1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 *
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
6 */
7
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_flow_table.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_tables_offload.h>
23 #include <net/net_namespace.h>
24 #include <net/sock.h>
25
26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
27
28 static LIST_HEAD(nf_tables_expressions);
29 static LIST_HEAD(nf_tables_objects);
30 static LIST_HEAD(nf_tables_flowtables);
31 static LIST_HEAD(nf_tables_destroy_list);
32 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
33 static u64 table_handle;
34
35 enum {
36 NFT_VALIDATE_SKIP = 0,
37 NFT_VALIDATE_NEED,
38 NFT_VALIDATE_DO,
39 };
40
41 static struct rhltable nft_objname_ht;
42
43 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
44 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
45 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
46
47 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
48 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
49 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
50
51 static const struct rhashtable_params nft_chain_ht_params = {
52 .head_offset = offsetof(struct nft_chain, rhlhead),
53 .key_offset = offsetof(struct nft_chain, name),
54 .hashfn = nft_chain_hash,
55 .obj_hashfn = nft_chain_hash_obj,
56 .obj_cmpfn = nft_chain_hash_cmp,
57 .automatic_shrinking = true,
58 };
59
60 static const struct rhashtable_params nft_objname_ht_params = {
61 .head_offset = offsetof(struct nft_object, rhlhead),
62 .key_offset = offsetof(struct nft_object, key),
63 .hashfn = nft_objname_hash,
64 .obj_hashfn = nft_objname_hash_obj,
65 .obj_cmpfn = nft_objname_hash_cmp,
66 .automatic_shrinking = true,
67 };
68
nft_validate_state_update(struct net * net,u8 new_validate_state)69 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
70 {
71 switch (net->nft.validate_state) {
72 case NFT_VALIDATE_SKIP:
73 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
74 break;
75 case NFT_VALIDATE_NEED:
76 break;
77 case NFT_VALIDATE_DO:
78 if (new_validate_state == NFT_VALIDATE_NEED)
79 return;
80 }
81
82 net->nft.validate_state = new_validate_state;
83 }
84 static void nf_tables_trans_destroy_work(struct work_struct *w);
85 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
86
nft_ctx_init(struct nft_ctx * ctx,struct net * net,const struct sk_buff * skb,const struct nlmsghdr * nlh,u8 family,struct nft_table * table,struct nft_chain * chain,const struct nlattr * const * nla)87 static void nft_ctx_init(struct nft_ctx *ctx,
88 struct net *net,
89 const struct sk_buff *skb,
90 const struct nlmsghdr *nlh,
91 u8 family,
92 struct nft_table *table,
93 struct nft_chain *chain,
94 const struct nlattr * const *nla)
95 {
96 ctx->net = net;
97 ctx->family = family;
98 ctx->level = 0;
99 ctx->table = table;
100 ctx->chain = chain;
101 ctx->nla = nla;
102 ctx->portid = NETLINK_CB(skb).portid;
103 ctx->report = nlmsg_report(nlh);
104 ctx->flags = nlh->nlmsg_flags;
105 ctx->seq = nlh->nlmsg_seq;
106 }
107
nft_trans_alloc_gfp(const struct nft_ctx * ctx,int msg_type,u32 size,gfp_t gfp)108 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
109 int msg_type, u32 size, gfp_t gfp)
110 {
111 struct nft_trans *trans;
112
113 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
114 if (trans == NULL)
115 return NULL;
116
117 trans->msg_type = msg_type;
118 trans->ctx = *ctx;
119
120 return trans;
121 }
122
nft_trans_alloc(const struct nft_ctx * ctx,int msg_type,u32 size)123 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
124 int msg_type, u32 size)
125 {
126 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
127 }
128
nft_trans_destroy(struct nft_trans * trans)129 static void nft_trans_destroy(struct nft_trans *trans)
130 {
131 list_del(&trans->list);
132 kfree(trans);
133 }
134
nft_set_trans_bind(const struct nft_ctx * ctx,struct nft_set * set)135 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
136 {
137 struct net *net = ctx->net;
138 struct nft_trans *trans;
139
140 if (!nft_set_is_anonymous(set))
141 return;
142
143 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
144 switch (trans->msg_type) {
145 case NFT_MSG_NEWSET:
146 if (nft_trans_set(trans) == set)
147 nft_trans_set_bound(trans) = true;
148 break;
149 case NFT_MSG_NEWSETELEM:
150 if (nft_trans_elem_set(trans) == set)
151 nft_trans_elem_set_bound(trans) = true;
152 break;
153 }
154 }
155 }
156
nft_netdev_register_hooks(struct net * net,struct list_head * hook_list)157 static int nft_netdev_register_hooks(struct net *net,
158 struct list_head *hook_list)
159 {
160 struct nft_hook *hook;
161 int err, j;
162
163 j = 0;
164 list_for_each_entry(hook, hook_list, list) {
165 err = nf_register_net_hook(net, &hook->ops);
166 if (err < 0)
167 goto err_register;
168
169 j++;
170 }
171 return 0;
172
173 err_register:
174 list_for_each_entry(hook, hook_list, list) {
175 if (j-- <= 0)
176 break;
177
178 nf_unregister_net_hook(net, &hook->ops);
179 }
180 return err;
181 }
182
nft_netdev_unregister_hooks(struct net * net,struct list_head * hook_list)183 static void nft_netdev_unregister_hooks(struct net *net,
184 struct list_head *hook_list)
185 {
186 struct nft_hook *hook;
187
188 list_for_each_entry(hook, hook_list, list)
189 nf_unregister_net_hook(net, &hook->ops);
190 }
191
nf_tables_register_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain)192 static int nf_tables_register_hook(struct net *net,
193 const struct nft_table *table,
194 struct nft_chain *chain)
195 {
196 struct nft_base_chain *basechain;
197 const struct nf_hook_ops *ops;
198
199 if (table->flags & NFT_TABLE_F_DORMANT ||
200 !nft_is_base_chain(chain))
201 return 0;
202
203 basechain = nft_base_chain(chain);
204 ops = &basechain->ops;
205
206 if (basechain->type->ops_register)
207 return basechain->type->ops_register(net, ops);
208
209 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
210 return nft_netdev_register_hooks(net, &basechain->hook_list);
211
212 return nf_register_net_hook(net, &basechain->ops);
213 }
214
nf_tables_unregister_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain)215 static void nf_tables_unregister_hook(struct net *net,
216 const struct nft_table *table,
217 struct nft_chain *chain)
218 {
219 struct nft_base_chain *basechain;
220 const struct nf_hook_ops *ops;
221
222 if (table->flags & NFT_TABLE_F_DORMANT ||
223 !nft_is_base_chain(chain))
224 return;
225 basechain = nft_base_chain(chain);
226 ops = &basechain->ops;
227
228 if (basechain->type->ops_unregister)
229 return basechain->type->ops_unregister(net, ops);
230
231 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
232 nft_netdev_unregister_hooks(net, &basechain->hook_list);
233 else
234 nf_unregister_net_hook(net, &basechain->ops);
235 }
236
nft_trans_table_add(struct nft_ctx * ctx,int msg_type)237 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
238 {
239 struct nft_trans *trans;
240
241 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
242 if (trans == NULL)
243 return -ENOMEM;
244
245 if (msg_type == NFT_MSG_NEWTABLE)
246 nft_activate_next(ctx->net, ctx->table);
247
248 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
249 return 0;
250 }
251
nft_deltable(struct nft_ctx * ctx)252 static int nft_deltable(struct nft_ctx *ctx)
253 {
254 int err;
255
256 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
257 if (err < 0)
258 return err;
259
260 nft_deactivate_next(ctx->net, ctx->table);
261 return err;
262 }
263
nft_trans_chain_add(struct nft_ctx * ctx,int msg_type)264 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
265 {
266 struct nft_trans *trans;
267
268 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
269 if (trans == NULL)
270 return ERR_PTR(-ENOMEM);
271
272 if (msg_type == NFT_MSG_NEWCHAIN) {
273 nft_activate_next(ctx->net, ctx->chain);
274
275 if (ctx->nla[NFTA_CHAIN_ID]) {
276 nft_trans_chain_id(trans) =
277 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
278 }
279 }
280
281 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
282 return trans;
283 }
284
nft_delchain(struct nft_ctx * ctx)285 static int nft_delchain(struct nft_ctx *ctx)
286 {
287 struct nft_trans *trans;
288
289 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
290 if (IS_ERR(trans))
291 return PTR_ERR(trans);
292
293 ctx->table->use--;
294 nft_deactivate_next(ctx->net, ctx->chain);
295
296 return 0;
297 }
298
nft_rule_expr_activate(const struct nft_ctx * ctx,struct nft_rule * rule)299 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
300 struct nft_rule *rule)
301 {
302 struct nft_expr *expr;
303
304 expr = nft_expr_first(rule);
305 while (nft_expr_more(rule, expr)) {
306 if (expr->ops->activate)
307 expr->ops->activate(ctx, expr);
308
309 expr = nft_expr_next(expr);
310 }
311 }
312
nft_rule_expr_deactivate(const struct nft_ctx * ctx,struct nft_rule * rule,enum nft_trans_phase phase)313 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
314 struct nft_rule *rule,
315 enum nft_trans_phase phase)
316 {
317 struct nft_expr *expr;
318
319 expr = nft_expr_first(rule);
320 while (nft_expr_more(rule, expr)) {
321 if (expr->ops->deactivate)
322 expr->ops->deactivate(ctx, expr, phase);
323
324 expr = nft_expr_next(expr);
325 }
326 }
327
328 static int
nf_tables_delrule_deactivate(struct nft_ctx * ctx,struct nft_rule * rule)329 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
330 {
331 /* You cannot delete the same rule twice */
332 if (nft_is_active_next(ctx->net, rule)) {
333 nft_deactivate_next(ctx->net, rule);
334 ctx->chain->use--;
335 return 0;
336 }
337 return -ENOENT;
338 }
339
nft_trans_rule_add(struct nft_ctx * ctx,int msg_type,struct nft_rule * rule)340 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
341 struct nft_rule *rule)
342 {
343 struct nft_trans *trans;
344
345 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
346 if (trans == NULL)
347 return NULL;
348
349 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
350 nft_trans_rule_id(trans) =
351 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
352 }
353 nft_trans_rule(trans) = rule;
354 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
355
356 return trans;
357 }
358
nft_delrule(struct nft_ctx * ctx,struct nft_rule * rule)359 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
360 {
361 struct nft_flow_rule *flow;
362 struct nft_trans *trans;
363 int err;
364
365 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
366 if (trans == NULL)
367 return -ENOMEM;
368
369 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
370 flow = nft_flow_rule_create(ctx->net, rule);
371 if (IS_ERR(flow)) {
372 nft_trans_destroy(trans);
373 return PTR_ERR(flow);
374 }
375
376 nft_trans_flow_rule(trans) = flow;
377 }
378
379 err = nf_tables_delrule_deactivate(ctx, rule);
380 if (err < 0) {
381 nft_trans_destroy(trans);
382 return err;
383 }
384 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
385
386 return 0;
387 }
388
nft_delrule_by_chain(struct nft_ctx * ctx)389 static int nft_delrule_by_chain(struct nft_ctx *ctx)
390 {
391 struct nft_rule *rule;
392 int err;
393
394 list_for_each_entry(rule, &ctx->chain->rules, list) {
395 if (!nft_is_active_next(ctx->net, rule))
396 continue;
397
398 err = nft_delrule(ctx, rule);
399 if (err < 0)
400 return err;
401 }
402 return 0;
403 }
404
nft_trans_set_add(const struct nft_ctx * ctx,int msg_type,struct nft_set * set)405 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
406 struct nft_set *set)
407 {
408 struct nft_trans *trans;
409
410 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
411 if (trans == NULL)
412 return -ENOMEM;
413
414 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
415 nft_trans_set_id(trans) =
416 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
417 nft_activate_next(ctx->net, set);
418 }
419 nft_trans_set(trans) = set;
420 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
421
422 return 0;
423 }
424
nft_delset(const struct nft_ctx * ctx,struct nft_set * set)425 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
426 {
427 int err;
428
429 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
430 if (err < 0)
431 return err;
432
433 nft_deactivate_next(ctx->net, set);
434 ctx->table->use--;
435
436 return err;
437 }
438
nft_trans_obj_add(struct nft_ctx * ctx,int msg_type,struct nft_object * obj)439 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
440 struct nft_object *obj)
441 {
442 struct nft_trans *trans;
443
444 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
445 if (trans == NULL)
446 return -ENOMEM;
447
448 if (msg_type == NFT_MSG_NEWOBJ)
449 nft_activate_next(ctx->net, obj);
450
451 nft_trans_obj(trans) = obj;
452 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
453
454 return 0;
455 }
456
nft_delobj(struct nft_ctx * ctx,struct nft_object * obj)457 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
458 {
459 int err;
460
461 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
462 if (err < 0)
463 return err;
464
465 nft_deactivate_next(ctx->net, obj);
466 ctx->table->use--;
467
468 return err;
469 }
470
nft_trans_flowtable_add(struct nft_ctx * ctx,int msg_type,struct nft_flowtable * flowtable)471 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
472 struct nft_flowtable *flowtable)
473 {
474 struct nft_trans *trans;
475
476 trans = nft_trans_alloc(ctx, msg_type,
477 sizeof(struct nft_trans_flowtable));
478 if (trans == NULL)
479 return -ENOMEM;
480
481 if (msg_type == NFT_MSG_NEWFLOWTABLE)
482 nft_activate_next(ctx->net, flowtable);
483
484 nft_trans_flowtable(trans) = flowtable;
485 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
486
487 return 0;
488 }
489
nft_delflowtable(struct nft_ctx * ctx,struct nft_flowtable * flowtable)490 static int nft_delflowtable(struct nft_ctx *ctx,
491 struct nft_flowtable *flowtable)
492 {
493 int err;
494
495 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
496 if (err < 0)
497 return err;
498
499 nft_deactivate_next(ctx->net, flowtable);
500 ctx->table->use--;
501
502 return err;
503 }
504
505 /*
506 * Tables
507 */
508
nft_table_lookup(const struct net * net,const struct nlattr * nla,u8 family,u8 genmask)509 static struct nft_table *nft_table_lookup(const struct net *net,
510 const struct nlattr *nla,
511 u8 family, u8 genmask)
512 {
513 struct nft_table *table;
514
515 if (nla == NULL)
516 return ERR_PTR(-EINVAL);
517
518 list_for_each_entry_rcu(table, &net->nft.tables, list,
519 lockdep_is_held(&net->nft.commit_mutex)) {
520 if (!nla_strcmp(nla, table->name) &&
521 table->family == family &&
522 nft_active_genmask(table, genmask))
523 return table;
524 }
525
526 return ERR_PTR(-ENOENT);
527 }
528
nft_table_lookup_byhandle(const struct net * net,const struct nlattr * nla,u8 genmask)529 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
530 const struct nlattr *nla,
531 u8 genmask)
532 {
533 struct nft_table *table;
534
535 list_for_each_entry(table, &net->nft.tables, list) {
536 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
537 nft_active_genmask(table, genmask))
538 return table;
539 }
540
541 return ERR_PTR(-ENOENT);
542 }
543
nf_tables_alloc_handle(struct nft_table * table)544 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
545 {
546 return ++table->hgenerator;
547 }
548
549 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
550
551 static const struct nft_chain_type *
__nft_chain_type_get(u8 family,enum nft_chain_types type)552 __nft_chain_type_get(u8 family, enum nft_chain_types type)
553 {
554 if (family >= NFPROTO_NUMPROTO ||
555 type >= NFT_CHAIN_T_MAX)
556 return NULL;
557
558 return chain_type[family][type];
559 }
560
561 static const struct nft_chain_type *
__nf_tables_chain_type_lookup(const struct nlattr * nla,u8 family)562 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
563 {
564 const struct nft_chain_type *type;
565 int i;
566
567 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
568 type = __nft_chain_type_get(family, i);
569 if (!type)
570 continue;
571 if (!nla_strcmp(nla, type->name))
572 return type;
573 }
574 return NULL;
575 }
576
577 struct nft_module_request {
578 struct list_head list;
579 char module[MODULE_NAME_LEN];
580 bool done;
581 };
582
583 #ifdef CONFIG_MODULES
nft_request_module(struct net * net,const char * fmt,...)584 static int nft_request_module(struct net *net, const char *fmt, ...)
585 {
586 char module_name[MODULE_NAME_LEN];
587 struct nft_module_request *req;
588 va_list args;
589 int ret;
590
591 va_start(args, fmt);
592 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
593 va_end(args);
594 if (ret >= MODULE_NAME_LEN)
595 return 0;
596
597 list_for_each_entry(req, &net->nft.module_list, list) {
598 if (!strcmp(req->module, module_name)) {
599 if (req->done)
600 return 0;
601
602 /* A request to load this module already exists. */
603 return -EAGAIN;
604 }
605 }
606
607 req = kmalloc(sizeof(*req), GFP_KERNEL);
608 if (!req)
609 return -ENOMEM;
610
611 req->done = false;
612 strlcpy(req->module, module_name, MODULE_NAME_LEN);
613 list_add_tail(&req->list, &net->nft.module_list);
614
615 return -EAGAIN;
616 }
617 #endif
618
lockdep_nfnl_nft_mutex_not_held(void)619 static void lockdep_nfnl_nft_mutex_not_held(void)
620 {
621 #ifdef CONFIG_PROVE_LOCKING
622 if (debug_locks)
623 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
624 #endif
625 }
626
627 static const struct nft_chain_type *
nf_tables_chain_type_lookup(struct net * net,const struct nlattr * nla,u8 family,bool autoload)628 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
629 u8 family, bool autoload)
630 {
631 const struct nft_chain_type *type;
632
633 type = __nf_tables_chain_type_lookup(nla, family);
634 if (type != NULL)
635 return type;
636
637 lockdep_nfnl_nft_mutex_not_held();
638 #ifdef CONFIG_MODULES
639 if (autoload) {
640 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
641 nla_len(nla),
642 (const char *)nla_data(nla)) == -EAGAIN)
643 return ERR_PTR(-EAGAIN);
644 }
645 #endif
646 return ERR_PTR(-ENOENT);
647 }
648
649 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
650 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
651 .len = NFT_TABLE_MAXNAMELEN - 1 },
652 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
653 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
654 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
655 .len = NFT_USERDATA_MAXLEN }
656 };
657
nf_tables_fill_table_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table)658 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
659 u32 portid, u32 seq, int event, u32 flags,
660 int family, const struct nft_table *table)
661 {
662 struct nlmsghdr *nlh;
663 struct nfgenmsg *nfmsg;
664
665 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
666 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
667 if (nlh == NULL)
668 goto nla_put_failure;
669
670 nfmsg = nlmsg_data(nlh);
671 nfmsg->nfgen_family = family;
672 nfmsg->version = NFNETLINK_V0;
673 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
674
675 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
676 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
677 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
678 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
679 NFTA_TABLE_PAD))
680 goto nla_put_failure;
681
682 if (table->udata) {
683 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
684 goto nla_put_failure;
685 }
686
687 nlmsg_end(skb, nlh);
688 return 0;
689
690 nla_put_failure:
691 nlmsg_trim(skb, nlh);
692 return -1;
693 }
694
695 struct nftnl_skb_parms {
696 bool report;
697 };
698 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
699
nft_notify_enqueue(struct sk_buff * skb,bool report,struct list_head * notify_list)700 static void nft_notify_enqueue(struct sk_buff *skb, bool report,
701 struct list_head *notify_list)
702 {
703 NFT_CB(skb).report = report;
704 list_add_tail(&skb->list, notify_list);
705 }
706
nf_tables_table_notify(const struct nft_ctx * ctx,int event)707 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
708 {
709 struct sk_buff *skb;
710 int err;
711 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;?:0",
712 ctx->table->name, ctx->table->handle);
713
714 audit_log_nfcfg(buf,
715 ctx->family,
716 ctx->table->use,
717 event == NFT_MSG_NEWTABLE ?
718 AUDIT_NFT_OP_TABLE_REGISTER :
719 AUDIT_NFT_OP_TABLE_UNREGISTER,
720 GFP_KERNEL);
721 kfree(buf);
722
723 if (!ctx->report &&
724 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
725 return;
726
727 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
728 if (skb == NULL)
729 goto err;
730
731 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
732 event, 0, ctx->family, ctx->table);
733 if (err < 0) {
734 kfree_skb(skb);
735 goto err;
736 }
737
738 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
739 return;
740 err:
741 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
742 }
743
nf_tables_dump_tables(struct sk_buff * skb,struct netlink_callback * cb)744 static int nf_tables_dump_tables(struct sk_buff *skb,
745 struct netlink_callback *cb)
746 {
747 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
748 const struct nft_table *table;
749 unsigned int idx = 0, s_idx = cb->args[0];
750 struct net *net = sock_net(skb->sk);
751 int family = nfmsg->nfgen_family;
752
753 rcu_read_lock();
754 cb->seq = net->nft.base_seq;
755
756 list_for_each_entry_rcu(table, &net->nft.tables, list) {
757 if (family != NFPROTO_UNSPEC && family != table->family)
758 continue;
759
760 if (idx < s_idx)
761 goto cont;
762 if (idx > s_idx)
763 memset(&cb->args[1], 0,
764 sizeof(cb->args) - sizeof(cb->args[0]));
765 if (!nft_is_active(net, table))
766 continue;
767 if (nf_tables_fill_table_info(skb, net,
768 NETLINK_CB(cb->skb).portid,
769 cb->nlh->nlmsg_seq,
770 NFT_MSG_NEWTABLE, NLM_F_MULTI,
771 table->family, table) < 0)
772 goto done;
773
774 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
775 cont:
776 idx++;
777 }
778 done:
779 rcu_read_unlock();
780 cb->args[0] = idx;
781 return skb->len;
782 }
783
nft_netlink_dump_start_rcu(struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,struct netlink_dump_control * c)784 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
785 const struct nlmsghdr *nlh,
786 struct netlink_dump_control *c)
787 {
788 int err;
789
790 if (!try_module_get(THIS_MODULE))
791 return -EINVAL;
792
793 rcu_read_unlock();
794 err = netlink_dump_start(nlsk, skb, nlh, c);
795 rcu_read_lock();
796 module_put(THIS_MODULE);
797
798 return err;
799 }
800
801 /* called with rcu_read_lock held */
nf_tables_gettable(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)802 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
803 struct sk_buff *skb, const struct nlmsghdr *nlh,
804 const struct nlattr * const nla[],
805 struct netlink_ext_ack *extack)
806 {
807 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
808 u8 genmask = nft_genmask_cur(net);
809 const struct nft_table *table;
810 struct sk_buff *skb2;
811 int family = nfmsg->nfgen_family;
812 int err;
813
814 if (nlh->nlmsg_flags & NLM_F_DUMP) {
815 struct netlink_dump_control c = {
816 .dump = nf_tables_dump_tables,
817 .module = THIS_MODULE,
818 };
819
820 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
821 }
822
823 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
824 if (IS_ERR(table)) {
825 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
826 return PTR_ERR(table);
827 }
828
829 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
830 if (!skb2)
831 return -ENOMEM;
832
833 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
834 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
835 family, table);
836 if (err < 0)
837 goto err_fill_table_info;
838
839 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
840
841 err_fill_table_info:
842 kfree_skb(skb2);
843 return err;
844 }
845
nft_table_disable(struct net * net,struct nft_table * table,u32 cnt)846 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
847 {
848 struct nft_chain *chain;
849 u32 i = 0;
850
851 list_for_each_entry(chain, &table->chains, list) {
852 if (!nft_is_active_next(net, chain))
853 continue;
854 if (!nft_is_base_chain(chain))
855 continue;
856
857 if (cnt && i++ == cnt)
858 break;
859
860 nf_tables_unregister_hook(net, table, chain);
861 }
862 }
863
nf_tables_table_enable(struct net * net,struct nft_table * table)864 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
865 {
866 struct nft_chain *chain;
867 int err, i = 0;
868
869 list_for_each_entry(chain, &table->chains, list) {
870 if (!nft_is_active_next(net, chain))
871 continue;
872 if (!nft_is_base_chain(chain))
873 continue;
874
875 err = nf_tables_register_hook(net, table, chain);
876 if (err < 0)
877 goto err_register_hooks;
878
879 i++;
880 }
881 return 0;
882
883 err_register_hooks:
884 if (i)
885 nft_table_disable(net, table, i);
886 return err;
887 }
888
nf_tables_table_disable(struct net * net,struct nft_table * table)889 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
890 {
891 nft_table_disable(net, table, 0);
892 }
893
nf_tables_updtable(struct nft_ctx * ctx)894 static int nf_tables_updtable(struct nft_ctx *ctx)
895 {
896 struct nft_trans *trans;
897 u32 flags;
898 int ret = 0;
899
900 if (!ctx->nla[NFTA_TABLE_FLAGS])
901 return 0;
902
903 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
904 if (flags & ~NFT_TABLE_F_DORMANT)
905 return -EINVAL;
906
907 if (flags == ctx->table->flags)
908 return 0;
909
910 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
911 sizeof(struct nft_trans_table));
912 if (trans == NULL)
913 return -ENOMEM;
914
915 if ((flags & NFT_TABLE_F_DORMANT) &&
916 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
917 nft_trans_table_enable(trans) = false;
918 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
919 ctx->table->flags & NFT_TABLE_F_DORMANT) {
920 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
921 ret = nf_tables_table_enable(ctx->net, ctx->table);
922 if (ret >= 0)
923 nft_trans_table_enable(trans) = true;
924 else
925 ctx->table->flags |= NFT_TABLE_F_DORMANT;
926 }
927 if (ret < 0)
928 goto err;
929
930 nft_trans_table_update(trans) = true;
931 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
932 return 0;
933 err:
934 nft_trans_destroy(trans);
935 return ret;
936 }
937
nft_chain_hash(const void * data,u32 len,u32 seed)938 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
939 {
940 const char *name = data;
941
942 return jhash(name, strlen(name), seed);
943 }
944
nft_chain_hash_obj(const void * data,u32 len,u32 seed)945 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
946 {
947 const struct nft_chain *chain = data;
948
949 return nft_chain_hash(chain->name, 0, seed);
950 }
951
nft_chain_hash_cmp(struct rhashtable_compare_arg * arg,const void * ptr)952 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
953 const void *ptr)
954 {
955 const struct nft_chain *chain = ptr;
956 const char *name = arg->key;
957
958 return strcmp(chain->name, name);
959 }
960
nft_objname_hash(const void * data,u32 len,u32 seed)961 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
962 {
963 const struct nft_object_hash_key *k = data;
964
965 seed ^= hash_ptr(k->table, 32);
966
967 return jhash(k->name, strlen(k->name), seed);
968 }
969
nft_objname_hash_obj(const void * data,u32 len,u32 seed)970 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
971 {
972 const struct nft_object *obj = data;
973
974 return nft_objname_hash(&obj->key, 0, seed);
975 }
976
nft_objname_hash_cmp(struct rhashtable_compare_arg * arg,const void * ptr)977 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
978 const void *ptr)
979 {
980 const struct nft_object_hash_key *k = arg->key;
981 const struct nft_object *obj = ptr;
982
983 if (obj->key.table != k->table)
984 return -1;
985
986 return strcmp(obj->key.name, k->name);
987 }
988
nf_tables_newtable(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)989 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
990 struct sk_buff *skb, const struct nlmsghdr *nlh,
991 const struct nlattr * const nla[],
992 struct netlink_ext_ack *extack)
993 {
994 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
995 u8 genmask = nft_genmask_next(net);
996 int family = nfmsg->nfgen_family;
997 const struct nlattr *attr;
998 struct nft_table *table;
999 struct nft_ctx ctx;
1000 u32 flags = 0;
1001 int err;
1002
1003 lockdep_assert_held(&net->nft.commit_mutex);
1004 attr = nla[NFTA_TABLE_NAME];
1005 table = nft_table_lookup(net, attr, family, genmask);
1006 if (IS_ERR(table)) {
1007 if (PTR_ERR(table) != -ENOENT)
1008 return PTR_ERR(table);
1009 } else {
1010 if (nlh->nlmsg_flags & NLM_F_EXCL) {
1011 NL_SET_BAD_ATTR(extack, attr);
1012 return -EEXIST;
1013 }
1014 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1015 return -EOPNOTSUPP;
1016
1017 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
1018 return nf_tables_updtable(&ctx);
1019 }
1020
1021 if (nla[NFTA_TABLE_FLAGS]) {
1022 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1023 if (flags & ~NFT_TABLE_F_DORMANT)
1024 return -EINVAL;
1025 }
1026
1027 err = -ENOMEM;
1028 table = kzalloc(sizeof(*table), GFP_KERNEL);
1029 if (table == NULL)
1030 goto err_kzalloc;
1031
1032 table->name = nla_strdup(attr, GFP_KERNEL);
1033 if (table->name == NULL)
1034 goto err_strdup;
1035
1036 if (nla[NFTA_TABLE_USERDATA]) {
1037 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL);
1038 if (table->udata == NULL)
1039 goto err_table_udata;
1040
1041 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
1042 }
1043
1044 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1045 if (err)
1046 goto err_chain_ht;
1047
1048 INIT_LIST_HEAD(&table->chains);
1049 INIT_LIST_HEAD(&table->sets);
1050 INIT_LIST_HEAD(&table->objects);
1051 INIT_LIST_HEAD(&table->flowtables);
1052 table->family = family;
1053 table->flags = flags;
1054 table->handle = ++table_handle;
1055
1056 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
1057 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1058 if (err < 0)
1059 goto err_trans;
1060
1061 list_add_tail_rcu(&table->list, &net->nft.tables);
1062 return 0;
1063 err_trans:
1064 rhltable_destroy(&table->chains_ht);
1065 err_chain_ht:
1066 kfree(table->udata);
1067 err_table_udata:
1068 kfree(table->name);
1069 err_strdup:
1070 kfree(table);
1071 err_kzalloc:
1072 return err;
1073 }
1074
nft_flush_table(struct nft_ctx * ctx)1075 static int nft_flush_table(struct nft_ctx *ctx)
1076 {
1077 struct nft_flowtable *flowtable, *nft;
1078 struct nft_chain *chain, *nc;
1079 struct nft_object *obj, *ne;
1080 struct nft_set *set, *ns;
1081 int err;
1082
1083 list_for_each_entry(chain, &ctx->table->chains, list) {
1084 if (!nft_is_active_next(ctx->net, chain))
1085 continue;
1086
1087 if (nft_chain_is_bound(chain))
1088 continue;
1089
1090 ctx->chain = chain;
1091
1092 err = nft_delrule_by_chain(ctx);
1093 if (err < 0)
1094 goto out;
1095 }
1096
1097 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1098 if (!nft_is_active_next(ctx->net, set))
1099 continue;
1100
1101 if (nft_set_is_anonymous(set) &&
1102 !list_empty(&set->bindings))
1103 continue;
1104
1105 err = nft_delset(ctx, set);
1106 if (err < 0)
1107 goto out;
1108 }
1109
1110 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1111 if (!nft_is_active_next(ctx->net, flowtable))
1112 continue;
1113
1114 err = nft_delflowtable(ctx, flowtable);
1115 if (err < 0)
1116 goto out;
1117 }
1118
1119 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1120 if (!nft_is_active_next(ctx->net, obj))
1121 continue;
1122
1123 err = nft_delobj(ctx, obj);
1124 if (err < 0)
1125 goto out;
1126 }
1127
1128 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1129 if (!nft_is_active_next(ctx->net, chain))
1130 continue;
1131
1132 if (nft_chain_is_bound(chain))
1133 continue;
1134
1135 ctx->chain = chain;
1136
1137 err = nft_delchain(ctx);
1138 if (err < 0)
1139 goto out;
1140 }
1141
1142 err = nft_deltable(ctx);
1143 out:
1144 return err;
1145 }
1146
nft_flush(struct nft_ctx * ctx,int family)1147 static int nft_flush(struct nft_ctx *ctx, int family)
1148 {
1149 struct nft_table *table, *nt;
1150 const struct nlattr * const *nla = ctx->nla;
1151 int err = 0;
1152
1153 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1154 if (family != AF_UNSPEC && table->family != family)
1155 continue;
1156
1157 ctx->family = table->family;
1158
1159 if (!nft_is_active_next(ctx->net, table))
1160 continue;
1161
1162 if (nla[NFTA_TABLE_NAME] &&
1163 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1164 continue;
1165
1166 ctx->table = table;
1167
1168 err = nft_flush_table(ctx);
1169 if (err < 0)
1170 goto out;
1171 }
1172 out:
1173 return err;
1174 }
1175
nf_tables_deltable(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)1176 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1177 struct sk_buff *skb, const struct nlmsghdr *nlh,
1178 const struct nlattr * const nla[],
1179 struct netlink_ext_ack *extack)
1180 {
1181 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1182 u8 genmask = nft_genmask_next(net);
1183 int family = nfmsg->nfgen_family;
1184 const struct nlattr *attr;
1185 struct nft_table *table;
1186 struct nft_ctx ctx;
1187
1188 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1189 if (family == AF_UNSPEC ||
1190 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1191 return nft_flush(&ctx, family);
1192
1193 if (nla[NFTA_TABLE_HANDLE]) {
1194 attr = nla[NFTA_TABLE_HANDLE];
1195 table = nft_table_lookup_byhandle(net, attr, genmask);
1196 } else {
1197 attr = nla[NFTA_TABLE_NAME];
1198 table = nft_table_lookup(net, attr, family, genmask);
1199 }
1200
1201 if (IS_ERR(table)) {
1202 NL_SET_BAD_ATTR(extack, attr);
1203 return PTR_ERR(table);
1204 }
1205
1206 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1207 table->use > 0)
1208 return -EBUSY;
1209
1210 ctx.family = family;
1211 ctx.table = table;
1212
1213 return nft_flush_table(&ctx);
1214 }
1215
nf_tables_table_destroy(struct nft_ctx * ctx)1216 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1217 {
1218 if (WARN_ON(ctx->table->use > 0))
1219 return;
1220
1221 rhltable_destroy(&ctx->table->chains_ht);
1222 kfree(ctx->table->name);
1223 kfree(ctx->table->udata);
1224 kfree(ctx->table);
1225 }
1226
nft_register_chain_type(const struct nft_chain_type * ctype)1227 void nft_register_chain_type(const struct nft_chain_type *ctype)
1228 {
1229 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1230 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1231 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1232 return;
1233 }
1234 chain_type[ctype->family][ctype->type] = ctype;
1235 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1236 }
1237 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1238
nft_unregister_chain_type(const struct nft_chain_type * ctype)1239 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1240 {
1241 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1242 chain_type[ctype->family][ctype->type] = NULL;
1243 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1244 }
1245 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1246
1247 /*
1248 * Chains
1249 */
1250
1251 static struct nft_chain *
nft_chain_lookup_byhandle(const struct nft_table * table,u64 handle,u8 genmask)1252 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1253 {
1254 struct nft_chain *chain;
1255
1256 list_for_each_entry(chain, &table->chains, list) {
1257 if (chain->handle == handle &&
1258 nft_active_genmask(chain, genmask))
1259 return chain;
1260 }
1261
1262 return ERR_PTR(-ENOENT);
1263 }
1264
lockdep_commit_lock_is_held(const struct net * net)1265 static bool lockdep_commit_lock_is_held(const struct net *net)
1266 {
1267 #ifdef CONFIG_PROVE_LOCKING
1268 return lockdep_is_held(&net->nft.commit_mutex);
1269 #else
1270 return true;
1271 #endif
1272 }
1273
nft_chain_lookup(struct net * net,struct nft_table * table,const struct nlattr * nla,u8 genmask)1274 static struct nft_chain *nft_chain_lookup(struct net *net,
1275 struct nft_table *table,
1276 const struct nlattr *nla, u8 genmask)
1277 {
1278 char search[NFT_CHAIN_MAXNAMELEN + 1];
1279 struct rhlist_head *tmp, *list;
1280 struct nft_chain *chain;
1281
1282 if (nla == NULL)
1283 return ERR_PTR(-EINVAL);
1284
1285 nla_strlcpy(search, nla, sizeof(search));
1286
1287 WARN_ON(!rcu_read_lock_held() &&
1288 !lockdep_commit_lock_is_held(net));
1289
1290 chain = ERR_PTR(-ENOENT);
1291 rcu_read_lock();
1292 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1293 if (!list)
1294 goto out_unlock;
1295
1296 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1297 if (nft_active_genmask(chain, genmask))
1298 goto out_unlock;
1299 }
1300 chain = ERR_PTR(-ENOENT);
1301 out_unlock:
1302 rcu_read_unlock();
1303 return chain;
1304 }
1305
1306 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1307 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1308 .len = NFT_TABLE_MAXNAMELEN - 1 },
1309 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1310 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1311 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1312 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1313 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1314 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1315 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1316 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1317 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1318 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1319 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
1320 .len = NFT_USERDATA_MAXLEN },
1321 };
1322
1323 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1324 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1325 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1326 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1327 .len = IFNAMSIZ - 1 },
1328 };
1329
nft_dump_stats(struct sk_buff * skb,struct nft_stats __percpu * stats)1330 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1331 {
1332 struct nft_stats *cpu_stats, total;
1333 struct nlattr *nest;
1334 unsigned int seq;
1335 u64 pkts, bytes;
1336 int cpu;
1337
1338 if (!stats)
1339 return 0;
1340
1341 memset(&total, 0, sizeof(total));
1342 for_each_possible_cpu(cpu) {
1343 cpu_stats = per_cpu_ptr(stats, cpu);
1344 do {
1345 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1346 pkts = cpu_stats->pkts;
1347 bytes = cpu_stats->bytes;
1348 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1349 total.pkts += pkts;
1350 total.bytes += bytes;
1351 }
1352 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1353 if (nest == NULL)
1354 goto nla_put_failure;
1355
1356 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1357 NFTA_COUNTER_PAD) ||
1358 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1359 NFTA_COUNTER_PAD))
1360 goto nla_put_failure;
1361
1362 nla_nest_end(skb, nest);
1363 return 0;
1364
1365 nla_put_failure:
1366 return -ENOSPC;
1367 }
1368
nft_dump_basechain_hook(struct sk_buff * skb,int family,const struct nft_base_chain * basechain)1369 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1370 const struct nft_base_chain *basechain)
1371 {
1372 const struct nf_hook_ops *ops = &basechain->ops;
1373 struct nft_hook *hook, *first = NULL;
1374 struct nlattr *nest, *nest_devs;
1375 int n = 0;
1376
1377 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1378 if (nest == NULL)
1379 goto nla_put_failure;
1380 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1381 goto nla_put_failure;
1382 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1383 goto nla_put_failure;
1384
1385 if (nft_base_chain_netdev(family, ops->hooknum)) {
1386 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1387 list_for_each_entry(hook, &basechain->hook_list, list) {
1388 if (!first)
1389 first = hook;
1390
1391 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1392 hook->ops.dev->name))
1393 goto nla_put_failure;
1394 n++;
1395 }
1396 nla_nest_end(skb, nest_devs);
1397
1398 if (n == 1 &&
1399 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1400 goto nla_put_failure;
1401 }
1402 nla_nest_end(skb, nest);
1403
1404 return 0;
1405 nla_put_failure:
1406 return -1;
1407 }
1408
nf_tables_fill_chain_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,const struct nft_chain * chain)1409 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1410 u32 portid, u32 seq, int event, u32 flags,
1411 int family, const struct nft_table *table,
1412 const struct nft_chain *chain)
1413 {
1414 struct nlmsghdr *nlh;
1415 struct nfgenmsg *nfmsg;
1416
1417 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1418 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1419 if (nlh == NULL)
1420 goto nla_put_failure;
1421
1422 nfmsg = nlmsg_data(nlh);
1423 nfmsg->nfgen_family = family;
1424 nfmsg->version = NFNETLINK_V0;
1425 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1426
1427 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1428 goto nla_put_failure;
1429 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1430 NFTA_CHAIN_PAD))
1431 goto nla_put_failure;
1432 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1433 goto nla_put_failure;
1434
1435 if (nft_is_base_chain(chain)) {
1436 const struct nft_base_chain *basechain = nft_base_chain(chain);
1437 struct nft_stats __percpu *stats;
1438
1439 if (nft_dump_basechain_hook(skb, family, basechain))
1440 goto nla_put_failure;
1441
1442 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1443 htonl(basechain->policy)))
1444 goto nla_put_failure;
1445
1446 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1447 goto nla_put_failure;
1448
1449 stats = rcu_dereference_check(basechain->stats,
1450 lockdep_commit_lock_is_held(net));
1451 if (nft_dump_stats(skb, stats))
1452 goto nla_put_failure;
1453 }
1454
1455 if (chain->flags &&
1456 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
1457 goto nla_put_failure;
1458
1459 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1460 goto nla_put_failure;
1461
1462 if (chain->udata &&
1463 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
1464 goto nla_put_failure;
1465
1466 nlmsg_end(skb, nlh);
1467 return 0;
1468
1469 nla_put_failure:
1470 nlmsg_trim(skb, nlh);
1471 return -1;
1472 }
1473
nf_tables_chain_notify(const struct nft_ctx * ctx,int event)1474 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1475 {
1476 struct sk_buff *skb;
1477 int err;
1478 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
1479 ctx->table->name, ctx->table->handle,
1480 ctx->chain->name, ctx->chain->handle);
1481
1482 audit_log_nfcfg(buf,
1483 ctx->family,
1484 ctx->chain->use,
1485 event == NFT_MSG_NEWCHAIN ?
