS]) 6089 return -EINVAL; 6090 6091 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM])); 6092 if (hooknum != NF_NETDEV_INGRESS) 6093 return -EINVAL; 6094 6095 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY])); 6096 6097 err = nf_tables_parse_netdev_hooks(ctx->net, 6098 tb[NFTA_FLOWTABLE_HOOK_DEVS], 6099 &flowtable->hook_list); 6100 if (err < 0) 6101 return err; 6102 6103 flowtable->hooknum = hooknum; 6104 flowtable->data.priority = priority; 6105 6106 list_for_each_entry(hook, &flowtable->hook_list, list) { 6107 hook->ops.pf = NFPROTO_NETDEV; 6108 hook->ops.hooknum = hooknum; 6109 hook->ops.priority = priority; 6110 hook->ops.priv = &flowtable->data; 6111 hook->ops.hook = flowtable->data.type->hook; 6112 } 6113 6114 return err; 6115 } 6116 6117 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family) 6118 { 6119 const struct nf_flowtable_type *type; 6120 6121 list_for_each_entry(type, &nf_tables_flowtables, list) { 6122 if (family == type->family) 6123 return type; 6124 } 6125 return NULL; 6126 } 6127 6128 static const struct nf_flowtable_type * 6129 nft_flowtable_type_get(struct net *net, u8 family) 6130 { 6131 const struct nf_flowtable_type *type; 6132 6133 type = __nft_flowtable_type_get(family); 6134 if (type != NULL && try_module_get(type->owner)) 6135 return type; 6136 6137 lockdep_nfnl_nft_mutex_not_held(); 6138 #ifdef CONFIG_MODULES 6139 if (type == NULL) { 6140 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN) 6141 return ERR_PTR(-EAGAIN); 6142 } 6143 #endif 6144 return ERR_PTR(-ENOENT); 6145 } 6146 6147 /* Only called from error and netdev event paths. */ 6148 static void nft_unregister_flowtable_hook(struct net *net, 6149 struct nft_flowtable *flowtable, 6150 struct nft_hook *hook) 6151 { 6152 nf_unregister_net_hook(net, &hook->ops); 6153 flowtable->data.type->setup(&flowtable->data, hook->ops.dev, 6154 FLOW_BLOCK_UNBIND); 6155 } 6156 6157 static void nft_unregister_flowtable_net_hooks(struct net *net, 6158 struct nft_flowtable *flowtable) 6159 { 6160 struct nft_hook *hook; 6161 6162 list_for_each_entry(hook, &flowtable->hook_list, list) 6163 nf_unregister_net_hook(net, &hook->ops); 6164 } 6165 6166 static int nft_register_flowtable_net_hooks(struct net *net, 6167 struct nft_table *table, 6168 struct nft_flowtable *flowtable) 6169 { 6170 struct nft_hook *hook, *hook2, *next; 6171 struct nft_flowtable *ft; 6172 int err, i = 0; 6173 6174 list_for_each_entry(hook, &flowtable->hook_list, list) { 6175 list_for_each_entry(ft, &table->flowtables, list) { 6176 list_for_each_entry(hook2, &ft->hook_list, list) { 6177 if (hook->ops.dev == hook2->ops.dev && 6178 hook->ops.pf == hook2->ops.pf) { 6179 err = -EBUSY; 6180 goto err_unregister_net_hooks; 6181 } 6182 } 6183 } 6184 6185 err = flowtable->data.type->setup(&flowtable->data, 6186 hook->ops.dev, 6187 FLOW_BLOCK_BIND); 6188 if (err < 0) 6189 goto err_unregister_net_hooks; 6190 6191 err = nf_register_net_hook(net, &hook->ops); 6192 if (err < 0) { 6193 flowtable->data.type->setup(&flowtable->data, 6194 hook->ops.dev, 6195 FLOW_BLOCK_UNBIND); 6196 goto err_unregister_net_hooks; 6197 } 6198 6199 i++; 6200 } 6201 6202 return 0; 6203 6204 err_unregister_net_hooks: 6205 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 6206 if (i-- <= 0) 6207 break; 6208 6209 nft_unregister_flowtable_hook(net, flowtable, hook); 6210 list_del_rcu(&hook->list); 6211 kfree_rcu(hook, rcu); 6212 } 6213 6214 return err; 6215 } 6216 6217 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk, 6218 struct sk_buff *skb, 6219 const struct nlmsghdr *nlh, 6220 const struct nlattr * const nla[], 6221 struct netlink_ext_ack *extack) 6222 { 6223 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 6224 const struct nf_flowtable_type *type; 6225 u8 genmask = nft_genmask_next(net); 6226 int family = nfmsg->nfgen_family; 6227 struct nft_flowtable *flowtable; 6228 struct nft_hook *hook, *next; 6229 struct nft_table *table; 6230 struct nft_ctx ctx; 6231 int err; 6232 6233 if (!nla[NFTA_FLOWTABLE_TABLE] || 6234 !nla[NFTA_FLOWTABLE_NAME] || 6235 !nla[NFTA_FLOWTABLE_HOOK]) 6236 return -EINVAL; 6237 6238 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 6239 genmask); 6240 if (IS_ERR(table)) { 6241 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 6242 return PTR_ERR(table); 6243 } 6244 6245 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME], 6246 genmask); 6247 if (IS_ERR(flowtable)) { 6248 err = PTR_ERR(flowtable); 6249 if (err != -ENOENT) { 6250 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 6251 return err; 6252 } 6253 } else { 6254 if (nlh->nlmsg_flags & NLM_F_EXCL) { 6255 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]); 6256 return -EEXIST; 6257 } 6258 6259 return 0; 6260 } 6261 6262 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 6263 6264 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL); 6265 if (!flowtable) 6266 return -ENOMEM; 6267 6268 flowtable->table = table; 6269 flowtable->handle = nf_tables_alloc_handle(table); 6270 INIT_LIST_HEAD(&flowtable->hook_list); 6271 6272 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL); 6273 if (!flowtable->name) { 6274 err = -ENOMEM; 6275 goto err1; 6276 } 6277 6278 type = nft_flowtable_type_get(net, family); 6279 if (IS_ERR(type)) { 6280 err = PTR_ERR(type); 6281 goto err2; 6282 } 6283 6284 if (nla[NFTA_FLOWTABLE_FLAGS]) { 6285 flowtable->data.flags = 6286 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS])); 6287 if (flowtable->data.flags & ~NF_FLOWTABLE_HW_OFFLOAD) 6288 goto err3; 6289 } 6290 6291 write_pnet(&flowtable->data.net, net); 6292 flowtable->data.type = type; 6293 err = type->init(&flowtable->data); 6294 if (err < 0) 6295 goto err3; 6296 6297 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK], 6298 flowtable); 6299 if (err < 0) 6300 goto err4; 6301 6302 err = nft_register_flowtable_net_hooks(ctx.net, table, flowtable); 6303 if (err < 0) 6304 goto err4; 6305 6306 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable); 6307 if (err < 0) 6308 goto err5; 6309 6310 list_add_tail_rcu(&flowtable->list, &table->flowtables); 6311 table->use++; 6312 6313 return 0; 6314 err5: 6315 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 6316 nft_unregister_flowtable_hook(net, flowtable, hook); 6317 list_del_rcu(&hook->list); 6318 kfree_rcu(hook, rcu); 6319 } 6320 err4: 6321 flowtable->data.type->free(&flowtable->data); 6322 err3: 6323 module_put(type->owner); 6324 err2: 6325 kfree(flowtable->name); 6326 err1: 6327 kfree(flowtable); 6328 return err; 6329 } 6330 6331 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk, 6332 struct sk_buff *skb, 6333 const struct nlmsghdr *nlh, 6334 const struct nlattr * const nla[], 6335 struct netlink_ext_ack *extack) 6336 { 6337 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 6338 u8 genmask = nft_genmask_next(net); 6339 int family = nfmsg->nfgen_family; 6340 struct nft_flowtable *flowtable; 6341 const struct nlattr *attr; 6342 struct nft_table *table; 6343 struct nft_ctx ctx; 6344 6345 if (!nla[NFTA_FLOWTABLE_TABLE] || 6346 (!nla[NFTA_FLOWTABLE_NAME] && 6347 !nla[NFTA_FLOWTABLE_HANDLE])) 6348 return -EINVAL; 6349 6350 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 6351 genmask); 6352 if (IS_ERR(table)) { 6353 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]); 6354 return PTR_ERR(table); 6355 } 6356 6357 if (nla[NFTA_FLOWTABLE_HANDLE]) { 6358 attr = nla[NFTA_FLOWTABLE_HANDLE]; 6359 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask); 6360 } else { 6361 attr = nla[NFTA_FLOWTABLE_NAME]; 6362 flowtable = nft_flowtable_lookup(table, attr, genmask); 