1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 *
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
6 */
7
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/netfilter.h>
16 #include <linux/netfilter/nfnetlink.h>
17 #include <linux/netfilter/nf_tables.h>
18 #include <net/netfilter/nf_flow_table.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 #include <net/netfilter/nf_tables_offload.h>
22 #include <net/net_namespace.h>
23 #include <net/sock.h>
24
25 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
26
27 static LIST_HEAD(nf_tables_expressions);
28 static LIST_HEAD(nf_tables_objects);
29 static LIST_HEAD(nf_tables_flowtables);
30 static LIST_HEAD(nf_tables_destroy_list);
31 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
32 static u64 table_handle;
33
34 enum {
35 NFT_VALIDATE_SKIP = 0,
36 NFT_VALIDATE_NEED,
37 NFT_VALIDATE_DO,
38 };
39
40 static struct rhltable nft_objname_ht;
41
42 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
43 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
44 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
45
46 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
47 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
48 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
49
50 static const struct rhashtable_params nft_chain_ht_params = {
51 .head_offset = offsetof(struct nft_chain, rhlhead),
52 .key_offset = offsetof(struct nft_chain, name),
53 .hashfn = nft_chain_hash,
54 .obj_hashfn = nft_chain_hash_obj,
55 .obj_cmpfn = nft_chain_hash_cmp,
56 .automatic_shrinking = true,
57 };
58
59 static const struct rhashtable_params nft_objname_ht_params = {
60 .head_offset = offsetof(struct nft_object, rhlhead),
61 .key_offset = offsetof(struct nft_object, key),
62 .hashfn = nft_objname_hash,
63 .obj_hashfn = nft_objname_hash_obj,
64 .obj_cmpfn = nft_objname_hash_cmp,
65 .automatic_shrinking = true,
66 };
67
nft_validate_state_update(struct net * net,u8 new_validate_state)68 static void nft_validate_state_update(struct net *net, u8 new_validate_state)
69 {
70 switch (net->nft.validate_state) {
71 case NFT_VALIDATE_SKIP:
72 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
73 break;
74 case NFT_VALIDATE_NEED:
75 break;
76 case NFT_VALIDATE_DO:
77 if (new_validate_state == NFT_VALIDATE_NEED)
78 return;
79 }
80
81 net->nft.validate_state = new_validate_state;
82 }
83 static void nf_tables_trans_destroy_work(struct work_struct *w);
84 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
85
nft_ctx_init(struct nft_ctx * ctx,struct net * net,const struct sk_buff * skb,const struct nlmsghdr * nlh,u8 family,struct nft_table * table,struct nft_chain * chain,const struct nlattr * const * nla)86 static void nft_ctx_init(struct nft_ctx *ctx,
87 struct net *net,
88 const struct sk_buff *skb,
89 const struct nlmsghdr *nlh,
90 u8 family,
91 struct nft_table *table,
92 struct nft_chain *chain,
93 const struct nlattr * const *nla)
94 {
95 ctx->net = net;
96 ctx->family = family;
97 ctx->level = 0;
98 ctx->table = table;
99 ctx->chain = chain;
100 ctx->nla = nla;
101 ctx->portid = NETLINK_CB(skb).portid;
102 ctx->report = nlmsg_report(nlh);
103 ctx->flags = nlh->nlmsg_flags;
104 ctx->seq = nlh->nlmsg_seq;
105 }
106
nft_trans_alloc_gfp(const struct nft_ctx * ctx,int msg_type,u32 size,gfp_t gfp)107 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
108 int msg_type, u32 size, gfp_t gfp)
109 {
110 struct nft_trans *trans;
111
112 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
113 if (trans == NULL)
114 return NULL;
115
116 trans->msg_type = msg_type;
117 trans->ctx = *ctx;
118
119 return trans;
120 }
121
nft_trans_alloc(const struct nft_ctx * ctx,int msg_type,u32 size)122 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
123 int msg_type, u32 size)
124 {
125 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
126 }
127
nft_trans_destroy(struct nft_trans * trans)128 static void nft_trans_destroy(struct nft_trans *trans)
129 {
130 list_del(&trans->list);
131 kfree(trans);
132 }
133
nft_set_trans_bind(const struct nft_ctx * ctx,struct nft_set * set)134 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
135 {
136 struct net *net = ctx->net;
137 struct nft_trans *trans;
138
139 if (!nft_set_is_anonymous(set))
140 return;
141
142 list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
143 switch (trans->msg_type) {
144 case NFT_MSG_NEWSET:
145 if (nft_trans_set(trans) == set)
146 nft_trans_set_bound(trans) = true;
147 break;
148 case NFT_MSG_NEWSETELEM:
149 if (nft_trans_elem_set(trans) == set)
150 nft_trans_elem_set_bound(trans) = true;
151 break;
152 }
153 }
154 }
155
nf_tables_register_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain)156 static int nf_tables_register_hook(struct net *net,
157 const struct nft_table *table,
158 struct nft_chain *chain)
159 {
160 const struct nft_base_chain *basechain;
161 const struct nf_hook_ops *ops;
162
163 if (table->flags & NFT_TABLE_F_DORMANT ||
164 !nft_is_base_chain(chain))
165 return 0;
166
167 basechain = nft_base_chain(chain);
168 ops = &basechain->ops;
169
170 if (basechain->type->ops_register)
171 return basechain->type->ops_register(net, ops);
172
173 return nf_register_net_hook(net, ops);
174 }
175
nf_tables_unregister_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain)176 static void nf_tables_unregister_hook(struct net *net,
177 const struct nft_table *table,
178 struct nft_chain *chain)
179 {
180 const struct nft_base_chain *basechain;
181 const struct nf_hook_ops *ops;
182
183 if (table->flags & NFT_TABLE_F_DORMANT ||
184 !nft_is_base_chain(chain))
185 return;
186 basechain = nft_base_chain(chain);
187 ops = &basechain->ops;
188
189 if (basechain->type->ops_unregister)
190 return basechain->type->ops_unregister(net, ops);
191
192 nf_unregister_net_hook(net, ops);
193 }
194
nft_trans_table_add(struct nft_ctx * ctx,int msg_type)195 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
196 {
197 struct nft_trans *trans;
198
199 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
200 if (trans == NULL)
201 return -ENOMEM;
202
203 if (msg_type == NFT_MSG_NEWTABLE)
204 nft_activate_next(ctx->net, ctx->table);
205
206 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
207 return 0;
208 }
209
nft_deltable(struct nft_ctx * ctx)210 static int nft_deltable(struct nft_ctx *ctx)
211 {
212 int err;
213
214 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
215 if (err < 0)
216 return err;
217
218 nft_deactivate_next(ctx->net, ctx->table);
219 return err;
220 }
221
nft_trans_chain_add(struct nft_ctx * ctx,int msg_type)222 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
223 {
224 struct nft_trans *trans;
225
226 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
227 if (trans == NULL)
228 return ERR_PTR(-ENOMEM);
229
230 if (msg_type == NFT_MSG_NEWCHAIN)
231 nft_activate_next(ctx->net, ctx->chain);
232
233 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
234 return trans;
235 }
236
nft_delchain(struct nft_ctx * ctx)237 static int nft_delchain(struct nft_ctx *ctx)
238 {
239 struct nft_trans *trans;
240
241 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
242 if (IS_ERR(trans))
243 return PTR_ERR(trans);
244
245 ctx->table->use--;
246 nft_deactivate_next(ctx->net, ctx->chain);
247
248 return 0;
249 }
250
nft_rule_expr_activate(const struct nft_ctx * ctx,struct nft_rule * rule)251 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
252 struct nft_rule *rule)
253 {
254 struct nft_expr *expr;
255
256 expr = nft_expr_first(rule);
257 while (expr != nft_expr_last(rule) && expr->ops) {
258 if (expr->ops->activate)
259 expr->ops->activate(ctx, expr);
260
261 expr = nft_expr_next(expr);
262 }
263 }
264
nft_rule_expr_deactivate(const struct nft_ctx * ctx,struct nft_rule * rule,enum nft_trans_phase phase)265 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
266 struct nft_rule *rule,
267 enum nft_trans_phase phase)
268 {
269 struct nft_expr *expr;
270
271 expr = nft_expr_first(rule);
272 while (expr != nft_expr_last(rule) && expr->ops) {
273 if (expr->ops->deactivate)
274 expr->ops->deactivate(ctx, expr, phase);
275
276 expr = nft_expr_next(expr);
277 }
278 }
279
280 static int
nf_tables_delrule_deactivate(struct nft_ctx * ctx,struct nft_rule * rule)281 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
282 {
283 /* You cannot delete the same rule twice */
284 if (nft_is_active_next(ctx->net, rule)) {
285 nft_deactivate_next(ctx->net, rule);
286 ctx->chain->use--;
287 return 0;
288 }
289 return -ENOENT;
290 }
291
nft_trans_rule_add(struct nft_ctx * ctx,int msg_type,struct nft_rule * rule)292 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
293 struct nft_rule *rule)
294 {
295 struct nft_trans *trans;
296
297 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
298 if (trans == NULL)
299 return NULL;
300
301 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
302 nft_trans_rule_id(trans) =
303 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
304 }
305 nft_trans_rule(trans) = rule;
306 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
307
308 return trans;
309 }
310
nft_delrule(struct nft_ctx * ctx,struct nft_rule * rule)311 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
312 {
313 struct nft_trans *trans;
314 int err;
315
316 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
317 if (trans == NULL)
318 return -ENOMEM;
319
320 err = nf_tables_delrule_deactivate(ctx, rule);
321 if (err < 0) {
322 nft_trans_destroy(trans);
323 return err;
324 }
325 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
326
327 return 0;
328 }
329
nft_delrule_by_chain(struct nft_ctx * ctx)330 static int nft_delrule_by_chain(struct nft_ctx *ctx)
331 {
332 struct nft_rule *rule;
333 int err;
334
335 list_for_each_entry(rule, &ctx->chain->rules, list) {
336 if (!nft_is_active_next(ctx->net, rule))
337 continue;
338
339 err = nft_delrule(ctx, rule);
340 if (err < 0)
341 return err;
342 }
343 return 0;
344 }
345
nft_trans_set_add(const struct nft_ctx * ctx,int msg_type,struct nft_set * set)346 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
347 struct nft_set *set)
348 {
349 struct nft_trans *trans;
350
351 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
352 if (trans == NULL)
353 return -ENOMEM;
354
355 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] != NULL) {
356 nft_trans_set_id(trans) =
357 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
358 nft_activate_next(ctx->net, set);
359 }
360 nft_trans_set(trans) = set;
361 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
362
363 return 0;
364 }
365
nft_delset(const struct nft_ctx * ctx,struct nft_set * set)366 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
367 {
368 int err;
369
370 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
371 if (err < 0)
372 return err;
373
374 nft_deactivate_next(ctx->net, set);
375 ctx->table->use--;
376
377 return err;
378 }
379
nft_trans_obj_add(struct nft_ctx * ctx,int msg_type,struct nft_object * obj)380 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
381 struct nft_object *obj)
382 {
383 struct nft_trans *trans;
384
385 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
386 if (trans == NULL)
387 return -ENOMEM;
388
389 if (msg_type == NFT_MSG_NEWOBJ)
390 nft_activate_next(ctx->net, obj);
391
392 nft_trans_obj(trans) = obj;
393 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
394
395 return 0;
396 }
397
nft_delobj(struct nft_ctx * ctx,struct nft_object * obj)398 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
399 {
400 int err;
401
402 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
403 if (err < 0)
404 return err;
405
406 nft_deactivate_next(ctx->net, obj);
407 ctx->table->use--;
408
409 return err;
410 }
411
nft_trans_flowtable_add(struct nft_ctx * ctx,int msg_type,struct nft_flowtable * flowtable)412 static int nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
413 struct nft_flowtable *flowtable)
414 {
415 struct nft_trans *trans;
416
417 trans = nft_trans_alloc(ctx, msg_type,
418 sizeof(struct nft_trans_flowtable));
419 if (trans == NULL)
420 return -ENOMEM;
421
422 if (msg_type == NFT_MSG_NEWFLOWTABLE)
423 nft_activate_next(ctx->net, flowtable);
424
425 nft_trans_flowtable(trans) = flowtable;
426 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
427
428 return 0;
429 }
430
nft_delflowtable(struct nft_ctx * ctx,struct nft_flowtable * flowtable)431 static int nft_delflowtable(struct nft_ctx *ctx,
432 struct nft_flowtable *flowtable)
433 {
434 int err;
435
436 err = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
437 if (err < 0)
438 return err;
439
440 nft_deactivate_next(ctx->net, flowtable);
441 ctx->table->use--;
442
443 return err;
444 }
445
446 /*
447 * Tables
448 */
449
nft_table_lookup(const struct net * net,const struct nlattr * nla,u8 family,u8 genmask)450 static struct nft_table *nft_table_lookup(const struct net *net,
451 const struct nlattr *nla,
452 u8 family, u8 genmask)
453 {
454 struct nft_table *table;
455
456 if (nla == NULL)
457 return ERR_PTR(-EINVAL);
458
459 list_for_each_entry_rcu(table, &net->nft.tables, list) {
460 if (!nla_strcmp(nla, table->name) &&
461 table->family == family &&
462 nft_active_genmask(table, genmask))
463 return table;
464 }
465
466 return ERR_PTR(-ENOENT);
467 }
468
nft_table_lookup_byhandle(const struct net * net,const struct nlattr * nla,u8 genmask)469 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
470 const struct nlattr *nla,
471 u8 genmask)
472 {
473 struct nft_table *table;
474
475 list_for_each_entry(table, &net->nft.tables, list) {
476 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
477 nft_active_genmask(table, genmask))
478 return table;
479 }
480
481 return ERR_PTR(-ENOENT);
482 }
483
nf_tables_alloc_handle(struct nft_table * table)484 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
485 {
486 return ++table->hgenerator;
487 }
488
489 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
490
491 static const struct nft_chain_type *
__nft_chain_type_get(u8 family,enum nft_chain_types type)492 __nft_chain_type_get(u8 family, enum nft_chain_types type)
493 {
494 if (family >= NFPROTO_NUMPROTO ||
495 type >= NFT_CHAIN_T_MAX)
496 return NULL;
497
498 return chain_type[family][type];
499 }
500
501 static const struct nft_chain_type *
__nf_tables_chain_type_lookup(const struct nlattr * nla,u8 family)502 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
503 {
504 const struct nft_chain_type *type;
505 int i;
506
507 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
508 type = __nft_chain_type_get(family, i);
509 if (!type)
510 continue;
511 if (!nla_strcmp(nla, type->name))
512 return type;
513 }
514 return NULL;
515 }
516
517 struct nft_module_request {
518 struct list_head list;
519 char module[MODULE_NAME_LEN];
520 bool done;
521 };
522
523 #ifdef CONFIG_MODULES
nft_request_module(struct net * net,const char * fmt,...)524 static int nft_request_module(struct net *net, const char *fmt, ...)
525 {
526 char module_name[MODULE_NAME_LEN];
527 struct nft_module_request *req;
528 va_list args;
529 int ret;
530
531 va_start(args, fmt);
532 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
533 va_end(args);
534 if (ret >= MODULE_NAME_LEN)
535 return 0;
536
537 list_for_each_entry(req, &net->nft.module_list, list) {
538 if (!strcmp(req->module, module_name)) {
539 if (req->done)
540 return 0;
541
542 /* A request to load this module already exists. */
543 return -EAGAIN;
544 }
545 }
546
547 req = kmalloc(sizeof(*req), GFP_KERNEL);
548 if (!req)
549 return -ENOMEM;
550
551 req->done = false;
552 strlcpy(req->module, module_name, MODULE_NAME_LEN);
553 list_add_tail(&req->list, &net->nft.module_list);
554
555 return -EAGAIN;
556 }
557 #endif
558
lockdep_nfnl_nft_mutex_not_held(void)559 static void lockdep_nfnl_nft_mutex_not_held(void)
560 {
561 #ifdef CONFIG_PROVE_LOCKING
562 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
563 #endif
564 }
565
566 static const struct nft_chain_type *
nf_tables_chain_type_lookup(struct net * net,const struct nlattr * nla,u8 family,bool autoload)567 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
568 u8 family, bool autoload)
569 {
570 const struct nft_chain_type *type;
571
572 type = __nf_tables_chain_type_lookup(nla, family);
573 if (type != NULL)
574 return type;
575
576 lockdep_nfnl_nft_mutex_not_held();
577 #ifdef CONFIG_MODULES
578 if (autoload) {
579 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
580 nla_len(nla),
581 (const char *)nla_data(nla)) == -EAGAIN)
582 return ERR_PTR(-EAGAIN);
583 }
584 #endif
585 return ERR_PTR(-ENOENT);
586 }
587
588 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
589 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
590 .len = NFT_TABLE_MAXNAMELEN - 1 },
591 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
592 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
593 };
594
nf_tables_fill_table_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table)595 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
596 u32 portid, u32 seq, int event, u32 flags,
597 int family, const struct nft_table *table)
598 {
599 struct nlmsghdr *nlh;
600 struct nfgenmsg *nfmsg;
601
602 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
603 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
604 if (nlh == NULL)
605 goto nla_put_failure;
606
607 nfmsg = nlmsg_data(nlh);
608 nfmsg->nfgen_family = family;
609 nfmsg->version = NFNETLINK_V0;
610 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
611
612 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
613 nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
614 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
615 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
616 NFTA_TABLE_PAD))
617 goto nla_put_failure;
618
619 nlmsg_end(skb, nlh);
620 return 0;
621
622 nla_put_failure:
623 nlmsg_trim(skb, nlh);
624 return -1;
625 }
626
nf_tables_table_notify(const struct nft_ctx * ctx,int event)627 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
628 {
629 struct sk_buff *skb;
630 int err;
631
632 if (!ctx->report &&
633 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
634 return;
635
636 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
637 if (skb == NULL)
638 goto err;
639
640 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
641 event, 0, ctx->family, ctx->table);
642 if (err < 0) {
643 kfree_skb(skb);
644 goto err;
645 }
646
647 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
648 ctx->report, GFP_KERNEL);
649 return;
650 err:
651 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
652 }
653
nf_tables_dump_tables(struct sk_buff * skb,struct netlink_callback * cb)654 static int nf_tables_dump_tables(struct sk_buff *skb,
655 struct netlink_callback *cb)
656 {
657 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
658 const struct nft_table *table;
659 unsigned int idx = 0, s_idx = cb->args[0];
660 struct net *net = sock_net(skb->sk);
661 int family = nfmsg->nfgen_family;
662
663 rcu_read_lock();
664 cb->seq = net->nft.base_seq;
665
666 list_for_each_entry_rcu(table, &net->nft.tables, list) {
667 if (family != NFPROTO_UNSPEC && family != table->family)
668 continue;
669
670 if (idx < s_idx)
671 goto cont;
672 if (idx > s_idx)
673 memset(&cb->args[1], 0,
674 sizeof(cb->args) - sizeof(cb->args[0]));
675 if (!nft_is_active(net, table))
676 continue;
677 if (nf_tables_fill_table_info(skb, net,
678 NETLINK_CB(cb->skb).portid,
679 cb->nlh->nlmsg_seq,
680 NFT_MSG_NEWTABLE, NLM_F_MULTI,
681 table->family, table) < 0)
682 goto done;
683
684 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
685 cont:
686 idx++;
687 }
688 done:
689 rcu_read_unlock();
690 cb->args[0] = idx;
691 return skb->len;
692 }
693
nft_netlink_dump_start_rcu(struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,struct netlink_dump_control * c)694 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
695 const struct nlmsghdr *nlh,
696 struct netlink_dump_control *c)
697 {
698 int err;
699
700 if (!try_module_get(THIS_MODULE))
701 return -EINVAL;
702
703 rcu_read_unlock();
704 err = netlink_dump_start(nlsk, skb, nlh, c);
705 rcu_read_lock();
706 module_put(THIS_MODULE);
707
708 return err;
709 }
710
711 /* called with rcu_read_lock held */
nf_tables_gettable(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)712 static int nf_tables_gettable(struct net *net, struct sock *nlsk,
713 struct sk_buff *skb, const struct nlmsghdr *nlh,
714 const struct nlattr * const nla[],
715 struct netlink_ext_ack *extack)
716 {
717 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
718 u8 genmask = nft_genmask_cur(net);
719 const struct nft_table *table;
720 struct sk_buff *skb2;
721 int family = nfmsg->nfgen_family;
722 int err;
723
724 if (nlh->nlmsg_flags & NLM_F_DUMP) {
725 struct netlink_dump_control c = {
726 .dump = nf_tables_dump_tables,
727 .module = THIS_MODULE,
728 };
729
730 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
731 }
732
733 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask);
734 if (IS_ERR(table)) {
735 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
736 return PTR_ERR(table);
737 }
738
739 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
740 if (!skb2)
741 return -ENOMEM;
742
743 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
744 nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
745 family, table);
746 if (err < 0)
747 goto err;
748
749 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
750
751 err:
752 kfree_skb(skb2);
753 return err;
754 }
755
nft_table_disable(struct net * net,struct nft_table * table,u32 cnt)756 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
757 {
758 struct nft_chain *chain;
759 u32 i = 0;
760
761 list_for_each_entry(chain, &table->chains, list) {
762 if (!nft_is_active_next(net, chain))
763 continue;
764 if (!nft_is_base_chain(chain))
765 continue;
766
767 if (cnt && i++ == cnt)
768 break;
769
770 nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
771 }
772 }
773
nf_tables_table_enable(struct net * net,struct nft_table * table)774 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
775 {
776 struct nft_chain *chain;
777 int err, i = 0;
778
779 list_for_each_entry(chain, &table->chains, list) {
780 if (!nft_is_active_next(net, chain))
781 continue;
782 if (!nft_is_base_chain(chain))
783 continue;
784
785 err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
786 if (err < 0)
787 goto err;
788
789 i++;
790 }
791 return 0;
792 err:
793 if (i)
794 nft_table_disable(net, table, i);
795 return err;
796 }
797
nf_tables_table_disable(struct net * net,struct nft_table * table)798 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
799 {
800 nft_table_disable(net, table, 0);
801 }
802
nf_tables_updtable(struct nft_ctx * ctx)803 static int nf_tables_updtable(struct nft_ctx *ctx)
804 {
805 struct nft_trans *trans;
806 u32 flags;
807 int ret = 0;
808
809 if (!ctx->nla[NFTA_TABLE_FLAGS])
810 return 0;
811
812 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
813 if (flags & ~NFT_TABLE_F_DORMANT)
814 return -EINVAL;
815
816 if (flags == ctx->table->flags)
817 return 0;
818
819 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
820 sizeof(struct nft_trans_table));
821 if (trans == NULL)
822 return -ENOMEM;
823
824 if ((flags & NFT_TABLE_F_DORMANT) &&
825 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
826 nft_trans_table_enable(trans) = false;
827 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
828 ctx->table->flags & NFT_TABLE_F_DORMANT) {
829 ret = nf_tables_table_enable(ctx->net, ctx->table);
830 if (ret >= 0) {
831 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
832 nft_trans_table_enable(trans) = true;
833 }
834 }
835 if (ret < 0)
836 goto err;
837
838 nft_trans_table_update(trans) = true;
839 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
840 return 0;
841 err:
842 nft_trans_destroy(trans);
843 return ret;
844 }
845
nft_chain_hash(const void * data,u32 len,u32 seed)846 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
847 {
848 const char *name = data;
849
850 return jhash(name, strlen(name), seed);
851 }
852
nft_chain_hash_obj(const void * data,u32 len,u32 seed)853 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
854 {
855 const struct nft_chain *chain = data;
856
857 return nft_chain_hash(chain->name, 0, seed);
858 }
859
nft_chain_hash_cmp(struct rhashtable_compare_arg * arg,const void * ptr)860 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
861 const void *ptr)
862 {
863 const struct nft_chain *chain = ptr;
864 const char *name = arg->key;
865
866 return strcmp(chain->name, name);
867 }
868
nft_objname_hash(const void * data,u32 len,u32 seed)869 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
870 {
871 const struct nft_object_hash_key *k = data;
872
873 seed ^= hash_ptr(k->table, 32);
874
875 return jhash(k->name, strlen(k->name), seed);
876 }
877
nft_objname_hash_obj(const void * data,u32 len,u32 seed)878 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
879 {
880 const struct nft_object *obj = data;
881
882 return nft_objname_hash(&obj->key, 0, seed);
883 }
884
nft_objname_hash_cmp(struct rhashtable_compare_arg * arg,const void * ptr)885 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
886 const void *ptr)
887 {
888 const struct nft_object_hash_key *k = arg->key;
889 const struct nft_object *obj = ptr;
890
891 if (obj->key.table != k->table)
892 return -1;
893
894 return strcmp(obj->key.name, k->name);
895 }
896
nf_tables_newtable(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)897 static int nf_tables_newtable(struct net *net, struct sock *nlsk,
898 struct sk_buff *skb, const struct nlmsghdr *nlh,
899 const struct nlattr * const nla[],
900 struct netlink_ext_ack *extack)
901 {
902 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
903 u8 genmask = nft_genmask_next(net);
904 int family = nfmsg->nfgen_family;
905 const struct nlattr *attr;
906 struct nft_table *table;
907 u32 flags = 0;
908 struct nft_ctx ctx;
909 int err;
910
911 lockdep_assert_held(&net->nft.commit_mutex);
912 attr = nla[NFTA_TABLE_NAME];
913 table = nft_table_lookup(net, attr, family, genmask);
914 if (IS_ERR(table)) {
915 if (PTR_ERR(table) != -ENOENT)
916 return PTR_ERR(table);
917 } else {
918 if (nlh->nlmsg_flags & NLM_F_EXCL) {
919 NL_SET_BAD_ATTR(extack, attr);
920 return -EEXIST;
921 }
922 if (nlh->nlmsg_flags & NLM_F_REPLACE)
923 return -EOPNOTSUPP;
924
925 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
926 return nf_tables_updtable(&ctx);
927 }
928
929 if (nla[NFTA_TABLE_FLAGS]) {
930 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
931 if (flags & ~NFT_TABLE_F_DORMANT)
932 return -EINVAL;
933 }
934
935 err = -ENOMEM;
936 table = kzalloc(sizeof(*table), GFP_KERNEL);
937 if (table == NULL)
938 goto err_kzalloc;
939
940 table->name = nla_strdup(attr, GFP_KERNEL);
941 if (table->name == NULL)
942 goto err_strdup;
943
944 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
945 if (err)
946 goto err_chain_ht;
947
948 INIT_LIST_HEAD(&table->chains);
949 INIT_LIST_HEAD(&table->sets);
950 INIT_LIST_HEAD(&table->objects);
951 INIT_LIST_HEAD(&table->flowtables);
952 table->family = family;
953 table->flags = flags;
954 table->handle = ++table_handle;
955
956 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
957 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
958 if (err < 0)
959 goto err_trans;
960
961 list_add_tail_rcu(&table->list, &net->nft.tables);
962 return 0;
963 err_trans:
964 rhltable_destroy(&table->chains_ht);
965 err_chain_ht:
966 kfree(table->name);
967 err_strdup:
968 kfree(table);
969 err_kzalloc:
970 return err;
971 }
972
nft_flush_table(struct nft_ctx * ctx)973 static int nft_flush_table(struct nft_ctx *ctx)
974 {
975 struct nft_flowtable *flowtable, *nft;
976 struct nft_chain *chain, *nc;
977 struct nft_object *obj, *ne;
978 struct nft_set *set, *ns;
979 int err;
980
981 list_for_each_entry(chain, &ctx->table->chains, list) {
982 if (!nft_is_active_next(ctx->net, chain))
983 continue;
984
985 ctx->chain = chain;
986
987 err = nft_delrule_by_chain(ctx);
988 if (err < 0)
989 goto out;
990 }
991
992 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
993 if (!nft_is_active_next(ctx->net, set))
994 continue;
995
996 if (nft_set_is_anonymous(set) &&
997 !list_empty(&set->bindings))
998 continue;
999
1000 err = nft_delset(ctx, set);
1001 if (err < 0)
1002 goto out;
1003 }
1004
1005 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1006 if (!nft_is_active_next(ctx->net, flowtable))
1007 continue;
1008
1009 err = nft_delflowtable(ctx, flowtable);
1010 if (err < 0)
1011 goto out;
1012 }
1013
1014 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1015 if (!nft_is_active_next(ctx->net, obj))
1016 continue;
1017
1018 err = nft_delobj(ctx, obj);
1019 if (err < 0)
1020 goto out;
1021 }
1022
1023 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1024 if (!nft_is_active_next(ctx->net, chain))
1025 continue;
1026
1027 ctx->chain = chain;
1028
1029 err = nft_delchain(ctx);
1030 if (err < 0)
1031 goto out;
1032 }
1033
1034 err = nft_deltable(ctx);
1035 out:
1036 return err;
1037 }
1038
nft_flush(struct nft_ctx * ctx,int family)1039 static int nft_flush(struct nft_ctx *ctx, int family)
1040 {
1041 struct nft_table *table, *nt;
1042 const struct nlattr * const *nla = ctx->nla;
1043 int err = 0;
1044
1045 list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) {
1046 if (family != AF_UNSPEC && table->family != family)
1047 continue;
1048
1049 ctx->family = table->family;
1050
1051 if (!nft_is_active_next(ctx->net, table))