1486 AUDIT_NFT_OP_CHAIN_REGISTER :
1487 AUDIT_NFT_OP_CHAIN_UNREGISTER,
1488 GFP_KERNEL);
1489 kfree(buf);
1490
1491 if (!ctx->report &&
1492 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1493 return;
1494
1495 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1496 if (skb == NULL)
1497 goto err;
1498
1499 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1500 event, 0, ctx->family, ctx->table,
1501 ctx->chain);
1502 if (err < 0) {
1503 kfree_skb(skb);
1504 goto err;
1505 }
1506
1507 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
1508 return;
1509 err:
1510 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1511 }
1512
nf_tables_dump_chains(struct sk_buff * skb,struct netlink_callback * cb)1513 static int nf_tables_dump_chains(struct sk_buff *skb,
1514 struct netlink_callback *cb)
1515 {
1516 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1517 const struct nft_table *table;
1518 const struct nft_chain *chain;
1519 unsigned int idx = 0, s_idx = cb->args[0];
1520 struct net *net = sock_net(skb->sk);
1521 int family = nfmsg->nfgen_family;
1522
1523 rcu_read_lock();
1524 cb->seq = net->nft.base_seq;
1525
1526 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1527 if (family != NFPROTO_UNSPEC && family != table->family)
1528 continue;
1529
1530 list_for_each_entry_rcu(chain, &table->chains, list) {
1531 if (idx < s_idx)
1532 goto cont;
1533 if (idx > s_idx)
1534 memset(&cb->args[1], 0,
1535 sizeof(cb->args) - sizeof(cb->args[0]));
1536 if (!nft_is_active(net, chain))
1537 continue;
1538 if (nf_tables_fill_chain_info(skb, net,
1539 NETLINK_CB(cb->skb).portid,
1540 cb->nlh->nlmsg_seq,
1541 NFT_MSG_NEWCHAIN,
1542 NLM_F_MULTI,
1543 table->family, table,
1544 chain) < 0)
1545 goto done;
1546
1547 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1548 cont:
1549 idx++;
1550 }
1551 }
1552 done:
1553 rcu_read_unlock();
1554 cb->args[0] = idx;
1555 return skb->len;
1556 }
1557
1558 /* called with rcu_read_lock held */
nf_tables_getchain(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)1559 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1560 struct sk_buff *skb, const struct nlmsghdr *nlh,
1561 const struct nlattr * const nla[],
1562 struct netlink_ext_ack *extack)
1563 {
1564 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1565 u8 genmask = nft_genmask_cur(net);
1566 const struct nft_chain *chain;
1567 struct nft_table *table;
1568 struct sk_buff *skb2;
1569 int family = nfmsg->nfgen_family;
1570 int err;
1571
1572 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1573 struct netlink_dump_control c = {
1574 .dump = nf_tables_dump_chains,
1575 .module = THIS_MODULE,
1576 };
1577
1578 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1579 }
1580
1581 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1582 if (IS_ERR(table)) {
1583 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1584 return PTR_ERR(table);
1585 }
1586
1587 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1588 if (IS_ERR(chain)) {
1589 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1590 return PTR_ERR(chain);
1591 }
1592
1593 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1594 if (!skb2)
1595 return -ENOMEM;
1596
1597 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1598 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1599 family, table, chain);
1600 if (err < 0)
1601 goto err_fill_chain_info;
1602
1603 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1604
1605 err_fill_chain_info:
1606 kfree_skb(skb2);
1607 return err;
1608 }
1609
1610 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1611 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1612 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1613 };
1614
nft_stats_alloc(const struct nlattr * attr)1615 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1616 {
1617 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1618 struct nft_stats __percpu *newstats;
1619 struct nft_stats *stats;
1620 int err;
1621
1622 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1623 nft_counter_policy, NULL);
1624 if (err < 0)
1625 return ERR_PTR(err);
1626
1627 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1628 return ERR_PTR(-EINVAL);
1629
1630 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1631 if (newstats == NULL)
1632 return ERR_PTR(-ENOMEM);
1633
1634 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1635 * are not exposed to userspace.
1636 */
1637 preempt_disable();
1638 stats = this_cpu_ptr(newstats);
1639 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1640 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1641 preempt_enable();
1642
1643 return newstats;
1644 }
1645
nft_chain_stats_replace(struct nft_trans * trans)1646 static void nft_chain_stats_replace(struct nft_trans *trans)
1647 {
1648 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1649
1650 if (!nft_trans_chain_stats(trans))
1651 return;
1652
1653 nft_trans_chain_stats(trans) =
1654 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
1655 lockdep_commit_lock_is_held(trans->ctx.net));
1656
1657 if (!nft_trans_chain_stats(trans))
1658 static_branch_inc(&nft_counters_enabled);
1659 }
1660
nf_tables_chain_free_chain_rules(struct nft_chain * chain)1661 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1662 {
1663 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1664 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1665
1666 if (g0 != g1)
1667 kvfree(g1);
1668 kvfree(g0);
1669
1670 /* should be NULL either via abort or via successful commit */
1671 WARN_ON_ONCE(chain->rules_next);
1672 kvfree(chain->rules_next);
1673 }
1674
nf_tables_chain_destroy(struct nft_ctx * ctx)1675 void nf_tables_chain_destroy(struct nft_ctx *ctx)
1676 {
1677 struct nft_chain *chain = ctx->chain;
1678 struct nft_hook *hook, *next;
1679
1680 if (WARN_ON(chain->use > 0))
1681 return;
1682
1683 /* no concurrent access possible anymore */
1684 nf_tables_chain_free_chain_rules(chain);
1685
1686 if (nft_is_base_chain(chain)) {
1687 struct nft_base_chain *basechain = nft_base_chain(chain);
1688
1689 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
1690 list_for_each_entry_safe(hook, next,
1691 &basechain->hook_list, list) {
1692 list_del_rcu(&hook->list);
1693 kfree_rcu(hook, rcu);
1694 }
1695 }
1696 module_put(basechain->type->owner);
1697 if (rcu_access_pointer(basechain->stats)) {
1698 static_branch_dec(&nft_counters_enabled);
1699 free_percpu(rcu_dereference_raw(basechain->stats));
1700 }
1701 kfree(chain->name);
1702 kfree(chain->udata);
1703 kfree(basechain);
1704 } else {
1705 kfree(chain->name);
1706 kfree(chain->udata);
1707 kfree(chain);
1708 }
1709 }
1710
nft_netdev_hook_alloc(struct net * net,const struct nlattr * attr)1711 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
1712 const struct nlattr *attr)
1713 {
1714 struct net_device *dev;
1715 char ifname[IFNAMSIZ];
1716 struct nft_hook *hook;
1717 int err;
1718
1719 hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL);
1720 if (!hook) {
1721 err = -ENOMEM;
1722 goto err_hook_alloc;
1723 }
1724
1725 nla_strlcpy(ifname, attr, IFNAMSIZ);
1726 /* nf_tables_netdev_event() is called under rtnl_mutex, this is
1727 * indirectly serializing all the other holders of the commit_mutex with
1728 * the rtnl_mutex.
1729 */
1730 dev = __dev_get_by_name(net, ifname);
1731 if (!dev) {
1732 err = -ENOENT;
1733 goto err_hook_dev;
1734 }
1735 hook->ops.dev = dev;
1736 hook->inactive = false;
1737
1738 return hook;
1739
1740 err_hook_dev:
1741 kfree(hook);
1742 err_hook_alloc:
1743 return ERR_PTR(err);
1744 }
1745
nft_hook_list_find(struct list_head * hook_list,const struct nft_hook * this)1746 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
1747 const struct nft_hook *this)
1748 {
1749 struct nft_hook *hook;
1750
1751 list_for_each_entry(hook, hook_list, list) {
1752 if (this->ops.dev == hook->ops.dev)
1753 return hook;
1754 }
1755
1756 return NULL;
1757 }
1758
nf_tables_parse_netdev_hooks(struct net * net,const struct nlattr * attr,struct list_head * hook_list)1759 static int nf_tables_parse_netdev_hooks(struct net *net,
1760 const struct nlattr *attr,
1761 struct list_head *hook_list)
1762 {
1763 struct nft_hook *hook, *next;
1764 const struct nlattr *tmp;
1765 int rem, n = 0, err;
1766
1767 nla_for_each_nested(tmp, attr, rem) {
1768 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
1769 err = -EINVAL;
1770 goto err_hook;
1771 }
1772
1773 hook = nft_netdev_hook_alloc(net, tmp);
1774 if (IS_ERR(hook)) {
1775 err = PTR_ERR(hook);
1776 goto err_hook;
1777 }
1778 if (nft_hook_list_find(hook_list, hook)) {
1779 kfree(hook);
1780 err = -EEXIST;
1781 goto err_hook;
1782 }
1783 list_add_tail(&hook->list, hook_list);
1784 n++;
1785
1786 if (n == NFT_NETDEVICE_MAX) {
1787 err = -EFBIG;
1788 goto err_hook;
1789 }
1790 }
1791
1792 return 0;
1793
1794 err_hook:
1795 list_for_each_entry_safe(hook, next, hook_list, list) {
1796 list_del(&hook->list);
1797 kfree(hook);
1798 }
1799 return err;
1800 }
1801
1802 struct nft_chain_hook {
1803 u32 num;
1804 s32 priority;
1805 const struct nft_chain_type *type;
1806 struct list_head list;
1807 };
1808
nft_chain_parse_netdev(struct net * net,struct nlattr * tb[],struct list_head * hook_list)1809 static int nft_chain_parse_netdev(struct net *net,
1810 struct nlattr *tb[],
1811 struct list_head *hook_list)
1812 {
1813 struct nft_hook *hook;
1814 int err;
1815
1816 if (tb[NFTA_HOOK_DEV]) {
1817 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
1818 if (IS_ERR(hook))
1819 return PTR_ERR(hook);
1820
1821 list_add_tail(&hook->list, hook_list);
1822 } else if (tb[NFTA_HOOK_DEVS]) {
1823 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
1824 hook_list);
1825 if (err < 0)
1826 return err;
1827
1828 if (list_empty(hook_list))
1829 return -EINVAL;
1830 } else {
1831 return -EINVAL;
1832 }
1833
1834 return 0;
1835 }
1836
nft_chain_parse_hook(struct net * net,const struct nlattr * const nla[],struct nft_chain_hook * hook,u8 family,bool autoload)1837 static int nft_chain_parse_hook(struct net *net,
1838 const struct nlattr * const nla[],
1839 struct nft_chain_hook *hook, u8 family,
1840 bool autoload)
1841 {
1842 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1843 const struct nft_chain_type *type;
1844 int err;
1845
1846 lockdep_assert_held(&net->nft.commit_mutex);
1847 lockdep_nfnl_nft_mutex_not_held();
1848
1849 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
1850 nla[NFTA_CHAIN_HOOK],
1851 nft_hook_policy, NULL);
1852 if (err < 0)
1853 return err;
1854
1855 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1856 ha[NFTA_HOOK_PRIORITY] == NULL)
1857 return -EINVAL;
1858
1859 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1860 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1861
1862 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
1863 if (!type)
1864 return -EOPNOTSUPP;
1865
1866 if (nla[NFTA_CHAIN_TYPE]) {
1867 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1868 family, autoload);
1869 if (IS_ERR(type))
1870 return PTR_ERR(type);
1871 }
1872 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1873 return -EOPNOTSUPP;
1874
1875 if (type->type == NFT_CHAIN_T_NAT &&
1876 hook->priority <= NF_IP_PRI_CONNTRACK)
1877 return -EOPNOTSUPP;
1878
1879 if (!try_module_get(type->owner))
1880 return -ENOENT;
1881
1882 hook->type = type;
1883
1884 INIT_LIST_HEAD(&hook->list);
1885 if (nft_base_chain_netdev(family, hook->num)) {
1886 err = nft_chain_parse_netdev(net, ha, &hook->list);
1887 if (err < 0) {
1888 module_put(type->owner);
1889 return err;
1890 }
1891 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
1892 module_put(type->owner);
1893 return -EOPNOTSUPP;
1894 }
1895
1896 return 0;
1897 }
1898
nft_chain_release_hook(struct nft_chain_hook * hook)1899 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1900 {
1901 struct nft_hook *h, *next;
1902
1903 list_for_each_entry_safe(h, next, &hook->list, list) {
1904 list_del(&h->list);
1905 kfree(h);
1906 }
1907 module_put(hook->type->owner);
1908 }
1909
1910 struct nft_rules_old {
1911 struct rcu_head h;
1912 struct nft_rule **start;
1913 };
1914
nf_tables_chain_alloc_rules(const struct nft_chain * chain,unsigned int alloc)1915 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1916 unsigned int alloc)
1917 {
1918 if (alloc > INT_MAX)
1919 return NULL;
1920
1921 alloc += 1; /* NULL, ends rules */
1922 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1923 return NULL;
1924
1925 alloc *= sizeof(struct nft_rule *);
1926 alloc += sizeof(struct nft_rules_old);
1927
1928 return kvmalloc(alloc, GFP_KERNEL);
1929 }
1930
nft_basechain_hook_init(struct nf_hook_ops * ops,u8 family,const struct nft_chain_hook * hook,struct nft_chain * chain)1931 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
1932 const struct nft_chain_hook *hook,
1933 struct nft_chain *chain)
1934 {
1935 ops->pf = family;
1936 ops->hooknum = hook->num;
1937 ops->priority = hook->priority;
1938 ops->priv = chain;
1939 ops->hook = hook->type->hooks[ops->hooknum];
1940 }
1941
nft_basechain_init(struct nft_base_chain * basechain,u8 family,struct nft_chain_hook * hook,u32 flags)1942 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
1943 struct nft_chain_hook *hook, u32 flags)
1944 {
1945 struct nft_chain *chain;
1946 struct nft_hook *h;
1947
1948 basechain->type = hook->type;
1949 INIT_LIST_HEAD(&basechain->hook_list);
1950 chain = &basechain->chain;
1951
1952 if (nft_base_chain_netdev(family, hook->num)) {
1953 list_splice_init(&hook->list, &basechain->hook_list);
1954 list_for_each_entry(h, &basechain->hook_list, list)
1955 nft_basechain_hook_init(&h->ops, family, hook, chain);
1956
1957 basechain->ops.hooknum = hook->num;
1958 basechain->ops.priority = hook->priority;
1959 } else {
1960 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
1961 }
1962
1963 chain->flags |= NFT_CHAIN_BASE | flags;
1964 basechain->policy = NF_ACCEPT;
1965 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
1966 nft_chain_offload_priority(basechain) < 0)
1967 return -EOPNOTSUPP;
1968
1969 flow_block_init(&basechain->flow_block);
1970
1971 return 0;
1972 }
1973
nft_chain_add(struct nft_table * table,struct nft_chain * chain)1974 static int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
1975 {
1976 int err;
1977
1978 err = rhltable_insert_key(&table->chains_ht, chain->name,
1979 &chain->rhlhead, nft_chain_ht_params);
1980 if (err)
1981 return err;
1982
1983 list_add_tail_rcu(&chain->list, &table->chains);
1984
1985 return 0;
1986 }
1987
1988 static u64 chain_id;
1989
nf_tables_addchain(struct nft_ctx * ctx,u8 family,u8 genmask,u8 policy,u32 flags)1990 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1991 u8 policy, u32 flags)
1992 {
1993 const struct nlattr * const *nla = ctx->nla;
1994 struct nft_table *table = ctx->table;
1995 struct nft_base_chain *basechain;
1996 struct nft_stats __percpu *stats;
1997 struct net *net = ctx->net;
1998 char name[NFT_NAME_MAXLEN];
1999 struct nft_trans *trans;
2000 struct nft_chain *chain;
2001 struct nft_rule **rules;
2002 int err;
2003
2004 if (table->use == UINT_MAX)
2005 return -EOVERFLOW;
2006
2007 if (nla[NFTA_CHAIN_HOOK]) {
2008 struct nft_chain_hook hook;
2009
2010 if (flags & NFT_CHAIN_BINDING)
2011 return -EOPNOTSUPP;
2012
2013 err = nft_chain_parse_hook(net, nla, &hook, family, true);
2014 if (err < 0)
2015 return err;
2016
2017 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
2018 if (basechain == NULL) {
2019 nft_chain_release_hook(&hook);
2020 return -ENOMEM;
2021 }
2022 chain = &basechain->chain;
2023
2024 if (nla[NFTA_CHAIN_COUNTERS]) {
2025 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2026 if (IS_ERR(stats)) {
2027 nft_chain_release_hook(&hook);
2028 kfree(basechain);
2029 return PTR_ERR(stats);
2030 }
2031 rcu_assign_pointer(basechain->stats, stats);
2032 static_branch_inc(&nft_counters_enabled);
2033 }
2034
2035 err = nft_basechain_init(basechain, family, &hook, flags);
2036 if (err < 0) {
2037 nft_chain_release_hook(&hook);
2038 kfree(basechain);
2039 return err;
2040 }
2041 } else {
2042 if (flags & NFT_CHAIN_BASE)
2043 return -EINVAL;
2044 if (flags & NFT_CHAIN_HW_OFFLOAD)
2045 return -EOPNOTSUPP;
2046
2047 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
2048 if (chain == NULL)
2049 return -ENOMEM;
2050
2051 chain->flags = flags;
2052 }
2053 ctx->chain = chain;
2054
2055 INIT_LIST_HEAD(&chain->rules);
2056 chain->handle = nf_tables_alloc_handle(table);
2057 chain->table = table;
2058
2059 if (nla[NFTA_CHAIN_NAME]) {
2060 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2061 } else {
2062 if (!(flags & NFT_CHAIN_BINDING)) {
2063 err = -EINVAL;
2064 goto err_destroy_chain;
2065 }
2066
2067 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2068 chain->name = kstrdup(name, GFP_KERNEL);
2069 }
2070
2071 if (!chain->name) {
2072 err = -ENOMEM;
2073 goto err_destroy_chain;
2074 }
2075
2076 if (nla[NFTA_CHAIN_USERDATA]) {
2077 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL);
2078 if (chain->udata == NULL) {
2079 err = -ENOMEM;
2080 goto err_destroy_chain;
2081 }
2082 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
2083 }
2084
2085 rules = nf_tables_chain_alloc_rules(chain, 0);
2086 if (!rules) {
2087 err = -ENOMEM;
2088 goto err_destroy_chain;
2089 }
2090
2091 *rules = NULL;
2092 rcu_assign_pointer(chain->rules_gen_0, rules);
2093 rcu_assign_pointer(chain->rules_gen_1, rules);
2094
2095 err = nf_tables_register_hook(net, table, chain);
2096 if (err < 0)
2097 goto err_destroy_chain;
2098
2099 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2100 if (IS_ERR(trans)) {
2101 err = PTR_ERR(trans);
2102 goto err_unregister_hook;
2103 }
2104
2105 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2106 if (nft_is_base_chain(chain))
2107 nft_trans_chain_policy(trans) = policy;
2108
2109 err = nft_chain_add(table, chain);
2110 if (err < 0) {
2111 nft_trans_destroy(trans);
2112 goto err_unregister_hook;
2113 }
2114
2115 table->use++;
2116
2117 return 0;
2118 err_unregister_hook:
2119 nf_tables_unregister_hook(net, table, chain);
2120 err_destroy_chain:
2121 nf_tables_chain_destroy(ctx);
2122
2123 return err;
2124 }
2125
nft_hook_list_equal(struct list_head * hook_list1,struct list_head * hook_list2)2126 static bool nft_hook_list_equal(struct list_head *hook_list1,
2127 struct list_head *hook_list2)
2128 {
2129 struct nft_hook *hook;
2130 int n = 0, m = 0;
2131
2132 n = 0;
2133 list_for_each_entry(hook, hook_list2, list) {
2134 if (!nft_hook_list_find(hook_list1, hook))
2135 return false;
2136
2137 n++;
2138 }
2139 list_for_each_entry(hook, hook_list1, list)
2140 m++;
2141
2142 return n == m;
2143 }
2144
nf_tables_updchain(struct nft_ctx * ctx,u8 genmask,u8 policy,u32 flags,const struct nlattr * attr,struct netlink_ext_ack * extack)2145 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2146 u32 flags, const struct nlattr *attr,
2147 struct netlink_ext_ack *extack)
2148 {
2149 const struct nlattr * const *nla = ctx->nla;
2150 struct nft_table *table = ctx->table;
2151 struct nft_chain *chain = ctx->chain;
2152 struct nft_base_chain *basechain;
2153 struct nft_stats *stats = NULL;
2154 struct nft_chain_hook hook;
2155 struct nf_hook_ops *ops;
2156 struct nft_trans *trans;
2157 int err;
2158
2159 if (chain->flags ^ flags)
2160 return -EOPNOTSUPP;
2161
2162 if (nla[NFTA_CHAIN_HOOK]) {
2163 if (!nft_is_base_chain(chain)) {
2164 NL_SET_BAD_ATTR(extack, attr);
2165 return -EEXIST;
2166 }
2167 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
2168 false);
2169 if (err < 0)
2170 return err;
2171
2172 basechain = nft_base_chain(chain);
2173 if (basechain->type != hook.type) {
2174 nft_chain_release_hook(&hook);
2175 NL_SET_BAD_ATTR(extack, attr);
2176 return -EEXIST;
2177 }
2178
2179 if (nft_base_chain_netdev(ctx->family, hook.num)) {
2180 if (!nft_hook_list_equal(&basechain->hook_list,
2181 &hook.list)) {
2182 nft_chain_release_hook(&hook);
2183 NL_SET_BAD_ATTR(extack, attr);
2184 return -EEXIST;
2185 }
2186 } else {
2187 ops = &basechain->ops;
2188 if (ops->hooknum != hook.num ||
2189 ops->priority != hook.priority) {
2190 nft_chain_release_hook(&hook);
2191 NL_SET_BAD_ATTR(extack, attr);
2192 return -EEXIST;
2193 }
2194 }
2195 nft_chain_release_hook(&hook);
2196 }
2197
2198 if (nla[NFTA_CHAIN_HANDLE] &&
2199 nla[NFTA_CHAIN_NAME]) {
2200 struct nft_chain *chain2;
2201
2202 chain2 = nft_chain_lookup(ctx->net, table,
2203 nla[NFTA_CHAIN_NAME], genmask);
2204 if (!IS_ERR(chain2)) {
2205 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2206 return -EEXIST;
2207 }
2208 }
2209
2210 if (nla[NFTA_CHAIN_COUNTERS]) {
2211 if (!nft_is_base_chain(chain))
2212 return -EOPNOTSUPP;
2213
2214 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2215 if (IS_ERR(stats))
2216 return PTR_ERR(stats);
2217 }
2218
2219 err = -ENOMEM;
2220 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2221 sizeof(struct nft_trans_chain));
2222 if (trans == NULL)
2223 goto err;
2224
2225 nft_trans_chain_stats(trans) = stats;
2226 nft_trans_chain_update(trans) = true;
2227
2228 if (nla[NFTA_CHAIN_POLICY])
2229 nft_trans_chain_policy(trans) = policy;
2230 else
2231 nft_trans_chain_policy(trans) = -1;
2232
2233 if (nla[NFTA_CHAIN_HANDLE] &&
2234 nla[NFTA_CHAIN_NAME]) {
2235 struct nft_trans *tmp;
2236 char *name;
2237
2238 err = -ENOMEM;
2239 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2240 if (!name)
2241 goto err;
2242
2243 err = -EEXIST;
2244 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
2245 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2246 tmp->ctx.table == table &&
2247 nft_trans_chain_update(tmp) &&
2248 nft_trans_chain_name(tmp) &&
2249 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2250 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2251 kfree(name);
2252 goto err;
2253 }
2254 }
2255
2256 nft_trans_chain_name(trans) = name;
2257 }
2258 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
2259
2260 return 0;
2261 err:
2262 free_percpu(stats);
2263 kfree(trans);
2264 return err;
2265 }
2266
nft_chain_lookup_byid(const struct net * net,const struct nlattr * nla)2267 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2268 const struct nlattr *nla)
2269 {
2270 u32 id = ntohl(nla_get_be32(nla));
2271 struct nft_trans *trans;
2272
2273 list_for_each_entry(trans, &net->nft.commit_list, list) {
2274 struct nft_chain *chain = trans->ctx.chain;
2275
2276 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2277 id == nft_trans_chain_id(trans))
2278 return chain;
2279 }
2280 return ERR_PTR(-ENOENT);
2281 }
2282
nf_tables_newchain(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)2283 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
2284 struct sk_buff *skb, const struct nlmsghdr *nlh,
2285 const struct nlattr * const nla[],
2286 struct netlink_ext_ack *extack)
2287 {
2288 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2289 u8 genmask = nft_genmask_next(net);
2290 int family = nfmsg->nfgen_family;
2291 struct nft_chain *chain = NULL;
2292 const struct nlattr *attr;
2293 struct nft_table *table;
2294 u8 policy = NF_ACCEPT;
2295 struct nft_ctx ctx;
2296 u64 handle = 0;
2297 u32 flags = 0;
2298
2299 lockdep_assert_held(&net->nft.commit_mutex);
2300
2301 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
2302 if (IS_ERR(table)) {
2303 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2304 return PTR_ERR(table);
2305 }
2306
2307 chain = NULL;
2308 attr = nla[NFTA_CHAIN_NAME];
2309
2310 if (nla[NFTA_CHAIN_HANDLE]) {
2311 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2312 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2313 if (IS_ERR(chain)) {
2314 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2315 return PTR_ERR(chain);
2316 }
2317 attr = nla[NFTA_CHAIN_HANDLE];
2318 } else if (nla[NFTA_CHAIN_NAME]) {
2319 chain = nft_chain_lookup(net, table, attr, genmask);
2320 if (IS_ERR(chain)) {
2321 if (PTR_ERR(chain) != -ENOENT) {
2322 NL_SET_BAD_ATTR(extack, attr);
2323 return PTR_ERR(chain);
2324 }
2325 chain = NULL;
2326 }
2327 } else if (!nla[NFTA_CHAIN_ID]) {
2328 return -EINVAL;
2329 }
2330
2331 if (nla[NFTA_CHAIN_POLICY]) {
2332 if (chain != NULL &&
2333 !nft_is_base_chain(chain)) {
2334 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2335 return -EOPNOTSUPP;
2336 }
2337
2338 if (chain == NULL &&
2339 nla[NFTA_CHAIN_HOOK] == NULL) {
2340 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2341 return -EOPNOTSUPP;
2342 }
2343
2344 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2345 switch (policy) {
2346 case NF_DROP:
2347 case NF_ACCEPT:
2348 break;
2349 default:
2350 return -EINVAL;
2351 }
2352 }
2353
2354 if (nla[NFTA_CHAIN_FLAGS])
2355 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2356 else if (chain)
2357 flags = chain->flags;
2358
2359 if (flags & ~NFT_CHAIN_FLAGS)
2360 return -EOPNOTSUPP;
2361
2362 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2363
2364 if (chain != NULL) {
2365 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2366 NL_SET_BAD_ATTR(extack, attr);
2367 return -EEXIST;
2368 }
2369 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2370 return -EOPNOTSUPP;
2371
2372 flags |= chain->flags & NFT_CHAIN_BASE;
2373 return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
2374 extack);
2375 }
2376
2377 return nf_tables_addchain(&ctx, family, genmask, policy, flags);
2378 }
2379
nf_tables_delchain(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)2380 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
2381 struct sk_buff *skb, const struct nlmsghdr *nlh,
2382 const struct nlattr * const nla[],
2383 struct netlink_ext_ack *extack)
2384 {
2385 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2386 u8 genmask = nft_genmask_next(net);
2387 int family = nfmsg->nfgen_family;
2388 const struct nlattr *attr;
2389 struct nft_table *table;
2390 struct nft_chain *chain;
2391 struct nft_rule *rule;
2392 struct nft_ctx ctx;
2393 u64 handle;
2394 u32 use;
2395 int err;
2396
2397 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
2398 if (IS_ERR(table)) {
2399 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2400 return PTR_ERR(table);
2401 }
2402
2403 if (nla[NFTA_CHAIN_HANDLE]) {
2404 attr = nla[NFTA_CHAIN_HANDLE];
2405 handle = be64_to_cpu(nla_get_be64(attr));
2406 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2407 } else {
2408 attr = nla[NFTA_CHAIN_NAME];
2409 chain = nft_chain_lookup(net, table, attr, genmask);
2410 }
2411 if (IS_ERR(chain)) {
2412 NL_SET_BAD_ATTR(extack, attr);
2413 return PTR_ERR(chain);
2414 }
2415
2416 if (nlh->nlmsg_flags & NLM_F_NONREC &&
2417 chain->use > 0)
2418 return -EBUSY;
2419
2420 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2421
2422 use = chain->use;
2423 list_for_each_entry(rule, &chain->rules, list) {
2424 if (!nft_is_active_next(net, rule))
2425 continue;
2426 use--;
2427
2428 err = nft_delrule(&ctx, rule);
2429 if (err < 0)
2430 return err;
2431 }
2432
2433 /* There are rules and elements that are still holding references to us,
2434 * we cannot do a recursive removal in this case.