6363 } 6364 6365 if (IS_ERR(flowtable)) { 6366 NL_SET_BAD_ATTR(extack, attr); 6367 return PTR_ERR(flowtable); 6368 } 6369 if (flowtable->use > 0) { 6370 NL_SET_BAD_ATTR(extack, attr); 6371 return -EBUSY; 6372 } 6373 6374 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); 6375 6376 return nft_delflowtable(&ctx, flowtable); 6377 } 6378 6379 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net, 6380 u32 portid, u32 seq, int event, 6381 u32 flags, int family, 6382 struct nft_flowtable *flowtable) 6383 { 6384 struct nlattr *nest, *nest_devs; 6385 struct nfgenmsg *nfmsg; 6386 struct nft_hook *hook; 6387 struct nlmsghdr *nlh; 6388 6389 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); 6390 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); 6391 if (nlh == NULL) 6392 goto nla_put_failure; 6393 6394 nfmsg = nlmsg_data(nlh); 6395 nfmsg->nfgen_family = family; 6396 nfmsg->version = NFNETLINK_V0; 6397 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 6398 6399 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) || 6400 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) || 6401 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) || 6402 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle), 6403 NFTA_FLOWTABLE_PAD) || 6404 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags))) 6405 goto nla_put_failure; 6406 6407 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK); 6408 if (!nest) 6409 goto nla_put_failure; 6410 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) || 6411 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority))) 6412 goto nla_put_failure; 6413 6414 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS); 6415 if (!nest_devs) 6416 goto nla_put_failure; 6417 6418 list_for_each_entry_rcu(hook, &flowtable->hook_list, list) { 6419 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name)) 6420 goto nla_put_failure; 6421 } 6422 nla_nest_end(skb, nest_devs); 6423 nla_nest_end(skb, nest); 6424 6425 nlmsg_end(skb, nlh); 6426 return 0; 6427 6428 nla_put_failure: 6429 nlmsg_trim(skb, nlh); 6430 return -1; 6431 } 6432 6433 struct nft_flowtable_filter { 6434 char *table; 6435 }; 6436 6437 static int nf_tables_dump_flowtable(struct sk_buff *skb, 6438 struct netlink_callback *cb) 6439 { 6440 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 6441 struct nft_flowtable_filter *filter = cb->data; 6442 unsigned int idx = 0, s_idx = cb->args[0]; 6443 struct net *net = sock_net(skb->sk); 6444 int family = nfmsg->nfgen_family; 6445 struct nft_flowtable *flowtable; 6446 const struct nft_table *table; 6447 6448 rcu_read_lock(); 6449 cb->seq = net->nft.base_seq; 6450 6451 list_for_each_entry_rcu(table, &net->nft.tables, list) { 6452 if (family != NFPROTO_UNSPEC && family != table->family) 6453 continue; 6454 6455 list_for_each_entry_rcu(flowtable, &table->flowtables, list) { 6456 if (!nft_is_active(net, flowtable)) 6457 goto cont; 6458 if (idx < s_idx) 6459 goto cont; 6460 if (idx > s_idx) 6461 memset(&cb->args[1], 0, 6462 sizeof(cb->args) - sizeof(cb->args[0])); 6463 if (filter && filter->table && 6464 strcmp(filter->table, table->name)) 6465 goto cont; 6466 6467 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid, 6468 cb->nlh->nlmsg_seq, 6469 NFT_MSG_NEWFLOWTABLE, 6470 NLM_F_MULTI | NLM_F_APPEND, 6471 table->family, flowtable) < 0) 6472 goto done; 6473 6474 nl_dump_check_consistent(cb, nlmsg_hdr(skb)); 6475 cont: 6476 idx++; 6477 } 6478 } 6479 done: 6480 rcu_read_unlock(); 6481 6482 cb->args[0] = idx; 6483 return skb->len; 6484 } 6485 6486 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb) 6487 { 6488 const struct nlattr * const *nla = cb->data; 6489 struct nft_flowtable_filter *filter = NULL; 6490 6491 if (nla[NFTA_FLOWTABLE_TABLE]) { 6492 filter = kzalloc(sizeof(*filter), GFP_ATOMIC); 6493 if (!filter) 6494 return -ENOMEM; 6495 6496 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE], 6497 GFP_ATOMIC); 6498 if (!filter->table) { 6499 kfree(filter); 6500 return -ENOMEM; 6501 } 6502 } 6503 6504 cb->data = filter; 6505 return 0; 6506 } 6507 6508 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb) 6509 { 6510 struct nft_flowtable_filter *filter = cb->data; 6511 6512 if (!filter) 6513 return 0; 6514 6515 kfree(filter->table); 6516 kfree(filter); 6517 6518 return 0; 6519 } 6520 6521 /* called with rcu_read_lock held */ 6522 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk, 6523 struct sk_buff *skb, 6524 const struct nlmsghdr *nlh, 6525 const struct nlattr * const nla[], 6526 struct netlink_ext_ack *extack) 6527 { 6528 const struct nfgenmsg *nfmsg = nlmsg_data(nlh); 6529 u8 genmask = nft_genmask_cur(net); 6530 int family = nfmsg->nfgen_family; 6531 struct nft_flowtable *flowtable; 6532 const struct nft_table *table; 6533 struct sk_buff *skb2; 6534 int err; 6535 6536 if (nlh->nlmsg_flags & NLM_F_DUMP) { 6537 struct netlink_dump_control c = { 6538 .start = nf_tables_dump_flowtable_start, 6539 .dump = nf_tables_dump_flowtable, 6540 .done = nf_tables_dump_flowtable_done, 6541 .module = THIS_MODULE, 6542 .data = (void *)nla, 6543 }; 6544 6545 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c); 6546 } 6547 6548 if (!nla[NFTA_FLOWTABLE_NAME]) 6549 return -EINVAL; 6550 6551 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family, 6552 genmask); 6553 if (IS_ERR(table)) 6554 return PTR_ERR(table); 6555 6556 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME], 6557 genmask); 6558 if (IS_ERR(flowtable)) 6559 return PTR_ERR(flowtable); 6560 6561 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 6562 if (!skb2) 6563 return -ENOMEM; 6564 6565 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid, 6566 nlh->nlmsg_seq, 6567 NFT_MSG_NEWFLOWTABLE, 0, family, 6568 flowtable); 6569 if (err < 0) 6570 goto err; 6571 6572 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); 6573 err: 6574 kfree_skb(skb2); 6575 return err; 6576 } 6577 6578 static void nf_tables_flowtable_notify(struct nft_ctx *ctx, 6579 struct nft_flowtable *flowtable, 6580 int event) 6581 { 6582 struct sk_buff *skb; 6583 int err; 6584 6585 if (ctx->report && 6586 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES)) 6587 return; 6588 6589 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 6590 if (skb == NULL) 6591 goto err; 6592 6593 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid, 6594 ctx->seq, event, 0, 6595 ctx->family, flowtable); 6596 if (err < 0) { 6597 kfree_skb(skb); 6598 goto err; 6599 } 6600 6601 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES, 6602 ctx->report, GFP_KERNEL); 6603 return; 6604 err: 6605 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); 6606 } 6607 6608 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable) 6609 { 6610 struct nft_hook *hook, *next; 6611 6612 flowtable->data.type->free(&flowtable->data); 6613 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) { 6614 flowtable->data.type->setup(&flowtable->data, hook->ops.dev, 6615 FLOW_BLOCK_UNBIND); 6616 list_del_rcu(&hook->list); 6617 kfree(hook); 6618 } 6619 kfree(flowtable->name); 6620 module_put(flowtable->data.type->owner); 6621 kfree(flowtable); 6622 } 6623 6624 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net, 6625 u32 portid, u32 seq) 6626 { 6627 struct nlmsghdr *nlh; 6628 struct nfgenmsg *nfmsg; 6629 char buf[TASK_COMM_LEN]; 6630 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN); 6631 6632 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0); 6633 if (nlh == NULL) 6634 goto nla_put_failure; 6635 6636 nfmsg = nlmsg_data(nlh); 6637 nfmsg->nfgen_family = AF_UNSPEC; 6638 