1052 continue;
1053
1054 if (nla[NFTA_TABLE_NAME] &&
1055 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1056 continue;
1057
1058 ctx->table = table;
1059
1060 err = nft_flush_table(ctx);
1061 if (err < 0)
1062 goto out;
1063 }
1064 out:
1065 return err;
1066 }
1067
nf_tables_deltable(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)1068 static int nf_tables_deltable(struct net *net, struct sock *nlsk,
1069 struct sk_buff *skb, const struct nlmsghdr *nlh,
1070 const struct nlattr * const nla[],
1071 struct netlink_ext_ack *extack)
1072 {
1073 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1074 u8 genmask = nft_genmask_next(net);
1075 int family = nfmsg->nfgen_family;
1076 const struct nlattr *attr;
1077 struct nft_table *table;
1078 struct nft_ctx ctx;
1079
1080 nft_ctx_init(&ctx, net, skb, nlh, 0, NULL, NULL, nla);
1081 if (family == AF_UNSPEC ||
1082 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1083 return nft_flush(&ctx, family);
1084
1085 if (nla[NFTA_TABLE_HANDLE]) {
1086 attr = nla[NFTA_TABLE_HANDLE];
1087 table = nft_table_lookup_byhandle(net, attr, genmask);
1088 } else {
1089 attr = nla[NFTA_TABLE_NAME];
1090 table = nft_table_lookup(net, attr, family, genmask);
1091 }
1092
1093 if (IS_ERR(table)) {
1094 NL_SET_BAD_ATTR(extack, attr);
1095 return PTR_ERR(table);
1096 }
1097
1098 if (nlh->nlmsg_flags & NLM_F_NONREC &&
1099 table->use > 0)
1100 return -EBUSY;
1101
1102 ctx.family = family;
1103 ctx.table = table;
1104
1105 return nft_flush_table(&ctx);
1106 }
1107
nf_tables_table_destroy(struct nft_ctx * ctx)1108 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1109 {
1110 if (WARN_ON(ctx->table->use > 0))
1111 return;
1112
1113 rhltable_destroy(&ctx->table->chains_ht);
1114 kfree(ctx->table->name);
1115 kfree(ctx->table);
1116 }
1117
nft_register_chain_type(const struct nft_chain_type * ctype)1118 void nft_register_chain_type(const struct nft_chain_type *ctype)
1119 {
1120 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1121 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1122 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1123 return;
1124 }
1125 chain_type[ctype->family][ctype->type] = ctype;
1126 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1127 }
1128 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1129
nft_unregister_chain_type(const struct nft_chain_type * ctype)1130 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1131 {
1132 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1133 chain_type[ctype->family][ctype->type] = NULL;
1134 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1135 }
1136 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1137
1138 /*
1139 * Chains
1140 */
1141
1142 static struct nft_chain *
nft_chain_lookup_byhandle(const struct nft_table * table,u64 handle,u8 genmask)1143 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1144 {
1145 struct nft_chain *chain;
1146
1147 list_for_each_entry(chain, &table->chains, list) {
1148 if (chain->handle == handle &&
1149 nft_active_genmask(chain, genmask))
1150 return chain;
1151 }
1152
1153 return ERR_PTR(-ENOENT);
1154 }
1155
lockdep_commit_lock_is_held(const struct net * net)1156 static bool lockdep_commit_lock_is_held(const struct net *net)
1157 {
1158 #ifdef CONFIG_PROVE_LOCKING
1159 return lockdep_is_held(&net->nft.commit_mutex);
1160 #else
1161 return true;
1162 #endif
1163 }
1164
nft_chain_lookup(struct net * net,struct nft_table * table,const struct nlattr * nla,u8 genmask)1165 static struct nft_chain *nft_chain_lookup(struct net *net,
1166 struct nft_table *table,
1167 const struct nlattr *nla, u8 genmask)
1168 {
1169 char search[NFT_CHAIN_MAXNAMELEN + 1];
1170 struct rhlist_head *tmp, *list;
1171 struct nft_chain *chain;
1172
1173 if (nla == NULL)
1174 return ERR_PTR(-EINVAL);
1175
1176 nla_strlcpy(search, nla, sizeof(search));
1177
1178 WARN_ON(!rcu_read_lock_held() &&
1179 !lockdep_commit_lock_is_held(net));
1180
1181 chain = ERR_PTR(-ENOENT);
1182 rcu_read_lock();
1183 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1184 if (!list)
1185 goto out_unlock;
1186
1187 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1188 if (nft_active_genmask(chain, genmask))
1189 goto out_unlock;
1190 }
1191 chain = ERR_PTR(-ENOENT);
1192 out_unlock:
1193 rcu_read_unlock();
1194 return chain;
1195 }
1196
1197 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1198 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1199 .len = NFT_TABLE_MAXNAMELEN - 1 },
1200 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1201 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1202 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1203 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1204 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1205 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1206 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1207 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1208 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1209 };
1210
1211 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1212 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1213 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1214 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1215 .len = IFNAMSIZ - 1 },
1216 };
1217
nft_dump_stats(struct sk_buff * skb,struct nft_stats __percpu * stats)1218 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1219 {
1220 struct nft_stats *cpu_stats, total;
1221 struct nlattr *nest;
1222 unsigned int seq;
1223 u64 pkts, bytes;
1224 int cpu;
1225
1226 if (!stats)
1227 return 0;
1228
1229 memset(&total, 0, sizeof(total));
1230 for_each_possible_cpu(cpu) {
1231 cpu_stats = per_cpu_ptr(stats, cpu);
1232 do {
1233 seq = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
1234 pkts = cpu_stats->pkts;
1235 bytes = cpu_stats->bytes;
1236 } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, seq));
1237 total.pkts += pkts;
1238 total.bytes += bytes;
1239 }
1240 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1241 if (nest == NULL)
1242 goto nla_put_failure;
1243
1244 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1245 NFTA_COUNTER_PAD) ||
1246 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1247 NFTA_COUNTER_PAD))
1248 goto nla_put_failure;
1249
1250 nla_nest_end(skb, nest);
1251 return 0;
1252
1253 nla_put_failure:
1254 return -ENOSPC;
1255 }
1256
nf_tables_fill_chain_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,const struct nft_chain * chain)1257 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1258 u32 portid, u32 seq, int event, u32 flags,
1259 int family, const struct nft_table *table,
1260 const struct nft_chain *chain)
1261 {
1262 struct nlmsghdr *nlh;
1263 struct nfgenmsg *nfmsg;
1264
1265 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1266 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
1267 if (nlh == NULL)
1268 goto nla_put_failure;
1269
1270 nfmsg = nlmsg_data(nlh);
1271 nfmsg->nfgen_family = family;
1272 nfmsg->version = NFNETLINK_V0;
1273 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
1274
1275 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
1276 goto nla_put_failure;
1277 if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1278 NFTA_CHAIN_PAD))
1279 goto nla_put_failure;
1280 if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
1281 goto nla_put_failure;
1282
1283 if (nft_is_base_chain(chain)) {
1284 const struct nft_base_chain *basechain = nft_base_chain(chain);
1285 const struct nf_hook_ops *ops = &basechain->ops;
1286 struct nft_stats __percpu *stats;
1287 struct nlattr *nest;
1288
1289 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1290 if (nest == NULL)
1291 goto nla_put_failure;
1292 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1293 goto nla_put_failure;
1294 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1295 goto nla_put_failure;
1296 if (basechain->dev_name[0] &&
1297 nla_put_string(skb, NFTA_HOOK_DEV, basechain->dev_name))
1298 goto nla_put_failure;
1299 nla_nest_end(skb, nest);
1300
1301 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1302 htonl(basechain->policy)))
1303 goto nla_put_failure;
1304
1305 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1306 goto nla_put_failure;
1307
1308 stats = rcu_dereference_check(basechain->stats,
1309 lockdep_commit_lock_is_held(net));
1310 if (nft_dump_stats(skb, stats))
1311 goto nla_put_failure;
1312 }
1313
1314 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1315 goto nla_put_failure;
1316
1317 nlmsg_end(skb, nlh);
1318 return 0;
1319
1320 nla_put_failure:
1321 nlmsg_trim(skb, nlh);
1322 return -1;
1323 }
1324
nf_tables_chain_notify(const struct nft_ctx * ctx,int event)1325 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event)
1326 {
1327 struct sk_buff *skb;
1328 int err;
1329
1330 if (!ctx->report &&
1331 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1332 return;
1333
1334 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1335 if (skb == NULL)
1336 goto err;
1337
1338 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1339 event, 0, ctx->family, ctx->table,
1340 ctx->chain);
1341 if (err < 0) {
1342 kfree_skb(skb);
1343 goto err;
1344 }
1345
1346 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
1347 ctx->report, GFP_KERNEL);
1348 return;
1349 err:
1350 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1351 }
1352
nf_tables_dump_chains(struct sk_buff * skb,struct netlink_callback * cb)1353 static int nf_tables_dump_chains(struct sk_buff *skb,
1354 struct netlink_callback *cb)
1355 {
1356 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1357 const struct nft_table *table;
1358 const struct nft_chain *chain;
1359 unsigned int idx = 0, s_idx = cb->args[0];
1360 struct net *net = sock_net(skb->sk);
1361 int family = nfmsg->nfgen_family;
1362
1363 rcu_read_lock();
1364 cb->seq = net->nft.base_seq;
1365
1366 list_for_each_entry_rcu(table, &net->nft.tables, list) {
1367 if (family != NFPROTO_UNSPEC && family != table->family)
1368 continue;
1369
1370 list_for_each_entry_rcu(chain, &table->chains, list) {
1371 if (idx < s_idx)
1372 goto cont;
1373 if (idx > s_idx)
1374 memset(&cb->args[1], 0,
1375 sizeof(cb->args) - sizeof(cb->args[0]));
1376 if (!nft_is_active(net, chain))
1377 continue;
1378 if (nf_tables_fill_chain_info(skb, net,
1379 NETLINK_CB(cb->skb).portid,
1380 cb->nlh->nlmsg_seq,
1381 NFT_MSG_NEWCHAIN,
1382 NLM_F_MULTI,
1383 table->family, table,
1384 chain) < 0)
1385 goto done;
1386
1387 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1388 cont:
1389 idx++;
1390 }
1391 }
1392 done:
1393 rcu_read_unlock();
1394 cb->args[0] = idx;
1395 return skb->len;
1396 }
1397
1398 /* called with rcu_read_lock held */
nf_tables_getchain(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)1399 static int nf_tables_getchain(struct net *net, struct sock *nlsk,
1400 struct sk_buff *skb, const struct nlmsghdr *nlh,
1401 const struct nlattr * const nla[],
1402 struct netlink_ext_ack *extack)
1403 {
1404 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1405 u8 genmask = nft_genmask_cur(net);
1406 const struct nft_chain *chain;
1407 struct nft_table *table;
1408 struct sk_buff *skb2;
1409 int family = nfmsg->nfgen_family;
1410 int err;
1411
1412 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1413 struct netlink_dump_control c = {
1414 .dump = nf_tables_dump_chains,
1415 .module = THIS_MODULE,
1416 };
1417
1418 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
1419 }
1420
1421 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1422 if (IS_ERR(table)) {
1423 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1424 return PTR_ERR(table);
1425 }
1426
1427 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1428 if (IS_ERR(chain)) {
1429 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1430 return PTR_ERR(chain);
1431 }
1432
1433 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1434 if (!skb2)
1435 return -ENOMEM;
1436
1437 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1438 nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
1439 family, table, chain);
1440 if (err < 0)
1441 goto err;
1442
1443 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
1444
1445 err:
1446 kfree_skb(skb2);
1447 return err;
1448 }
1449
1450 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
1451 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
1452 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
1453 };
1454
nft_stats_alloc(const struct nlattr * attr)1455 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
1456 {
1457 struct nlattr *tb[NFTA_COUNTER_MAX+1];
1458 struct nft_stats __percpu *newstats;
1459 struct nft_stats *stats;
1460 int err;
1461
1462 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
1463 nft_counter_policy, NULL);
1464 if (err < 0)
1465 return ERR_PTR(err);
1466
1467 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
1468 return ERR_PTR(-EINVAL);
1469
1470 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
1471 if (newstats == NULL)
1472 return ERR_PTR(-ENOMEM);
1473
1474 /* Restore old counters on this cpu, no problem. Per-cpu statistics
1475 * are not exposed to userspace.
1476 */
1477 preempt_disable();
1478 stats = this_cpu_ptr(newstats);
1479 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
1480 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
1481 preempt_enable();
1482
1483 return newstats;
1484 }
1485
nft_chain_stats_replace(struct nft_trans * trans)1486 static void nft_chain_stats_replace(struct nft_trans *trans)
1487 {
1488 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
1489
1490 if (!nft_trans_chain_stats(trans))
1491 return;
1492
1493 rcu_swap_protected(chain->stats, nft_trans_chain_stats(trans),
1494 lockdep_commit_lock_is_held(trans->ctx.net));
1495
1496 if (!nft_trans_chain_stats(trans))
1497 static_branch_inc(&nft_counters_enabled);
1498 }
1499
nf_tables_chain_free_chain_rules(struct nft_chain * chain)1500 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
1501 {
1502 struct nft_rule **g0 = rcu_dereference_raw(chain->rules_gen_0);
1503 struct nft_rule **g1 = rcu_dereference_raw(chain->rules_gen_1);
1504
1505 if (g0 != g1)
1506 kvfree(g1);
1507 kvfree(g0);
1508
1509 /* should be NULL either via abort or via successful commit */
1510 WARN_ON_ONCE(chain->rules_next);
1511 kvfree(chain->rules_next);
1512 }
1513
nf_tables_chain_destroy(struct nft_ctx * ctx)1514 static void nf_tables_chain_destroy(struct nft_ctx *ctx)
1515 {
1516 struct nft_chain *chain = ctx->chain;
1517
1518 if (WARN_ON(chain->use > 0))
1519 return;
1520
1521 /* no concurrent access possible anymore */
1522 nf_tables_chain_free_chain_rules(chain);
1523
1524 if (nft_is_base_chain(chain)) {
1525 struct nft_base_chain *basechain = nft_base_chain(chain);
1526
1527 module_put(basechain->type->owner);
1528 if (rcu_access_pointer(basechain->stats)) {
1529 static_branch_dec(&nft_counters_enabled);
1530 free_percpu(rcu_dereference_raw(basechain->stats));
1531 }
1532 kfree(chain->name);
1533 kfree(basechain);
1534 } else {
1535 kfree(chain->name);
1536 kfree(chain);
1537 }
1538 }
1539
1540 struct nft_chain_hook {
1541 u32 num;
1542 s32 priority;
1543 const struct nft_chain_type *type;
1544 struct net_device *dev;
1545 };
1546
nft_chain_parse_hook(struct net * net,const struct nlattr * const nla[],struct nft_chain_hook * hook,u8 family,bool autoload)1547 static int nft_chain_parse_hook(struct net *net,
1548 const struct nlattr * const nla[],
1549 struct nft_chain_hook *hook, u8 family,
1550 bool autoload)
1551 {
1552 struct nlattr *ha[NFTA_HOOK_MAX + 1];
1553 const struct nft_chain_type *type;
1554 struct net_device *dev;
1555 int err;
1556
1557 lockdep_assert_held(&net->nft.commit_mutex);
1558 lockdep_nfnl_nft_mutex_not_held();
1559
1560 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
1561 nla[NFTA_CHAIN_HOOK],
1562 nft_hook_policy, NULL);
1563 if (err < 0)
1564 return err;
1565
1566 if (ha[NFTA_HOOK_HOOKNUM] == NULL ||
1567 ha[NFTA_HOOK_PRIORITY] == NULL)
1568 return -EINVAL;
1569
1570 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1571 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1572
1573 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
1574 if (!type)
1575 return -EOPNOTSUPP;
1576
1577 if (nla[NFTA_CHAIN_TYPE]) {
1578 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1579 family, autoload);
1580 if (IS_ERR(type))
1581 return PTR_ERR(type);
1582 }
1583 if (hook->num > NF_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
1584 return -EOPNOTSUPP;
1585
1586 if (type->type == NFT_CHAIN_T_NAT &&
1587 hook->priority <= NF_IP_PRI_CONNTRACK)
1588 return -EOPNOTSUPP;
1589
1590 if (!try_module_get(type->owner))
1591 return -ENOENT;
1592
1593 hook->type = type;
1594
1595 hook->dev = NULL;
1596 if (family == NFPROTO_NETDEV) {
1597 char ifname[IFNAMSIZ];
1598
1599 if (!ha[NFTA_HOOK_DEV]) {
1600 module_put(type->owner);
1601 return -EOPNOTSUPP;
1602 }
1603
1604 nla_strlcpy(ifname, ha[NFTA_HOOK_DEV], IFNAMSIZ);
1605 dev = __dev_get_by_name(net, ifname);
1606 if (!dev) {
1607 module_put(type->owner);
1608 return -ENOENT;
1609 }
1610 hook->dev = dev;
1611 } else if (ha[NFTA_HOOK_DEV]) {
1612 module_put(type->owner);
1613 return -EOPNOTSUPP;
1614 }
1615
1616 return 0;
1617 }
1618
nft_chain_release_hook(struct nft_chain_hook * hook)1619 static void nft_chain_release_hook(struct nft_chain_hook *hook)
1620 {
1621 module_put(hook->type->owner);
1622 }
1623
1624 struct nft_rules_old {
1625 struct rcu_head h;
1626 struct nft_rule **start;
1627 };
1628
nf_tables_chain_alloc_rules(const struct nft_chain * chain,unsigned int alloc)1629 static struct nft_rule **nf_tables_chain_alloc_rules(const struct nft_chain *chain,
1630 unsigned int alloc)
1631 {
1632 if (alloc > INT_MAX)
1633 return NULL;
1634
1635 alloc += 1; /* NULL, ends rules */
1636 if (sizeof(struct nft_rule *) > INT_MAX / alloc)
1637 return NULL;
1638
1639 alloc *= sizeof(struct nft_rule *);
1640 alloc += sizeof(struct nft_rules_old);
1641
1642 return kvmalloc(alloc, GFP_KERNEL);
1643 }
1644
nf_tables_addchain(struct nft_ctx * ctx,u8 family,u8 genmask,u8 policy,u32 flags)1645 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
1646 u8 policy, u32 flags)
1647 {
1648 const struct nlattr * const *nla = ctx->nla;
1649 struct nft_table *table = ctx->table;
1650 struct nft_base_chain *basechain;
1651 struct nft_stats __percpu *stats;
1652 struct net *net = ctx->net;
1653 struct nft_trans *trans;
1654 struct nft_chain *chain;
1655 struct nft_rule **rules;
1656 int err;
1657
1658 if (table->use == UINT_MAX)
1659 return -EOVERFLOW;
1660
1661 if (nla[NFTA_CHAIN_HOOK]) {
1662 struct nft_chain_hook hook;
1663 struct nf_hook_ops *ops;
1664
1665 err = nft_chain_parse_hook(net, nla, &hook, family, true);
1666 if (err < 0)
1667 return err;
1668
1669 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
1670 if (basechain == NULL) {
1671 nft_chain_release_hook(&hook);
1672 return -ENOMEM;
1673 }
1674
1675 if (hook.dev != NULL)
1676 strncpy(basechain->dev_name, hook.dev->name, IFNAMSIZ);
1677
1678 if (nla[NFTA_CHAIN_COUNTERS]) {
1679 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1680 if (IS_ERR(stats)) {
1681 nft_chain_release_hook(&hook);
1682 kfree(basechain);
1683 return PTR_ERR(stats);
1684 }
1685 rcu_assign_pointer(basechain->stats, stats);
1686 static_branch_inc(&nft_counters_enabled);
1687 }
1688
1689 basechain->type = hook.type;
1690 chain = &basechain->chain;
1691
1692 ops = &basechain->ops;
1693 ops->pf = family;
1694 ops->hooknum = hook.num;
1695 ops->priority = hook.priority;
1696 ops->priv = chain;
1697 ops->hook = hook.type->hooks[ops->hooknum];
1698 ops->dev = hook.dev;
1699
1700 chain->flags |= NFT_BASE_CHAIN | flags;
1701 basechain->policy = NF_ACCEPT;
1702 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
1703 nft_chain_offload_priority(basechain) < 0)
1704 return -EOPNOTSUPP;
1705
1706 flow_block_init(&basechain->flow_block);
1707 } else {
1708 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
1709 if (chain == NULL)
1710 return -ENOMEM;
1711 }
1712 ctx->chain = chain;
1713
1714 INIT_LIST_HEAD(&chain->rules);
1715 chain->handle = nf_tables_alloc_handle(table);
1716 chain->table = table;
1717 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1718 if (!chain->name) {
1719 err = -ENOMEM;
1720 goto err1;
1721 }
1722
1723 rules = nf_tables_chain_alloc_rules(chain, 0);
1724 if (!rules) {
1725 err = -ENOMEM;
1726 goto err1;
1727 }
1728
1729 *rules = NULL;
1730 rcu_assign_pointer(chain->rules_gen_0, rules);
1731 rcu_assign_pointer(chain->rules_gen_1, rules);
1732
1733 err = nf_tables_register_hook(net, table, chain);
1734 if (err < 0)
1735 goto err1;
1736
1737 err = rhltable_insert_key(&table->chains_ht, chain->name,
1738 &chain->rhlhead, nft_chain_ht_params);
1739 if (err)
1740 goto err2;
1741
1742 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
1743 if (IS_ERR(trans)) {
1744 err = PTR_ERR(trans);
1745 rhltable_remove(&table->chains_ht, &chain->rhlhead,
1746 nft_chain_ht_params);
1747 goto err2;
1748 }
1749
1750 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
1751 if (nft_is_base_chain(chain))
1752 nft_trans_chain_policy(trans) = policy;
1753
1754 table->use++;
1755 list_add_tail_rcu(&chain->list, &table->chains);
1756
1757 return 0;
1758 err2:
1759 nf_tables_unregister_hook(net, table, chain);
1760 err1:
1761 nf_tables_chain_destroy(ctx);
1762
1763 return err;
1764 }
1765
nf_tables_updchain(struct nft_ctx * ctx,u8 genmask,u8 policy,u32 flags)1766 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
1767 u32 flags)
1768 {
1769 const struct nlattr * const *nla = ctx->nla;
1770 struct nft_table *table = ctx->table;
1771 struct nft_chain *chain = ctx->chain;
1772 struct nft_base_chain *basechain;
1773 struct nft_stats *stats = NULL;
1774 struct nft_chain_hook hook;
1775 struct nf_hook_ops *ops;
1776 struct nft_trans *trans;
1777 int err;
1778
1779 if (chain->flags ^ flags)
1780 return -EOPNOTSUPP;
1781
1782 if (nla[NFTA_CHAIN_HOOK]) {
1783 if (!nft_is_base_chain(chain))
1784 return -EBUSY;
1785
1786 err = nft_chain_parse_hook(ctx->net, nla, &hook, ctx->family,
1787 false);
1788 if (err < 0)
1789 return err;
1790
1791 basechain = nft_base_chain(chain);
1792 if (basechain->type != hook.type) {
1793 nft_chain_release_hook(&hook);
1794 return -EBUSY;
1795 }
1796
1797 ops = &basechain->ops;
1798 if (ops->hooknum != hook.num ||
1799 ops->priority != hook.priority ||
1800 ops->dev != hook.dev) {
1801 nft_chain_release_hook(&hook);
1802 return -EBUSY;
1803 }
1804 nft_chain_release_hook(&hook);
1805 }
1806
1807 if (nla[NFTA_CHAIN_HANDLE] &&
1808 nla[NFTA_CHAIN_NAME]) {
1809 struct nft_chain *chain2;
1810
1811 chain2 = nft_chain_lookup(ctx->net, table,
1812 nla[NFTA_CHAIN_NAME], genmask);
1813 if (!IS_ERR(chain2))
1814 return -EEXIST;
1815 }
1816
1817 if (nla[NFTA_CHAIN_COUNTERS]) {
1818 if (!nft_is_base_chain(chain))
1819 return -EOPNOTSUPP;
1820
1821 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
1822 if (IS_ERR(stats))
1823 return PTR_ERR(stats);
1824 }
1825
1826 err = -ENOMEM;
1827 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
1828 sizeof(struct nft_trans_chain));
1829 if (trans == NULL)
1830 goto err;
1831
1832 nft_trans_chain_stats(trans) = stats;
1833 nft_trans_chain_update(trans) = true;
1834
1835 if (nla[NFTA_CHAIN_POLICY])
1836 nft_trans_chain_policy(trans) = policy;
1837 else
1838 nft_trans_chain_policy(trans) = -1;
1839
1840 if (nla[NFTA_CHAIN_HANDLE] &&
1841 nla[NFTA_CHAIN_NAME]) {
1842 struct nft_trans *tmp;
1843 char *name;
1844
1845 err = -ENOMEM;
1846 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
1847 if (!name)
1848 goto err;
1849
1850 err = -EEXIST;
1851 list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) {
1852 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
1853 tmp->ctx.table == table &&
1854 nft_trans_chain_update(tmp) &&
1855 nft_trans_chain_name(tmp) &&
1856 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
1857 kfree(name);
1858 goto err;
1859 }
1860 }
1861
1862 nft_trans_chain_name(trans) = name;
1863 }
1864 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
1865
1866 return 0;
1867 err:
1868 free_percpu(stats);
1869 kfree(trans);
1870 return err;
1871 }
1872
nf_tables_newchain(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)1873 static int nf_tables_newchain(struct net *net, struct sock *nlsk,
1874 struct sk_buff *skb, const struct nlmsghdr *nlh,
1875 const struct nlattr * const nla[],
1876 struct netlink_ext_ack *extack)
1877 {
1878 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1879 u8 genmask = nft_genmask_next(net);
1880 int family = nfmsg->nfgen_family;
1881 const struct nlattr *attr;
1882 struct nft_table *table;
1883 struct nft_chain *chain;
1884 u8 policy = NF_ACCEPT;
1885 struct nft_ctx ctx;
1886 u64 handle = 0;
1887 u32 flags = 0;
1888
1889 lockdep_assert_held(&net->nft.commit_mutex);
1890
1891 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1892 if (IS_ERR(table)) {
1893 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1894 return PTR_ERR(table);
1895 }
1896
1897 chain = NULL;
1898 attr = nla[NFTA_CHAIN_NAME];
1899
1900 if (nla[NFTA_CHAIN_HANDLE]) {
1901 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
1902 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1903 if (IS_ERR(chain)) {
1904 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
1905 return PTR_ERR(chain);
1906 }
1907 attr = nla[NFTA_CHAIN_HANDLE];
1908 } else {
1909 chain = nft_chain_lookup(net, table, attr, genmask);
1910 if (IS_ERR(chain)) {
1911 if (PTR_ERR(chain) != -ENOENT) {
1912 NL_SET_BAD_ATTR(extack, attr);
1913 return PTR_ERR(chain);
1914 }
1915 chain = NULL;
1916 }
1917 }
1918
1919 if (nla[NFTA_CHAIN_POLICY]) {
1920 if (chain != NULL &&
1921 !nft_is_base_chain(chain)) {
1922 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1923 return -EOPNOTSUPP;
1924 }
1925
1926 if (chain == NULL &&
1927 nla[NFTA_CHAIN_HOOK] == NULL) {
1928 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
1929 return -EOPNOTSUPP;
1930 }
1931
1932 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
1933 switch (policy) {
1934 case NF_DROP:
1935 case NF_ACCEPT:
1936 break;
1937 default:
1938 return -EINVAL;
1939 }
1940 }
1941
1942 if (nla[NFTA_CHAIN_FLAGS])
1943 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
1944 else if (chain)
1945 flags = chain->flags;
1946
1947 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
1948
1949 if (chain != NULL) {
1950 if (nlh->nlmsg_flags & NLM_F_EXCL) {
1951 NL_SET_BAD_ATTR(extack, attr);
1952 return -EEXIST;
1953 }
1954 if (nlh->nlmsg_flags & NLM_F_REPLACE)
1955 return -EOPNOTSUPP;
1956
1957 flags |= chain->flags & NFT_BASE_CHAIN;
1958 return nf_tables_updchain(&ctx, genmask, policy, flags);
1959 }
1960
1961 return nf_tables_addchain(&ctx, family, genmask, policy, flags);
1962 }
1963
nf_tables_delchain(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)1964 static int nf_tables_delchain(struct net *net, struct sock *nlsk,
1965 struct sk_buff *skb, const struct nlmsghdr *nlh,
1966 const struct nlattr * const nla[],
1967 struct netlink_ext_ack *extack)
1968 {
1969 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1970 u8 genmask = nft_genmask_next(net);
1971 int family = nfmsg->nfgen_family;
1972 const struct nlattr *attr;
1973 struct nft_table *table;
1974 struct nft_chain *chain;
1975 struct nft_rule *rule;
1976 struct nft_ctx ctx;
1977 u64 handle;
1978 u32 use;
1979 int err;
1980
1981 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask);
1982 if (IS_ERR(table)) {
1983 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1984 return PTR_ERR(table);
1985 }
1986
1987 if (nla[NFTA_CHAIN_HANDLE]) {
1988 attr = nla[NFTA_CHAIN_HANDLE];
1989 handle = be64_to_cpu(nla_get_be64(attr));
1990 chain = nft_chain_lookup_byhandle(table, handle, genmask);
1991 } else {
1992 attr = nla[NFTA_CHAIN_NAME];
1993 chain = nft_chain_lookup(net, table, attr, genmask);
1994 }
1995 if (IS_ERR(chain)) {
1996 NL_SET_BAD_ATTR(extack, attr);
1997 return PTR_ERR(chain);
1998 }
1999
2000 if (nlh->nlmsg_flags & NLM_F_NONREC &&
2001 chain->use > 0)
2002 return -EBUSY;
2003
2004 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2005
2006 use = chain->use;
2007 list_for_each_entry(rule, &chain->rules, list) {
2008 if (!nft_is_active_next(net, rule))
2009 continue;
2010 use--;
2011
2012 err = nft_delrule(&ctx, rule);
2013 if (err < 0)
2014 return err;
2015 }
2016
2017 /* There are rules and elements that are still holding references to us,
2018 * we cannot do a recursive removal in this case.
2019 */
2020 if (use > 0) {
2021 NL_SET_BAD_ATTR(extack, attr);
2022 return -EBUSY;
2023 }
2024
2025 return nft_delchain(&ctx);
2026 }
2027
2028 /*
2029 * Expressions
2030 */
2031
2032 /**
2033 * nft_register_expr - register nf_tables expr type
2034 * @ops: expr type
2035 *
2036 * Registers the expr type for use with nf_tables. Returns zero on
2037 * success or a negative errno code otherwise.
2038 */
nft_register_expr(struct nft_expr_type * type)2039 int nft_register_expr(struct nft_expr_type *type)
2040 {
2041 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2042 if (type->family == NFPROTO_UNSPEC)
2043 list_add_tail_rcu(&type->list, &nf_tables_expressions);
2044 else
2045 list_add_rcu(&type->list, &nf_tables_expressions);
2046 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2047 return 0;
2048 }
2049 EXPORT_SYMBOL_GPL(nft_register_expr);
2050
2051 /**
2052 * nft_unregister_expr - unregister nf_tables expr type
2053 * @ops: expr type
2054 *
2055 * Unregisters the expr typefor use with nf_tables.
