1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2007-2009 Patrick McHardy <kaber@trash.net>
4 *
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
6 */
7
8 #include <linux/module.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/skbuff.h>
12 #include <linux/netlink.h>
13 #include <linux/vmalloc.h>
14 #include <linux/rhashtable.h>
15 #include <linux/audit.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nfnetlink.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_flow_table.h>
20 #include <net/netfilter/nf_tables_core.h>
21 #include <net/netfilter/nf_tables.h>
22 #include <net/netfilter/nf_tables_offload.h>
23 #include <net/net_namespace.h>
24 #include <net/sock.h>
25
26 #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
27 #define NFT_SET_MAX_ANONLEN 16
28
29 unsigned int nf_tables_net_id __read_mostly;
30
31 static LIST_HEAD(nf_tables_expressions);
32 static LIST_HEAD(nf_tables_objects);
33 static LIST_HEAD(nf_tables_flowtables);
34 static LIST_HEAD(nf_tables_destroy_list);
35 static LIST_HEAD(nf_tables_gc_list);
36 static DEFINE_SPINLOCK(nf_tables_destroy_list_lock);
37 static DEFINE_SPINLOCK(nf_tables_gc_list_lock);
38
39 enum {
40 NFT_VALIDATE_SKIP = 0,
41 NFT_VALIDATE_NEED,
42 NFT_VALIDATE_DO,
43 };
44
45 static struct rhltable nft_objname_ht;
46
47 static u32 nft_chain_hash(const void *data, u32 len, u32 seed);
48 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed);
49 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *, const void *);
50
51 static u32 nft_objname_hash(const void *data, u32 len, u32 seed);
52 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed);
53 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *, const void *);
54
55 static const struct rhashtable_params nft_chain_ht_params = {
56 .head_offset = offsetof(struct nft_chain, rhlhead),
57 .key_offset = offsetof(struct nft_chain, name),
58 .hashfn = nft_chain_hash,
59 .obj_hashfn = nft_chain_hash_obj,
60 .obj_cmpfn = nft_chain_hash_cmp,
61 .automatic_shrinking = true,
62 };
63
64 static const struct rhashtable_params nft_objname_ht_params = {
65 .head_offset = offsetof(struct nft_object, rhlhead),
66 .key_offset = offsetof(struct nft_object, key),
67 .hashfn = nft_objname_hash,
68 .obj_hashfn = nft_objname_hash_obj,
69 .obj_cmpfn = nft_objname_hash_cmp,
70 .automatic_shrinking = true,
71 };
72
73 struct nft_audit_data {
74 struct nft_table *table;
75 int entries;
76 int op;
77 struct list_head list;
78 };
79
80 static const u8 nft2audit_op[NFT_MSG_MAX] = { // enum nf_tables_msg_types
81 [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER,
82 [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID,
83 [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER,
84 [NFT_MSG_NEWCHAIN] = AUDIT_NFT_OP_CHAIN_REGISTER,
85 [NFT_MSG_GETCHAIN] = AUDIT_NFT_OP_INVALID,
86 [NFT_MSG_DELCHAIN] = AUDIT_NFT_OP_CHAIN_UNREGISTER,
87 [NFT_MSG_NEWRULE] = AUDIT_NFT_OP_RULE_REGISTER,
88 [NFT_MSG_GETRULE] = AUDIT_NFT_OP_INVALID,
89 [NFT_MSG_DELRULE] = AUDIT_NFT_OP_RULE_UNREGISTER,
90 [NFT_MSG_NEWSET] = AUDIT_NFT_OP_SET_REGISTER,
91 [NFT_MSG_GETSET] = AUDIT_NFT_OP_INVALID,
92 [NFT_MSG_DELSET] = AUDIT_NFT_OP_SET_UNREGISTER,
93 [NFT_MSG_NEWSETELEM] = AUDIT_NFT_OP_SETELEM_REGISTER,
94 [NFT_MSG_GETSETELEM] = AUDIT_NFT_OP_INVALID,
95 [NFT_MSG_DELSETELEM] = AUDIT_NFT_OP_SETELEM_UNREGISTER,
96 [NFT_MSG_NEWGEN] = AUDIT_NFT_OP_GEN_REGISTER,
97 [NFT_MSG_GETGEN] = AUDIT_NFT_OP_INVALID,
98 [NFT_MSG_TRACE] = AUDIT_NFT_OP_INVALID,
99 [NFT_MSG_NEWOBJ] = AUDIT_NFT_OP_OBJ_REGISTER,
100 [NFT_MSG_GETOBJ] = AUDIT_NFT_OP_INVALID,
101 [NFT_MSG_DELOBJ] = AUDIT_NFT_OP_OBJ_UNREGISTER,
102 [NFT_MSG_GETOBJ_RESET] = AUDIT_NFT_OP_OBJ_RESET,
103 [NFT_MSG_NEWFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_REGISTER,
104 [NFT_MSG_GETFLOWTABLE] = AUDIT_NFT_OP_INVALID,
105 [NFT_MSG_DELFLOWTABLE] = AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
106 [NFT_MSG_GETSETELEM_RESET] = AUDIT_NFT_OP_SETELEM_RESET,
107 };
108
nft_validate_state_update(struct nft_table * table,u8 new_validate_state)109 static void nft_validate_state_update(struct nft_table *table, u8 new_validate_state)
110 {
111 switch (table->validate_state) {
112 case NFT_VALIDATE_SKIP:
113 WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO);
114 break;
115 case NFT_VALIDATE_NEED:
116 break;
117 case NFT_VALIDATE_DO:
118 if (new_validate_state == NFT_VALIDATE_NEED)
119 return;
120 }
121
122 table->validate_state = new_validate_state;
123 }
124 static void nf_tables_trans_destroy_work(struct work_struct *w);
125 static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work);
126
127 static void nft_trans_gc_work(struct work_struct *work);
128 static DECLARE_WORK(trans_gc_work, nft_trans_gc_work);
129
nft_ctx_init(struct nft_ctx * ctx,struct net * net,const struct sk_buff * skb,const struct nlmsghdr * nlh,u8 family,struct nft_table * table,struct nft_chain * chain,const struct nlattr * const * nla)130 static void nft_ctx_init(struct nft_ctx *ctx,
131 struct net *net,
132 const struct sk_buff *skb,
133 const struct nlmsghdr *nlh,
134 u8 family,
135 struct nft_table *table,
136 struct nft_chain *chain,
137 const struct nlattr * const *nla)
138 {
139 ctx->net = net;
140 ctx->family = family;
141 ctx->level = 0;
142 ctx->table = table;
143 ctx->chain = chain;
144 ctx->nla = nla;
145 ctx->portid = NETLINK_CB(skb).portid;
146 ctx->report = nlmsg_report(nlh);
147 ctx->flags = nlh->nlmsg_flags;
148 ctx->seq = nlh->nlmsg_seq;
149 }
150
nft_trans_alloc_gfp(const struct nft_ctx * ctx,int msg_type,u32 size,gfp_t gfp)151 static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
152 int msg_type, u32 size, gfp_t gfp)
153 {
154 struct nft_trans *trans;
155
156 trans = kzalloc(sizeof(struct nft_trans) + size, gfp);
157 if (trans == NULL)
158 return NULL;
159
160 INIT_LIST_HEAD(&trans->list);
161 INIT_LIST_HEAD(&trans->binding_list);
162 trans->msg_type = msg_type;
163 trans->ctx = *ctx;
164
165 return trans;
166 }
167
nft_trans_alloc(const struct nft_ctx * ctx,int msg_type,u32 size)168 static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
169 int msg_type, u32 size)
170 {
171 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
172 }
173
nft_trans_list_del(struct nft_trans * trans)174 static void nft_trans_list_del(struct nft_trans *trans)
175 {
176 list_del(&trans->list);
177 list_del(&trans->binding_list);
178 }
179
nft_trans_destroy(struct nft_trans * trans)180 static void nft_trans_destroy(struct nft_trans *trans)
181 {
182 nft_trans_list_del(trans);
183 kfree(trans);
184 }
185
__nft_set_trans_bind(const struct nft_ctx * ctx,struct nft_set * set,bool bind)186 static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set,
187 bool bind)
188 {
189 struct nftables_pernet *nft_net;
190 struct net *net = ctx->net;
191 struct nft_trans *trans;
192
193 if (!nft_set_is_anonymous(set))
194 return;
195
196 nft_net = nft_pernet(net);
197 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
198 switch (trans->msg_type) {
199 case NFT_MSG_NEWSET:
200 if (nft_trans_set(trans) == set)
201 nft_trans_set_bound(trans) = bind;
202 break;
203 case NFT_MSG_NEWSETELEM:
204 if (nft_trans_elem_set(trans) == set)
205 nft_trans_elem_set_bound(trans) = bind;
206 break;
207 }
208 }
209 }
210
nft_set_trans_bind(const struct nft_ctx * ctx,struct nft_set * set)211 static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
212 {
213 return __nft_set_trans_bind(ctx, set, true);
214 }
215
nft_set_trans_unbind(const struct nft_ctx * ctx,struct nft_set * set)216 static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set)
217 {
218 return __nft_set_trans_bind(ctx, set, false);
219 }
220
__nft_chain_trans_bind(const struct nft_ctx * ctx,struct nft_chain * chain,bool bind)221 static void __nft_chain_trans_bind(const struct nft_ctx *ctx,
222 struct nft_chain *chain, bool bind)
223 {
224 struct nftables_pernet *nft_net;
225 struct net *net = ctx->net;
226 struct nft_trans *trans;
227
228 if (!nft_chain_binding(chain))
229 return;
230
231 nft_net = nft_pernet(net);
232 list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
233 switch (trans->msg_type) {
234 case NFT_MSG_NEWCHAIN:
235 if (nft_trans_chain(trans) == chain)
236 nft_trans_chain_bound(trans) = bind;
237 break;
238 case NFT_MSG_NEWRULE:
239 if (trans->ctx.chain == chain)
240 nft_trans_rule_bound(trans) = bind;
241 break;
242 }
243 }
244 }
245
nft_chain_trans_bind(const struct nft_ctx * ctx,struct nft_chain * chain)246 static void nft_chain_trans_bind(const struct nft_ctx *ctx,
247 struct nft_chain *chain)
248 {
249 __nft_chain_trans_bind(ctx, chain, true);
250 }
251
nf_tables_bind_chain(const struct nft_ctx * ctx,struct nft_chain * chain)252 int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
253 {
254 if (!nft_chain_binding(chain))
255 return 0;
256
257 if (nft_chain_binding(ctx->chain))
258 return -EOPNOTSUPP;
259
260 if (chain->bound)
261 return -EBUSY;
262
263 if (!nft_use_inc(&chain->use))
264 return -EMFILE;
265
266 chain->bound = true;
267 nft_chain_trans_bind(ctx, chain);
268
269 return 0;
270 }
271
nf_tables_unbind_chain(const struct nft_ctx * ctx,struct nft_chain * chain)272 void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
273 {
274 __nft_chain_trans_bind(ctx, chain, false);
275 }
276
nft_netdev_register_hooks(struct net * net,struct list_head * hook_list)277 static int nft_netdev_register_hooks(struct net *net,
278 struct list_head *hook_list)
279 {
280 struct nft_hook *hook;
281 int err, j;
282
283 j = 0;
284 list_for_each_entry(hook, hook_list, list) {
285 err = nf_register_net_hook(net, &hook->ops);
286 if (err < 0)
287 goto err_register;
288
289 j++;
290 }
291 return 0;
292
293 err_register:
294 list_for_each_entry(hook, hook_list, list) {
295 if (j-- <= 0)
296 break;
297
298 nf_unregister_net_hook(net, &hook->ops);
299 }
300 return err;
301 }
302
nft_netdev_unregister_hooks(struct net * net,struct list_head * hook_list,bool release_netdev)303 static void nft_netdev_unregister_hooks(struct net *net,
304 struct list_head *hook_list,
305 bool release_netdev)
306 {
307 struct nft_hook *hook, *next;
308
309 list_for_each_entry_safe(hook, next, hook_list, list) {
310 nf_unregister_net_hook(net, &hook->ops);
311 if (release_netdev) {
312 list_del(&hook->list);
313 kfree_rcu(hook, rcu);
314 }
315 }
316 }
317
nf_tables_register_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain)318 static int nf_tables_register_hook(struct net *net,
319 const struct nft_table *table,
320 struct nft_chain *chain)
321 {
322 struct nft_base_chain *basechain;
323 const struct nf_hook_ops *ops;
324
325 if (table->flags & NFT_TABLE_F_DORMANT ||
326 !nft_is_base_chain(chain))
327 return 0;
328
329 basechain = nft_base_chain(chain);
330 ops = &basechain->ops;
331
332 if (basechain->type->ops_register)
333 return basechain->type->ops_register(net, ops);
334
335 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
336 return nft_netdev_register_hooks(net, &basechain->hook_list);
337
338 return nf_register_net_hook(net, &basechain->ops);
339 }
340
__nf_tables_unregister_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain,bool release_netdev)341 static void __nf_tables_unregister_hook(struct net *net,
342 const struct nft_table *table,
343 struct nft_chain *chain,
344 bool release_netdev)
345 {
346 struct nft_base_chain *basechain;
347 const struct nf_hook_ops *ops;
348
349 if (table->flags & NFT_TABLE_F_DORMANT ||
350 !nft_is_base_chain(chain))
351 return;
352 basechain = nft_base_chain(chain);
353 ops = &basechain->ops;
354
355 if (basechain->type->ops_unregister)
356 return basechain->type->ops_unregister(net, ops);
357
358 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
359 nft_netdev_unregister_hooks(net, &basechain->hook_list,
360 release_netdev);
361 else
362 nf_unregister_net_hook(net, &basechain->ops);
363 }
364
nf_tables_unregister_hook(struct net * net,const struct nft_table * table,struct nft_chain * chain)365 static void nf_tables_unregister_hook(struct net *net,
366 const struct nft_table *table,
367 struct nft_chain *chain)
368 {
369 return __nf_tables_unregister_hook(net, table, chain, false);
370 }
371
nft_trans_commit_list_add_tail(struct net * net,struct nft_trans * trans)372 static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans)
373 {
374 struct nftables_pernet *nft_net = nft_pernet(net);
375
376 switch (trans->msg_type) {
377 case NFT_MSG_NEWSET:
378 if (!nft_trans_set_update(trans) &&
379 nft_set_is_anonymous(nft_trans_set(trans)))
380 list_add_tail(&trans->binding_list, &nft_net->binding_list);
381 break;
382 case NFT_MSG_NEWCHAIN:
383 if (!nft_trans_chain_update(trans) &&
384 nft_chain_binding(nft_trans_chain(trans)))
385 list_add_tail(&trans->binding_list, &nft_net->binding_list);
386 break;
387 }
388
389 list_add_tail(&trans->list, &nft_net->commit_list);
390 }
391
nft_trans_table_add(struct nft_ctx * ctx,int msg_type)392 static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
393 {
394 struct nft_trans *trans;
395
396 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_table));
397 if (trans == NULL)
398 return -ENOMEM;
399
400 if (msg_type == NFT_MSG_NEWTABLE)
401 nft_activate_next(ctx->net, ctx->table);
402
403 nft_trans_commit_list_add_tail(ctx->net, trans);
404 return 0;
405 }
406
nft_deltable(struct nft_ctx * ctx)407 static int nft_deltable(struct nft_ctx *ctx)
408 {
409 int err;
410
411 err = nft_trans_table_add(ctx, NFT_MSG_DELTABLE);
412 if (err < 0)
413 return err;
414
415 nft_deactivate_next(ctx->net, ctx->table);
416 return err;
417 }
418
nft_trans_chain_add(struct nft_ctx * ctx,int msg_type)419 static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
420 {
421 struct nft_trans *trans;
422