nfmsg->version = NFNETLINK_V0; 6639 nfmsg->res_id = htons(net->nft.base_seq & 0xffff); 6640 6641 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) || 6642 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) || 6643 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current))) 6644 goto nla_put_failure; 6645 6646 nlmsg_end(skb, nlh); 6647 return 0; 6648 6649 nla_put_failure: 6650 nlmsg_trim(skb, nlh); 6651 return -EMSGSIZE; 6652 } 6653 6654 static void nft_flowtable_event(unsigned long event, struct net_device *dev, 6655 struct nft_flowtable *flowtable) 6656 { 6657 struct nft_hook *hook; 6658 6659 list_for_each_entry(hook, &flowtable->hook_list, list) { 6660 if (hook->ops.dev != dev) 6661 continue; 6662 6663 /* flow_offload_netdev_event() cleans up entries for us. */ 6664 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook); 6665 list_del_rcu(&hook->list); 6666 kfree_rcu(hook, rcu); 6667 break; 6668 } 6669 } 6670 6671 static int nf_tables_flowtable_event(struct notifier_block *this, 6672 unsigned long event, void *ptr) 6673 { 6674 struct net_device *dev = netdev_notifier_info_to_dev(ptr); 6675 struct nft_flowtable *flowtable; 6676 struct nft_table *table; 6677 struct net *net; 6678 6679 if (event != NETDEV_UNREGISTER) 6680 return 0; 6681 6682 net = dev_net(dev); 6683 mutex_lock(&net->nft.commit_mutex); 6684 list_for_each_entry(table, &net->nft.tables, list) { 6685 list_for_each_entry(flowtable, &table->flowtables, list) { 6686 nft_flowtable_event(event, dev, flowtable); 6687 } 6688 } 6689 mutex_unlock(&net->nft.commit_mutex); 6690 6691 return NOTIFY_DONE; 6692 } 6693 6694 static struct notifier_block nf_tables_flowtable_notifier = { 6695 .notifier_call = nf_tables_flowtable_event, 6696 }; 6697 6698 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb, 6699 int event) 6700 { 6701 struct nlmsghdr *nlh = nlmsg_hdr(skb); 6702 struct sk_buff *skb2; 6703 int err; 6704 6705 if (nlmsg_report(nlh) && 6706 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES)) 6707 return; 6708 6709 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); 6710 if (skb2 == NULL) 6711 goto err; 6712 6713 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid, 6714 nlh->nlmsg_seq); 6715 if (err < 0) { 6716 kfree_skb(skb2); 6717 goto err; 6718 } 6719 6720 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 6721 nlmsg_report(nlh), GFP_KERNEL); 6722 return; 6723 err: 6724 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES, 6725 -ENOBUFS); 6726 } 6727 6728 static int nf_tables_getgen(struct net *net, struct sock *nlsk, 6729 struct sk_buff *skb, const struct nlmsghdr *nlh, 6730 const struct nlattr * const nla[], 6731 struct netlink_ext_ack *extack) 6732 { 6733 struct sk_buff *skb2; 6734 int err; 6735 6736 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 6737 if (skb2 == NULL) 6738 return -ENOMEM; 6739 6740 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid, 6741 nlh->nlmsg_seq); 6742 if (err < 0) 6743 goto err; 6744 6745 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid); 6746 err: 6747 kfree_skb(skb2); 6748 return err; 6749 } 6750 6751 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = { 6752 [NFT_MSG_NEWTABLE] = { 6753 .call_batch = nf_tables_newtable, 6754 .attr_count = NFTA_TABLE_MAX, 6755 .policy = nft_table_policy, 6756 }, 6757 [NFT_MSG_GETTABLE] = { 6758 .call_rcu = nf_tables_gettable, 6759 .attr_count = NFTA_TABLE_MAX, 6760 .policy = nft_table_policy, 6761 }, 6762 [NFT_MSG_DELTABLE] = { 6763 .call_batch = nf_tables_deltable, 6764 .attr_count = NFTA_TABLE_MAX, 6765 .policy = nft_table_policy, 6766 }, 6767 [NFT_MSG_NEWCHAIN] = { 6768 .call_batch = nf_tables_newchain, 6769 .attr_count = NFTA_CHAIN_MAX, 6770 .policy = nft_chain_policy, 6771 }, 6772 [NFT_MSG_GETCHAIN] = { 6773 .call_rcu = nf_tables_getchain, 6774 .attr_count = NFTA_CHAIN_MAX, 6775 .policy = nft_chain_policy, 6776 }, 6777 [NFT_MSG_DELCHAIN] = { 6778 .call_batch = nf_tables_delchain, 6779 .attr_count = NFTA_CHAIN_MAX, 6780 .policy = nft_chain_policy, 6781 }, 6782 [NFT_MSG_NEWRULE] = { 6783 .call_batch = nf_tables_newrule, 6784 .attr_count = NFTA_RULE_MAX, 6785 .policy = nft_rule_policy, 6786 }, 6787 [NFT_MSG_GETRULE] = { 6788 .call_rcu = nf_tables_getrule, 6789 .attr_count = NFTA_RULE_MAX, 6790 .policy = nft_rule_policy, 6791 }, 6792 [NFT_MSG_DELRULE] = { 6793 .call_batch = nf_tables_delrule, 6794 .attr_count = NFTA_RULE_MAX, 6795 .policy = nft_rule_policy, 6796 }, 6797 [NFT_MSG_NEWSET] = { 6798 .call_batch = nf_tables_newset, 6799 .attr_count = NFTA_SET_MAX, 6800 .policy = nft_set_policy, 6801 }, 6802 [NFT_MSG_GETSET] = { 6803 .call_rcu = nf_tables_getset, 6804 .attr_count = NFTA_SET_MAX, 6805 .policy = nft_set_policy, 6806 }, 6807 [NFT_MSG_DELSET] = { 6808 .call_batch = nf_tables_delset, 6809 .attr_count = NFTA_SET_MAX, 6810 .policy = nft_set_policy, 6811 }, 6812 [NFT_MSG_NEWSETELEM] = { 6813 .call_batch = nf_tables_newsetelem, 6814 .attr_count = NFTA_SET_ELEM_LIST_MAX, 6815 .policy = nft_set_elem_list_policy, 6816 }, 6817 [NFT_MSG_GETSETELEM] = { 6818 .call_rcu = nf_tables_getsetelem, 6819 .attr_count = NFTA_SET_ELEM_LIST_MAX, 6820 .policy = nft_set_elem_list_policy, 6821 }, 6822 [NFT_MSG_DELSETELEM] = { 6823 .call_batch = nf_tables_delsetelem, 6824 .attr_count = NFTA_SET_ELEM_LIST_MAX, 6825 .policy = nft_set_elem_list_policy, 6826 }, 6827 [NFT_MSG_GETGEN] = { 6828 .call_rcu = nf_tables_getgen, 6829 }, 6830 [NFT_MSG_NEWOBJ] = { 6831 .call_batch = nf_tables_newobj, 6832 .attr_count = NFTA_OBJ_MAX, 6833 .policy = nft_obj_policy, 6834 }, 6835 [NFT_MSG_GETOBJ] = { 6836 .call_rcu = nf_tables_getobj, 6837 .attr_count = NFTA_OBJ_MAX, 6838 .policy = nft_obj_policy, 6839 }, 6840 [NFT_MSG_DELOBJ] = { 6841 .call_batch = nf_tables_delobj, 6842 .attr_count = NFTA_OBJ_MAX, 6843 .policy = nft_obj_policy, 6844 }, 6845 [NFT_MSG_GETOBJ_RESET] = { 6846 .call_rcu = nf_tables_getobj, 6847 .attr_count = NFTA_OBJ_MAX, 6848 .policy = nft_obj_policy, 6849 }, 6850 [NFT_MSG_NEWFLOWTABLE] = { 6851 .call_batch = nf_tables_newflowtable, 6852 .attr_count = NFTA_FLOWTABLE_MAX, 6853 .policy = nft_flowtable_policy, 6854 }, 6855 [NFT_MSG_GETFLOWTABLE] = { 6856 .call_rcu = nf_tables_getflowtable, 6857 .attr_count = NFTA_FLOWTABLE_MAX, 6858 .policy = nft_flowtable_policy, 6859 }, 6860 [NFT_MSG_DELFLOWTABLE] = { 6861 .call_batch = nf_tables_delflowtable, 6862 .attr_count = NFTA_FLOWTABLE_MAX, 6863 .policy = nft_flowtable_policy, 6864 }, 6865 }; 6866 6867 static int nf_tables_validate(struct net *net) 6868 { 6869 struct nft_table *table; 6870 6871 switch (net->nft.validate_state) { 6872 case NFT_VALIDATE_SKIP: 6873 break; 6874 case NFT_VALIDATE_NEED: 6875 nft_validate_state_update(net, NFT_VALIDATE_DO); 6876 /* fall through */ 6877 case NFT_VALIDATE_DO: 6878 list_for_each_entry(table, &net->nft.tables, list) { 6879 if (nft_table_validate(net, table) < 0) 6880 return -EAGAIN; 6881 } 6882 break; 6883 } 6884 6885 return 0; 6886 } 6887 6888 /* a drop policy has to be deferred until all rules have been activated, 6889 * otherwise a large ruleset that contains a drop-policy base chain will 6890 * cause all packets to get dropped until the full transaction has been 6891 * processed. 6892 * 6893 * We defer the drop policy until the transaction has been finalized. 