2056 */
nft_unregister_expr(struct nft_expr_type * type)2057 void nft_unregister_expr(struct nft_expr_type *type)
2058 {
2059 nfnl_lock(NFNL_SUBSYS_NFTABLES);
2060 list_del_rcu(&type->list);
2061 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
2062 }
2063 EXPORT_SYMBOL_GPL(nft_unregister_expr);
2064
__nft_expr_type_get(u8 family,struct nlattr * nla)2065 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
2066 struct nlattr *nla)
2067 {
2068 const struct nft_expr_type *type, *candidate = NULL;
2069
2070 list_for_each_entry(type, &nf_tables_expressions, list) {
2071 if (!nla_strcmp(nla, type->name)) {
2072 if (!type->family && !candidate)
2073 candidate = type;
2074 else if (type->family == family)
2075 candidate = type;
2076 }
2077 }
2078 return candidate;
2079 }
2080
2081 #ifdef CONFIG_MODULES
nft_expr_type_request_module(struct net * net,u8 family,struct nlattr * nla)2082 static int nft_expr_type_request_module(struct net *net, u8 family,
2083 struct nlattr *nla)
2084 {
2085 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
2086 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
2087 return -EAGAIN;
2088
2089 return 0;
2090 }
2091 #endif
2092
nft_expr_type_get(struct net * net,u8 family,struct nlattr * nla)2093 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
2094 u8 family,
2095 struct nlattr *nla)
2096 {
2097 const struct nft_expr_type *type;
2098
2099 if (nla == NULL)
2100 return ERR_PTR(-EINVAL);
2101
2102 type = __nft_expr_type_get(family, nla);
2103 if (type != NULL && try_module_get(type->owner))
2104 return type;
2105
2106 lockdep_nfnl_nft_mutex_not_held();
2107 #ifdef CONFIG_MODULES
2108 if (type == NULL) {
2109 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2110 return ERR_PTR(-EAGAIN);
2111
2112 if (nft_request_module(net, "nft-expr-%.*s",
2113 nla_len(nla),
2114 (char *)nla_data(nla)) == -EAGAIN)
2115 return ERR_PTR(-EAGAIN);
2116 }
2117 #endif
2118 return ERR_PTR(-ENOENT);
2119 }
2120
2121 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
2122 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
2123 .len = NFT_MODULE_AUTOLOAD_LIMIT },
2124 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
2125 };
2126
nf_tables_fill_expr_info(struct sk_buff * skb,const struct nft_expr * expr)2127 static int nf_tables_fill_expr_info(struct sk_buff *skb,
2128 const struct nft_expr *expr)
2129 {
2130 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
2131 goto nla_put_failure;
2132
2133 if (expr->ops->dump) {
2134 struct nlattr *data = nla_nest_start_noflag(skb,
2135 NFTA_EXPR_DATA);
2136 if (data == NULL)
2137 goto nla_put_failure;
2138 if (expr->ops->dump(skb, expr) < 0)
2139 goto nla_put_failure;
2140 nla_nest_end(skb, data);
2141 }
2142
2143 return skb->len;
2144
2145 nla_put_failure:
2146 return -1;
2147 };
2148
nft_expr_dump(struct sk_buff * skb,unsigned int attr,const struct nft_expr * expr)2149 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
2150 const struct nft_expr *expr)
2151 {
2152 struct nlattr *nest;
2153
2154 nest = nla_nest_start_noflag(skb, attr);
2155 if (!nest)
2156 goto nla_put_failure;
2157 if (nf_tables_fill_expr_info(skb, expr) < 0)
2158 goto nla_put_failure;
2159 nla_nest_end(skb, nest);
2160 return 0;
2161
2162 nla_put_failure:
2163 return -1;
2164 }
2165
2166 struct nft_expr_info {
2167 const struct nft_expr_ops *ops;
2168 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
2169 };
2170
nf_tables_expr_parse(const struct nft_ctx * ctx,const struct nlattr * nla,struct nft_expr_info * info)2171 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
2172 const struct nlattr *nla,
2173 struct nft_expr_info *info)
2174 {
2175 const struct nft_expr_type *type;
2176 const struct nft_expr_ops *ops;
2177 struct nlattr *tb[NFTA_EXPR_MAX + 1];
2178 int err;
2179
2180 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
2181 nft_expr_policy, NULL);
2182 if (err < 0)
2183 return err;
2184
2185 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
2186 if (IS_ERR(type))
2187 return PTR_ERR(type);
2188
2189 if (tb[NFTA_EXPR_DATA]) {
2190 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
2191 tb[NFTA_EXPR_DATA],
2192 type->policy, NULL);
2193 if (err < 0)
2194 goto err1;
2195 } else
2196 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
2197
2198 if (type->select_ops != NULL) {
2199 ops = type->select_ops(ctx,
2200 (const struct nlattr * const *)info->tb);
2201 if (IS_ERR(ops)) {
2202 err = PTR_ERR(ops);
2203 #ifdef CONFIG_MODULES
2204 if (err == -EAGAIN)
2205 if (nft_expr_type_request_module(ctx->net,
2206 ctx->family,
2207 tb[NFTA_EXPR_NAME]) != -EAGAIN)
2208 err = -ENOENT;
2209 #endif
2210 goto err1;
2211 }
2212 } else
2213 ops = type->ops;
2214
2215 info->ops = ops;
2216 return 0;
2217
2218 err1:
2219 module_put(type->owner);
2220 return err;
2221 }
2222
nf_tables_newexpr(const struct nft_ctx * ctx,const struct nft_expr_info * info,struct nft_expr * expr)2223 static int nf_tables_newexpr(const struct nft_ctx *ctx,
2224 const struct nft_expr_info *info,
2225 struct nft_expr *expr)
2226 {
2227 const struct nft_expr_ops *ops = info->ops;
2228 int err;
2229
2230 expr->ops = ops;
2231 if (ops->init) {
2232 err = ops->init(ctx, expr, (const struct nlattr **)info->tb);
2233 if (err < 0)
2234 goto err1;
2235 }
2236
2237 return 0;
2238 err1:
2239 expr->ops = NULL;
2240 return err;
2241 }
2242
nf_tables_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)2243 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
2244 struct nft_expr *expr)
2245 {
2246 const struct nft_expr_type *type = expr->ops->type;
2247
2248 if (expr->ops->destroy)
2249 expr->ops->destroy(ctx, expr);
2250 module_put(type->owner);
2251 }
2252
nft_expr_init(const struct nft_ctx * ctx,const struct nlattr * nla)2253 struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2254 const struct nlattr *nla)
2255 {
2256 struct nft_expr_info info;
2257 struct nft_expr *expr;
2258 struct module *owner;
2259 int err;
2260
2261 err = nf_tables_expr_parse(ctx, nla, &info);
2262 if (err < 0)
2263 goto err1;
2264
2265 err = -ENOMEM;
2266 expr = kzalloc(info.ops->size, GFP_KERNEL);
2267 if (expr == NULL)
2268 goto err2;
2269
2270 err = nf_tables_newexpr(ctx, &info, expr);
2271 if (err < 0)
2272 goto err3;
2273
2274 return expr;
2275 err3:
2276 kfree(expr);
2277 err2:
2278 owner = info.ops->type->owner;
2279 if (info.ops->type->release_ops)
2280 info.ops->type->release_ops(info.ops);
2281
2282 module_put(owner);
2283 err1:
2284 return ERR_PTR(err);
2285 }
2286
nft_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)2287 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
2288 {
2289 nf_tables_expr_destroy(ctx, expr);
2290 kfree(expr);
2291 }
2292
2293 /*
2294 * Rules
2295 */
2296
__nft_rule_lookup(const struct nft_chain * chain,u64 handle)2297 static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
2298 u64 handle)
2299 {
2300 struct nft_rule *rule;
2301
2302 // FIXME: this sucks
2303 list_for_each_entry_rcu(rule, &chain->rules, list) {
2304 if (handle == rule->handle)
2305 return rule;
2306 }
2307
2308 return ERR_PTR(-ENOENT);
2309 }
2310
nft_rule_lookup(const struct nft_chain * chain,const struct nlattr * nla)2311 static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
2312 const struct nlattr *nla)
2313 {
2314 if (nla == NULL)
2315 return ERR_PTR(-EINVAL);
2316
2317 return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
2318 }
2319
2320 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
2321 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
2322 .len = NFT_TABLE_MAXNAMELEN - 1 },
2323 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
2324 .len = NFT_CHAIN_MAXNAMELEN - 1 },
2325 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
2326 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
2327 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
2328 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
2329 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
2330 .len = NFT_USERDATA_MAXLEN },
2331 [NFTA_RULE_ID] = { .type = NLA_U32 },
2332 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
2333 };
2334
nf_tables_fill_rule_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,const struct nft_chain * chain,const struct nft_rule * rule,const struct nft_rule * prule)2335 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
2336 u32 portid, u32 seq, int event,
2337 u32 flags, int family,
2338 const struct nft_table *table,
2339 const struct nft_chain *chain,
2340 const struct nft_rule *rule,
2341 const struct nft_rule *prule)
2342 {
2343 struct nlmsghdr *nlh;
2344 struct nfgenmsg *nfmsg;
2345 const struct nft_expr *expr, *next;
2346 struct nlattr *list;
2347 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
2348
2349 nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags);
2350 if (nlh == NULL)
2351 goto nla_put_failure;
2352
2353 nfmsg = nlmsg_data(nlh);
2354 nfmsg->nfgen_family = family;
2355 nfmsg->version = NFNETLINK_V0;
2356 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
2357
2358 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
2359 goto nla_put_failure;
2360 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
2361 goto nla_put_failure;
2362 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
2363 NFTA_RULE_PAD))
2364 goto nla_put_failure;
2365
2366 if (event != NFT_MSG_DELRULE && prule) {
2367 if (nla_put_be64(skb, NFTA_RULE_POSITION,
2368 cpu_to_be64(prule->handle),
2369 NFTA_RULE_PAD))
2370 goto nla_put_failure;
2371 }
2372
2373 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
2374 if (list == NULL)
2375 goto nla_put_failure;
2376 nft_rule_for_each_expr(expr, next, rule) {
2377 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr) < 0)
2378 goto nla_put_failure;
2379 }
2380 nla_nest_end(skb, list);
2381
2382 if (rule->udata) {
2383 struct nft_userdata *udata = nft_userdata(rule);
2384 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
2385 udata->data) < 0)
2386 goto nla_put_failure;
2387 }
2388
2389 nlmsg_end(skb, nlh);
2390 return 0;
2391
2392 nla_put_failure:
2393 nlmsg_trim(skb, nlh);
2394 return -1;
2395 }
2396
nf_tables_rule_notify(const struct nft_ctx * ctx,const struct nft_rule * rule,int event)2397 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
2398 const struct nft_rule *rule, int event)
2399 {
2400 struct sk_buff *skb;
2401 int err;
2402
2403 if (!ctx->report &&
2404 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
2405 return;
2406
2407 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
2408 if (skb == NULL)
2409 goto err;
2410
2411 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
2412 event, 0, ctx->family, ctx->table,
2413 ctx->chain, rule, NULL);
2414 if (err < 0) {
2415 kfree_skb(skb);
2416 goto err;
2417 }
2418
2419 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
2420 ctx->report, GFP_KERNEL);
2421 return;
2422 err:
2423 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
2424 }
2425
2426 struct nft_rule_dump_ctx {
2427 char *table;
2428 char *chain;
2429 };
2430
__nf_tables_dump_rules(struct sk_buff * skb,unsigned int * idx,struct netlink_callback * cb,const struct nft_table * table,const struct nft_chain * chain)2431 static int __nf_tables_dump_rules(struct sk_buff *skb,
2432 unsigned int *idx,
2433 struct netlink_callback *cb,
2434 const struct nft_table *table,
2435 const struct nft_chain *chain)
2436 {
2437 struct net *net = sock_net(skb->sk);
2438 const struct nft_rule *rule, *prule;
2439 unsigned int s_idx = cb->args[0];
2440
2441 prule = NULL;
2442 list_for_each_entry_rcu(rule, &chain->rules, list) {
2443 if (!nft_is_active(net, rule))
2444 goto cont_skip;
2445 if (*idx < s_idx)
2446 goto cont;
2447 if (*idx > s_idx) {
2448 memset(&cb->args[1], 0,
2449 sizeof(cb->args) - sizeof(cb->args[0]));
2450 }
2451 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
2452 cb->nlh->nlmsg_seq,
2453 NFT_MSG_NEWRULE,
2454 NLM_F_MULTI | NLM_F_APPEND,
2455 table->family,
2456 table, chain, rule, prule) < 0)
2457 return 1;
2458
2459 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
2460 cont:
2461 prule = rule;
2462 cont_skip:
2463 (*idx)++;
2464 }
2465 return 0;
2466 }
2467
nf_tables_dump_rules(struct sk_buff * skb,struct netlink_callback * cb)2468 static int nf_tables_dump_rules(struct sk_buff *skb,
2469 struct netlink_callback *cb)
2470 {
2471 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2472 const struct nft_rule_dump_ctx *ctx = cb->data;
2473 struct nft_table *table;
2474 const struct nft_chain *chain;
2475 unsigned int idx = 0;
2476 struct net *net = sock_net(skb->sk);
2477 int family = nfmsg->nfgen_family;
2478
2479 rcu_read_lock();
2480 cb->seq = net->nft.base_seq;
2481
2482 list_for_each_entry_rcu(table, &net->nft.tables, list) {
2483 if (family != NFPROTO_UNSPEC && family != table->family)
2484 continue;
2485
2486 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
2487 continue;
2488
2489 if (ctx && ctx->table && ctx->chain) {
2490 struct rhlist_head *list, *tmp;
2491
2492 list = rhltable_lookup(&table->chains_ht, ctx->chain,
2493 nft_chain_ht_params);
2494 if (!list)
2495 goto done;
2496
2497 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
2498 if (!nft_is_active(net, chain))
2499 continue;
2500 __nf_tables_dump_rules(skb, &idx,
2501 cb, table, chain);
2502 break;
2503 }
2504 goto done;
2505 }
2506
2507 list_for_each_entry_rcu(chain, &table->chains, list) {
2508 if (__nf_tables_dump_rules(skb, &idx, cb, table, chain))
2509 goto done;
2510 }
2511
2512 if (ctx && ctx->table)
2513 break;
2514 }
2515 done:
2516 rcu_read_unlock();
2517
2518 cb->args[0] = idx;
2519 return skb->len;
2520 }
2521
nf_tables_dump_rules_start(struct netlink_callback * cb)2522 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
2523 {
2524 const struct nlattr * const *nla = cb->data;
2525 struct nft_rule_dump_ctx *ctx = NULL;
2526
2527 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
2528 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
2529 if (!ctx)
2530 return -ENOMEM;
2531
2532 if (nla[NFTA_RULE_TABLE]) {
2533 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
2534 GFP_ATOMIC);
2535 if (!ctx->table) {
2536 kfree(ctx);
2537 return -ENOMEM;
2538 }
2539 }
2540 if (nla[NFTA_RULE_CHAIN]) {
2541 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
2542 GFP_ATOMIC);
2543 if (!ctx->chain) {
2544 kfree(ctx->table);
2545 kfree(ctx);
2546 return -ENOMEM;
2547 }
2548 }
2549 }
2550
2551 cb->data = ctx;
2552 return 0;
2553 }
2554
nf_tables_dump_rules_done(struct netlink_callback * cb)2555 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
2556 {
2557 struct nft_rule_dump_ctx *ctx = cb->data;
2558
2559 if (ctx) {
2560 kfree(ctx->table);
2561 kfree(ctx->chain);
2562 kfree(ctx);
2563 }
2564 return 0;
2565 }
2566
2567 /* called with rcu_read_lock held */
nf_tables_getrule(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)2568 static int nf_tables_getrule(struct net *net, struct sock *nlsk,
2569 struct sk_buff *skb, const struct nlmsghdr *nlh,
2570 const struct nlattr * const nla[],
2571 struct netlink_ext_ack *extack)
2572 {
2573 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2574 u8 genmask = nft_genmask_cur(net);
2575 const struct nft_chain *chain;
2576 const struct nft_rule *rule;
2577 struct nft_table *table;
2578 struct sk_buff *skb2;
2579 int family = nfmsg->nfgen_family;
2580 int err;
2581
2582 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2583 struct netlink_dump_control c = {
2584 .start= nf_tables_dump_rules_start,
2585 .dump = nf_tables_dump_rules,
2586 .done = nf_tables_dump_rules_done,
2587 .module = THIS_MODULE,
2588 .data = (void *)nla,
2589 };
2590
2591 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
2592 }
2593
2594 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2595 if (IS_ERR(table)) {
2596 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2597 return PTR_ERR(table);
2598 }
2599
2600 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2601 if (IS_ERR(chain)) {
2602 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2603 return PTR_ERR(chain);
2604 }
2605
2606 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2607 if (IS_ERR(rule)) {
2608 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2609 return PTR_ERR(rule);
2610 }
2611
2612 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
2613 if (!skb2)
2614 return -ENOMEM;
2615
2616 err = nf_tables_fill_rule_info(skb2, net, NETLINK_CB(skb).portid,
2617 nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
2618 family, table, chain, rule, NULL);
2619 if (err < 0)
2620 goto err;
2621
2622 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
2623
2624 err:
2625 kfree_skb(skb2);
2626 return err;
2627 }
2628
nf_tables_rule_destroy(const struct nft_ctx * ctx,struct nft_rule * rule)2629 static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2630 struct nft_rule *rule)
2631 {
2632 struct nft_expr *expr, *next;
2633
2634 /*
2635 * Careful: some expressions might not be initialized in case this
2636 * is called on error from nf_tables_newrule().
2637 */
2638 expr = nft_expr_first(rule);
2639 while (expr != nft_expr_last(rule) && expr->ops) {
2640 next = nft_expr_next(expr);
2641 nf_tables_expr_destroy(ctx, expr);
2642 expr = next;
2643 }
2644 kfree(rule);
2645 }
2646
nf_tables_rule_release(const struct nft_ctx * ctx,struct nft_rule * rule)2647 static void nf_tables_rule_release(const struct nft_ctx *ctx,
2648 struct nft_rule *rule)
2649 {
2650 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
2651 nf_tables_rule_destroy(ctx, rule);
2652 }
2653
nft_chain_validate(const struct nft_ctx * ctx,const struct nft_chain * chain)2654 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
2655 {
2656 struct nft_expr *expr, *last;
2657 const struct nft_data *data;
2658 struct nft_rule *rule;
2659 int err;
2660
2661 if (ctx->level == NFT_JUMP_STACK_SIZE)
2662 return -EMLINK;
2663
2664 list_for_each_entry(rule, &chain->rules, list) {
2665 if (!nft_is_active_next(ctx->net, rule))
2666 continue;
2667
2668 nft_rule_for_each_expr(expr, last, rule) {
2669 if (!expr->ops->validate)
2670 continue;
2671
2672 err = expr->ops->validate(ctx, expr, &data);
2673 if (err < 0)
2674 return err;
2675 }
2676 }
2677
2678 return 0;
2679 }
2680 EXPORT_SYMBOL_GPL(nft_chain_validate);
2681
nft_table_validate(struct net * net,const struct nft_table * table)2682 static int nft_table_validate(struct net *net, const struct nft_table *table)
2683 {
2684 struct nft_chain *chain;
2685 struct nft_ctx ctx = {
2686 .net = net,
2687 .family = table->family,
2688 };
2689 int err;
2690
2691 list_for_each_entry(chain, &table->chains, list) {
2692 if (!nft_is_base_chain(chain))
2693 continue;
2694
2695 ctx.chain = chain;
2696 err = nft_chain_validate(&ctx, chain);
2697 if (err < 0)
2698 return err;
2699 }
2700
2701 return 0;
2702 }
2703
2704 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2705 const struct nlattr *nla);
2706
2707 #define NFT_RULE_MAXEXPRS 128
2708
nf_tables_newrule(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)2709 static int nf_tables_newrule(struct net *net, struct sock *nlsk,
2710 struct sk_buff *skb, const struct nlmsghdr *nlh,
2711 const struct nlattr * const nla[],
2712 struct netlink_ext_ack *extack)
2713 {
2714 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2715 u8 genmask = nft_genmask_next(net);
2716 struct nft_expr_info *info = NULL;
2717 int family = nfmsg->nfgen_family;
2718 struct nft_flow_rule *flow;
2719 struct nft_table *table;
2720 struct nft_chain *chain;
2721 struct nft_rule *rule, *old_rule = NULL;
2722 struct nft_userdata *udata;
2723 struct nft_trans *trans = NULL;
2724 struct nft_expr *expr;
2725 struct nft_ctx ctx;
2726 struct nlattr *tmp;
2727 unsigned int size, i, n, ulen = 0, usize = 0;
2728 int err, rem;
2729 u64 handle, pos_handle;
2730
2731 lockdep_assert_held(&net->nft.commit_mutex);
2732
2733 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2734 if (IS_ERR(table)) {
2735 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2736 return PTR_ERR(table);
2737 }
2738
2739 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
2740 if (IS_ERR(chain)) {
2741 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2742 return PTR_ERR(chain);
2743 }
2744
2745 if (nla[NFTA_RULE_HANDLE]) {
2746 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
2747 rule = __nft_rule_lookup(chain, handle);
2748 if (IS_ERR(rule)) {
2749 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2750 return PTR_ERR(rule);
2751 }
2752
2753 if (nlh->nlmsg_flags & NLM_F_EXCL) {
2754 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2755 return -EEXIST;
2756 }
2757 if (nlh->nlmsg_flags & NLM_F_REPLACE)
2758 old_rule = rule;
2759 else
2760 return -EOPNOTSUPP;
2761 } else {
2762 if (!(nlh->nlmsg_flags & NLM_F_CREATE) ||
2763 nlh->nlmsg_flags & NLM_F_REPLACE)
2764 return -EINVAL;
2765 handle = nf_tables_alloc_handle(table);
2766
2767 if (chain->use == UINT_MAX)
2768 return -EOVERFLOW;
2769
2770 if (nla[NFTA_RULE_POSITION]) {
2771 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
2772 old_rule = __nft_rule_lookup(chain, pos_handle);
2773 if (IS_ERR(old_rule)) {
2774 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
2775 return PTR_ERR(old_rule);
2776 }
2777 } else if (nla[NFTA_RULE_POSITION_ID]) {
2778 old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]);
2779 if (IS_ERR(old_rule)) {
2780 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
2781 return PTR_ERR(old_rule);
2782 }
2783 }
2784 }
2785
2786 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2787
2788 n = 0;
2789 size = 0;
2790 if (nla[NFTA_RULE_EXPRESSIONS]) {
2791 info = kvmalloc_array(NFT_RULE_MAXEXPRS,
2792 sizeof(struct nft_expr_info),
2793 GFP_KERNEL);
2794 if (!info)
2795 return -ENOMEM;
2796
2797 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
2798 err = -EINVAL;
2799 if (nla_type(tmp) != NFTA_LIST_ELEM)
2800 goto err1;
2801 if (n == NFT_RULE_MAXEXPRS)
2802 goto err1;
2803 err = nf_tables_expr_parse(&ctx, tmp, &info[n]);
2804 if (err < 0)
2805 goto err1;
2806 size += info[n].ops->size;
2807 n++;
2808 }
2809 }
2810 /* Check for overflow of dlen field */
2811 err = -EFBIG;
2812 if (size >= 1 << 12)
2813 goto err1;
2814
2815 if (nla[NFTA_RULE_USERDATA]) {
2816 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
2817 if (ulen > 0)
2818 usize = sizeof(struct nft_userdata) + ulen;
2819 }
2820
2821 err = -ENOMEM;
2822 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
2823 if (rule == NULL)
2824 goto err1;
2825
2826 nft_activate_next(net, rule);
2827
2828 rule->handle = handle;
2829 rule->dlen = size;
2830 rule->udata = ulen ? 1 : 0;
2831
2832 if (ulen) {
2833 udata = nft_userdata(rule);
2834 udata->len = ulen - 1;
2835 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
2836 }
2837
2838 expr = nft_expr_first(rule);
2839 for (i = 0; i < n; i++) {
2840 err = nf_tables_newexpr(&ctx, &info[i], expr);
2841 if (err < 0)
2842 goto err2;
2843
2844 if (info[i].ops->validate)
2845 nft_validate_state_update(net, NFT_VALIDATE_NEED);
2846
2847 info[i].ops = NULL;
2848 expr = nft_expr_next(expr);
2849 }
2850
2851 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
2852 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
2853 if (trans == NULL) {
2854 err = -ENOMEM;
2855 goto err2;
2856 }
2857 err = nft_delrule(&ctx, old_rule);
2858 if (err < 0) {
2859 nft_trans_destroy(trans);
2860 goto err2;
2861 }
2862
2863 list_add_tail_rcu(&rule->list, &old_rule->list);
2864 } else {
2865 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
2866 if (!trans) {
2867 err = -ENOMEM;
2868 goto err2;
2869 }
2870
2871 if (nlh->nlmsg_flags & NLM_F_APPEND) {
2872 if (old_rule)
2873 list_add_rcu(&rule->list, &old_rule->list);
2874 else
2875 list_add_tail_rcu(&rule->list, &chain->rules);
2876 } else {
2877 if (old_rule)
2878 list_add_tail_rcu(&rule->list, &old_rule->list);
2879 else
2880 list_add_rcu(&rule->list, &chain->rules);
2881 }
2882 }
2883 kvfree(info);
2884 chain->use++;
2885
2886 if (net->nft.validate_state == NFT_VALIDATE_DO)
2887 return nft_table_validate(net, table);
2888
2889 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
2890 flow = nft_flow_rule_create(net, rule);
2891 if (IS_ERR(flow))
2892 return PTR_ERR(flow);
2893
2894 nft_trans_flow_rule(trans) = flow;
2895 }
2896
2897 return 0;
2898 err2:
2899 nf_tables_rule_release(&ctx, rule);
2900 err1:
2901 for (i = 0; i < n; i++) {
2902 if (info[i].ops) {
2903 module_put(info[i].ops->type->owner);
2904 if (info[i].ops->type->release_ops)
2905 info[i].ops->type->release_ops(info[i].ops);
2906 }
2907 }
2908 kvfree(info);
2909 return err;
2910 }
2911
nft_rule_lookup_byid(const struct net * net,const struct nlattr * nla)2912 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
2913 const struct nlattr *nla)
2914 {
2915 u32 id = ntohl(nla_get_be32(nla));
2916 struct nft_trans *trans;
2917
2918 list_for_each_entry(trans, &net->nft.commit_list, list) {
2919 struct nft_rule *rule = nft_trans_rule(trans);
2920
2921 if (trans->msg_type == NFT_MSG_NEWRULE &&
2922 id == nft_trans_rule_id(trans))
2923 return rule;
2924 }
2925 return ERR_PTR(-ENOENT);
2926 }
2927
nf_tables_delrule(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)2928 static int nf_tables_delrule(struct net *net, struct sock *nlsk,
2929 struct sk_buff *skb, const struct nlmsghdr *nlh,
2930 const struct nlattr * const nla[],
2931 struct netlink_ext_ack *extack)
2932 {
2933 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2934 u8 genmask = nft_genmask_next(net);
2935 struct nft_table *table;
2936 struct nft_chain *chain = NULL;
2937 struct nft_rule *rule;
2938 int family = nfmsg->nfgen_family, err = 0;
2939 struct nft_ctx ctx;
2940
2941 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask);
2942 if (IS_ERR(table)) {
2943 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
2944 return PTR_ERR(table);
2945 }
2946
2947 if (nla[NFTA_RULE_CHAIN]) {
2948 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
2949 genmask);
2950 if (IS_ERR(chain)) {
2951 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
2952 return PTR_ERR(chain);
2953 }
2954 }
2955
2956 nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
2957
2958 if (chain) {
2959 if (nla[NFTA_RULE_HANDLE]) {
2960 rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
2961 if (IS_ERR(rule)) {
2962 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
2963 return PTR_ERR(rule);
2964 }
2965
2966 err = nft_delrule(&ctx, rule);
2967 } else if (nla[NFTA_RULE_ID]) {
2968 rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
2969 if (IS_ERR(rule)) {
2970 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
2971 return PTR_ERR(rule);
2972 }
2973
2974 err = nft_delrule(&ctx, rule);
2975 } else {
2976 err = nft_delrule_by_chain(&ctx);
2977 }
2978 } else {
2979 list_for_each_entry(chain, &table->chains, list) {
2980 if (!nft_is_active_next(net, chain))
2981 continue;
2982
2983 ctx.chain = chain;
2984 err = nft_delrule_by_chain(&ctx);
2985 if (err < 0)
2986 break;
2987 }
2988 }
2989
2990 return err;
2991 }
2992
2993 /*
2994 * Sets
2995 */
2996
2997 static LIST_HEAD(nf_tables_set_types);
2998
nft_register_set(struct nft_set_type * type)2999 int nft_register_set(struct nft_set_type *type)
3000 {
3001 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3002 list_add_tail_rcu(&type->list, &nf_tables_set_types);
3003 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3004 return 0;
3005 }
3006 EXPORT_SYMBOL_GPL(nft_register_set);
3007
nft_unregister_set(struct nft_set_type * type)3008 void nft_unregister_set(struct nft_set_type *type)
3009 {
3010 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3011 list_del_rcu(&type->list);
3012 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3013 }
3014 EXPORT_SYMBOL_GPL(nft_unregister_set);
3015
3016 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
3017 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
3018 NFT_SET_EVAL)
3019
nft_set_ops_candidate(const struct nft_set_type * type,u32 flags)3020 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
3021 {
3022 return (flags & type->features) == (flags & NFT_SET_FEATURES);
3023 }
3024
3025 /*
3026 * Select a set implementation based on the data characteristics and the
3027 * given policy. The total memory use might not be known if no size is
3028 * given, in that case the amount of memory per element is used.