423 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_chain));
424 if (trans == NULL)
425 return ERR_PTR(-ENOMEM);
426
427 if (msg_type == NFT_MSG_NEWCHAIN) {
428 nft_activate_next(ctx->net, ctx->chain);
429
430 if (ctx->nla[NFTA_CHAIN_ID]) {
431 nft_trans_chain_id(trans) =
432 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
433 }
434 }
435 nft_trans_chain(trans) = ctx->chain;
436 nft_trans_commit_list_add_tail(ctx->net, trans);
437
438 return trans;
439 }
440
nft_delchain(struct nft_ctx * ctx)441 static int nft_delchain(struct nft_ctx *ctx)
442 {
443 struct nft_trans *trans;
444
445 trans = nft_trans_chain_add(ctx, NFT_MSG_DELCHAIN);
446 if (IS_ERR(trans))
447 return PTR_ERR(trans);
448
449 nft_use_dec(&ctx->table->use);
450 nft_deactivate_next(ctx->net, ctx->chain);
451
452 return 0;
453 }
454
nft_rule_expr_activate(const struct nft_ctx * ctx,struct nft_rule * rule)455 void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule)
456 {
457 struct nft_expr *expr;
458
459 expr = nft_expr_first(rule);
460 while (nft_expr_more(rule, expr)) {
461 if (expr->ops->activate)
462 expr->ops->activate(ctx, expr);
463
464 expr = nft_expr_next(expr);
465 }
466 }
467
nft_rule_expr_deactivate(const struct nft_ctx * ctx,struct nft_rule * rule,enum nft_trans_phase phase)468 void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule,
469 enum nft_trans_phase phase)
470 {
471 struct nft_expr *expr;
472
473 expr = nft_expr_first(rule);
474 while (nft_expr_more(rule, expr)) {
475 if (expr->ops->deactivate)
476 expr->ops->deactivate(ctx, expr, phase);
477
478 expr = nft_expr_next(expr);
479 }
480 }
481
482 static int
nf_tables_delrule_deactivate(struct nft_ctx * ctx,struct nft_rule * rule)483 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
484 {
485 /* You cannot delete the same rule twice */
486 if (nft_is_active_next(ctx->net, rule)) {
487 nft_deactivate_next(ctx->net, rule);
488 nft_use_dec(&ctx->chain->use);
489 return 0;
490 }
491 return -ENOENT;
492 }
493
nft_trans_rule_add(struct nft_ctx * ctx,int msg_type,struct nft_rule * rule)494 static struct nft_trans *nft_trans_rule_add(struct nft_ctx *ctx, int msg_type,
495 struct nft_rule *rule)
496 {
497 struct nft_trans *trans;
498
499 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_rule));
500 if (trans == NULL)
501 return NULL;
502
503 if (msg_type == NFT_MSG_NEWRULE && ctx->nla[NFTA_RULE_ID] != NULL) {
504 nft_trans_rule_id(trans) =
505 ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID]));
506 }
507 nft_trans_rule(trans) = rule;
508 nft_trans_commit_list_add_tail(ctx->net, trans);
509
510 return trans;
511 }
512
nft_delrule(struct nft_ctx * ctx,struct nft_rule * rule)513 static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
514 {
515 struct nft_flow_rule *flow;
516 struct nft_trans *trans;
517 int err;
518
519 trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
520 if (trans == NULL)
521 return -ENOMEM;
522
523 if (ctx->chain->flags & NFT_CHAIN_HW_OFFLOAD) {
524 flow = nft_flow_rule_create(ctx->net, rule);
525 if (IS_ERR(flow)) {
526 nft_trans_destroy(trans);
527 return PTR_ERR(flow);
528 }
529
530 nft_trans_flow_rule(trans) = flow;
531 }
532
533 err = nf_tables_delrule_deactivate(ctx, rule);
534 if (err < 0) {
535 nft_trans_destroy(trans);
536 return err;
537 }
538 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
539
540 return 0;
541 }
542
nft_delrule_by_chain(struct nft_ctx * ctx)543 static int nft_delrule_by_chain(struct nft_ctx *ctx)
544 {
545 struct nft_rule *rule;
546 int err;
547
548 list_for_each_entry(rule, &ctx->chain->rules, list) {
549 if (!nft_is_active_next(ctx->net, rule))
550 continue;
551
552 err = nft_delrule(ctx, rule);
553 if (err < 0)
554 return err;
555 }
556 return 0;
557 }
558
__nft_trans_set_add(const struct nft_ctx * ctx,int msg_type,struct nft_set * set,const struct nft_set_desc * desc)559 static int __nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
560 struct nft_set *set,
561 const struct nft_set_desc *desc)
562 {
563 struct nft_trans *trans;
564
565 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_set));
566 if (trans == NULL)
567 return -ENOMEM;
568
569 if (msg_type == NFT_MSG_NEWSET && ctx->nla[NFTA_SET_ID] && !desc) {
570 nft_trans_set_id(trans) =
571 ntohl(nla_get_be32(ctx->nla[NFTA_SET_ID]));
572 nft_activate_next(ctx->net, set);
573 }
574 nft_trans_set(trans) = set;
575 if (desc) {
576 nft_trans_set_update(trans) = true;
577 nft_trans_set_gc_int(trans) = desc->gc_int;
578 nft_trans_set_timeout(trans) = desc->timeout;
579 nft_trans_set_size(trans) = desc->size;
580 }
581 nft_trans_commit_list_add_tail(ctx->net, trans);
582
583 return 0;
584 }
585
nft_trans_set_add(const struct nft_ctx * ctx,int msg_type,struct nft_set * set)586 static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
587 struct nft_set *set)
588 {
589 return __nft_trans_set_add(ctx, msg_type, set, NULL);
590 }
591
nft_mapelem_deactivate(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_set_elem * elem)592 static int nft_mapelem_deactivate(const struct nft_ctx *ctx,
593 struct nft_set *set,
594 const struct nft_set_iter *iter,
595 struct nft_set_elem *elem)
596 {
597 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
598
599 if (!nft_set_elem_active(ext, iter->genmask))
600 return 0;
601
602 nft_set_elem_change_active(ctx->net, set, ext);
603 nft_setelem_data_deactivate(ctx->net, set, elem);
604
605 return 0;
606 }
607
608 struct nft_set_elem_catchall {
609 struct list_head list;
610 struct rcu_head rcu;
611 void *elem;
612 };
613
nft_map_catchall_deactivate(const struct nft_ctx * ctx,struct nft_set * set)614 static void nft_map_catchall_deactivate(const struct nft_ctx *ctx,
615 struct nft_set *set)
616 {
617 u8 genmask = nft_genmask_next(ctx->net);
618 struct nft_set_elem_catchall *catchall;
619 struct nft_set_elem elem;
620 struct nft_set_ext *ext;
621
622 list_for_each_entry(catchall, &set->catchall_list, list) {
623 ext = nft_set_elem_ext(set, catchall->elem);
624 if (!nft_set_elem_active(ext, genmask))
625 continue;
626
627 elem.priv = catchall->elem;
628 nft_set_elem_change_active(ctx->net, set, ext);
629 nft_setelem_data_deactivate(ctx->net, set, &elem);
630 break;
631 }
632 }
633
nft_map_deactivate(const struct nft_ctx * ctx,struct nft_set * set)634 static void nft_map_deactivate(const struct nft_ctx *ctx, struct nft_set *set)
635 {
636 struct nft_set_iter iter = {
637 .genmask = nft_genmask_next(ctx->net),
638 .type = NFT_ITER_UPDATE,
639 .fn = nft_mapelem_deactivate,
640 };
641
642 set->ops->walk(ctx, set, &iter);
643 WARN_ON_ONCE(iter.err);
644
645 nft_map_catchall_deactivate(ctx, set);
646 }
647
nft_delset(const struct nft_ctx * ctx,struct nft_set * set)648 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
649 {
650 int err;
651
652 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set);
653 if (err < 0)
654 return err;
655
656 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
657 nft_map_deactivate(ctx, set);
658
659 nft_deactivate_next(ctx->net, set);
660 nft_use_dec(&ctx->table->use);
661
662 return err;
663 }
664
nft_trans_obj_add(struct nft_ctx * ctx,int msg_type,struct nft_object * obj)665 static int nft_trans_obj_add(struct nft_ctx *ctx, int msg_type,
666 struct nft_object *obj)
667 {
668 struct nft_trans *trans;
669
670 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_obj));
671 if (trans == NULL)
672 return -ENOMEM;
673
674 if (msg_type == NFT_MSG_NEWOBJ)
675 nft_activate_next(ctx->net, obj);
676
677 nft_trans_obj(trans) = obj;
678 nft_trans_commit_list_add_tail(ctx->net, trans);
679
680 return 0;
681 }
682
nft_delobj(struct nft_ctx * ctx,struct nft_object * obj)683 static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj)
684 {
685 int err;
686
687 err = nft_trans_obj_add(ctx, NFT_MSG_DELOBJ, obj);
688 if (err < 0)
689 return err;
690
691 nft_deactivate_next(ctx->net, obj);
692 nft_use_dec(&ctx->table->use);
693
694 return err;
695 }
696
697 static struct nft_trans *
nft_trans_flowtable_add(struct nft_ctx * ctx,int msg_type,struct nft_flowtable * flowtable)698 nft_trans_flowtable_add(struct nft_ctx *ctx, int msg_type,
699 struct nft_flowtable *flowtable)
700 {
701 struct nft_trans *trans;
702
703 trans = nft_trans_alloc(ctx, msg_type,
704 sizeof(struct nft_trans_flowtable));
705 if (trans == NULL)
706 return ERR_PTR(-ENOMEM);
707
708 if (msg_type == NFT_MSG_NEWFLOWTABLE)
709 nft_activate_next(ctx->net, flowtable);
710
711 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
712 nft_trans_flowtable(trans) = flowtable;
713 nft_trans_commit_list_add_tail(ctx->net, trans);
714
715 return trans;
716 }
717
nft_delflowtable(struct nft_ctx * ctx,struct nft_flowtable * flowtable)718 static int nft_delflowtable(struct nft_ctx *ctx,
719 struct nft_flowtable *flowtable)
720 {
721 struct nft_trans *trans;
722
723 trans = nft_trans_flowtable_add(ctx, NFT_MSG_DELFLOWTABLE, flowtable);
724 if (IS_ERR(trans))
725 return PTR_ERR(trans);
726
727 nft_deactivate_next(ctx->net, flowtable);
728 nft_use_dec(&ctx->table->use);
729
730 return 0;
731 }
732
__nft_reg_track_clobber(struct nft_regs_track * track,u8 dreg)733 static void __nft_reg_track_clobber(struct nft_regs_track *track, u8 dreg)
734 {
735 int i;
736
737 for (i = track->regs[dreg].num_reg; i > 0; i--)
738 __nft_reg_track_cancel(track, dreg - i);
739 }
740
__nft_reg_track_update(struct nft_regs_track * track,const struct nft_expr * expr,u8 dreg,u8 num_reg)741 static void __nft_reg_track_update(struct nft_regs_track *track,
742 const struct nft_expr *expr,
743 u8 dreg, u8 num_reg)
744 {
745 track->regs[dreg].selector = expr;
746 track->regs[dreg].bitwise = NULL;
747 track->regs[dreg].num_reg = num_reg;
748 }
749
nft_reg_track_update(struct nft_regs_track * track,const struct nft_expr * expr,u8 dreg,u8 len)750 void nft_reg_track_update(struct nft_regs_track *track,
751 const struct nft_expr *expr, u8 dreg, u8 len)
752 {
753 unsigned int regcount;
754 int i;
755
756 __nft_reg_track_clobber(track, dreg);
757
758 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
759 for (i = 0; i < regcount; i++, dreg++)
760 __nft_reg_track_update(track, expr, dreg, i);
761 }
762 EXPORT_SYMBOL_GPL(nft_reg_track_update);
763
nft_reg_track_cancel(struct nft_regs_track * track,u8 dreg,u8 len)764 void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len)
765 {
766 unsigned int regcount;
767 int i;
768
769 __nft_reg_track_clobber(track, dreg);
770
771 regcount = DIV_ROUND_UP(len, NFT_REG32_SIZE);
772 for (i = 0; i < regcount; i++, dreg++)
773 __nft_reg_track_cancel(track, dreg);
774 }
775 EXPORT_SYMBOL_GPL(nft_reg_track_cancel);
776
__nft_reg_track_cancel(struct nft_regs_track * track,u8 dreg)777 void __nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg)
778 {
779 track->regs[dreg].selector = NULL;
780 track->regs[dreg].bitwise = NULL;
781 track->regs[dreg].num_reg = 0;
782 }
783 EXPORT_SYMBOL_GPL(__nft_reg_track_cancel);
784
785 /*
786 * Tables
787 */
788
nft_table_lookup(const struct net * net,const struct nlattr * nla,u8 family,u8 genmask,u32 nlpid)789 static struct nft_table *nft_table_lookup(const struct net *net,
790 const struct nlattr *nla,
791 u8 family, u8 genmask, u32 nlpid)
792 {
793 struct nftables_pernet *nft_net;
794 struct nft_table *table;
795
796 if (nla == NULL)
797 return ERR_PTR(-EINVAL);
798
799 nft_net = nft_pernet(net);
800 list_for_each_entry_rcu(table, &nft_net->tables, list,
801 lockdep_is_held(&nft_net->commit_mutex)) {
802 if (!nla_strcmp(nla, table->name) &&
803 table->family == family &&
804 nft_active_genmask(table, genmask)) {
805 if (nft_table_has_owner(table) &&
806 nlpid && table->nlpid != nlpid)
807 return ERR_PTR(-EPERM);
808
809 return table;
810 }
811 }
812
813 return ERR_PTR(-ENOENT);
814 }
815
nft_table_lookup_byhandle(const struct net * net,const struct nlattr * nla,int family,u8 genmask,u32 nlpid)816 static struct nft_table *nft_table_lookup_byhandle(const struct net *net,
817 const struct nlattr *nla,
818 int family, u8 genmask, u32 nlpid)
819 {
820 struct nftables_pernet *nft_net;
821 struct nft_table *table;
822
823 nft_net = nft_pernet(net);
824 list_for_each_entry(table, &nft_net->tables, list) {
825 if (be64_to_cpu(nla_get_be64(nla)) == table->handle &&
826 table->family == family &&
827 nft_active_genmask(table, genmask)) {
828 if (nft_table_has_owner(table) &&
829 nlpid && table->nlpid != nlpid)
830 return ERR_PTR(-EPERM);
831
832 return table;
833 }
834 }
835
836 return ERR_PTR(-ENOENT);
837 }
838
nf_tables_alloc_handle(struct nft_table * table)839 static inline u64 nf_tables_alloc_handle(struct nft_table *table)
840 {
841 return ++table->hgenerator;
842 }
843
844 static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
845
846 static const struct nft_chain_type *
__nft_chain_type_get(u8 family,enum nft_chain_types type)847 __nft_chain_type_get(u8 family, enum nft_chain_types type)
848 {
849 if (family >= NFPROTO_NUMPROTO ||
850 type >= NFT_CHAIN_T_MAX)
851 return NULL;
852
853 return chain_type[family][type];
854 }
855
856 static const struct nft_chain_type *
__nf_tables_chain_type_lookup(const struct nlattr * nla,u8 family)857 __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
858 {
859 const struct nft_chain_type *type;
860 int i;
861
862 for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
863 type = __nft_chain_type_get(family, i);
864 if (!type)
865 continue;
866 if (!nla_strcmp(nla, type->name))
867 return type;
868 }
869 return NULL;
870 }
871
872 struct nft_module_request {
873 struct list_head list;
874 char module[MODULE_NAME_LEN];
875 bool done;
876 };
877
878 #ifdef CONFIG_MODULES
nft_request_module(struct net * net,const char * fmt,...)879 __printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
880 ...)