6894 */ 6895 static void nft_chain_commit_drop_policy(struct nft_trans *trans) 6896 { 6897 struct nft_base_chain *basechain; 6898 6899 if (nft_trans_chain_policy(trans) != NF_DROP) 6900 return; 6901 6902 if (!nft_is_base_chain(trans->ctx.chain)) 6903 return; 6904 6905 basechain = nft_base_chain(trans->ctx.chain); 6906 basechain->policy = NF_DROP; 6907 } 6908 6909 static void nft_chain_commit_update(struct nft_trans *trans) 6910 { 6911 struct nft_base_chain *basechain; 6912 6913 if (nft_trans_chain_name(trans)) { 6914 rhltable_remove(&trans->ctx.table->chains_ht, 6915 &trans->ctx.chain->rhlhead, 6916 nft_chain_ht_params); 6917 swap(trans->ctx.chain->name, nft_trans_chain_name(trans)); 6918 rhltable_insert_key(&trans->ctx.table->chains_ht, 6919 trans->ctx.chain->name, 6920 &trans->ctx.chain->rhlhead, 6921 nft_chain_ht_params); 6922 } 6923 6924 if (!nft_is_base_chain(trans->ctx.chain)) 6925 return; 6926 6927 nft_chain_stats_replace(trans); 6928 6929 basechain = nft_base_chain(trans->ctx.chain); 6930 6931 switch (nft_trans_chain_policy(trans)) { 6932 case NF_DROP: 6933 case NF_ACCEPT: 6934 basechain->policy = nft_trans_chain_policy(trans); 6935 break; 6936 } 6937 } 6938 6939 static void nft_obj_commit_update(struct nft_trans *trans) 6940 { 6941 struct nft_object *newobj; 6942 struct nft_object *obj; 6943 6944 obj = nft_trans_obj(trans); 6945 newobj = nft_trans_obj_newobj(trans); 6946 6947 if (obj->ops->update) 6948 obj->ops->update(obj, newobj); 6949 6950 kfree(newobj); 6951 } 6952 6953 static void nft_commit_release(struct nft_trans *trans) 6954 { 6955 switch (trans->msg_type) { 6956 case NFT_MSG_DELTABLE: 6957 nf_tables_table_destroy(&trans->ctx); 6958 break; 6959 case NFT_MSG_NEWCHAIN: 6960 free_percpu(nft_trans_chain_stats(trans)); 6961 kfree(nft_trans_chain_name(trans)); 6962 break; 6963 case NFT_MSG_DELCHAIN: 6964 nf_tables_chain_destroy(&trans->ctx); 6965 break; 6966 case NFT_MSG_DELRULE: 6967 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); 6968 break; 6969 case NFT_MSG_DELSET: 6970 nft_set_destroy(nft_trans_set(trans)); 6971 break; 6972 case NFT_MSG_DELSETELEM: 6973 nf_tables_set_elem_destroy(&trans->ctx, 6974 nft_trans_elem_set(trans), 6975 nft_trans_elem(trans).priv); 6976 break; 6977 case NFT_MSG_DELOBJ: 6978 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans)); 6979 break; 6980 case NFT_MSG_DELFLOWTABLE: 6981 nf_tables_flowtable_destroy(nft_trans_flowtable(trans)); 6982 break; 6983 } 6984 6985 if (trans->put_net) 6986 put_net(trans->ctx.net); 6987 6988 kfree(trans); 6989 } 6990 6991 static void nf_tables_trans_destroy_work(struct work_struct *w) 6992 { 6993 struct nft_trans *trans, *next; 6994 LIST_HEAD(head); 6995 6996 spin_lock(&nf_tables_destroy_list_lock); 6997 list_splice_init(&nf_tables_destroy_list, &head); 6998 spin_unlock(&nf_tables_destroy_list_lock); 6999 7000 if (list_empty(&head)) 7001 return; 7002 7003 synchronize_rcu(); 7004 7005 list_for_each_entry_safe(trans, next, &head, list) { 7006 list_del(&trans->list); 7007 nft_commit_release(trans); 7008 } 7009 } 7010 7011 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain) 7012 { 7013 struct nft_rule *rule; 7014 unsigned int alloc = 0; 7015 int i; 7016 7017 /* already handled or inactive chain? */ 7018 if (chain->rules_next || !nft_is_active_next(net, chain)) 7019 return 0; 7020 7021 rule = list_entry(&chain->rules, struct nft_rule, list); 7022 i = 0; 7023 7024 list_for_each_entry_continue(rule, &chain->rules, list) { 7025 if (nft_is_active_next(net, rule)) 7026 alloc++; 7027 } 7028 7029 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc); 7030 if (!chain->rules_next) 7031 return -ENOMEM; 7032 7033 list_for_each_entry_continue(rule, &chain->rules, list) { 7034 if (nft_is_active_next(net, rule)) 7035 chain->rules_next[i++] = rule; 7036 } 7037 7038 chain->rules_next[i] = NULL; 7039 return 0; 7040 } 7041 7042 static void nf_tables_commit_chain_prepare_cancel(struct net *net) 7043 { 7044 struct nft_trans *trans, *next; 7045 7046 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { 7047 struct nft_chain *chain = trans->ctx.chain; 7048 7049 if (trans->msg_type == NFT_MSG_NEWRULE || 7050 trans->msg_type == NFT_MSG_DELRULE) { 7051 kvfree(chain->rules_next); 7052 chain->rules_next = NULL; 7053 } 7054 } 7055 } 7056 7057 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h) 7058 { 7059 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h); 7060 7061 kvfree(o->start); 7062 } 7063 7064 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules) 7065 { 7066 struct nft_rule **r = rules; 7067 struct nft_rules_old *old; 7068 7069 while (*r) 7070 r++; 7071 7072 r++; /* rcu_head is after end marker */ 7073 old = (void *) r; 7074 old->start = rules; 7075 7076 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old); 7077 } 7078 7079 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain) 7080 { 7081 struct nft_rule **g0, **g1; 7082 bool next_genbit; 7083 7084 next_genbit = nft_gencursor_next(net); 7085 7086 g0 = rcu_dereference_protected(chain->rules_gen_0, 7087 lockdep_commit_lock_is_held(net)); 7088 g1 = rcu_dereference_protected(chain->rules_gen_1, 7089 lockdep_commit_lock_is_held(net)); 7090 7091 /* No changes to this chain? */ 7092 if (chain->rules_next == NULL) { 7093 /* chain had no change in last or next generation */ 7094 if (g0 == g1) 7095 return; 7096 /* 7097 * chain had no change in this generation; make sure next 7098 * one uses same rules as current generation. 7099 */ 7100 if (next_genbit) { 7101 rcu_assign_pointer(chain->rules_gen_1, g0); 7102 nf_tables_commit_chain_free_rules_old(g1); 7103 } else { 7104 rcu_assign_pointer(chain->rules_gen_0, g1); 7105 nf_tables_commit_chain_free_rules_old(g0); 7106 } 7107 7108 return; 7109 } 7110 7111 if (next_genbit) 7112 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next); 7113 else 7114 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next); 7115 7116 chain->rules_next = NULL; 7117 7118 if (g0 == g1) 7119 return; 7120 7121 if (next_genbit) 7122 nf_tables_commit_chain_free_rules_old(g1); 7123 else 7124 nf_tables_commit_chain_free_rules_old(g0); 7125 } 7126 7127 static void nft_obj_del(struct nft_object *obj) 7128 { 7129 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params); 7130 list_del_rcu(&obj->list); 7131 } 7132 7133 static void nft_chain_del(struct nft_chain *chain) 7134 { 7135 struct nft_table *table = chain->table; 7136 7137 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead, 7138 nft_chain_ht_params)); 7139 list_del_rcu(&chain->list); 7140 } 7141 7142 static void nf_tables_module_autoload_cleanup(struct net *net) 7143 { 7144 struct nft_module_request *req, *next; 7145 7146 WARN_ON_ONCE(!list_empty(&net->nft.commit_list)); 7147 list_for_each_entry_safe(req, next, &net->nft.module_list, list) { 7148 WARN_ON_ONCE(!req->done); 7149 list_del(&req->list); 7150 kfree(req); 7151 } 7152 } 7153 7154 static void nf_tables_commit_release(struct net *net) 7155 { 7156 struct nft_trans *trans; 7157 7158 /* all side effects have to be made visible. 7159 * For example, if a chain named 'foo' has been deleted, a 7160 * new transaction must not find it anymore. 7161 * 7162 * Memory reclaim happens asynchronously from work queue 7163 * to prevent expensive synchronize_rcu() in commit phase. 