3029 */
3030 static const struct nft_set_ops *
nft_select_set_ops(const struct nft_ctx * ctx,const struct nlattr * const nla[],const struct nft_set_desc * desc,enum nft_set_policies policy)3031 nft_select_set_ops(const struct nft_ctx *ctx,
3032 const struct nlattr * const nla[],
3033 const struct nft_set_desc *desc,
3034 enum nft_set_policies policy)
3035 {
3036 const struct nft_set_ops *ops, *bops;
3037 struct nft_set_estimate est, best;
3038 const struct nft_set_type *type;
3039 u32 flags = 0;
3040
3041 lockdep_assert_held(&ctx->net->nft.commit_mutex);
3042 lockdep_nfnl_nft_mutex_not_held();
3043 #ifdef CONFIG_MODULES
3044 if (list_empty(&nf_tables_set_types)) {
3045 if (nft_request_module(ctx->net, "nft-set") == -EAGAIN)
3046 return ERR_PTR(-EAGAIN);
3047 }
3048 #endif
3049 if (nla[NFTA_SET_FLAGS] != NULL)
3050 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3051
3052 bops = NULL;
3053 best.size = ~0;
3054 best.lookup = ~0;
3055 best.space = ~0;
3056
3057 list_for_each_entry(type, &nf_tables_set_types, list) {
3058 ops = &type->ops;
3059
3060 if (!nft_set_ops_candidate(type, flags))
3061 continue;
3062 if (!ops->estimate(desc, flags, &est))
3063 continue;
3064
3065 switch (policy) {
3066 case NFT_SET_POL_PERFORMANCE:
3067 if (est.lookup < best.lookup)
3068 break;
3069 if (est.lookup == best.lookup &&
3070 est.space < best.space)
3071 break;
3072 continue;
3073 case NFT_SET_POL_MEMORY:
3074 if (!desc->size) {
3075 if (est.space < best.space)
3076 break;
3077 if (est.space == best.space &&
3078 est.lookup < best.lookup)
3079 break;
3080 } else if (est.size < best.size || !bops) {
3081 break;
3082 }
3083 continue;
3084 default:
3085 break;
3086 }
3087
3088 if (!try_module_get(type->owner))
3089 continue;
3090 if (bops != NULL)
3091 module_put(to_set_type(bops)->owner);
3092
3093 bops = ops;
3094 best = est;
3095 }
3096
3097 if (bops != NULL)
3098 return bops;
3099
3100 return ERR_PTR(-EOPNOTSUPP);
3101 }
3102
3103 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
3104 [NFTA_SET_TABLE] = { .type = NLA_STRING,
3105 .len = NFT_TABLE_MAXNAMELEN - 1 },
3106 [NFTA_SET_NAME] = { .type = NLA_STRING,
3107 .len = NFT_SET_MAXNAMELEN - 1 },
3108 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
3109 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
3110 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
3111 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
3112 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
3113 [NFTA_SET_POLICY] = { .type = NLA_U32 },
3114 [NFTA_SET_DESC] = { .type = NLA_NESTED },
3115 [NFTA_SET_ID] = { .type = NLA_U32 },
3116 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
3117 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
3118 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
3119 .len = NFT_USERDATA_MAXLEN },
3120 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
3121 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
3122 };
3123
3124 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
3125 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
3126 };
3127
nft_ctx_init_from_setattr(struct nft_ctx * ctx,struct net * net,const struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack,u8 genmask)3128 static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
3129 const struct sk_buff *skb,
3130 const struct nlmsghdr *nlh,
3131 const struct nlattr * const nla[],
3132 struct netlink_ext_ack *extack,
3133 u8 genmask)
3134 {
3135 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3136 int family = nfmsg->nfgen_family;
3137 struct nft_table *table = NULL;
3138
3139 if (nla[NFTA_SET_TABLE] != NULL) {
3140 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
3141 genmask);
3142 if (IS_ERR(table)) {
3143 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3144 return PTR_ERR(table);
3145 }
3146 }
3147
3148 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3149 return 0;
3150 }
3151
nft_set_lookup(const struct nft_table * table,const struct nlattr * nla,u8 genmask)3152 static struct nft_set *nft_set_lookup(const struct nft_table *table,
3153 const struct nlattr *nla, u8 genmask)
3154 {
3155 struct nft_set *set;
3156
3157 if (nla == NULL)
3158 return ERR_PTR(-EINVAL);
3159
3160 list_for_each_entry_rcu(set, &table->sets, list) {
3161 if (!nla_strcmp(nla, set->name) &&
3162 nft_active_genmask(set, genmask))
3163 return set;
3164 }
3165 return ERR_PTR(-ENOENT);
3166 }
3167
nft_set_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u8 genmask)3168 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
3169 const struct nlattr *nla,
3170 u8 genmask)
3171 {
3172 struct nft_set *set;
3173
3174 list_for_each_entry(set, &table->sets, list) {
3175 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
3176 nft_active_genmask(set, genmask))
3177 return set;
3178 }
3179 return ERR_PTR(-ENOENT);
3180 }
3181
nft_set_lookup_byid(const struct net * net,const struct nlattr * nla,u8 genmask)3182 static struct nft_set *nft_set_lookup_byid(const struct net *net,
3183 const struct nlattr *nla, u8 genmask)
3184 {
3185 struct nft_trans *trans;
3186 u32 id = ntohl(nla_get_be32(nla));
3187
3188 list_for_each_entry(trans, &net->nft.commit_list, list) {
3189 if (trans->msg_type == NFT_MSG_NEWSET) {
3190 struct nft_set *set = nft_trans_set(trans);
3191
3192 if (id == nft_trans_set_id(trans) &&
3193 nft_active_genmask(set, genmask))
3194 return set;
3195 }
3196 }
3197 return ERR_PTR(-ENOENT);
3198 }
3199
nft_set_lookup_global(const struct net * net,const struct nft_table * table,const struct nlattr * nla_set_name,const struct nlattr * nla_set_id,u8 genmask)3200 struct nft_set *nft_set_lookup_global(const struct net *net,
3201 const struct nft_table *table,
3202 const struct nlattr *nla_set_name,
3203 const struct nlattr *nla_set_id,
3204 u8 genmask)
3205 {
3206 struct nft_set *set;
3207
3208 set = nft_set_lookup(table, nla_set_name, genmask);
3209 if (IS_ERR(set)) {
3210 if (!nla_set_id)
3211 return set;
3212
3213 set = nft_set_lookup_byid(net, nla_set_id, genmask);
3214 }
3215 return set;
3216 }
3217 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
3218
nf_tables_set_alloc_name(struct nft_ctx * ctx,struct nft_set * set,const char * name)3219 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
3220 const char *name)
3221 {
3222 const struct nft_set *i;
3223 const char *p;
3224 unsigned long *inuse;
3225 unsigned int n = 0, min = 0;
3226
3227 p = strchr(name, '%');
3228 if (p != NULL) {
3229 if (p[1] != 'd' || strchr(p + 2, '%'))
3230 return -EINVAL;
3231
3232 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
3233 if (inuse == NULL)
3234 return -ENOMEM;
3235 cont:
3236 list_for_each_entry(i, &ctx->table->sets, list) {
3237 int tmp;
3238
3239 if (!nft_is_active_next(ctx->net, set))
3240 continue;
3241 if (!sscanf(i->name, name, &tmp))
3242 continue;
3243 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
3244 continue;
3245
3246 set_bit(tmp - min, inuse);
3247 }
3248
3249 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
3250 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
3251 min += BITS_PER_BYTE * PAGE_SIZE;
3252 memset(inuse, 0, PAGE_SIZE);
3253 goto cont;
3254 }
3255 free_page((unsigned long)inuse);
3256 }
3257
3258 set->name = kasprintf(GFP_KERNEL, name, min + n);
3259 if (!set->name)
3260 return -ENOMEM;
3261
3262 list_for_each_entry(i, &ctx->table->sets, list) {
3263 if (!nft_is_active_next(ctx->net, i))
3264 continue;
3265 if (!strcmp(set->name, i->name)) {
3266 kfree(set->name);
3267 return -ENFILE;
3268 }
3269 }
3270 return 0;
3271 }
3272
nf_msecs_to_jiffies64(const struct nlattr * nla,u64 * result)3273 static int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
3274 {
3275 u64 ms = be64_to_cpu(nla_get_be64(nla));
3276 u64 max = (u64)(~((u64)0));
3277
3278 max = div_u64(max, NSEC_PER_MSEC);
3279 if (ms >= max)
3280 return -ERANGE;
3281
3282 ms *= NSEC_PER_MSEC;
3283 *result = nsecs_to_jiffies64(ms);
3284 return 0;
3285 }
3286
nf_jiffies64_to_msecs(u64 input)3287 static __be64 nf_jiffies64_to_msecs(u64 input)
3288 {
3289 return cpu_to_be64(jiffies64_to_msecs(input));
3290 }
3291
nf_tables_fill_set(struct sk_buff * skb,const struct nft_ctx * ctx,const struct nft_set * set,u16 event,u16 flags)3292 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3293 const struct nft_set *set, u16 event, u16 flags)
3294 {
3295 struct nfgenmsg *nfmsg;
3296 struct nlmsghdr *nlh;
3297 struct nlattr *desc;
3298 u32 portid = ctx->portid;
3299 u32 seq = ctx->seq;
3300
3301 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3302 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
3303 flags);
3304 if (nlh == NULL)
3305 goto nla_put_failure;
3306
3307 nfmsg = nlmsg_data(nlh);
3308 nfmsg->nfgen_family = ctx->family;
3309 nfmsg->version = NFNETLINK_V0;
3310 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
3311
3312 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
3313 goto nla_put_failure;
3314 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
3315 goto nla_put_failure;
3316 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
3317 NFTA_SET_PAD))
3318 goto nla_put_failure;
3319 if (set->flags != 0)
3320 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
3321 goto nla_put_failure;
3322
3323 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
3324 goto nla_put_failure;
3325 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
3326 goto nla_put_failure;
3327 if (set->flags & NFT_SET_MAP) {
3328 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
3329 goto nla_put_failure;
3330 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
3331 goto nla_put_failure;
3332 }
3333 if (set->flags & NFT_SET_OBJECT &&
3334 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
3335 goto nla_put_failure;
3336
3337 if (set->timeout &&
3338 nla_put_be64(skb, NFTA_SET_TIMEOUT,
3339 nf_jiffies64_to_msecs(set->timeout),
3340 NFTA_SET_PAD))
3341 goto nla_put_failure;
3342 if (set->gc_int &&
3343 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(set->gc_int)))
3344 goto nla_put_failure;
3345
3346 if (set->policy != NFT_SET_POL_PERFORMANCE) {
3347 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
3348 goto nla_put_failure;
3349 }
3350
3351 if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3352 goto nla_put_failure;
3353
3354 desc = nla_nest_start_noflag(skb, NFTA_SET_DESC);
3355 if (desc == NULL)
3356 goto nla_put_failure;
3357 if (set->size &&
3358 nla_put_be32(skb, NFTA_SET_DESC_SIZE, htonl(set->size)))
3359 goto nla_put_failure;
3360 nla_nest_end(skb, desc);
3361
3362 nlmsg_end(skb, nlh);
3363 return 0;
3364
3365 nla_put_failure:
3366 nlmsg_trim(skb, nlh);
3367 return -1;
3368 }
3369
nf_tables_set_notify(const struct nft_ctx * ctx,const struct nft_set * set,int event,gfp_t gfp_flags)3370 static void nf_tables_set_notify(const struct nft_ctx *ctx,
3371 const struct nft_set *set, int event,
3372 gfp_t gfp_flags)
3373 {
3374 struct sk_buff *skb;
3375 u32 portid = ctx->portid;
3376 int err;
3377
3378 if (!ctx->report &&
3379 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3380 return;
3381
3382 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
3383 if (skb == NULL)
3384 goto err;
3385
3386 err = nf_tables_fill_set(skb, ctx, set, event, 0);
3387 if (err < 0) {
3388 kfree_skb(skb);
3389 goto err;
3390 }
3391
3392 nfnetlink_send(skb, ctx->net, portid, NFNLGRP_NFTABLES, ctx->report,
3393 gfp_flags);
3394 return;
3395 err:
3396 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
3397 }
3398
nf_tables_dump_sets(struct sk_buff * skb,struct netlink_callback * cb)3399 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
3400 {
3401 const struct nft_set *set;
3402 unsigned int idx, s_idx = cb->args[0];
3403 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
3404 struct net *net = sock_net(skb->sk);
3405 struct nft_ctx *ctx = cb->data, ctx_set;
3406
3407 if (cb->args[1])
3408 return skb->len;
3409
3410 rcu_read_lock();
3411 cb->seq = net->nft.base_seq;
3412
3413 list_for_each_entry_rcu(table, &net->nft.tables, list) {
3414 if (ctx->family != NFPROTO_UNSPEC &&
3415 ctx->family != table->family)
3416 continue;
3417
3418 if (ctx->table && ctx->table != table)
3419 continue;
3420
3421 if (cur_table) {
3422 if (cur_table != table)
3423 continue;
3424
3425 cur_table = NULL;
3426 }
3427 idx = 0;
3428 list_for_each_entry_rcu(set, &table->sets, list) {
3429 if (idx < s_idx)
3430 goto cont;
3431 if (!nft_is_active(net, set))
3432 goto cont;
3433
3434 ctx_set = *ctx;
3435 ctx_set.table = table;
3436 ctx_set.family = table->family;
3437
3438 if (nf_tables_fill_set(skb, &ctx_set, set,
3439 NFT_MSG_NEWSET,
3440 NLM_F_MULTI) < 0) {
3441 cb->args[0] = idx;
3442 cb->args[2] = (unsigned long) table;
3443 goto done;
3444 }
3445 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3446 cont:
3447 idx++;
3448 }
3449 if (s_idx)
3450 s_idx = 0;
3451 }
3452 cb->args[1] = 1;
3453 done:
3454 rcu_read_unlock();
3455 return skb->len;
3456 }
3457
nf_tables_dump_sets_start(struct netlink_callback * cb)3458 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
3459 {
3460 struct nft_ctx *ctx_dump = NULL;
3461
3462 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
3463 if (ctx_dump == NULL)
3464 return -ENOMEM;
3465
3466 cb->data = ctx_dump;
3467 return 0;
3468 }
3469
nf_tables_dump_sets_done(struct netlink_callback * cb)3470 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
3471 {
3472 kfree(cb->data);
3473 return 0;
3474 }
3475
3476 /* called with rcu_read_lock held */
nf_tables_getset(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)3477 static int nf_tables_getset(struct net *net, struct sock *nlsk,
3478 struct sk_buff *skb, const struct nlmsghdr *nlh,
3479 const struct nlattr * const nla[],
3480 struct netlink_ext_ack *extack)
3481 {
3482 u8 genmask = nft_genmask_cur(net);
3483 const struct nft_set *set;
3484 struct nft_ctx ctx;
3485 struct sk_buff *skb2;
3486 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3487 int err;
3488
3489 /* Verify existence before starting dump */
3490 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3491 genmask);
3492 if (err < 0)
3493 return err;
3494
3495 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3496 struct netlink_dump_control c = {
3497 .start = nf_tables_dump_sets_start,
3498 .dump = nf_tables_dump_sets,
3499 .done = nf_tables_dump_sets_done,
3500 .data = &ctx,
3501 .module = THIS_MODULE,
3502 };
3503
3504 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
3505 }
3506
3507 /* Only accept unspec with dump */
3508 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3509 return -EAFNOSUPPORT;
3510 if (!nla[NFTA_SET_TABLE])
3511 return -EINVAL;
3512
3513 set = nft_set_lookup(ctx.table, nla[NFTA_SET_NAME], genmask);
3514 if (IS_ERR(set))
3515 return PTR_ERR(set);
3516
3517 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3518 if (skb2 == NULL)
3519 return -ENOMEM;
3520
3521 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3522 if (err < 0)
3523 goto err;
3524
3525 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3526
3527 err:
3528 kfree_skb(skb2);
3529 return err;
3530 }
3531
nf_tables_set_desc_parse(struct nft_set_desc * desc,const struct nlattr * nla)3532 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
3533 const struct nlattr *nla)
3534 {
3535 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
3536 int err;
3537
3538 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
3539 nft_set_desc_policy, NULL);
3540 if (err < 0)
3541 return err;
3542
3543 if (da[NFTA_SET_DESC_SIZE] != NULL)
3544 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
3545
3546 return 0;
3547 }
3548
nf_tables_newset(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)3549 static int nf_tables_newset(struct net *net, struct sock *nlsk,
3550 struct sk_buff *skb, const struct nlmsghdr *nlh,
3551 const struct nlattr * const nla[],
3552 struct netlink_ext_ack *extack)
3553 {
3554 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3555 u8 genmask = nft_genmask_next(net);
3556 int family = nfmsg->nfgen_family;
3557 const struct nft_set_ops *ops;
3558 struct nft_table *table;
3559 struct nft_set *set;
3560 struct nft_ctx ctx;
3561 char *name;
3562 u64 size;
3563 u64 timeout;
3564 u32 ktype, dtype, flags, policy, gc_int, objtype;
3565 struct nft_set_desc desc;
3566 unsigned char *udata;
3567 u16 udlen;
3568 int err;
3569
3570 if (nla[NFTA_SET_TABLE] == NULL ||
3571 nla[NFTA_SET_NAME] == NULL ||
3572 nla[NFTA_SET_KEY_LEN] == NULL ||
3573 nla[NFTA_SET_ID] == NULL)
3574 return -EINVAL;
3575
3576 memset(&desc, 0, sizeof(desc));
3577
3578 ktype = NFT_DATA_VALUE;
3579 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
3580 ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
3581 if ((ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
3582 return -EINVAL;
3583 }
3584
3585 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
3586 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
3587 return -EINVAL;
3588
3589 flags = 0;
3590 if (nla[NFTA_SET_FLAGS] != NULL) {
3591 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
3592 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
3593 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
3594 NFT_SET_MAP | NFT_SET_EVAL |
3595 NFT_SET_OBJECT))
3596 return -EINVAL;
3597 /* Only one of these operations is supported */
3598 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
3599 (NFT_SET_MAP | NFT_SET_OBJECT))
3600 return -EOPNOTSUPP;
3601 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
3602 (NFT_SET_EVAL | NFT_SET_OBJECT))
3603 return -EOPNOTSUPP;
3604 }
3605
3606 dtype = 0;
3607 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
3608 if (!(flags & NFT_SET_MAP))
3609 return -EINVAL;
3610
3611 dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
3612 if ((dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
3613 dtype != NFT_DATA_VERDICT)
3614 return -EINVAL;
3615
3616 if (dtype != NFT_DATA_VERDICT) {
3617 if (nla[NFTA_SET_DATA_LEN] == NULL)
3618 return -EINVAL;
3619 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
3620 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
3621 return -EINVAL;
3622 } else
3623 desc.dlen = sizeof(struct nft_verdict);
3624 } else if (flags & NFT_SET_MAP)
3625 return -EINVAL;
3626
3627 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
3628 if (!(flags & NFT_SET_OBJECT))
3629 return -EINVAL;
3630
3631 objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
3632 if (objtype == NFT_OBJECT_UNSPEC ||
3633 objtype > NFT_OBJECT_MAX)
3634 return -EINVAL;
3635 } else if (flags & NFT_SET_OBJECT)
3636 return -EINVAL;
3637 else
3638 objtype = NFT_OBJECT_UNSPEC;
3639
3640 timeout = 0;
3641 if (nla[NFTA_SET_TIMEOUT] != NULL) {
3642 if (!(flags & NFT_SET_TIMEOUT))
3643 return -EINVAL;
3644
3645 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &timeout);
3646 if (err)
3647 return err;
3648 }
3649 gc_int = 0;
3650 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
3651 if (!(flags & NFT_SET_TIMEOUT))
3652 return -EINVAL;
3653 gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
3654 }
3655
3656 policy = NFT_SET_POL_PERFORMANCE;
3657 if (nla[NFTA_SET_POLICY] != NULL)
3658 policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
3659
3660 if (nla[NFTA_SET_DESC] != NULL) {
3661 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
3662 if (err < 0)
3663 return err;
3664 }
3665
3666 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask);
3667 if (IS_ERR(table)) {
3668 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
3669 return PTR_ERR(table);
3670 }
3671
3672 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
3673
3674 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
3675 if (IS_ERR(set)) {
3676 if (PTR_ERR(set) != -ENOENT) {
3677 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3678 return PTR_ERR(set);
3679 }
3680 } else {
3681 if (nlh->nlmsg_flags & NLM_F_EXCL) {
3682 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
3683 return -EEXIST;
3684 }
3685 if (nlh->nlmsg_flags & NLM_F_REPLACE)
3686 return -EOPNOTSUPP;
3687
3688 return 0;
3689 }
3690
3691 if (!(nlh->nlmsg_flags & NLM_F_CREATE))
3692 return -ENOENT;
3693
3694 ops = nft_select_set_ops(&ctx, nla, &desc, policy);
3695 if (IS_ERR(ops))
3696 return PTR_ERR(ops);
3697
3698 udlen = 0;
3699 if (nla[NFTA_SET_USERDATA])
3700 udlen = nla_len(nla[NFTA_SET_USERDATA]);
3701
3702 size = 0;
3703 if (ops->privsize != NULL)
3704 size = ops->privsize(nla, &desc);
3705
3706 set = kvzalloc(sizeof(*set) + size + udlen, GFP_KERNEL);
3707 if (!set) {
3708 err = -ENOMEM;
3709 goto err1;
3710 }
3711
3712 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
3713 if (!name) {
3714 err = -ENOMEM;
3715 goto err2;
3716 }
3717
3718 err = nf_tables_set_alloc_name(&ctx, set, name);
3719 kfree(name);
3720 if (err < 0)
3721 goto err2;
3722
3723 udata = NULL;
3724 if (udlen) {
3725 udata = set->data + size;
3726 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
3727 }
3728
3729 INIT_LIST_HEAD(&set->bindings);
3730 set->table = table;
3731 write_pnet(&set->net, net);
3732 set->ops = ops;
3733 set->ktype = ktype;
3734 set->klen = desc.klen;
3735 set->dtype = dtype;
3736 set->objtype = objtype;
3737 set->dlen = desc.dlen;
3738 set->flags = flags;
3739 set->size = desc.size;
3740 set->policy = policy;
3741 set->udlen = udlen;
3742 set->udata = udata;
3743 set->timeout = timeout;
3744 set->gc_int = gc_int;
3745 set->handle = nf_tables_alloc_handle(table);
3746
3747 err = ops->init(set, &desc, nla);
3748 if (err < 0)
3749 goto err3;
3750
3751 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
3752 if (err < 0)
3753 goto err4;
3754
3755 list_add_tail_rcu(&set->list, &table->sets);
3756 table->use++;
3757 return 0;
3758
3759 err4:
3760 ops->destroy(set);
3761 err3:
3762 kfree(set->name);
3763 err2:
3764 kvfree(set);
3765 err1:
3766 module_put(to_set_type(ops)->owner);
3767 return err;
3768 }
3769
nft_set_destroy(struct nft_set * set)3770 static void nft_set_destroy(struct nft_set *set)
3771 {
3772 if (WARN_ON(set->use > 0))
3773 return;
3774
3775 set->ops->destroy(set);
3776 module_put(to_set_type(set->ops)->owner);
3777 kfree(set->name);
3778 kvfree(set);
3779 }
3780
nf_tables_delset(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)3781 static int nf_tables_delset(struct net *net, struct sock *nlsk,
3782 struct sk_buff *skb, const struct nlmsghdr *nlh,
3783 const struct nlattr * const nla[],
3784 struct netlink_ext_ack *extack)
3785 {
3786 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3787 u8 genmask = nft_genmask_next(net);
3788 const struct nlattr *attr;
3789 struct nft_set *set;
3790 struct nft_ctx ctx;
3791 int err;
3792
3793 if (nfmsg->nfgen_family == NFPROTO_UNSPEC)
3794 return -EAFNOSUPPORT;
3795 if (nla[NFTA_SET_TABLE] == NULL)
3796 return -EINVAL;
3797
3798 err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla, extack,
3799 genmask);
3800 if (err < 0)
3801 return err;
3802
3803 if (nla[NFTA_SET_HANDLE]) {
3804 attr = nla[NFTA_SET_HANDLE];
3805 set = nft_set_lookup_byhandle(ctx.table, attr, genmask);
3806 } else {
3807 attr = nla[NFTA_SET_NAME];
3808 set = nft_set_lookup(ctx.table, attr, genmask);
3809 }
3810
3811 if (IS_ERR(set)) {
3812 NL_SET_BAD_ATTR(extack, attr);
3813 return PTR_ERR(set);
3814 }
3815 if (set->use ||
3816 (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
3817 NL_SET_BAD_ATTR(extack, attr);
3818 return -EBUSY;
3819 }
3820
3821 return nft_delset(&ctx, set);
3822 }
3823
nf_tables_bind_check_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_set_elem * elem)3824 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
3825 struct nft_set *set,
3826 const struct nft_set_iter *iter,
3827 struct nft_set_elem *elem)
3828 {
3829 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3830 enum nft_registers dreg;
3831
3832 dreg = nft_type_to_reg(set->dtype);
3833 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
3834 set->dtype == NFT_DATA_VERDICT ?
3835 NFT_DATA_VERDICT : NFT_DATA_VALUE,
3836 set->dlen);
3837 }
3838
nf_tables_bind_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding)3839 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
3840 struct nft_set_binding *binding)
3841 {
3842 struct nft_set_binding *i;
3843 struct nft_set_iter iter;
3844
3845 if (set->use == UINT_MAX)
3846 return -EOVERFLOW;
3847
3848 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
3849 return -EBUSY;
3850
3851 if (binding->flags & NFT_SET_MAP) {
3852 /* If the set is already bound to the same chain all
3853 * jumps are already validated for that chain.