881 {
882 char module_name[MODULE_NAME_LEN];
883 struct nftables_pernet *nft_net;
884 struct nft_module_request *req;
885 va_list args;
886 int ret;
887
888 va_start(args, fmt);
889 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
890 va_end(args);
891 if (ret >= MODULE_NAME_LEN)
892 return 0;
893
894 nft_net = nft_pernet(net);
895 list_for_each_entry(req, &nft_net->module_list, list) {
896 if (!strcmp(req->module, module_name)) {
897 if (req->done)
898 return 0;
899
900 /* A request to load this module already exists. */
901 return -EAGAIN;
902 }
903 }
904
905 req = kmalloc(sizeof(*req), GFP_KERNEL);
906 if (!req)
907 return -ENOMEM;
908
909 req->done = false;
910 strscpy(req->module, module_name, MODULE_NAME_LEN);
911 list_add_tail(&req->list, &nft_net->module_list);
912
913 return -EAGAIN;
914 }
915 EXPORT_SYMBOL_GPL(nft_request_module);
916 #endif
917
lockdep_nfnl_nft_mutex_not_held(void)918 static void lockdep_nfnl_nft_mutex_not_held(void)
919 {
920 #ifdef CONFIG_PROVE_LOCKING
921 if (debug_locks)
922 WARN_ON_ONCE(lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES));
923 #endif
924 }
925
926 static const struct nft_chain_type *
nf_tables_chain_type_lookup(struct net * net,const struct nlattr * nla,u8 family,bool autoload)927 nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
928 u8 family, bool autoload)
929 {
930 const struct nft_chain_type *type;
931
932 type = __nf_tables_chain_type_lookup(nla, family);
933 if (type != NULL)
934 return type;
935
936 lockdep_nfnl_nft_mutex_not_held();
937 #ifdef CONFIG_MODULES
938 if (autoload) {
939 if (nft_request_module(net, "nft-chain-%u-%.*s", family,
940 nla_len(nla),
941 (const char *)nla_data(nla)) == -EAGAIN)
942 return ERR_PTR(-EAGAIN);
943 }
944 #endif
945 return ERR_PTR(-ENOENT);
946 }
947
nft_base_seq(const struct net * net)948 static __be16 nft_base_seq(const struct net *net)
949 {
950 struct nftables_pernet *nft_net = nft_pernet(net);
951
952 return htons(nft_net->base_seq & 0xffff);
953 }
954
955 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
956 [NFTA_TABLE_NAME] = { .type = NLA_STRING,
957 .len = NFT_TABLE_MAXNAMELEN - 1 },
958 [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
959 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
960 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
961 .len = NFT_USERDATA_MAXLEN }
962 };
963
nf_tables_fill_table_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table)964 static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
965 u32 portid, u32 seq, int event, u32 flags,
966 int family, const struct nft_table *table)
967 {
968 struct nlmsghdr *nlh;
969
970 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
971 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
972 NFNETLINK_V0, nft_base_seq(net));
973 if (!nlh)
974 goto nla_put_failure;
975
976 if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
977 nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) ||
978 nla_put_be64(skb, NFTA_TABLE_HANDLE, cpu_to_be64(table->handle),
979 NFTA_TABLE_PAD))
980 goto nla_put_failure;
981
982 if (event == NFT_MSG_DELTABLE) {
983 nlmsg_end(skb, nlh);
984 return 0;
985 }
986
987 if (nla_put_be32(skb, NFTA_TABLE_FLAGS,
988 htonl(table->flags & NFT_TABLE_F_MASK)))
989 goto nla_put_failure;
990
991 if (nft_table_has_owner(table) &&
992 nla_put_be32(skb, NFTA_TABLE_OWNER, htonl(table->nlpid)))
993 goto nla_put_failure;
994
995 if (table->udata) {
996 if (nla_put(skb, NFTA_TABLE_USERDATA, table->udlen, table->udata))
997 goto nla_put_failure;
998 }
999
1000 nlmsg_end(skb, nlh);
1001 return 0;
1002
1003 nla_put_failure:
1004 nlmsg_trim(skb, nlh);
1005 return -1;
1006 }
1007
1008 struct nftnl_skb_parms {
1009 bool report;
1010 };
1011 #define NFT_CB(skb) (*(struct nftnl_skb_parms*)&((skb)->cb))
1012
nft_notify_enqueue(struct sk_buff * skb,bool report,struct list_head * notify_list)1013 static void nft_notify_enqueue(struct sk_buff *skb, bool report,
1014 struct list_head *notify_list)
1015 {
1016 NFT_CB(skb).report = report;
1017 list_add_tail(&skb->list, notify_list);
1018 }
1019
nf_tables_table_notify(const struct nft_ctx * ctx,int event)1020 static void nf_tables_table_notify(const struct nft_ctx *ctx, int event)
1021 {
1022 struct nftables_pernet *nft_net;
1023 struct sk_buff *skb;
1024 u16 flags = 0;
1025 int err;
1026
1027 if (!ctx->report &&
1028 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1029 return;
1030
1031 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1032 if (skb == NULL)
1033 goto err;
1034
1035 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1036 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1037
1038 err = nf_tables_fill_table_info(skb, ctx->net, ctx->portid, ctx->seq,
1039 event, flags, ctx->family, ctx->table);
1040 if (err < 0) {
1041 kfree_skb(skb);
1042 goto err;
1043 }
1044
1045 nft_net = nft_pernet(ctx->net);
1046 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
1047 return;
1048 err:
1049 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1050 }
1051
nf_tables_dump_tables(struct sk_buff * skb,struct netlink_callback * cb)1052 static int nf_tables_dump_tables(struct sk_buff *skb,
1053 struct netlink_callback *cb)
1054 {
1055 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1056 struct nftables_pernet *nft_net;
1057 const struct nft_table *table;
1058 unsigned int idx = 0, s_idx = cb->args[0];
1059 struct net *net = sock_net(skb->sk);
1060 int family = nfmsg->nfgen_family;
1061
1062 rcu_read_lock();
1063 nft_net = nft_pernet(net);
1064 cb->seq = READ_ONCE(nft_net->base_seq);
1065
1066 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1067 if (family != NFPROTO_UNSPEC && family != table->family)
1068 continue;
1069
1070 if (idx < s_idx)
1071 goto cont;
1072 if (idx > s_idx)
1073 memset(&cb->args[1], 0,
1074 sizeof(cb->args) - sizeof(cb->args[0]));
1075 if (!nft_is_active(net, table))
1076 continue;
1077 if (nf_tables_fill_table_info(skb, net,
1078 NETLINK_CB(cb->skb).portid,
1079 cb->nlh->nlmsg_seq,
1080 NFT_MSG_NEWTABLE, NLM_F_MULTI,
1081 table->family, table) < 0)
1082 goto done;
1083
1084 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1085 cont:
1086 idx++;
1087 }
1088 done:
1089 rcu_read_unlock();
1090 cb->args[0] = idx;
1091 return skb->len;
1092 }
1093
nft_netlink_dump_start_rcu(struct sock * nlsk,struct sk_buff * skb,const struct nlmsghdr * nlh,struct netlink_dump_control * c)1094 static int nft_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb,
1095 const struct nlmsghdr *nlh,
1096 struct netlink_dump_control *c)
1097 {
1098 int err;
1099
1100 if (!try_module_get(THIS_MODULE))
1101 return -EINVAL;
1102
1103 rcu_read_unlock();
1104 err = netlink_dump_start(nlsk, skb, nlh, c);
1105 rcu_read_lock();
1106 module_put(THIS_MODULE);
1107
1108 return err;
1109 }
1110
1111 /* called with rcu_read_lock held */
nf_tables_gettable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])1112 static int nf_tables_gettable(struct sk_buff *skb, const struct nfnl_info *info,
1113 const struct nlattr * const nla[])
1114 {
1115 struct netlink_ext_ack *extack = info->extack;
1116 u8 genmask = nft_genmask_cur(info->net);
1117 u8 family = info->nfmsg->nfgen_family;
1118 const struct nft_table *table;
1119 struct net *net = info->net;
1120 struct sk_buff *skb2;
1121 int err;
1122
1123 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1124 struct netlink_dump_control c = {
1125 .dump = nf_tables_dump_tables,
1126 .module = THIS_MODULE,
1127 };
1128
1129 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
1130 }
1131
1132 table = nft_table_lookup(net, nla[NFTA_TABLE_NAME], family, genmask, 0);
1133 if (IS_ERR(table)) {
1134 NL_SET_BAD_ATTR(extack, nla[NFTA_TABLE_NAME]);
1135 return PTR_ERR(table);
1136 }
1137
1138 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1139 if (!skb2)
1140 return -ENOMEM;
1141
1142 err = nf_tables_fill_table_info(skb2, net, NETLINK_CB(skb).portid,
1143 info->nlh->nlmsg_seq, NFT_MSG_NEWTABLE,
1144 0, family, table);
1145 if (err < 0)
1146 goto err_fill_table_info;
1147
1148 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
1149
1150 err_fill_table_info:
1151 kfree_skb(skb2);
1152 return err;
1153 }
1154
nft_table_disable(struct net * net,struct nft_table * table,u32 cnt)1155 static void nft_table_disable(struct net *net, struct nft_table *table, u32 cnt)
1156 {
1157 struct nft_chain *chain;
1158 u32 i = 0;
1159
1160 list_for_each_entry(chain, &table->chains, list) {
1161 if (!nft_is_active_next(net, chain))
1162 continue;
1163 if (!nft_is_base_chain(chain))
1164 continue;
1165
1166 if (cnt && i++ == cnt)
1167 break;
1168
1169 nf_tables_unregister_hook(net, table, chain);
1170 }
1171 }
1172
nf_tables_table_enable(struct net * net,struct nft_table * table)1173 static int nf_tables_table_enable(struct net *net, struct nft_table *table)
1174 {
1175 struct nft_chain *chain;
1176 int err, i = 0;
1177
1178 list_for_each_entry(chain, &table->chains, list) {
1179 if (!nft_is_active_next(net, chain))
1180 continue;
1181 if (!nft_is_base_chain(chain))
1182 continue;
1183
1184 err = nf_tables_register_hook(net, table, chain);
1185 if (err < 0)
1186 goto err_register_hooks;
1187
1188 i++;
1189 }
1190 return 0;
1191
1192 err_register_hooks:
1193 if (i)
1194 nft_table_disable(net, table, i);
1195 return err;
1196 }
1197
nf_tables_table_disable(struct net * net,struct nft_table * table)1198 static void nf_tables_table_disable(struct net *net, struct nft_table *table)
1199 {
1200 table->flags &= ~NFT_TABLE_F_DORMANT;
1201 nft_table_disable(net, table, 0);
1202 table->flags |= NFT_TABLE_F_DORMANT;
1203 }
1204
1205 #define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1)
1206 #define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0)
1207 #define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1)
1208 #define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \
1209 __NFT_TABLE_F_WAS_AWAKEN)
1210
nft_table_pending_update(const struct nft_ctx * ctx)1211 static bool nft_table_pending_update(const struct nft_ctx *ctx)
1212 {
1213 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
1214 struct nft_trans *trans;
1215
1216 if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
1217 return true;
1218
1219 list_for_each_entry(trans, &nft_net->commit_list, list) {
1220 if (trans->ctx.table == ctx->table &&
1221 ((trans->msg_type == NFT_MSG_NEWCHAIN &&
1222 nft_trans_chain_update(trans)) ||
1223 (trans->msg_type == NFT_MSG_DELCHAIN &&
1224 nft_is_base_chain(trans->ctx.chain))))
1225 return true;
1226 }
1227
1228 return false;
1229 }
1230
nf_tables_updtable(struct nft_ctx * ctx)1231 static int nf_tables_updtable(struct nft_ctx *ctx)
1232 {
1233 struct nft_trans *trans;
1234 u32 flags;
1235 int ret;
1236
1237 if (!ctx->nla[NFTA_TABLE_FLAGS])
1238 return 0;
1239
1240 flags = ntohl(nla_get_be32(ctx->nla[NFTA_TABLE_FLAGS]));
1241 if (flags & ~NFT_TABLE_F_MASK)
1242 return -EOPNOTSUPP;
1243
1244 if (flags == (ctx->table->flags & NFT_TABLE_F_MASK))
1245 return 0;
1246
1247 if ((nft_table_has_owner(ctx->table) &&
1248 !(flags & NFT_TABLE_F_OWNER)) ||
1249 (!nft_table_has_owner(ctx->table) &&
1250 flags & NFT_TABLE_F_OWNER))
1251 return -EOPNOTSUPP;
1252
1253 /* No dormant off/on/off/on games in single transaction */
1254 if (nft_table_pending_update(ctx))
1255 return -EINVAL;
1256
1257 trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
1258 sizeof(struct nft_trans_table));
1259 if (trans == NULL)
1260 return -ENOMEM;
1261
1262 if ((flags & NFT_TABLE_F_DORMANT) &&
1263 !(ctx->table->flags & NFT_TABLE_F_DORMANT)) {
1264 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1265 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE))