7164 */ 7165 if (list_empty(&net->nft.commit_list)) { 7166 nf_tables_module_autoload_cleanup(net); 7167 mutex_unlock(&net->nft.commit_mutex); 7168 return; 7169 } 7170 7171 trans = list_last_entry(&net->nft.commit_list, 7172 struct nft_trans, list); 7173 get_net(trans->ctx.net); 7174 WARN_ON_ONCE(trans->put_net); 7175 7176 trans->put_net = true; 7177 spin_lock(&nf_tables_destroy_list_lock); 7178 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list); 7179 spin_unlock(&nf_tables_destroy_list_lock); 7180 7181 nf_tables_module_autoload_cleanup(net); 7182 mutex_unlock(&net->nft.commit_mutex); 7183 7184 schedule_work(&trans_destroy_work); 7185 } 7186 7187 static int nf_tables_commit(struct net *net, struct sk_buff *skb) 7188 { 7189 struct nft_trans *trans, *next; 7190 struct nft_trans_elem *te; 7191 struct nft_chain *chain; 7192 struct nft_table *table; 7193 int err; 7194 7195 if (list_empty(&net->nft.commit_list)) { 7196 mutex_unlock(&net->nft.commit_mutex); 7197 return 0; 7198 } 7199 7200 /* 0. Validate ruleset, otherwise roll back for error reporting. */ 7201 if (nf_tables_validate(net) < 0) 7202 return -EAGAIN; 7203 7204 err = nft_flow_rule_offload_commit(net); 7205 if (err < 0) 7206 return err; 7207 7208 /* 1. Allocate space for next generation rules_gen_X[] */ 7209 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { 7210 int ret; 7211 7212 if (trans->msg_type == NFT_MSG_NEWRULE || 7213 trans->msg_type == NFT_MSG_DELRULE) { 7214 chain = trans->ctx.chain; 7215 7216 ret = nf_tables_commit_chain_prepare(net, chain); 7217 if (ret < 0) { 7218 nf_tables_commit_chain_prepare_cancel(net); 7219 return ret; 7220 } 7221 } 7222 } 7223 7224 /* step 2. Make rules_gen_X visible to packet path */ 7225 list_for_each_entry(table, &net->nft.tables, list) { 7226 list_for_each_entry(chain, &table->chains, list) 7227 nf_tables_commit_chain(net, chain); 7228 } 7229 7230 /* 7231 * Bump generation counter, invalidate any dump in progress. 7232 * Cannot fail after this point. 7233 */ 7234 while (++net->nft.base_seq == 0); 7235 7236 /* step 3. Start new generation, rules_gen_X now in use. */ 7237 net->nft.gencursor = nft_gencursor_next(net); 7238 7239 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { 7240 switch (trans->msg_type) { 7241 case NFT_MSG_NEWTABLE: 7242 if (nft_trans_table_update(trans)) { 7243 if (!nft_trans_table_enable(trans)) { 7244 nf_tables_table_disable(net, 7245 trans->ctx.table); 7246 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT; 7247 } 7248 } else { 7249 nft_clear(net, trans->ctx.table); 7250 } 7251 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE); 7252 nft_trans_destroy(trans); 7253 break; 7254 case NFT_MSG_DELTABLE: 7255 list_del_rcu(&trans->ctx.table->list); 7256 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE); 7257 break; 7258 case NFT_MSG_NEWCHAIN: 7259 if (nft_trans_chain_update(trans)) { 7260 nft_chain_commit_update(trans); 7261 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN); 7262 /* trans destroyed after rcu grace period */ 7263 } else { 7264 nft_chain_commit_drop_policy(trans); 7265 nft_clear(net, trans->ctx.chain); 7266 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN); 7267 nft_trans_destroy(trans); 7268 } 7269 break; 7270 case NFT_MSG_DELCHAIN: 7271 nft_chain_del(trans->ctx.chain); 7272 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN); 7273 nf_tables_unregister_hook(trans->ctx.net, 7274 trans->ctx.table, 7275 trans->ctx.chain); 7276 break; 7277 case NFT_MSG_NEWRULE: 7278 nft_clear(trans->ctx.net, nft_trans_rule(trans)); 7279 nf_tables_rule_notify(&trans->ctx, 7280 nft_trans_rule(trans), 7281 NFT_MSG_NEWRULE); 7282 nft_trans_destroy(trans); 7283 break; 7284 case NFT_MSG_DELRULE: 7285 list_del_rcu(&nft_trans_rule(trans)->list); 7286 nf_tables_rule_notify(&trans->ctx, 7287 nft_trans_rule(trans), 7288 NFT_MSG_DELRULE); 7289 nft_rule_expr_deactivate(&trans->ctx, 7290 nft_trans_rule(trans), 7291 NFT_TRANS_COMMIT); 7292 break; 7293 case NFT_MSG_NEWSET: 7294 nft_clear(net, nft_trans_set(trans)); 7295 /* This avoids hitting -EBUSY when deleting the table 7296 * from the transaction. 7297 */ 7298 if (nft_set_is_anonymous(nft_trans_set(trans)) && 7299 !list_empty(&nft_trans_set(trans)->bindings)) 7300 trans->ctx.table->use--; 7301 7302 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans), 7303 NFT_MSG_NEWSET, GFP_KERNEL); 7304 nft_trans_destroy(trans); 7305 break; 7306 case NFT_MSG_DELSET: 7307 list_del_rcu(&nft_trans_set(trans)->list); 7308 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans), 7309 NFT_MSG_DELSET, GFP_KERNEL); 7310 break; 7311 case NFT_MSG_NEWSETELEM: 7312 te = (struct nft_trans_elem *)trans->data; 7313 7314 te->set->ops->activate(net, te->set, &te->elem); 7315 nf_tables_setelem_notify(&trans->ctx, te->set, 7316 &te->elem, 7317 NFT_MSG_NEWSETELEM, 0); 7318 nft_trans_destroy(trans); 7319 break; 7320 case NFT_MSG_DELSETELEM: 7321 te = (struct nft_trans_elem *)trans->data; 7322 7323 nf_tables_setelem_notify(&trans->ctx, te->set, 7324 &te->elem, 7325 NFT_MSG_DELSETELEM, 0); 7326 te->set->ops->remove(net, te->set, &te->elem); 7327 atomic_dec(&te->set->nelems); 7328 te->set->ndeact--; 7329 break; 7330 case NFT_MSG_NEWOBJ: 7331 if (nft_trans_obj_update(trans)) { 7332 nft_obj_commit_update(trans); 7333 nf_tables_obj_notify(&trans->ctx, 7334 nft_trans_obj(trans), 7335 NFT_MSG_NEWOBJ); 7336 } else { 7337 nft_clear(net, nft_trans_obj(trans)); 7338 nf_tables_obj_notify(&trans->ctx, 7339 nft_trans_obj(trans), 7340 NFT_MSG_NEWOBJ); 7341 nft_trans_destroy(trans); 7342 } 7343 break; 7344 case NFT_MSG_DELOBJ: 7345 nft_obj_del(nft_trans_obj(trans)); 7346 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans), 7347 NFT_MSG_DELOBJ); 7348 break; 7349 case NFT_MSG_NEWFLOWTABLE: 7350 nft_clear(net, nft_trans_flowtable(trans)); 7351 nf_tables_flowtable_notify(&trans->ctx, 7352 nft_trans_flowtable(trans), 7353 NFT_MSG_NEWFLOWTABLE); 7354 nft_trans_destroy(trans); 7355 break; 7356 case NFT_MSG_DELFLOWTABLE: 7357 list_del_rcu(&nft_trans_flowtable(trans)->list); 7358 nf_tables_flowtable_notify(&trans->ctx, 7359 nft_trans_flowtable(trans), 7360 NFT_MSG_DELFLOWTABLE); 7361 nft_unregister_flowtable_net_hooks(net, 7362 nft_trans_flowtable(trans)); 7363 break; 7364 } 7365 } 7366 7367 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); 7368 nf_tables_commit_release(net); 7369 7370 return 0; 7371 } 7372 7373 static void nf_tables_module_autoload(struct net *net) 7374 { 7375 struct nft_module_request *req, *next; 7376 LIST_HEAD(module_list); 7377 7378 list_splice_init(&net->nft.module_list, &module_list); 7379 mutex_unlock(&net->nft.commit_mutex); 7380 list_for_each_entry_safe(req, next, &module_list, list) { 7381 if (req->done) { 7382 list_del(&req->list); 7383 kfree(req); 7384 } else { 7385 request_module("%s", req->module); 7386 req->done = true; 7387 } 7388 } 7389 mutex_lock(&net->nft.commit_mutex); 7390 list_splice(&module_list, &net->nft.module_list); 7391 } 7392 7393 static void nf_tables_abort_release(struct nft_trans *trans) 7394 { 7395 switch (trans->msg_type) { 7396 case NFT_MSG_NEWTABLE: 7397 nf_tables_table_destroy(&trans->ctx); 7398 break; 7399 case NFT_MSG_NEWCHAIN: 7400 nf_tables_chain_destroy(&trans->ctx); 7401 break; 7402 case NFT_MSG_NEWRULE: 7403 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans)); 7404 break; 7405 case NFT_MSG_NEWSET: 7406 nft_set_destroy(nft_trans_set(trans)); 7407 break; 7408 case NFT_MSG_NEWSETELEM: 7409 nft_set_elem_destroy(nft_trans_elem_set(trans), 7410 nft_trans_elem(trans).priv, true); 7411 break; 7412 case NFT_MSG_NEWOBJ: 7413 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans)); 7414 break; 7415 case NFT_MSG_NEWFLOWTABLE: 7416 nf_tables_flowtable_destroy(nft_trans_flowtable(trans)); 7417 break; 7418 } 7419 kfree(trans); 7420 } 7421 7422 static int __nf_tables_abort(struct net *net, bool autoload) 7423 { 7424 struct nft_trans *trans, *next; 7425 struct nft_trans_elem *te; 7426 7427 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list, 7428 list) { 7429 switch (trans->msg_type) { 7430 case NFT_MSG_NEWTABLE: 7431 if (nft_trans_table_update(trans)) { 7432 if (nft_trans_table_enable(trans)) { 7433 nf_tables_table_disable(net, 7434 trans->ctx.table); 7435 