2435 */
2436 if (use > 0) {
2437 NL_SET_BAD_ATTR(extack, attr);
2438 return -EBUSY;
2439 }
2440
2441 return nft_delchain(&ctx);
2442 }
2443
2444 /*
2445 * Expressions
2446 */
2447
2448 /**
2449 * nft_register_expr - register nf_tables expr type
2450 * @type: expr type
2451 *
2452 * Registers the expr type for use with nf_tables. Returns zero on
2453 * success or a negative errno code otherwise.
2454 */
nft_register_expr(struct nft_expr_type * type)2455 int nft_register_expr(struct nft_expr_type *type)
2456 {
2457 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2458 if (type->family == NFPROTO_UNSPEC)
2459 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2460 else
2461 list_add_rcu(&type->list, &nf_tables_expressions);
2462 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2463 return 0;
2464 }
2465 EXPORT_SYMBOL_GPL(nft_register_expr);
2466
2467 /**
2468 * nft_unregister_expr - unregister nf_tables expr type
2469 * @type: expr type
2470 *
2471 * Unregisters the expr typefor use with nf_tables.
2472 */
nft_unregister_expr(struct nft_expr_type * type)2473 void nft_unregister_expr(struct nft_expr_type *type)
2474 {
2475 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2476 list_del_rcu(&type->list);
2477 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2478 }
2479 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2480
__nft_expr_type_get(u8 family,struct nlattr * nla)2481 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2482 struct nlattr *nla)
2483 {
2484 const struct nft_expr_type *type, *candidate = NULL;
2485
2486 list_for_each_entry(type, &nf_tables_expressions, list) {
2487 if (!nla_strcmp(nla, type->name)) {
2488 if (!type->family && !candidate)
2489 candidate = type;
2490 else if (type->family == family)
2491 candidate = type;
2492 }
2493 }
2494 return candidate;
2495 }
2496
2497 #ifdef CONFIG_MODULES
nft_expr_type_request_module(struct net * net,u8 family,struct nlattr * nla)2498 static int nft_expr_type_request_module(struct net *net, u8 family,
2499 struct nlattr *nla)
2500 {
2501 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
2502 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
2503 return -EAGAIN;
2504
2505 return 0;
2506 }
2507 #endif
2508
nft_expr_type_get(struct net * net,u8 family,struct nlattr * nla)2509 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2510 u8 family,
2511 struct nlattr *nla)
2512 {
2513 const struct nft_expr_type *type;
2514
2515 if (nla == NULL)
2516 return ERR_PTR(-EINVAL);
2517
2518 type = __nft_expr_type_get(family, nla);
2519 if (type != NULL && try_module_get(type->owner))
2520 return type;
2521
2522 lockdep_nfnl_nft_mutex_not_held();
2523 #ifdef CONFIG_MODULES
2524 if (type == NULL) {
2525 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2526 return ERR_PTR(-EAGAIN);
2527
2528 if (nft_request_module(net, "nft-expr-%.*s",
2529 nla_len(nla),
2530 (char *)nla_data(nla)) == -EAGAIN)
2531 return ERR_PTR(-EAGAIN);
2532 }
2533 #endif
2534 return ERR_PTR(-ENOENT);
2535 }
2536
2537 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2538 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
2539 .len = NFT_MODULE_AUTOLOAD_LIMIT },
2540 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2541 };
2542
nf_tables_fill_expr_info(struct sk_buff * skb,const struct nft_expr * expr)2543 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2544 const struct nft_expr *expr)
2545 {
2546 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2547 goto nla_put_failure;
2548
2549 if (expr->ops->dump) {
2550 struct nlattr *data = nla_nest_start_noflag(skb,
2551 NFTA_EXPR_DATA);
2552 if (data == NULL)
2553 goto nla_put_failure;
2554 if (expr->ops->dump(skb, expr) < 0)
2555 goto nla_put_failure;
2556 nla_nest_end(skb, data);
2557 }
2558
2559 return skb->len;
2560
2561 nla_put_failure:
2562 return -1;
2563 };
2564
nft_expr_dump(struct sk_buff * skb,unsigned int attr,const struct nft_expr * expr)2565 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2566 const struct nft_expr *expr)
2567 {
2568 struct nlattr *nest;
2569
2570 nest = nla_nest_start_noflag(skb, attr);
2571 if (!nest)
2572 goto nla_put_failure;
2573 if (nf_tables_fill_expr_info(skb, expr) < 0)
2574 goto nla_put_failure;
2575 nla_nest_end(skb, nest);
2576 return 0;
2577
2578 nla_put_failure:
2579 return -1;
2580 }
2581
2582 struct nft_expr_info {
2583 const struct nft_expr_ops *ops;
2584 const struct nlattr *attr;
2585 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2586 };
2587
nf_tables_expr_parse(const struct nft_ctx * ctx,const struct nlattr * nla,struct nft_expr_info * info)2588 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2589 const struct nlattr *nla,
2590 struct nft_expr_info *info)
2591 {
2592 const struct nft_expr_type *type;
2593 const struct nft_expr_ops *ops;
2594 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2595 int err;
2596
2597 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2598 nft_expr_policy, NULL);
2599 if (err < 0)
2600 return err;
2601
2602 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2603 if (IS_ERR(type))
2604 return PTR_ERR(type);
2605
2606 if (tb[NFTA_EXPR_DATA]) {
2607 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2608 tb[NFTA_EXPR_DATA],
2609 type->policy, NULL);
2610 if (err < 0)
2611 goto err1;
2612 } else
2613 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2614
2615 if (type->select_ops != NULL) {
2616 ops = type->select_ops(ctx,
2617 (const struct nlattr * const *)info->tb);
2618 if (IS_ERR(ops)) {
2619 err = PTR_ERR(ops);
2620 #ifdef CONFIG_MODULES
2621 if (err == -EAGAIN)
2622 if (nft_expr_type_request_module(ctx->net,
2623 ctx->family,
2624 tb[NFTA_EXPR_NAME]) != -EAGAIN)
2625 err = -ENOENT;
2626 #endif
2627 goto err1;
2628 }
2629 } else
2630 ops = type->ops;
2631
2632 info->attr = nla;
2633 info->ops = ops;
2634
2635 return 0;
2636
2637 err1:
2638 module_put(type->owner);
2639 return err;
2640 }
2641
nf_tables_newexpr(const struct nft_ctx * ctx,const struct nft_expr_info * info,struct nft_expr * expr)2642 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2643 const struct nft_expr_info *info,
2644 struct nft_expr *expr)
2645 {
2646 const struct nft_expr_ops *ops = info->ops;
2647 int err;
2648
2649 expr->ops = ops;
2650 if (ops->init) {
2651 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2652 if (err < 0)
2653 goto err1;
2654 }
2655
2656 return 0;
2657 err1:
2658 expr->ops = NULL;
2659 return err;
2660 }
2661
nf_tables_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)2662 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2663 struct nft_expr *expr)
2664 {
2665 const struct nft_expr_type *type = expr->ops->type;
2666
2667 if (expr->ops->destroy)
2668 expr->ops->destroy(ctx, expr);
2669 module_put(type->owner);
2670 }
2671
nft_expr_init(const struct nft_ctx * ctx,const struct nlattr * nla)2672 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2673 const struct nlattr *nla)
2674 {
2675 struct nft_expr_info info;
2676 struct nft_expr *expr;
2677 struct module *owner;
2678 int err;
2679
2680 err = nf_tables_expr_parse(ctx, nla, &info);
2681 if (err < 0)
2682 goto err_expr_parse;
2683
2684 err = -EOPNOTSUPP;
2685 if (!(info.ops->type->flags & NFT_EXPR_STATEFUL))
2686 goto err_expr_stateful;
2687
2688 err = -ENOMEM;
2689 expr = kzalloc(info.ops->size, GFP_KERNEL);
2690 if (expr == NULL)
2691 goto err_expr_stateful;
2692
2693 err = nf_tables_newexpr(ctx, &info, expr);
2694 if (err < 0)
2695 goto err_expr_new;
2696
2697 return expr;
2698 err_expr_new:
2699 kfree(expr);
2700 err_expr_stateful:
2701 owner = info.ops->type->owner;
2702 if (info.ops->type->release_ops)
2703 info.ops->type->release_ops(info.ops);
2704
2705 module_put(owner);
2706 err_expr_parse:
2707 return ERR_PTR(err);
2708 }
2709
nft_expr_clone(struct nft_expr * dst,struct nft_expr * src)2710 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
2711 {
2712 int err;
2713
2714 if (src->ops->clone) {
2715 dst->ops = src->ops;
2716 err = src->ops->clone(dst, src);
2717 if (err < 0)
2718 return err;
2719 } else {
2720 memcpy(dst, src, src->ops->size);
2721 }
2722
2723 __module_get(src->ops->type->owner);
2724
2725 return 0;
2726 }
2727
nft_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)2728 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2729 {
2730 nf_tables_expr_destroy(ctx, expr);
2731 kfree(expr);
2732 }
2733
2734 /*
2735 * Rules
2736 */
2737
__nft_rule_lookup(const struct nft_chain * chain,u64 handle)2738 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2739 u64 handle)
2740 {
2741 struct nft_rule *rule;
2742
2743 // FIXME: this sucks
2744 list_for_each_entry_rcu(rule, &chain->rules, list) {
2745 if (handle == rule->handle)
2746 return rule;
2747 }
2748
2749 return ERR_PTR(-ENOENT);
2750 }
2751
nft_rule_lookup(const struct nft_chain * chain,const struct nlattr * nla)2752 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2753 const struct nlattr *nla)
2754 {
2755 if (nla == NULL)
2756 return ERR_PTR(-EINVAL);
2757
2758 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2759 }
2760
2761 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2762 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2763 .len = NFT_TABLE_MAXNAMELEN - 1 },
2764 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2765 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2766 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2767 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2768 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2769 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2770 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2771 .len = NFT_USERDATA_MAXLEN },
2772 [NFTA_RULE_ID] = { .type = NLA_U32 },
2773 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2774 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
2775 };
2776
nf_tables_fill_rule_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,const struct nft_chain * chain,const struct nft_rule * rule,const struct nft_rule * prule)2777 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2778 u32 portid, u32 seq, int event,
2779 u32 flags, int family,
2780 const struct nft_table *table,
2781 const struct nft_chain *chain,
2782 const struct nft_rule *rule,
2783 const struct nft_rule *prule)
2784 {
2785 struct nlmsghdr *nlh;
2786 struct nfgenmsg *nfmsg;
2787 const struct nft_expr *expr, *next;
2788 struct nlattr *list;
2789 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2790
2791 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2792 if (nlh == NULL)
2793 goto nla_put_failure;
2794
2795 nfmsg = nlmsg_data(nlh);
2796 nfmsg->nfgen_family = family;
2797 nfmsg->version = NFNETLINK_V0;
2798 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2799
2800 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2801 goto nla_put_failure;
2802 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2803 goto nla_put_failure;
2804 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2805 NFTA_RULE_PAD))
2806 goto nla_put_failure;
2807
2808 if (event != NFT_MSG_DELRULE && prule) {
2809 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2810 cpu_to_be64(prule->handle),
2811 NFTA_RULE_PAD))
2812 goto nla_put_failure;
2813 }
2814
2815 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
2816 if (list == NULL)
2817 goto nla_put_failure;
2818 nft_rule_for_each_expr(expr, next, rule) {
2819 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2820 goto nla_put_failure;
2821 }
2822 nla_nest_end(skb, list);
2823
2824 if (rule->udata) {
2825 struct nft_userdata *udata = nft_userdata(rule);
2826 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2827 udata->data) < 0)
2828 goto nla_put_failure;
2829 }
2830
2831 nlmsg_end(skb, nlh);
2832 return 0;
2833
2834 nla_put_failure:
2835 nlmsg_trim(skb, nlh);
2836 return -1;
2837 }
2838
nf_tables_rule_notify(const struct nft_ctx * ctx,const struct nft_rule * rule,int event)2839 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2840 const struct nft_rule *rule, int event)
2841 {
2842 struct sk_buff *skb;
2843 int err;
2844 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
2845 ctx->table->name, ctx->table->handle,
2846 ctx->chain->name, ctx->chain->handle);
2847
2848 audit_log_nfcfg(buf,
2849 ctx->family,
2850 rule->handle,
2851 event == NFT_MSG_NEWRULE ?
2852 AUDIT_NFT_OP_RULE_REGISTER :
2853 AUDIT_NFT_OP_RULE_UNREGISTER,
2854 GFP_KERNEL);
2855 kfree(buf);
2856
2857 if (!ctx->report &&
2858 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2859 return;
2860
2861 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2862 if (skb == NULL)
2863 goto err;
2864
2865 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2866 event, 0, ctx->family, ctx->table,
2867 ctx->chain, rule, NULL);
2868 if (err < 0) {
2869 kfree_skb(skb);
2870 goto err;
2871 }
2872
2873 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
2874 return;
2875 err:
2876 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2877 }
2878
2879 struct nft_rule_dump_ctx {
2880 char *table;
2881 char *chain;
2882 };
2883
__nf_tables_dump_rules(struct sk_buff * skb,unsigned int * idx,struct netlink_callback * cb,const struct nft_table * table,const struct nft_chain * chain)2884 static int __nf_tables_dump_rules(struct sk_buff *skb,
2885 unsigned int *idx,
2886 struct netlink_callback *cb,
2887 const struct nft_table *table,
2888 const struct nft_chain *chain)
2889 {
2890 struct net *net = sock_net(skb->sk);
2891 const struct nft_rule *rule, *prule;
2892 unsigned int s_idx = cb->args[0];
2893
2894 prule = NULL;
2895 list_for_each_entry_rcu(rule, &chain->rules, list) {
2896 if (!nft_is_active(net, rule))
2897 goto cont_skip;
2898 if (*idx < s_idx)
2899 goto cont;
2900 if (*idx > s_idx) {
2901 memset(&cb->args[1], 0,
2902 sizeof(cb->args) - sizeof(cb->args[0]));
2903 }
2904 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2905 cb->nlh->nlmsg_seq,
2906 NFT_MSG_NEWRULE,
2907 NLM_F_MULTI | NLM_F_APPEND,
2908 table->family,
2909 table, chain, rule, prule) < 0)
2910 return 1;
2911
2912 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2913 cont:
2914 prule = rule;
2915 cont_skip:
2916 (*idx)++;
2917 }
2918 return 0;
2919 }
2920
nf_tables_dump_rules(struct sk_buff * skb,struct netlink_callback * cb)2921 static int nf_tables_dump_rules(struct sk_buff *skb,
2922 struct netlink_callback *cb)
2923 {
2924 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2925 const struct nft_rule_dump_ctx *ctx = cb->data;
2926 struct nft_table *table;
2927 const struct nft_chain *chain;
2928 unsigned int idx = 0;
2929 struct net *net = sock_net(skb->sk);
2930 int family = nfmsg->nfgen_family;
2931
2932 rcu_read_lock();
2933 cb->seq = net->nft.base_seq;
2934
2935 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2936 if (family != NFPROTO_UNSPEC && family != table->family)
2937 continue;
2938
2939 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2940 continue;
2941
2942 if (ctx && ctx->table && ctx->chain) {
2943 struct rhlist_head *list, *tmp;
2944
2945 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2946 nft_chain_ht_params);
2947 if (!list)
2948 goto done;
2949
2950 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2951 if (!nft_is_active(net, chain))
2952 continue;
2953 __nf_tables_dump_rules(skb, &idx,
2954 cb, table, chain);
2955 break;
2956 }
2957 goto done;
2958 }
2959
2960 list_for_each_entry_rcu(chain, &table->chains, list) {
2961 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2962 goto done;
2963 }
2964
2965 if (ctx && ctx->table)
2966 break;
2967 }
2968 done:
2969 rcu_read_unlock();
2970
2971 cb->args[0] = idx;
2972 return skb->len;
2973 }
2974
nf_tables_dump_rules_start(struct netlink_callback * cb)2975 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2976 {
2977 const struct nlattr * const *nla = cb->data;
2978 struct nft_rule_dump_ctx *ctx = NULL;
2979
2980 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2981 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2982 if (!ctx)
2983 return -ENOMEM;
2984
2985 if (nla[NFTA_RULE_TABLE]) {
2986 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2987 GFP_ATOMIC);
2988 if (!ctx->table) {
2989 kfree(ctx);
2990 return -ENOMEM;
2991 }
2992 }
2993 if (nla[NFTA_RULE_CHAIN]) {
2994 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2995 GFP_ATOMIC);
2996 if (!ctx->chain) {
2997 kfree(ctx->table);
2998 kfree(ctx);
2999 return -ENOMEM;
3000 }
3001 }
3002 }
3003
3004 cb->data = ctx;
3005 return 0;
3006 }
3007
nf_tables_dump_rules_done(struct netlink_callback * cb)3008 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3009 {
3010 struct nft_rule_dump_ctx *ctx = cb->data;
3011
3012 if (ctx) {
3013 kfree(ctx->table);
3014 kfree(ctx->chain);
3015 kfree(ctx);
3016 }
3017 return 0;
3018 }
3019
3020 /* called with rcu_read_lock held */
nf_tables_getrule(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)3021 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
3022 struct sk_buff *skb, const struct nlmsghdr *nlh,
3023 const struct nlattr * const nla[],
3024 struct netlink_ext_ack *extack)
3025 {
3026 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3027 u8 genmask = nft_genmask_cur(net);
3028 const struct nft_chain *chain;
3029 const struct nft_rule *rule;
3030 struct nft_table *table;
3031 struct sk_buff *skb2;
3032 int family = nfmsg->nfgen_family;
3033 int err;
3034
3035 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3036 struct netlink_dump_control c = {
3037 .start= nf_tables_dump_rules_start,
3038 .dump = nf_tables_dump_rules,
3039 .done = nf_tables_dump_rules_done,
3040 .module = THIS_MODULE,
3041 .data = (void *)nla,
3042 };
3043
3044 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3045 }
3046
3047 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
3048 if (IS_ERR(table)) {
3049 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3050 return PTR_ERR(table);
3051 }
3052
3053 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3054 if (IS_ERR(chain)) {
3055 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3056 return PTR_ERR(chain);
3057 }
3058
3059 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3060 if (IS_ERR(rule)) {
3061 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3062 return PTR_ERR(rule);
3063 }
3064
3065 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3066 if (!skb2)
3067 return -ENOMEM;
3068
3069 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
3070 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3071 family, table, chain, rule, NULL);
3072 if (err < 0)
3073 goto err_fill_rule_info;
3074
3075 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
3076
3077 err_fill_rule_info:
3078 kfree_skb(skb2);
3079 return err;
3080 }
3081
nf_tables_rule_destroy(const struct nft_ctx * ctx,struct nft_rule * rule)3082 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
3083 struct nft_rule *rule)
3084 {
3085 struct nft_expr *expr, *next;
3086
3087 /*
3088 * Careful: some expressions might not be initialized in case this
3089 * is called on error from nf_tables_newrule().
3090 */
3091 expr = nft_expr_first(rule);
3092 while (nft_expr_more(rule, expr)) {
3093 next = nft_expr_next(expr);
3094 nf_tables_expr_destroy(ctx, expr);
3095 expr = next;
3096 }
3097 kfree(rule);
3098 }
3099
nf_tables_rule_release(const struct nft_ctx * ctx,struct nft_rule * rule)3100 void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3101 {
3102 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
3103 nf_tables_rule_destroy(ctx, rule);
3104 }
3105
nft_chain_validate(const struct nft_ctx * ctx,const struct nft_chain * chain)3106 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
3107 {
3108 struct nft_expr *expr, *last;
3109 const struct nft_data *data;
3110 struct nft_rule *rule;
3111 int err;
3112
3113 if (ctx->level == NFT_JUMP_STACK_SIZE)
3114 return -EMLINK;
3115
3116 list_for_each_entry(rule, &chain->rules, list) {
3117 if (!nft_is_active_next(ctx->net, rule))
3118 continue;
3119
3120 nft_rule_for_each_expr(expr, last, rule) {
3121 if (!expr->ops->validate)
3122 continue;
3123
3124 err = expr->ops->validate(ctx, expr, &data);
3125 if (err < 0)
3126 return err;
3127 }
3128 }
3129
3130 return 0;
3131 }
3132 EXPORT_SYMBOL_GPL(nft_chain_validate);
3133
nft_table_validate(struct net * net,const struct nft_table * table)3134 static int nft_table_validate(struct net *net, const struct nft_table *table)
3135 {
3136 struct nft_chain *chain;
3137 struct nft_ctx ctx = {
3138 .net = net,
3139 .family = table->family,
3140 };
3141 int err;
3142
3143 list_for_each_entry(chain, &table->chains, list) {
3144 if (!nft_is_base_chain(chain))
3145 continue;
3146
3147 ctx.chain = chain;
3148 err = nft_chain_validate(&ctx, chain);
3149 if (err < 0)
3150 return err;
3151 }
3152
3153 return 0;
3154 }
3155
3156 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3157 const struct nlattr *nla);
3158
3159 #define NFT_RULE_MAXEXPRS 128
3160
nf_tables_newrule(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)3161 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
3162 struct sk_buff *skb, const struct nlmsghdr *nlh,
3163 const struct nlattr * const nla[],
3164 struct netlink_ext_ack *extack)
3165 {
3166 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3167 u8 genmask = nft_genmask_next(net);
3168 struct nft_expr_info *info = NULL;
3169 int family = nfmsg->nfgen_family;
3170 struct nft_flow_rule *flow;
3171 struct nft_table *table;
3172 struct nft_chain *chain;
3173 struct nft_rule *rule, *old_rule = NULL;
3174 struct nft_userdata *udata;
3175 struct nft_trans *trans = NULL;
3176 struct nft_expr *expr;
3177 struct nft_ctx ctx;
3178 struct nlattr *tmp;
3179 unsigned int size, i, n, ulen = 0, usize = 0;
3180 int err, rem;
3181 u64 handle, pos_handle;
3182
3183 lockdep_assert_held(&net->nft.commit_mutex);
3184
3185 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
3186 if (IS_ERR(table)) {
3187 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3188 return PTR_ERR(table);
3189 }
3190
3191 if (nla[NFTA_RULE_CHAIN]) {
3192 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3193 genmask);
3194 if (IS_ERR(chain)) {
3195 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3196 return PTR_ERR(chain);
3197 }
3198 if (nft_chain_is_bound(chain))
3199 return -EOPNOTSUPP;
3200
3201 } else if (nla[NFTA_RULE_CHAIN_ID]) {
3202 chain = nft_chain_lookup_byid(net, nla[NFTA_RULE_CHAIN_ID]);
3203 if (IS_ERR(chain)) {
3204 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
3205 return PTR_ERR(chain);
3206 }
3207 } else {
3208 return -EINVAL;
3209 }
3210
3211 if (nla[NFTA_RULE_HANDLE]) {
3212 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3213 rule = __nft_rule_lookup(chain, handle);
3214 if (IS_ERR(rule)) {
3215 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3216 return PTR_ERR(rule);
3217 }
3218
3219 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3220 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3221 return -EEXIST;
3222 }
3223 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3224 old_rule = rule;
3225 else
3226 return -EOPNOTSUPP;
3227 } else {
3228 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
3229 nlh->nlmsg_flags & NLM_F_REPLACE)
3230 return -EINVAL;
3231 handle = nf_tables_alloc_handle(table);
3232
3233 if (chain->use == UINT_MAX)
3234 return -EOVERFLOW;
3235
3236 if (nla[NFTA_RULE_POSITION]) {
3237 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
3238 old_rule = __nft_rule_lookup(chain, pos_handle);
3239 if (IS_ERR(old_rule)) {
3240 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
3241 return PTR_ERR(old_rule);
3242 }
3243 } else if (nla[NFTA_RULE_POSITION_ID]) {
3244 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
3245 if (IS_ERR(old_rule)) {
3246 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
3247 return PTR_ERR(old_rule);
3248 }
3249 }
3250 }
3251
3252 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3253
3254 n = 0;
3255 size = 0;
3256 if (nla[NFTA_RULE_EXPRESSIONS]) {
3257 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
3258 sizeof(struct nft_expr_info),
3259 GFP_KERNEL);
3260 if (!info)
3261 return -ENOMEM;
3262
3263 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
3264 err = -EINVAL;
3265 if (nla_type(tmp) != NFTA_LIST_ELEM)
3266 goto err1;
3267 if (n == NFT_RULE_MAXEXPRS)
3268 goto err1;
3269 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
3270 if (err < 0) {
3271 NL_SET_BAD_ATTR(extack, tmp);
3272 goto err1;
3273 }
3274 size += info[n].ops->size;
3275 n++;
3276 }
3277 }
3278 /* Check for overflow of dlen field */
3279 err = -EFBIG;
3280 if (size >= 1 << 12)
3281 goto err1;
3282
3283 if (nla[NFTA_RULE_USERDATA]) {
3284 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
3285 if (ulen > 0)
3286 usize = sizeof(struct nft_userdata) + ulen;
3287 }
3288
3289 err = -ENOMEM;
3290 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
3291 if (rule == NULL)
3292 goto err1;
3293
3294 nft_activate_next(net, rule);
3295
3296 rule->handle = handle;
3297 rule->dlen = size;
3298 rule->udata = ulen ? 1 : 0;
3299
3300 if (ulen) {
3301 udata = nft_userdata(rule);
3302 udata->len = ulen - 1;
3303 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
3304 }
3305
3306 expr = nft_expr_first(rule);
3307 for (i = 0; i < n; i++) {
3308 err = nf_tables_newexpr(&ctx, &info[i], expr);
3309 if (err < 0) {
3310 NL_SET_BAD_ATTR(extack, info[i].attr);
3311 goto err2;
3312 }
3313
3314 if (info[i].ops->validate)
3315 nft_validate_state_update(net, NFT_VALIDATE_NEED);
3316
3317 info[i].ops = NULL;
3318 expr = nft_expr_next(expr);
3319 }
3320
3321 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
3322 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3323 if (trans == NULL) {
3324 err = -ENOMEM;
3325 goto err2;
3326 }
3327 err = nft_delrule(&ctx, old_rule);
3328 if (err < 0) {
3329 nft_trans_destroy(trans);
3330 goto err2;
3331 }
3332
3333 list_add_tail_rcu(&rule->list, &old_rule->list);
3334 } else {
3335 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
3336 if (!trans) {
3337 err = -ENOMEM;
3338 goto err2;
3339 }
3340
3341 if (nlh->nlmsg_flags & NLM_F_APPEND) {
3342 if (old_rule)
3343 list_add_rcu(&rule->list, &old_rule->list);
3344 else
3345 list_add_tail_rcu(&rule->list, &chain->rules);
3346 } else {
3347 if (old_rule)
3348 list_add_tail_rcu(&rule->list, &old_rule->list);
3349 else
3350 list_add_rcu(&rule->list, &chain->rules);
3351 }
3352 }
3353 kvfree(info);
3354 chain->use++;
3355
3356 if (net->nft.validate_state == NFT_VALIDATE_DO)
3357 return nft_table_validate(net, table);
3358
3359 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
3360 flow = nft_flow_rule_create(net, rule);
3361 if (IS_ERR(flow))
3362 return PTR_ERR(flow);
3363
3364 nft_trans_flow_rule(trans) = flow;
3365 }
3366
3367 return 0;
3368 err2:
3369 nf_tables_rule_release(&ctx, rule);
3370 err1:
3371 for (i = 0; i < n; i++) {
3372 if (info[i].ops) {
3373 module_put(info[i].ops->type->owner);
3374 if (info[i].ops->type->release_ops)
3375 info[i].ops->type->release_ops(info[i].ops);
3376 }
3377 }
3378 kvfree(info);
3379 return err;
3380 }
3381
nft_rule_lookup_byid(const struct net * net,const struct nlattr * nla)3382 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3383 const struct nlattr *nla)
3384 {
3385 u32 id = ntohl(nla_get_be32(nla));
3386 struct nft_trans *trans;
3387
3388 list_for_each_entry(trans, &net->nft.commit_list, list) {
3389 struct nft_rule *rule = nft_trans_rule(trans);
3390
3391 if (trans->msg_type == NFT_MSG_NEWRULE &&
3392 id == nft_trans_rule_id(trans))
3393 return rule;
3394 }
3395 return ERR_PTR(-ENOENT);
3396 }
3397
nf_tables_delrule(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)3398 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
3399 struct sk_buff *skb, const struct nlmsghdr *nlh,
3400 const struct nlattr * const nla[],
3401 struct netlink_ext_ack *extack)
3402 {
3403 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3404 u8 genmask = nft_genmask_next(net);
3405 struct nft_table *table;
3406 struct nft_chain *chain = NULL;
3407 struct nft_rule *rule;
3408 int family = nfmsg->nfgen_family, err = 0;
3409 struct nft_ctx ctx;
3410
3411 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
3412 if (IS_ERR(table)) {
3413 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3414 return PTR_ERR(table);
3415 }
3416
3417 if (nla[NFTA_RULE_CHAIN]) {
3418 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3419 genmask);
3420 if (IS_ERR(chain)) {
3421 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3422 return PTR_ERR(chain);
3423 }
3424 if (nft_chain_is_bound(chain))
3425 return -EOPNOTSUPP;
3426 }
3427
3428 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
3429
3430 if (chain) {
3431 if (nla[NFTA_RULE_HANDLE]) {
3432 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
3433 if (IS_ERR(rule)) {
3434 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3435 return PTR_ERR(rule);
3436 }
3437
3438 err = nft_delrule(&ctx, rule);
3439 } else if (nla[NFTA_RULE_ID]) {
3440 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
3441 if (IS_ERR(rule)) {
3442 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
3443 return PTR_ERR(rule);
3444 }
3445
3446 err = nft_delrule(&ctx, rule);
3447 } else {
3448 err = nft_delrule_by_chain(&ctx);
3449 }
3450 } else {
3451 list_for_each_entry(chain, &table->chains, list) {
3452 if (!nft_is_active_next(net, chain))
3453 continue;
3454
3455 ctx.chain = chain;
3456 err = nft_delrule_by_chain(&ctx);
3457 if (err < 0)
3458 break;
3459 }
3460 }
3461
3462 return err;
3463 }
3464
3465 /*
3466 * Sets
3467 */
3468 static const struct nft_set_type *nft_set_types[] = {
3469 &nft_set_hash_fast_type,
3470 &nft_set_hash_type,
3471 &nft_set_rhash_type,
3472 &nft_set_bitmap_type,
3473 &nft_set_rbtree_type,
3474 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
3475 &nft_set_pipapo_avx2_type,
3476 #endif
3477 &nft_set_pipapo_type,
3478 };
3479
3480 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3481 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3482 NFT_SET_EVAL)
3483
nft_set_ops_candidate(const struct nft_set_type * type,u32 flags)3484 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
3485 {
3486 return (flags & type->features) == (flags & NFT_SET_FEATURES);
3487 }
3488
3489 /*
3490 * Select a set implementation based on the data characteristics and the
3491 * given policy. The total memory use might not be known if no size is
3492 * given, in that case the amount of memory per element is used.