1266 ctx->table->flags |= __NFT_TABLE_F_WAS_AWAKEN;
1267 } else if (!(flags & NFT_TABLE_F_DORMANT) &&
1268 ctx->table->flags & NFT_TABLE_F_DORMANT) {
1269 ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
1270 if (!(ctx->table->flags & __NFT_TABLE_F_UPDATE)) {
1271 ret = nf_tables_table_enable(ctx->net, ctx->table);
1272 if (ret < 0)
1273 goto err_register_hooks;
1274
1275 ctx->table->flags |= __NFT_TABLE_F_WAS_DORMANT;
1276 }
1277 }
1278
1279 nft_trans_table_update(trans) = true;
1280 nft_trans_commit_list_add_tail(ctx->net, trans);
1281
1282 return 0;
1283
1284 err_register_hooks:
1285 ctx->table->flags |= NFT_TABLE_F_DORMANT;
1286 nft_trans_destroy(trans);
1287 return ret;
1288 }
1289
nft_chain_hash(const void * data,u32 len,u32 seed)1290 static u32 nft_chain_hash(const void *data, u32 len, u32 seed)
1291 {
1292 const char *name = data;
1293
1294 return jhash(name, strlen(name), seed);
1295 }
1296
nft_chain_hash_obj(const void * data,u32 len,u32 seed)1297 static u32 nft_chain_hash_obj(const void *data, u32 len, u32 seed)
1298 {
1299 const struct nft_chain *chain = data;
1300
1301 return nft_chain_hash(chain->name, 0, seed);
1302 }
1303
nft_chain_hash_cmp(struct rhashtable_compare_arg * arg,const void * ptr)1304 static int nft_chain_hash_cmp(struct rhashtable_compare_arg *arg,
1305 const void *ptr)
1306 {
1307 const struct nft_chain *chain = ptr;
1308 const char *name = arg->key;
1309
1310 return strcmp(chain->name, name);
1311 }
1312
nft_objname_hash(const void * data,u32 len,u32 seed)1313 static u32 nft_objname_hash(const void *data, u32 len, u32 seed)
1314 {
1315 const struct nft_object_hash_key *k = data;
1316
1317 seed ^= hash_ptr(k->table, 32);
1318
1319 return jhash(k->name, strlen(k->name), seed);
1320 }
1321
nft_objname_hash_obj(const void * data,u32 len,u32 seed)1322 static u32 nft_objname_hash_obj(const void *data, u32 len, u32 seed)
1323 {
1324 const struct nft_object *obj = data;
1325
1326 return nft_objname_hash(&obj->key, 0, seed);
1327 }
1328
nft_objname_hash_cmp(struct rhashtable_compare_arg * arg,const void * ptr)1329 static int nft_objname_hash_cmp(struct rhashtable_compare_arg *arg,
1330 const void *ptr)
1331 {
1332 const struct nft_object_hash_key *k = arg->key;
1333 const struct nft_object *obj = ptr;
1334
1335 if (obj->key.table != k->table)
1336 return -1;
1337
1338 return strcmp(obj->key.name, k->name);
1339 }
1340
nft_supported_family(u8 family)1341 static bool nft_supported_family(u8 family)
1342 {
1343 return false
1344 #ifdef CONFIG_NF_TABLES_INET
1345 || family == NFPROTO_INET
1346 #endif
1347 #ifdef CONFIG_NF_TABLES_IPV4
1348 || family == NFPROTO_IPV4
1349 #endif
1350 #ifdef CONFIG_NF_TABLES_ARP
1351 || family == NFPROTO_ARP
1352 #endif
1353 #ifdef CONFIG_NF_TABLES_NETDEV
1354 || family == NFPROTO_NETDEV
1355 #endif
1356 #if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
1357 || family == NFPROTO_BRIDGE
1358 #endif
1359 #ifdef CONFIG_NF_TABLES_IPV6
1360 || family == NFPROTO_IPV6
1361 #endif
1362 ;
1363 }
1364
nf_tables_newtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])1365 static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
1366 const struct nlattr * const nla[])
1367 {
1368 struct nftables_pernet *nft_net = nft_pernet(info->net);
1369 struct netlink_ext_ack *extack = info->extack;
1370 u8 genmask = nft_genmask_next(info->net);
1371 u8 family = info->nfmsg->nfgen_family;
1372 struct net *net = info->net;
1373 const struct nlattr *attr;
1374 struct nft_table *table;
1375 struct nft_ctx ctx;
1376 u32 flags = 0;
1377 int err;
1378
1379 if (!nft_supported_family(family))
1380 return -EOPNOTSUPP;
1381
1382 lockdep_assert_held(&nft_net->commit_mutex);
1383 attr = nla[NFTA_TABLE_NAME];
1384 table = nft_table_lookup(net, attr, family, genmask,
1385 NETLINK_CB(skb).portid);
1386 if (IS_ERR(table)) {
1387 if (PTR_ERR(table) != -ENOENT)
1388 return PTR_ERR(table);
1389 } else {
1390 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
1391 NL_SET_BAD_ATTR(extack, attr);
1392 return -EEXIST;
1393 }
1394 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
1395 return -EOPNOTSUPP;
1396
1397 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1398
1399 return nf_tables_updtable(&ctx);
1400 }
1401
1402 if (nla[NFTA_TABLE_FLAGS]) {
1403 flags = ntohl(nla_get_be32(nla[NFTA_TABLE_FLAGS]));
1404 if (flags & ~NFT_TABLE_F_MASK)
1405 return -EOPNOTSUPP;
1406 }
1407
1408 err = -ENOMEM;
1409 table = kzalloc(sizeof(*table), GFP_KERNEL_ACCOUNT);
1410 if (table == NULL)
1411 goto err_kzalloc;
1412
1413 table->validate_state = nft_net->validate_state;
1414 table->name = nla_strdup(attr, GFP_KERNEL_ACCOUNT);
1415 if (table->name == NULL)
1416 goto err_strdup;
1417
1418 if (nla[NFTA_TABLE_USERDATA]) {
1419 table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL_ACCOUNT);
1420 if (table->udata == NULL)
1421 goto err_table_udata;
1422
1423 table->udlen = nla_len(nla[NFTA_TABLE_USERDATA]);
1424 }
1425
1426 err = rhltable_init(&table->chains_ht, &nft_chain_ht_params);
1427 if (err)
1428 goto err_chain_ht;
1429
1430 INIT_LIST_HEAD(&table->chains);
1431 INIT_LIST_HEAD(&table->sets);
1432 INIT_LIST_HEAD(&table->objects);
1433 INIT_LIST_HEAD(&table->flowtables);
1434 table->family = family;
1435 table->flags = flags;
1436 table->handle = ++nft_net->table_handle;
1437 if (table->flags & NFT_TABLE_F_OWNER)
1438 table->nlpid = NETLINK_CB(skb).portid;
1439
1440 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
1441 err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
1442 if (err < 0)
1443 goto err_trans;
1444
1445 list_add_tail_rcu(&table->list, &nft_net->tables);
1446 return 0;
1447 err_trans:
1448 rhltable_destroy(&table->chains_ht);
1449 err_chain_ht:
1450 kfree(table->udata);
1451 err_table_udata:
1452 kfree(table->name);
1453 err_strdup:
1454 kfree(table);
1455 err_kzalloc:
1456 return err;
1457 }
1458
nft_flush_table(struct nft_ctx * ctx)1459 static int nft_flush_table(struct nft_ctx *ctx)
1460 {
1461 struct nft_flowtable *flowtable, *nft;
1462 struct nft_chain *chain, *nc;
1463 struct nft_object *obj, *ne;
1464 struct nft_set *set, *ns;
1465 int err;
1466
1467 list_for_each_entry(chain, &ctx->table->chains, list) {
1468 if (!nft_is_active_next(ctx->net, chain))
1469 continue;
1470
1471 if (nft_chain_binding(chain))
1472 continue;
1473
1474 ctx->chain = chain;
1475
1476 err = nft_delrule_by_chain(ctx);
1477 if (err < 0)
1478 goto out;
1479 }
1480
1481 list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
1482 if (!nft_is_active_next(ctx->net, set))
1483 continue;
1484
1485 if (nft_set_is_anonymous(set))
1486 continue;
1487
1488 err = nft_delset(ctx, set);
1489 if (err < 0)
1490 goto out;
1491 }
1492
1493 list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
1494 if (!nft_is_active_next(ctx->net, flowtable))
1495 continue;
1496
1497 err = nft_delflowtable(ctx, flowtable);
1498 if (err < 0)
1499 goto out;
1500 }
1501
1502 list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
1503 if (!nft_is_active_next(ctx->net, obj))
1504 continue;
1505
1506 err = nft_delobj(ctx, obj);
1507 if (err < 0)
1508 goto out;
1509 }
1510
1511 list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
1512 if (!nft_is_active_next(ctx->net, chain))
1513 continue;
1514
1515 if (nft_chain_binding(chain))
1516 continue;
1517
1518 ctx->chain = chain;
1519
1520 err = nft_delchain(ctx);
1521 if (err < 0)
1522 goto out;
1523 }
1524
1525 err = nft_deltable(ctx);
1526 out:
1527 return err;
1528 }
1529
nft_flush(struct nft_ctx * ctx,int family)1530 static int nft_flush(struct nft_ctx *ctx, int family)
1531 {
1532 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
1533 const struct nlattr * const *nla = ctx->nla;
1534 struct nft_table *table, *nt;
1535 int err = 0;
1536
1537 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
1538 if (family != AF_UNSPEC && table->family != family)
1539 continue;
1540
1541 ctx->family = table->family;
1542
1543 if (!nft_is_active_next(ctx->net, table))
1544 continue;
1545
1546 if (nft_table_has_owner(table) && table->nlpid != ctx->portid)
1547 continue;
1548
1549 if (nla[NFTA_TABLE_NAME] &&
1550 nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
1551 continue;
1552
1553 ctx->table = table;
1554
1555 err = nft_flush_table(ctx);
1556 if (err < 0)
1557 goto out;
1558 }
1559 out:
1560 return err;
1561 }
1562
nf_tables_deltable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])1563 static int nf_tables_deltable(struct sk_buff *skb, const struct nfnl_info *info,
1564 const struct nlattr * const nla[])
1565 {
1566 struct netlink_ext_ack *extack = info->extack;
1567 u8 genmask = nft_genmask_next(info->net);
1568 u8 family = info->nfmsg->nfgen_family;
1569 struct net *net = info->net;
1570 const struct nlattr *attr;
1571 struct nft_table *table;
1572 struct nft_ctx ctx;
1573
1574 nft_ctx_init(&ctx, net, skb, info->nlh, 0, NULL, NULL, nla);
1575 if (family == AF_UNSPEC ||
1576 (!nla[NFTA_TABLE_NAME] && !nla[NFTA_TABLE_HANDLE]))
1577 return nft_flush(&ctx, family);
1578
1579 if (nla[NFTA_TABLE_HANDLE]) {
1580 attr = nla[NFTA_TABLE_HANDLE];
1581 table = nft_table_lookup_byhandle(net, attr, family, genmask,
1582 NETLINK_CB(skb).portid);
1583 } else {
1584 attr = nla[NFTA_TABLE_NAME];
1585 table = nft_table_lookup(net, attr, family, genmask,
1586 NETLINK_CB(skb).portid);
1587 }
1588
1589 if (IS_ERR(table)) {
1590 if (PTR_ERR(table) == -ENOENT &&
1591 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYTABLE)
1592 return 0;
1593
1594 NL_SET_BAD_ATTR(extack, attr);
1595 return PTR_ERR(table);
1596 }
1597
1598 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
1599 table->use > 0)
1600 return -EBUSY;
1601
1602 ctx.family = family;
1603 ctx.table = table;
1604
1605 return nft_flush_table(&ctx);
1606 }
1607
nf_tables_table_destroy(struct nft_ctx * ctx)1608 static void nf_tables_table_destroy(struct nft_ctx *ctx)
1609 {
1610 if (WARN_ON(ctx->table->use > 0))
1611 return;
1612
1613 rhltable_destroy(&ctx->table->chains_ht);
1614 kfree(ctx->table->name);
1615 kfree(ctx->table->udata);
1616 kfree(ctx->table);
1617 }
1618
nft_register_chain_type(const struct nft_chain_type * ctype)1619 void nft_register_chain_type(const struct nft_chain_type *ctype)
1620 {
1621 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1622 if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1623 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1624 return;
1625 }
1626 chain_type[ctype->family][ctype->type] = ctype;
1627 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1628 }
1629 EXPORT_SYMBOL_GPL(nft_register_chain_type);
1630
nft_unregister_chain_type(const struct nft_chain_type * ctype)1631 void nft_unregister_chain_type(const struct nft_chain_type *ctype)
1632 {
1633 nfnl_lock(NFNL_SUBSYS_NFTABLES);
1634 chain_type[ctype->family][ctype->type] = NULL;
1635 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1636 }
1637 EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
1638
1639 /*
1640 * Chains
1641 */
1642
1643 static struct nft_chain *
nft_chain_lookup_byhandle(const struct nft_table * table,u64 handle,u8 genmask)1644 nft_chain_lookup_byhandle(const struct nft_table *table, u64 handle, u8 genmask)
1645 {
1646 struct nft_chain *chain;
1647
1648 list_for_each_entry(chain, &table->chains, list) {
1649 if (chain->handle == handle &&
1650 nft_active_genmask(chain, genmask))
1651 return chain;
1652 }
1653
1654 return ERR_PTR(-ENOENT);
1655 }
1656
lockdep_commit_lock_is_held(const struct net * net)1657 static bool lockdep_commit_lock_is_held(const struct net *net)
1658 {
1659 #ifdef CONFIG_PROVE_LOCKING
1660 struct nftables_pernet *nft_net = nft_pernet(net);
1661