3854 */
3855 list_for_each_entry(i, &set->bindings, list) {
3856 if (i->flags & NFT_SET_MAP &&
3857 i->chain == binding->chain)
3858 goto bind;
3859 }
3860
3861 iter.genmask = nft_genmask_next(ctx->net);
3862 iter.skip = 0;
3863 iter.count = 0;
3864 iter.err = 0;
3865 iter.fn = nf_tables_bind_check_setelem;
3866
3867 set->ops->walk(ctx, set, &iter);
3868 if (iter.err < 0)
3869 return iter.err;
3870 }
3871 bind:
3872 binding->chain = ctx->chain;
3873 list_add_tail_rcu(&binding->list, &set->bindings);
3874 nft_set_trans_bind(ctx, set);
3875 set->use++;
3876
3877 return 0;
3878 }
3879 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
3880
nf_tables_unbind_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding,bool event)3881 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
3882 struct nft_set_binding *binding, bool event)
3883 {
3884 list_del_rcu(&binding->list);
3885
3886 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
3887 list_del_rcu(&set->list);
3888 if (event)
3889 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
3890 GFP_KERNEL);
3891 }
3892 }
3893
nf_tables_deactivate_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding,enum nft_trans_phase phase)3894 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
3895 struct nft_set_binding *binding,
3896 enum nft_trans_phase phase)
3897 {
3898 switch (phase) {
3899 case NFT_TRANS_PREPARE:
3900 set->use--;
3901 return;
3902 case NFT_TRANS_ABORT:
3903 case NFT_TRANS_RELEASE:
3904 set->use--;
3905 /* fall through */
3906 default:
3907 nf_tables_unbind_set(ctx, set, binding,
3908 phase == NFT_TRANS_COMMIT);
3909 }
3910 }
3911 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
3912
nf_tables_destroy_set(const struct nft_ctx * ctx,struct nft_set * set)3913 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
3914 {
3915 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
3916 nft_set_destroy(set);
3917 }
3918 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
3919
3920 const struct nft_set_ext_type nft_set_ext_types[] = {
3921 [NFT_SET_EXT_KEY] = {
3922 .align = __alignof__(u32),
3923 },
3924 [NFT_SET_EXT_DATA] = {
3925 .align = __alignof__(u32),
3926 },
3927 [NFT_SET_EXT_EXPR] = {
3928 .align = __alignof__(struct nft_expr),
3929 },
3930 [NFT_SET_EXT_OBJREF] = {
3931 .len = sizeof(struct nft_object *),
3932 .align = __alignof__(struct nft_object *),
3933 },
3934 [NFT_SET_EXT_FLAGS] = {
3935 .len = sizeof(u8),
3936 .align = __alignof__(u8),
3937 },
3938 [NFT_SET_EXT_TIMEOUT] = {
3939 .len = sizeof(u64),
3940 .align = __alignof__(u64),
3941 },
3942 [NFT_SET_EXT_EXPIRATION] = {
3943 .len = sizeof(u64),
3944 .align = __alignof__(u64),
3945 },
3946 [NFT_SET_EXT_USERDATA] = {
3947 .len = sizeof(struct nft_userdata),
3948 .align = __alignof__(struct nft_userdata),
3949 },
3950 };
3951 EXPORT_SYMBOL_GPL(nft_set_ext_types);
3952
3953 /*
3954 * Set elements
3955 */
3956
3957 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
3958 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
3959 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
3960 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
3961 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
3962 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
3963 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
3964 .len = NFT_USERDATA_MAXLEN },
3965 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
3966 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
3967 .len = NFT_OBJ_MAXNAMELEN - 1 },
3968 };
3969
3970 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
3971 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
3972 .len = NFT_TABLE_MAXNAMELEN - 1 },
3973 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
3974 .len = NFT_SET_MAXNAMELEN - 1 },
3975 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
3976 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
3977 };
3978
nft_ctx_init_from_elemattr(struct nft_ctx * ctx,struct net * net,const struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack,u8 genmask)3979 static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
3980 const struct sk_buff *skb,
3981 const struct nlmsghdr *nlh,
3982 const struct nlattr * const nla[],
3983 struct netlink_ext_ack *extack,
3984 u8 genmask)
3985 {
3986 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3987 int family = nfmsg->nfgen_family;
3988 struct nft_table *table;
3989
3990 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
3991 genmask);
3992 if (IS_ERR(table)) {
3993 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
3994 return PTR_ERR(table);
3995 }
3996
3997 nft_ctx_init(ctx, net, skb, nlh, family, table, NULL, nla);
3998 return 0;
3999 }
4000
nf_tables_fill_setelem(struct sk_buff * skb,const struct nft_set * set,const struct nft_set_elem * elem)4001 static int nf_tables_fill_setelem(struct sk_buff *skb,
4002 const struct nft_set *set,
4003 const struct nft_set_elem *elem)
4004 {
4005 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4006 unsigned char *b = skb_tail_pointer(skb);
4007 struct nlattr *nest;
4008
4009 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4010 if (nest == NULL)
4011 goto nla_put_failure;
4012
4013 if (nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
4014 NFT_DATA_VALUE, set->klen) < 0)
4015 goto nla_put_failure;
4016
4017 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4018 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
4019 set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
4020 set->dlen) < 0)
4021 goto nla_put_failure;
4022
4023 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
4024 nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, nft_set_ext_expr(ext)) < 0)
4025 goto nla_put_failure;
4026
4027 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4028 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
4029 (*nft_set_ext_obj(ext))->key.name) < 0)
4030 goto nla_put_failure;
4031
4032 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
4033 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
4034 htonl(*nft_set_ext_flags(ext))))
4035 goto nla_put_failure;
4036
4037 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
4038 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
4039 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
4040 NFTA_SET_ELEM_PAD))
4041 goto nla_put_failure;
4042
4043 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4044 u64 expires, now = get_jiffies_64();
4045
4046 expires = *nft_set_ext_expiration(ext);
4047 if (time_before64(now, expires))
4048 expires -= now;
4049 else
4050 expires = 0;
4051
4052 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
4053 nf_jiffies64_to_msecs(expires),
4054 NFTA_SET_ELEM_PAD))
4055 goto nla_put_failure;
4056 }
4057
4058 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
4059 struct nft_userdata *udata;
4060
4061 udata = nft_set_ext_userdata(ext);
4062 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
4063 udata->len + 1, udata->data))
4064 goto nla_put_failure;
4065 }
4066
4067 nla_nest_end(skb, nest);
4068 return 0;
4069
4070 nla_put_failure:
4071 nlmsg_trim(skb, b);
4072 return -EMSGSIZE;
4073 }
4074
4075 struct nft_set_dump_args {
4076 const struct netlink_callback *cb;
4077 struct nft_set_iter iter;
4078 struct sk_buff *skb;
4079 };
4080
nf_tables_dump_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_set_elem * elem)4081 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
4082 struct nft_set *set,
4083 const struct nft_set_iter *iter,
4084 struct nft_set_elem *elem)
4085 {
4086 struct nft_set_dump_args *args;
4087
4088 args = container_of(iter, struct nft_set_dump_args, iter);
4089 return nf_tables_fill_setelem(args->skb, set, elem);
4090 }
4091
4092 struct nft_set_dump_ctx {
4093 const struct nft_set *set;
4094 struct nft_ctx ctx;
4095 };
4096
nf_tables_dump_set(struct sk_buff * skb,struct netlink_callback * cb)4097 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
4098 {
4099 struct nft_set_dump_ctx *dump_ctx = cb->data;
4100 struct net *net = sock_net(skb->sk);
4101 struct nft_table *table;
4102 struct nft_set *set;
4103 struct nft_set_dump_args args;
4104 bool set_found = false;
4105 struct nfgenmsg *nfmsg;
4106 struct nlmsghdr *nlh;
4107 struct nlattr *nest;
4108 u32 portid, seq;
4109 int event;
4110
4111 rcu_read_lock();
4112 list_for_each_entry_rcu(table, &net->nft.tables, list) {
4113 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
4114 dump_ctx->ctx.family != table->family)
4115 continue;
4116
4117 if (table != dump_ctx->ctx.table)
4118 continue;
4119
4120 list_for_each_entry_rcu(set, &table->sets, list) {
4121 if (set == dump_ctx->set) {
4122 set_found = true;
4123 break;
4124 }
4125 }
4126 break;
4127 }
4128
4129 if (!set_found) {
4130 rcu_read_unlock();
4131 return -ENOENT;
4132 }
4133
4134 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
4135 portid = NETLINK_CB(cb->skb).portid;
4136 seq = cb->nlh->nlmsg_seq;
4137
4138 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4139 NLM_F_MULTI);
4140 if (nlh == NULL)
4141 goto nla_put_failure;
4142
4143 nfmsg = nlmsg_data(nlh);
4144 nfmsg->nfgen_family = table->family;
4145 nfmsg->version = NFNETLINK_V0;
4146 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
4147
4148 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
4149 goto nla_put_failure;
4150 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
4151 goto nla_put_failure;
4152
4153 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4154 if (nest == NULL)
4155 goto nla_put_failure;
4156
4157 args.cb = cb;
4158 args.skb = skb;
4159 args.iter.genmask = nft_genmask_cur(net);
4160 args.iter.skip = cb->args[0];
4161 args.iter.count = 0;
4162 args.iter.err = 0;
4163 args.iter.fn = nf_tables_dump_setelem;
4164 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
4165 rcu_read_unlock();
4166
4167 nla_nest_end(skb, nest);
4168 nlmsg_end(skb, nlh);
4169
4170 if (args.iter.err && args.iter.err != -EMSGSIZE)
4171 return args.iter.err;
4172 if (args.iter.count == cb->args[0])
4173 return 0;
4174
4175 cb->args[0] = args.iter.count;
4176 return skb->len;
4177
4178 nla_put_failure:
4179 rcu_read_unlock();
4180 return -ENOSPC;
4181 }
4182
nf_tables_dump_set_start(struct netlink_callback * cb)4183 static int nf_tables_dump_set_start(struct netlink_callback *cb)
4184 {
4185 struct nft_set_dump_ctx *dump_ctx = cb->data;
4186
4187 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
4188
4189 return cb->data ? 0 : -ENOMEM;
4190 }
4191
nf_tables_dump_set_done(struct netlink_callback * cb)4192 static int nf_tables_dump_set_done(struct netlink_callback *cb)
4193 {
4194 kfree(cb->data);
4195 return 0;
4196 }
4197
nf_tables_fill_setelem_info(struct sk_buff * skb,const struct nft_ctx * ctx,u32 seq,u32 portid,int event,u16 flags,const struct nft_set * set,const struct nft_set_elem * elem)4198 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
4199 const struct nft_ctx *ctx, u32 seq,
4200 u32 portid, int event, u16 flags,
4201 const struct nft_set *set,
4202 const struct nft_set_elem *elem)
4203 {
4204 struct nfgenmsg *nfmsg;
4205 struct nlmsghdr *nlh;
4206 struct nlattr *nest;
4207 int err;
4208
4209 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4210 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
4211 flags);
4212 if (nlh == NULL)
4213 goto nla_put_failure;
4214
4215 nfmsg = nlmsg_data(nlh);
4216 nfmsg->nfgen_family = ctx->family;
4217 nfmsg->version = NFNETLINK_V0;
4218 nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
4219
4220 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4221 goto nla_put_failure;
4222 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4223 goto nla_put_failure;
4224
4225 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
4226 if (nest == NULL)
4227 goto nla_put_failure;
4228
4229 err = nf_tables_fill_setelem(skb, set, elem);
4230 if (err < 0)
4231 goto nla_put_failure;
4232
4233 nla_nest_end(skb, nest);
4234
4235 nlmsg_end(skb, nlh);
4236 return 0;
4237
4238 nla_put_failure:
4239 nlmsg_trim(skb, nlh);
4240 return -1;
4241 }
4242
nft_setelem_parse_flags(const struct nft_set * set,const struct nlattr * attr,u32 * flags)4243 static int nft_setelem_parse_flags(const struct nft_set *set,
4244 const struct nlattr *attr, u32 *flags)
4245 {
4246 if (attr == NULL)
4247 return 0;
4248
4249 *flags = ntohl(nla_get_be32(attr));
4250 if (*flags & ~NFT_SET_ELEM_INTERVAL_END)
4251 return -EINVAL;
4252 if (!(set->flags & NFT_SET_INTERVAL) &&
4253 *flags & NFT_SET_ELEM_INTERVAL_END)
4254 return -EINVAL;
4255
4256 return 0;
4257 }
4258
nft_get_set_elem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr)4259 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4260 const struct nlattr *attr)
4261 {
4262 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4263 struct nft_data_desc desc;
4264 struct nft_set_elem elem;
4265 struct sk_buff *skb;
4266 uint32_t flags = 0;
4267 void *priv;
4268 int err;
4269
4270 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4271 nft_set_elem_policy, NULL);
4272 if (err < 0)
4273 return err;
4274
4275 if (!nla[NFTA_SET_ELEM_KEY])
4276 return -EINVAL;
4277
4278 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4279 if (err < 0)
4280 return err;
4281
4282 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4283 nla[NFTA_SET_ELEM_KEY]);
4284 if (err < 0)
4285 return err;
4286
4287 err = -EINVAL;
4288 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen) {
4289 nft_data_release(&elem.key.val, desc.type);
4290 return err;
4291 }
4292
4293 priv = set->ops->get(ctx->net, set, &elem, flags);
4294 if (IS_ERR(priv))
4295 return PTR_ERR(priv);
4296
4297 elem.priv = priv;
4298
4299 err = -ENOMEM;
4300 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4301 if (skb == NULL)
4302 goto err1;
4303
4304 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4305 NFT_MSG_NEWSETELEM, 0, set, &elem);
4306 if (err < 0)
4307 goto err2;
4308
4309 err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
4310 /* This avoids a loop in nfnetlink. */
4311 if (err < 0)
4312 goto err1;
4313
4314 return 0;
4315 err2:
4316 kfree_skb(skb);
4317 err1:
4318 /* this avoids a loop in nfnetlink. */
4319 return err == -EAGAIN ? -ENOBUFS : err;
4320 }
4321
4322 /* called with rcu_read_lock held */
nf_tables_getsetelem(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)4323 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
4324 struct sk_buff *skb, const struct nlmsghdr *nlh,
4325 const struct nlattr * const nla[],
4326 struct netlink_ext_ack *extack)
4327 {
4328 u8 genmask = nft_genmask_cur(net);
4329 struct nft_set *set;
4330 struct nlattr *attr;
4331 struct nft_ctx ctx;
4332 int rem, err = 0;
4333
4334 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4335 genmask);
4336 if (err < 0)
4337 return err;
4338
4339 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4340 if (IS_ERR(set))
4341 return PTR_ERR(set);
4342
4343 if (nlh->nlmsg_flags & NLM_F_DUMP) {
4344 struct netlink_dump_control c = {
4345 .start = nf_tables_dump_set_start,
4346 .dump = nf_tables_dump_set,
4347 .done = nf_tables_dump_set_done,
4348 .module = THIS_MODULE,
4349 };
4350 struct nft_set_dump_ctx dump_ctx = {
4351 .set = set,
4352 .ctx = ctx,
4353 };
4354
4355 c.data = &dump_ctx;
4356 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
4357 }
4358
4359 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
4360 return -EINVAL;
4361
4362 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4363 err = nft_get_set_elem(&ctx, set, attr);
4364 if (err < 0)
4365 break;
4366 }
4367
4368 return err;
4369 }
4370
nf_tables_setelem_notify(const struct nft_ctx * ctx,const struct nft_set * set,const struct nft_set_elem * elem,int event,u16 flags)4371 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
4372 const struct nft_set *set,
4373 const struct nft_set_elem *elem,
4374 int event, u16 flags)
4375 {
4376 struct net *net = ctx->net;
4377 u32 portid = ctx->portid;
4378 struct sk_buff *skb;
4379 int err;
4380
4381 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
4382 return;
4383
4384 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
4385 if (skb == NULL)
4386 goto err;
4387
4388 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
4389 set, elem);
4390 if (err < 0) {
4391 kfree_skb(skb);
4392 goto err;
4393 }
4394
4395 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, ctx->report,
4396 GFP_KERNEL);
4397 return;
4398 err:
4399 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4400 }
4401
nft_trans_elem_alloc(struct nft_ctx * ctx,int msg_type,struct nft_set * set)4402 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
4403 int msg_type,
4404 struct nft_set *set)
4405 {
4406 struct nft_trans *trans;
4407
4408 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
4409 if (trans == NULL)
4410 return NULL;
4411
4412 nft_trans_elem_set(trans) = set;
4413 return trans;
4414 }
4415
nft_set_elem_init(const struct nft_set * set,const struct nft_set_ext_tmpl * tmpl,const u32 * key,const u32 * data,u64 timeout,u64 expiration,gfp_t gfp)4416 void *nft_set_elem_init(const struct nft_set *set,
4417 const struct nft_set_ext_tmpl *tmpl,
4418 const u32 *key, const u32 *data,
4419 u64 timeout, u64 expiration, gfp_t gfp)
4420 {
4421 struct nft_set_ext *ext;
4422 void *elem;
4423
4424 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
4425 if (elem == NULL)
4426 return NULL;
4427
4428 ext = nft_set_elem_ext(set, elem);
4429 nft_set_ext_init(ext, tmpl);
4430
4431 memcpy(nft_set_ext_key(ext), key, set->klen);
4432 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4433 memcpy(nft_set_ext_data(ext), data, set->dlen);
4434 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
4435 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
4436 if (expiration == 0)
4437 *nft_set_ext_expiration(ext) += timeout;
4438 }
4439 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
4440 *nft_set_ext_timeout(ext) = timeout;
4441
4442 return elem;
4443 }
4444
nft_set_elem_destroy(const struct nft_set * set,void * elem,bool destroy_expr)4445 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
4446 bool destroy_expr)
4447 {
4448 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4449 struct nft_ctx ctx = {
4450 .net = read_pnet(&set->net),
4451 .family = set->table->family,
4452 };
4453
4454 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
4455 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4456 nft_data_release(nft_set_ext_data(ext), set->dtype);
4457 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR)) {
4458 struct nft_expr *expr = nft_set_ext_expr(ext);
4459
4460 if (expr->ops->destroy_clone) {
4461 expr->ops->destroy_clone(&ctx, expr);
4462 module_put(expr->ops->type->owner);
4463 } else {
4464 nf_tables_expr_destroy(&ctx, expr);
4465 }
4466 }
4467 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4468 (*nft_set_ext_obj(ext))->use--;
4469 kfree(elem);
4470 }
4471 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
4472
4473 /* Only called from commit path, nft_set_elem_deactivate() already deals with
4474 * the refcounting from the preparation phase.
4475 */
nf_tables_set_elem_destroy(const struct nft_ctx * ctx,const struct nft_set * set,void * elem)4476 static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
4477 const struct nft_set *set, void *elem)
4478 {
4479 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
4480
4481 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
4482 nf_tables_expr_destroy(ctx, nft_set_ext_expr(ext));
4483 kfree(elem);
4484 }
4485
nft_add_set_elem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr,u32 nlmsg_flags)4486 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4487 const struct nlattr *attr, u32 nlmsg_flags)
4488 {
4489 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4490 u8 genmask = nft_genmask_next(ctx->net);
4491 struct nft_data_desc d1, d2;
4492 struct nft_set_ext_tmpl tmpl;
4493 struct nft_set_ext *ext, *ext2;
4494 struct nft_set_elem elem;
4495 struct nft_set_binding *binding;
4496 struct nft_object *obj = NULL;
4497 struct nft_userdata *udata;
4498 struct nft_data data;
4499 enum nft_registers dreg;
4500 struct nft_trans *trans;
4501 u32 flags = 0;
4502 u64 timeout;
4503 u64 expiration;
4504 u8 ulen;
4505 int err;
4506
4507 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4508 nft_set_elem_policy, NULL);
4509 if (err < 0)
4510 return err;
4511
4512 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4513 return -EINVAL;
4514
4515 nft_set_ext_prepare(&tmpl);
4516
4517 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4518 if (err < 0)
4519 return err;
4520 if (flags != 0)
4521 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4522
4523 if (set->flags & NFT_SET_MAP) {
4524 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
4525 !(flags & NFT_SET_ELEM_INTERVAL_END))
4526 return -EINVAL;
4527 } else {
4528 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4529 return -EINVAL;
4530 }
4531
4532 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
4533 (nla[NFTA_SET_ELEM_DATA] ||
4534 nla[NFTA_SET_ELEM_OBJREF] ||
4535 nla[NFTA_SET_ELEM_TIMEOUT] ||
4536 nla[NFTA_SET_ELEM_EXPIRATION] ||
4537 nla[NFTA_SET_ELEM_USERDATA] ||
4538 nla[NFTA_SET_ELEM_EXPR]))
4539 return -EINVAL;
4540
4541 timeout = 0;
4542 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
4543 if (!(set->flags & NFT_SET_TIMEOUT))
4544 return -EINVAL;
4545 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
4546 &timeout);
4547 if (err)
4548 return err;
4549 } else if (set->flags & NFT_SET_TIMEOUT) {
4550 timeout = set->timeout;
4551 }
4552
4553 expiration = 0;
4554 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
4555 if (!(set->flags & NFT_SET_TIMEOUT))
4556 return -EINVAL;
4557 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
4558 &expiration);
4559 if (err)
4560 return err;
4561 }
4562
4563 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &d1,
4564 nla[NFTA_SET_ELEM_KEY]);
4565 if (err < 0)
4566 goto err1;
4567 err = -EINVAL;
4568 if (d1.type != NFT_DATA_VALUE || d1.len != set->klen)
4569 goto err2;
4570
4571 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, d1.len);
4572 if (timeout > 0) {
4573 nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
4574 if (timeout != set->timeout)
4575 nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
4576 }
4577
4578 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
4579 if (!(set->flags & NFT_SET_OBJECT)) {
4580 err = -EINVAL;
4581 goto err2;
4582 }
4583 obj = nft_obj_lookup(ctx->net, ctx->table,
4584 nla[NFTA_SET_ELEM_OBJREF],
4585 set->objtype, genmask);
4586 if (IS_ERR(obj)) {
4587 err = PTR_ERR(obj);
4588 goto err2;
4589 }
4590 nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
4591 }
4592
4593 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
4594 err = nft_data_init(ctx, &data, sizeof(data), &d2,
4595 nla[NFTA_SET_ELEM_DATA]);
4596 if (err < 0)
4597 goto err2;
4598
4599 err = -EINVAL;
4600 if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
4601 goto err3;
4602
4603 dreg = nft_type_to_reg(set->dtype);
4604 list_for_each_entry(binding, &set->bindings, list) {
4605 struct nft_ctx bind_ctx = {
4606 .net = ctx->net,
4607 .family = ctx->family,
4608 .table = ctx->table,
4609 .chain = (struct nft_chain *)binding->chain,
4610 };
4611
4612 if (!(binding->flags & NFT_SET_MAP))
4613 continue;
4614
4615 err = nft_validate_register_store(&bind_ctx, dreg,
4616 &data,
4617 d2.type, d2.len);
4618 if (err < 0)
4619 goto err3;
4620
4621 if (d2.type == NFT_DATA_VERDICT &&
4622 (data.verdict.code == NFT_GOTO ||
4623 data.verdict.code == NFT_JUMP))
4624 nft_validate_state_update(ctx->net,
4625 NFT_VALIDATE_NEED);
4626 }
4627
4628 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, d2.len);
4629 }
4630
4631 /* The full maximum length of userdata can exceed the maximum
4632 * offset value (U8_MAX) for following extensions, therefor it
4633 * must be the last extension added.
4634 */
4635 ulen = 0;
4636 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
4637 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
4638 if (ulen > 0)
4639 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
4640 ulen);
4641 }
4642
4643 err = -ENOMEM;
4644 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, data.data,
4645 timeout, expiration, GFP_KERNEL);
4646 if (elem.priv == NULL)
4647 goto err3;
4648
4649 ext = nft_set_elem_ext(set, elem.priv);
4650 if (flags)
4651 *nft_set_ext_flags(ext) = flags;
4652 if (ulen > 0) {
4653 udata = nft_set_ext_userdata(ext);
4654 udata->len = ulen - 1;
4655 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
4656 }
4657 if (obj) {
4658 *nft_set_ext_obj(ext) = obj;
4659 obj->use++;
4660 }
4661
4662 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
4663 if (trans == NULL)
4664 goto err4;
4665
4666 ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK;
4667 err = set->ops->insert(ctx->net, set, &elem, &ext2);
4668 if (err) {
4669 if (err == -EEXIST) {
4670 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
4671 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
4672 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
4673 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
4674 err = -EBUSY;
4675 goto err5;
4676 }
4677 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
4678 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
4679 memcmp(nft_set_ext_data(ext),
4680 nft_set_ext_data(ext2), set->dlen) != 0) ||
4681 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
4682 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
4683 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
4684 err = -EBUSY;
4685 else if (!(nlmsg_flags & NLM_F_EXCL))
4686 err = 0;
4687 }
4688 goto err5;
4689 }
4690
4691 if (set->size &&
4692 !atomic_add_unless(&set->nelems, 1, set->size + set->ndeact)) {
4693 err = -ENFILE;
4694 goto err6;
4695 }
4696
4697 nft_trans_elem(trans) = elem;
4698 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4699 return 0;
4700
4701 err6:
4702 set->ops->remove(ctx->net, set, &elem);
4703 err5:
4704 kfree(trans);
4705 err4:
4706 if (obj)
4707 obj->use--;
4708 kfree(elem.priv);
4709 err3:
4710 if (nla[NFTA_SET_ELEM_DATA] != NULL)
4711 nft_data_release(&data, d2.type);
4712 err2:
4713 nft_data_release(&elem.key.val, d1.type);
4714 err1:
4715 return err;
4716 }
4717
nf_tables_newsetelem(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)4718 static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
4719 struct sk_buff *skb, const struct nlmsghdr *nlh,
4720 const struct nlattr * const nla[],
4721 struct netlink_ext_ack *extack)
4722 {
4723 u8 genmask = nft_genmask_next(net);
4724 const struct nlattr *attr;
4725 struct nft_set *set;
4726 struct nft_ctx ctx;
4727 int rem, err;
4728
4729 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
4730 return -EINVAL;
4731
4732 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4733 genmask);
4734 if (err < 0)
4735 return err;
4736
4737 set = nft_set_lookup_global(net, ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
4738 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
4739 if (IS_ERR(set))
4740 return PTR_ERR(set);
4741
4742 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4743 return -EBUSY;
4744
4745 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4746 err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags);
4747 if (err < 0)
4748 return err;
4749 }
4750
4751 if (net->nft.validate_state == NFT_VALIDATE_DO)
4752 return nft_table_validate(net, ctx.table);
4753
4754 return 0;
4755 }
4756
4757 /**
4758 * nft_data_hold - hold a nft_data item
4759 *
4760 * @data: struct nft_data to release
4761 * @type: type of data
4762 *
4763 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
4764 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
4765 * NFT_GOTO verdicts. This function must be called on active data objects
4766 * from the second phase of the commit protocol.
4767 */
nft_data_hold(const struct nft_data * data,enum nft_data_types type)4768 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
4769 {
4770 if (type == NFT_DATA_VERDICT) {
4771 switch (data->verdict.code) {
4772 case NFT_JUMP:
4773 case NFT_GOTO:
4774 data->verdict.chain->use++;
4775 break;
4776 }
4777 }
4778 }
4779
nft_set_elem_activate(const struct net * net,const struct nft_set * set,struct nft_set_elem * elem)4780 static void nft_set_elem_activate(const struct net *net,
4781 const struct nft_set *set,
4782 struct nft_set_elem *elem)
4783 {
4784 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4785
4786 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4787 nft_data_hold(nft_set_ext_data(ext), set->dtype);
4788 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4789 (*nft_set_ext_obj(ext))->use++;
4790 }
4791
nft_set_elem_deactivate(const struct net * net,const struct nft_set * set,struct nft_set_elem * elem)4792 static void nft_set_elem_deactivate(const struct net *net,
4793 const struct nft_set *set,
4794 struct nft_set_elem *elem)
4795 {
4796 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
4797
4798 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
4799 nft_data_release(nft_set_ext_data(ext), set->dtype);
4800 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
4801 (*nft_set_ext_obj(ext))->use--;
4802 }
4803
nft_del_setelem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr)4804 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
4805 const struct nlattr *attr)
4806 {
4807 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
4808 struct nft_set_ext_tmpl tmpl;
4809 struct nft_data_desc desc;
4810 struct nft_set_elem elem;
4811 struct nft_set_ext *ext;
4812 struct nft_trans *trans;
4813 u32 flags = 0;
4814 void *priv;
4815 int err;
4816
4817 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
4818 nft_set_elem_policy, NULL);
4819 if (err < 0)
4820 goto err1;
4821
4822 err = -EINVAL;
4823 if (nla[NFTA_SET_ELEM_KEY] == NULL)
4824 goto err1;
4825
4826 nft_set_ext_prepare(&tmpl);
4827
4828 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
4829 if (err < 0)
4830 return err;
4831 if (flags != 0)
4832 nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
4833
4834 err = nft_data_init(ctx, &elem.key.val, sizeof(elem.key), &desc,
4835 nla[NFTA_SET_ELEM_KEY]);
4836 if (err < 0)
4837 goto err1;
4838
4839 err = -EINVAL;
4840 if (desc.type != NFT_DATA_VALUE || desc.len != set->klen)
4841 goto err2;
4842
4843 nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, desc.len);
4844
4845 err = -ENOMEM;
4846 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data, NULL, 0,
4847 0, GFP_KERNEL);
4848 if (elem.priv == NULL)
4849 goto err2;
4850
4851 ext = nft_set_elem_ext(set, elem.priv);
4852 if (flags)
4853 *nft_set_ext_flags(ext) = flags;
4854
4855 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
4856 if (trans == NULL) {
4857 err = -ENOMEM;
4858 goto err3;
4859 }
4860
4861 priv = set->ops->deactivate(ctx->net, set, &elem);
4862 if (priv == NULL) {
4863 err = -ENOENT;
4864 goto err4;
4865 }
4866 kfree(elem.priv);
4867 elem.priv = priv;
4868
4869 nft_set_elem_deactivate(ctx->net, set, &elem);
4870
4871 nft_trans_elem(trans) = elem;
4872 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4873 return 0;
4874
4875 err4:
4876 kfree(trans);
4877 err3:
4878 kfree(elem.priv);
4879 err2:
4880 nft_data_release(&elem.key.val, desc.type);
4881 err1:
4882 return err;
4883 }
4884
nft_flush_set(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_set_elem * elem)4885 static int nft_flush_set(const struct nft_ctx *ctx,
4886 struct nft_set *set,
4887 const struct nft_set_iter *iter,
4888 struct nft_set_elem *elem)
4889 {
4890 struct nft_trans *trans;
4891 int err;
4892
4893 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
4894 sizeof(struct nft_trans_elem), GFP_ATOMIC);
4895 if (!trans)
4896 return -ENOMEM;
4897
4898 if (!set->ops->flush(ctx->net, set, elem->priv)) {
4899 err = -ENOENT;
4900 goto err1;
4901 }
4902 set->ndeact++;
4903
4904 nft_set_elem_deactivate(ctx->net, set, elem);
4905 nft_trans_elem_set(trans) = set;
4906 nft_trans_elem(trans) = *elem;
4907 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
4908
4909 return 0;
4910 err1:
4911 kfree(trans);
4912 return err;
4913 }
4914
nf_tables_delsetelem(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)4915 static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
4916 struct sk_buff *skb, const struct nlmsghdr *nlh,
4917 const struct nlattr * const nla[],
4918 struct netlink_ext_ack *extack)
4919 {
4920 u8 genmask = nft_genmask_next(net);
4921 const struct nlattr *attr;
4922 struct nft_set *set;
4923 struct nft_ctx ctx;
4924 int rem, err = 0;
4925
4926 err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, extack,
4927 genmask);
4928 if (err < 0)
4929 return err;
4930
4931 set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
4932 if (IS_ERR(set))
4933 return PTR_ERR(set);
4934 if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
4935 return -EBUSY;
4936
4937 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
4938 struct nft_set_iter iter = {
4939 .genmask = genmask,
4940 .fn = nft_flush_set,
4941 };
4942 set->ops->walk(&ctx, set, &iter);
4943
4944 return iter.err;
4945 }
4946
4947 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
4948 err = nft_del_setelem(&ctx, set, attr);
4949 if (err < 0)
4950 break;
4951
4952 set->ndeact++;
4953 }
4954 return err;
4955 }
4956
nft_set_gc_batch_release(struct rcu_head * rcu)4957 void nft_set_gc_batch_release(struct rcu_head *rcu)
4958 {
4959 struct nft_set_gc_batch *gcb;
4960 unsigned int i;
4961
4962 gcb = container_of(rcu, struct nft_set_gc_batch, head.rcu);
4963 for (i = 0; i < gcb->head.cnt; i++)
4964 nft_set_elem_destroy(gcb->head.set, gcb->elems[i], true);
4965 kfree(gcb);
4966 }
4967 EXPORT_SYMBOL_GPL(nft_set_gc_batch_release);
4968
nft_set_gc_batch_alloc(const struct nft_set * set,gfp_t gfp)4969 struct nft_set_gc_batch *nft_set_gc_batch_alloc(const struct nft_set *set,
4970 gfp_t gfp)
4971 {
4972 struct nft_set_gc_batch *gcb;
4973
4974 gcb = kzalloc(sizeof(*gcb), gfp);
4975 if (gcb == NULL)
4976 return gcb;
4977 gcb->head.set = set;
4978 return gcb;
4979 }
4980 EXPORT_SYMBOL_GPL(nft_set_gc_batch_alloc);
4981
4982 /*
4983 * Stateful objects
4984 */
4985
4986 /**
4987 * nft_register_obj- register nf_tables stateful object type
4988 * @obj: object type
4989 *
4990 * Registers the object type for use with nf_tables. Returns zero on
4991 * success or a negative errno code otherwise.
4992 */
nft_register_obj(struct nft_object_type * obj_type)4993 int nft_register_obj(struct nft_object_type *obj_type)
4994 {
4995 if (obj_type->type == NFT_OBJECT_UNSPEC)
4996 return -EINVAL;
4997
4998 nfnl_lock(NFNL_SUBSYS_NFTABLES);
4999 list_add_rcu(&obj_type->list, &nf_tables_objects);
5000 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5001 return 0;
5002 }
5003 EXPORT_SYMBOL_GPL(nft_register_obj);
5004
5005 /**
5006 * nft_unregister_obj - unregister nf_tables object type
5007 * @obj: object type
5008 *
5009 * Unregisters the object type for use with nf_tables.