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT; 7436 } 7437 nft_trans_destroy(trans); 7438 } else { 7439 list_del_rcu(&trans->ctx.table->list); 7440 } 7441 break; 7442 case NFT_MSG_DELTABLE: 7443 nft_clear(trans->ctx.net, trans->ctx.table); 7444 nft_trans_destroy(trans); 7445 break; 7446 case NFT_MSG_NEWCHAIN: 7447 if (nft_trans_chain_update(trans)) { 7448 free_percpu(nft_trans_chain_stats(trans)); 7449 kfree(nft_trans_chain_name(trans)); 7450 nft_trans_destroy(trans); 7451 } else { 7452 trans->ctx.table->use--; 7453 nft_chain_del(trans->ctx.chain); 7454 nf_tables_unregister_hook(trans->ctx.net, 7455 trans->ctx.table, 7456 trans->ctx.chain); 7457 } 7458 break; 7459 case NFT_MSG_DELCHAIN: 7460 trans->ctx.table->use++; 7461 nft_clear(trans->ctx.net, trans->ctx.chain); 7462 nft_trans_destroy(trans); 7463 break; 7464 case NFT_MSG_NEWRULE: 7465 trans->ctx.chain->use--; 7466 list_del_rcu(&nft_trans_rule(trans)->list); 7467 nft_rule_expr_deactivate(&trans->ctx, 7468 nft_trans_rule(trans), 7469 NFT_TRANS_ABORT); 7470 break; 7471 case NFT_MSG_DELRULE: 7472 trans->ctx.chain->use++; 7473 nft_clear(trans->ctx.net, nft_trans_rule(trans)); 7474 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans)); 7475 nft_trans_destroy(trans); 7476 break; 7477 case NFT_MSG_NEWSET: 7478 trans->ctx.table->use--; 7479 if (nft_trans_set_bound(trans)) { 7480 nft_trans_destroy(trans); 7481 break; 7482 } 7483 list_del_rcu(&nft_trans_set(trans)->list); 7484 break; 7485 case NFT_MSG_DELSET: 7486 trans->ctx.table->use++; 7487 nft_clear(trans->ctx.net, nft_trans_set(trans)); 7488 nft_trans_destroy(trans); 7489 break; 7490 case NFT_MSG_NEWSETELEM: 7491 if (nft_trans_elem_set_bound(trans)) { 7492 nft_trans_destroy(trans); 7493 break; 7494 } 7495 te = (struct nft_trans_elem *)trans->data; 7496 te->set->ops->remove(net, te->set, &te->elem); 7497 atomic_dec(&te->set->nelems); 7498 break; 7499 case NFT_MSG_DELSETELEM: 7500 te = (struct nft_trans_elem *)trans->data; 7501 7502 nft_set_elem_activate(net, te->set, &te->elem); 7503 te->set->ops->activate(net, te->set, &te->elem); 7504 te->set->ndeact--; 7505 7506 nft_trans_destroy(trans); 7507 break; 7508 case NFT_MSG_NEWOBJ: 7509 if (nft_trans_obj_update(trans)) { 7510 kfree(nft_trans_obj_newobj(trans)); 7511 nft_trans_destroy(trans); 7512 } else { 7513 trans->ctx.table->use--; 7514 nft_obj_del(nft_trans_obj(trans)); 7515 } 7516 break; 7517 case NFT_MSG_DELOBJ: 7518 trans->ctx.table->use++; 7519 nft_clear(trans->ctx.net, nft_trans_obj(trans)); 7520 nft_trans_destroy(trans); 7521 break; 7522 case NFT_MSG_NEWFLOWTABLE: 7523 trans->ctx.table->use--; 7524 list_del_rcu(&nft_trans_flowtable(trans)->list); 7525 nft_unregister_flowtable_net_hooks(net, 7526 nft_trans_flowtable(trans)); 7527 break; 7528 case NFT_MSG_DELFLOWTABLE: 7529 trans->ctx.table->use++; 7530 nft_clear(trans->ctx.net, nft_trans_flowtable(trans)); 7531 nft_trans_destroy(trans); 7532 break; 7533 } 7534 } 7535 7536 synchronize_rcu(); 7537 7538 list_for_each_entry_safe_reverse(trans, next, 7539 &net->nft.commit_list, list) { 7540 list_del(&trans->list); 7541 nf_tables_abort_release(trans); 7542 } 7543 7544 if (autoload) 7545 nf_tables_module_autoload(net); 7546 else 7547 nf_tables_module_autoload_cleanup(net); 7548 7549 return 0; 7550 } 7551 7552 static void nf_tables_cleanup(struct net *net) 7553 { 7554 nft_validate_state_update(net, NFT_VALIDATE_SKIP); 7555 } 7556 7557 static int nf_tables_abort(struct net *net, struct sk_buff *skb, bool autoload) 7558 { 7559 int ret = __nf_tables_abort(net, autoload); 7560 7561 mutex_unlock(&net->nft.commit_mutex); 7562 7563 return ret; 7564 } 7565 7566 static bool nf_tables_valid_genid(struct net *net, u32 genid) 7567 { 7568 bool genid_ok; 7569 7570 mutex_lock(&net->nft.commit_mutex); 7571 7572 genid_ok = genid == 0 || net->nft.base_seq == genid; 7573 if (!genid_ok) 7574 mutex_unlock(&net->nft.commit_mutex); 7575 7576 /* else, commit mutex has to be released by commit or abort function */ 7577 return genid_ok; 7578 } 7579 7580 static const struct nfnetlink_subsystem nf_tables_subsys = { 7581 .name = "nf_tables", 7582 .subsys_id = NFNL_SUBSYS_NFTABLES, 7583 .cb_count = NFT_MSG_MAX, 7584 .cb = nf_tables_cb, 7585 .commit = nf_tables_commit, 7586 .abort = nf_tables_abort, 7587 .cleanup = nf_tables_cleanup, 7588 .valid_genid = nf_tables_valid_genid, 7589 .owner = THIS_MODULE, 7590 }; 7591 7592 int nft_chain_validate_dependency(const struct nft_chain *chain, 7593 enum nft_chain_types type) 7594 { 7595 const struct nft_base_chain *basechain; 7596 7597 if (nft_is_base_chain(chain)) { 7598 basechain = nft_base_chain(chain); 7599 if (basechain->type->type != type) 7600 return -EOPNOTSUPP; 7601 } 7602 return 0; 7603 } 7604 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency); 7605 7606 int nft_chain_validate_hooks(const struct nft_chain *chain, 7607 unsigned int hook_flags) 7608 { 7609 struct nft_base_chain *basechain; 7610 7611 if (nft_is_base_chain(chain)) { 7612 basechain = nft_base_chain(chain); 7613 7614 if ((1 << basechain->ops.hooknum) & hook_flags) 7615 return 0; 7616 7617 return -EOPNOTSUPP; 7618 } 7619 7620 return 0; 7621 } 7622 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks); 7623 7624 /* 7625 * Loop detection - walk through the ruleset beginning at the destination chain 7626 * of a new jump until either the source chain is reached (loop) or all 7627 * reachable chains have been traversed. 7628 * 7629 * The loop check is performed whenever a new jump verdict is added to an 7630 * expression or verdict map or a verdict map is bound to a new chain. 7631 */ 7632 7633 static int nf_tables_check_loops(const struct nft_ctx *ctx, 7634 const struct nft_chain *chain); 7635 7636 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx, 7637 struct nft_set *set, 7638 const struct nft_set_iter *iter, 7639 struct nft_set_elem *elem) 7640 { 7641 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 7642 const struct nft_data *data; 7643 7644 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 7645 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) 7646 return 0; 7647 7648 data = nft_set_ext_data(ext); 7649 switch (data->verdict.code) { 7650 case NFT_JUMP: 7651 case NFT_GOTO: 7652 return nf_tables_check_loops(ctx, data->verdict.chain); 7653 default: 7654 return 0; 7655 } 7656 } 7657 7658 static int nf_tables_check_loops(const struct nft_ctx *ctx, 7659 const struct nft_chain *chain) 7660 { 7661 const struct nft_rule *rule; 7662 const struct nft_expr *expr, *last; 7663 struct nft_set *set; 7664 struct nft_set_binding *binding; 7665 struct nft_set_iter iter; 7666 7667 if (ctx->chain == chain) 7668 return -ELOOP; 7669 7670 list_for_each_entry(rule, &chain->rules, list) { 7671 nft_rule_for_each_expr(expr, last, rule) { 7672 struct nft_immediate_expr *priv; 7673 const struct nft_data *data; 7674 int err; 7675 7676 if (strcmp(expr->ops->type->name, "immediate")) 7677 continue; 7678 7679 priv = nft_expr_priv(expr); 7680 if (priv->dreg != NFT_REG_VERDICT) 7681 continue; 7682 7683 data = &priv->data; 7684 switch (data->verdict.code) { 7685 case NFT_JUMP: 7686 case NFT_GOTO: 7687 err = nf_tables_check_loops(ctx, 7688 data->verdict.chain); 7689 if (err < 0) 7690 return err; 7691 default: 7692 break; 7693 } 7694 } 7695 } 7696 7697 list_for_each_entry(set, &ctx->table->sets, list) { 7698 if (!nft_is_active_next(ctx->net, set)) 7699 continue; 7700 if (!(set->flags & NFT_SET_MAP) || 7701 set->dtype != NFT_DATA_VERDICT) 7702 continue; 7703 7704 list_for_each_entry(binding, &set->bindings, list) { 7705 if (!