1662 return lockdep_is_held(&nft_net->commit_mutex);
1663 #else
1664 return true;
1665 #endif
1666 }
1667
nft_chain_lookup(struct net * net,struct nft_table * table,const struct nlattr * nla,u8 genmask)1668 static struct nft_chain *nft_chain_lookup(struct net *net,
1669 struct nft_table *table,
1670 const struct nlattr *nla, u8 genmask)
1671 {
1672 char search[NFT_CHAIN_MAXNAMELEN + 1];
1673 struct rhlist_head *tmp, *list;
1674 struct nft_chain *chain;
1675
1676 if (nla == NULL)
1677 return ERR_PTR(-EINVAL);
1678
1679 nla_strscpy(search, nla, sizeof(search));
1680
1681 WARN_ON(!rcu_read_lock_held() &&
1682 !lockdep_commit_lock_is_held(net));
1683
1684 chain = ERR_PTR(-ENOENT);
1685 rcu_read_lock();
1686 list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
1687 if (!list)
1688 goto out_unlock;
1689
1690 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
1691 if (nft_active_genmask(chain, genmask))
1692 goto out_unlock;
1693 }
1694 chain = ERR_PTR(-ENOENT);
1695 out_unlock:
1696 rcu_read_unlock();
1697 return chain;
1698 }
1699
1700 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
1701 [NFTA_CHAIN_TABLE] = { .type = NLA_STRING,
1702 .len = NFT_TABLE_MAXNAMELEN - 1 },
1703 [NFTA_CHAIN_HANDLE] = { .type = NLA_U64 },
1704 [NFTA_CHAIN_NAME] = { .type = NLA_STRING,
1705 .len = NFT_CHAIN_MAXNAMELEN - 1 },
1706 [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
1707 [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
1708 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
1709 .len = NFT_MODULE_AUTOLOAD_LIMIT },
1710 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
1711 [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
1712 [NFTA_CHAIN_ID] = { .type = NLA_U32 },
1713 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
1714 .len = NFT_USERDATA_MAXLEN },
1715 };
1716
1717 static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
1718 [NFTA_HOOK_HOOKNUM] = { .type = NLA_U32 },
1719 [NFTA_HOOK_PRIORITY] = { .type = NLA_U32 },
1720 [NFTA_HOOK_DEV] = { .type = NLA_STRING,
1721 .len = IFNAMSIZ - 1 },
1722 };
1723
nft_dump_stats(struct sk_buff * skb,struct nft_stats __percpu * stats)1724 static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats)
1725 {
1726 struct nft_stats *cpu_stats, total;
1727 struct nlattr *nest;
1728 unsigned int seq;
1729 u64 pkts, bytes;
1730 int cpu;
1731
1732 if (!stats)
1733 return 0;
1734
1735 memset(&total, 0, sizeof(total));
1736 for_each_possible_cpu(cpu) {
1737 cpu_stats = per_cpu_ptr(stats, cpu);
1738 do {
1739 seq = u64_stats_fetch_begin(&cpu_stats->syncp);
1740 pkts = cpu_stats->pkts;
1741 bytes = cpu_stats->bytes;
1742 } while (u64_stats_fetch_retry(&cpu_stats->syncp, seq));
1743 total.pkts += pkts;
1744 total.bytes += bytes;
1745 }
1746 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_COUNTERS);
1747 if (nest == NULL)
1748 goto nla_put_failure;
1749
1750 if (nla_put_be64(skb, NFTA_COUNTER_PACKETS, cpu_to_be64(total.pkts),
1751 NFTA_COUNTER_PAD) ||
1752 nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
1753 NFTA_COUNTER_PAD))
1754 goto nla_put_failure;
1755
1756 nla_nest_end(skb, nest);
1757 return 0;
1758
1759 nla_put_failure:
1760 return -ENOSPC;
1761 }
1762
nft_dump_basechain_hook(struct sk_buff * skb,int family,const struct nft_base_chain * basechain,const struct list_head * hook_list)1763 static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
1764 const struct nft_base_chain *basechain,
1765 const struct list_head *hook_list)
1766 {
1767 const struct nf_hook_ops *ops = &basechain->ops;
1768 struct nft_hook *hook, *first = NULL;
1769 struct nlattr *nest, *nest_devs;
1770 int n = 0;
1771
1772 nest = nla_nest_start_noflag(skb, NFTA_CHAIN_HOOK);
1773 if (nest == NULL)
1774 goto nla_put_failure;
1775 if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
1776 goto nla_put_failure;
1777 if (nla_put_be32(skb, NFTA_HOOK_PRIORITY, htonl(ops->priority)))
1778 goto nla_put_failure;
1779
1780 if (nft_base_chain_netdev(family, ops->hooknum)) {
1781 nest_devs = nla_nest_start_noflag(skb, NFTA_HOOK_DEVS);
1782 if (!nest_devs)
1783 goto nla_put_failure;
1784
1785 if (!hook_list)
1786 hook_list = &basechain->hook_list;
1787
1788 list_for_each_entry_rcu(hook, hook_list, list) {
1789 if (!first)
1790 first = hook;
1791
1792 if (nla_put_string(skb, NFTA_DEVICE_NAME,
1793 hook->ops.dev->name))
1794 goto nla_put_failure;
1795 n++;
1796 }
1797 nla_nest_end(skb, nest_devs);
1798
1799 if (n == 1 &&
1800 nla_put_string(skb, NFTA_HOOK_DEV, first->ops.dev->name))
1801 goto nla_put_failure;
1802 }
1803 nla_nest_end(skb, nest);
1804
1805 return 0;
1806 nla_put_failure:
1807 return -1;
1808 }
1809
nf_tables_fill_chain_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,const struct nft_chain * chain,const struct list_head * hook_list)1810 static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
1811 u32 portid, u32 seq, int event, u32 flags,
1812 int family, const struct nft_table *table,
1813 const struct nft_chain *chain,
1814 const struct list_head *hook_list)
1815 {
1816 struct nlmsghdr *nlh;
1817
1818 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
1819 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
1820 NFNETLINK_V0, nft_base_seq(net));
1821 if (!nlh)
1822 goto nla_put_failure;
1823
1824 if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name) ||
1825 nla_put_string(skb, NFTA_CHAIN_NAME, chain->name) ||
1826 nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle),
1827 NFTA_CHAIN_PAD))
1828 goto nla_put_failure;
1829
1830 if (event == NFT_MSG_DELCHAIN && !hook_list) {
1831 nlmsg_end(skb, nlh);
1832 return 0;
1833 }
1834
1835 if (nft_is_base_chain(chain)) {
1836 const struct nft_base_chain *basechain = nft_base_chain(chain);
1837 struct nft_stats __percpu *stats;
1838
1839 if (nft_dump_basechain_hook(skb, family, basechain, hook_list))
1840 goto nla_put_failure;
1841
1842 if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
1843 htonl(basechain->policy)))
1844 goto nla_put_failure;
1845
1846 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
1847 goto nla_put_failure;
1848
1849 stats = rcu_dereference_check(basechain->stats,
1850 lockdep_commit_lock_is_held(net));
1851 if (nft_dump_stats(skb, stats))
1852 goto nla_put_failure;
1853 }
1854
1855 if (chain->flags &&
1856 nla_put_be32(skb, NFTA_CHAIN_FLAGS, htonl(chain->flags)))
1857 goto nla_put_failure;
1858
1859 if (nla_put_be32(skb, NFTA_CHAIN_USE, htonl(chain->use)))
1860 goto nla_put_failure;
1861
1862 if (chain->udata &&
1863 nla_put(skb, NFTA_CHAIN_USERDATA, chain->udlen, chain->udata))
1864 goto nla_put_failure;
1865
1866 nlmsg_end(skb, nlh);
1867 return 0;
1868
1869 nla_put_failure:
1870 nlmsg_trim(skb, nlh);
1871 return -1;
1872 }
1873
nf_tables_chain_notify(const struct nft_ctx * ctx,int event,const struct list_head * hook_list)1874 static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event,
1875 const struct list_head *hook_list)
1876 {
1877 struct nftables_pernet *nft_net;
1878 struct sk_buff *skb;
1879 u16 flags = 0;
1880 int err;
1881
1882 if (!ctx->report &&
1883 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
1884 return;
1885
1886 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
1887 if (skb == NULL)
1888 goto err;
1889
1890 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
1891 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
1892
1893 err = nf_tables_fill_chain_info(skb, ctx->net, ctx->portid, ctx->seq,
1894 event, flags, ctx->family, ctx->table,
1895 ctx->chain, hook_list);
1896 if (err < 0) {
1897 kfree_skb(skb);
1898 goto err;
1899 }
1900
1901 nft_net = nft_pernet(ctx->net);
1902 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
1903 return;
1904 err:
1905 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
1906 }
1907
nf_tables_dump_chains(struct sk_buff * skb,struct netlink_callback * cb)1908 static int nf_tables_dump_chains(struct sk_buff *skb,
1909 struct netlink_callback *cb)
1910 {
1911 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1912 unsigned int idx = 0, s_idx = cb->args[0];
1913 struct net *net = sock_net(skb->sk);
1914 int family = nfmsg->nfgen_family;
1915 struct nftables_pernet *nft_net;
1916 const struct nft_table *table;
1917 const struct nft_chain *chain;
1918
1919 rcu_read_lock();
1920 nft_net = nft_pernet(net);
1921 cb->seq = READ_ONCE(nft_net->base_seq);
1922
1923 list_for_each_entry_rcu(table, &nft_net->tables, list) {
1924 if (family != NFPROTO_UNSPEC && family != table->family)
1925 continue;
1926
1927 list_for_each_entry_rcu(chain, &table->chains, list) {
1928 if (idx < s_idx)
1929 goto cont;
1930 if (idx > s_idx)
1931 memset(&cb->args[1], 0,
1932 sizeof(cb->args) - sizeof(cb->args[0]));
1933 if (!nft_is_active(net, chain))
1934 continue;
1935 if (nf_tables_fill_chain_info(skb, net,
1936 NETLINK_CB(cb->skb).portid,
1937 cb->nlh->nlmsg_seq,
1938 NFT_MSG_NEWCHAIN,
1939 NLM_F_MULTI,
1940 table->family, table,
1941 chain, NULL) < 0)
1942 goto done;
1943
1944 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
1945 cont:
1946 idx++;
1947 }
1948 }
1949 done:
1950 rcu_read_unlock();
1951 cb->args[0] = idx;
1952 return skb->len;
1953 }
1954
1955 /* called with rcu_read_lock held */
nf_tables_getchain(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])1956 static int nf_tables_getchain(struct sk_buff *skb, const struct nfnl_info *info,
1957 const struct nlattr * const nla[])
1958 {
1959 struct netlink_ext_ack *extack = info->extack;
1960 u8 genmask = nft_genmask_cur(info->net);
1961 u8 family = info->nfmsg->nfgen_family;
1962 const struct nft_chain *chain;
1963 struct net *net = info->net;
1964 struct nft_table *table;
1965 struct sk_buff *skb2;
1966 int err;
1967
1968 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1969 struct netlink_dump_control c = {
1970 .dump = nf_tables_dump_chains,
1971 .module = THIS_MODULE,
1972 };
1973
1974 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
1975 }
1976
1977 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask, 0);
1978 if (IS_ERR(table)) {
1979 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
1980 return PTR_ERR(table);
1981 }
1982
1983 chain = nft_chain_lookup(net, table, nla[NFTA_CHAIN_NAME], genmask);
1984 if (IS_ERR(chain)) {
1985 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
1986 return PTR_ERR(chain);
1987 }
1988
1989 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1990 if (!skb2)
1991 return -ENOMEM;
1992
1993 err = nf_tables_fill_chain_info(skb2, net, NETLINK_CB(skb).portid,
1994 info->nlh->nlmsg_seq, NFT_MSG_NEWCHAIN,
1995 0, family, table, chain, NULL);
1996 if (err < 0)
1997 goto err_fill_chain_info;
1998
1999 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
2000
2001 err_fill_chain_info:
2002 kfree_skb(skb2);
2003 return err;
2004 }
2005
2006 static const struct nla_policy nft_counter_policy[NFTA_COUNTER_MAX + 1] = {
2007 [NFTA_COUNTER_PACKETS] = { .type = NLA_U64 },
2008 [NFTA_COUNTER_BYTES] = { .type = NLA_U64 },
2009 };
2010
nft_stats_alloc(const struct nlattr * attr)2011 static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
2012 {
2013 struct nlattr *tb[NFTA_COUNTER_MAX+1];
2014 struct nft_stats __percpu *newstats;
2015 struct nft_stats *stats;
2016 int err;
2017
2018 err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
2019 nft_counter_policy, NULL);
2020 if (err < 0)
2021 return ERR_PTR(err);
2022
2023 if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
2024 return ERR_PTR(-EINVAL);
2025
2026 newstats = netdev_alloc_pcpu_stats(struct nft_stats);
2027 if (newstats == NULL)
2028 return ERR_PTR(-ENOMEM);
2029
2030 /* Restore old counters on this cpu, no problem. Per-cpu statistics
2031 * are not exposed to userspace.