3493 */
3494 static const struct nft_set_ops *
nft_select_set_ops(const struct nft_ctx * ctx,const struct nlattr * const nla[],const struct nft_set_desc * desc,enum nft_set_policies policy)3495 nft_select_set_ops(const struct nft_ctx *ctx,
3496 const struct nlattr * const nla[],
3497 const struct nft_set_desc *desc,
3498 enum nft_set_policies policy)
3499 {
3500 const struct nft_set_ops *ops, *bops;
3501 struct nft_set_estimate est, best;
3502 const struct nft_set_type *type;
3503 u32 flags = 0;
3504 int i;
3505
3506 lockdep_assert_held(&ctx->net->nft.commit_mutex);
3507 lockdep_nfnl_nft_mutex_not_held();
3508
3509 if (nla[NFTA_SET_FLAGS] != NULL)
3510 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3511
3512 bops = NULL;
3513 best.size = ~0;
3514 best.lookup = ~0;
3515 best.space = ~0;
3516
3517 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
3518 type = nft_set_types[i];
3519 ops = &type->ops;
3520
3521 if (!nft_set_ops_candidate(type, flags))
3522 continue;
3523 if (!ops->estimate(desc, flags, &est))
3524 continue;
3525
3526 switch (policy) {
3527 case NFT_SET_POL_PERFORMANCE:
3528 if (est.lookup < best.lookup)
3529 break;
3530 if (est.lookup == best.lookup &&
3531 est.space < best.space)
3532 break;
3533 continue;
3534 case NFT_SET_POL_MEMORY:
3535 if (!desc->size) {
3536 if (est.space < best.space)
3537 break;
3538 if (est.space == best.space &&
3539 est.lookup < best.lookup)
3540 break;
3541 } else if (est.size < best.size || !bops) {
3542 break;
3543 }
3544 continue;
3545 default:
3546 break;
3547 }
3548
3549 bops = ops;
3550 best = est;
3551 }
3552
3553 if (bops != NULL)
3554 return bops;
3555
3556 return ERR_PTR(-EOPNOTSUPP);
3557 }
3558
3559 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3560 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3561 .len = NFT_TABLE_MAXNAMELEN - 1 },
3562 [NFTA_SET_NAME] = { .type = NLA_STRING,
3563 .len = NFT_SET_MAXNAMELEN - 1 },
3564 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3565 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3566 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3567 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3568 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3569 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3570 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3571 [NFTA_SET_ID] = { .type = NLA_U32 },
3572 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3573 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3574 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3575 .len = NFT_USERDATA_MAXLEN },
3576 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3577 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3578 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
3579 };
3580
3581 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3582 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3583 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED },
3584 };
3585
nft_ctx_init_from_setattr(struct nft_ctx * ctx,struct net * net,const struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack,u8 genmask)3586 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3587 const struct sk_buff *skb,
3588 const struct nlmsghdr *nlh,
3589 const struct nlattr * const nla[],
3590 struct netlink_ext_ack *extack,
3591 u8 genmask)
3592 {
3593 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3594 int family = nfmsg->nfgen_family;
3595 struct nft_table *table = NULL;
3596
3597 if (nla[NFTA_SET_TABLE] != NULL) {
3598 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3599 genmask);
3600 if (IS_ERR(table)) {
3601 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3602 return PTR_ERR(table);
3603 }
3604 }
3605
3606 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3607 return 0;
3608 }
3609
nft_set_lookup(const struct nft_table * table,const struct nlattr * nla,u8 genmask)3610 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3611 const struct nlattr *nla, u8 genmask)
3612 {
3613 struct nft_set *set;
3614
3615 if (nla == NULL)
3616 return ERR_PTR(-EINVAL);
3617
3618 list_for_each_entry_rcu(set, &table->sets, list) {
3619 if (!nla_strcmp(nla, set->name) &&
3620 nft_active_genmask(set, genmask))
3621 return set;
3622 }
3623 return ERR_PTR(-ENOENT);
3624 }
3625
nft_set_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u8 genmask)3626 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3627 const struct nlattr *nla,
3628 u8 genmask)
3629 {
3630 struct nft_set *set;
3631
3632 list_for_each_entry(set, &table->sets, list) {
3633 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3634 nft_active_genmask(set, genmask))
3635 return set;
3636 }
3637 return ERR_PTR(-ENOENT);
3638 }
3639
nft_set_lookup_byid(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u8 genmask)3640 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3641 const struct nft_table *table,
3642 const struct nlattr *nla, u8 genmask)
3643 {
3644 struct nft_trans *trans;
3645 u32 id = ntohl(nla_get_be32(nla));
3646
3647 list_for_each_entry(trans, &net->nft.commit_list, list) {
3648 if (trans->msg_type == NFT_MSG_NEWSET) {
3649 struct nft_set *set = nft_trans_set(trans);
3650
3651 if (id == nft_trans_set_id(trans) &&
3652 set->table == table &&
3653 nft_active_genmask(set, genmask))
3654 return set;
3655 }
3656 }
3657 return ERR_PTR(-ENOENT);
3658 }
3659
nft_set_lookup_global(const struct net * net,const struct nft_table * table,const struct nlattr * nla_set_name,const struct nlattr * nla_set_id,u8 genmask)3660 struct nft_set *nft_set_lookup_global(const struct net *net,
3661 const struct nft_table *table,
3662 const struct nlattr *nla_set_name,
3663 const struct nlattr *nla_set_id,
3664 u8 genmask)
3665 {
3666 struct nft_set *set;
3667
3668 set = nft_set_lookup(table, nla_set_name, genmask);
3669 if (IS_ERR(set)) {
3670 if (!nla_set_id)
3671 return set;
3672
3673 set = nft_set_lookup_byid(net, table, nla_set_id, genmask);
3674 }
3675 return set;
3676 }
3677 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3678
nf_tables_set_alloc_name(struct nft_ctx * ctx,struct nft_set * set,const char * name)3679 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3680 const char *name)
3681 {
3682 const struct nft_set *i;
3683 const char *p;
3684 unsigned long *inuse;
3685 unsigned int n = 0, min = 0;
3686
3687 p = strchr(name, '%');
3688 if (p != NULL) {
3689 if (p[1] != 'd' || strchr(p + 2, '%'))
3690 return -EINVAL;
3691
3692 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3693 if (inuse == NULL)
3694 return -ENOMEM;
3695 cont:
3696 list_for_each_entry(i, &ctx->table->sets, list) {
3697 int tmp;
3698
3699 if (!nft_is_active_next(ctx->net, set))
3700 continue;
3701 if (!sscanf(i->name, name, &tmp))
3702 continue;
3703 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3704 continue;
3705
3706 set_bit(tmp - min, inuse);
3707 }
3708
3709 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3710 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3711 min += BITS_PER_BYTE * PAGE_SIZE;
3712 memset(inuse, 0, PAGE_SIZE);
3713 goto cont;
3714 }
3715 free_page((unsigned long)inuse);
3716 }
3717
3718 set->name = kasprintf(GFP_KERNEL, name, min + n);
3719 if (!set->name)
3720 return -ENOMEM;
3721
3722 list_for_each_entry(i, &ctx->table->sets, list) {
3723 if (!nft_is_active_next(ctx->net, i))
3724 continue;
3725 if (!strcmp(set->name, i->name)) {
3726 kfree(set->name);
3727 set->name = NULL;
3728 return -ENFILE;
3729 }
3730 }
3731 return 0;
3732 }
3733
nf_msecs_to_jiffies64(const struct nlattr * nla,u64 * result)3734 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3735 {
3736 u64 ms = be64_to_cpu(nla_get_be64(nla));
3737 u64 max = (u64)(~((u64)0));
3738
3739 max = div_u64(max, NSEC_PER_MSEC);
3740 if (ms >= max)
3741 return -ERANGE;
3742
3743 ms *= NSEC_PER_MSEC;
3744 *result = nsecs_to_jiffies64(ms);
3745 return 0;
3746 }
3747
nf_jiffies64_to_msecs(u64 input)3748 __be64 nf_jiffies64_to_msecs(u64 input)
3749 {
3750 return cpu_to_be64(jiffies64_to_msecs(input));
3751 }
3752
nf_tables_fill_set_concat(struct sk_buff * skb,const struct nft_set * set)3753 static int nf_tables_fill_set_concat(struct sk_buff *skb,
3754 const struct nft_set *set)
3755 {
3756 struct nlattr *concat, *field;
3757 int i;
3758
3759 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
3760 if (!concat)
3761 return -ENOMEM;
3762
3763 for (i = 0; i < set->field_count; i++) {
3764 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
3765 if (!field)
3766 return -ENOMEM;
3767
3768 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
3769 htonl(set->field_len[i])))
3770 return -ENOMEM;
3771
3772 nla_nest_end(skb, field);
3773 }
3774
3775 nla_nest_end(skb, concat);
3776
3777 return 0;
3778 }
3779
nf_tables_fill_set(struct sk_buff * skb,const struct nft_ctx * ctx,const struct nft_set * set,u16 event,u16 flags)3780 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3781 const struct nft_set *set, u16 event, u16 flags)
3782 {
3783 struct nfgenmsg *nfmsg;
3784 struct nlmsghdr *nlh;
3785 u32 portid = ctx->portid;
3786 struct nlattr *nest;
3787 u32 seq = ctx->seq;
3788
3789 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3790 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3791 flags);
3792 if (nlh == NULL)
3793 goto nla_put_failure;
3794
3795 nfmsg = nlmsg_data(nlh);
3796 nfmsg->nfgen_family = ctx->family;
3797 nfmsg->version = NFNETLINK_V0;
3798 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3799
3800 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3801 goto nla_put_failure;
3802 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3803 goto nla_put_failure;
3804 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3805 NFTA_SET_PAD))
3806 goto nla_put_failure;
3807 if (set->flags != 0)
3808 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3809 goto nla_put_failure;
3810
3811 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3812 goto nla_put_failure;
3813 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3814 goto nla_put_failure;
3815 if (set->flags & NFT_SET_MAP) {
3816 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3817 goto nla_put_failure;
3818 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3819 goto nla_put_failure;
3820 }
3821 if (set->flags & NFT_SET_OBJECT &&
3822 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3823 goto nla_put_failure;
3824
3825 if (set->timeout &&
3826 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3827 nf_jiffies64_to_msecs(set->timeout),
3828 NFTA_SET_PAD))
3829 goto nla_put_failure;
3830 if (set->gc_int &&
3831 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3832 goto nla_put_failure;
3833
3834 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3835 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3836 goto nla_put_failure;
3837 }
3838
3839 if (set->udata &&
3840 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3841 goto nla_put_failure;
3842
3843 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
3844 if (!nest)
3845 goto nla_put_failure;
3846 if (set->size &&
3847 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3848 goto nla_put_failure;
3849
3850 if (set->field_count > 1 &&
3851 nf_tables_fill_set_concat(skb, set))
3852 goto nla_put_failure;
3853
3854 nla_nest_end(skb, nest);
3855
3856 if (set->expr) {
3857 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
3858 if (nf_tables_fill_expr_info(skb, set->expr) < 0)
3859 goto nla_put_failure;
3860
3861 nla_nest_end(skb, nest);
3862 }
3863
3864 nlmsg_end(skb, nlh);
3865 return 0;
3866
3867 nla_put_failure:
3868 nlmsg_trim(skb, nlh);
3869 return -1;
3870 }
3871
nf_tables_set_notify(const struct nft_ctx * ctx,const struct nft_set * set,int event,gfp_t gfp_flags)3872 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3873 const struct nft_set *set, int event,
3874 gfp_t gfp_flags)
3875 {
3876 struct sk_buff *skb;
3877 u32 portid = ctx->portid;
3878 int err;
3879 char *buf = kasprintf(gfp_flags, "%s:%llu;%s:%llu",
3880 ctx->table->name, ctx->table->handle,
3881 set->name, set->handle);
3882
3883 audit_log_nfcfg(buf,
3884 ctx->family,
3885 set->field_count,
3886 event == NFT_MSG_NEWSET ?
3887 AUDIT_NFT_OP_SET_REGISTER :
3888 AUDIT_NFT_OP_SET_UNREGISTER,
3889 gfp_flags);
3890 kfree(buf);
3891
3892 if (!ctx->report &&
3893 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3894 return;
3895
3896 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3897 if (skb == NULL)
3898 goto err;
3899
3900 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3901 if (err < 0) {
3902 kfree_skb(skb);
3903 goto err;
3904 }
3905
3906 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
3907 return;
3908 err:
3909 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3910 }
3911
nf_tables_dump_sets(struct sk_buff * skb,struct netlink_callback * cb)3912 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3913 {
3914 const struct nft_set *set;
3915 unsigned int idx, s_idx = cb->args[0];
3916 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3917 struct net *net = sock_net(skb->sk);
3918 struct nft_ctx *ctx = cb->data, ctx_set;
3919
3920 if (cb->args[1])
3921 return skb->len;
3922
3923 rcu_read_lock();
3924 cb->seq = net->nft.base_seq;
3925
3926 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3927 if (ctx->family != NFPROTO_UNSPEC &&
3928 ctx->family != table->family)
3929 continue;
3930
3931 if (ctx->table && ctx->table != table)
3932 continue;
3933
3934 if (cur_table) {
3935 if (cur_table != table)
3936 continue;
3937
3938 cur_table = NULL;
3939 }
3940 idx = 0;
3941 list_for_each_entry_rcu(set, &table->sets, list) {
3942 if (idx < s_idx)
3943 goto cont;
3944 if (!nft_is_active(net, set))
3945 goto cont;
3946
3947 ctx_set = *ctx;
3948 ctx_set.table = table;
3949 ctx_set.family = table->family;
3950
3951 if (nf_tables_fill_set(skb, &ctx_set, set,
3952 NFT_MSG_NEWSET,
3953 NLM_F_MULTI) < 0) {
3954 cb->args[0] = idx;
3955 cb->args[2] = (unsigned long) table;
3956 goto done;
3957 }
3958 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3959 cont:
3960 idx++;
3961 }
3962 if (s_idx)
3963 s_idx = 0;
3964 }
3965 cb->args[1] = 1;
3966 done:
3967 rcu_read_unlock();
3968 return skb->len;
3969 }
3970
nf_tables_dump_sets_start(struct netlink_callback * cb)3971 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3972 {
3973 struct nft_ctx *ctx_dump = NULL;
3974
3975 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
3976 if (ctx_dump == NULL)
3977 return -ENOMEM;
3978
3979 cb->data = ctx_dump;
3980 return 0;
3981 }
3982
nf_tables_dump_sets_done(struct netlink_callback * cb)3983 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3984 {
3985 kfree(cb->data);
3986 return 0;
3987 }
3988
3989 /* called with rcu_read_lock held */
nf_tables_getset(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)3990 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3991 struct sk_buff *skb, const struct nlmsghdr *nlh,
3992 const struct nlattr * const nla[],
3993 struct netlink_ext_ack *extack)
3994 {
3995 u8 genmask = nft_genmask_cur(net);
3996 const struct nft_set *set;
3997 struct nft_ctx ctx;
3998 struct sk_buff *skb2;
3999 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4000 int err;
4001
4002 /* Verify existence before starting dump */
4003 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
4004 genmask);
4005 if (err < 0)
4006 return err;
4007
4008 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4009 struct netlink_dump_control c = {
4010 .start = nf_tables_dump_sets_start,
4011 .dump = nf_tables_dump_sets,
4012 .done = nf_tables_dump_sets_done,
4013 .data = &ctx,
4014 .module = THIS_MODULE,
4015 };
4016
4017 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4018 }
4019
4020 /* Only accept unspec with dump */
4021 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4022 return -EAFNOSUPPORT;
4023 if (!nla[NFTA_SET_TABLE])
4024 return -EINVAL;
4025
4026 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
4027 if (IS_ERR(set))
4028 return PTR_ERR(set);
4029
4030 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
4031 if (skb2 == NULL)
4032 return -ENOMEM;
4033
4034 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
4035 if (err < 0)
4036 goto err_fill_set_info;
4037
4038 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4039
4040 err_fill_set_info:
4041 kfree_skb(skb2);
4042 return err;
4043 }
4044
4045 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4046 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
4047 };
4048
nft_set_desc_concat_parse(const struct nlattr * attr,struct nft_set_desc * desc)4049 static int nft_set_desc_concat_parse(const struct nlattr *attr,
4050 struct nft_set_desc *desc)
4051 {
4052 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
4053 u32 len;
4054 int err;
4055
4056 if (desc->field_count >= ARRAY_SIZE(desc->field_len))
4057 return -E2BIG;
4058
4059 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
4060 nft_concat_policy, NULL);
4061 if (err < 0)
4062 return err;
4063
4064 if (!tb[NFTA_SET_FIELD_LEN])
4065 return -EINVAL;
4066
4067 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
4068 if (!len || len > U8_MAX)
4069 return -EINVAL;
4070
4071 desc->field_len[desc->field_count++] = len;
4072
4073 return 0;
4074 }
4075
nft_set_desc_concat(struct nft_set_desc * desc,const struct nlattr * nla)4076 static int nft_set_desc_concat(struct nft_set_desc *desc,
4077 const struct nlattr *nla)
4078 {
4079 struct nlattr *attr;
4080 u32 num_regs = 0;
4081 int rem, err, i;
4082
4083 nla_for_each_nested(attr, nla, rem) {
4084 if (nla_type(attr) != NFTA_LIST_ELEM)
4085 return -EINVAL;
4086
4087 err = nft_set_desc_concat_parse(attr, desc);
4088 if (err < 0)
4089 return err;
4090 }
4091
4092 for (i = 0; i < desc->field_count; i++)
4093 num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32));
4094
4095 if (num_regs > NFT_REG32_COUNT)
4096 return -E2BIG;
4097
4098 return 0;
4099 }
4100
nf_tables_set_desc_parse(struct nft_set_desc * desc,const struct nlattr * nla)4101 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
4102 const struct nlattr *nla)
4103 {
4104 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
4105 int err;
4106
4107 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
4108 nft_set_desc_policy, NULL);
4109 if (err < 0)
4110 return err;
4111
4112 if (da[NFTA_SET_DESC_SIZE] != NULL)
4113 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
4114 if (da[NFTA_SET_DESC_CONCAT])
4115 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
4116
4117 return err;
4118 }
4119
nf_tables_newset(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)4120 static int nf_tables_newset(struct net *net, struct sock *nlsk,
4121 struct sk_buff *skb, const struct nlmsghdr *nlh,
4122 const struct nlattr * const nla[],
4123 struct netlink_ext_ack *extack)
4124 {
4125 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4126 u8 genmask = nft_genmask_next(net);
4127 int family = nfmsg->nfgen_family;
4128 const struct nft_set_ops *ops;
4129 struct nft_expr *expr = NULL;
4130 struct nft_table *table;
4131 struct nft_set *set;
4132 struct nft_ctx ctx;
4133 size_t alloc_size;
4134 char *name;
4135 u64 size;
4136 u64 timeout;
4137 u32 ktype, dtype, flags, policy, gc_int, objtype;
4138 struct nft_set_desc desc;
4139 unsigned char *udata;
4140 u16 udlen;
4141 int err;
4142 int i;
4143
4144 if (nla[NFTA_SET_TABLE] == NULL ||
4145 nla[NFTA_SET_NAME] == NULL ||
4146 nla[NFTA_SET_KEY_LEN] == NULL ||
4147 nla[NFTA_SET_ID] == NULL)
4148 return -EINVAL;
4149
4150 memset(&desc, 0, sizeof(desc));
4151
4152 ktype = NFT_DATA_VALUE;
4153 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
4154 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
4155 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
4156 return -EINVAL;
4157 }
4158
4159 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
4160 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
4161 return -EINVAL;
4162
4163 flags = 0;
4164 if (nla[NFTA_SET_FLAGS] != NULL) {
4165 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
4166 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
4167 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
4168 NFT_SET_MAP | NFT_SET_EVAL |
4169 NFT_SET_OBJECT | NFT_SET_CONCAT))
4170 return -EOPNOTSUPP;
4171 /* Only one of these operations is supported */
4172 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
4173 (NFT_SET_MAP | NFT_SET_OBJECT))
4174 return -EOPNOTSUPP;
4175 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
4176 (NFT_SET_EVAL | NFT_SET_OBJECT))
4177 return -EOPNOTSUPP;
4178 }
4179
4180 dtype = 0;
4181 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
4182 if (!(flags & NFT_SET_MAP))
4183 return -EINVAL;
4184
4185 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
4186 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
4187 dtype != NFT_DATA_VERDICT)
4188 return -EINVAL;
4189
4190 if (dtype != NFT_DATA_VERDICT) {
4191 if (nla[NFTA_SET_DATA_LEN] == NULL)
4192 return -EINVAL;
4193 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
4194 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
4195 return -EINVAL;
4196 } else
4197 desc.dlen = sizeof(struct nft_verdict);
4198 } else if (flags & NFT_SET_MAP)
4199 return -EINVAL;
4200
4201 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
4202 if (!(flags & NFT_SET_OBJECT))
4203 return -EINVAL;
4204
4205 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
4206 if (objtype == NFT_OBJECT_UNSPEC ||
4207 objtype > NFT_OBJECT_MAX)
4208 return -EOPNOTSUPP;
4209 } else if (flags & NFT_SET_OBJECT)
4210 return -EINVAL;
4211 else
4212 objtype = NFT_OBJECT_UNSPEC;
4213
4214 timeout = 0;
4215 if (nla[NFTA_SET_TIMEOUT] != NULL) {
4216 if (!(flags & NFT_SET_TIMEOUT))
4217 return -EINVAL;
4218
4219 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
4220 if (err)
4221 return err;
4222 }
4223 gc_int = 0;
4224 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
4225 if (!(flags & NFT_SET_TIMEOUT))
4226 return -EINVAL;
4227 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
4228 }
4229
4230 policy = NFT_SET_POL_PERFORMANCE;
4231 if (nla[NFTA_SET_POLICY] != NULL)
4232 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
4233
4234 if (nla[NFTA_SET_DESC] != NULL) {
4235 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
4236 if (err < 0)
4237 return err;
4238 }
4239
4240 if (nla[NFTA_SET_EXPR])
4241 desc.expr = true;
4242
4243 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
4244 if (IS_ERR(table)) {
4245 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4246 return PTR_ERR(table);
4247 }
4248
4249 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
4250
4251 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4252 if (IS_ERR(set)) {
4253 if (PTR_ERR(set) != -ENOENT) {
4254 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4255 return PTR_ERR(set);
4256 }
4257 } else {
4258 if (nlh->nlmsg_flags & NLM_F_EXCL) {
4259 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
4260 return -EEXIST;
4261 }
4262 if (nlh->nlmsg_flags & NLM_F_REPLACE)
4263 return -EOPNOTSUPP;
4264
4265 return 0;
4266 }
4267
4268 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
4269 return -ENOENT;
4270
4271 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
4272 if (IS_ERR(ops))
4273 return PTR_ERR(ops);
4274
4275 udlen = 0;
4276 if (nla[NFTA_SET_USERDATA])
4277 udlen = nla_len(nla[NFTA_SET_USERDATA]);
4278
4279 size = 0;
4280 if (ops->privsize != NULL)
4281 size = ops->privsize(nla, &desc);
4282 alloc_size = sizeof(*set) + size + udlen;
4283 if (alloc_size < size || alloc_size > INT_MAX)
4284 return -ENOMEM;
4285 set = kvzalloc(alloc_size, GFP_KERNEL);
4286 if (!set)
4287 return -ENOMEM;
4288
4289 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
4290 if (!name) {
4291 err = -ENOMEM;
4292 goto err_set_name;
4293 }
4294
4295 err = nf_tables_set_alloc_name(&ctx, set, name);
4296 kfree(name);
4297 if (err < 0)
4298 goto err_set_name;
4299
4300 udata = NULL;
4301 if (udlen) {
4302 udata = set->data + size;
4303 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
4304 }
4305
4306 INIT_LIST_HEAD(&set->bindings);
4307 set->table = table;
4308 write_pnet(&set->net, net);
4309 set->ops = ops;
4310 set->ktype = ktype;
4311 set->klen = desc.klen;
4312 set->dtype = dtype;
4313 set->objtype = objtype;
4314 set->dlen = desc.dlen;
4315 set->flags = flags;
4316 set->size = desc.size;
4317 set->policy = policy;
4318 set->udlen = udlen;
4319 set->udata = udata;
4320 set->timeout = timeout;
4321 set->gc_int = gc_int;
4322
4323 set->field_count = desc.field_count;
4324 for (i = 0; i < desc.field_count; i++)
4325 set->field_len[i] = desc.field_len[i];
4326
4327 err = ops->init(set, &desc, nla);
4328 if (err < 0)
4329 goto err_set_init;
4330
4331 if (nla[NFTA_SET_EXPR]) {
4332 expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]);
4333 if (IS_ERR(expr)) {
4334 err = PTR_ERR(expr);
4335 goto err_set_expr_alloc;
4336 }
4337
4338 set->expr = expr;
4339 }
4340
4341 set->handle = nf_tables_alloc_handle(table);
4342
4343 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
4344 if (err < 0)
4345 goto err_set_expr_alloc;
4346
4347 list_add_tail_rcu(&set->list, &table->sets);
4348 table->use++;
4349 return 0;
4350
4351 err_set_expr_alloc:
4352 if (set->expr)
4353 nft_expr_destroy(&ctx, set->expr);
4354
4355 ops->destroy(set);
4356 err_set_init:
4357 kfree(set->name);
4358 err_set_name:
4359 kvfree(set);
4360 return err;
4361 }
4362
nft_set_destroy(const struct nft_ctx * ctx,struct nft_set * set)4363 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
4364 {
4365 if (WARN_ON(set->use > 0))
4366 return;
4367
4368 if (set->expr)
4369 nft_expr_destroy(ctx, set->expr);
4370
4371 set->ops->destroy(set);
4372 kfree(set->name);
4373 kvfree(set);
4374 }
4375
nf_tables_delset(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)4376 static int nf_tables_delset(struct net *net, struct sock *nlsk,
4377 struct sk_buff *skb, const struct nlmsghdr *nlh,
4378 const struct nlattr * const nla[],
4379 struct netlink_ext_ack *extack)
4380 {
4381 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4382 u8 genmask = nft_genmask_next(net);
4383 const struct nlattr *attr;
4384 struct nft_set *set;
4385 struct nft_ctx ctx;
4386 int err;
4387
4388 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
4389 return -EAFNOSUPPORT;
4390 if (nla[NFTA_SET_TABLE] == NULL)
4391 return -EINVAL;
4392
4393 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
4394 genmask);
4395 if (err < 0)
4396 return err;
4397
4398 if (nla[NFTA_SET_HANDLE]) {
4399 attr = nla[NFTA_SET_HANDLE];
4400 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
4401 } else {
4402 attr = nla[NFTA_SET_NAME];
4403 set = nft_set_lookup(ctx.table, attr, genmask);
4404 }
4405
4406 if (IS_ERR(set)) {
4407 NL_SET_BAD_ATTR(extack, attr);
4408 return PTR_ERR(set);
4409 }
4410 if (set->use ||
4411 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
4412 NL_SET_BAD_ATTR(extack, attr);
4413 return -EBUSY;
4414 }
4415
4416 return nft_delset(&ctx, set);
4417 }
4418
nf_tables_bind_check_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_set_elem * elem)4419 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
4420 struct nft_set *set,
4421 const struct nft_set_iter *iter,
4422 struct nft_set_elem *elem)
4423 {
4424 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4425 enum nft_registers dreg;
4426
4427 dreg = nft_type_to_reg(set->dtype);
4428 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
4429 set->dtype == NFT_DATA_VERDICT ?
4430 NFT_DATA_VERDICT : NFT_DATA_VALUE,
4431 set->dlen);
4432 }
4433
nf_tables_bind_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding)4434 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
4435 struct nft_set_binding *binding)
4436 {
4437 struct nft_set_binding *i;
4438 struct nft_set_iter iter;
4439
4440 if (set->use == UINT_MAX)
4441 return -EOVERFLOW;
4442
4443 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
4444 return -EBUSY;
4445
4446 if (binding->flags & NFT_SET_MAP) {
4447 /* If the set is already bound to the same chain all
4448 * jumps are already validated for that chain.