5010 */
nft_unregister_obj(struct nft_object_type * obj_type)5011 void nft_unregister_obj(struct nft_object_type *obj_type)
5012 {
5013 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5014 list_del_rcu(&obj_type->list);
5015 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5016 }
5017 EXPORT_SYMBOL_GPL(nft_unregister_obj);
5018
nft_obj_lookup(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u32 objtype,u8 genmask)5019 struct nft_object *nft_obj_lookup(const struct net *net,
5020 const struct nft_table *table,
5021 const struct nlattr *nla, u32 objtype,
5022 u8 genmask)
5023 {
5024 struct nft_object_hash_key k = { .table = table };
5025 char search[NFT_OBJ_MAXNAMELEN];
5026 struct rhlist_head *tmp, *list;
5027 struct nft_object *obj;
5028
5029 nla_strlcpy(search, nla, sizeof(search));
5030 k.name = search;
5031
5032 WARN_ON_ONCE(!rcu_read_lock_held() &&
5033 !lockdep_commit_lock_is_held(net));
5034
5035 rcu_read_lock();
5036 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
5037 if (!list)
5038 goto out;
5039
5040 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
5041 if (objtype == obj->ops->type->type &&
5042 nft_active_genmask(obj, genmask)) {
5043 rcu_read_unlock();
5044 return obj;
5045 }
5046 }
5047 out:
5048 rcu_read_unlock();
5049 return ERR_PTR(-ENOENT);
5050 }
5051 EXPORT_SYMBOL_GPL(nft_obj_lookup);
5052
nft_obj_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u32 objtype,u8 genmask)5053 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
5054 const struct nlattr *nla,
5055 u32 objtype, u8 genmask)
5056 {
5057 struct nft_object *obj;
5058
5059 list_for_each_entry(obj, &table->objects, list) {
5060 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
5061 objtype == obj->ops->type->type &&
5062 nft_active_genmask(obj, genmask))
5063 return obj;
5064 }
5065 return ERR_PTR(-ENOENT);
5066 }
5067
5068 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
5069 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
5070 .len = NFT_TABLE_MAXNAMELEN - 1 },
5071 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
5072 .len = NFT_OBJ_MAXNAMELEN - 1 },
5073 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
5074 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
5075 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
5076 };
5077
nft_obj_init(const struct nft_ctx * ctx,const struct nft_object_type * type,const struct nlattr * attr)5078 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
5079 const struct nft_object_type *type,
5080 const struct nlattr *attr)
5081 {
5082 struct nlattr **tb;
5083 const struct nft_object_ops *ops;
5084 struct nft_object *obj;
5085 int err = -ENOMEM;
5086
5087 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
5088 if (!tb)
5089 goto err1;
5090
5091 if (attr) {
5092 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
5093 type->policy, NULL);
5094 if (err < 0)
5095 goto err2;
5096 } else {
5097 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
5098 }
5099
5100 if (type->select_ops) {
5101 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
5102 if (IS_ERR(ops)) {
5103 err = PTR_ERR(ops);
5104 goto err2;
5105 }
5106 } else {
5107 ops = type->ops;
5108 }
5109
5110 err = -ENOMEM;
5111 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
5112 if (!obj)
5113 goto err2;
5114
5115 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
5116 if (err < 0)
5117 goto err3;
5118
5119 obj->ops = ops;
5120
5121 kfree(tb);
5122 return obj;
5123 err3:
5124 kfree(obj);
5125 err2:
5126 kfree(tb);
5127 err1:
5128 return ERR_PTR(err);
5129 }
5130
nft_object_dump(struct sk_buff * skb,unsigned int attr,struct nft_object * obj,bool reset)5131 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
5132 struct nft_object *obj, bool reset)
5133 {
5134 struct nlattr *nest;
5135
5136 nest = nla_nest_start_noflag(skb, attr);
5137 if (!nest)
5138 goto nla_put_failure;
5139 if (obj->ops->dump(skb, obj, reset) < 0)
5140 goto nla_put_failure;
5141 nla_nest_end(skb, nest);
5142 return 0;
5143
5144 nla_put_failure:
5145 return -1;
5146 }
5147
__nft_obj_type_get(u32 objtype)5148 static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
5149 {
5150 const struct nft_object_type *type;
5151
5152 list_for_each_entry(type, &nf_tables_objects, list) {
5153 if (objtype == type->type)
5154 return type;
5155 }
5156 return NULL;
5157 }
5158
5159 static const struct nft_object_type *
nft_obj_type_get(struct net * net,u32 objtype)5160 nft_obj_type_get(struct net *net, u32 objtype)
5161 {
5162 const struct nft_object_type *type;
5163
5164 type = __nft_obj_type_get(objtype);
5165 if (type != NULL && try_module_get(type->owner))
5166 return type;
5167
5168 lockdep_nfnl_nft_mutex_not_held();
5169 #ifdef CONFIG_MODULES
5170 if (type == NULL) {
5171 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
5172 return ERR_PTR(-EAGAIN);
5173 }
5174 #endif
5175 return ERR_PTR(-ENOENT);
5176 }
5177
nf_tables_updobj(const struct nft_ctx * ctx,const struct nft_object_type * type,const struct nlattr * attr,struct nft_object * obj)5178 static int nf_tables_updobj(const struct nft_ctx *ctx,
5179 const struct nft_object_type *type,
5180 const struct nlattr *attr,
5181 struct nft_object *obj)
5182 {
5183 struct nft_object *newobj;
5184 struct nft_trans *trans;
5185 int err;
5186
5187 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
5188 sizeof(struct nft_trans_obj));
5189 if (!trans)
5190 return -ENOMEM;
5191
5192 newobj = nft_obj_init(ctx, type, attr);
5193 if (IS_ERR(newobj)) {
5194 err = PTR_ERR(newobj);
5195 goto err_free_trans;
5196 }
5197
5198 nft_trans_obj(trans) = obj;
5199 nft_trans_obj_update(trans) = true;
5200 nft_trans_obj_newobj(trans) = newobj;
5201 list_add_tail(&trans->list, &ctx->net->nft.commit_list);
5202
5203 return 0;
5204
5205 err_free_trans:
5206 kfree(trans);
5207 return err;
5208 }
5209
nf_tables_newobj(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)5210 static int nf_tables_newobj(struct net *net, struct sock *nlsk,
5211 struct sk_buff *skb, const struct nlmsghdr *nlh,
5212 const struct nlattr * const nla[],
5213 struct netlink_ext_ack *extack)
5214 {
5215 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5216 const struct nft_object_type *type;
5217 u8 genmask = nft_genmask_next(net);
5218 int family = nfmsg->nfgen_family;
5219 struct nft_table *table;
5220 struct nft_object *obj;
5221 struct nft_ctx ctx;
5222 u32 objtype;
5223 int err;
5224
5225 if (!nla[NFTA_OBJ_TYPE] ||
5226 !nla[NFTA_OBJ_NAME] ||
5227 !nla[NFTA_OBJ_DATA])
5228 return -EINVAL;
5229
5230 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5231 if (IS_ERR(table)) {
5232 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5233 return PTR_ERR(table);
5234 }
5235
5236 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5237 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5238 if (IS_ERR(obj)) {
5239 err = PTR_ERR(obj);
5240 if (err != -ENOENT) {
5241 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5242 return err;
5243 }
5244 } else {
5245 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5246 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5247 return -EEXIST;
5248 }
5249 if (nlh->nlmsg_flags & NLM_F_REPLACE)
5250 return -EOPNOTSUPP;
5251
5252 type = __nft_obj_type_get(objtype);
5253 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5254
5255 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
5256 }
5257
5258 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5259
5260 type = nft_obj_type_get(net, objtype);
5261 if (IS_ERR(type))
5262 return PTR_ERR(type);
5263
5264 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
5265 if (IS_ERR(obj)) {
5266 err = PTR_ERR(obj);
5267 goto err1;
5268 }
5269 obj->key.table = table;
5270 obj->handle = nf_tables_alloc_handle(table);
5271
5272 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
5273 if (!obj->key.name) {
5274 err = -ENOMEM;
5275 goto err2;
5276 }
5277
5278 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
5279 if (err < 0)
5280 goto err3;
5281
5282 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
5283 nft_objname_ht_params);
5284 if (err < 0)
5285 goto err4;
5286
5287 list_add_tail_rcu(&obj->list, &table->objects);
5288 table->use++;
5289 return 0;
5290 err4:
5291 /* queued in transaction log */
5292 INIT_LIST_HEAD(&obj->list);
5293 return err;
5294 err3:
5295 kfree(obj->key.name);
5296 err2:
5297 if (obj->ops->destroy)
5298 obj->ops->destroy(&ctx, obj);
5299 kfree(obj);
5300 err1:
5301 module_put(type->owner);
5302 return err;
5303 }
5304
nf_tables_fill_obj_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,struct nft_object * obj,bool reset)5305 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
5306 u32 portid, u32 seq, int event, u32 flags,
5307 int family, const struct nft_table *table,
5308 struct nft_object *obj, bool reset)
5309 {
5310 struct nfgenmsg *nfmsg;
5311 struct nlmsghdr *nlh;
5312
5313 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5314 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5315 if (nlh == NULL)
5316 goto nla_put_failure;
5317
5318 nfmsg = nlmsg_data(nlh);
5319 nfmsg->nfgen_family = family;
5320 nfmsg->version = NFNETLINK_V0;
5321 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5322
5323 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
5324 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
5325 nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
5326 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
5327 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset) ||
5328 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
5329 NFTA_OBJ_PAD))
5330 goto nla_put_failure;
5331
5332 nlmsg_end(skb, nlh);
5333 return 0;
5334
5335 nla_put_failure:
5336 nlmsg_trim(skb, nlh);
5337 return -1;
5338 }
5339
5340 struct nft_obj_filter {
5341 char *table;
5342 u32 type;
5343 };
5344
nf_tables_dump_obj(struct sk_buff * skb,struct netlink_callback * cb)5345 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
5346 {
5347 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
5348 const struct nft_table *table;
5349 unsigned int idx = 0, s_idx = cb->args[0];
5350 struct nft_obj_filter *filter = cb->data;
5351 struct net *net = sock_net(skb->sk);
5352 int family = nfmsg->nfgen_family;
5353 struct nft_object *obj;
5354 bool reset = false;
5355
5356 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5357 reset = true;
5358
5359 rcu_read_lock();
5360 cb->seq = net->nft.base_seq;
5361
5362 list_for_each_entry_rcu(table, &net->nft.tables, list) {
5363 if (family != NFPROTO_UNSPEC && family != table->family)
5364 continue;
5365
5366 list_for_each_entry_rcu(obj, &table->objects, list) {
5367 if (!nft_is_active(net, obj))
5368 goto cont;
5369 if (idx < s_idx)
5370 goto cont;
5371 if (idx > s_idx)
5372 memset(&cb->args[1], 0,
5373 sizeof(cb->args) - sizeof(cb->args[0]));
5374 if (filter && filter->table &&
5375 strcmp(filter->table, table->name))
5376 goto cont;
5377 if (filter &&
5378 filter->type != NFT_OBJECT_UNSPEC &&
5379 obj->ops->type->type != filter->type)
5380 goto cont;
5381
5382 if (nf_tables_fill_obj_info(skb, net, NETLINK_CB(cb->skb).portid,
5383 cb->nlh->nlmsg_seq,
5384 NFT_MSG_NEWOBJ,
5385 NLM_F_MULTI | NLM_F_APPEND,
5386 table->family, table,
5387 obj, reset) < 0)
5388 goto done;
5389
5390 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
5391 cont:
5392 idx++;
5393 }
5394 }
5395 done:
5396 rcu_read_unlock();
5397
5398 cb->args[0] = idx;
5399 return skb->len;
5400 }
5401
nf_tables_dump_obj_start(struct netlink_callback * cb)5402 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
5403 {
5404 const struct nlattr * const *nla = cb->data;
5405 struct nft_obj_filter *filter = NULL;
5406
5407 if (nla[NFTA_OBJ_TABLE] || nla[NFTA_OBJ_TYPE]) {
5408 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
5409 if (!filter)
5410 return -ENOMEM;
5411
5412 if (nla[NFTA_OBJ_TABLE]) {
5413 filter->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
5414 if (!filter->table) {
5415 kfree(filter);
5416 return -ENOMEM;
5417 }
5418 }
5419
5420 if (nla[NFTA_OBJ_TYPE])
5421 filter->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5422 }
5423
5424 cb->data = filter;
5425 return 0;
5426 }
5427
nf_tables_dump_obj_done(struct netlink_callback * cb)5428 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
5429 {
5430 struct nft_obj_filter *filter = cb->data;
5431
5432 if (filter) {
5433 kfree(filter->table);
5434 kfree(filter);
5435 }
5436
5437 return 0;
5438 }
5439
5440 /* called with rcu_read_lock held */
nf_tables_getobj(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)5441 static int nf_tables_getobj(struct net *net, struct sock *nlsk,
5442 struct sk_buff *skb, const struct nlmsghdr *nlh,
5443 const struct nlattr * const nla[],
5444 struct netlink_ext_ack *extack)
5445 {
5446 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5447 u8 genmask = nft_genmask_cur(net);
5448 int family = nfmsg->nfgen_family;
5449 const struct nft_table *table;
5450 struct nft_object *obj;
5451 struct sk_buff *skb2;
5452 bool reset = false;
5453 u32 objtype;
5454 int err;
5455
5456 if (nlh->nlmsg_flags & NLM_F_DUMP) {
5457 struct netlink_dump_control c = {
5458 .start = nf_tables_dump_obj_start,
5459 .dump = nf_tables_dump_obj,
5460 .done = nf_tables_dump_obj_done,
5461 .module = THIS_MODULE,
5462 .data = (void *)nla,
5463 };
5464
5465 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
5466 }
5467
5468 if (!nla[NFTA_OBJ_NAME] ||
5469 !nla[NFTA_OBJ_TYPE])
5470 return -EINVAL;
5471
5472 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5473 if (IS_ERR(table)) {
5474 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5475 return PTR_ERR(table);
5476 }
5477
5478 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5479 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
5480 if (IS_ERR(obj)) {
5481 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
5482 return PTR_ERR(obj);
5483 }
5484
5485 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
5486 if (!skb2)
5487 return -ENOMEM;
5488
5489 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == NFT_MSG_GETOBJ_RESET)
5490 reset = true;
5491
5492 err = nf_tables_fill_obj_info(skb2, net, NETLINK_CB(skb).portid,
5493 nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
5494 family, table, obj, reset);
5495 if (err < 0)
5496 goto err;
5497
5498 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
5499 err:
5500 kfree_skb(skb2);
5501 return err;
5502 }
5503
nft_obj_destroy(const struct nft_ctx * ctx,struct nft_object * obj)5504 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
5505 {
5506 if (obj->ops->destroy)
5507 obj->ops->destroy(ctx, obj);
5508
5509 module_put(obj->ops->type->owner);
5510 kfree(obj->key.name);
5511 kfree(obj);
5512 }
5513
nf_tables_delobj(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)5514 static int nf_tables_delobj(struct net *net, struct sock *nlsk,
5515 struct sk_buff *skb, const struct nlmsghdr *nlh,
5516 const struct nlattr * const nla[],
5517 struct netlink_ext_ack *extack)
5518 {
5519 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5520 u8 genmask = nft_genmask_next(net);
5521 int family = nfmsg->nfgen_family;
5522 const struct nlattr *attr;
5523 struct nft_table *table;
5524 struct nft_object *obj;
5525 struct nft_ctx ctx;
5526 u32 objtype;
5527
5528 if (!nla[NFTA_OBJ_TYPE] ||
5529 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
5530 return -EINVAL;
5531
5532 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask);
5533 if (IS_ERR(table)) {
5534 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
5535 return PTR_ERR(table);
5536 }
5537
5538 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
5539 if (nla[NFTA_OBJ_HANDLE]) {
5540 attr = nla[NFTA_OBJ_HANDLE];
5541 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
5542 } else {
5543 attr = nla[NFTA_OBJ_NAME];
5544 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
5545 }
5546
5547 if (IS_ERR(obj)) {
5548 NL_SET_BAD_ATTR(extack, attr);
5549 return PTR_ERR(obj);
5550 }
5551 if (obj->use > 0) {
5552 NL_SET_BAD_ATTR(extack, attr);
5553 return -EBUSY;
5554 }
5555
5556 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5557
5558 return nft_delobj(&ctx, obj);
5559 }
5560
nft_obj_notify(struct net * net,const struct nft_table * table,struct nft_object * obj,u32 portid,u32 seq,int event,int family,int report,gfp_t gfp)5561 void nft_obj_notify(struct net *net, const struct nft_table *table,
5562 struct nft_object *obj, u32 portid, u32 seq, int event,
5563 int family, int report, gfp_t gfp)
5564 {
5565 struct sk_buff *skb;
5566 int err;
5567
5568 if (!report &&
5569 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
5570 return;
5571
5572 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
5573 if (skb == NULL)
5574 goto err;
5575
5576 err = nf_tables_fill_obj_info(skb, net, portid, seq, event, 0, family,
5577 table, obj, false);
5578 if (err < 0) {
5579 kfree_skb(skb);
5580 goto err;
5581 }
5582
5583 nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report, gfp);
5584 return;
5585 err:
5586 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
5587 }
5588 EXPORT_SYMBOL_GPL(nft_obj_notify);
5589
nf_tables_obj_notify(const struct nft_ctx * ctx,struct nft_object * obj,int event)5590 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
5591 struct nft_object *obj, int event)
5592 {
5593 nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
5594 ctx->family, ctx->report, GFP_KERNEL);
5595 }
5596
5597 /*
5598 * Flow tables
5599 */
nft_register_flowtable_type(struct nf_flowtable_type * type)5600 void nft_register_flowtable_type(struct nf_flowtable_type *type)
5601 {
5602 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5603 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
5604 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5605 }
5606 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
5607
nft_unregister_flowtable_type(struct nf_flowtable_type * type)5608 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
5609 {
5610 nfnl_lock(NFNL_SUBSYS_NFTABLES);
5611 list_del_rcu(&type->list);
5612 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5613 }
5614 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
5615
5616 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
5617 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
5618 .len = NFT_NAME_MAXLEN - 1 },
5619 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
5620 .len = NFT_NAME_MAXLEN - 1 },
5621 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
5622 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
5623 };
5624
nft_flowtable_lookup(const struct nft_table * table,const struct nlattr * nla,u8 genmask)5625 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
5626 const struct nlattr *nla, u8 genmask)
5627 {
5628 struct nft_flowtable *flowtable;
5629
5630 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
5631 if (!nla_strcmp(nla, flowtable->name) &&
5632 nft_active_genmask(flowtable, genmask))
5633 return flowtable;
5634 }
5635 return ERR_PTR(-ENOENT);
5636 }
5637 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
5638
nf_tables_deactivate_flowtable(const struct nft_ctx * ctx,struct nft_flowtable * flowtable,enum nft_trans_phase phase)5639 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
5640 struct nft_flowtable *flowtable,
5641 enum nft_trans_phase phase)
5642 {
5643 switch (phase) {
5644 case NFT_TRANS_PREPARE:
5645 case NFT_TRANS_ABORT:
5646 case NFT_TRANS_RELEASE:
5647 flowtable->use--;
5648 /* fall through */
5649 default:
5650 return;
5651 }
5652 }
5653 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
5654
5655 static struct nft_flowtable *
nft_flowtable_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u8 genmask)5656 nft_flowtable_lookup_byhandle(const struct nft_table *table,
5657 const struct nlattr *nla, u8 genmask)
5658 {
5659 struct nft_flowtable *flowtable;
5660
5661 list_for_each_entry(flowtable, &table->flowtables, list) {
5662 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
5663 nft_active_genmask(flowtable, genmask))
5664 return flowtable;
5665 }
5666 return ERR_PTR(-ENOENT);
5667 }
5668
nf_tables_parse_devices(const struct nft_ctx * ctx,const struct nlattr * attr,struct net_device * dev_array[],int * len)5669 static int nf_tables_parse_devices(const struct nft_ctx *ctx,
5670 const struct nlattr *attr,
5671 struct net_device *dev_array[], int *len)
5672 {
5673 const struct nlattr *tmp;
5674 struct net_device *dev;
5675 char ifname[IFNAMSIZ];
5676 int rem, n = 0, err;
5677
5678 nla_for_each_nested(tmp, attr, rem) {
5679 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
5680 err = -EINVAL;
5681 goto err1;
5682 }
5683
5684 nla_strlcpy(ifname, tmp, IFNAMSIZ);
5685 dev = __dev_get_by_name(ctx->net, ifname);
5686 if (!dev) {
5687 err = -ENOENT;
5688 goto err1;
5689 }
5690
5691 dev_array[n++] = dev;
5692 if (n == NFT_FLOWTABLE_DEVICE_MAX) {
5693 err = -EFBIG;
5694 goto err1;
5695 }
5696 }
5697 if (!len)
5698 return -EINVAL;
5699
5700 err = 0;
5701 err1:
5702 *len = n;
5703 return err;
5704 }
5705
5706 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
5707 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
5708 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
5709 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
5710 };
5711
nf_tables_flowtable_parse_hook(const struct nft_ctx * ctx,const struct nlattr * attr,struct nft_flowtable * flowtable)5712 static int nf_tables_flowtable_parse_hook(const struct nft_ctx *ctx,
5713 const struct nlattr *attr,
5714 struct nft_flowtable *flowtable)
5715 {
5716 struct net_device *dev_array[NFT_FLOWTABLE_DEVICE_MAX];
5717 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
5718 struct nf_hook_ops *ops;
5719 int hooknum, priority;
5720 int err, n = 0, i;
5721
5722 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX, attr,
5723 nft_flowtable_hook_policy, NULL);
5724 if (err < 0)
5725 return err;
5726
5727 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
5728 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY] ||
5729 !tb[NFTA_FLOWTABLE_HOOK_DEVS])
5730 return -EINVAL;
5731
5732 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
5733 if (hooknum != NF_NETDEV_INGRESS)
5734 return -EINVAL;
5735
5736 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
5737
5738 err = nf_tables_parse_devices(ctx, tb[NFTA_FLOWTABLE_HOOK_DEVS],
5739 dev_array, &n);
5740 if (err < 0)
5741 return err;
5742
5743 ops = kcalloc(n, sizeof(struct nf_hook_ops), GFP_KERNEL);
5744 if (!ops)
5745 return -ENOMEM;
5746
5747 flowtable->hooknum = hooknum;
5748 flowtable->priority = priority;
5749 flowtable->ops = ops;
5750 flowtable->ops_len = n;
5751
5752 for (i = 0; i < n; i++) {
5753 flowtable->ops[i].pf = NFPROTO_NETDEV;
5754 flowtable->ops[i].hooknum = hooknum;
5755 flowtable->ops[i].priority = priority;
5756 flowtable->ops[i].priv = &flowtable->data;
5757 flowtable->ops[i].hook = flowtable->data.type->hook;
5758 flowtable->ops[i].dev = dev_array[i];
5759 }
5760
5761 return err;
5762 }
5763
__nft_flowtable_type_get(u8 family)5764 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
5765 {
5766 const struct nf_flowtable_type *type;
5767
5768 list_for_each_entry(type, &nf_tables_flowtables, list) {
5769 if (family == type->family)
5770 return type;
5771 }
5772 return NULL;
5773 }
5774
5775 static const struct nf_flowtable_type *
nft_flowtable_type_get(struct net * net,u8 family)5776 nft_flowtable_type_get(struct net *net, u8 family)
5777 {
5778 const struct nf_flowtable_type *type;
5779
5780 type = __nft_flowtable_type_get(family);
5781 if (type != NULL && try_module_get(type->owner))
5782 return type;
5783
5784 lockdep_nfnl_nft_mutex_not_held();
5785 #ifdef CONFIG_MODULES
5786 if (type == NULL) {
5787 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
5788 return ERR_PTR(-EAGAIN);
5789 }
5790 #endif
5791 return ERR_PTR(-ENOENT);
5792 }
5793
nft_unregister_flowtable_net_hooks(struct net * net,struct nft_flowtable * flowtable)5794 static void nft_unregister_flowtable_net_hooks(struct net *net,
5795 struct nft_flowtable *flowtable)
5796 {
5797 int i;
5798
5799 for (i = 0; i < flowtable->ops_len; i++) {
5800 if (!flowtable->ops[i].dev)
5801 continue;
5802
5803 nf_unregister_net_hook(net, &flowtable->ops[i]);
5804 }
5805 }
5806
nf_tables_newflowtable(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)5807 static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
5808 struct sk_buff *skb,
5809 const struct nlmsghdr *nlh,
5810 const struct nlattr * const nla[],
5811 struct netlink_ext_ack *extack)
5812 {
5813 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5814 const struct nf_flowtable_type *type;
5815 struct nft_flowtable *flowtable, *ft;
5816 u8 genmask = nft_genmask_next(net);
5817 int family = nfmsg->nfgen_family;
5818 struct nft_table *table;
5819 struct nft_ctx ctx;
5820 int err, i, k;
5821
5822 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5823 !nla[NFTA_FLOWTABLE_NAME] ||
5824 !nla[NFTA_FLOWTABLE_HOOK])
5825 return -EINVAL;
5826
5827 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5828 genmask);
5829 if (IS_ERR(table)) {
5830 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5831 return PTR_ERR(table);
5832 }
5833
5834 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
5835 genmask);
5836 if (IS_ERR(flowtable)) {
5837 err = PTR_ERR(flowtable);
5838 if (err != -ENOENT) {
5839 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5840 return err;
5841 }
5842 } else {
5843 if (nlh->nlmsg_flags & NLM_F_EXCL) {
5844 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
5845 return -EEXIST;
5846 }
5847
5848 return 0;
5849 }
5850
5851 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5852
5853 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
5854 if (!flowtable)
5855 return -ENOMEM;
5856
5857 flowtable->table = table;
5858 flowtable->handle = nf_tables_alloc_handle(table);
5859
5860 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
5861 if (!flowtable->name) {
5862 err = -ENOMEM;
5863 goto err1;
5864 }
5865
5866 type = nft_flowtable_type_get(net, family);
5867 if (IS_ERR(type)) {
5868 err = PTR_ERR(type);
5869 goto err2;
5870 }
5871
5872 flowtable->data.type = type;
5873 err = type->init(&flowtable->data);
5874 if (err < 0)
5875 goto err3;
5876
5877 err = nf_tables_flowtable_parse_hook(&ctx, nla[NFTA_FLOWTABLE_HOOK],
5878 flowtable);
5879 if (err < 0)
5880 goto err4;
5881
5882 for (i = 0; i < flowtable->ops_len; i++) {
5883 if (!flowtable->ops[i].dev)
5884 continue;
5885
5886 list_for_each_entry(ft, &table->flowtables, list) {
5887 for (k = 0; k < ft->ops_len; k++) {
5888 if (!ft->ops[k].dev)
5889 continue;
5890
5891 if (flowtable->ops[i].dev == ft->ops[k].dev &&
5892 flowtable->ops[i].pf == ft->ops[k].pf) {
5893 err = -EBUSY;
5894 goto err5;
5895 }
5896 }
5897 }
5898
5899 err = nf_register_net_hook(net, &flowtable->ops[i]);
5900 if (err < 0)
5901 goto err5;
5902 }
5903
5904 err = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
5905 if (err < 0)
5906 goto err6;
5907
5908 list_add_tail_rcu(&flowtable->list, &table->flowtables);
5909 table->use++;
5910
5911 return 0;
5912 err6:
5913 i = flowtable->ops_len;
5914 err5:
5915 for (k = i - 1; k >= 0; k--)
5916 nf_unregister_net_hook(net, &flowtable->ops[k]);
5917
5918 kfree(flowtable->ops);
5919 err4:
5920 flowtable->data.type->free(&flowtable->data);
5921 err3:
5922 module_put(type->owner);
5923 err2:
5924 kfree(flowtable->name);
5925 err1:
5926 kfree(flowtable);
5927 return err;
5928 }
5929
nf_tables_delflowtable(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)5930 static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
5931 struct sk_buff *skb,
5932 const struct nlmsghdr *nlh,
5933 const struct nlattr * const nla[],
5934 struct netlink_ext_ack *extack)
5935 {
5936 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
5937 u8 genmask = nft_genmask_next(net);
5938 int family = nfmsg->nfgen_family;
5939 struct nft_flowtable *flowtable;
5940 const struct nlattr *attr;
5941 struct nft_table *table;
5942 struct nft_ctx ctx;
5943
5944 if (!nla[NFTA_FLOWTABLE_TABLE] ||