2032 */
2033 preempt_disable();
2034 stats = this_cpu_ptr(newstats);
2035 stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
2036 stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
2037 preempt_enable();
2038
2039 return newstats;
2040 }
2041
nft_chain_stats_replace(struct nft_trans * trans)2042 static void nft_chain_stats_replace(struct nft_trans *trans)
2043 {
2044 struct nft_base_chain *chain = nft_base_chain(trans->ctx.chain);
2045
2046 if (!nft_trans_chain_stats(trans))
2047 return;
2048
2049 nft_trans_chain_stats(trans) =
2050 rcu_replace_pointer(chain->stats, nft_trans_chain_stats(trans),
2051 lockdep_commit_lock_is_held(trans->ctx.net));
2052
2053 if (!nft_trans_chain_stats(trans))
2054 static_branch_inc(&nft_counters_enabled);
2055 }
2056
nf_tables_chain_free_chain_rules(struct nft_chain * chain)2057 static void nf_tables_chain_free_chain_rules(struct nft_chain *chain)
2058 {
2059 struct nft_rule_blob *g0 = rcu_dereference_raw(chain->blob_gen_0);
2060 struct nft_rule_blob *g1 = rcu_dereference_raw(chain->blob_gen_1);
2061
2062 if (g0 != g1)
2063 kvfree(g1);
2064 kvfree(g0);
2065
2066 /* should be NULL either via abort or via successful commit */
2067 WARN_ON_ONCE(chain->blob_next);
2068 kvfree(chain->blob_next);
2069 }
2070
nf_tables_chain_destroy(struct nft_chain * chain)2071 void nf_tables_chain_destroy(struct nft_chain *chain)
2072 {
2073 const struct nft_table *table = chain->table;
2074 struct nft_hook *hook, *next;
2075
2076 if (WARN_ON(chain->use > 0))
2077 return;
2078
2079 /* no concurrent access possible anymore */
2080 nf_tables_chain_free_chain_rules(chain);
2081
2082 if (nft_is_base_chain(chain)) {
2083 struct nft_base_chain *basechain = nft_base_chain(chain);
2084
2085 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) {
2086 list_for_each_entry_safe(hook, next,
2087 &basechain->hook_list, list) {
2088 list_del_rcu(&hook->list);
2089 kfree_rcu(hook, rcu);
2090 }
2091 }
2092 module_put(basechain->type->owner);
2093 if (rcu_access_pointer(basechain->stats)) {
2094 static_branch_dec(&nft_counters_enabled);
2095 free_percpu(rcu_dereference_raw(basechain->stats));
2096 }
2097 kfree(chain->name);
2098 kfree(chain->udata);
2099 kfree(basechain);
2100 } else {
2101 kfree(chain->name);
2102 kfree(chain->udata);
2103 kfree(chain);
2104 }
2105 }
2106
nft_netdev_hook_alloc(struct net * net,const struct nlattr * attr)2107 static struct nft_hook *nft_netdev_hook_alloc(struct net *net,
2108 const struct nlattr *attr)
2109 {
2110 struct net_device *dev;
2111 char ifname[IFNAMSIZ];
2112 struct nft_hook *hook;
2113 int err;
2114
2115 hook = kzalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT);
2116 if (!hook) {
2117 err = -ENOMEM;
2118 goto err_hook_alloc;
2119 }
2120
2121 nla_strscpy(ifname, attr, IFNAMSIZ);
2122 /* nf_tables_netdev_event() is called under rtnl_mutex, this is
2123 * indirectly serializing all the other holders of the commit_mutex with
2124 * the rtnl_mutex.
2125 */
2126 dev = __dev_get_by_name(net, ifname);
2127 if (!dev) {
2128 err = -ENOENT;
2129 goto err_hook_dev;
2130 }
2131 hook->ops.dev = dev;
2132
2133 return hook;
2134
2135 err_hook_dev:
2136 kfree(hook);
2137 err_hook_alloc:
2138 return ERR_PTR(err);
2139 }
2140
nft_hook_list_find(struct list_head * hook_list,const struct nft_hook * this)2141 static struct nft_hook *nft_hook_list_find(struct list_head *hook_list,
2142 const struct nft_hook *this)
2143 {
2144 struct nft_hook *hook;
2145
2146 list_for_each_entry(hook, hook_list, list) {
2147 if (this->ops.dev == hook->ops.dev)
2148 return hook;
2149 }
2150
2151 return NULL;
2152 }
2153
nf_tables_parse_netdev_hooks(struct net * net,const struct nlattr * attr,struct list_head * hook_list,struct netlink_ext_ack * extack)2154 static int nf_tables_parse_netdev_hooks(struct net *net,
2155 const struct nlattr *attr,
2156 struct list_head *hook_list,
2157 struct netlink_ext_ack *extack)
2158 {
2159 struct nft_hook *hook, *next;
2160 const struct nlattr *tmp;
2161 int rem, n = 0, err;
2162
2163 nla_for_each_nested(tmp, attr, rem) {
2164 if (nla_type(tmp) != NFTA_DEVICE_NAME) {
2165 err = -EINVAL;
2166 goto err_hook;
2167 }
2168
2169 hook = nft_netdev_hook_alloc(net, tmp);
2170 if (IS_ERR(hook)) {
2171 NL_SET_BAD_ATTR(extack, tmp);
2172 err = PTR_ERR(hook);
2173 goto err_hook;
2174 }
2175 if (nft_hook_list_find(hook_list, hook)) {
2176 NL_SET_BAD_ATTR(extack, tmp);
2177 kfree(hook);
2178 err = -EEXIST;
2179 goto err_hook;
2180 }
2181 list_add_tail(&hook->list, hook_list);
2182 n++;
2183
2184 if (n == NFT_NETDEVICE_MAX) {
2185 err = -EFBIG;
2186 goto err_hook;
2187 }
2188 }
2189
2190 return 0;
2191
2192 err_hook:
2193 list_for_each_entry_safe(hook, next, hook_list, list) {
2194 list_del(&hook->list);
2195 kfree(hook);
2196 }
2197 return err;
2198 }
2199
2200 struct nft_chain_hook {
2201 u32 num;
2202 s32 priority;
2203 const struct nft_chain_type *type;
2204 struct list_head list;
2205 };
2206
nft_chain_parse_netdev(struct net * net,struct nlattr * tb[],struct list_head * hook_list,struct netlink_ext_ack * extack,u32 flags)2207 static int nft_chain_parse_netdev(struct net *net, struct nlattr *tb[],
2208 struct list_head *hook_list,
2209 struct netlink_ext_ack *extack, u32 flags)
2210 {
2211 struct nft_hook *hook;
2212 int err;
2213
2214 if (tb[NFTA_HOOK_DEV]) {
2215 hook = nft_netdev_hook_alloc(net, tb[NFTA_HOOK_DEV]);
2216 if (IS_ERR(hook)) {
2217 NL_SET_BAD_ATTR(extack, tb[NFTA_HOOK_DEV]);
2218 return PTR_ERR(hook);
2219 }
2220
2221 list_add_tail(&hook->list, hook_list);
2222 } else if (tb[NFTA_HOOK_DEVS]) {
2223 err = nf_tables_parse_netdev_hooks(net, tb[NFTA_HOOK_DEVS],
2224 hook_list, extack);
2225 if (err < 0)
2226 return err;
2227
2228 }
2229
2230 if (flags & NFT_CHAIN_HW_OFFLOAD &&
2231 list_empty(hook_list))
2232 return -EINVAL;
2233
2234 return 0;
2235 }
2236
nft_chain_parse_hook(struct net * net,struct nft_base_chain * basechain,const struct nlattr * const nla[],struct nft_chain_hook * hook,u8 family,u32 flags,struct netlink_ext_ack * extack)2237 static int nft_chain_parse_hook(struct net *net,
2238 struct nft_base_chain *basechain,
2239 const struct nlattr * const nla[],
2240 struct nft_chain_hook *hook, u8 family,
2241 u32 flags, struct netlink_ext_ack *extack)
2242 {
2243 struct nftables_pernet *nft_net = nft_pernet(net);
2244 struct nlattr *ha[NFTA_HOOK_MAX + 1];
2245 const struct nft_chain_type *type;
2246 int err;
2247
2248 lockdep_assert_held(&nft_net->commit_mutex);
2249 lockdep_nfnl_nft_mutex_not_held();
2250
2251 err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX,
2252 nla[NFTA_CHAIN_HOOK],
2253 nft_hook_policy, NULL);
2254 if (err < 0)
2255 return err;
2256
2257 if (!basechain) {
2258 if (!ha[NFTA_HOOK_HOOKNUM] ||
2259 !ha[NFTA_HOOK_PRIORITY]) {
2260 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2261 return -ENOENT;
2262 }
2263
2264 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2265 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2266
2267 type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
2268 if (!type)
2269 return -EOPNOTSUPP;
2270
2271 if (nla[NFTA_CHAIN_TYPE]) {
2272 type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
2273 family, true);
2274 if (IS_ERR(type)) {
2275 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2276 return PTR_ERR(type);
2277 }
2278 }
2279 if (hook->num >= NFT_MAX_HOOKS || !(type->hook_mask & (1 << hook->num)))
2280 return -EOPNOTSUPP;
2281
2282 if (type->type == NFT_CHAIN_T_NAT &&
2283 hook->priority <= NF_IP_PRI_CONNTRACK)
2284 return -EOPNOTSUPP;
2285 } else {
2286 if (ha[NFTA_HOOK_HOOKNUM]) {
2287 hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
2288 if (hook->num != basechain->ops.hooknum)
2289 return -EOPNOTSUPP;
2290 }
2291 if (ha[NFTA_HOOK_PRIORITY]) {
2292 hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
2293 if (hook->priority != basechain->ops.priority)
2294 return -EOPNOTSUPP;
2295 }
2296
2297 if (nla[NFTA_CHAIN_TYPE]) {
2298 type = __nf_tables_chain_type_lookup(nla[NFTA_CHAIN_TYPE],
2299 family);
2300 if (!type) {
2301 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2302 return -ENOENT;
2303 }
2304 } else {
2305 type = basechain->type;
2306 }
2307 }
2308
2309 if (!try_module_get(type->owner)) {
2310 if (nla[NFTA_CHAIN_TYPE])
2311 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TYPE]);
2312 return -ENOENT;
2313 }
2314
2315 hook->type = type;
2316
2317 INIT_LIST_HEAD(&hook->list);
2318 if (nft_base_chain_netdev(family, hook->num)) {
2319 err = nft_chain_parse_netdev(net, ha, &hook->list, extack, flags);
2320 if (err < 0) {
2321 module_put(type->owner);
2322 return err;
2323 }
2324 } else if (ha[NFTA_HOOK_DEV] || ha[NFTA_HOOK_DEVS]) {
2325 module_put(type->owner);
2326 return -EOPNOTSUPP;
2327 }
2328
2329 return 0;
2330 }
2331
nft_chain_release_hook(struct nft_chain_hook * hook)2332 static void nft_chain_release_hook(struct nft_chain_hook *hook)
2333 {
2334 struct nft_hook *h, *next;
2335
2336 list_for_each_entry_safe(h, next, &hook->list, list) {
2337 list_del(&h->list);
2338 kfree(h);
2339 }
2340 module_put(hook->type->owner);
2341 }
2342
nft_last_rule(const struct nft_chain * chain,const void * ptr)2343 static void nft_last_rule(const struct nft_chain *chain, const void *ptr)
2344 {
2345 struct nft_rule_dp_last *lrule;
2346
2347 BUILD_BUG_ON(offsetof(struct nft_rule_dp_last, end) != 0);
2348
2349 lrule = (struct nft_rule_dp_last *)ptr;
2350 lrule->end.is_last = 1;
2351 lrule->chain = chain;
2352 /* blob size does not include the trailer rule */
2353 }
2354
nf_tables_chain_alloc_rules(const struct nft_chain * chain,unsigned int size)2355 static struct nft_rule_blob *nf_tables_chain_alloc_rules(const struct nft_chain *chain,
2356 unsigned int size)
2357 {
2358 struct nft_rule_blob *blob;
2359
2360 if (size > INT_MAX)
2361 return NULL;
2362
2363 size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rule_dp_last);
2364
2365 blob = kvmalloc(size, GFP_KERNEL_ACCOUNT);
2366 if (!blob)
2367 return NULL;
2368
2369 blob->size = 0;
2370 nft_last_rule(chain, blob->data);
2371
2372 return blob;
2373 }
2374
nft_basechain_hook_init(struct nf_hook_ops * ops,u8 family,const struct nft_chain_hook * hook,struct nft_chain * chain)2375 static void nft_basechain_hook_init(struct nf_hook_ops *ops, u8 family,
2376 const struct nft_chain_hook *hook,
2377 struct nft_chain *chain)
2378 {
2379 ops->pf = family;
2380 ops->hooknum = hook->num;
2381 ops->priority = hook->priority;
2382 ops->priv = chain;
2383 ops->hook = hook->type->hooks[ops->hooknum];
2384 ops->hook_ops_type = NF_HOOK_OP_NF_TABLES;
2385 }
2386
nft_basechain_init(struct nft_base_chain * basechain,u8 family,struct nft_chain_hook * hook,u32 flags)2387 static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
2388 struct nft_chain_hook *hook, u32 flags)
2389 {
2390 struct nft_chain *chain;
2391 struct nft_hook *h;
2392
2393 basechain->type = hook->type;
2394 INIT_LIST_HEAD(&basechain->hook_list);
2395 chain = &basechain->chain;
2396
2397 if (nft_base_chain_netdev(family, hook->num)) {
2398 list_splice_init(&hook->list, &basechain->hook_list);