4449 */
4450 list_for_each_entry(i, &set->bindings, list) {
4451 if (i->flags & NFT_SET_MAP &&
4452 i->chain == binding->chain)
4453 goto bind;
4454 }
4455
4456 iter.genmask = nft_genmask_next(ctx->net);
4457 iter.skip = 0;
4458 iter.count = 0;
4459 iter.err = 0;
4460 iter.fn = nf_tables_bind_check_setelem;
4461
4462 set->ops->walk(ctx, set, &iter);
4463 if (iter.err < 0)
4464 return iter.err;
4465 }
4466 bind:
4467 binding->chain = ctx->chain;
4468 list_add_tail_rcu(&binding->list, &set->bindings);
4469 nft_set_trans_bind(ctx, set);
4470 set->use++;
4471
4472 return 0;
4473 }
4474 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
4475
nf_tables_unbind_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding,bool event)4476 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
4477 struct nft_set_binding *binding, bool event)
4478 {
4479 list_del_rcu(&binding->list);
4480
4481 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
4482 list_del_rcu(&set->list);
4483 if (event)
4484 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
4485 GFP_KERNEL);
4486 }
4487 }
4488
nf_tables_deactivate_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding,enum nft_trans_phase phase)4489 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
4490 struct nft_set_binding *binding,
4491 enum nft_trans_phase phase)
4492 {
4493 switch (phase) {
4494 case NFT_TRANS_PREPARE:
4495 set->use--;
4496 return;
4497 case NFT_TRANS_ABORT:
4498 case NFT_TRANS_RELEASE:
4499 set->use--;
4500 fallthrough;
4501 default:
4502 nf_tables_unbind_set(ctx, set, binding,
4503 phase == NFT_TRANS_COMMIT);
4504 }
4505 }
4506 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
4507
nf_tables_destroy_set(const struct nft_ctx * ctx,struct nft_set * set)4508 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
4509 {
4510 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
4511 nft_set_destroy(ctx, set);
4512 }
4513 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
4514
4515 const struct nft_set_ext_type nft_set_ext_types[] = {
4516 [NFT_SET_EXT_KEY] = {
4517 .align = __alignof__(u32),
4518 },
4519 [NFT_SET_EXT_DATA] = {
4520 .align = __alignof__(u32),
4521 },
4522 [NFT_SET_EXT_EXPR] = {
4523 .align = __alignof__(struct nft_expr),
4524 },
4525 [NFT_SET_EXT_OBJREF] = {
4526 .len = sizeof(struct nft_object *),
4527 .align = __alignof__(struct nft_object *),
4528 },
4529 [NFT_SET_EXT_FLAGS] = {
4530 .len = sizeof(u8),
4531 .align = __alignof__(u8),
4532 },
4533 [NFT_SET_EXT_TIMEOUT] = {
4534 .len = sizeof(u64),
4535 .align = __alignof__(u64),
4536 },
4537 [NFT_SET_EXT_EXPIRATION] = {
4538 .len = sizeof(u64),
4539 .align = __alignof__(u64),
4540 },
4541 [NFT_SET_EXT_USERDATA] = {
4542 .len = sizeof(struct nft_userdata),
4543 .align = __alignof__(struct nft_userdata),
4544 },
4545 [NFT_SET_EXT_KEY_END] = {
4546 .align = __alignof__(u32),
4547 },
4548 };
4549
4550 /*
4551 * Set elements
4552 */
4553
4554 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
4555 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
4556 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
4557 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
4558 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
4559 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
4560 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
4561 .len = NFT_USERDATA_MAXLEN },
4562 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
4563 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
4564 .len = NFT_OBJ_MAXNAMELEN - 1 },
4565 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
4566 };
4567
4568 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
4569 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
4570 .len = NFT_TABLE_MAXNAMELEN - 1 },
4571 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
4572 .len = NFT_SET_MAXNAMELEN - 1 },
4573 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
4574 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
4575 };
4576
nft_ctx_init_from_elemattr(struct nft_ctx * ctx,struct net * net,const struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack,u8 genmask)4577 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
4578 const struct sk_buff *skb,
4579 const struct nlmsghdr *nlh,
4580 const struct nlattr * const nla[],
4581 struct netlink_ext_ack *extack,
4582 u8 genmask)
4583 {
4584 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
4585 int family = nfmsg->nfgen_family;
4586 struct nft_table *table;
4587
4588 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
4589 genmask);
4590 if (IS_ERR(table)) {
4591 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
4592 return PTR_ERR(table);
4593 }
4594
4595 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
4596 return 0;
4597 }
4598
nf_tables_fill_setelem(struct sk_buff * skb,const struct nft_set * set,const struct nft_set_elem * elem)4599 static int nf_tables_fill_setelem(struct sk_buff *skb,
4600 const struct nft_set *set,
4601 const struct nft_set_elem *elem)
4602 {
4603 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4604 unsigned char *b = skb_tail_pointer(skb);
4605 struct nlattr *nest;
4606
4607 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4608 if (nest == NULL)
4609 goto nla_put_failure;
4610
4611 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
4612 NFT_DATA_VALUE, set->klen) < 0)
4613 goto nla_put_failure;
4614
4615 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
4616 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
4617 NFT_DATA_VALUE, set->klen) < 0)
4618 goto nla_put_failure;
4619
4620 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4621 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
4622 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
4623 set->dlen) < 0)
4624 goto nla_put_failure;
4625
4626 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
4627 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
4628 goto nla_put_failure;
4629
4630 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4631 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
4632 (*nft_set_ext_obj(ext))->key.name) < 0)
4633 goto nla_put_failure;
4634
4635 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4636 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
4637 htonl(*nft_set_ext_flags(ext))))
4638 goto nla_put_failure;
4639
4640 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
4641 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
4642 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
4643 NFTA_SET_ELEM_PAD))
4644 goto nla_put_failure;
4645
4646 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4647 u64 expires, now = get_jiffies_64();
4648
4649 expires = *nft_set_ext_expiration(ext);
4650 if (time_before64(now, expires))
4651 expires -= now;
4652 else
4653 expires = 0;
4654
4655 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
4656 nf_jiffies64_to_msecs(expires),
4657 NFTA_SET_ELEM_PAD))
4658 goto nla_put_failure;
4659 }
4660
4661 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
4662 struct nft_userdata *udata;
4663
4664 udata = nft_set_ext_userdata(ext);
4665 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
4666 udata->len + 1, udata->data))
4667 goto nla_put_failure;
4668 }
4669
4670 nla_nest_end(skb, nest);
4671 return 0;
4672
4673 nla_put_failure:
4674 nlmsg_trim(skb, b);
4675 return -EMSGSIZE;
4676 }
4677
4678 struct nft_set_dump_args {
4679 const struct netlink_callback *cb;
4680 struct nft_set_iter iter;
4681 struct sk_buff *skb;
4682 };
4683
nf_tables_dump_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_set_elem * elem)4684 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
4685 struct nft_set *set,
4686 const struct nft_set_iter *iter,
4687 struct nft_set_elem *elem)
4688 {
4689 struct nft_set_dump_args *args;
4690
4691 args = container_of(iter, struct nft_set_dump_args, iter);
4692 return nf_tables_fill_setelem(args->skb, set, elem);
4693 }
4694
4695 struct nft_set_dump_ctx {
4696 const struct nft_set *set;
4697 struct nft_ctx ctx;
4698 };
4699
nf_tables_dump_set(struct sk_buff * skb,struct netlink_callback * cb)4700 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4701 {
4702 struct nft_set_dump_ctx *dump_ctx = cb->data;
4703 struct net *net = sock_net(skb->sk);
4704 struct nft_table *table;
4705 struct nft_set *set;
4706 struct nft_set_dump_args args;
4707 bool set_found = false;
4708 struct nfgenmsg *nfmsg;
4709 struct nlmsghdr *nlh;
4710 struct nlattr *nest;
4711 u32 portid, seq;
4712 int event;
4713
4714 rcu_read_lock();
4715 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4716 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4717 dump_ctx->ctx.family != table->family)
4718 continue;
4719
4720 if (table != dump_ctx->ctx.table)
4721 continue;
4722
4723 list_for_each_entry_rcu(set, &table->sets, list) {
4724 if (set == dump_ctx->set) {
4725 set_found = true;
4726 break;
4727 }
4728 }
4729 break;
4730 }
4731
4732 if (!set_found) {
4733 rcu_read_unlock();
4734 return -ENOENT;
4735 }
4736
4737 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4738 portid = NETLINK_CB(cb->skb).portid;
4739 seq = cb->nlh->nlmsg_seq;
4740
4741 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4742 NLM_F_MULTI);
4743 if (nlh == NULL)
4744 goto nla_put_failure;
4745
4746 nfmsg = nlmsg_data(nlh);
4747 nfmsg->nfgen_family = table->family;
4748 nfmsg->version = NFNETLINK_V0;
4749 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4750
4751 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4752 goto nla_put_failure;
4753 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4754 goto nla_put_failure;
4755
4756 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4757 if (nest == NULL)
4758 goto nla_put_failure;
4759
4760 args.cb = cb;
4761 args.skb = skb;
4762 args.iter.genmask = nft_genmask_cur(net);
4763 args.iter.skip = cb->args[0];
4764 args.iter.count = 0;
4765 args.iter.err = 0;
4766 args.iter.fn = nf_tables_dump_setelem;
4767 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4768 rcu_read_unlock();
4769
4770 nla_nest_end(skb, nest);
4771 nlmsg_end(skb, nlh);
4772
4773 if (args.iter.err && args.iter.err != -EMSGSIZE)
4774 return args.iter.err;
4775 if (args.iter.count == cb->args[0])
4776 return 0;
4777
4778 cb->args[0] = args.iter.count;
4779 return skb->len;
4780
4781 nla_put_failure:
4782 rcu_read_unlock();
4783 return -ENOSPC;
4784 }
4785
nf_tables_dump_set_start(struct netlink_callback * cb)4786 static int nf_tables_dump_set_start(struct netlink_callback *cb)
4787 {
4788 struct nft_set_dump_ctx *dump_ctx = cb->data;
4789
4790 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4791
4792 return cb->data ? 0 : -ENOMEM;
4793 }
4794
nf_tables_dump_set_done(struct netlink_callback * cb)4795 static int nf_tables_dump_set_done(struct netlink_callback *cb)
4796 {
4797 kfree(cb->data);
4798 return 0;
4799 }
4800
nf_tables_fill_setelem_info(struct sk_buff * skb,const struct nft_ctx * ctx,u32 seq,u32 portid,int event,u16 flags,const struct nft_set * set,const struct nft_set_elem * elem)4801 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4802 const struct nft_ctx *ctx, u32 seq,
4803 u32 portid, int event, u16 flags,
4804 const struct nft_set *set,
4805 const struct nft_set_elem *elem)
4806 {
4807 struct nfgenmsg *nfmsg;
4808 struct nlmsghdr *nlh;
4809 struct nlattr *nest;
4810 int err;
4811
4812 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4813 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4814 flags);
4815 if (nlh == NULL)
4816 goto nla_put_failure;
4817
4818 nfmsg = nlmsg_data(nlh);
4819 nfmsg->nfgen_family = ctx->family;
4820 nfmsg->version = NFNETLINK_V0;
4821 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
4822
4823 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4824 goto nla_put_failure;
4825 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4826 goto nla_put_failure;
4827
4828 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4829 if (nest == NULL)
4830 goto nla_put_failure;
4831
4832 err = nf_tables_fill_setelem(skb, set, elem);
4833 if (err < 0)
4834 goto nla_put_failure;
4835
4836 nla_nest_end(skb, nest);
4837
4838 nlmsg_end(skb, nlh);
4839 return 0;
4840
4841 nla_put_failure:
4842 nlmsg_trim(skb, nlh);
4843 return -1;
4844 }
4845
nft_setelem_parse_flags(const struct nft_set * set,const struct nlattr * attr,u32 * flags)4846 static int nft_setelem_parse_flags(const struct nft_set *set,
4847 const struct nlattr *attr, u32 *flags)
4848 {
4849 if (attr == NULL)
4850 return 0;
4851
4852 *flags = ntohl(nla_get_be32(attr));
4853 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4854 return -EINVAL;
4855 if (!(set->flags & NFT_SET_INTERVAL) &&
4856 *flags & NFT_SET_ELEM_INTERVAL_END)
4857 return -EINVAL;
4858
4859 return 0;
4860 }
4861
nft_setelem_parse_key(struct nft_ctx * ctx,struct nft_set * set,struct nft_data * key,struct nlattr * attr)4862 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
4863 struct nft_data *key, struct nlattr *attr)
4864 {
4865 struct nft_data_desc desc;
4866 int err;
4867
4868 err = nft_data_init(ctx, key, NFT_DATA_VALUE_MAXLEN, &desc, attr);
4869 if (err < 0)
4870 return err;
4871
4872 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
4873 nft_data_release(key, desc.type);
4874 return -EINVAL;
4875 }
4876
4877 return 0;
4878 }
4879
nft_setelem_parse_data(struct nft_ctx * ctx,struct nft_set * set,struct nft_data_desc * desc,struct nft_data * data,struct nlattr * attr)4880 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
4881 struct nft_data_desc *desc,
4882 struct nft_data *data,
4883 struct nlattr *attr)
4884 {
4885 u32 dtype;
4886 int err;
4887
4888 err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr);
4889 if (err < 0)
4890 return err;
4891
4892 if (set->dtype == NFT_DATA_VERDICT)
4893 dtype = NFT_DATA_VERDICT;
4894 else
4895 dtype = NFT_DATA_VALUE;
4896
4897 if (dtype != desc->type ||
4898 set->dlen != desc->len) {
4899 nft_data_release(data, desc->type);
4900 return -EINVAL;
4901 }
4902
4903 return 0;
4904 }
4905
nft_get_set_elem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr)4906 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4907 const struct nlattr *attr)
4908 {
4909 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4910 struct nft_set_elem elem;
4911 struct sk_buff *skb;
4912 uint32_t flags = 0;
4913 void *priv;
4914 int err;
4915
4916 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4917 nft_set_elem_policy, NULL);
4918 if (err < 0)
4919 return err;
4920
4921 if (!nla[NFTA_SET_ELEM_KEY])
4922 return -EINVAL;
4923
4924 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4925 if (err < 0)
4926 return err;
4927
4928 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
4929 nla[NFTA_SET_ELEM_KEY]);
4930 if (err < 0)
4931 return err;
4932
4933 if (nla[NFTA_SET_ELEM_KEY_END]) {
4934 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
4935 nla[NFTA_SET_ELEM_KEY_END]);
4936 if (err < 0)
4937 return err;
4938 }
4939
4940 priv = set->ops->get(ctx->net, set, &elem, flags);
4941 if (IS_ERR(priv))
4942 return PTR_ERR(priv);
4943
4944 elem.priv = priv;
4945
4946 err = -ENOMEM;
4947 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4948 if (skb == NULL)
4949 return err;
4950
4951 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4952 NFT_MSG_NEWSETELEM, 0, set, &elem);
4953 if (err < 0)
4954 goto err_fill_setelem;
4955
4956 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
4957
4958 err_fill_setelem:
4959 kfree_skb(skb);
4960 return err;
4961 }
4962
4963 /* called with rcu_read_lock held */
nf_tables_getsetelem(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)4964 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
4965 struct sk_buff *skb, const struct nlmsghdr *nlh,
4966 const struct nlattr * const nla[],
4967 struct netlink_ext_ack *extack)
4968 {
4969 u8 genmask = nft_genmask_cur(net);
4970 struct nft_set *set;
4971 struct nlattr *attr;
4972 struct nft_ctx ctx;
4973 int rem, err = 0;
4974
4975 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4976 genmask);
4977 if (err < 0)
4978 return err;
4979
4980 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4981 if (IS_ERR(set))
4982 return PTR_ERR(set);
4983
4984 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4985 struct netlink_dump_control c = {
4986 .start = nf_tables_dump_set_start,
4987 .dump = nf_tables_dump_set,
4988 .done = nf_tables_dump_set_done,
4989 .module = THIS_MODULE,
4990 };
4991 struct nft_set_dump_ctx dump_ctx = {
4992 .set = set,
4993 .ctx = ctx,
4994 };
4995
4996 c.data = &dump_ctx;
4997 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4998 }
4999
5000 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
5001 return -EINVAL;
5002
5003 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5004 err = nft_get_set_elem(&ctx, set, attr);
5005 if (err < 0)
5006 break;
5007 }
5008
5009 return err;
5010 }
5011
nf_tables_setelem_notify(const struct nft_ctx * ctx,const struct nft_set * set,const struct nft_set_elem * elem,int event,u16 flags)5012 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
5013 const struct nft_set *set,
5014 const struct nft_set_elem *elem,
5015 int event, u16 flags)
5016 {
5017 struct net *net = ctx->net;
5018 u32 portid = ctx->portid;
5019 struct sk_buff *skb;
5020 int err;
5021 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
5022 ctx->table->name, ctx->table->handle,
5023 set->name, set->handle);
5024
5025 audit_log_nfcfg(buf,
5026 ctx->family,
5027 set->handle,
5028 event == NFT_MSG_NEWSETELEM ?
5029 AUDIT_NFT_OP_SETELEM_REGISTER :
5030 AUDIT_NFT_OP_SETELEM_UNREGISTER,
5031 GFP_KERNEL);
5032 kfree(buf);
5033
5034 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5035 return;
5036
5037 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
5038 if (skb == NULL)
5039 goto err;
5040
5041 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
5042 set, elem);
5043 if (err < 0) {
5044 kfree_skb(skb);
5045 goto err;
5046 }
5047
5048 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
5049 return;
5050 err:
5051 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5052 }
5053
nft_trans_elem_alloc(struct nft_ctx * ctx,int msg_type,struct nft_set * set)5054 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
5055 int msg_type,
5056 struct nft_set *set)
5057 {
5058 struct nft_trans *trans;
5059
5060 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
5061 if (trans == NULL)
5062 return NULL;
5063
5064 nft_trans_elem_set(trans) = set;
5065 return trans;
5066 }
5067
nft_set_elem_expr_alloc(const struct nft_ctx * ctx,const struct nft_set * set,const struct nlattr * attr)5068 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
5069 const struct nft_set *set,
5070 const struct nlattr *attr)
5071 {
5072 struct nft_expr *expr;
5073 int err;
5074
5075 expr = nft_expr_init(ctx, attr);
5076 if (IS_ERR(expr))
5077 return expr;
5078
5079 err = -EOPNOTSUPP;
5080 if (expr->ops->type->flags & NFT_EXPR_GC) {
5081 if (set->flags & NFT_SET_TIMEOUT)
5082 goto err_set_elem_expr;
5083 if (!set->ops->gc_init)
5084 goto err_set_elem_expr;
5085 set->ops->gc_init(set);
5086 }
5087
5088 return expr;
5089
5090 err_set_elem_expr:
5091 nft_expr_destroy(ctx, expr);
5092 return ERR_PTR(err);
5093 }
5094
nft_set_elem_init(const struct nft_set * set,const struct nft_set_ext_tmpl * tmpl,const u32 * key,const u32 * key_end,const u32 * data,u64 timeout,u64 expiration,gfp_t gfp)5095 void *nft_set_elem_init(const struct nft_set *set,
5096 const struct nft_set_ext_tmpl *tmpl,
5097 const u32 *key, const u32 *key_end,
5098 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp)
5099 {
5100 struct nft_set_ext *ext;
5101 void *elem;
5102
5103 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
5104 if (elem == NULL)
5105 return NULL;
5106
5107 ext = nft_set_elem_ext(set, elem);
5108 nft_set_ext_init(ext, tmpl);
5109
5110 memcpy(nft_set_ext_key(ext), key, set->klen);
5111 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
5112 memcpy(nft_set_ext_key_end(ext), key_end, set->klen);
5113 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5114 memcpy(nft_set_ext_data(ext), data, set->dlen);
5115 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
5116 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
5117 if (expiration == 0)
5118 *nft_set_ext_expiration(ext) += timeout;
5119 }
5120 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
5121 *nft_set_ext_timeout(ext) = timeout;
5122
5123 return elem;
5124 }
5125
nft_set_elem_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)5126 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
5127 struct nft_expr *expr)
5128 {
5129 if (expr->ops->destroy_clone) {
5130 expr->ops->destroy_clone(ctx, expr);
5131 module_put(expr->ops->type->owner);
5132 } else {
5133 nf_tables_expr_destroy(ctx, expr);
5134 }
5135 }
5136
nft_set_elem_destroy(const struct nft_set * set,void * elem,bool destroy_expr)5137 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
5138 bool destroy_expr)
5139 {
5140 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5141 struct nft_ctx ctx = {
5142 .net = read_pnet(&set->net),
5143 .family = set->table->family,
5144 };
5145
5146 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
5147 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5148 nft_data_release(nft_set_ext_data(ext), set->dtype);
5149 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
5150 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
5151
5152 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5153 (*nft_set_ext_obj(ext))->use--;
5154 kfree(elem);
5155 }
5156 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
5157
5158 /* Only called from commit path, nft_set_elem_deactivate() already deals with
5159 * the refcounting from the preparation phase.
5160 */
nf_tables_set_elem_destroy(const struct nft_ctx * ctx,const struct nft_set * set,void * elem)5161 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
5162 const struct nft_set *set, void *elem)
5163 {
5164 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
5165
5166 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
5167 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
5168
5169 kfree(elem);
5170 }
5171
nft_set_elem_expr_setup(struct nft_ctx * ctx,const struct nft_set_ext * ext,struct nft_expr * expr)5172 static int nft_set_elem_expr_setup(struct nft_ctx *ctx,
5173 const struct nft_set_ext *ext,
5174 struct nft_expr *expr)
5175 {
5176 struct nft_expr *elem_expr = nft_set_ext_expr(ext);
5177 int err;
5178
5179 if (expr == NULL)
5180 return 0;
5181
5182 err = nft_expr_clone(elem_expr, expr);
5183 if (err < 0)
5184 return -ENOMEM;
5185
5186 nft_expr_destroy(ctx, expr);
5187 return 0;
5188 }
5189
nft_add_set_elem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr,u32 nlmsg_flags)5190 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
5191 const struct nlattr *attr, u32 nlmsg_flags)
5192 {
5193 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5194 u8 genmask = nft_genmask_next(ctx->net);
5195 struct nft_set_ext_tmpl tmpl;
5196 struct nft_set_ext *ext, *ext2;
5197 struct nft_set_elem elem;
5198 struct nft_set_binding *binding;
5199 struct nft_object *obj = NULL;
5200 struct nft_expr *expr = NULL;
5201 struct nft_userdata *udata;
5202 struct nft_data_desc desc;
5203 enum nft_registers dreg;
5204 struct nft_trans *trans;
5205 u32 flags = 0;
5206 u64 timeout;
5207 u64 expiration;
5208 u8 ulen;
5209 int err;
5210
5211 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5212 nft_set_elem_policy, NULL);
5213 if (err < 0)
5214 return err;
5215
5216 if (nla[NFTA_SET_ELEM_KEY] == NULL)
5217 return -EINVAL;
5218
5219 nft_set_ext_prepare(&tmpl);
5220
5221 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5222 if (err < 0)
5223 return err;
5224 if (flags != 0)
5225 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5226
5227 if (set->flags & NFT_SET_MAP) {
5228 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
5229 !(flags & NFT_SET_ELEM_INTERVAL_END))
5230 return -EINVAL;
5231 } else {
5232 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5233 return -EINVAL;
5234 }
5235
5236 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
5237 (nla[NFTA_SET_ELEM_DATA] ||
5238 nla[NFTA_SET_ELEM_OBJREF] ||
5239 nla[NFTA_SET_ELEM_TIMEOUT] ||
5240 nla[NFTA_SET_ELEM_EXPIRATION] ||
5241 nla[NFTA_SET_ELEM_USERDATA] ||
5242 nla[NFTA_SET_ELEM_EXPR]))
5243 return -EINVAL;
5244
5245 timeout = 0;
5246 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
5247 if (!(set->flags & NFT_SET_TIMEOUT))
5248 return -EINVAL;
5249 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
5250 &timeout);
5251 if (err)
5252 return err;
5253 } else if (set->flags & NFT_SET_TIMEOUT) {
5254 timeout = set->timeout;
5255 }
5256
5257 expiration = 0;
5258 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
5259 if (!(set->flags & NFT_SET_TIMEOUT))
5260 return -EINVAL;
5261 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
5262 &expiration);
5263 if (err)
5264 return err;
5265 }
5266
5267 if (nla[NFTA_SET_ELEM_EXPR] != NULL) {
5268 expr = nft_set_elem_expr_alloc(ctx, set,
5269 nla[NFTA_SET_ELEM_EXPR]);
5270 if (IS_ERR(expr))
5271 return PTR_ERR(expr);
5272
5273 err = -EOPNOTSUPP;
5274 if (set->expr && set->expr->ops != expr->ops)
5275 goto err_set_elem_expr;
5276 } else if (set->expr) {
5277 expr = kzalloc(set->expr->ops->size, GFP_KERNEL);
5278 if (!expr)
5279 return -ENOMEM;
5280
5281 err = nft_expr_clone(expr, set->expr);
5282 if (err < 0)
5283 goto err_set_elem_expr;
5284 }
5285
5286 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5287 nla[NFTA_SET_ELEM_KEY]);
5288 if (err < 0)
5289 goto err_set_elem_expr;
5290
5291 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5292
5293 if (nla[NFTA_SET_ELEM_KEY_END]) {
5294 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5295 nla[NFTA_SET_ELEM_KEY_END]);
5296 if (err < 0)
5297 goto err_parse_key;
5298
5299 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5300 }
5301
5302 if (timeout > 0) {
5303 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
5304 if (timeout != set->timeout)
5305 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
5306 }
5307
5308 if (expr)
5309 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPR,
5310 expr->ops->size);
5311
5312 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
5313 if (!(set->flags & NFT_SET_OBJECT)) {
5314 err = -EINVAL;
5315 goto err_parse_key_end;
5316 }
5317 obj = nft_obj_lookup(ctx->net, ctx->table,
5318 nla[NFTA_SET_ELEM_OBJREF],
5319 set->objtype, genmask);
5320 if (IS_ERR(obj)) {
5321 err = PTR_ERR(obj);
5322 goto err_parse_key_end;
5323 }
5324 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
5325 }
5326
5327 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
5328 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
5329 nla[NFTA_SET_ELEM_DATA]);
5330 if (err < 0)
5331 goto err_parse_key_end;
5332
5333 dreg = nft_type_to_reg(set->dtype);
5334 list_for_each_entry(binding, &set->bindings, list) {
5335 struct nft_ctx bind_ctx = {
5336 .net = ctx->net,
5337 .family = ctx->family,
5338 .table = ctx->table,
5339 .chain = (struct nft_chain *)binding->chain,
5340 };
5341
5342 if (!(binding->flags & NFT_SET_MAP))
5343 continue;
5344
5345 err = nft_validate_register_store(&bind_ctx, dreg,
5346 &elem.data.val,
5347 desc.type, desc.len);
5348 if (err < 0)
5349 goto err_parse_data;
5350
5351 if (desc.type == NFT_DATA_VERDICT &&
5352 (elem.data.val.verdict.code == NFT_GOTO ||
5353 elem.data.val.verdict.code == NFT_JUMP))
5354 nft_validate_state_update(ctx->net,
5355 NFT_VALIDATE_NEED);
5356 }
5357
5358 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
5359 }
5360
5361 /* The full maximum length of userdata can exceed the maximum
5362 * offset value (U8_MAX) for following extensions, therefor it
5363 * must be the last extension added.
5364 */
5365 ulen = 0;
5366 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
5367 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
5368 if (ulen > 0)
5369 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
5370 ulen);
5371 }
5372
5373 err = -ENOMEM;
5374 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5375 elem.key_end.val.data, elem.data.val.data,
5376 timeout, expiration, GFP_KERNEL);
5377 if (elem.priv == NULL)
5378 goto err_parse_data;
5379
5380 ext = nft_set_elem_ext(set, elem.priv);
5381 if (flags)
5382 *nft_set_ext_flags(ext) = flags;
5383 if (ulen > 0) {
5384 udata = nft_set_ext_userdata(ext);
5385 udata->len = ulen - 1;
5386 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
5387 }
5388 if (obj) {
5389 *nft_set_ext_obj(ext) = obj;
5390 obj->use++;
5391 }
5392
5393 err = nft_set_elem_expr_setup(ctx, ext, expr);
5394 if (err < 0)
5395 goto err_elem_expr;
5396 expr = NULL;
5397
5398 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
5399 if (trans == NULL) {
5400 err = -ENOMEM;
5401 goto err_elem_expr;
5402 }
5403
5404 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
5405 err = set->ops->insert(ctx->net, set, &elem, &ext2);
5406 if (err) {
5407 if (err == -EEXIST) {
5408 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
5409 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
5410 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
5411 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
5412 goto err_element_clash;
5413 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5414 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
5415 memcmp(nft_set_ext_data(ext),
5416 nft_set_ext_data(ext2), set->dlen) != 0) ||
5417 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5418 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
5419 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
5420 goto err_element_clash;
5421 else if (!(nlmsg_flags & NLM_F_EXCL))
5422 err = 0;
5423 } else if (err == -ENOTEMPTY) {
5424 /* ENOTEMPTY reports overlapping between this element
5425 * and an existing one.
5426 */
5427 err = -EEXIST;
5428 }
5429 goto err_element_clash;
5430 }
5431
5432 if (set->size &&
5433 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
5434 err = -ENFILE;
5435 goto err_set_full;
5436 }
5437
5438 nft_trans_elem(trans) = elem;
5439 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5440 return 0;
5441
5442 err_set_full:
5443 set->ops->remove(ctx->net, set, &elem);
5444 err_element_clash:
5445 kfree(trans);
5446 err_elem_expr:
5447 if (obj)
5448 obj->use--;
5449
5450 nf_tables_set_elem_destroy(ctx, set, elem.priv);
5451 err_parse_data:
5452 if (nla[NFTA_SET_ELEM_DATA] != NULL)
5453 nft_data_release(&elem.data.val, desc.type);
5454 err_parse_key_end:
5455 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
5456 err_parse_key:
5457 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5458 err_set_elem_expr:
5459 if (expr != NULL)
5460 nft_expr_destroy(ctx, expr);
5461
5462 return err;
5463 }
5464
nf_tables_newsetelem(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)5465 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
5466 struct sk_buff *skb, const struct nlmsghdr *nlh,
5467 const struct nlattr * const nla[],
5468 struct netlink_ext_ack *extack)
5469 {
5470 u8 genmask = nft_genmask_next(net);
5471 const struct nlattr *attr;
5472 struct nft_set *set;
5473 struct nft_ctx ctx;
5474 int rem, err;
5475
5476 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
5477 return -EINVAL;
5478
5479 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5480 genmask);
5481 if (err < 0)
5482 return err;
5483
5484 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
5485 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
5486 if (IS_ERR(set))
5487 return PTR_ERR(set);
5488
5489 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5490 return -EBUSY;
5491
5492 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5493 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
5494 if (err < 0)
5495 return err;
5496 }
5497
5498 if (net->nft.validate_state == NFT_VALIDATE_DO)
5499 return nft_table_validate(net, ctx.table);
5500
5501 return 0;
5502 }
5503
5504 /**
5505 * nft_data_hold - hold a nft_data item
5506 *
5507 * @data: struct nft_data to release
5508 * @type: type of data
5509 *
5510 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
5511 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
5512 * NFT_GOTO verdicts. This function must be called on active data objects
5513 * from the second phase of the commit protocol.
5514 */
nft_data_hold(const struct nft_data * data,enum nft_data_types type)5515 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
5516 {
5517 struct nft_chain *chain;
5518 struct nft_rule *rule;
5519
5520 if (type == NFT_DATA_VERDICT) {
5521 switch (data->verdict.code) {
5522 case NFT_JUMP:
5523 case NFT_GOTO:
5524 chain = data->verdict.chain;
5525 chain->use++;
5526
5527 if (!nft_chain_is_bound(chain))
5528 break;
5529
5530 chain->table->use++;
5531 list_for_each_entry(rule, &chain->rules, list)
5532 chain->use++;
5533
5534 nft_chain_add(chain->table, chain);
5535 break;
5536 }
5537 }
5538 }
5539
nft_set_elem_activate(const struct net * net,const struct nft_set * set,struct nft_set_elem * elem)5540 static void nft_set_elem_activate(const struct net *net,
5541 const struct nft_set *set,
5542 struct nft_set_elem *elem)
5543 {
5544 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5545
5546 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5547 nft_data_hold(nft_set_ext_data(ext), set->dtype);
5548 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5549 (*nft_set_ext_obj(ext))->use++;
5550 }
5551
nft_set_elem_deactivate(const struct net * net,const struct nft_set * set,struct nft_set_elem * elem)5552 static void nft_set_elem_deactivate(const struct net *net,
5553 const struct nft_set *set,
5554 struct nft_set_elem *elem)
5555 {
5556 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5557
5558 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
5559 nft_data_release(nft_set_ext_data(ext), set->dtype);
5560 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
5561 (*nft_set_ext_obj(ext))->use--;
5562 }
5563
nft_del_setelem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr)5564 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
5565 const struct nlattr *attr)
5566 {
5567 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
5568 struct nft_set_ext_tmpl tmpl;
5569 struct nft_set_elem elem;
5570 struct nft_set_ext *ext;
5571 struct nft_trans *trans;
5572 u32 flags = 0;
5573 void *priv;
5574 int err;
5575
5576 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
5577 nft_set_elem_policy, NULL);
5578 if (err < 0)
5579 return err;
5580
5581 if (nla[NFTA_SET_ELEM_KEY] == NULL)
5582 return -EINVAL;
5583
5584 nft_set_ext_prepare(&tmpl);
5585
5586 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
5587 if (err < 0)
5588 return err;
5589 if (flags != 0)
5590 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
5591
5592 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
5593 nla[NFTA_SET_ELEM_KEY]);
5594 if (err < 0)
5595 return err;
5596
5597 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
5598
5599 if (nla[NFTA_SET_ELEM_KEY_END]) {
5600 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
5601 nla[NFTA_SET_ELEM_KEY_END]);
5602 if (err < 0)
5603 return err;
5604
5605 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
5606 }
5607
5608 err = -ENOMEM;
5609 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
5610 elem.key_end.val.data, NULL, 0, 0,
5611 GFP_KERNEL);
5612 if (elem.priv == NULL)
5613 goto fail_elem;
5614
5615 ext = nft_set_elem_ext(set, elem.priv);
5616 if (flags)
5617 *nft_set_ext_flags(ext) = flags;
5618
5619 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
5620 if (trans == NULL)
5621 goto fail_trans;
5622
5623 priv = set->ops->deactivate(ctx->net, set, &elem);
5624 if (priv == NULL) {
5625 err = -ENOENT;
5626 goto fail_ops;
5627 }
5628 kfree(elem.priv);
5629 elem.priv = priv;
5630
5631 nft_set_elem_deactivate(ctx->net, set, &elem);
5632
5633 nft_trans_elem(trans) = elem;
5634 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5635 return 0;
5636
5637 fail_ops:
5638 kfree(trans);
5639 fail_trans:
5640 kfree(elem.priv);
5641 fail_elem:
5642 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
5643 return err;
5644 }
5645
nft_flush_set(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_set_elem * elem)5646 static int nft_flush_set(const struct nft_ctx *ctx,
5647 struct nft_set *set,
5648 const struct nft_set_iter *iter,
5649 struct nft_set_elem *elem)
5650 {
5651 struct nft_trans *trans;
5652 int err;
5653
5654 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
5655 sizeof(struct nft_trans_elem), GFP_ATOMIC);
5656 if (!trans)
5657 return -ENOMEM;
5658
5659 if (!set->ops->flush(ctx->net, set, elem->priv)) {
5660 err = -ENOENT;
5661 goto err1;
5662 }
5663 set->ndeact++;
5664
5665 nft_set_elem_deactivate(ctx->net, set, elem);
5666 nft_trans_elem_set(trans) = set;
5667 nft_trans_elem(trans) = *elem;
5668 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5669
5670 return 0;
5671 err1:
5672 kfree(trans);
5673 return err;
5674 }
5675
nf_tables_delsetelem(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)5676 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
5677 struct sk_buff *skb, const struct nlmsghdr *nlh,
5678 const struct nlattr * const nla[],
5679 struct netlink_ext_ack *extack)
5680 {
5681 u8 genmask = nft_genmask_next(net);
5682 const struct nlattr *attr;
5683 struct nft_set *set;
5684 struct nft_ctx ctx;
5685 int rem, err = 0;
5686
5687 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
5688 genmask);
5689 if (err < 0)
5690 return err;
5691
5692 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
5693 if (IS_ERR(set))
5694 return PTR_ERR(set);
5695 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
5696 return -EBUSY;
5697
5698 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
5699 struct nft_set_iter iter = {
5700 .genmask = genmask,
5701 .fn = nft_flush_set,
5702 };
5703 set->ops->walk(&ctx, set, &iter);
5704
5705 return iter.err;
5706 }
5707
5708 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
5709 err = nft_del_setelem(&ctx, set, attr);
5710 if (err < 0)
5711 break;
5712
5713 set->ndeact++;
5714 }
5715 return err;
5716 }
5717
nft_set_gc_batch_release(struct rcu_head * rcu)5718 void nft_set_gc_batch_release(struct rcu_head *rcu)
5719 {
5720 struct nft_set_gc_batch *gcb;
5721 unsigned int i;
5722
5723 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
5724 for (i = 0; i < gcb->head.cnt; i++)
5725 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
5726 kfree(gcb);
5727 }
5728
nft_set_gc_batch_alloc(const struct nft_set * set,gfp_t gfp)5729 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
5730 gfp_t gfp)
5731 {
5732 struct nft_set_gc_batch *gcb;
5733
5734 gcb = kzalloc(sizeof(*gcb), gfp);
5735 if (gcb == NULL)
5736 return gcb;
5737 gcb->head.set = set;
5738 return gcb;
5739 }
5740
5741 /*
5742 * Stateful objects
5743 */
5744
5745 /**
5746 * nft_register_obj- register nf_tables stateful object type
5747 * @obj_type: object type
5748 *
5749 * Registers the object type for use with nf_tables. Returns zero on
5750 * success or a negative errno code otherwise.
5751 */
nft_register_obj(struct nft_object_type * obj_type)5752 int nft_register_obj(struct nft_object_type *obj_type)
5753 {
5754 if (obj_type->type == NFT_OBJECT_UNSPEC)
5755 return -EINVAL;
5756
5757 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5758 list_add_rcu(&obj_type->list, &nf_tables_objects);
5759 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5760 return 0;
5761 }
5762 EXPORT_SYMBOL_GPL(nft_register_obj);
5763
5764 /**
5765 * nft_unregister_obj - unregister nf_tables object type
5766 * @obj_type: object type
5767 *
5768 * Unregisters the object type for use with nf_tables.