(binding->flags & NFT_SET_MAP) || 7706 binding->chain != chain) 7707 continue; 7708 7709 iter.genmask = nft_genmask_next(ctx->net); 7710 iter.skip = 0; 7711 iter.count = 0; 7712 iter.err = 0; 7713 iter.fn = nf_tables_loop_check_setelem; 7714 7715 set->ops->walk(ctx, set, &iter); 7716 if (iter.err < 0) 7717 return iter.err; 7718 } 7719 } 7720 7721 return 0; 7722 } 7723 7724 /** 7725 * nft_parse_u32_check - fetch u32 attribute and check for maximum value 7726 * 7727 * @attr: netlink attribute to fetch value from 7728 * @max: maximum value to be stored in dest 7729 * @dest: pointer to the variable 7730 * 7731 * Parse, check and store a given u32 netlink attribute into variable. 7732 * This function returns -ERANGE if the value goes over maximum value. 7733 * Otherwise a 0 is returned and the attribute value is stored in the 7734 * destination variable. 7735 */ 7736 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest) 7737 { 7738 u32 val; 7739 7740 val = ntohl(nla_get_be32(attr)); 7741 if (val > max) 7742 return -ERANGE; 7743 7744 *dest = val; 7745 return 0; 7746 } 7747 EXPORT_SYMBOL_GPL(nft_parse_u32_check); 7748 7749 /** 7750 * nft_parse_register - parse a register value from a netlink attribute 7751 * 7752 * @attr: netlink attribute 7753 * 7754 * Parse and translate a register value from a netlink attribute. 7755 * Registers used to be 128 bit wide, these register numbers will be 7756 * mapped to the corresponding 32 bit register numbers. 7757 */ 7758 unsigned int nft_parse_register(const struct nlattr *attr) 7759 { 7760 unsigned int reg; 7761 7762 reg = ntohl(nla_get_be32(attr)); 7763 switch (reg) { 7764 case NFT_REG_VERDICT...NFT_REG_4: 7765 return reg * NFT_REG_SIZE / NFT_REG32_SIZE; 7766 default: 7767 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00; 7768 } 7769 } 7770 EXPORT_SYMBOL_GPL(nft_parse_register); 7771 7772 /** 7773 * nft_dump_register - dump a register value to a netlink attribute 7774 * 7775 * @skb: socket buffer 7776 * @attr: attribute number 7777 * @reg: register number 7778 * 7779 * Construct a netlink attribute containing the register number. For 7780 * compatibility reasons, register numbers being a multiple of 4 are 7781 * translated to the corresponding 128 bit register numbers. 7782 */ 7783 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg) 7784 { 7785 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0) 7786 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE); 7787 else 7788 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00; 7789 7790 return nla_put_be32(skb, attr, htonl(reg)); 7791 } 7792 EXPORT_SYMBOL_GPL(nft_dump_register); 7793 7794 /** 7795 * nft_validate_register_load - validate a load from a register 7796 * 7797 * @reg: the register number 7798 * @len: the length of the data 7799 * 7800 * Validate that the input register is one of the general purpose 7801 * registers and that the length of the load is within the bounds. 7802 */ 7803 int nft_validate_register_load(enum nft_registers reg, unsigned int len) 7804 { 7805 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) 7806 return -EINVAL; 7807 if (len == 0) 7808 return -EINVAL; 7809 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data)) 7810 return -ERANGE; 7811 7812 return 0; 7813 } 7814 EXPORT_SYMBOL_GPL(nft_validate_register_load); 7815 7816 /** 7817 * nft_validate_register_store - validate an expressions' register store 7818 * 7819 * @ctx: context of the expression performing the load 7820 * @reg: the destination register number 7821 * @data: the data to load 7822 * @type: the data type 7823 * @len: the length of the data 7824 * 7825 * Validate that a data load uses the appropriate data type for 7826 * the destination register and the length is within the bounds. 7827 * A value of NULL for the data means that its runtime gathered 7828 * data. 7829 */ 7830 int nft_validate_register_store(const struct nft_ctx *ctx, 7831 enum nft_registers reg, 7832 const struct nft_data *data, 7833 enum nft_data_types type, unsigned int len) 7834 { 7835 int err; 7836 7837 switch (reg) { 7838 case NFT_REG_VERDICT: 7839 if (type != NFT_DATA_VERDICT) 7840 return -EINVAL; 7841 7842 if (data != NULL && 7843 (data->verdict.code == NFT_GOTO || 7844 data->verdict.code == NFT_JUMP)) { 7845 err = nf_tables_check_loops(ctx, data->verdict.chain); 7846 if (err < 0) 7847 return err; 7848 } 7849 7850 return 0; 7851 default: 7852 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE) 7853 return -EINVAL; 7854 if (len == 0) 7855 return -EINVAL; 7856 if (reg * NFT_REG32_SIZE + len > 7857 sizeof_field(struct nft_regs, data)) 7858 return -ERANGE; 7859 7860 if (data != NULL && type != NFT_DATA_VALUE) 7861 return -EINVAL; 7862 return 0; 7863 } 7864 } 7865 EXPORT_SYMBOL_GPL(nft_validate_register_store); 7866 7867 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = { 7868 [NFTA_VERDICT_CODE] = { .type = NLA_U32 }, 7869 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING, 7870 .len = NFT_CHAIN_MAXNAMELEN - 1 }, 7871 }; 7872 7873 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, 7874 struct nft_data_desc *desc, const struct nlattr *nla) 7875 { 7876 u8 genmask = nft_genmask_next(ctx->net); 7877 struct nlattr *tb[NFTA_VERDICT_MAX + 1]; 7878 struct nft_chain *chain; 7879 int err; 7880 7881 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla, 7882 nft_verdict_policy, NULL); 7883 if (err < 0) 7884 return err; 7885 7886 if (!tb[NFTA_VERDICT_CODE]) 7887 return -EINVAL; 7888 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE])); 7889 7890 switch (data->verdict.code) { 7891 default: 7892 switch (data->verdict.code & NF_VERDICT_MASK) { 7893 case NF_ACCEPT: 7894 case NF_DROP: 7895 case NF_QUEUE: 7896 break; 7897 default: 7898 return -EINVAL; 7899 } 7900 /* fall through */ 7901 case NFT_CONTINUE: 7902 case NFT_BREAK: 7903 case NFT_RETURN: 7904 break; 7905 case NFT_JUMP: 7906 case NFT_GOTO: 7907 if (!tb[NFTA_VERDICT_CHAIN]) 7908 return -EINVAL; 7909 chain = nft_chain_lookup(ctx->net, ctx->table, 7910 tb[NFTA_VERDICT_CHAIN], genmask); 7911 if (IS_ERR(chain)) 7912 return PTR_ERR(chain); 7913 if (nft_is_base_chain(chain)) 7914 return -EOPNOTSUPP; 7915 7916 chain->use++; 7917 data->verdict.chain = chain; 7918 break; 7919 } 7920 7921 desc->len = sizeof(data->verdict); 7922 desc->type = NFT_DATA_VERDICT; 7923 return 0; 7924 } 7925 7926 static void nft_verdict_uninit(const struct nft_data *data) 7927 { 7928 switch (data->verdict.code) { 7929 case NFT_JUMP: 7930 case NFT_GOTO: 7931 data->verdict.chain->use--; 7932 break; 7933 } 7934 } 7935 7936 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v) 7937 { 7938 struct nlattr *nest; 7939 7940 nest = nla_nest_start_noflag(skb, type); 7941 if (!nest) 7942 goto nla_put_failure; 7943 7944 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code))) 7945 goto nla_put_failure; 7946 7947 switch (v->code) { 7948 case NFT_JUMP: 7949 case NFT_GOTO: 7950 if (nla_put_string(skb, NFTA_VERDICT_CHAIN, 7951 v->chain->name)) 7952 goto nla_put_failure; 7953 } 7954 nla_nest_end(skb, nest); 7955 return 0; 7956 7957 nla_put_failure: 7958 return -1; 7959 } 7960 7961 static int nft_value_init(const struct nft_ctx *ctx, 7962 struct nft_data *data, unsigned int size, 7963 struct nft_data_desc *desc, const struct nlattr *nla) 7964 { 7965 unsigned int len; 7966 7967 len = nla_len(nla); 7968 if (len == 0) 7969 return -EINVAL; 7970 if (len > size) 7971 return -EOVERFLOW; 7972 7973 nla_memcpy(data->data, nla, len); 7974 desc->type = NFT_DATA_VALUE; 7975 desc->len = len; 7976 return 0; 7977 } 7978 7979 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data, 7980 unsigned int len) 7981 { 7982 return nla_put(skb, NFTA_DATA_VALUE, len, data->data); 7983 } 7984 7985 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = { 7986 [NFTA_DATA_VALUE] = { .type = NLA_BINARY }, 7987 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED }, 7988 }; 7989 7990 /** 7991 * nft_data_init - parse nf_tables data netlink attributes 7992 * 7993 * @ctx: context of the expression using the data 7994 * @data: destination struct nft_data 7995 * @size: maximum data length 7996 * @desc: data description 7997 * @nla: netlink attribute containing data 7998 * 7999 * Parse the netlink data attributes and initialize a struct nft_data. 8000 * The type and length of data are returned in the data description. 