2399 list_for_each_entry(h, &basechain->hook_list, list)
2400 nft_basechain_hook_init(&h->ops, family, hook, chain);
2401 }
2402 nft_basechain_hook_init(&basechain->ops, family, hook, chain);
2403
2404 chain->flags |= NFT_CHAIN_BASE | flags;
2405 basechain->policy = NF_ACCEPT;
2406 if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
2407 !nft_chain_offload_support(basechain)) {
2408 list_splice_init(&basechain->hook_list, &hook->list);
2409 return -EOPNOTSUPP;
2410 }
2411
2412 flow_block_init(&basechain->flow_block);
2413
2414 return 0;
2415 }
2416
nft_chain_add(struct nft_table * table,struct nft_chain * chain)2417 int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
2418 {
2419 int err;
2420
2421 err = rhltable_insert_key(&table->chains_ht, chain->name,
2422 &chain->rhlhead, nft_chain_ht_params);
2423 if (err)
2424 return err;
2425
2426 list_add_tail_rcu(&chain->list, &table->chains);
2427
2428 return 0;
2429 }
2430
2431 static u64 chain_id;
2432
nf_tables_addchain(struct nft_ctx * ctx,u8 family,u8 genmask,u8 policy,u32 flags,struct netlink_ext_ack * extack)2433 static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
2434 u8 policy, u32 flags,
2435 struct netlink_ext_ack *extack)
2436 {
2437 const struct nlattr * const *nla = ctx->nla;
2438 struct nft_table *table = ctx->table;
2439 struct nft_base_chain *basechain;
2440 struct net *net = ctx->net;
2441 char name[NFT_NAME_MAXLEN];
2442 struct nft_rule_blob *blob;
2443 struct nft_trans *trans;
2444 struct nft_chain *chain;
2445 int err;
2446
2447 if (nla[NFTA_CHAIN_HOOK]) {
2448 struct nft_stats __percpu *stats = NULL;
2449 struct nft_chain_hook hook = {};
2450
2451 if (table->flags & __NFT_TABLE_F_UPDATE)
2452 return -EINVAL;
2453
2454 if (flags & NFT_CHAIN_BINDING)
2455 return -EOPNOTSUPP;
2456
2457 err = nft_chain_parse_hook(net, NULL, nla, &hook, family, flags,
2458 extack);
2459 if (err < 0)
2460 return err;
2461
2462 basechain = kzalloc(sizeof(*basechain), GFP_KERNEL_ACCOUNT);
2463 if (basechain == NULL) {
2464 nft_chain_release_hook(&hook);
2465 return -ENOMEM;
2466 }
2467 chain = &basechain->chain;
2468
2469 if (nla[NFTA_CHAIN_COUNTERS]) {
2470 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2471 if (IS_ERR(stats)) {
2472 nft_chain_release_hook(&hook);
2473 kfree(basechain);
2474 return PTR_ERR(stats);
2475 }
2476 rcu_assign_pointer(basechain->stats, stats);
2477 }
2478
2479 err = nft_basechain_init(basechain, family, &hook, flags);
2480 if (err < 0) {
2481 nft_chain_release_hook(&hook);
2482 kfree(basechain);
2483 free_percpu(stats);
2484 return err;
2485 }
2486 if (stats)
2487 static_branch_inc(&nft_counters_enabled);
2488 } else {
2489 if (flags & NFT_CHAIN_BASE)
2490 return -EINVAL;
2491 if (flags & NFT_CHAIN_HW_OFFLOAD)
2492 return -EOPNOTSUPP;
2493
2494 chain = kzalloc(sizeof(*chain), GFP_KERNEL_ACCOUNT);
2495 if (chain == NULL)
2496 return -ENOMEM;
2497
2498 chain->flags = flags;
2499 }
2500 ctx->chain = chain;
2501
2502 INIT_LIST_HEAD(&chain->rules);
2503 chain->handle = nf_tables_alloc_handle(table);
2504 chain->table = table;
2505
2506 if (nla[NFTA_CHAIN_NAME]) {
2507 chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2508 } else {
2509 if (!(flags & NFT_CHAIN_BINDING)) {
2510 err = -EINVAL;
2511 goto err_destroy_chain;
2512 }
2513
2514 snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2515 chain->name = kstrdup(name, GFP_KERNEL_ACCOUNT);
2516 }
2517
2518 if (!chain->name) {
2519 err = -ENOMEM;
2520 goto err_destroy_chain;
2521 }
2522
2523 if (nla[NFTA_CHAIN_USERDATA]) {
2524 chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT);
2525 if (chain->udata == NULL) {
2526 err = -ENOMEM;
2527 goto err_destroy_chain;
2528 }
2529 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]);
2530 }
2531
2532 blob = nf_tables_chain_alloc_rules(chain, 0);
2533 if (!blob) {
2534 err = -ENOMEM;
2535 goto err_destroy_chain;
2536 }
2537
2538 RCU_INIT_POINTER(chain->blob_gen_0, blob);
2539 RCU_INIT_POINTER(chain->blob_gen_1, blob);
2540
2541 if (!nft_use_inc(&table->use)) {
2542 err = -EMFILE;
2543 goto err_destroy_chain;
2544 }
2545
2546 trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN);
2547 if (IS_ERR(trans)) {
2548 err = PTR_ERR(trans);
2549 goto err_trans;
2550 }
2551
2552 nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
2553 if (nft_is_base_chain(chain))
2554 nft_trans_chain_policy(trans) = policy;
2555
2556 err = nft_chain_add(table, chain);
2557 if (err < 0)
2558 goto err_chain_add;
2559
2560 /* This must be LAST to ensure no packets are walking over this chain. */
2561 err = nf_tables_register_hook(net, table, chain);
2562 if (err < 0)
2563 goto err_register_hook;
2564
2565 return 0;
2566
2567 err_register_hook:
2568 nft_chain_del(chain);
2569 err_chain_add:
2570 nft_trans_destroy(trans);
2571 err_trans:
2572 nft_use_dec_restore(&table->use);
2573 err_destroy_chain:
2574 nf_tables_chain_destroy(chain);
2575
2576 return err;
2577 }
2578
nf_tables_updchain(struct nft_ctx * ctx,u8 genmask,u8 policy,u32 flags,const struct nlattr * attr,struct netlink_ext_ack * extack)2579 static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
2580 u32 flags, const struct nlattr *attr,
2581 struct netlink_ext_ack *extack)
2582 {
2583 const struct nlattr * const *nla = ctx->nla;
2584 struct nft_base_chain *basechain = NULL;
2585 struct nft_table *table = ctx->table;
2586 struct nft_chain *chain = ctx->chain;
2587 struct nft_chain_hook hook = {};
2588 struct nft_stats *stats = NULL;
2589 struct nft_hook *h, *next;
2590 struct nf_hook_ops *ops;
2591 struct nft_trans *trans;
2592 bool unregister = false;
2593 int err;
2594
2595 if (chain->flags ^ flags)
2596 return -EOPNOTSUPP;
2597
2598 INIT_LIST_HEAD(&hook.list);
2599
2600 if (nla[NFTA_CHAIN_HOOK]) {
2601 if (!nft_is_base_chain(chain)) {
2602 NL_SET_BAD_ATTR(extack, attr);
2603 return -EEXIST;
2604 }
2605
2606 basechain = nft_base_chain(chain);
2607 err = nft_chain_parse_hook(ctx->net, basechain, nla, &hook,
2608 ctx->family, flags, extack);
2609 if (err < 0)
2610 return err;
2611
2612 if (basechain->type != hook.type) {
2613 nft_chain_release_hook(&hook);
2614 NL_SET_BAD_ATTR(extack, attr);
2615 return -EEXIST;
2616 }
2617
2618 if (nft_base_chain_netdev(ctx->family, basechain->ops.hooknum)) {
2619 list_for_each_entry_safe(h, next, &hook.list, list) {
2620 h->ops.pf = basechain->ops.pf;
2621 h->ops.hooknum = basechain->ops.hooknum;
2622 h->ops.priority = basechain->ops.priority;
2623 h->ops.priv = basechain->ops.priv;
2624 h->ops.hook = basechain->ops.hook;
2625
2626 if (nft_hook_list_find(&basechain->hook_list, h)) {
2627 list_del(&h->list);
2628 kfree(h);
2629 }
2630 }
2631 } else {
2632 ops = &basechain->ops;
2633 if (ops->hooknum != hook.num ||
2634 ops->priority != hook.priority) {
2635 nft_chain_release_hook(&hook);
2636 NL_SET_BAD_ATTR(extack, attr);
2637 return -EEXIST;
2638 }
2639 }
2640 }
2641
2642 if (nla[NFTA_CHAIN_HANDLE] &&
2643 nla[NFTA_CHAIN_NAME]) {
2644 struct nft_chain *chain2;
2645
2646 chain2 = nft_chain_lookup(ctx->net, table,
2647 nla[NFTA_CHAIN_NAME], genmask);
2648 if (!IS_ERR(chain2)) {
2649 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2650 err = -EEXIST;
2651 goto err_hooks;
2652 }
2653 }
2654
2655 if (table->flags & __NFT_TABLE_F_UPDATE &&
2656 !list_empty(&hook.list)) {
2657 NL_SET_BAD_ATTR(extack, attr);
2658 err = -EOPNOTSUPP;
2659 goto err_hooks;
2660 }
2661
2662 if (!(table->flags & NFT_TABLE_F_DORMANT) &&
2663 nft_is_base_chain(chain) &&
2664 !list_empty(&hook.list)) {
2665 basechain = nft_base_chain(chain);
2666 ops = &basechain->ops;
2667
2668 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) {
2669 err = nft_netdev_register_hooks(ctx->net, &hook.list);
2670 if (err < 0)
2671 goto err_hooks;
2672 }
2673 }
2674
2675 unregister = true;
2676
2677 if (nla[NFTA_CHAIN_COUNTERS]) {
2678 if (!nft_is_base_chain(chain)) {
2679 err = -EOPNOTSUPP;
2680 goto err_hooks;
2681 }
2682
2683 stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
2684 if (IS_ERR(stats)) {
2685 err = PTR_ERR(stats);
2686 goto err_hooks;
2687 }
2688 }
2689
2690 err = -ENOMEM;
2691 trans = nft_trans_alloc(ctx, NFT_MSG_NEWCHAIN,
2692 sizeof(struct nft_trans_chain));
2693 if (trans == NULL)
2694 goto err_trans;
2695
2696 nft_trans_chain_stats(trans) = stats;
2697 nft_trans_chain_update(trans) = true;
2698
2699 if (nla[NFTA_CHAIN_POLICY])
2700 nft_trans_chain_policy(trans) = policy;
2701 else
2702 nft_trans_chain_policy(trans) = -1;
2703
2704 if (nla[NFTA_CHAIN_HANDLE] &&
2705 nla[NFTA_CHAIN_NAME]) {
2706 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
2707 struct nft_trans *tmp;
2708 char *name;
2709
2710 err = -ENOMEM;
2711 name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2712 if (!name)
2713 goto err_trans;
2714
2715 err = -EEXIST;
2716 list_for_each_entry(tmp, &nft_net->commit_list, list) {
2717 if (tmp->msg_type == NFT_MSG_NEWCHAIN &&
2718 tmp->ctx.table == table &&
2719 nft_trans_chain_update(tmp) &&
2720 nft_trans_chain_name(tmp) &&
2721 strcmp(name, nft_trans_chain_name(tmp)) == 0) {
2722 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_NAME]);
2723 kfree(name);
2724 goto err_trans;
2725 }
2726 }
2727
2728 nft_trans_chain_name(trans) = name;
2729 }
2730
2731 nft_trans_basechain(trans) = basechain;
2732 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
2733 list_splice(&hook.list, &nft_trans_chain_hooks(trans));
2734 if (nla[NFTA_CHAIN_HOOK])
2735 module_put(hook.type->owner);
2736
2737 nft_trans_commit_list_add_tail(ctx->net, trans);
2738
2739 return 0;
2740
2741 err_trans:
2742 free_percpu(stats);
2743 kfree(trans);
2744 err_hooks:
2745 if (nla[NFTA_CHAIN_HOOK]) {
2746 list_for_each_entry_safe(h, next, &hook.list, list) {
2747 if (unregister)
2748 nf_unregister_net_hook(ctx->net, &h->ops);
2749 list_del(&h->list);
2750 kfree_rcu(h, rcu);
2751 }
2752 module_put(hook.type->owner);
2753 }
2754
2755 return err;
2756 }
2757
nft_chain_lookup_byid(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u8 genmask)2758 static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
2759 const struct nft_table *table,
2760 const struct nlattr *nla, u8 genmask)
2761 {
2762 struct nftables_pernet *nft_net = nft_pernet(net);
2763 u32 id = ntohl(nla_get_be32(nla));
2764 struct nft_trans *trans;
2765
2766 list_for_each_entry(trans, &nft_net->commit_list, list) {
2767 struct nft_chain *chain = trans->ctx.chain;
2768
2769 if (trans->msg_type == NFT_MSG_NEWCHAIN &&
2770 chain->table == table &&
2771 id == nft_trans_chain_id(trans) &&
2772 nft_active_genmask(chain, genmask))
2773 return chain;
2774 }
2775 return ERR_PTR(-ENOENT);
2776 }
2777
nf_tables_newchain(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])2778 static int nf_tables_newchain(struct sk_buff *skb, const struct nfnl_info *info,
2779 const struct nlattr * const nla[])
2780 {
2781 struct nftables_pernet *nft_net = nft_pernet(info->net);
2782 struct netlink_ext_ack *extack = info->extack;
2783 u8 genmask = nft_genmask_next(info->net);
2784 u8 family = info->nfmsg->nfgen_family;
2785 struct nft_chain *chain = NULL;
2786 struct net *net = info->net;
2787 const struct nlattr *attr;