5769 */
nft_unregister_obj(struct nft_object_type * obj_type)5770 void nft_unregister_obj(struct nft_object_type *obj_type)
5771 {
5772 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5773 list_del_rcu(&obj_type->list);
5774 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5775 }
5776 EXPORT_SYMBOL_GPL(nft_unregister_obj);
5777
nft_obj_lookup(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u32 objtype,u8 genmask)5778 struct nft_object *nft_obj_lookup(const struct net *net,
5779 const struct nft_table *table,
5780 const struct nlattr *nla, u32 objtype,
5781 u8 genmask)
5782 {
5783 struct nft_object_hash_key k = { .table = table };
5784 char search[NFT_OBJ_MAXNAMELEN];
5785 struct rhlist_head *tmp, *list;
5786 struct nft_object *obj;
5787
5788 nla_strlcpy(search, nla, sizeof(search));
5789 k.name = search;
5790
5791 WARN_ON_ONCE(!rcu_read_lock_held() &&
5792 !lockdep_commit_lock_is_held(net));
5793
5794 rcu_read_lock();
5795 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
5796 if (!list)
5797 goto out;
5798
5799 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
5800 if (objtype == obj->ops->type->type &&
5801 nft_active_genmask(obj, genmask)) {
5802 rcu_read_unlock();
5803 return obj;
5804 }
5805 }
5806 out:
5807 rcu_read_unlock();
5808 return ERR_PTR(-ENOENT);
5809 }
5810 EXPORT_SYMBOL_GPL(nft_obj_lookup);
5811
nft_obj_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u32 objtype,u8 genmask)5812 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
5813 const struct nlattr *nla,
5814 u32 objtype, u8 genmask)
5815 {
5816 struct nft_object *obj;
5817
5818 list_for_each_entry(obj, &table->objects, list) {
5819 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
5820 objtype == obj->ops->type->type &&
5821 nft_active_genmask(obj, genmask))
5822 return obj;
5823 }
5824 return ERR_PTR(-ENOENT);
5825 }
5826
5827 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
5828 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
5829 .len = NFT_TABLE_MAXNAMELEN - 1 },
5830 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
5831 .len = NFT_OBJ_MAXNAMELEN - 1 },
5832 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
5833 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
5834 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
5835 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY,
5836 .len = NFT_USERDATA_MAXLEN },
5837 };
5838
nft_obj_init(const struct nft_ctx * ctx,const struct nft_object_type * type,const struct nlattr * attr)5839 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
5840 const struct nft_object_type *type,
5841 const struct nlattr *attr)
5842 {
5843 struct nlattr **tb;
5844 const struct nft_object_ops *ops;
5845 struct nft_object *obj;
5846 int err = -ENOMEM;
5847
5848 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
5849 if (!tb)
5850 goto err1;
5851
5852 if (attr) {
5853 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
5854 type->policy, NULL);
5855 if (err < 0)
5856 goto err2;
5857 } else {
5858 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
5859 }
5860
5861 if (type->select_ops) {
5862 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
5863 if (IS_ERR(ops)) {
5864 err = PTR_ERR(ops);
5865 goto err2;
5866 }
5867 } else {
5868 ops = type->ops;
5869 }
5870
5871 err = -ENOMEM;
5872 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
5873 if (!obj)
5874 goto err2;
5875
5876 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
5877 if (err < 0)
5878 goto err3;
5879
5880 obj->ops = ops;
5881
5882 kfree(tb);
5883 return obj;
5884 err3:
5885 kfree(obj);
5886 err2:
5887 kfree(tb);
5888 err1:
5889 return ERR_PTR(err);
5890 }
5891
nft_object_dump(struct sk_buff * skb,unsigned int attr,struct nft_object * obj,bool reset)5892 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
5893 struct nft_object *obj, bool reset)
5894 {
5895 struct nlattr *nest;
5896
5897 nest = nla_nest_start_noflag(skb, attr);
5898 if (!nest)
5899 goto nla_put_failure;
5900 if (obj->ops->dump(skb, obj, reset) < 0)
5901 goto nla_put_failure;
5902 nla_nest_end(skb, nest);
5903 return 0;
5904
5905 nla_put_failure:
5906 return -1;
5907 }
5908
__nft_obj_type_get(u32 objtype)5909 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
5910 {
5911 const struct nft_object_type *type;
5912
5913 list_for_each_entry(type, &nf_tables_objects, list) {
5914 if (objtype == type->type)
5915 return type;
5916 }
5917 return NULL;
5918 }
5919
5920 static const struct nft_object_type *
nft_obj_type_get(struct net * net,u32 objtype)5921 nft_obj_type_get(struct net *net, u32 objtype)
5922 {
5923 const struct nft_object_type *type;
5924
5925 type = __nft_obj_type_get(objtype);
5926 if (type != NULL && try_module_get(type->owner))
5927 return type;
5928
5929 lockdep_nfnl_nft_mutex_not_held();
5930 #ifdef CONFIG_MODULES
5931 if (type == NULL) {
5932 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
5933 return ERR_PTR(-EAGAIN);
5934 }
5935 #endif
5936 return ERR_PTR(-ENOENT);
5937 }
5938
nf_tables_updobj(const struct nft_ctx * ctx,const struct nft_object_type * type,const struct nlattr * attr,struct nft_object * obj)5939 static int nf_tables_updobj(const struct nft_ctx *ctx,
5940 const struct nft_object_type *type,
5941 const struct nlattr *attr,
5942 struct nft_object *obj)
5943 {
5944 struct nft_object *newobj;
5945 struct nft_trans *trans;
5946 int err;
5947
5948 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
5949 sizeof(struct nft_trans_obj));
5950 if (!trans)
5951 return -ENOMEM;
5952
5953 newobj = nft_obj_init(ctx, type, attr);
5954 if (IS_ERR(newobj)) {
5955 err = PTR_ERR(newobj);
5956 goto err_free_trans;
5957 }
5958
5959 nft_trans_obj(trans) = obj;
5960 nft_trans_obj_update(trans) = true;
5961 nft_trans_obj_newobj(trans) = newobj;
5962 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5963
5964 return 0;
5965
5966 err_free_trans:
5967 kfree(trans);
5968 return err;
5969 }
5970
nf_tables_newobj(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)5971 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
5972 struct sk_buff *skb, const struct nlmsghdr *nlh,
5973 const struct nlattr * const nla[],
5974 struct netlink_ext_ack *extack)
5975 {
5976 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5977 const struct nft_object_type *type;
5978 u8 genmask = nft_genmask_next(net);
5979 int family = nfmsg->nfgen_family;
5980 struct nft_table *table;
5981 struct nft_object *obj;
5982 struct nft_ctx ctx;
5983 u32 objtype;
5984 int err;
5985
5986 if (!nla[NFTA_OBJ_TYPE] ||
5987 !nla[NFTA_OBJ_NAME] ||
5988 !nla[NFTA_OBJ_DATA])
5989 return -EINVAL;
5990
5991 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5992 if (IS_ERR(table)) {
5993 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5994 return PTR_ERR(table);
5995 }
5996
5997 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5998 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5999 if (IS_ERR(obj)) {
6000 err = PTR_ERR(obj);
6001 if (err != -ENOENT) {
6002 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6003 return err;
6004 }
6005 } else {
6006 if (nlh->nlmsg_flags & NLM_F_EXCL) {
6007 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6008 return -EEXIST;
6009 }
6010 if (nlh->nlmsg_flags & NLM_F_REPLACE)
6011 return -EOPNOTSUPP;
6012
6013 type = __nft_obj_type_get(objtype);
6014 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6015
6016 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
6017 }
6018
6019 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6020
6021 type = nft_obj_type_get(net, objtype);
6022 if (IS_ERR(type))
6023 return PTR_ERR(type);
6024
6025 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
6026 if (IS_ERR(obj)) {
6027 err = PTR_ERR(obj);
6028 goto err_init;
6029 }
6030 obj->key.table = table;
6031 obj->handle = nf_tables_alloc_handle(table);
6032
6033 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
6034 if (!obj->key.name) {
6035 err = -ENOMEM;
6036 goto err_strdup;
6037 }
6038
6039 if (nla[NFTA_OBJ_USERDATA]) {
6040 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL);
6041 if (obj->udata == NULL)
6042 goto err_userdata;
6043
6044 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
6045 }
6046
6047 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
6048 if (err < 0)
6049 goto err_trans;
6050
6051 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
6052 nft_objname_ht_params);
6053 if (err < 0)
6054 goto err_obj_ht;
6055
6056 list_add_tail_rcu(&obj->list, &table->objects);
6057 table->use++;
6058 return 0;
6059 err_obj_ht:
6060 /* queued in transaction log */
6061 INIT_LIST_HEAD(&obj->list);
6062 return err;
6063 err_trans:
6064 kfree(obj->udata);
6065 err_userdata:
6066 kfree(obj->key.name);
6067 err_strdup:
6068 if (obj->ops->destroy)
6069 obj->ops->destroy(&ctx, obj);
6070 kfree(obj);
6071 err_init:
6072 module_put(type->owner);
6073 return err;
6074 }
6075
nf_tables_fill_obj_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,struct nft_object * obj,bool reset)6076 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
6077 u32 portid, u32 seq, int event, u32 flags,
6078 int family, const struct nft_table *table,
6079 struct nft_object *obj, bool reset)
6080 {
6081 struct nfgenmsg *nfmsg;
6082 struct nlmsghdr *nlh;
6083
6084 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6085 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
6086 if (nlh == NULL)
6087 goto nla_put_failure;
6088
6089 nfmsg = nlmsg_data(nlh);
6090 nfmsg->nfgen_family = family;
6091 nfmsg->version = NFNETLINK_V0;
6092 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6093
6094 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
6095 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
6096 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
6097 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
6098 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
6099 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
6100 NFTA_OBJ_PAD))
6101 goto nla_put_failure;
6102
6103 if (obj->udata &&
6104 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
6105 goto nla_put_failure;
6106
6107 nlmsg_end(skb, nlh);
6108 return 0;
6109
6110 nla_put_failure:
6111 nlmsg_trim(skb, nlh);
6112 return -1;
6113 }
6114
6115 struct nft_obj_filter {
6116 char *table;
6117 u32 type;
6118 };
6119
nf_tables_dump_obj(struct sk_buff * skb,struct netlink_callback * cb)6120 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
6121 {
6122 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6123 const struct nft_table *table;
6124 unsigned int idx = 0, s_idx = cb->args[0];
6125 struct nft_obj_filter *filter = cb->data;
6126 struct net *net = sock_net(skb->sk);
6127 int family = nfmsg->nfgen_family;
6128 struct nft_object *obj;
6129 bool reset = false;
6130
6131 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
6132 reset = true;
6133
6134 rcu_read_lock();
6135 cb->seq = net->nft.base_seq;
6136
6137 list_for_each_entry_rcu(table, &net->nft.tables, list) {
6138 if (family != NFPROTO_UNSPEC && family != table->family)
6139 continue;
6140
6141 list_for_each_entry_rcu(obj, &table->objects, list) {
6142 if (!nft_is_active(net, obj))
6143 goto cont;
6144 if (idx < s_idx)
6145 goto cont;
6146 if (idx > s_idx)
6147 memset(&cb->args[1], 0,
6148 sizeof(cb->args) - sizeof(cb->args[0]));
6149 if (filter && filter->table &&
6150 strcmp(filter->table, table->name))
6151 goto cont;
6152 if (filter &&
6153 filter->type != NFT_OBJECT_UNSPEC &&
6154 obj->ops->type->type != filter->type)
6155 goto cont;
6156
6157 if (reset) {
6158 char *buf = kasprintf(GFP_ATOMIC,
6159 "%s:%llu;?:0",
6160 table->name,
6161 table->handle);
6162
6163 audit_log_nfcfg(buf,
6164 family,
6165 obj->handle,
6166 AUDIT_NFT_OP_OBJ_RESET,
6167 GFP_ATOMIC);
6168 kfree(buf);
6169 }
6170
6171 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
6172 cb->nlh->nlmsg_seq,
6173 NFT_MSG_NEWOBJ,
6174 NLM_F_MULTI | NLM_F_APPEND,
6175 table->family, table,
6176 obj, reset) < 0)
6177 goto done;
6178
6179 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6180 cont:
6181 idx++;
6182 }
6183 }
6184 done:
6185 rcu_read_unlock();
6186
6187 cb->args[0] = idx;
6188 return skb->len;
6189 }
6190
nf_tables_dump_obj_start(struct netlink_callback * cb)6191 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
6192 {
6193 const struct nlattr * const *nla = cb->data;
6194 struct nft_obj_filter *filter = NULL;
6195
6196 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
6197 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6198 if (!filter)
6199 return -ENOMEM;
6200
6201 if (nla[NFTA_OBJ_TABLE]) {
6202 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
6203 if (!filter->table) {
6204 kfree(filter);
6205 return -ENOMEM;
6206 }
6207 }
6208
6209 if (nla[NFTA_OBJ_TYPE])
6210 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6211 }
6212
6213 cb->data = filter;
6214 return 0;
6215 }
6216
nf_tables_dump_obj_done(struct netlink_callback * cb)6217 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
6218 {
6219 struct nft_obj_filter *filter = cb->data;
6220
6221 if (filter) {
6222 kfree(filter->table);
6223 kfree(filter);
6224 }
6225
6226 return 0;
6227 }
6228
6229 /* called with rcu_read_lock held */
nf_tables_getobj(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)6230 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
6231 struct sk_buff *skb, const struct nlmsghdr *nlh,
6232 const struct nlattr * const nla[],
6233 struct netlink_ext_ack *extack)
6234 {
6235 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6236 u8 genmask = nft_genmask_cur(net);
6237 int family = nfmsg->nfgen_family;
6238 const struct nft_table *table;
6239 struct nft_object *obj;
6240 struct sk_buff *skb2;
6241 bool reset = false;
6242 u32 objtype;
6243 int err;
6244
6245 if (nlh->nlmsg_flags & NLM_F_DUMP) {
6246 struct netlink_dump_control c = {
6247 .start = nf_tables_dump_obj_start,
6248 .dump = nf_tables_dump_obj,
6249 .done = nf_tables_dump_obj_done,
6250 .module = THIS_MODULE,
6251 .data = (void *)nla,
6252 };
6253
6254 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
6255 }
6256
6257 if (!nla[NFTA_OBJ_NAME] ||
6258 !nla[NFTA_OBJ_TYPE])
6259 return -EINVAL;
6260
6261 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
6262 if (IS_ERR(table)) {
6263 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6264 return PTR_ERR(table);
6265 }
6266
6267 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6268 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
6269 if (IS_ERR(obj)) {
6270 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
6271 return PTR_ERR(obj);
6272 }
6273
6274 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6275 if (!skb2)
6276 return -ENOMEM;
6277
6278 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
6279 reset = true;
6280
6281 if (reset) {
6282 char *buf = kasprintf(GFP_ATOMIC, "%s:%llu;?:0",
6283 table->name, table->handle);
6284
6285 audit_log_nfcfg(buf,
6286 family,
6287 obj->handle,
6288 AUDIT_NFT_OP_OBJ_RESET,
6289 GFP_ATOMIC);
6290 kfree(buf);
6291 }
6292
6293 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
6294 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
6295 family, table, obj, reset);
6296 if (err < 0)
6297 goto err_fill_obj_info;
6298
6299 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
6300
6301 err_fill_obj_info:
6302 kfree_skb(skb2);
6303 return err;
6304 }
6305
nft_obj_destroy(const struct nft_ctx * ctx,struct nft_object * obj)6306 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
6307 {
6308 if (obj->ops->destroy)
6309 obj->ops->destroy(ctx, obj);
6310
6311 module_put(obj->ops->type->owner);
6312 kfree(obj->key.name);
6313 kfree(obj->udata);
6314 kfree(obj);
6315 }
6316
nf_tables_delobj(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)6317 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
6318 struct sk_buff *skb, const struct nlmsghdr *nlh,
6319 const struct nlattr * const nla[],
6320 struct netlink_ext_ack *extack)
6321 {
6322 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6323 u8 genmask = nft_genmask_next(net);
6324 int family = nfmsg->nfgen_family;
6325 const struct nlattr *attr;
6326 struct nft_table *table;
6327 struct nft_object *obj;
6328 struct nft_ctx ctx;
6329 u32 objtype;
6330
6331 if (!nla[NFTA_OBJ_TYPE] ||
6332 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
6333 return -EINVAL;
6334
6335 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
6336 if (IS_ERR(table)) {
6337 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
6338 return PTR_ERR(table);
6339 }
6340
6341 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
6342 if (nla[NFTA_OBJ_HANDLE]) {
6343 attr = nla[NFTA_OBJ_HANDLE];
6344 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
6345 } else {
6346 attr = nla[NFTA_OBJ_NAME];
6347 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
6348 }
6349
6350 if (IS_ERR(obj)) {
6351 NL_SET_BAD_ATTR(extack, attr);
6352 return PTR_ERR(obj);
6353 }
6354 if (obj->use > 0) {
6355 NL_SET_BAD_ATTR(extack, attr);
6356 return -EBUSY;
6357 }
6358
6359 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6360
6361 return nft_delobj(&ctx, obj);
6362 }
6363
nft_obj_notify(struct net * net,const struct nft_table * table,struct nft_object * obj,u32 portid,u32 seq,int event,int family,int report,gfp_t gfp)6364 void nft_obj_notify(struct net *net, const struct nft_table *table,
6365 struct nft_object *obj, u32 portid, u32 seq, int event,
6366 int family, int report, gfp_t gfp)
6367 {
6368 struct sk_buff *skb;
6369 int err;
6370 char *buf = kasprintf(gfp, "%s:%llu;?:0",
6371 table->name, table->handle);
6372
6373 audit_log_nfcfg(buf,
6374 family,
6375 obj->handle,
6376 event == NFT_MSG_NEWOBJ ?
6377 AUDIT_NFT_OP_OBJ_REGISTER :
6378 AUDIT_NFT_OP_OBJ_UNREGISTER,
6379 gfp);
6380 kfree(buf);
6381
6382 if (!report &&
6383 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6384 return;
6385
6386 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
6387 if (skb == NULL)
6388 goto err;
6389
6390 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
6391 table, obj, false);
6392 if (err < 0) {
6393 kfree_skb(skb);
6394 goto err;
6395 }
6396
6397 nft_notify_enqueue(skb, report, &net->nft.notify_list);
6398 return;
6399 err:
6400 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
6401 }
6402 EXPORT_SYMBOL_GPL(nft_obj_notify);
6403
nf_tables_obj_notify(const struct nft_ctx * ctx,struct nft_object * obj,int event)6404 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
6405 struct nft_object *obj, int event)
6406 {
6407 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
6408 ctx->family, ctx->report, GFP_KERNEL);
6409 }
6410
6411 /*
6412 * Flow tables
6413 */
nft_register_flowtable_type(struct nf_flowtable_type * type)6414 void nft_register_flowtable_type(struct nf_flowtable_type *type)
6415 {
6416 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6417 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
6418 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6419 }
6420 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
6421
nft_unregister_flowtable_type(struct nf_flowtable_type * type)6422 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
6423 {
6424 nfnl_lock(NFNL_SUBSYS_NFTABLES);
6425 list_del_rcu(&type->list);
6426 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
6427 }
6428 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
6429
6430 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
6431 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
6432 .len = NFT_NAME_MAXLEN - 1 },
6433 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
6434 .len = NFT_NAME_MAXLEN - 1 },
6435 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
6436 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
6437 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
6438 };
6439
nft_flowtable_lookup(const struct nft_table * table,const struct nlattr * nla,u8 genmask)6440 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
6441 const struct nlattr *nla, u8 genmask)
6442 {
6443 struct nft_flowtable *flowtable;
6444
6445 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6446 if (!nla_strcmp(nla, flowtable->name) &&
6447 nft_active_genmask(flowtable, genmask))
6448 return flowtable;
6449 }
6450 return ERR_PTR(-ENOENT);
6451 }
6452 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
6453
nf_tables_deactivate_flowtable(const struct nft_ctx * ctx,struct nft_flowtable * flowtable,enum nft_trans_phase phase)6454 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
6455 struct nft_flowtable *flowtable,
6456 enum nft_trans_phase phase)
6457 {
6458 switch (phase) {
6459 case NFT_TRANS_PREPARE:
6460 case NFT_TRANS_ABORT:
6461 case NFT_TRANS_RELEASE:
6462 flowtable->use--;
6463 fallthrough;
6464 default:
6465 return;
6466 }
6467 }
6468 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
6469
6470 static struct nft_flowtable *
nft_flowtable_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u8 genmask)6471 nft_flowtable_lookup_byhandle(const struct nft_table *table,
6472 const struct nlattr *nla, u8 genmask)
6473 {
6474 struct nft_flowtable *flowtable;
6475
6476 list_for_each_entry(flowtable, &table->flowtables, list) {
6477 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
6478 nft_active_genmask(flowtable, genmask))
6479 return flowtable;
6480 }
6481 return ERR_PTR(-ENOENT);
6482 }
6483
6484 struct nft_flowtable_hook {
6485 u32 num;
6486 int priority;
6487 struct list_head list;
6488 };
6489
6490 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
6491 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
6492 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
6493 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
6494 };
6495
nft_flowtable_parse_hook(const struct nft_ctx * ctx,const struct nlattr * attr,struct nft_flowtable_hook * flowtable_hook,struct nft_flowtable * flowtable,bool add)6496 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
6497 const struct nlattr *attr,
6498 struct nft_flowtable_hook *flowtable_hook,
6499 struct nft_flowtable *flowtable, bool add)
6500 {
6501 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
6502 struct nft_hook *hook;
6503 int hooknum, priority;
6504 int err;
6505
6506 INIT_LIST_HEAD(&flowtable_hook->list);
6507
6508 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
6509 nft_flowtable_hook_policy, NULL);
6510 if (err < 0)
6511 return err;
6512
6513 if (add) {
6514 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
6515 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY])
6516 return -EINVAL;
6517
6518 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
6519 if (hooknum != NF_NETDEV_INGRESS)
6520 return -EOPNOTSUPP;
6521
6522 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
6523
6524 flowtable_hook->priority = priority;
6525 flowtable_hook->num = hooknum;
6526 } else {
6527 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
6528 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
6529 if (hooknum != flowtable->hooknum)
6530 return -EOPNOTSUPP;
6531 }
6532
6533 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
6534 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
6535 if (priority != flowtable->data.priority)
6536 return -EOPNOTSUPP;
6537 }
6538
6539 flowtable_hook->priority = flowtable->data.priority;
6540 flowtable_hook->num = flowtable->hooknum;
6541 }
6542
6543 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
6544 err = nf_tables_parse_netdev_hooks(ctx->net,
6545 tb[NFTA_FLOWTABLE_HOOK_DEVS],
6546 &flowtable_hook->list);
6547 if (err < 0)
6548 return err;
6549 }
6550
6551 list_for_each_entry(hook, &flowtable_hook->list, list) {
6552 hook->ops.pf = NFPROTO_NETDEV;
6553 hook->ops.hooknum = flowtable_hook->num;
6554 hook->ops.priority = flowtable_hook->priority;
6555 hook->ops.priv = &flowtable->data;
6556 hook->ops.hook = flowtable->data.type->hook;
6557 }
6558
6559 return err;
6560 }
6561
__nft_flowtable_type_get(u8 family)6562 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
6563 {
6564 const struct nf_flowtable_type *type;
6565
6566 list_for_each_entry(type, &nf_tables_flowtables, list) {
6567 if (family == type->family)
6568 return type;
6569 }
6570 return NULL;
6571 }
6572
6573 static const struct nf_flowtable_type *
nft_flowtable_type_get(struct net * net,u8 family)6574 nft_flowtable_type_get(struct net *net, u8 family)
6575 {
6576 const struct nf_flowtable_type *type;
6577
6578 type = __nft_flowtable_type_get(family);
6579 if (type != NULL && try_module_get(type->owner))
6580 return type;
6581
6582 lockdep_nfnl_nft_mutex_not_held();
6583 #ifdef CONFIG_MODULES
6584 if (type == NULL) {
6585 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
6586 return ERR_PTR(-EAGAIN);
6587 }
6588 #endif
6589 return ERR_PTR(-ENOENT);
6590 }
6591
6592 /* Only called from error and netdev event paths. */
nft_unregister_flowtable_hook(struct net * net,struct nft_flowtable * flowtable,struct nft_hook * hook)6593 static void nft_unregister_flowtable_hook(struct net *net,
6594 struct nft_flowtable *flowtable,
6595 struct nft_hook *hook)
6596 {
6597 nf_unregister_net_hook(net, &hook->ops);
6598 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
6599 FLOW_BLOCK_UNBIND);
6600 }
6601
nft_unregister_flowtable_net_hooks(struct net * net,struct list_head * hook_list)6602 static void nft_unregister_flowtable_net_hooks(struct net *net,
6603 struct list_head *hook_list)
6604 {
6605 struct nft_hook *hook;
6606
6607 list_for_each_entry(hook, hook_list, list)
6608 nf_unregister_net_hook(net, &hook->ops);
6609 }
6610
nft_register_flowtable_net_hooks(struct net * net,struct nft_table * table,struct list_head * hook_list,struct nft_flowtable * flowtable)6611 static int nft_register_flowtable_net_hooks(struct net *net,
6612 struct nft_table *table,
6613 struct list_head *hook_list,
6614 struct nft_flowtable *flowtable)
6615 {
6616 struct nft_hook *hook, *hook2, *next;
6617 struct nft_flowtable *ft;
6618 int err, i = 0;
6619
6620 list_for_each_entry(hook, hook_list, list) {
6621 list_for_each_entry(ft, &table->flowtables, list) {
6622 if (!nft_is_active_next(net, ft))
6623 continue;
6624
6625 list_for_each_entry(hook2, &ft->hook_list, list) {
6626 if (hook->ops.dev == hook2->ops.dev &&
6627 hook->ops.pf == hook2->ops.pf) {
6628 err = -EEXIST;
6629 goto err_unregister_net_hooks;
6630 }
6631 }
6632 }
6633
6634 err = flowtable->data.type->setup(&flowtable->data,
6635 hook->ops.dev,
6636 FLOW_BLOCK_BIND);
6637 if (err < 0)
6638 goto err_unregister_net_hooks;
6639
6640 err = nf_register_net_hook(net, &hook->ops);
6641 if (err < 0) {
6642 flowtable->data.type->setup(&flowtable->data,
6643 hook->ops.dev,
6644 FLOW_BLOCK_UNBIND);
6645 goto err_unregister_net_hooks;
6646 }
6647
6648 i++;
6649 }
6650
6651 return 0;
6652
6653 err_unregister_net_hooks:
6654 list_for_each_entry_safe(hook, next, hook_list, list) {
6655 if (i-- <= 0)
6656 break;
6657
6658 nft_unregister_flowtable_hook(net, flowtable, hook);
6659 list_del_rcu(&hook->list);
6660 kfree_rcu(hook, rcu);
6661 }
6662
6663 return err;
6664 }
6665
nft_flowtable_hooks_destroy(struct list_head * hook_list)6666 static void nft_flowtable_hooks_destroy(struct list_head *hook_list)
6667 {
6668 struct nft_hook *hook, *next;
6669
6670 list_for_each_entry_safe(hook, next, hook_list, list) {
6671 list_del_rcu(&hook->list);
6672 kfree_rcu(hook, rcu);
6673 }
6674 }
6675
nft_flowtable_update(struct nft_ctx * ctx,const struct nlmsghdr * nlh,struct nft_flowtable * flowtable)6676 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
6677 struct nft_flowtable *flowtable)
6678 {
6679 const struct nlattr * const *nla = ctx->nla;
6680 struct nft_flowtable_hook flowtable_hook;
6681 struct nft_hook *hook, *next;
6682 struct nft_trans *trans;
6683 bool unregister = false;
6684 u32 flags;
6685 int err;
6686
6687 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
6688 &flowtable_hook, flowtable, false);
6689 if (err < 0)
6690 return err;
6691
6692 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
6693 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
6694 list_del(&hook->list);
6695 kfree(hook);
6696 }
6697 }
6698
6699 if (nla[NFTA_FLOWTABLE_FLAGS]) {
6700 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
6701 if (flags & ~NFT_FLOWTABLE_MASK)
6702 return -EOPNOTSUPP;
6703 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^
6704 (flags & NFT_FLOWTABLE_HW_OFFLOAD))
6705 return -EOPNOTSUPP;
6706 } else {
6707 flags = flowtable->data.flags;
6708 }
6709
6710 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
6711 &flowtable_hook.list, flowtable);
6712 if (err < 0)
6713 goto err_flowtable_update_hook;
6714
6715 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
6716 sizeof(struct nft_trans_flowtable));
6717 if (!trans) {
6718 unregister = true;
6719 err = -ENOMEM;
6720 goto err_flowtable_update_hook;
6721 }
6722
6723 nft_trans_flowtable_flags(trans) = flags;
6724 nft_trans_flowtable(trans) = flowtable;
6725 nft_trans_flowtable_update(trans) = true;
6726 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
6727 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
6728
6729 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
6730
6731 return 0;
6732
6733 err_flowtable_update_hook:
6734 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
6735 if (unregister)
6736 nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
6737 list_del_rcu(&hook->list);
6738 kfree_rcu(hook, rcu);
6739 }
6740
6741 return err;
6742
6743 }
6744
nf_tables_newflowtable(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)6745 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
6746 struct sk_buff *skb,
6747 const struct nlmsghdr *nlh,
6748 const struct nlattr * const nla[],
6749 struct netlink_ext_ack *extack)
6750 {
6751 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6752 struct nft_flowtable_hook flowtable_hook;
6753 const struct nf_flowtable_type *type;
6754 u8 genmask = nft_genmask_next(net);
6755 int family = nfmsg->nfgen_family;
6756 struct nft_flowtable *flowtable;
6757 struct nft_hook *hook, *next;
6758 struct nft_table *table;
6759 struct nft_ctx ctx;
6760 int err;
6761
6762 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6763 !nla[NFTA_FLOWTABLE_NAME] ||
6764 !nla[NFTA_FLOWTABLE_HOOK])
6765 return -EINVAL;
6766
6767 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6768 genmask);
6769 if (IS_ERR(table)) {
6770 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6771 return PTR_ERR(table);
6772 }
6773
6774 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6775 genmask);
6776 if (IS_ERR(flowtable)) {
6777 err = PTR_ERR(flowtable);
6778 if (err != -ENOENT) {
6779 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6780 return err;
6781 }
6782 } else {
6783 if (nlh->nlmsg_flags & NLM_F_EXCL) {
6784 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
6785 return -EEXIST;
6786 }
6787
6788 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6789
6790 return nft_flowtable_update(&ctx, nlh, flowtable);
6791 }
6792
6793 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6794
6795 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
6796 if (!flowtable)
6797 return -ENOMEM;
6798
6799 flowtable->table = table;
6800 flowtable->handle = nf_tables_alloc_handle(table);
6801 INIT_LIST_HEAD(&flowtable->hook_list);
6802
6803 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
6804 if (!flowtable->name) {
6805 err = -ENOMEM;
6806 goto err1;
6807 }
6808
6809 type = nft_flowtable_type_get(net, family);
6810 if (IS_ERR(type)) {
6811 err = PTR_ERR(type);
6812 goto err2;
6813 }
6814
6815 if (nla[NFTA_FLOWTABLE_FLAGS]) {
6816 flowtable->data.flags =
6817 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
6818 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) {
6819 err = -EOPNOTSUPP;
6820 goto err3;
6821 }
6822 }
6823
6824 write_pnet(&flowtable->data.net, net);
6825 flowtable->data.type = type;
6826 err = type->init(&flowtable->data);
6827 if (err < 0)
6828 goto err3;
6829
6830 err = nft_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
6831 &flowtable_hook, flowtable, true);
6832 if (err < 0)
6833 goto err4;
6834
6835 list_splice(&flowtable_hook.list, &flowtable->hook_list);
6836 flowtable->data.priority = flowtable_hook.priority;
6837 flowtable->hooknum = flowtable_hook.num;
6838
6839 err = nft_register_flowtable_net_hooks(ctx.net, table,
6840 &flowtable->hook_list,
6841 flowtable);
6842 if (err < 0) {
6843 nft_flowtable_hooks_destroy(&flowtable->hook_list);
6844 goto err4;
6845 }
6846
6847 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
6848 if (err < 0)
6849 goto err5;
6850
6851 list_add_tail_rcu(&flowtable->list, &table->flowtables);
6852 table->use++;
6853
6854 return 0;
6855 err5:
6856 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
6857 nft_unregister_flowtable_hook(net, flowtable, hook);
6858 list_del_rcu(&hook->list);
6859 kfree_rcu(hook, rcu);
6860 }
6861 err4:
6862 flowtable->data.type->free(&flowtable->data);
6863 err3:
6864 module_put(type->owner);
6865 err2:
6866 kfree(flowtable->name);
6867 err1:
6868 kfree(flowtable);
6869 return err;
6870 }
6871
nft_flowtable_hook_release(struct nft_flowtable_hook * flowtable_hook)6872 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
6873 {
6874 struct nft_hook *this, *next;
6875
6876 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
6877 list_del(&this->list);
6878 kfree(this);
6879 }
6880 }
6881
nft_delflowtable_hook(struct nft_ctx * ctx,struct nft_flowtable * flowtable)6882 static int nft_delflowtable_hook(struct nft_ctx *ctx,
6883 struct nft_flowtable *flowtable)
6884 {
6885 const struct nlattr * const *nla = ctx->nla;
6886 struct nft_flowtable_hook flowtable_hook;
6887 struct nft_hook *this, *hook;
6888 struct nft_trans *trans;
6889 int err;
6890
6891 err = nft_flowtable_parse_hook(ctx, nla[NFTA_FLOWTABLE_HOOK],
6892 &flowtable_hook, flowtable, false);
6893 if (err < 0)
6894 return err;
6895
6896 list_for_each_entry(this, &flowtable_hook.list, list) {
6897 hook = nft_hook_list_find(&flowtable->hook_list, this);
6898 if (!hook) {
6899 err = -ENOENT;
6900 goto err_flowtable_del_hook;
6901 }
6902 hook->inactive = true;
6903 }
6904
6905 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
6906 sizeof(struct nft_trans_flowtable));
6907 if (!trans) {
6908 err = -ENOMEM;
6909 goto err_flowtable_del_hook;
6910 }
6911
6912 nft_trans_flowtable(trans) = flowtable;
6913 nft_trans_flowtable_update(trans) = true;
6914 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
6915 nft_flowtable_hook_release(&flowtable_hook);
6916
6917 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
6918
6919 return 0;
6920
6921 err_flowtable_del_hook:
6922 list_for_each_entry(this, &flowtable_hook.list, list) {
6923 hook = nft_hook_list_find(&flowtable->hook_list, this);
6924 if (!hook)
6925 break;
6926
6927 hook->inactive = false;
6928 }
6929 nft_flowtable_hook_release(&flowtable_hook);
6930
6931 return err;
6932 }
6933
nf_tables_delflowtable(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)6934 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
6935 struct sk_buff *skb,
6936 const struct nlmsghdr *nlh,
6937 const struct nlattr * const nla[],
6938 struct netlink_ext_ack *extack)
6939 {
6940 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6941 u8 genmask = nft_genmask_next(net);
6942 int family = nfmsg->nfgen_family;
6943 struct nft_flowtable *flowtable;
6944 const struct nlattr *attr;
6945 struct nft_table *table;
6946 struct nft_ctx ctx;
6947
6948 if (!nla[NFTA_FLOWTABLE_TABLE] ||
6949 (!nla[NFTA_FLOWTABLE_NAME] &&
6950 !nla[NFTA_FLOWTABLE_HANDLE]))
6951 return -EINVAL;
6952
6953 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6954 genmask);
6955 if (IS_ERR(table)) {
6956 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
6957 return PTR_ERR(table);
6958 }
6959
6960 if (nla[NFTA_FLOWTABLE_HANDLE]) {
6961 attr = nla[NFTA_FLOWTABLE_HANDLE];
6962 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
6963 } else {
6964 attr = nla[NFTA_FLOWTABLE_NAME];
6965 flowtable = nft_flowtable_lookup(table, attr, genmask);
6966 }
6967
6968 if (IS_ERR(flowtable)) {
6969 NL_SET_BAD_ATTR(extack, attr);
6970 return PTR_ERR(flowtable);
6971 }
6972
6973 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
6974
6975 if (nla[NFTA_FLOWTABLE_HOOK])
6976 return nft_delflowtable_hook(&ctx, flowtable);
6977
6978 if (flowtable->use > 0) {
6979 NL_SET_BAD_ATTR(extack, attr);
6980 return -EBUSY;
6981 }
6982
6983 return nft_delflowtable(&ctx, flowtable);
6984 }
6985
nf_tables_fill_flowtable_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,struct nft_flowtable * flowtable,struct list_head * hook_list)6986 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
6987 u32 portid, u32 seq, int event,
6988 u32 flags, int family,
6989 struct nft_flowtable *flowtable,
6990 struct list_head *hook_list)
6991 {
6992 struct nlattr *nest, *nest_devs;
6993 struct nfgenmsg *nfmsg;
6994 struct nft_hook *hook;
6995 struct nlmsghdr *nlh;
6996
6997 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6998 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
6999 if (nlh == NULL)
7000 goto nla_put_failure;
7001
7002 nfmsg = nlmsg_data(nlh);
7003 nfmsg->nfgen_family = family;
7004 nfmsg->version = NFNETLINK_V0;
7005 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
7006
7007 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
7008 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
7009 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
7010 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
7011 NFTA_FLOWTABLE_PAD) ||
7012 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
7013 goto nla_put_failure;
7014
7015 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
7016 if (!nest)
7017 goto nla_put_failure;
7018 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
7019 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
7020 goto nla_put_failure;
7021
7022 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
7023 if (!nest_devs)
7024 goto nla_put_failure;
7025
7026 list_for_each_entry_rcu(hook, hook_list, list) {
7027 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
7028 goto nla_put_failure;
7029 }
7030 nla_nest_end(skb, nest_devs);
7031 nla_nest_end(skb, nest);
7032
7033 nlmsg_end(skb, nlh);
7034 return 0;
7035
7036 nla_put_failure:
7037 nlmsg_trim(skb, nlh);
7038 return -1;
7039 }
7040
7041 struct nft_flowtable_filter {
7042 char *table;
7043 };
7044
nf_tables_dump_flowtable(struct sk_buff * skb,struct netlink_callback * cb)7045 static int nf_tables_dump_flowtable(struct sk_buff *skb,
7046 struct netlink_callback *cb)
7047 {
7048 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
7049 struct nft_flowtable_filter *filter = cb->data;
7050 unsigned int idx = 0, s_idx = cb->args[0];
7051 struct net *net = sock_net(skb->sk);
7052 int family = nfmsg->nfgen_family;
7053 struct nft_flowtable *flowtable;
7054 const struct nft_table *table;
7055
7056 rcu_read_lock();
7057 cb->seq = net->nft.base_seq;
7058
7059 list_for_each_entry_rcu(table, &net->nft.tables, list) {
7060 if (family != NFPROTO_UNSPEC && family != table->family)
7061 continue;
7062
7063 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
7064 if (!nft_is_active(net, flowtable))
7065 goto cont;
7066 if (idx < s_idx)
7067 goto cont;
7068 if (idx > s_idx)
7069 memset(&cb->args[1], 0,
7070 sizeof(cb->args) - sizeof(cb->args[0]));
7071 if (filter && filter->table &&
7072 strcmp(filter->table, table->name))
7073 goto cont;
7074
7075 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
7076 cb->nlh->nlmsg_seq,
7077 NFT_MSG_NEWFLOWTABLE,
7078 NLM_F_MULTI | NLM_F_APPEND,
7079 table->family,
7080 flowtable,
7081 &flowtable->hook_list) < 0)
7082 goto done;
7083
7084 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
7085 cont:
7086 idx++;
7087 }
7088 }
7089 done:
7090 rcu_read_unlock();
7091
7092 cb->args[0] = idx;
7093 return skb->len;
7094 }
7095
nf_tables_dump_flowtable_start(struct netlink_callback * cb)7096 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
7097 {
7098 const struct nlattr * const *nla = cb->data;
7099 struct nft_flowtable_filter *filter = NULL;
7100
7101 if (nla[NFTA_FLOWTABLE_TABLE]) {
7102 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
7103 if (!filter)
7104 return -ENOMEM;
7105
7106 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
7107 GFP_ATOMIC);
7108 if (!filter->table) {
7109 kfree(filter);
7110 return -ENOMEM;
7111 }
7112 }
7113
7114 cb->data = filter;
7115 return 0;
7116 }
7117
nf_tables_dump_flowtable_done(struct netlink_callback * cb)7118 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
7119 {
7120 struct nft_flowtable_filter *filter = cb->data;
7121
7122 if (!filter)
7123 return 0;
7124
7125 kfree(filter->table);
7126 kfree(filter);
7127
7128 return 0;
7129 }
7130
7131 /* called with rcu_read_lock held */
nf_tables_getflowtable(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)7132 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
7133 struct sk_buff *skb,
7134 const struct nlmsghdr *nlh,
7135 const struct nlattr * const nla[],
7136 struct netlink_ext_ack *extack)
7137 {
7138 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
7139 u8 genmask = nft_genmask_cur(net);
7140 int family = nfmsg->nfgen_family;
7141 struct nft_flowtable *flowtable;
7142 const struct nft_table *table;
7143 struct sk_buff *skb2;
7144 int err;
7145
7146 if (nlh->nlmsg_flags & NLM_F_DUMP) {
7147 struct netlink_dump_control c = {
7148 .start = nf_tables_dump_flowtable_start,
7149 .dump = nf_tables_dump_flowtable,
7150 .done = nf_tables_dump_flowtable_done,
7151 .module = THIS_MODULE,
7152 .data = (void *)nla,
7153 };
7154
7155 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
7156 }
7157
7158 if (!nla[NFTA_FLOWTABLE_NAME])
7159 return -EINVAL;
7160
7161 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
7162 genmask);
7163 if (IS_ERR(table))
7164 return PTR_ERR(table);
7165
7166 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
7167 genmask);
7168 if (IS_ERR(flowtable))
7169 return PTR_ERR(flowtable);
7170
7171 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7172 if (!skb2)
7173 return -ENOMEM;
7174
7175 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
7176 nlh->nlmsg_seq,
7177 NFT_MSG_NEWFLOWTABLE, 0, family,
7178 flowtable, &flowtable->hook_list);
7179 if (err < 0)
7180 goto err_fill_flowtable_info;
7181
7182 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7183
7184 err_fill_flowtable_info:
7185 kfree_skb(skb2);
7186 return err;
7187 }
7188
nf_tables_flowtable_notify(struct nft_ctx * ctx,struct nft_flowtable * flowtable,struct list_head * hook_list,int event)7189 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
7190 struct nft_flowtable *flowtable,
7191 struct list_head *hook_list,
7192 int event)
7193 {
7194 struct sk_buff *skb;
7195 int err;
7196 char *buf = kasprintf(GFP_KERNEL, "%s:%llu;%s:%llu",
7197 flowtable->table->name, flowtable->table->handle,
7198 flowtable->name, flowtable->handle);
7199
7200 audit_log_nfcfg(buf,
7201 ctx->family,
7202 flowtable->hooknum,
7203 event == NFT_MSG_NEWFLOWTABLE ?