5945 (!nla[NFTA_FLOWTABLE_NAME] &&
5946 !nla[NFTA_FLOWTABLE_HANDLE]))
5947 return -EINVAL;
5948
5949 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
5950 genmask);
5951 if (IS_ERR(table)) {
5952 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
5953 return PTR_ERR(table);
5954 }
5955
5956 if (nla[NFTA_FLOWTABLE_HANDLE]) {
5957 attr = nla[NFTA_FLOWTABLE_HANDLE];
5958 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
5959 } else {
5960 attr = nla[NFTA_FLOWTABLE_NAME];
5961 flowtable = nft_flowtable_lookup(table, attr, genmask);
5962 }
5963
5964 if (IS_ERR(flowtable)) {
5965 NL_SET_BAD_ATTR(extack, attr);
5966 return PTR_ERR(flowtable);
5967 }
5968 if (flowtable->use > 0) {
5969 NL_SET_BAD_ATTR(extack, attr);
5970 return -EBUSY;
5971 }
5972
5973 nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla);
5974
5975 return nft_delflowtable(&ctx, flowtable);
5976 }
5977
nf_tables_fill_flowtable_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,struct nft_flowtable * flowtable)5978 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
5979 u32 portid, u32 seq, int event,
5980 u32 flags, int family,
5981 struct nft_flowtable *flowtable)
5982 {
5983 struct nlattr *nest, *nest_devs;
5984 struct nfgenmsg *nfmsg;
5985 struct nlmsghdr *nlh;
5986 int i;
5987
5988 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
5989 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags);
5990 if (nlh == NULL)
5991 goto nla_put_failure;
5992
5993 nfmsg = nlmsg_data(nlh);
5994 nfmsg->nfgen_family = family;
5995 nfmsg->version = NFNETLINK_V0;
5996 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
5997
5998 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
5999 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
6000 nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
6001 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
6002 NFTA_FLOWTABLE_PAD))
6003 goto nla_put_failure;
6004
6005 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
6006 if (!nest)
6007 goto nla_put_failure;
6008 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
6009 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
6010 goto nla_put_failure;
6011
6012 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
6013 if (!nest_devs)
6014 goto nla_put_failure;
6015
6016 for (i = 0; i < flowtable->ops_len; i++) {
6017 const struct net_device *dev = READ_ONCE(flowtable->ops[i].dev);
6018
6019 if (dev &&
6020 nla_put_string(skb, NFTA_DEVICE_NAME, dev->name))
6021 goto nla_put_failure;
6022 }
6023 nla_nest_end(skb, nest_devs);
6024 nla_nest_end(skb, nest);
6025
6026 nlmsg_end(skb, nlh);
6027 return 0;
6028
6029 nla_put_failure:
6030 nlmsg_trim(skb, nlh);
6031 return -1;
6032 }
6033
6034 struct nft_flowtable_filter {
6035 char *table;
6036 };
6037
nf_tables_dump_flowtable(struct sk_buff * skb,struct netlink_callback * cb)6038 static int nf_tables_dump_flowtable(struct sk_buff *skb,
6039 struct netlink_callback *cb)
6040 {
6041 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
6042 struct nft_flowtable_filter *filter = cb->data;
6043 unsigned int idx = 0, s_idx = cb->args[0];
6044 struct net *net = sock_net(skb->sk);
6045 int family = nfmsg->nfgen_family;
6046 struct nft_flowtable *flowtable;
6047 const struct nft_table *table;
6048
6049 rcu_read_lock();
6050 cb->seq = net->nft.base_seq;
6051
6052 list_for_each_entry_rcu(table, &net->nft.tables, list) {
6053 if (family != NFPROTO_UNSPEC && family != table->family)
6054 continue;
6055
6056 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
6057 if (!nft_is_active(net, flowtable))
6058 goto cont;
6059 if (idx < s_idx)
6060 goto cont;
6061 if (idx > s_idx)
6062 memset(&cb->args[1], 0,
6063 sizeof(cb->args) - sizeof(cb->args[0]));
6064 if (filter && filter->table &&
6065 strcmp(filter->table, table->name))
6066 goto cont;
6067
6068 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
6069 cb->nlh->nlmsg_seq,
6070 NFT_MSG_NEWFLOWTABLE,
6071 NLM_F_MULTI | NLM_F_APPEND,
6072 table->family, flowtable) < 0)
6073 goto done;
6074
6075 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
6076 cont:
6077 idx++;
6078 }
6079 }
6080 done:
6081 rcu_read_unlock();
6082
6083 cb->args[0] = idx;
6084 return skb->len;
6085 }
6086
nf_tables_dump_flowtable_start(struct netlink_callback * cb)6087 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
6088 {
6089 const struct nlattr * const *nla = cb->data;
6090 struct nft_flowtable_filter *filter = NULL;
6091
6092 if (nla[NFTA_FLOWTABLE_TABLE]) {
6093 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
6094 if (!filter)
6095 return -ENOMEM;
6096
6097 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
6098 GFP_ATOMIC);
6099 if (!filter->table) {
6100 kfree(filter);
6101 return -ENOMEM;
6102 }
6103 }
6104
6105 cb->data = filter;
6106 return 0;
6107 }
6108
nf_tables_dump_flowtable_done(struct netlink_callback * cb)6109 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
6110 {
6111 struct nft_flowtable_filter *filter = cb->data;
6112
6113 if (!filter)
6114 return 0;
6115
6116 kfree(filter->table);
6117 kfree(filter);
6118
6119 return 0;
6120 }
6121
6122 /* called with rcu_read_lock held */
nf_tables_getflowtable(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)6123 static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
6124 struct sk_buff *skb,
6125 const struct nlmsghdr *nlh,
6126 const struct nlattr * const nla[],
6127 struct netlink_ext_ack *extack)
6128 {
6129 const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
6130 u8 genmask = nft_genmask_cur(net);
6131 int family = nfmsg->nfgen_family;
6132 struct nft_flowtable *flowtable;
6133 const struct nft_table *table;
6134 struct sk_buff *skb2;
6135 int err;
6136
6137 if (nlh->nlmsg_flags & NLM_F_DUMP) {
6138 struct netlink_dump_control c = {
6139 .start = nf_tables_dump_flowtable_start,
6140 .dump = nf_tables_dump_flowtable,
6141 .done = nf_tables_dump_flowtable_done,
6142 .module = THIS_MODULE,
6143 .data = (void *)nla,
6144 };
6145
6146 return nft_netlink_dump_start_rcu(nlsk, skb, nlh, &c);
6147 }
6148
6149 if (!nla[NFTA_FLOWTABLE_NAME])
6150 return -EINVAL;
6151
6152 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
6153 genmask);
6154 if (IS_ERR(table))
6155 return PTR_ERR(table);
6156
6157 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
6158 genmask);
6159 if (IS_ERR(flowtable))
6160 return PTR_ERR(flowtable);
6161
6162 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6163 if (!skb2)
6164 return -ENOMEM;
6165
6166 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
6167 nlh->nlmsg_seq,
6168 NFT_MSG_NEWFLOWTABLE, 0, family,
6169 flowtable);
6170 if (err < 0)
6171 goto err;
6172
6173 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6174 err:
6175 kfree_skb(skb2);
6176 return err;
6177 }
6178
nf_tables_flowtable_notify(struct nft_ctx * ctx,struct nft_flowtable * flowtable,int event)6179 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
6180 struct nft_flowtable *flowtable,
6181 int event)
6182 {
6183 struct sk_buff *skb;
6184 int err;
6185
6186 if (ctx->report &&
6187 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
6188 return;
6189
6190 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6191 if (skb == NULL)
6192 goto err;
6193
6194 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
6195 ctx->seq, event, 0,
6196 ctx->family, flowtable);
6197 if (err < 0) {
6198 kfree_skb(skb);
6199 goto err;
6200 }
6201
6202 nfnetlink_send(skb, ctx->net, ctx->portid, NFNLGRP_NFTABLES,
6203 ctx->report, GFP_KERNEL);
6204 return;
6205 err:
6206 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
6207 }
6208
nf_tables_flowtable_destroy(struct nft_flowtable * flowtable)6209 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
6210 {
6211 kfree(flowtable->ops);
6212 kfree(flowtable->name);
6213 flowtable->data.type->free(&flowtable->data);
6214 module_put(flowtable->data.type->owner);
6215 kfree(flowtable);
6216 }
6217
nf_tables_fill_gen_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq)6218 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
6219 u32 portid, u32 seq)
6220 {
6221 struct nlmsghdr *nlh;
6222 struct nfgenmsg *nfmsg;
6223 char buf[TASK_COMM_LEN];
6224 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
6225
6226 nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
6227 if (nlh == NULL)
6228 goto nla_put_failure;
6229
6230 nfmsg = nlmsg_data(nlh);
6231 nfmsg->nfgen_family = AF_UNSPEC;
6232 nfmsg->version = NFNETLINK_V0;
6233 nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
6234
6235 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
6236 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
6237 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
6238 goto nla_put_failure;
6239
6240 nlmsg_end(skb, nlh);
6241 return 0;
6242
6243 nla_put_failure:
6244 nlmsg_trim(skb, nlh);
6245 return -EMSGSIZE;
6246 }
6247
nft_flowtable_event(unsigned long event,struct net_device * dev,struct nft_flowtable * flowtable)6248 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
6249 struct nft_flowtable *flowtable)
6250 {
6251 int i;
6252
6253 for (i = 0; i < flowtable->ops_len; i++) {
6254 if (flowtable->ops[i].dev != dev)
6255 continue;
6256
6257 nf_unregister_net_hook(dev_net(dev), &flowtable->ops[i]);
6258 flowtable->ops[i].dev = NULL;
6259 break;
6260 }
6261 }
6262
nf_tables_flowtable_event(struct notifier_block * this,unsigned long event,void * ptr)6263 static int nf_tables_flowtable_event(struct notifier_block *this,
6264 unsigned long event, void *ptr)
6265 {
6266 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
6267 struct nft_flowtable *flowtable;
6268 struct nft_table *table;
6269 struct net *net;
6270
6271 if (event != NETDEV_UNREGISTER)
6272 return 0;
6273
6274 net = dev_net(dev);
6275 mutex_lock(&net->nft.commit_mutex);
6276 list_for_each_entry(table, &net->nft.tables, list) {
6277 list_for_each_entry(flowtable, &table->flowtables, list) {
6278 nft_flowtable_event(event, dev, flowtable);
6279 }
6280 }
6281 mutex_unlock(&net->nft.commit_mutex);
6282
6283 return NOTIFY_DONE;
6284 }
6285
6286 static struct notifier_block nf_tables_flowtable_notifier = {
6287 .notifier_call = nf_tables_flowtable_event,
6288 };
6289
nf_tables_gen_notify(struct net * net,struct sk_buff * skb,int event)6290 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
6291 int event)
6292 {
6293 struct nlmsghdr *nlh = nlmsg_hdr(skb);
6294 struct sk_buff *skb2;
6295 int err;
6296
6297 if (nlmsg_report(nlh) &&
6298 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6299 return;
6300
6301 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6302 if (skb2 == NULL)
6303 goto err;
6304
6305 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6306 nlh->nlmsg_seq);
6307 if (err < 0) {
6308 kfree_skb(skb2);
6309 goto err;
6310 }
6311
6312 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6313 nlmsg_report(nlh), GFP_KERNEL);
6314 return;
6315 err:
6316 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
6317 -ENOBUFS);
6318 }
6319
nf_tables_getgen(struct net * net,struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const nla[],struct netlink_ext_ack * extack)6320 static int nf_tables_getgen(struct net *net, struct sock *nlsk,
6321 struct sk_buff *skb, const struct nlmsghdr *nlh,
6322 const struct nlattr * const nla[],
6323 struct netlink_ext_ack *extack)
6324 {
6325 struct sk_buff *skb2;
6326 int err;
6327
6328 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
6329 if (skb2 == NULL)
6330 return -ENOMEM;
6331
6332 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
6333 nlh->nlmsg_seq);
6334 if (err < 0)
6335 goto err;
6336
6337 return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
6338 err:
6339 kfree_skb(skb2);
6340 return err;
6341 }
6342
6343 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
6344 [NFT_MSG_NEWTABLE] = {
6345 .call_batch = nf_tables_newtable,
6346 .attr_count = NFTA_TABLE_MAX,
6347 .policy = nft_table_policy,
6348 },
6349 [NFT_MSG_GETTABLE] = {
6350 .call_rcu = nf_tables_gettable,
6351 .attr_count = NFTA_TABLE_MAX,
6352 .policy = nft_table_policy,
6353 },
6354 [NFT_MSG_DELTABLE] = {
6355 .call_batch = nf_tables_deltable,
6356 .attr_count = NFTA_TABLE_MAX,
6357 .policy = nft_table_policy,
6358 },
6359 [NFT_MSG_NEWCHAIN] = {
6360 .call_batch = nf_tables_newchain,
6361 .attr_count = NFTA_CHAIN_MAX,
6362 .policy = nft_chain_policy,
6363 },
6364 [NFT_MSG_GETCHAIN] = {
6365 .call_rcu = nf_tables_getchain,
6366 .attr_count = NFTA_CHAIN_MAX,
6367 .policy = nft_chain_policy,
6368 },
6369 [NFT_MSG_DELCHAIN] = {
6370 .call_batch = nf_tables_delchain,
6371 .attr_count = NFTA_CHAIN_MAX,
6372 .policy = nft_chain_policy,
6373 },
6374 [NFT_MSG_NEWRULE] = {
6375 .call_batch = nf_tables_newrule,
6376 .attr_count = NFTA_RULE_MAX,
6377 .policy = nft_rule_policy,
6378 },
6379 [NFT_MSG_GETRULE] = {
6380 .call_rcu = nf_tables_getrule,
6381 .attr_count = NFTA_RULE_MAX,
6382 .policy = nft_rule_policy,
6383 },
6384 [NFT_MSG_DELRULE] = {
6385 .call_batch = nf_tables_delrule,
6386 .attr_count = NFTA_RULE_MAX,
6387 .policy = nft_rule_policy,
6388 },
6389 [NFT_MSG_NEWSET] = {
6390 .call_batch = nf_tables_newset,
6391 .attr_count = NFTA_SET_MAX,
6392 .policy = nft_set_policy,
6393 },
6394 [NFT_MSG_GETSET] = {
6395 .call_rcu = nf_tables_getset,
6396 .attr_count = NFTA_SET_MAX,
6397 .policy = nft_set_policy,
6398 },
6399 [NFT_MSG_DELSET] = {
6400 .call_batch = nf_tables_delset,
6401 .attr_count = NFTA_SET_MAX,
6402 .policy = nft_set_policy,
6403 },
6404 [NFT_MSG_NEWSETELEM] = {
6405 .call_batch = nf_tables_newsetelem,
6406 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6407 .policy = nft_set_elem_list_policy,
6408 },
6409 [NFT_MSG_GETSETELEM] = {
6410 .call_rcu = nf_tables_getsetelem,
6411 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6412 .policy = nft_set_elem_list_policy,
6413 },
6414 [NFT_MSG_DELSETELEM] = {
6415 .call_batch = nf_tables_delsetelem,
6416 .attr_count = NFTA_SET_ELEM_LIST_MAX,
6417 .policy = nft_set_elem_list_policy,
6418 },
6419 [NFT_MSG_GETGEN] = {
6420 .call_rcu = nf_tables_getgen,
6421 },
6422 [NFT_MSG_NEWOBJ] = {
6423 .call_batch = nf_tables_newobj,
6424 .attr_count = NFTA_OBJ_MAX,
6425 .policy = nft_obj_policy,
6426 },
6427 [NFT_MSG_GETOBJ] = {
6428 .call_rcu = nf_tables_getobj,
6429 .attr_count = NFTA_OBJ_MAX,
6430 .policy = nft_obj_policy,
6431 },
6432 [NFT_MSG_DELOBJ] = {
6433 .call_batch = nf_tables_delobj,
6434 .attr_count = NFTA_OBJ_MAX,
6435 .policy = nft_obj_policy,
6436 },
6437 [NFT_MSG_GETOBJ_RESET] = {
6438 .call_rcu = nf_tables_getobj,
6439 .attr_count = NFTA_OBJ_MAX,
6440 .policy = nft_obj_policy,
6441 },
6442 [NFT_MSG_NEWFLOWTABLE] = {
6443 .call_batch = nf_tables_newflowtable,
6444 .attr_count = NFTA_FLOWTABLE_MAX,
6445 .policy = nft_flowtable_policy,
6446 },
6447 [NFT_MSG_GETFLOWTABLE] = {
6448 .call_rcu = nf_tables_getflowtable,
6449 .attr_count = NFTA_FLOWTABLE_MAX,
6450 .policy = nft_flowtable_policy,
6451 },
6452 [NFT_MSG_DELFLOWTABLE] = {
6453 .call_batch = nf_tables_delflowtable,
6454 .attr_count = NFTA_FLOWTABLE_MAX,
6455 .policy = nft_flowtable_policy,
6456 },
6457 };
6458
nf_tables_validate(struct net * net)6459 static int nf_tables_validate(struct net *net)
6460 {
6461 struct nft_table *table;
6462
6463 switch (net->nft.validate_state) {
6464 case NFT_VALIDATE_SKIP:
6465 break;
6466 case NFT_VALIDATE_NEED:
6467 nft_validate_state_update(net, NFT_VALIDATE_DO);
6468 /* fall through */
6469 case NFT_VALIDATE_DO:
6470 list_for_each_entry(table, &net->nft.tables, list) {
6471 if (nft_table_validate(net, table) < 0)
6472 return -EAGAIN;
6473 }
6474 break;
6475 }
6476
6477 return 0;
6478 }
6479
6480 /* a drop policy has to be deferred until all rules have been activated,
6481 * otherwise a large ruleset that contains a drop-policy base chain will
6482 * cause all packets to get dropped until the full transaction has been
6483 * processed.
6484 *
6485 * We defer the drop policy until the transaction has been finalized.
6486 */
nft_chain_commit_drop_policy(struct nft_trans * trans)6487 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
6488 {
6489 struct nft_base_chain *basechain;
6490
6491 if (nft_trans_chain_policy(trans) != NF_DROP)
6492 return;
6493
6494 if (!nft_is_base_chain(trans->ctx.chain))
6495 return;
6496
6497 basechain = nft_base_chain(trans->ctx.chain);
6498 basechain->policy = NF_DROP;
6499 }
6500
nft_chain_commit_update(struct nft_trans * trans)6501 static void nft_chain_commit_update(struct nft_trans *trans)
6502 {
6503 struct nft_base_chain *basechain;
6504
6505 if (nft_trans_chain_name(trans)) {
6506 rhltable_remove(&trans->ctx.table->chains_ht,
6507 &trans->ctx.chain->rhlhead,
6508 nft_chain_ht_params);
6509 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
6510 rhltable_insert_key(&trans->ctx.table->chains_ht,
6511 trans->ctx.chain->name,
6512 &trans->ctx.chain->rhlhead,
6513 nft_chain_ht_params);
6514 }
6515
6516 if (!nft_is_base_chain(trans->ctx.chain))
6517 return;
6518
6519 nft_chain_stats_replace(trans);
6520
6521 basechain = nft_base_chain(trans->ctx.chain);
6522
6523 switch (nft_trans_chain_policy(trans)) {
6524 case NF_DROP:
6525 case NF_ACCEPT:
6526 basechain->policy = nft_trans_chain_policy(trans);
6527 break;
6528 }
6529 }
6530
nft_obj_commit_update(struct nft_trans * trans)6531 static void nft_obj_commit_update(struct nft_trans *trans)
6532 {
6533 struct nft_object *newobj;
6534 struct nft_object *obj;
6535
6536 obj = nft_trans_obj(trans);
6537 newobj = nft_trans_obj_newobj(trans);
6538
6539 if (obj->ops->update)
6540 obj->ops->update(obj, newobj);
6541
6542 kfree(newobj);
6543 }
6544
nft_commit_release(struct nft_trans * trans)6545 static void nft_commit_release(struct nft_trans *trans)
6546 {
6547 switch (trans->msg_type) {
6548 case NFT_MSG_DELTABLE:
6549 nf_tables_table_destroy(&trans->ctx);
6550 break;
6551 case NFT_MSG_NEWCHAIN:
6552 free_percpu(nft_trans_chain_stats(trans));
6553 kfree(nft_trans_chain_name(trans));
6554 break;
6555 case NFT_MSG_DELCHAIN:
6556 nf_tables_chain_destroy(&trans->ctx);
6557 break;
6558 case NFT_MSG_DELRULE:
6559 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6560 break;
6561 case NFT_MSG_DELSET:
6562 nft_set_destroy(nft_trans_set(trans));
6563 break;
6564 case NFT_MSG_DELSETELEM:
6565 nf_tables_set_elem_destroy(&trans->ctx,
6566 nft_trans_elem_set(trans),
6567 nft_trans_elem(trans).priv);
6568 break;
6569 case NFT_MSG_DELOBJ:
6570 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
6571 break;
6572 case NFT_MSG_DELFLOWTABLE:
6573 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
6574 break;
6575 }
6576
6577 if (trans->put_net)
6578 put_net(trans->ctx.net);
6579
6580 kfree(trans);
6581 }
6582
nf_tables_trans_destroy_work(struct work_struct * w)6583 static void nf_tables_trans_destroy_work(struct work_struct *w)
6584 {
6585 struct nft_trans *trans, *next;
6586 LIST_HEAD(head);
6587
6588 spin_lock(&nf_tables_destroy_list_lock);
6589 list_splice_init(&nf_tables_destroy_list, &head);
6590 spin_unlock(&nf_tables_destroy_list_lock);
6591
6592 if (list_empty(&head))
6593 return;
6594
6595 synchronize_rcu();
6596
6597 list_for_each_entry_safe(trans, next, &head, list) {
6598 list_del(&trans->list);
6599 nft_commit_release(trans);
6600 }
6601 }
6602
nf_tables_commit_chain_prepare(struct net * net,struct nft_chain * chain)6603 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
6604 {
6605 struct nft_rule *rule;
6606 unsigned int alloc = 0;
6607 int i;
6608
6609 /* already handled or inactive chain? */
6610 if (chain->rules_next || !nft_is_active_next(net, chain))
6611 return 0;
6612
6613 rule = list_entry(&chain->rules, struct nft_rule, list);
6614 i = 0;
6615
6616 list_for_each_entry_continue(rule, &chain->rules, list) {
6617 if (nft_is_active_next(net, rule))
6618 alloc++;
6619 }
6620
6621 chain->rules_next = nf_tables_chain_alloc_rules(chain, alloc);
6622 if (!chain->rules_next)
6623 return -ENOMEM;
6624
6625 list_for_each_entry_continue(rule, &chain->rules, list) {
6626 if (nft_is_active_next(net, rule))
6627 chain->rules_next[i++] = rule;
6628 }
6629
6630 chain->rules_next[i] = NULL;
6631 return 0;
6632 }
6633
nf_tables_commit_chain_prepare_cancel(struct net * net)6634 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
6635 {
6636 struct nft_trans *trans, *next;
6637
6638 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6639 struct nft_chain *chain = trans->ctx.chain;
6640
6641 if (trans->msg_type == NFT_MSG_NEWRULE ||
6642 trans->msg_type == NFT_MSG_DELRULE) {
6643 kvfree(chain->rules_next);
6644 chain->rules_next = NULL;
6645 }
6646 }
6647 }
6648
__nf_tables_commit_chain_free_rules_old(struct rcu_head * h)6649 static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h)
6650 {
6651 struct nft_rules_old *o = container_of(h, struct nft_rules_old, h);
6652
6653 kvfree(o->start);
6654 }
6655
nf_tables_commit_chain_free_rules_old(struct nft_rule ** rules)6656 static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules)
6657 {
6658 struct nft_rule **r = rules;
6659 struct nft_rules_old *old;
6660
6661 while (*r)
6662 r++;
6663
6664 r++; /* rcu_head is after end marker */
6665 old = (void *) r;
6666 old->start = rules;
6667
6668 call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old);
6669 }
6670
nf_tables_commit_chain(struct net * net,struct nft_chain * chain)6671 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
6672 {
6673 struct nft_rule **g0, **g1;
6674 bool next_genbit;
6675
6676 next_genbit = nft_gencursor_next(net);
6677
6678 g0 = rcu_dereference_protected(chain->rules_gen_0,
6679 lockdep_commit_lock_is_held(net));
6680 g1 = rcu_dereference_protected(chain->rules_gen_1,
6681 lockdep_commit_lock_is_held(net));
6682
6683 /* No changes to this chain? */
6684 if (chain->rules_next == NULL) {
6685 /* chain had no change in last or next generation */
6686 if (g0 == g1)
6687 return;
6688 /*
6689 * chain had no change in this generation; make sure next
6690 * one uses same rules as current generation.
6691 */
6692 if (next_genbit) {
6693 rcu_assign_pointer(chain->rules_gen_1, g0);
6694 nf_tables_commit_chain_free_rules_old(g1);
6695 } else {
6696 rcu_assign_pointer(chain->rules_gen_0, g1);
6697 nf_tables_commit_chain_free_rules_old(g0);
6698 }
6699
6700 return;
6701 }
6702
6703 if (next_genbit)
6704 rcu_assign_pointer(chain->rules_gen_1, chain->rules_next);
6705 else
6706 rcu_assign_pointer(chain->rules_gen_0, chain->rules_next);
6707
6708 chain->rules_next = NULL;
6709
6710 if (g0 == g1)
6711 return;
6712
6713 if (next_genbit)
6714 nf_tables_commit_chain_free_rules_old(g1);
6715 else
6716 nf_tables_commit_chain_free_rules_old(g0);
6717 }
6718
nft_obj_del(struct nft_object * obj)6719 static void nft_obj_del(struct nft_object *obj)
6720 {
6721 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
6722 list_del_rcu(&obj->list);
6723 }
6724
nft_chain_del(struct nft_chain * chain)6725 static void nft_chain_del(struct nft_chain *chain)
6726 {
6727 struct nft_table *table = chain->table;
6728
6729 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
6730 nft_chain_ht_params));
6731 list_del_rcu(&chain->list);
6732 }
6733
nf_tables_module_autoload_cleanup(struct net * net)6734 static void nf_tables_module_autoload_cleanup(struct net *net)
6735 {
6736 struct nft_module_request *req, *next;
6737
6738 WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
6739 list_for_each_entry_safe(req, next, &net->nft.module_list, list) {
6740 WARN_ON_ONCE(!req->done);
6741 list_del(&req->list);
6742 kfree(req);
6743 }
6744 }
6745
nf_tables_commit_release(struct net * net)6746 static void nf_tables_commit_release(struct net *net)
6747 {
6748 struct nft_trans *trans;
6749
6750 /* all side effects have to be made visible.
6751 * For example, if a chain named 'foo' has been deleted, a
6752 * new transaction must not find it anymore.
6753 *
6754 * Memory reclaim happens asynchronously from work queue
6755 * to prevent expensive synchronize_rcu() in commit phase.
6756 */
6757 if (list_empty(&net->nft.commit_list)) {
6758 nf_tables_module_autoload_cleanup(net);
6759 mutex_unlock(&net->nft.commit_mutex);
6760 return;
6761 }
6762
6763 trans = list_last_entry(&net->nft.commit_list,
6764 struct nft_trans, list);
6765 get_net(trans->ctx.net);
6766 WARN_ON_ONCE(trans->put_net);
6767
6768 trans->put_net = true;
6769 spin_lock(&nf_tables_destroy_list_lock);
6770 list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
6771 spin_unlock(&nf_tables_destroy_list_lock);
6772
6773 nf_tables_module_autoload_cleanup(net);
6774 mutex_unlock(&net->nft.commit_mutex);
6775
6776 schedule_work(&trans_destroy_work);
6777 }
6778
nf_tables_commit(struct net * net,struct sk_buff * skb)6779 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
6780 {
6781 struct nft_trans *trans, *next;
6782 struct nft_trans_elem *te;
6783 struct nft_chain *chain;
6784 struct nft_table *table;
6785 int err;
6786
6787 if (list_empty(&net->nft.commit_list)) {
6788 mutex_unlock(&net->nft.commit_mutex);
6789 return 0;
6790 }
6791
6792 /* 0. Validate ruleset, otherwise roll back for error reporting. */
6793 if (nf_tables_validate(net) < 0)
6794 return -EAGAIN;
6795
6796 err = nft_flow_rule_offload_commit(net);
6797 if (err < 0)
6798 return err;
6799
6800 /* 1. Allocate space for next generation rules_gen_X[] */
6801 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6802 int ret;
6803
6804 if (trans->msg_type == NFT_MSG_NEWRULE ||
6805 trans->msg_type == NFT_MSG_DELRULE) {
6806 chain = trans->ctx.chain;
6807
6808 ret = nf_tables_commit_chain_prepare(net, chain);
6809 if (ret < 0) {
6810 nf_tables_commit_chain_prepare_cancel(net);
6811 return ret;
6812 }
6813 }
6814 }
6815
6816 /* step 2. Make rules_gen_X visible to packet path */
6817 list_for_each_entry(table, &net->nft.tables, list) {
6818 list_for_each_entry(chain, &table->chains, list)
6819 nf_tables_commit_chain(net, chain);
6820 }
6821
6822 /*
6823 * Bump generation counter, invalidate any dump in progress.
6824 * Cannot fail after this point.
6825 */
6826 while (++net->nft.base_seq == 0);
6827
6828 /* step 3. Start new generation, rules_gen_X now in use. */
6829 net->nft.gencursor = nft_gencursor_next(net);
6830
6831 list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
6832 switch (trans->msg_type) {
6833 case NFT_MSG_NEWTABLE:
6834 if (nft_trans_table_update(trans)) {
6835 if (!nft_trans_table_enable(trans)) {
6836 nf_tables_table_disable(net,
6837 trans->ctx.table);
6838 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
6839 }
6840 } else {
6841 nft_clear(net, trans->ctx.table);
6842 }
6843 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
6844 nft_trans_destroy(trans);
6845 break;
6846 case NFT_MSG_DELTABLE:
6847 list_del_rcu(&trans->ctx.table->list);
6848 nf_tables_table_notify(&trans->ctx, NFT_MSG_DELTABLE);
6849 break;
6850 case NFT_MSG_NEWCHAIN:
6851 if (nft_trans_chain_update(trans)) {
6852 nft_chain_commit_update(trans);
6853 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6854 /* trans destroyed after rcu grace period */
6855 } else {
6856 nft_chain_commit_drop_policy(trans);
6857 nft_clear(net, trans->ctx.chain);
6858 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN);
6859 nft_trans_destroy(trans);
6860 }
6861 break;
6862 case NFT_MSG_DELCHAIN:
6863 nft_chain_del(trans->ctx.chain);
6864 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
6865 nf_tables_unregister_hook(trans->ctx.net,
6866 trans->ctx.table,
6867 trans->ctx.chain);
6868 break;
6869 case NFT_MSG_NEWRULE:
6870 nft_clear(trans->ctx.net, nft_trans_rule(trans));
6871 nf_tables_rule_notify(&trans->ctx,
6872 nft_trans_rule(trans),
6873 NFT_MSG_NEWRULE);
6874 nft_trans_destroy(trans);
6875 break;
6876 case NFT_MSG_DELRULE:
6877 list_del_rcu(&nft_trans_rule(trans)->list);
6878 nf_tables_rule_notify(&trans->ctx,
6879 nft_trans_rule(trans),
6880 NFT_MSG_DELRULE);
6881 nft_rule_expr_deactivate(&trans->ctx,
6882 nft_trans_rule(trans),
6883 NFT_TRANS_COMMIT);
6884 break;
6885 case NFT_MSG_NEWSET:
6886 nft_clear(net, nft_trans_set(trans));
6887 /* This avoids hitting -EBUSY when deleting the table
6888 * from the transaction.