8001 * 8002 * The caller can indicate that it only wants to accept data of type 8003 * NFT_DATA_VALUE by passing NULL for the ctx argument. 8004 */ 8005 int nft_data_init(const struct nft_ctx *ctx, 8006 struct nft_data *data, unsigned int size, 8007 struct nft_data_desc *desc, const struct nlattr *nla) 8008 { 8009 struct nlattr *tb[NFTA_DATA_MAX + 1]; 8010 int err; 8011 8012 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla, 8013 nft_data_policy, NULL); 8014 if (err < 0) 8015 return err; 8016 8017 if (tb[NFTA_DATA_VALUE]) 8018 return nft_value_init(ctx, data, size, desc, 8019 tb[NFTA_DATA_VALUE]); 8020 if (tb[NFTA_DATA_VERDICT] && ctx != NULL) 8021 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]); 8022 return -EINVAL; 8023 } 8024 EXPORT_SYMBOL_GPL(nft_data_init); 8025 8026 /** 8027 * nft_data_release - release a nft_data item 8028 * 8029 * @data: struct nft_data to release 8030 * @type: type of data 8031 * 8032 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded, 8033 * all others need to be released by calling this function. 8034 */ 8035 void nft_data_release(const struct nft_data *data, enum nft_data_types type) 8036 { 8037 if (type < NFT_DATA_VERDICT) 8038 return; 8039 switch (type) { 8040 case NFT_DATA_VERDICT: 8041 return nft_verdict_uninit(data); 8042 default: 8043 WARN_ON(1); 8044 } 8045 } 8046 EXPORT_SYMBOL_GPL(nft_data_release); 8047 8048 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data, 8049 enum nft_data_types type, unsigned int len) 8050 { 8051 struct nlattr *nest; 8052 int err; 8053 8054 nest = nla_nest_start_noflag(skb, attr); 8055 if (nest == NULL) 8056 return -1; 8057 8058 switch (type) { 8059 case NFT_DATA_VALUE: 8060 err = nft_value_dump(skb, data, len); 8061 break; 8062 case NFT_DATA_VERDICT: 8063 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict); 8064 break; 8065 default: 8066 err = -EINVAL; 8067 WARN_ON(1); 8068 } 8069 8070 nla_nest_end(skb, nest); 8071 return err; 8072 } 8073 EXPORT_SYMBOL_GPL(nft_data_dump); 8074 8075 int __nft_release_basechain(struct nft_ctx *ctx) 8076 { 8077 struct nft_rule *rule, *nr; 8078 8079 if (WARN_ON(!nft_is_base_chain(ctx->chain))) 8080 return 0; 8081 8082 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain); 8083 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) { 8084 list_del(&rule->list); 8085 ctx->chain->use--; 8086 nf_tables_rule_release(ctx, rule); 8087 } 8088 nft_chain_del(ctx->chain); 8089 ctx->table->use--; 8090 nf_tables_chain_destroy(ctx); 8091 8092 return 0; 8093 } 8094 EXPORT_SYMBOL_GPL(__nft_release_basechain); 8095 8096 static void __nft_release_tables(struct net *net) 8097 { 8098 struct nft_flowtable *flowtable, *nf; 8099 struct nft_table *table, *nt; 8100 struct nft_chain *chain, *nc; 8101 struct nft_object *obj, *ne; 8102 struct nft_rule *rule, *nr; 8103 struct nft_set *set, *ns; 8104 struct nft_ctx ctx = { 8105 .net = net, 8106 .family = NFPROTO_NETDEV, 8107 }; 8108 8109 list_for_each_entry_safe(table, nt, &net->nft.tables, list) { 8110 ctx.family = table->family; 8111 8112 list_for_each_entry(chain, &table->chains, list) 8113 nf_tables_unregister_hook(net, table, chain); 8114 /* No packets are walking on these chains anymore. */ 8115 ctx.table = table; 8116 list_for_each_entry(chain, &table->chains, list) { 8117 ctx.chain = chain; 8118 list_for_each_entry_safe(rule, nr, &chain->rules, list) { 8119 list_del(&rule->list); 8120 chain->use--; 8121 nf_tables_rule_release(&ctx, rule); 8122 } 8123 } 8124 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) { 8125 list_del(&flowtable->list); 8126 table->use--; 8127 nf_tables_flowtable_destroy(flowtable); 8128 } 8129 list_for_each_entry_safe(set, ns, &table->sets, list) { 8130 list_del(&set->list); 8131 table->use--; 8132 nft_set_destroy(set); 8133 } 8134 list_for_each_entry_safe(obj, ne, &table->objects, list) { 8135 nft_obj_del(obj); 8136 table->use--; 8137 nft_obj_destroy(&ctx, obj); 8138 } 8139 list_for_each_entry_safe(chain, nc, &table->chains, list) { 8140 ctx.chain = chain; 8141 nft_chain_del(chain); 8142 table->use--; 8143 nf_tables_chain_destroy(&ctx); 8144 } 8145 list_del(&table->list); 8146 nf_tables_table_destroy(&ctx); 8147 } 8148 } 8149 8150 static int __net_init nf_tables_init_net(struct net *net) 8151 { 8152 INIT_LIST_HEAD(&net->nft.tables); 8153 INIT_LIST_HEAD(&net->nft.commit_list); 8154 INIT_LIST_HEAD(&net->nft.module_list); 8155 mutex_init(&net->nft.commit_mutex); 8156 net->nft.base_seq = 1; 8157 net->nft.validate_state = NFT_VALIDATE_SKIP; 8158 8159 return 0; 8160 } 8161 8162 static void __net_exit nf_tables_exit_net(struct net *net) 8163 { 8164 mutex_lock(&net->nft.commit_mutex); 8165 if (!list_empty(&net->nft.commit_list)) 8166 __nf_tables_abort(net, false); 8167 __nft_release_tables(net); 8168 mutex_unlock(&net->nft.commit_mutex); 8169 WARN_ON_ONCE(!list_empty(&net->nft.tables)); 8170 } 8171 8172 static struct pernet_operations nf_tables_net_ops = { 8173 .init = nf_tables_init_net, 8174 .exit = nf_tables_exit_net, 8175 }; 8176 8177 static int __init nf_tables_module_init(void) 8178 { 8179 int err; 8180 8181 spin_lock_init(&nf_tables_destroy_list_lock); 8182 err = register_pernet_subsys(&nf_tables_net_ops); 8183 if (err < 0) 8184 return err; 8185 8186 err = nft_chain_filter_init(); 8187 if (err < 0) 8188 goto err1; 8189 8190 err = nf_tables_core_module_init(); 8191 if (err < 0) 8192 goto err2; 8193 8194 err = register_netdevice_notifier(&nf_tables_flowtable_notifier); 8195 if (err < 0) 8196 goto err3; 8197 8198 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params); 8199 if (err < 0) 8200 goto err4; 8201 8202 err = nft_offload_init(); 8203 if (err < 0) 8204 goto err5; 8205 8206 /* must be last */ 8207 err = nfnetlink_subsys_register(&nf_tables_subsys); 8208 if (err < 0) 8209 goto err6; 8210 8211 nft_chain_route_init(); 8212 8213 return err; 8214 err6: 8215 nft_offload_exit(); 8216 err5: 8217 rhltable_destroy(&nft_objname_ht); 8218 err4: 8219 unregister_netdevice_notifier(&nf_tables_flowtable_notifier); 8220 err3: 8221 nf_tables_core_module_exit(); 8222 err2: 8223 nft_chain_filter_fini(); 8224 err1: 8225 unregister_pernet_subsys(&nf_tables_net_ops); 8226 return err; 8227 } 8228 8229 static void __exit nf_tables_module_exit(void) 8230 { 8231 nfnetlink_subsys_unregister(&nf_tables_subsys); 8232 nft_offload_exit(); 8233 unregister_netdevice_notifier(&nf_tables_flowtable_notifier); 8234 nft_chain_filter_fini(); 8235 nft_chain_route_fini(); 8236 unregister_pernet_subsys(&nf_tables_net_ops); 8237 cancel_work_sync(&trans_destroy_work); 8238 rcu_barrier(); 8239 rhltable_destroy(&nft_objname_ht); 8240 nf_tables_core_module_exit(); 8241 } 8242 8243 module_init(nf_tables_module_init); 8244 module_exit(nf_tables_module_exit); 8245 8246 MODULE_LICENSE("GPL"); 8247 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 8248 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES); 8249