7204 AUDIT_NFT_OP_FLOWTABLE_REGISTER :
7205 AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
7206 GFP_KERNEL);
7207 kfree(buf);
7208
7209 if (!ctx->report &&
7210 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
7211 return;
7212
7213 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
7214 if (skb == NULL)
7215 goto err;
7216
7217 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
7218 ctx->seq, event, 0,
7219 ctx->family, flowtable, hook_list);
7220 if (err < 0) {
7221 kfree_skb(skb);
7222 goto err;
7223 }
7224
7225 nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list);
7226 return;
7227 err:
7228 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
7229 }
7230
nf_tables_flowtable_destroy(struct nft_flowtable * flowtable)7231 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
7232 {
7233 struct nft_hook *hook, *next;
7234
7235 flowtable->data.type->free(&flowtable->data);
7236 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7237 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
7238 FLOW_BLOCK_UNBIND);
7239 list_del_rcu(&hook->list);
7240 kfree(hook);
7241 }
7242 kfree(flowtable->name);
7243 module_put(flowtable->data.type->owner);
7244 kfree(flowtable);
7245 }
7246
nf_tables_fill_gen_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq)7247 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
7248 u32 portid, u32 seq)
7249 {
7250 struct nlmsghdr *nlh;
7251 struct nfgenmsg *nfmsg;
7252 char buf[TASK_COMM_LEN];
7253 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
7254
7255 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
7256 if (nlh == NULL)
7257 goto nla_put_failure;
7258
7259 nfmsg = nlmsg_data(nlh);
7260 nfmsg->nfgen_family = AF_UNSPEC;
7261 nfmsg->version = NFNETLINK_V0;
7262 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
7263
7264 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
7265 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
7266 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
7267 goto nla_put_failure;
7268
7269 nlmsg_end(skb, nlh);
7270 return 0;
7271
7272 nla_put_failure:
7273 nlmsg_trim(skb, nlh);
7274 return -EMSGSIZE;
7275 }
7276
nft_flowtable_event(unsigned long event,struct net_device * dev,struct nft_flowtable * flowtable)7277 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
7278 struct nft_flowtable *flowtable)
7279 {
7280 struct nft_hook *hook;
7281
7282 list_for_each_entry(hook, &flowtable->hook_list, list) {
7283 if (hook->ops.dev != dev)
7284 continue;
7285
7286 /* flow_offload_netdev_event() cleans up entries for us. */
7287 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
7288 list_del_rcu(&hook->list);
7289 kfree_rcu(hook, rcu);
7290 break;
7291 }
7292 }
7293
nf_tables_flowtable_event(struct notifier_block * this,unsigned long event,void * ptr)7294 static int nf_tables_flowtable_event(struct notifier_block *this,
7295 unsigned long event, void *ptr)
7296 {
7297 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
7298 struct nft_flowtable *flowtable;
7299 struct nft_table *table;
7300 struct net *net;
7301
7302 if (event != NETDEV_UNREGISTER)
7303 return 0;
7304
7305 net = dev_net(dev);
7306 mutex_lock(&net->nft.commit_mutex);
7307 list_for_each_entry(table, &net->nft.tables, list) {
7308 list_for_each_entry(flowtable, &table->flowtables, list) {
7309 nft_flowtable_event(event, dev, flowtable);
7310 }
7311 }
7312 mutex_unlock(&net->nft.commit_mutex);
7313
7314 return NOTIFY_DONE;
7315 }
7316
7317 static struct notifier_block nf_tables_flowtable_notifier = {
7318 .notifier_call = nf_tables_flowtable_event,
7319 };
7320
nf_tables_gen_notify(struct net * net,struct sk_buff * skb,int event)7321 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
7322 int event)
7323 {
7324 struct nlmsghdr *nlh = nlmsg_hdr(skb);
7325 struct sk_buff *skb2;
7326 int err;
7327
7328 audit_log_nfcfg("?:0;?:0", 0, net->nft.base_seq,
7329 AUDIT_NFT_OP_GEN_REGISTER, GFP_KERNEL);
7330
7331 if (!nlmsg_report(nlh) &&
7332 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
7333 return;
7334
7335 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
7336 if (skb2 == NULL)
7337 goto err;
7338
7339 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
7340 nlh->nlmsg_seq);
7341 if (err < 0) {
7342 kfree_skb(skb2);
7343 goto err;
7344 }
7345
7346 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
7347 nlmsg_report(nlh), GFP_KERNEL);
7348 return;
7349 err:
7350 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
7351 -ENOBUFS);
7352 }
7353
nf_tables_getgen(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)7354 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
7355 struct sk_buff *skb, const struct nlmsghdr *nlh,
7356 const struct nlattr * const nla[],
7357 struct netlink_ext_ack *extack)
7358 {
7359 struct sk_buff *skb2;
7360 int err;
7361
7362 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
7363 if (skb2 == NULL)
7364 return -ENOMEM;
7365
7366 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
7367 nlh->nlmsg_seq);
7368 if (err < 0)
7369 goto err_fill_gen_info;
7370
7371 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
7372
7373 err_fill_gen_info:
7374 kfree_skb(skb2);
7375 return err;
7376 }
7377
7378 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
7379 [NFT_MSG_NEWTABLE] = {
7380 .call_batch = nf_tables_newtable,
7381 .attr_count = NFTA_TABLE_MAX,
7382 .policy = nft_table_policy,
7383 },
7384 [NFT_MSG_GETTABLE] = {
7385 .call_rcu = nf_tables_gettable,
7386 .attr_count = NFTA_TABLE_MAX,
7387 .policy = nft_table_policy,
7388 },
7389 [NFT_MSG_DELTABLE] = {
7390 .call_batch = nf_tables_deltable,
7391 .attr_count = NFTA_TABLE_MAX,
7392 .policy = nft_table_policy,
7393 },
7394 [NFT_MSG_NEWCHAIN] = {
7395 .call_batch = nf_tables_newchain,
7396 .attr_count = NFTA_CHAIN_MAX,
7397 .policy = nft_chain_policy,
7398 },
7399 [NFT_MSG_GETCHAIN] = {
7400 .call_rcu = nf_tables_getchain,
7401 .attr_count = NFTA_CHAIN_MAX,
7402 .policy = nft_chain_policy,
7403 },
7404 [NFT_MSG_DELCHAIN] = {
7405 .call_batch = nf_tables_delchain,
7406 .attr_count = NFTA_CHAIN_MAX,
7407 .policy = nft_chain_policy,
7408 },
7409 [NFT_MSG_NEWRULE] = {
7410 .call_batch = nf_tables_newrule,
7411 .attr_count = NFTA_RULE_MAX,
7412 .policy = nft_rule_policy,
7413 },
7414 [NFT_MSG_GETRULE] = {
7415 .call_rcu = nf_tables_getrule,
7416 .attr_count = NFTA_RULE_MAX,
7417 .policy = nft_rule_policy,
7418 },
7419 [NFT_MSG_DELRULE] = {
7420 .call_batch = nf_tables_delrule,
7421 .attr_count = NFTA_RULE_MAX,
7422 .policy = nft_rule_policy,
7423 },
7424 [NFT_MSG_NEWSET] = {
7425 .call_batch = nf_tables_newset,
7426 .attr_count = NFTA_SET_MAX,
7427 .policy = nft_set_policy,
7428 },
7429 [NFT_MSG_GETSET] = {
7430 .call_rcu = nf_tables_getset,
7431 .attr_count = NFTA_SET_MAX,
7432 .policy = nft_set_policy,
7433 },
7434 [NFT_MSG_DELSET] = {
7435 .call_batch = nf_tables_delset,
7436 .attr_count = NFTA_SET_MAX,
7437 .policy = nft_set_policy,
7438 },
7439 [NFT_MSG_NEWSETELEM] = {
7440 .call_batch = nf_tables_newsetelem,
7441 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7442 .policy = nft_set_elem_list_policy,
7443 },
7444 [NFT_MSG_GETSETELEM] = {
7445 .call_rcu = nf_tables_getsetelem,
7446 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7447 .policy = nft_set_elem_list_policy,
7448 },
7449 [NFT_MSG_DELSETELEM] = {
7450 .call_batch = nf_tables_delsetelem,
7451 .attr_count = NFTA_SET_ELEM_LIST_MAX,
7452 .policy = nft_set_elem_list_policy,
7453 },
7454 [NFT_MSG_GETGEN] = {
7455 .call_rcu = nf_tables_getgen,
7456 },
7457 [NFT_MSG_NEWOBJ] = {
7458 .call_batch = nf_tables_newobj,
7459 .attr_count = NFTA_OBJ_MAX,
7460 .policy = nft_obj_policy,
7461 },
7462 [NFT_MSG_GETOBJ] = {
7463 .call_rcu = nf_tables_getobj,
7464 .attr_count = NFTA_OBJ_MAX,
7465 .policy = nft_obj_policy,
7466 },
7467 [NFT_MSG_DELOBJ] = {
7468 .call_batch = nf_tables_delobj,
7469 .attr_count = NFTA_OBJ_MAX,
7470 .policy = nft_obj_policy,
7471 },
7472 [NFT_MSG_GETOBJ_RESET] = {
7473 .call_rcu = nf_tables_getobj,
7474 .attr_count = NFTA_OBJ_MAX,
7475 .policy = nft_obj_policy,
7476 },
7477 [NFT_MSG_NEWFLOWTABLE] = {
7478 .call_batch = nf_tables_newflowtable,
7479 .attr_count = NFTA_FLOWTABLE_MAX,
7480 .policy = nft_flowtable_policy,
7481 },
7482 [NFT_MSG_GETFLOWTABLE] = {
7483 .call_rcu = nf_tables_getflowtable,
7484 .attr_count = NFTA_FLOWTABLE_MAX,
7485 .policy = nft_flowtable_policy,
7486 },
7487 [NFT_MSG_DELFLOWTABLE] = {
7488 .call_batch = nf_tables_delflowtable,
7489 .attr_count = NFTA_FLOWTABLE_MAX,
7490 .policy = nft_flowtable_policy,
7491 },
7492 };
7493
nf_tables_validate(struct net * net)7494 static int nf_tables_validate(struct net *net)
7495 {
7496 struct nft_table *table;
7497
7498 switch (net->nft.validate_state) {
7499 case NFT_VALIDATE_SKIP:
7500 break;
7501 case NFT_VALIDATE_NEED:
7502 nft_validate_state_update(net, NFT_VALIDATE_DO);
7503 fallthrough;
7504 case NFT_VALIDATE_DO:
7505 list_for_each_entry(table, &net->nft.tables, list) {
7506 if (nft_table_validate(net, table) < 0)
7507 return -EAGAIN;
7508 }
7509 break;
7510 }
7511
7512 return 0;
7513 }
7514
7515 /* a drop policy has to be deferred until all rules have been activated,
7516 * otherwise a large ruleset that contains a drop-policy base chain will
7517 * cause all packets to get dropped until the full transaction has been
7518 * processed.
7519 *
7520 * We defer the drop policy until the transaction has been finalized.
7521 */
nft_chain_commit_drop_policy(struct nft_trans * trans)7522 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
7523 {
7524 struct nft_base_chain *basechain;
7525
7526 if (nft_trans_chain_policy(trans) != NF_DROP)
7527 return;
7528
7529 if (!nft_is_base_chain(trans->ctx.chain))
7530 return;
7531
7532 basechain = nft_base_chain(trans->ctx.chain);
7533 basechain->policy = NF_DROP;
7534 }
7535
nft_chain_commit_update(struct nft_trans * trans)7536 static void nft_chain_commit_update(struct nft_trans *trans)
7537 {
7538 struct nft_base_chain *basechain;
7539
7540 if (nft_trans_chain_name(trans)) {
7541 rhltable_remove(&trans->ctx.table->chains_ht,
7542 &trans->ctx.chain->rhlhead,
7543 nft_chain_ht_params);
7544 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
7545 rhltable_insert_key(&trans->ctx.table->chains_ht,
7546 trans->ctx.chain->name,
7547 &trans->ctx.chain->rhlhead,
7548 nft_chain_ht_params);
7549 }
7550
7551 if (!nft_is_base_chain(trans->ctx.chain))
7552 return;
7553
7554 nft_chain_stats_replace(trans);
7555
7556 basechain = nft_base_chain(trans->ctx.chain);
7557
7558 switch (nft_trans_chain_policy(trans)) {
7559 case NF_DROP:
7560 case NF_ACCEPT:
7561 basechain->policy = nft_trans_chain_policy(trans);
7562 break;
7563 }
7564 }
7565
nft_obj_commit_update(struct nft_trans * trans)7566 static void nft_obj_commit_update(struct nft_trans *trans)
7567 {
7568 struct nft_object *newobj;
7569 struct nft_object *obj;
7570
7571 obj = nft_trans_obj(trans);
7572 newobj = nft_trans_obj_newobj(trans);
7573
7574 if (obj->ops->update)
7575 obj->ops->update(obj, newobj);
7576
7577 kfree(newobj);
7578 }
7579
nft_commit_release(struct nft_trans * trans)7580 static void nft_commit_release(struct nft_trans *trans)
7581 {
7582 switch (trans->msg_type) {
7583 case NFT_MSG_DELTABLE:
7584 nf_tables_table_destroy(&trans->ctx);
7585 break;
7586 case NFT_MSG_NEWCHAIN:
7587 free_percpu(nft_trans_chain_stats(trans));
7588 kfree(nft_trans_chain_name(trans));
7589 break;
7590 case NFT_MSG_DELCHAIN:
7591 nf_tables_chain_destroy(&trans->ctx);
7592 break;
7593 case NFT_MSG_DELRULE:
7594 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
7595 break;
7596 case NFT_MSG_DELSET:
7597 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
7598 break;
7599 case NFT_MSG_DELSETELEM:
7600 nf_tables_set_elem_destroy(&trans->ctx,
7601 nft_trans_elem_set(trans),
7602 nft_trans_elem(trans).priv);
7603 break;
7604 case NFT_MSG_DELOBJ:
7605 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
7606 break;
7607 case NFT_MSG_DELFLOWTABLE:
7608 if (nft_trans_flowtable_update(trans))
7609 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
7610 else
7611 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
7612 break;
7613 }
7614
7615 if (trans->put_net)
7616 put_net(trans->ctx.net);
7617
7618 kfree(trans);
7619 }
7620
nf_tables_trans_destroy_work(struct work_struct * w)7621 static void nf_tables_trans_destroy_work(struct work_struct *w)
7622 {
7623 struct nft_trans *trans, *next;
7624 LIST_HEAD(head);
7625
7626 spin_lock(&nf_tables_destroy_list_lock);
7627 list_splice_init(&nf_tables_destroy_list, &head);
7628 spin_unlock(&nf_tables_destroy_list_lock);
7629
7630 if (list_empty(&head))
7631 return;
7632
7633 synchronize_rcu();
7634
7635 list_for_each_entry_safe(trans, next, &head, list) {
7636 list_del(&trans->list);
7637 nft_commit_release(trans);
7638 }
7639 }
7640
nf_tables_trans_destroy_flush_work(void)7641 void nf_tables_trans_destroy_flush_work(void)
7642 {
7643 flush_work(&trans_destroy_work);
7644 }
7645 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
7646
nf_tables_commit_chain_prepare(struct net * net,struct nft_chain * chain)7647 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
7648 {
7649 struct nft_rule *rule;
7650 unsigned int alloc = 0;
7651 int i;
7652
7653 /* already handled or inactive chain? */
7654 if (chain->rules_next || !nft_is_active_next(net, chain))
7655 return 0;
7656
7657 rule = list_entry(&chain->rules, struct nft_rule, list);
7658 i = 0;
7659
7660 list_for_each_entry_continue(rule, &chain->rules, list) {
7661 if (nft_is_active_next(net, rule))
7662 alloc++;
7663 }
7664
7665 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
7666 if (!chain->rules_next)
7667 return -ENOMEM;
7668
7669 list_for_each_entry_continue(rule, &chain->rules, list) {
7670 if (nft_is_active_next(net, rule))
7671 chain->rules_next[i++] = rule;
7672 }
7673
7674 chain->rules_next[i] = NULL;
7675 return 0;
7676 }
7677
nf_tables_commit_chain_prepare_cancel(struct net * net)7678 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
7679 {
7680 struct nft_trans *trans, *next;
7681
7682 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7683 struct nft_chain *chain = trans->ctx.chain;
7684
7685 if (trans->msg_type == NFT_MSG_NEWRULE ||
7686 trans->msg_type == NFT_MSG_DELRULE) {
7687 kvfree(chain->rules_next);
7688 chain->rules_next = NULL;
7689 }
7690 }
7691 }
7692
__nf_tables_commit_chain_free_rules_old(struct rcu_head * h)7693 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
7694 {
7695 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
7696
7697 kvfree(o->start);
7698 }
7699
nf_tables_commit_chain_free_rules_old(struct nft_rule ** rules)7700 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
7701 {
7702 struct nft_rule **r = rules;
7703 struct nft_rules_old *old;
7704
7705 while (*r)
7706 r++;
7707
7708 r++; /* rcu_head is after end marker */
7709 old = (void *) r;
7710 old->start = rules;
7711
7712 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
7713 }
7714
nf_tables_commit_chain(struct net * net,struct nft_chain * chain)7715 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
7716 {
7717 struct nft_rule **g0, **g1;
7718 bool next_genbit;
7719
7720 next_genbit = nft_gencursor_next(net);
7721
7722 g0 = rcu_dereference_protected(chain->rules_gen_0,
7723 lockdep_commit_lock_is_held(net));
7724 g1 = rcu_dereference_protected(chain->rules_gen_1,
7725 lockdep_commit_lock_is_held(net));
7726
7727 /* No changes to this chain? */
7728 if (chain->rules_next == NULL) {
7729 /* chain had no change in last or next generation */
7730 if (g0 == g1)
7731 return;
7732 /*
7733 * chain had no change in this generation; make sure next
7734 * one uses same rules as current generation.
7735 */
7736 if (next_genbit) {
7737 rcu_assign_pointer(chain->rules_gen_1, g0);
7738 nf_tables_commit_chain_free_rules_old(g1);
7739 } else {
7740 rcu_assign_pointer(chain->rules_gen_0, g1);
7741 nf_tables_commit_chain_free_rules_old(g0);
7742 }
7743
7744 return;
7745 }
7746
7747 if (next_genbit)
7748 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
7749 else
7750 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
7751
7752 chain->rules_next = NULL;
7753
7754 if (g0 == g1)
7755 return;
7756
7757 if (next_genbit)
7758 nf_tables_commit_chain_free_rules_old(g1);
7759 else
7760 nf_tables_commit_chain_free_rules_old(g0);
7761 }
7762
nft_obj_del(struct nft_object * obj)7763 static void nft_obj_del(struct nft_object *obj)
7764 {
7765 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
7766 list_del_rcu(&obj->list);
7767 }
7768
nft_chain_del(struct nft_chain * chain)7769 void nft_chain_del(struct nft_chain *chain)
7770 {
7771 struct nft_table *table = chain->table;
7772
7773 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
7774 nft_chain_ht_params));
7775 list_del_rcu(&chain->list);
7776 }
7777
nft_flowtable_hooks_del(struct nft_flowtable * flowtable,struct list_head * hook_list)7778 static void nft_flowtable_hooks_del(struct nft_flowtable *flowtable,
7779 struct list_head *hook_list)
7780 {
7781 struct nft_hook *hook, *next;
7782
7783 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
7784 if (hook->inactive)
7785 list_move(&hook->list, hook_list);
7786 }
7787 }
7788
nf_tables_module_autoload_cleanup(struct net * net)7789 static void nf_tables_module_autoload_cleanup(struct net *net)
7790 {
7791 struct nft_module_request *req, *next;
7792
7793 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
7794 list_for_each_entry_safe(req, next, &net->nft.module_list, list) {
7795 WARN_ON_ONCE(!req->done);
7796 list_del(&req->list);
7797 kfree(req);
7798 }
7799 }
7800
nf_tables_commit_release(struct net * net)7801 static void nf_tables_commit_release(struct net *net)
7802 {
7803 struct nft_trans *trans;
7804
7805 /* all side effects have to be made visible.
7806 * For example, if a chain named 'foo' has been deleted, a
7807 * new transaction must not find it anymore.
7808 *
7809 * Memory reclaim happens asynchronously from work queue
7810 * to prevent expensive synchronize_rcu() in commit phase.
7811 */
7812 if (list_empty(&net->nft.commit_list)) {
7813 nf_tables_module_autoload_cleanup(net);
7814 mutex_unlock(&net->nft.commit_mutex);
7815 return;
7816 }
7817
7818 trans = list_last_entry(&net->nft.commit_list,
7819 struct nft_trans, list);
7820 get_net(trans->ctx.net);
7821 WARN_ON_ONCE(trans->put_net);
7822
7823 trans->put_net = true;
7824 spin_lock(&nf_tables_destroy_list_lock);
7825 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
7826 spin_unlock(&nf_tables_destroy_list_lock);
7827
7828 nf_tables_module_autoload_cleanup(net);
7829 schedule_work(&trans_destroy_work);
7830
7831 mutex_unlock(&net->nft.commit_mutex);
7832 }
7833
nft_commit_notify(struct net * net,u32 portid)7834 static void nft_commit_notify(struct net *net, u32 portid)
7835 {
7836 struct sk_buff *batch_skb = NULL, *nskb, *skb;
7837 unsigned char *data;
7838 int len;
7839
7840 list_for_each_entry_safe(skb, nskb, &net->nft.notify_list, list) {
7841 if (!batch_skb) {
7842 new_batch:
7843 batch_skb = skb;
7844 len = NLMSG_GOODSIZE - skb->len;
7845 list_del(&skb->list);
7846 continue;
7847 }
7848 len -= skb->len;
7849 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
7850 data = skb_put(batch_skb, skb->len);
7851 memcpy(data, skb->data, skb->len);
7852 list_del(&skb->list);
7853 kfree_skb(skb);
7854 continue;
7855 }
7856 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
7857 NFT_CB(batch_skb).report, GFP_KERNEL);
7858 goto new_batch;
7859 }
7860
7861 if (batch_skb) {
7862 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
7863 NFT_CB(batch_skb).report, GFP_KERNEL);
7864 }
7865
7866 WARN_ON_ONCE(!list_empty(&net->nft.notify_list));
7867 }
7868
nf_tables_commit(struct net * net,struct sk_buff * skb)7869 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
7870 {
7871 struct nft_trans *trans, *next;
7872 struct nft_trans_elem *te;
7873 struct nft_chain *chain;
7874 struct nft_table *table;
7875 int err;
7876
7877 if (list_empty(&net->nft.commit_list)) {
7878 mutex_unlock(&net->nft.commit_mutex);
7879 return 0;
7880 }
7881
7882 /* 0. Validate ruleset, otherwise roll back for error reporting. */
7883 if (nf_tables_validate(net) < 0)
7884 return -EAGAIN;
7885
7886 err = nft_flow_rule_offload_commit(net);
7887 if (err < 0)
7888 return err;
7889
7890 /* 1. Allocate space for next generation rules_gen_X[] */
7891 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7892 int ret;
7893
7894 if (trans->msg_type == NFT_MSG_NEWRULE ||
7895 trans->msg_type == NFT_MSG_DELRULE) {
7896 chain = trans->ctx.chain;
7897
7898 ret = nf_tables_commit_chain_prepare(net, chain);
7899 if (ret < 0) {
7900 nf_tables_commit_chain_prepare_cancel(net);
7901 return ret;
7902 }
7903 }
7904 }
7905
7906 /* step 2. Make rules_gen_X visible to packet path */
7907 list_for_each_entry(table, &net->nft.tables, list) {
7908 list_for_each_entry(chain, &table->chains, list)
7909 nf_tables_commit_chain(net, chain);
7910 }
7911
7912 /*
7913 * Bump generation counter, invalidate any dump in progress.
7914 * Cannot fail after this point.
7915 */
7916 while (++net->nft.base_seq == 0);
7917
7918 /* step 3. Start new generation, rules_gen_X now in use. */
7919 net->nft.gencursor = nft_gencursor_next(net);
7920
7921 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
7922 switch (trans->msg_type) {
7923 case NFT_MSG_NEWTABLE:
7924 if (nft_trans_table_update(trans)) {
7925 if (!nft_trans_table_enable(trans)) {
7926 nf_tables_table_disable(net,
7927 trans->ctx.table);
7928 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
7929 }
7930 } else {
7931 nft_clear(net, trans->ctx.table);
7932 }
7933 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
7934 nft_trans_destroy(trans);
7935 break;
7936 case NFT_MSG_DELTABLE:
7937 list_del_rcu(&trans->ctx.table->list);
7938 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
7939 break;
7940 case NFT_MSG_NEWCHAIN:
7941 if (nft_trans_chain_update(trans)) {
7942 nft_chain_commit_update(trans);
7943 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
7944 /* trans destroyed after rcu grace period */
7945 } else {
7946 nft_chain_commit_drop_policy(trans);
7947 nft_clear(net, trans->ctx.chain);
7948 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
7949 nft_trans_destroy(trans);
7950 }
7951 break;
7952 case NFT_MSG_DELCHAIN:
7953 nft_chain_del(trans->ctx.chain);
7954 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
7955 nf_tables_unregister_hook(trans->ctx.net,
7956 trans->ctx.table,
7957 trans->ctx.chain);
7958 break;
7959 case NFT_MSG_NEWRULE:
7960 nft_clear(trans->ctx.net, nft_trans_rule(trans));
7961 nf_tables_rule_notify(&trans->ctx,
7962 nft_trans_rule(trans),
7963 NFT_MSG_NEWRULE);
7964 nft_trans_destroy(trans);
7965 break;
7966 case NFT_MSG_DELRULE:
7967 list_del_rcu(&nft_trans_rule(trans)->list);
7968 nf_tables_rule_notify(&trans->ctx,
7969 nft_trans_rule(trans),
7970 NFT_MSG_DELRULE);
7971 nft_rule_expr_deactivate(&trans->ctx,
7972 nft_trans_rule(trans),
7973 NFT_TRANS_COMMIT);
7974 break;
7975 case NFT_MSG_NEWSET:
7976 nft_clear(net, nft_trans_set(trans));
7977 /* This avoids hitting -EBUSY when deleting the table
7978 * from the transaction.