6889 */
6890 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
6891 !list_empty(&nft_trans_set(trans)->bindings))
6892 trans->ctx.table->use--;
6893
6894 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6895 NFT_MSG_NEWSET, GFP_KERNEL);
6896 nft_trans_destroy(trans);
6897 break;
6898 case NFT_MSG_DELSET:
6899 list_del_rcu(&nft_trans_set(trans)->list);
6900 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
6901 NFT_MSG_DELSET, GFP_KERNEL);
6902 break;
6903 case NFT_MSG_NEWSETELEM:
6904 te = (struct nft_trans_elem *)trans->data;
6905
6906 te->set->ops->activate(net, te->set, &te->elem);
6907 nf_tables_setelem_notify(&trans->ctx, te->set,
6908 &te->elem,
6909 NFT_MSG_NEWSETELEM, 0);
6910 nft_trans_destroy(trans);
6911 break;
6912 case NFT_MSG_DELSETELEM:
6913 te = (struct nft_trans_elem *)trans->data;
6914
6915 nf_tables_setelem_notify(&trans->ctx, te->set,
6916 &te->elem,
6917 NFT_MSG_DELSETELEM, 0);
6918 te->set->ops->remove(net, te->set, &te->elem);
6919 atomic_dec(&te->set->nelems);
6920 te->set->ndeact--;
6921 break;
6922 case NFT_MSG_NEWOBJ:
6923 if (nft_trans_obj_update(trans)) {
6924 nft_obj_commit_update(trans);
6925 nf_tables_obj_notify(&trans->ctx,
6926 nft_trans_obj(trans),
6927 NFT_MSG_NEWOBJ);
6928 } else {
6929 nft_clear(net, nft_trans_obj(trans));
6930 nf_tables_obj_notify(&trans->ctx,
6931 nft_trans_obj(trans),
6932 NFT_MSG_NEWOBJ);
6933 nft_trans_destroy(trans);
6934 }
6935 break;
6936 case NFT_MSG_DELOBJ:
6937 nft_obj_del(nft_trans_obj(trans));
6938 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
6939 NFT_MSG_DELOBJ);
6940 break;
6941 case NFT_MSG_NEWFLOWTABLE:
6942 nft_clear(net, nft_trans_flowtable(trans));
6943 nf_tables_flowtable_notify(&trans->ctx,
6944 nft_trans_flowtable(trans),
6945 NFT_MSG_NEWFLOWTABLE);
6946 nft_trans_destroy(trans);
6947 break;
6948 case NFT_MSG_DELFLOWTABLE:
6949 list_del_rcu(&nft_trans_flowtable(trans)->list);
6950 nf_tables_flowtable_notify(&trans->ctx,
6951 nft_trans_flowtable(trans),
6952 NFT_MSG_DELFLOWTABLE);
6953 nft_unregister_flowtable_net_hooks(net,
6954 nft_trans_flowtable(trans));
6955 break;
6956 }
6957 }
6958
6959 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
6960 nf_tables_commit_release(net);
6961
6962 return 0;
6963 }
6964
nf_tables_module_autoload(struct net * net)6965 static void nf_tables_module_autoload(struct net *net)
6966 {
6967 struct nft_module_request *req, *next;
6968 LIST_HEAD(module_list);
6969
6970 list_splice_init(&net->nft.module_list, &module_list);
6971 mutex_unlock(&net->nft.commit_mutex);
6972 list_for_each_entry_safe(req, next, &module_list, list) {
6973 if (req->done) {
6974 list_del(&req->list);
6975 kfree(req);
6976 } else {
6977 request_module("%s", req->module);
6978 req->done = true;
6979 }
6980 }
6981 mutex_lock(&net->nft.commit_mutex);
6982 list_splice(&module_list, &net->nft.module_list);
6983 }
6984
nf_tables_abort_release(struct nft_trans * trans)6985 static void nf_tables_abort_release(struct nft_trans *trans)
6986 {
6987 switch (trans->msg_type) {
6988 case NFT_MSG_NEWTABLE:
6989 nf_tables_table_destroy(&trans->ctx);
6990 break;
6991 case NFT_MSG_NEWCHAIN:
6992 nf_tables_chain_destroy(&trans->ctx);
6993 break;
6994 case NFT_MSG_NEWRULE:
6995 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
6996 break;
6997 case NFT_MSG_NEWSET:
6998 nft_set_destroy(nft_trans_set(trans));
6999 break;
7000 case NFT_MSG_NEWSETELEM:
7001 nft_set_elem_destroy(nft_trans_elem_set(trans),
7002 nft_trans_elem(trans).priv, true);
7003 break;
7004 case NFT_MSG_NEWOBJ:
7005 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
7006 break;
7007 case NFT_MSG_NEWFLOWTABLE:
7008 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
7009 break;
7010 }
7011 kfree(trans);
7012 }
7013
__nf_tables_abort(struct net * net,bool autoload)7014 static int __nf_tables_abort(struct net *net, bool autoload)
7015 {
7016 struct nft_trans *trans, *next;
7017 struct nft_trans_elem *te;
7018
7019 list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
7020 list) {
7021 switch (trans->msg_type) {
7022 case NFT_MSG_NEWTABLE:
7023 if (nft_trans_table_update(trans)) {
7024 if (nft_trans_table_enable(trans)) {
7025 nf_tables_table_disable(net,
7026 trans->ctx.table);
7027 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
7028 }
7029 nft_trans_destroy(trans);
7030 } else {
7031 list_del_rcu(&trans->ctx.table->list);
7032 }
7033 break;
7034 case NFT_MSG_DELTABLE:
7035 nft_clear(trans->ctx.net, trans->ctx.table);
7036 nft_trans_destroy(trans);
7037 break;
7038 case NFT_MSG_NEWCHAIN:
7039 if (nft_trans_chain_update(trans)) {
7040 free_percpu(nft_trans_chain_stats(trans));
7041 kfree(nft_trans_chain_name(trans));
7042 nft_trans_destroy(trans);
7043 } else {
7044 trans->ctx.table->use--;
7045 nft_chain_del(trans->ctx.chain);
7046 nf_tables_unregister_hook(trans->ctx.net,
7047 trans->ctx.table,
7048 trans->ctx.chain);
7049 }
7050 break;
7051 case NFT_MSG_DELCHAIN:
7052 trans->ctx.table->use++;
7053 nft_clear(trans->ctx.net, trans->ctx.chain);
7054 nft_trans_destroy(trans);
7055 break;
7056 case NFT_MSG_NEWRULE:
7057 trans->ctx.chain->use--;
7058 list_del_rcu(&nft_trans_rule(trans)->list);
7059 nft_rule_expr_deactivate(&trans->ctx,
7060 nft_trans_rule(trans),
7061 NFT_TRANS_ABORT);
7062 break;
7063 case NFT_MSG_DELRULE:
7064 trans->ctx.chain->use++;
7065 nft_clear(trans->ctx.net, nft_trans_rule(trans));
7066 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
7067 nft_trans_destroy(trans);
7068 break;
7069 case NFT_MSG_NEWSET:
7070 trans->ctx.table->use--;
7071 if (nft_trans_set_bound(trans)) {
7072 nft_trans_destroy(trans);
7073 break;
7074 }
7075 list_del_rcu(&nft_trans_set(trans)->list);
7076 break;
7077 case NFT_MSG_DELSET:
7078 trans->ctx.table->use++;
7079 nft_clear(trans->ctx.net, nft_trans_set(trans));
7080 nft_trans_destroy(trans);
7081 break;
7082 case NFT_MSG_NEWSETELEM:
7083 if (nft_trans_elem_set_bound(trans)) {
7084 nft_trans_destroy(trans);
7085 break;
7086 }
7087 te = (struct nft_trans_elem *)trans->data;
7088 te->set->ops->remove(net, te->set, &te->elem);
7089 atomic_dec(&te->set->nelems);
7090 break;
7091 case NFT_MSG_DELSETELEM:
7092 te = (struct nft_trans_elem *)trans->data;
7093
7094 nft_set_elem_activate(net, te->set, &te->elem);
7095 te->set->ops->activate(net, te->set, &te->elem);
7096 te->set->ndeact--;
7097
7098 nft_trans_destroy(trans);
7099 break;
7100 case NFT_MSG_NEWOBJ:
7101 if (nft_trans_obj_update(trans)) {
7102 kfree(nft_trans_obj_newobj(trans));
7103 nft_trans_destroy(trans);
7104 } else {
7105 trans->ctx.table->use--;
7106 nft_obj_del(nft_trans_obj(trans));
7107 }
7108 break;
7109 case NFT_MSG_DELOBJ:
7110 trans->ctx.table->use++;
7111 nft_clear(trans->ctx.net, nft_trans_obj(trans));
7112 nft_trans_destroy(trans);
7113 break;
7114 case NFT_MSG_NEWFLOWTABLE:
7115 trans->ctx.table->use--;
7116 list_del_rcu(&nft_trans_flowtable(trans)->list);
7117 nft_unregister_flowtable_net_hooks(net,
7118 nft_trans_flowtable(trans));
7119 break;
7120 case NFT_MSG_DELFLOWTABLE:
7121 trans->ctx.table->use++;
7122 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
7123 nft_trans_destroy(trans);
7124 break;
7125 }
7126 }
7127
7128 synchronize_rcu();
7129
7130 list_for_each_entry_safe_reverse(trans, next,
7131 &net->nft.commit_list, list) {
7132 list_del(&trans->list);
7133 nf_tables_abort_release(trans);
7134 }
7135
7136 if (autoload)
7137 nf_tables_module_autoload(net);
7138 else
7139 nf_tables_module_autoload_cleanup(net);
7140
7141 return 0;
7142 }
7143
nf_tables_cleanup(struct net * net)7144 static void nf_tables_cleanup(struct net *net)
7145 {
7146 nft_validate_state_update(net, NFT_VALIDATE_SKIP);
7147 }
7148
nf_tables_abort(struct net * net,struct sk_buff * skb,bool autoload)7149 static int nf_tables_abort(struct net *net, struct sk_buff *skb, bool autoload)
7150 {
7151 int ret = __nf_tables_abort(net, autoload);
7152
7153 mutex_unlock(&net->nft.commit_mutex);
7154
7155 return ret;
7156 }
7157
nf_tables_valid_genid(struct net * net,u32 genid)7158 static bool nf_tables_valid_genid(struct net *net, u32 genid)
7159 {
7160 bool genid_ok;
7161
7162 mutex_lock(&net->nft.commit_mutex);
7163
7164 genid_ok = genid == 0 || net->nft.base_seq == genid;
7165 if (!genid_ok)
7166 mutex_unlock(&net->nft.commit_mutex);
7167
7168 /* else, commit mutex has to be released by commit or abort function */
7169 return genid_ok;
7170 }
7171
7172 static const struct nfnetlink_subsystem nf_tables_subsys = {
7173 .name = "nf_tables",
7174 .subsys_id = NFNL_SUBSYS_NFTABLES,
7175 .cb_count = NFT_MSG_MAX,
7176 .cb = nf_tables_cb,
7177 .commit = nf_tables_commit,
7178 .abort = nf_tables_abort,
7179 .cleanup = nf_tables_cleanup,
7180 .valid_genid = nf_tables_valid_genid,
7181 .owner = THIS_MODULE,
7182 };
7183
nft_chain_validate_dependency(const struct nft_chain * chain,enum nft_chain_types type)7184 int nft_chain_validate_dependency(const struct nft_chain *chain,
7185 enum nft_chain_types type)
7186 {
7187 const struct nft_base_chain *basechain;
7188
7189 if (nft_is_base_chain(chain)) {
7190 basechain = nft_base_chain(chain);
7191 if (basechain->type->type != type)
7192 return -EOPNOTSUPP;
7193 }
7194 return 0;
7195 }
7196 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
7197
nft_chain_validate_hooks(const struct nft_chain * chain,unsigned int hook_flags)7198 int nft_chain_validate_hooks(const struct nft_chain *chain,
7199 unsigned int hook_flags)
7200 {
7201 struct nft_base_chain *basechain;
7202
7203 if (nft_is_base_chain(chain)) {
7204 basechain = nft_base_chain(chain);
7205
7206 if ((1 << basechain->ops.hooknum) & hook_flags)
7207 return 0;
7208
7209 return -EOPNOTSUPP;
7210 }
7211
7212 return 0;
7213 }
7214 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
7215
7216 /*
7217 * Loop detection - walk through the ruleset beginning at the destination chain
7218 * of a new jump until either the source chain is reached (loop) or all
7219 * reachable chains have been traversed.
7220 *
7221 * The loop check is performed whenever a new jump verdict is added to an
7222 * expression or verdict map or a verdict map is bound to a new chain.
7223 */
7224
7225 static int nf_tables_check_loops(const struct nft_ctx *ctx,
7226 const struct nft_chain *chain);
7227
nf_tables_loop_check_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_set_elem * elem)7228 static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
7229 struct nft_set *set,
7230 const struct nft_set_iter *iter,
7231 struct nft_set_elem *elem)
7232 {
7233 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
7234 const struct nft_data *data;
7235
7236 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
7237 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
7238 return 0;
7239
7240 data = nft_set_ext_data(ext);
7241 switch (data->verdict.code) {
7242 case NFT_JUMP:
7243 case NFT_GOTO:
7244 return nf_tables_check_loops(ctx, data->verdict.chain);
7245 default:
7246 return 0;
7247 }
7248 }
7249
nf_tables_check_loops(const struct nft_ctx * ctx,const struct nft_chain * chain)7250 static int nf_tables_check_loops(const struct nft_ctx *ctx,
7251 const struct nft_chain *chain)
7252 {
7253 const struct nft_rule *rule;
7254 const struct nft_expr *expr, *last;
7255 struct nft_set *set;
7256 struct nft_set_binding *binding;
7257 struct nft_set_iter iter;
7258
7259 if (ctx->chain == chain)
7260 return -ELOOP;
7261
7262 list_for_each_entry(rule, &chain->rules, list) {
7263 nft_rule_for_each_expr(expr, last, rule) {
7264 struct nft_immediate_expr *priv;
7265 const struct nft_data *data;
7266 int err;
7267
7268 if (strcmp(expr->ops->type->name, "immediate"))
7269 continue;
7270
7271 priv = nft_expr_priv(expr);
7272 if (priv->dreg != NFT_REG_VERDICT)
7273 continue;
7274
7275 data = &priv->data;
7276 switch (data->verdict.code) {
7277 case NFT_JUMP:
7278 case NFT_GOTO:
7279 err = nf_tables_check_loops(ctx,
7280 data->verdict.chain);
7281 if (err < 0)
7282 return err;
7283 default:
7284 break;
7285 }
7286 }
7287 }
7288
7289 list_for_each_entry(set, &ctx->table->sets, list) {
7290 if (!nft_is_active_next(ctx->net, set))
7291 continue;
7292 if (!(set->flags & NFT_SET_MAP) ||
7293 set->dtype != NFT_DATA_VERDICT)
7294 continue;
7295
7296 list_for_each_entry(binding, &set->bindings, list) {
7297 if (!(binding->flags & NFT_SET_MAP) ||
7298 binding->chain != chain)
7299 continue;
7300
7301 iter.genmask = nft_genmask_next(ctx->net);
7302 iter.skip = 0;
7303 iter.count = 0;
7304 iter.err = 0;
7305 iter.fn = nf_tables_loop_check_setelem;
7306
7307 set->ops->walk(ctx, set, &iter);
7308 if (iter.err < 0)
7309 return iter.err;
7310 }
7311 }
7312
7313 return 0;
7314 }
7315
7316 /**
7317 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
7318 *
7319 * @attr: netlink attribute to fetch value from
7320 * @max: maximum value to be stored in dest
7321 * @dest: pointer to the variable
7322 *
7323 * Parse, check and store a given u32 netlink attribute into variable.
7324 * This function returns -ERANGE if the value goes over maximum value.
7325 * Otherwise a 0 is returned and the attribute value is stored in the
7326 * destination variable.
7327 */
nft_parse_u32_check(const struct nlattr * attr,int max,u32 * dest)7328 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
7329 {
7330 u32 val;
7331
7332 val = ntohl(nla_get_be32(attr));
7333 if (val > max)
7334 return -ERANGE;
7335
7336 *dest = val;
7337 return 0;
7338 }
7339 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
7340
7341 /**
7342 * nft_parse_register - parse a register value from a netlink attribute
7343 *
7344 * @attr: netlink attribute
7345 *
7346 * Parse and translate a register value from a netlink attribute.
7347 * Registers used to be 128 bit wide, these register numbers will be
7348 * mapped to the corresponding 32 bit register numbers.
7349 */
nft_parse_register(const struct nlattr * attr)7350 unsigned int nft_parse_register(const struct nlattr *attr)
7351 {
7352 unsigned int reg;
7353
7354 reg = ntohl(nla_get_be32(attr));
7355 switch (reg) {
7356 case NFT_REG_VERDICT...NFT_REG_4:
7357 return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
7358 default:
7359 return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
7360 }
7361 }
7362 EXPORT_SYMBOL_GPL(nft_parse_register);
7363
7364 /**
7365 * nft_dump_register - dump a register value to a netlink attribute
7366 *
7367 * @skb: socket buffer
7368 * @attr: attribute number
7369 * @reg: register number
7370 *
7371 * Construct a netlink attribute containing the register number. For
7372 * compatibility reasons, register numbers being a multiple of 4 are
7373 * translated to the corresponding 128 bit register numbers.
7374 */
nft_dump_register(struct sk_buff * skb,unsigned int attr,unsigned int reg)7375 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
7376 {
7377 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
7378 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
7379 else
7380 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
7381
7382 return nla_put_be32(skb, attr, htonl(reg));
7383 }
7384 EXPORT_SYMBOL_GPL(nft_dump_register);
7385
7386 /**
7387 * nft_validate_register_load - validate a load from a register
7388 *
7389 * @reg: the register number
7390 * @len: the length of the data
7391 *
7392 * Validate that the input register is one of the general purpose
7393 * registers and that the length of the load is within the bounds.
7394 */
nft_validate_register_load(enum nft_registers reg,unsigned int len)7395 int nft_validate_register_load(enum nft_registers reg, unsigned int len)
7396 {
7397 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7398 return -EINVAL;
7399 if (len == 0)
7400 return -EINVAL;
7401 if (reg * NFT_REG32_SIZE + len > FIELD_SIZEOF(struct nft_regs, data))
7402 return -ERANGE;
7403
7404 return 0;
7405 }
7406 EXPORT_SYMBOL_GPL(nft_validate_register_load);
7407
7408 /**
7409 * nft_validate_register_store - validate an expressions' register store
7410 *
7411 * @ctx: context of the expression performing the load
7412 * @reg: the destination register number
7413 * @data: the data to load
7414 * @type: the data type
7415 * @len: the length of the data
7416 *
7417 * Validate that a data load uses the appropriate data type for
7418 * the destination register and the length is within the bounds.
7419 * A value of NULL for the data means that its runtime gathered
7420 * data.
7421 */
nft_validate_register_store(const struct nft_ctx * ctx,enum nft_registers reg,const struct nft_data * data,enum nft_data_types type,unsigned int len)7422 int nft_validate_register_store(const struct nft_ctx *ctx,
7423 enum nft_registers reg,
7424 const struct nft_data *data,
7425 enum nft_data_types type, unsigned int len)
7426 {
7427 int err;
7428
7429 switch (reg) {
7430 case NFT_REG_VERDICT:
7431 if (type != NFT_DATA_VERDICT)
7432 return -EINVAL;
7433
7434 if (data != NULL &&
7435 (data->verdict.code == NFT_GOTO ||
7436 data->verdict.code == NFT_JUMP)) {
7437 err = nf_tables_check_loops(ctx, data->verdict.chain);
7438 if (err < 0)
7439 return err;
7440 }
7441
7442 return 0;
7443 default:
7444 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
7445 return -EINVAL;
7446 if (len == 0)
7447 return -EINVAL;
7448 if (reg * NFT_REG32_SIZE + len >
7449 FIELD_SIZEOF(struct nft_regs, data))
7450 return -ERANGE;
7451
7452 if (data != NULL && type != NFT_DATA_VALUE)
7453 return -EINVAL;
7454 return 0;
7455 }
7456 }
7457 EXPORT_SYMBOL_GPL(nft_validate_register_store);
7458
7459 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
7460 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
7461 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
7462 .len = NFT_CHAIN_MAXNAMELEN - 1 },
7463 };
7464
nft_verdict_init(const struct nft_ctx * ctx,struct nft_data * data,struct nft_data_desc * desc,const struct nlattr * nla)7465 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
7466 struct nft_data_desc *desc, const struct nlattr *nla)
7467 {
7468 u8 genmask = nft_genmask_next(ctx->net);
7469 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
7470 struct nft_chain *chain;
7471 int err;
7472
7473 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
7474 nft_verdict_policy, NULL);
7475 if (err < 0)
7476 return err;
7477
7478 if (!tb[NFTA_VERDICT_CODE])
7479 return -EINVAL;
7480 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
7481
7482 switch (data->verdict.code) {
7483 default:
7484 switch (data->verdict.code & NF_VERDICT_MASK) {
7485 case NF_ACCEPT:
7486 case NF_DROP:
7487 case NF_QUEUE:
7488 break;
7489 default:
7490 return -EINVAL;
7491 }
7492 /* fall through */
7493 case NFT_CONTINUE:
7494 case NFT_BREAK:
7495 case NFT_RETURN:
7496 break;
7497 case NFT_JUMP:
7498 case NFT_GOTO:
7499 if (!tb[NFTA_VERDICT_CHAIN])
7500 return -EINVAL;
7501 chain = nft_chain_lookup(ctx->net, ctx->table,
7502 tb[NFTA_VERDICT_CHAIN], genmask);
7503 if (IS_ERR(chain))
7504 return PTR_ERR(chain);
7505 if (nft_is_base_chain(chain))
7506 return -EOPNOTSUPP;
7507
7508 chain->use++;
7509 data->verdict.chain = chain;
7510 break;
7511 }
7512
7513 desc->len = sizeof(data->verdict);
7514 desc->type = NFT_DATA_VERDICT;
7515 return 0;
7516 }
7517
nft_verdict_uninit(const struct nft_data * data)7518 static void nft_verdict_uninit(const struct nft_data *data)
7519 {
7520 switch (data->verdict.code) {
7521 case NFT_JUMP:
7522 case NFT_GOTO:
7523 data->verdict.chain->use--;
7524 break;
7525 }
7526 }
7527
nft_verdict_dump(struct sk_buff * skb,int type,const struct nft_verdict * v)7528 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
7529 {
7530 struct nlattr *nest;
7531
7532 nest = nla_nest_start_noflag(skb, type);
7533 if (!nest)
7534 goto nla_put_failure;
7535
7536 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
7537 goto nla_put_failure;
7538
7539 switch (v->code) {
7540 case NFT_JUMP:
7541 case NFT_GOTO:
7542 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
7543 v->chain->name))
7544 goto nla_put_failure;
7545 }
7546 nla_nest_end(skb, nest);
7547 return 0;
7548
7549 nla_put_failure:
7550 return -1;
7551 }
7552
nft_value_init(const struct nft_ctx * ctx,struct nft_data * data,unsigned int size,struct nft_data_desc * desc,const struct nlattr * nla)7553 static int nft_value_init(const struct nft_ctx *ctx,
7554 struct nft_data *data, unsigned int size,
7555 struct nft_data_desc *desc, const struct nlattr *nla)
7556 {
7557 unsigned int len;
7558
7559 len = nla_len(nla);
7560 if (len == 0)
7561 return -EINVAL;
7562 if (len > size)
7563 return -EOVERFLOW;
7564
7565 nla_memcpy(data->data, nla, len);
7566 desc->type = NFT_DATA_VALUE;
7567 desc->len = len;
7568 return 0;
7569 }
7570
nft_value_dump(struct sk_buff * skb,const struct nft_data * data,unsigned int len)7571 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
7572 unsigned int len)
7573 {
7574 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
7575 }
7576
7577 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
7578 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
7579 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
7580 };
7581
7582 /**
7583 * nft_data_init - parse nf_tables data netlink attributes
7584 *
7585 * @ctx: context of the expression using the data
7586 * @data: destination struct nft_data
7587 * @size: maximum data length
7588 * @desc: data description
7589 * @nla: netlink attribute containing data
7590 *
7591 * Parse the netlink data attributes and initialize a struct nft_data.
7592 * The type and length of data are returned in the data description.
7593 *
7594 * The caller can indicate that it only wants to accept data of type
7595 * NFT_DATA_VALUE by passing NULL for the ctx argument.
7596 */
nft_data_init(const struct nft_ctx * ctx,struct nft_data * data,unsigned int size,struct nft_data_desc * desc,const struct nlattr * nla)7597 int nft_data_init(const struct nft_ctx *ctx,
7598 struct nft_data *data, unsigned int size,
7599 struct nft_data_desc *desc, const struct nlattr *nla)
7600 {
7601 struct nlattr *tb[NFTA_DATA_MAX + 1];
7602 int err;
7603
7604 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
7605 nft_data_policy, NULL);
7606 if (err < 0)
7607 return err;
7608
7609 if (tb[NFTA_DATA_VALUE])
7610 return nft_value_init(ctx, data, size, desc,
7611 tb[NFTA_DATA_VALUE]);
7612 if (tb[NFTA_DATA_VERDICT] && ctx != NULL)
7613 return nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
7614 return -EINVAL;
7615 }
7616 EXPORT_SYMBOL_GPL(nft_data_init);
7617
7618 /**
7619 * nft_data_release - release a nft_data item
7620 *
7621 * @data: struct nft_data to release
7622 * @type: type of data
7623 *
7624 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7625 * all others need to be released by calling this function.
7626 */
nft_data_release(const struct nft_data * data,enum nft_data_types type)7627 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
7628 {
7629 if (type < NFT_DATA_VERDICT)
7630 return;
7631 switch (type) {
7632 case NFT_DATA_VERDICT:
7633 return nft_verdict_uninit(data);
7634 default:
7635 WARN_ON(1);
7636 }
7637 }
7638 EXPORT_SYMBOL_GPL(nft_data_release);
7639
nft_data_dump(struct sk_buff * skb,int attr,const struct nft_data * data,enum nft_data_types type,unsigned int len)7640 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
7641 enum nft_data_types type, unsigned int len)
7642 {
7643 struct nlattr *nest;
7644 int err;
7645
7646 nest = nla_nest_start_noflag(skb, attr);
7647 if (nest == NULL)
7648 return -1;
7649
7650 switch (type) {
7651 case NFT_DATA_VALUE:
7652 err = nft_value_dump(skb, data, len);
7653 break;
7654 case NFT_DATA_VERDICT:
7655 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
7656 break;
7657 default:
7658 err = -EINVAL;
7659 WARN_ON(1);
7660 }
7661
7662 nla_nest_end(skb, nest);
7663 return err;
7664 }
7665 EXPORT_SYMBOL_GPL(nft_data_dump);
7666
__nft_release_basechain(struct nft_ctx * ctx)7667 int __nft_release_basechain(struct nft_ctx *ctx)
7668 {
7669 struct nft_rule *rule, *nr;
7670
7671 if (WARN_ON(!nft_is_base_chain(ctx->chain)))
7672 return 0;
7673
7674 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
7675 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
7676 list_del(&rule->list);
7677 ctx->chain->use--;
7678 nf_tables_rule_release(ctx, rule);
7679 }
7680 nft_chain_del(ctx->chain);
7681 ctx->table->use--;
7682 nf_tables_chain_destroy(ctx);
7683
7684 return 0;
7685 }
7686 EXPORT_SYMBOL_GPL(__nft_release_basechain);
7687
__nft_release_tables(struct net * net)7688 static void __nft_release_tables(struct net *net)
7689 {
7690 struct nft_flowtable *flowtable, *nf;
7691 struct nft_table *table, *nt;
7692 struct nft_chain *chain, *nc;
7693 struct nft_object *obj, *ne;
7694 struct nft_rule *rule, *nr;
7695 struct nft_set *set, *ns;
7696 struct nft_ctx ctx = {
7697 .net = net,
7698 .family = NFPROTO_NETDEV,
7699 };
7700
7701 list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
7702 ctx.family = table->family;
7703
7704 list_for_each_entry(chain, &table->chains, list)
7705 nf_tables_unregister_hook(net, table, chain);
7706 /* No packets are walking on these chains anymore. */
7707 ctx.table = table;
7708 list_for_each_entry(chain, &table->chains, list) {
7709 ctx.chain = chain;
7710 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
7711 list_del(&rule->list);
7712 chain->use--;
7713 nf_tables_rule_release(&ctx, rule);
7714 }
7715 }
7716 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
7717 list_del(&flowtable->list);
7718 table->use--;
7719 nf_tables_flowtable_destroy(flowtable);
7720 }
7721 list_for_each_entry_safe(set, ns, &table->sets, list) {
7722 list_del(&set->list);
7723 table->use--;
7724 nft_set_destroy(set);
7725 }
7726 list_for_each_entry_safe(obj, ne, &table->objects, list) {
7727 nft_obj_del(obj);
7728 table->use--;
7729 nft_obj_destroy(&ctx, obj);
7730 }
7731 list_for_each_entry_safe(chain, nc, &table->chains, list) {
7732 ctx.chain = chain;
7733 nft_chain_del(chain);
7734 table->use--;
7735 nf_tables_chain_destroy(&ctx);
7736 }
7737 list_del(&table->list);
7738 nf_tables_table_destroy(&ctx);
7739 }
7740 }
7741
nf_tables_init_net(struct net * net)7742 static int __net_init nf_tables_init_net(struct net *net)
7743 {
7744 INIT_LIST_HEAD(&net->nft.tables);
7745 INIT_LIST_HEAD(&net->nft.commit_list);
7746 INIT_LIST_HEAD(&net->nft.module_list);
7747 mutex_init(&net->nft.commit_mutex);
7748 net->nft.base_seq = 1;
7749 net->nft.validate_state = NFT_VALIDATE_SKIP;
7750
7751 return 0;
7752 }
7753
nf_tables_exit_net(struct net * net)7754 static void __net_exit nf_tables_exit_net(struct net *net)
7755 {
7756 mutex_lock(&net->nft.commit_mutex);
7757 if (!list_empty(&net->nft.commit_list))
7758 __nf_tables_abort(net, false);
7759 __nft_release_tables(net);
7760 mutex_unlock(&net->nft.commit_mutex);
7761 WARN_ON_ONCE(!list_empty(&net->nft.tables));
7762 }
7763
7764 static struct pernet_operations nf_tables_net_ops = {
7765 .init = nf_tables_init_net,
7766 .exit = nf_tables_exit_net,
7767 };
7768
nf_tables_module_init(void)7769 static int __init nf_tables_module_init(void)
7770 {
7771 int err;
7772
7773 spin_lock_init(&nf_tables_destroy_list_lock);
7774 err = register_pernet_subsys(&nf_tables_net_ops);
7775 if (err < 0)
7776 return err;
7777
7778 err = nft_chain_filter_init();
7779 if (err < 0)
7780 goto err1;
7781
7782 err = nf_tables_core_module_init();
7783 if (err < 0)
7784 goto err2;
7785
7786 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
7787 if (err < 0)
7788 goto err3;
7789
7790 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
7791 if (err < 0)
7792 goto err4;
7793
7794 err = nft_offload_init();
7795 if (err < 0)
7796 goto err5;
7797
7798 /* must be last */
7799 err = nfnetlink_subsys_register(&nf_tables_subsys);
7800 if (err < 0)
7801 goto err6;
7802
7803 nft_chain_route_init();
7804
7805 return err;
7806 err6:
7807 nft_offload_exit();
7808 err5:
7809 rhltable_destroy(&nft_objname_ht);
7810 err4:
7811 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7812 err3:
7813 nf_tables_core_module_exit();
7814 err2:
7815 nft_chain_filter_fini();
7816 err1:
7817 unregister_pernet_subsys(&nf_tables_net_ops);
7818 return err;
7819 }
7820
nf_tables_module_exit(void)7821 static void __exit nf_tables_module_exit(void)
7822 {
7823 nfnetlink_subsys_unregister(&nf_tables_subsys);
7824 nft_offload_exit();
7825 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
7826 nft_chain_filter_fini();
7827 nft_chain_route_fini();
7828 unregister_pernet_subsys(&nf_tables_net_ops);
7829 cancel_work_sync(&trans_destroy_work);
7830 rcu_barrier();
7831 rhltable_destroy(&nft_objname_ht);
7832 nf_tables_core_module_exit();
7833 }
7834
7835 module_init(nf_tables_module_init);
7836 module_exit(nf_tables_module_exit);
7837
7838 MODULE_LICENSE("GPL");
7839 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
7840 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
7841