7979 */
7980 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
7981 !list_empty(&nft_trans_set(trans)->bindings))
7982 trans->ctx.table->use--;
7983
7984 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
7985 NFT_MSG_NEWSET, GFP_KERNEL);
7986 nft_trans_destroy(trans);
7987 break;
7988 case NFT_MSG_DELSET:
7989 list_del_rcu(&nft_trans_set(trans)->list);
7990 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
7991 NFT_MSG_DELSET, GFP_KERNEL);
7992 break;
7993 case NFT_MSG_NEWSETELEM:
7994 te = (struct nft_trans_elem *)trans->data;
7995
7996 te->set->ops->activate(net, te->set, &te->elem);
7997 nf_tables_setelem_notify(&trans->ctx, te->set,
7998 &te->elem,
7999 NFT_MSG_NEWSETELEM, 0);
8000 nft_trans_destroy(trans);
8001 break;
8002 case NFT_MSG_DELSETELEM:
8003 te = (struct nft_trans_elem *)trans->data;
8004
8005 nf_tables_setelem_notify(&trans->ctx, te->set,
8006 &te->elem,
8007 NFT_MSG_DELSETELEM, 0);
8008 te->set->ops->remove(net, te->set, &te->elem);
8009 atomic_dec(&te->set->nelems);
8010 te->set->ndeact--;
8011 break;
8012 case NFT_MSG_NEWOBJ:
8013 if (nft_trans_obj_update(trans)) {
8014 nft_obj_commit_update(trans);
8015 nf_tables_obj_notify(&trans->ctx,
8016 nft_trans_obj(trans),
8017 NFT_MSG_NEWOBJ);
8018 } else {
8019 nft_clear(net, nft_trans_obj(trans));
8020 nf_tables_obj_notify(&trans->ctx,
8021 nft_trans_obj(trans),
8022 NFT_MSG_NEWOBJ);
8023 nft_trans_destroy(trans);
8024 }
8025 break;
8026 case NFT_MSG_DELOBJ:
8027 nft_obj_del(nft_trans_obj(trans));
8028 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
8029 NFT_MSG_DELOBJ);
8030 break;
8031 case NFT_MSG_NEWFLOWTABLE:
8032 if (nft_trans_flowtable_update(trans)) {
8033 nft_trans_flowtable(trans)->data.flags =
8034 nft_trans_flowtable_flags(trans);
8035 nf_tables_flowtable_notify(&trans->ctx,
8036 nft_trans_flowtable(trans),
8037 &nft_trans_flowtable_hooks(trans),
8038 NFT_MSG_NEWFLOWTABLE);
8039 list_splice(&nft_trans_flowtable_hooks(trans),
8040 &nft_trans_flowtable(trans)->hook_list);
8041 } else {
8042 nft_clear(net, nft_trans_flowtable(trans));
8043 nf_tables_flowtable_notify(&trans->ctx,
8044 nft_trans_flowtable(trans),
8045 &nft_trans_flowtable(trans)->hook_list,
8046 NFT_MSG_NEWFLOWTABLE);
8047 }
8048 nft_trans_destroy(trans);
8049 break;
8050 case NFT_MSG_DELFLOWTABLE:
8051 if (nft_trans_flowtable_update(trans)) {
8052 nft_flowtable_hooks_del(nft_trans_flowtable(trans),
8053 &nft_trans_flowtable_hooks(trans));
8054 nf_tables_flowtable_notify(&trans->ctx,
8055 nft_trans_flowtable(trans),
8056 &nft_trans_flowtable_hooks(trans),
8057 NFT_MSG_DELFLOWTABLE);
8058 nft_unregister_flowtable_net_hooks(net,
8059 &nft_trans_flowtable_hooks(trans));
8060 } else {
8061 list_del_rcu(&nft_trans_flowtable(trans)->list);
8062 nf_tables_flowtable_notify(&trans->ctx,
8063 nft_trans_flowtable(trans),
8064 &nft_trans_flowtable(trans)->hook_list,
8065 NFT_MSG_DELFLOWTABLE);
8066 nft_unregister_flowtable_net_hooks(net,
8067 &nft_trans_flowtable(trans)->hook_list);
8068 }
8069 break;
8070 }
8071 }
8072
8073 nft_commit_notify(net, NETLINK_CB(skb).portid);
8074 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
8075 nf_tables_commit_release(net);
8076
8077 return 0;
8078 }
8079
nf_tables_module_autoload(struct net * net)8080 static void nf_tables_module_autoload(struct net *net)
8081 {
8082 struct nft_module_request *req, *next;
8083 LIST_HEAD(module_list);
8084
8085 list_splice_init(&net->nft.module_list, &module_list);
8086 mutex_unlock(&net->nft.commit_mutex);
8087 list_for_each_entry_safe(req, next, &module_list, list) {
8088 request_module("%s", req->module);
8089 req->done = true;
8090 }
8091 mutex_lock(&net->nft.commit_mutex);
8092 list_splice(&module_list, &net->nft.module_list);
8093 }
8094
nf_tables_abort_release(struct nft_trans * trans)8095 static void nf_tables_abort_release(struct nft_trans *trans)
8096 {
8097 switch (trans->msg_type) {
8098 case NFT_MSG_NEWTABLE:
8099 nf_tables_table_destroy(&trans->ctx);
8100 break;
8101 case NFT_MSG_NEWCHAIN:
8102 nf_tables_chain_destroy(&trans->ctx);
8103 break;
8104 case NFT_MSG_NEWRULE:
8105 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
8106 break;
8107 case NFT_MSG_NEWSET:
8108 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
8109 break;
8110 case NFT_MSG_NEWSETELEM:
8111 nft_set_elem_destroy(nft_trans_elem_set(trans),
8112 nft_trans_elem(trans).priv, true);
8113 break;
8114 case NFT_MSG_NEWOBJ:
8115 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
8116 break;
8117 case NFT_MSG_NEWFLOWTABLE:
8118 if (nft_trans_flowtable_update(trans))
8119 nft_flowtable_hooks_destroy(&nft_trans_flowtable_hooks(trans));
8120 else
8121 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
8122 break;
8123 }
8124 kfree(trans);
8125 }
8126
__nf_tables_abort(struct net * net,enum nfnl_abort_action action)8127 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
8128 {
8129 struct nft_trans *trans, *next;
8130 struct nft_trans_elem *te;
8131 struct nft_hook *hook;
8132
8133 if (action == NFNL_ABORT_VALIDATE &&
8134 nf_tables_validate(net) < 0)
8135 return -EAGAIN;
8136
8137 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
8138 list) {
8139 switch (trans->msg_type) {
8140 case NFT_MSG_NEWTABLE:
8141 if (nft_trans_table_update(trans)) {
8142 if (nft_trans_table_enable(trans)) {
8143 nf_tables_table_disable(net,
8144 trans->ctx.table);
8145 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
8146 }
8147 nft_trans_destroy(trans);
8148 } else {
8149 list_del_rcu(&trans->ctx.table->list);
8150 }
8151 break;
8152 case NFT_MSG_DELTABLE:
8153 nft_clear(trans->ctx.net, trans->ctx.table);
8154 nft_trans_destroy(trans);
8155 break;
8156 case NFT_MSG_NEWCHAIN:
8157 if (nft_trans_chain_update(trans)) {
8158 free_percpu(nft_trans_chain_stats(trans));
8159 kfree(nft_trans_chain_name(trans));
8160 nft_trans_destroy(trans);
8161 } else {
8162 if (nft_chain_is_bound(trans->ctx.chain)) {
8163 nft_trans_destroy(trans);
8164 break;
8165 }
8166 trans->ctx.table->use--;
8167 nft_chain_del(trans->ctx.chain);
8168 nf_tables_unregister_hook(trans->ctx.net,
8169 trans->ctx.table,
8170 trans->ctx.chain);
8171 }
8172 break;
8173 case NFT_MSG_DELCHAIN:
8174 trans->ctx.table->use++;
8175 nft_clear(trans->ctx.net, trans->ctx.chain);
8176 nft_trans_destroy(trans);
8177 break;
8178 case NFT_MSG_NEWRULE:
8179 trans->ctx.chain->use--;
8180 list_del_rcu(&nft_trans_rule(trans)->list);
8181 nft_rule_expr_deactivate(&trans->ctx,
8182 nft_trans_rule(trans),
8183 NFT_TRANS_ABORT);
8184 break;
8185 case NFT_MSG_DELRULE:
8186 trans->ctx.chain->use++;
8187 nft_clear(trans->ctx.net, nft_trans_rule(trans));
8188 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
8189 nft_trans_destroy(trans);
8190 break;
8191 case NFT_MSG_NEWSET:
8192 trans->ctx.table->use--;
8193 if (nft_trans_set_bound(trans)) {
8194 nft_trans_destroy(trans);
8195 break;
8196 }
8197 list_del_rcu(&nft_trans_set(trans)->list);
8198 break;
8199 case NFT_MSG_DELSET:
8200 trans->ctx.table->use++;
8201 nft_clear(trans->ctx.net, nft_trans_set(trans));
8202 nft_trans_destroy(trans);
8203 break;
8204 case NFT_MSG_NEWSETELEM:
8205 if (nft_trans_elem_set_bound(trans)) {
8206 nft_trans_destroy(trans);
8207 break;
8208 }
8209 te = (struct nft_trans_elem *)trans->data;
8210 te->set->ops->remove(net, te->set, &te->elem);
8211 atomic_dec(&te->set->nelems);
8212 break;
8213 case NFT_MSG_DELSETELEM:
8214 te = (struct nft_trans_elem *)trans->data;
8215
8216 nft_set_elem_activate(net, te->set, &te->elem);
8217 te->set->ops->activate(net, te->set, &te->elem);
8218 te->set->ndeact--;
8219
8220 nft_trans_destroy(trans);
8221 break;
8222 case NFT_MSG_NEWOBJ:
8223 if (nft_trans_obj_update(trans)) {
8224 kfree(nft_trans_obj_newobj(trans));
8225 nft_trans_destroy(trans);
8226 } else {
8227 trans->ctx.table->use--;
8228 nft_obj_del(nft_trans_obj(trans));
8229 }
8230 break;
8231 case NFT_MSG_DELOBJ:
8232 trans->ctx.table->use++;
8233 nft_clear(trans->ctx.net, nft_trans_obj(trans));
8234 nft_trans_destroy(trans);
8235 break;
8236 case NFT_MSG_NEWFLOWTABLE:
8237 if (nft_trans_flowtable_update(trans)) {
8238 nft_unregister_flowtable_net_hooks(net,
8239 &nft_trans_flowtable_hooks(trans));
8240 } else {
8241 trans->ctx.table->use--;
8242 list_del_rcu(&nft_trans_flowtable(trans)->list);
8243 nft_unregister_flowtable_net_hooks(net,
8244 &nft_trans_flowtable(trans)->hook_list);
8245 }
8246 break;
8247 case NFT_MSG_DELFLOWTABLE:
8248 if (nft_trans_flowtable_update(trans)) {
8249 list_for_each_entry(hook, &nft_trans_flowtable(trans)->hook_list, list)
8250 hook->inactive = false;
8251 } else {
8252 trans->ctx.table->use++;
8253 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
8254 }
8255 nft_trans_destroy(trans);
8256 break;
8257 }
8258 }
8259
8260 synchronize_rcu();
8261
8262 list_for_each_entry_safe_reverse(trans, next,
8263 &net->nft.commit_list, list) {
8264 list_del(&trans->list);
8265 nf_tables_abort_release(trans);
8266 }
8267
8268 if (action == NFNL_ABORT_AUTOLOAD)
8269 nf_tables_module_autoload(net);
8270 else
8271 nf_tables_module_autoload_cleanup(net);
8272
8273 return 0;
8274 }
8275
nf_tables_cleanup(struct net * net)8276 static void nf_tables_cleanup(struct net *net)
8277 {
8278 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
8279 }
8280
nf_tables_abort(struct net * net,struct sk_buff * skb,enum nfnl_abort_action action)8281 static int nf_tables_abort(struct net *net, struct sk_buff *skb,
8282 enum nfnl_abort_action action)
8283 {
8284 int ret = __nf_tables_abort(net, action);
8285
8286 mutex_unlock(&net->nft.commit_mutex);
8287
8288 return ret;
8289 }
8290
nf_tables_valid_genid(struct net * net,u32 genid)8291 static bool nf_tables_valid_genid(struct net *net, u32 genid)
8292 {
8293 bool genid_ok;
8294
8295 mutex_lock(&net->nft.commit_mutex);
8296
8297 genid_ok = genid == 0 || net->nft.base_seq == genid;
8298 if (!genid_ok)
8299 mutex_unlock(&net->nft.commit_mutex);
8300
8301 /* else, commit mutex has to be released by commit or abort function */
8302 return genid_ok;
8303 }
8304
8305 static const struct nfnetlink_subsystem nf_tables_subsys = {
8306 .name = "nf_tables",
8307 .subsys_id = NFNL_SUBSYS_NFTABLES,
8308 .cb_count = NFT_MSG_MAX,
8309 .cb = nf_tables_cb,
8310 .commit = nf_tables_commit,
8311 .abort = nf_tables_abort,
8312 .cleanup = nf_tables_cleanup,
8313 .valid_genid = nf_tables_valid_genid,
8314 .owner = THIS_MODULE,
8315 };
8316
nft_chain_validate_dependency(const struct nft_chain * chain,enum nft_chain_types type)8317 int nft_chain_validate_dependency(const struct nft_chain *chain,
8318 enum nft_chain_types type)
8319 {
8320 const struct nft_base_chain *basechain;
8321
8322 if (nft_is_base_chain(chain)) {
8323 basechain = nft_base_chain(chain);
8324 if (basechain->type->type != type)
8325 return -EOPNOTSUPP;
8326 }
8327 return 0;
8328 }
8329 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
8330
nft_chain_validate_hooks(const struct nft_chain * chain,unsigned int hook_flags)8331 int nft_chain_validate_hooks(const struct nft_chain *chain,
8332 unsigned int hook_flags)
8333 {
8334 struct nft_base_chain *basechain;
8335
8336 if (nft_is_base_chain(chain)) {
8337 basechain = nft_base_chain(chain);
8338
8339 if ((1 << basechain->ops.hooknum) & hook_flags)
8340 return 0;
8341
8342 return -EOPNOTSUPP;
8343 }
8344
8345 return 0;
8346 }
8347 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
8348
8349 /*
8350 * Loop detection - walk through the ruleset beginning at the destination chain
8351 * of a new jump until either the source chain is reached (loop) or all
8352 * reachable chains have been traversed.
8353 *
8354 * The loop check is performed whenever a new jump verdict is added to an
8355 * expression or verdict map or a verdict map is bound to a new chain.
8356 */
8357
8358 static int nf_tables_check_loops(const struct nft_ctx *ctx,
8359 const struct nft_chain *chain);
8360
nf_tables_loop_check_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_set_elem * elem)8361 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
8362 struct nft_set *set,
8363 const struct nft_set_iter *iter,
8364 struct nft_set_elem *elem)
8365 {
8366 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
8367 const struct nft_data *data;
8368
8369 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
8370 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
8371 return 0;
8372
8373 data = nft_set_ext_data(ext);
8374 switch (data->verdict.code) {
8375 case NFT_JUMP:
8376 case NFT_GOTO:
8377 return nf_tables_check_loops(ctx, data->verdict.chain);
8378 default:
8379 return 0;
8380 }
8381 }
8382
nf_tables_check_loops(const struct nft_ctx * ctx,const struct nft_chain * chain)8383 static int nf_tables_check_loops(const struct nft_ctx *ctx,
8384 const struct nft_chain *chain)
8385 {
8386 const struct nft_rule *rule;
8387 const struct nft_expr *expr, *last;
8388 struct nft_set *set;
8389 struct nft_set_binding *binding;
8390 struct nft_set_iter iter;
8391
8392 if (ctx->chain == chain)
8393 return -ELOOP;
8394
8395 list_for_each_entry(rule, &chain->rules, list) {
8396 nft_rule_for_each_expr(expr, last, rule) {
8397 struct nft_immediate_expr *priv;
8398 const struct nft_data *data;
8399 int err;
8400
8401 if (strcmp(expr->ops->type->name, "immediate"))
8402 continue;
8403
8404 priv = nft_expr_priv(expr);
8405 if (priv->dreg != NFT_REG_VERDICT)
8406 continue;
8407
8408 data = &priv->data;
8409 switch (data->verdict.code) {
8410 case NFT_JUMP:
8411 case NFT_GOTO:
8412 err = nf_tables_check_loops(ctx,
8413 data->verdict.chain);
8414 if (err < 0)
8415 return err;
8416 break;
8417 default:
8418 break;
8419 }
8420 }
8421 }
8422
8423 list_for_each_entry(set, &ctx->table->sets, list) {
8424 if (!nft_is_active_next(ctx->net, set))
8425 continue;
8426 if (!(set->flags & NFT_SET_MAP) ||
8427 set->dtype != NFT_DATA_VERDICT)
8428 continue;
8429
8430 list_for_each_entry(binding, &set->bindings, list) {
8431 if (!(binding->flags & NFT_SET_MAP) ||
8432 binding->chain != chain)
8433 continue;
8434
8435 iter.genmask = nft_genmask_next(ctx->net);
8436 iter.skip = 0;
8437 iter.count = 0;
8438 iter.err = 0;
8439 iter.fn = nf_tables_loop_check_setelem;
8440
8441 set->ops->walk(ctx, set, &iter);
8442 if (iter.err < 0)
8443 return iter.err;
8444 }
8445 }
8446
8447 return 0;
8448 }
8449
8450 /**
8451 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
8452 *
8453 * @attr: netlink attribute to fetch value from
8454 * @max: maximum value to be stored in dest
8455 * @dest: pointer to the variable
8456 *
8457 * Parse, check and store a given u32 netlink attribute into variable.
8458 * This function returns -ERANGE if the value goes over maximum value.
8459 * Otherwise a 0 is returned and the attribute value is stored in the
8460 * destination variable.
8461 */
nft_parse_u32_check(const struct nlattr * attr,int max,u32 * dest)8462 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
8463 {
8464 u32 val;
8465
8466 val = ntohl(nla_get_be32(attr));
8467 if (val > max)
8468 return -ERANGE;
8469
8470 *dest = val;
8471 return 0;
8472 }
8473 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
8474
8475 /**
8476 * nft_parse_register - parse a register value from a netlink attribute
8477 *
8478 * @attr: netlink attribute
8479 *
8480 * Parse and translate a register value from a netlink attribute.
8481 * Registers used to be 128 bit wide, these register numbers will be
8482 * mapped to the corresponding 32 bit register numbers.
8483 */
nft_parse_register(const struct nlattr * attr)8484 unsigned int nft_parse_register(const struct nlattr *attr)
8485 {
8486 unsigned int reg;
8487
8488 reg = ntohl(nla_get_be32(attr));
8489 switch (reg) {
8490 case NFT_REG_VERDICT...NFT_REG_4:
8491 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
8492 default:
8493 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
8494 }
8495 }
8496 EXPORT_SYMBOL_GPL(nft_parse_register);
8497
8498 /**
8499 * nft_dump_register - dump a register value to a netlink attribute
8500 *
8501 * @skb: socket buffer
8502 * @attr: attribute number
8503 * @reg: register number
8504 *
8505 * Construct a netlink attribute containing the register number. For
8506 * compatibility reasons, register numbers being a multiple of 4 are
8507 * translated to the corresponding 128 bit register numbers.
8508 */
nft_dump_register(struct sk_buff * skb,unsigned int attr,unsigned int reg)8509 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
8510 {
8511 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
8512 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
8513 else
8514 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
8515
8516 return nla_put_be32(skb, attr, htonl(reg));
8517 }
8518 EXPORT_SYMBOL_GPL(nft_dump_register);
8519
8520 /**
8521 * nft_validate_register_load - validate a load from a register
8522 *
8523 * @reg: the register number
8524 * @len: the length of the data
8525 *
8526 * Validate that the input register is one of the general purpose
8527 * registers and that the length of the load is within the bounds.
8528 */
nft_validate_register_load(enum nft_registers reg,unsigned int len)8529 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
8530 {
8531 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
8532 return -EINVAL;
8533 if (len == 0)
8534 return -EINVAL;
8535 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
8536 return -ERANGE;
8537
8538 return 0;
8539 }
8540 EXPORT_SYMBOL_GPL(nft_validate_register_load);
8541
8542 /**
8543 * nft_validate_register_store - validate an expressions' register store
8544 *
8545 * @ctx: context of the expression performing the load
8546 * @reg: the destination register number
8547 * @data: the data to load
8548 * @type: the data type
8549 * @len: the length of the data
8550 *
8551 * Validate that a data load uses the appropriate data type for
8552 * the destination register and the length is within the bounds.
8553 * A value of NULL for the data means that its runtime gathered
8554 * data.
8555 */
nft_validate_register_store(const struct nft_ctx * ctx,enum nft_registers reg,const struct nft_data * data,enum nft_data_types type,unsigned int len)8556 int nft_validate_register_store(const struct nft_ctx *ctx,
8557 enum nft_registers reg,
8558 const struct nft_data *data,
8559 enum nft_data_types type, unsigned int len)
8560 {
8561 int err;
8562
8563 switch (reg) {
8564 case NFT_REG_VERDICT:
8565 if (type != NFT_DATA_VERDICT)
8566 return -EINVAL;
8567
8568 if (data != NULL &&
8569 (data->verdict.code == NFT_GOTO ||
8570 data->verdict.code == NFT_JUMP)) {
8571 err = nf_tables_check_loops(ctx, data->verdict.chain);
8572 if (err < 0)
8573 return err;
8574 }
8575
8576 return 0;
8577 default:
8578 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
8579 return -EINVAL;
8580 if (len == 0)
8581 return -EINVAL;
8582 if (reg * NFT_REG32_SIZE + len >
8583 sizeof_field(struct nft_regs, data))
8584 return -ERANGE;
8585
8586 if (data != NULL && type != NFT_DATA_VALUE)
8587 return -EINVAL;
8588 return 0;
8589 }
8590 }
8591 EXPORT_SYMBOL_GPL(nft_validate_register_store);
8592
8593 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
8594 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
8595 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
8596 .len = NFT_CHAIN_MAXNAMELEN - 1 },
8597 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
8598 };
8599
nft_verdict_init(const struct nft_ctx * ctx,struct nft_data * data,struct nft_data_desc * desc,const struct nlattr * nla)8600 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
8601 struct nft_data_desc *desc, const struct nlattr *nla)
8602 {
8603 u8 genmask = nft_genmask_next(ctx->net);
8604 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
8605 struct nft_chain *chain;
8606 int err;
8607
8608 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
8609 nft_verdict_policy, NULL);
8610 if (err < 0)
8611 return err;
8612
8613 if (!tb[NFTA_VERDICT_CODE])
8614 return -EINVAL;
8615 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
8616
8617 switch (data->verdict.code) {
8618 default:
8619 switch (data->verdict.code & NF_VERDICT_MASK) {
8620 case NF_ACCEPT:
8621 case NF_DROP:
8622 case NF_QUEUE:
8623 break;
8624 default:
8625 return -EINVAL;
8626 }
8627 fallthrough;
8628 case NFT_CONTINUE:
8629 case NFT_BREAK:
8630 case NFT_RETURN:
8631 break;
8632 case NFT_JUMP:
8633 case NFT_GOTO:
8634 if (tb[NFTA_VERDICT_CHAIN]) {
8635 chain = nft_chain_lookup(ctx->net, ctx->table,
8636 tb[NFTA_VERDICT_CHAIN],
8637 genmask);
8638 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
8639 chain = nft_chain_lookup_byid(ctx->net,
8640 tb[NFTA_VERDICT_CHAIN_ID]);
8641 if (IS_ERR(chain))
8642 return PTR_ERR(chain);
8643 } else {
8644 return -EINVAL;
8645 }
8646
8647 if (IS_ERR(chain))
8648 return PTR_ERR(chain);
8649 if (nft_is_base_chain(chain))
8650 return -EOPNOTSUPP;
8651 if (nft_chain_is_bound(chain))
8652 return -EINVAL;
8653
8654 chain->use++;
8655 data->verdict.chain = chain;
8656 break;
8657 }
8658
8659 desc->len = sizeof(data->verdict);
8660 desc->type = NFT_DATA_VERDICT;
8661 return 0;
8662 }
8663
nft_verdict_uninit(const struct nft_data * data)8664 static void nft_verdict_uninit(const struct nft_data *data)
8665 {
8666 struct nft_chain *chain;
8667 struct nft_rule *rule;
8668
8669 switch (data->verdict.code) {
8670 case NFT_JUMP:
8671 case NFT_GOTO:
8672 chain = data->verdict.chain;
8673 chain->use--;
8674
8675 if (!nft_chain_is_bound(chain))
8676 break;
8677
8678 chain->table->use--;
8679 list_for_each_entry(rule, &chain->rules, list)
8680 chain->use--;
8681
8682 nft_chain_del(chain);
8683 break;
8684 }
8685 }
8686
nft_verdict_dump(struct sk_buff * skb,int type,const struct nft_verdict * v)8687 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
8688 {
8689 struct nlattr *nest;
8690
8691 nest = nla_nest_start_noflag(skb, type);
8692 if (!nest)
8693 goto nla_put_failure;
8694
8695 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
8696 goto nla_put_failure;
8697
8698 switch (v->code) {
8699 case NFT_JUMP:
8700 case NFT_GOTO:
8701 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
8702 v->chain->name))
8703 goto nla_put_failure;
8704 }
8705 nla_nest_end(skb, nest);
8706 return 0;
8707
8708 nla_put_failure:
8709 return -1;
8710 }
8711
nft_value_init(const struct nft_ctx * ctx,struct nft_data * data,unsigned int size,struct nft_data_desc * desc,const struct nlattr * nla)8712 static int nft_value_init(const struct nft_ctx *ctx,
8713 struct nft_data *data, unsigned int size,
8714 struct nft_data_desc *desc, const struct nlattr *nla)
8715 {
8716 unsigned int len;
8717
8718 len = nla_len(nla);
8719 if (len == 0)
8720 return -EINVAL;
8721 if (len > size)
8722 return -EOVERFLOW;
8723
8724 nla_memcpy(data->data, nla, len);
8725 desc->type = NFT_DATA_VALUE;
8726 desc->len = len;
8727 return 0;
8728 }
8729
nft_value_dump(struct sk_buff * skb,const struct nft_data * data,unsigned int len)8730 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
8731 unsigned int len)
8732 {
8733 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
8734 }
8735
8736 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
8737 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
8738 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
8739 };
8740
8741 /**
8742 * nft_data_init - parse nf_tables data netlink attributes
8743 *
8744 * @ctx: context of the expression using the data
8745 * @data: destination struct nft_data
8746 * @size: maximum data length
8747 * @desc: data description
8748 * @nla: netlink attribute containing data
8749 *
8750 * Parse the netlink data attributes and initialize a struct nft_data.
8751 * The type and length of data are returned in the data description.
8752 *
8753 * The caller can indicate that it only wants to accept data of type
8754 * NFT_DATA_VALUE by passing NULL for the ctx argument.
8755 */
nft_data_init(const struct nft_ctx * ctx,struct nft_data * data,unsigned int size,struct nft_data_desc * desc,const struct nlattr * nla)8756 int nft_data_init(const struct nft_ctx *ctx,
8757 struct nft_data *data, unsigned int size,
8758 struct nft_data_desc *desc, const struct nlattr *nla)
8759 {
8760 struct nlattr *tb[NFTA_DATA_MAX + 1];
8761 int err;
8762
8763 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
8764 nft_data_policy, NULL);
8765 if (err < 0)
8766 return err;
8767
8768 if (tb[NFTA_DATA_VALUE])
8769 return nft_value_init(ctx, data, size, desc,
8770 tb[NFTA_DATA_VALUE]);
8771 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
8772 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
8773 return -EINVAL;
8774 }
8775 EXPORT_SYMBOL_GPL(nft_data_init);
8776
8777 /**
8778 * nft_data_release - release a nft_data item
8779 *
8780 * @data: struct nft_data to release
8781 * @type: type of data
8782 *
8783 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
8784 * all others need to be released by calling this function.
8785 */
nft_data_release(const struct nft_data * data,enum nft_data_types type)8786 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
8787 {
8788 if (type < NFT_DATA_VERDICT)
8789 return;
8790 switch (type) {
8791 case NFT_DATA_VERDICT:
8792 return nft_verdict_uninit(data);
8793 default:
8794 WARN_ON(1);
8795 }
8796 }
8797 EXPORT_SYMBOL_GPL(nft_data_release);
8798
nft_data_dump(struct sk_buff * skb,int attr,const struct nft_data * data,enum nft_data_types type,unsigned int len)8799 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
8800 enum nft_data_types type, unsigned int len)
8801 {
8802 struct nlattr *nest;
8803 int err;
8804
8805 nest = nla_nest_start_noflag(skb, attr);
8806 if (nest == NULL)
8807 return -1;
8808
8809 switch (type) {
8810 case NFT_DATA_VALUE:
8811 err = nft_value_dump(skb, data, len);
8812 break;
8813 case NFT_DATA_VERDICT:
8814 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
8815 break;
8816 default:
8817 err = -EINVAL;
8818 WARN_ON(1);
8819 }
8820
8821 nla_nest_end(skb, nest);
8822 return err;
8823 }
8824 EXPORT_SYMBOL_GPL(nft_data_dump);
8825
__nft_release_basechain(struct nft_ctx * ctx)8826 int __nft_release_basechain(struct nft_ctx *ctx)
8827 {
8828 struct nft_rule *rule, *nr;
8829
8830 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
8831 return 0;
8832
8833 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
8834 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
8835 list_del(&rule->list);
8836 ctx->chain->use--;
8837 nf_tables_rule_release(ctx, rule);
8838 }
8839 nft_chain_del(ctx->chain);
8840 ctx->table->use--;
8841 nf_tables_chain_destroy(ctx);
8842
8843 return 0;
8844 }
8845 EXPORT_SYMBOL_GPL(__nft_release_basechain);
8846
__nft_release_hooks(struct net * net)8847 static void __nft_release_hooks(struct net *net)
8848 {
8849 struct nft_table *table;
8850 struct nft_chain *chain;
8851
8852 list_for_each_entry(table, &net->nft.tables, list) {
8853 list_for_each_entry(chain, &table->chains, list)
8854 nf_tables_unregister_hook(net, table, chain);
8855 }
8856 }
8857
__nft_release_tables(struct net * net)8858 static void __nft_release_tables(struct net *net)
8859 {
8860 struct nft_flowtable *flowtable, *nf;
8861 struct nft_table *table, *nt;
8862 struct nft_chain *chain, *nc;
8863 struct nft_object *obj, *ne;
8864 struct nft_rule *rule, *nr;
8865 struct nft_set *set, *ns;
8866 struct nft_ctx ctx = {
8867 .net = net,
8868 .family = NFPROTO_NETDEV,
8869 };
8870
8871 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
8872 ctx.family = table->family;
8873 ctx.table = table;
8874 list_for_each_entry(chain, &table->chains, list) {
8875 ctx.chain = chain;
8876 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
8877 list_del(&rule->list);
8878 chain->use--;
8879 nf_tables_rule_release(&ctx, rule);
8880 }
8881 }
8882 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
8883 list_del(&flowtable->list);
8884 table->use--;
8885 nf_tables_flowtable_destroy(flowtable);
8886 }
8887 list_for_each_entry_safe(set, ns, &table->sets, list) {
8888 list_del(&set->list);
8889 table->use--;
8890 nft_set_destroy(&ctx, set);
8891 }
8892 list_for_each_entry_safe(obj, ne, &table->objects, list) {
8893 nft_obj_del(obj);
8894 table->use--;
8895 nft_obj_destroy(&ctx, obj);
8896 }
8897 list_for_each_entry_safe(chain, nc, &table->chains, list) {
8898 ctx.chain = chain;
8899 nft_chain_del(chain);
8900 table->use--;
8901 nf_tables_chain_destroy(&ctx);
8902 }
8903 list_del(&table->list);
8904 nf_tables_table_destroy(&ctx);
8905 }
8906 }
8907
nf_tables_init_net(struct net * net)8908 static int __net_init nf_tables_init_net(struct net *net)
8909 {
8910 INIT_LIST_HEAD(&net->nft.tables);
8911 INIT_LIST_HEAD(&net->nft.commit_list);
8912 INIT_LIST_HEAD(&net->nft.module_list);
8913 INIT_LIST_HEAD(&net->nft.notify_list);
8914 mutex_init(&net->nft.commit_mutex);
8915 net->nft.base_seq = 1;
8916 net->nft.validate_state = NFT_VALIDATE_SKIP;
8917
8918 return 0;
8919 }
8920
nf_tables_pre_exit_net(struct net * net)8921 static void __net_exit nf_tables_pre_exit_net(struct net *net)
8922 {
8923 __nft_release_hooks(net);
8924 }
8925
nf_tables_exit_net(struct net * net)8926 static void __net_exit nf_tables_exit_net(struct net *net)
8927 {
8928 mutex_lock(&net->nft.commit_mutex);
8929 if (!list_empty(&net->nft.commit_list))
8930 __nf_tables_abort(net, NFNL_ABORT_NONE);
8931 __nft_release_tables(net);
8932 mutex_unlock(&net->nft.commit_mutex);
8933 WARN_ON_ONCE(!list_empty(&net->nft.tables));
8934 WARN_ON_ONCE(!list_empty(&net->nft.module_list));
8935 WARN_ON_ONCE(!list_empty(&net->nft.notify_list));
8936 }
8937
8938 static struct pernet_operations nf_tables_net_ops = {
8939 .init = nf_tables_init_net,
8940 .pre_exit = nf_tables_pre_exit_net,
8941 .exit = nf_tables_exit_net,
8942 };
8943
nf_tables_module_init(void)8944 static int __init nf_tables_module_init(void)
8945 {
8946 int err;
8947
8948 spin_lock_init(&nf_tables_destroy_list_lock);
8949 err = register_pernet_subsys(&nf_tables_net_ops);
8950 if (err < 0)
8951 return err;
8952
8953 err = nft_chain_filter_init();
8954 if (err < 0)
8955 goto err1;
8956
8957 err = nf_tables_core_module_init();
8958 if (err < 0)
8959 goto err2;
8960
8961 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
8962 if (err < 0)
8963 goto err3;
8964
8965 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
8966 if (err < 0)
8967 goto err4;
8968
8969 err = nft_offload_init();
8970 if (err < 0)
8971 goto err5;
8972
8973 /* must be last */
8974 err = nfnetlink_subsys_register(&nf_tables_subsys);
8975 if (err < 0)
8976 goto err6;
8977
8978 nft_chain_route_init();
8979
8980 return err;
8981 err6:
8982 nft_offload_exit();
8983 err5:
8984 rhltable_destroy(&nft_objname_ht);
8985 err4:
8986 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
8987 err3:
8988 nf_tables_core_module_exit();
8989 err2:
8990 nft_chain_filter_fini();
8991 err1:
8992 unregister_pernet_subsys(&nf_tables_net_ops);
8993 return err;
8994 }
8995
nf_tables_module_exit(void)8996 static void __exit nf_tables_module_exit(void)
8997 {
8998 nfnetlink_subsys_unregister(&nf_tables_subsys);
8999 nft_offload_exit();
9000 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
9001 nft_chain_filter_fini();
9002 nft_chain_route_fini();
9003 unregister_pernet_subsys(&nf_tables_net_ops);
9004 cancel_work_sync(&trans_destroy_work);
9005 rcu_barrier();
9006 rhltable_destroy(&nft_objname_ht);
9007 nf_tables_core_module_exit();
9008 }
9009
9010 module_init(nf_tables_module_init);
9011 module_exit(nf_tables_module_exit);
9012
9013 MODULE_LICENSE("GPL");
9014 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
9015 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
9016