2788 struct nft_table *table;
2789 u8 policy = NF_ACCEPT;
2790 struct nft_ctx ctx;
2791 u64 handle = 0;
2792 u32 flags = 0;
2793
2794 lockdep_assert_held(&nft_net->commit_mutex);
2795
2796 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2797 NETLINK_CB(skb).portid);
2798 if (IS_ERR(table)) {
2799 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2800 return PTR_ERR(table);
2801 }
2802
2803 chain = NULL;
2804 attr = nla[NFTA_CHAIN_NAME];
2805
2806 if (nla[NFTA_CHAIN_HANDLE]) {
2807 handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
2808 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2809 if (IS_ERR(chain)) {
2810 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_HANDLE]);
2811 return PTR_ERR(chain);
2812 }
2813 attr = nla[NFTA_CHAIN_HANDLE];
2814 } else if (nla[NFTA_CHAIN_NAME]) {
2815 chain = nft_chain_lookup(net, table, attr, genmask);
2816 if (IS_ERR(chain)) {
2817 if (PTR_ERR(chain) != -ENOENT) {
2818 NL_SET_BAD_ATTR(extack, attr);
2819 return PTR_ERR(chain);
2820 }
2821 chain = NULL;
2822 }
2823 } else if (!nla[NFTA_CHAIN_ID]) {
2824 return -EINVAL;
2825 }
2826
2827 if (nla[NFTA_CHAIN_POLICY]) {
2828 if (chain != NULL &&
2829 !nft_is_base_chain(chain)) {
2830 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2831 return -EOPNOTSUPP;
2832 }
2833
2834 if (chain == NULL &&
2835 nla[NFTA_CHAIN_HOOK] == NULL) {
2836 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_POLICY]);
2837 return -EOPNOTSUPP;
2838 }
2839
2840 policy = ntohl(nla_get_be32(nla[NFTA_CHAIN_POLICY]));
2841 switch (policy) {
2842 case NF_DROP:
2843 case NF_ACCEPT:
2844 break;
2845 default:
2846 return -EINVAL;
2847 }
2848 }
2849
2850 if (nla[NFTA_CHAIN_FLAGS])
2851 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
2852 else if (chain)
2853 flags = chain->flags;
2854
2855 if (flags & ~NFT_CHAIN_FLAGS)
2856 return -EOPNOTSUPP;
2857
2858 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2859
2860 if (chain != NULL) {
2861 if (chain->flags & NFT_CHAIN_BINDING)
2862 return -EINVAL;
2863
2864 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
2865 NL_SET_BAD_ATTR(extack, attr);
2866 return -EEXIST;
2867 }
2868 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
2869 return -EOPNOTSUPP;
2870
2871 flags |= chain->flags & NFT_CHAIN_BASE;
2872 return nf_tables_updchain(&ctx, genmask, policy, flags, attr,
2873 extack);
2874 }
2875
2876 return nf_tables_addchain(&ctx, family, genmask, policy, flags, extack);
2877 }
2878
nft_delchain_hook(struct nft_ctx * ctx,struct nft_base_chain * basechain,struct netlink_ext_ack * extack)2879 static int nft_delchain_hook(struct nft_ctx *ctx,
2880 struct nft_base_chain *basechain,
2881 struct netlink_ext_ack *extack)
2882 {
2883 const struct nft_chain *chain = &basechain->chain;
2884 const struct nlattr * const *nla = ctx->nla;
2885 struct nft_chain_hook chain_hook = {};
2886 struct nft_hook *this, *hook;
2887 LIST_HEAD(chain_del_list);
2888 struct nft_trans *trans;
2889 int err;
2890
2891 if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
2892 return -EOPNOTSUPP;
2893
2894 err = nft_chain_parse_hook(ctx->net, basechain, nla, &chain_hook,
2895 ctx->family, chain->flags, extack);
2896 if (err < 0)
2897 return err;
2898
2899 list_for_each_entry(this, &chain_hook.list, list) {
2900 hook = nft_hook_list_find(&basechain->hook_list, this);
2901 if (!hook) {
2902 err = -ENOENT;
2903 goto err_chain_del_hook;
2904 }
2905 list_move(&hook->list, &chain_del_list);
2906 }
2907
2908 trans = nft_trans_alloc(ctx, NFT_MSG_DELCHAIN,
2909 sizeof(struct nft_trans_chain));
2910 if (!trans) {
2911 err = -ENOMEM;
2912 goto err_chain_del_hook;
2913 }
2914
2915 nft_trans_basechain(trans) = basechain;
2916 nft_trans_chain_update(trans) = true;
2917 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans));
2918 list_splice(&chain_del_list, &nft_trans_chain_hooks(trans));
2919 nft_chain_release_hook(&chain_hook);
2920
2921 nft_trans_commit_list_add_tail(ctx->net, trans);
2922
2923 return 0;
2924
2925 err_chain_del_hook:
2926 list_splice(&chain_del_list, &basechain->hook_list);
2927 nft_chain_release_hook(&chain_hook);
2928
2929 return err;
2930 }
2931
nf_tables_delchain(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])2932 static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info,
2933 const struct nlattr * const nla[])
2934 {
2935 struct netlink_ext_ack *extack = info->extack;
2936 u8 genmask = nft_genmask_next(info->net);
2937 u8 family = info->nfmsg->nfgen_family;
2938 struct net *net = info->net;
2939 const struct nlattr *attr;
2940 struct nft_table *table;
2941 struct nft_chain *chain;
2942 struct nft_rule *rule;
2943 struct nft_ctx ctx;
2944 u64 handle;
2945 u32 use;
2946 int err;
2947
2948 table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask,
2949 NETLINK_CB(skb).portid);
2950 if (IS_ERR(table)) {
2951 NL_SET_BAD_ATTR(extack, nla[NFTA_CHAIN_TABLE]);
2952 return PTR_ERR(table);
2953 }
2954
2955 if (nla[NFTA_CHAIN_HANDLE]) {
2956 attr = nla[NFTA_CHAIN_HANDLE];
2957 handle = be64_to_cpu(nla_get_be64(attr));
2958 chain = nft_chain_lookup_byhandle(table, handle, genmask);
2959 } else {
2960 attr = nla[NFTA_CHAIN_NAME];
2961 chain = nft_chain_lookup(net, table, attr, genmask);
2962 }
2963 if (IS_ERR(chain)) {
2964 if (PTR_ERR(chain) == -ENOENT &&
2965 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN)
2966 return 0;
2967
2968 NL_SET_BAD_ATTR(extack, attr);
2969 return PTR_ERR(chain);
2970 }
2971
2972 if (nft_chain_binding(chain))
2973 return -EOPNOTSUPP;
2974
2975 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
2976
2977 if (nla[NFTA_CHAIN_HOOK]) {
2978 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYCHAIN ||
2979 chain->flags & NFT_CHAIN_HW_OFFLOAD)
2980 return -EOPNOTSUPP;
2981
2982 if (nft_is_base_chain(chain)) {
2983 struct nft_base_chain *basechain = nft_base_chain(chain);
2984
2985 if (nft_base_chain_netdev(table->family, basechain->ops.hooknum))
2986 return nft_delchain_hook(&ctx, basechain, extack);
2987 }
2988 }
2989
2990 if (info->nlh->nlmsg_flags & NLM_F_NONREC &&
2991 chain->use > 0)
2992 return -EBUSY;
2993
2994 use = chain->use;
2995 list_for_each_entry(rule, &chain->rules, list) {
2996 if (!nft_is_active_next(net, rule))
2997 continue;
2998 use--;
2999
3000 err = nft_delrule(&ctx, rule);
3001 if (err < 0)
3002 return err;
3003 }
3004
3005 /* There are rules and elements that are still holding references to us,
3006 * we cannot do a recursive removal in this case.
3007 */
3008 if (use > 0) {
3009 NL_SET_BAD_ATTR(extack, attr);
3010 return -EBUSY;
3011 }
3012
3013 return nft_delchain(&ctx);
3014 }
3015
3016 /*
3017 * Expressions
3018 */
3019
3020 /**
3021 * nft_register_expr - register nf_tables expr type
3022 * @type: expr type
3023 *
3024 * Registers the expr type for use with nf_tables. Returns zero on
3025 * success or a negative errno code otherwise.
3026 */
nft_register_expr(struct nft_expr_type * type)3027 int nft_register_expr(struct nft_expr_type *type)
3028 {
3029 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3030 if (type->family == NFPROTO_UNSPEC)
3031 list_add_tail_rcu(&type->list, &nf_tables_expressions);
3032 else
3033 list_add_rcu(&type->list, &nf_tables_expressions);
3034 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3035 return 0;
3036 }
3037 EXPORT_SYMBOL_GPL(nft_register_expr);
3038
3039 /**
3040 * nft_unregister_expr - unregister nf_tables expr type
3041 * @type: expr type
3042 *
3043 * Unregisters the expr typefor use with nf_tables.
3044 */
nft_unregister_expr(struct nft_expr_type * type)3045 void nft_unregister_expr(struct nft_expr_type *type)
3046 {
3047 nfnl_lock(NFNL_SUBSYS_NFTABLES);
3048 list_del_rcu(&type->list);
3049 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
3050 }
3051 EXPORT_SYMBOL_GPL(nft_unregister_expr);
3052
__nft_expr_type_get(u8 family,struct nlattr * nla)3053 static const struct nft_expr_type *__nft_expr_type_get(u8 family,
3054 struct nlattr *nla)
3055 {
3056 const struct nft_expr_type *type, *candidate = NULL;
3057
3058 list_for_each_entry_rcu(type, &nf_tables_expressions, list) {
3059 if (!nla_strcmp(nla, type->name)) {
3060 if (!type->family && !candidate)
3061 candidate = type;
3062 else if (type->family == family)
3063 candidate = type;
3064 }
3065 }
3066 return candidate;
3067 }
3068
3069 #ifdef CONFIG_MODULES
nft_expr_type_request_module(struct net * net,u8 family,struct nlattr * nla)3070 static int nft_expr_type_request_module(struct net *net, u8 family,
3071 struct nlattr *nla)
3072 {
3073 if (nft_request_module(net, "nft-expr-%u-%.*s", family,
3074 nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
3075 return -EAGAIN;
3076
3077 return 0;
3078 }
3079 #endif
3080
nft_expr_type_get(struct net * net,u8 family,struct nlattr * nla)3081 static const struct nft_expr_type *nft_expr_type_get(struct net *net,
3082 u8 family,
3083 struct nlattr *nla)
3084 {
3085 const struct nft_expr_type *type;
3086
3087 if (nla == NULL)
3088 return ERR_PTR(-EINVAL);
3089
3090 rcu_read_lock();
3091 type = __nft_expr_type_get(family, nla);
3092 if (type != NULL && try_module_get(type->owner)) {
3093 rcu_read_unlock();
3094 return type;
3095 }
3096 rcu_read_unlock();
3097
3098 lockdep_nfnl_nft_mutex_not_held();
3099 #ifdef CONFIG_MODULES
3100 if (type == NULL) {
3101 if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
3102 return ERR_PTR(-EAGAIN);
3103
3104 if (nft_request_module(net, "nft-expr-%.*s",
3105 nla_len(nla),
3106 (char *)nla_data(nla)) == -EAGAIN)
3107 return ERR_PTR(-EAGAIN);
3108 }
3109 #endif
3110 return ERR_PTR(-ENOENT);
3111 }
3112
3113 static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
3114 [NFTA_EXPR_NAME] = { .type = NLA_STRING,
3115 .len = NFT_MODULE_AUTOLOAD_LIMIT },
3116 [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
3117 };
3118
nf_tables_fill_expr_info(struct sk_buff * skb,const struct nft_expr * expr,bool reset)3119 static int nf_tables_fill_expr_info(struct sk_buff *skb,
3120 const struct nft_expr *expr, bool reset)
3121 {
3122 if (nla_put_string(skb, NFTA_EXPR_NAME, expr->ops->type->name))
3123 goto nla_put_failure;
3124
3125 if (expr->ops->dump) {
3126 struct nlattr *data = nla_nest_start_noflag(skb,
3127 NFTA_EXPR_DATA);
3128 if (data == NULL)
3129 goto nla_put_failure;
3130 if (expr->ops->dump(skb, expr, reset) < 0)
3131 goto nla_put_failure;
3132 nla_nest_end(skb, data);
3133 }
3134
3135 return skb->len;
3136
3137 nla_put_failure:
3138 return -1;
3139 };
3140
nft_expr_dump(struct sk_buff * skb,unsigned int attr,const struct nft_expr * expr,bool reset)3141 int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
3142 const struct nft_expr *expr, bool reset)
3143 {
3144 struct nlattr *nest;
3145
3146 nest = nla_nest_start_noflag(skb, attr);
3147 if (!nest)
3148 goto nla_put_failure;
3149 if (nf_tables_fill_expr_info(skb, expr, reset) < 0)
3150 goto nla_put_failure;
3151 nla_nest_end(skb, nest);
3152 return 0;
3153
3154 nla_put_failure:
3155 return -1;
3156 }
3157
3158 struct nft_expr_info {
3159 const struct nft_expr_ops *ops;
3160 const struct nlattr *attr;
3161 struct nlattr *tb[NFT_EXPR_MAXATTR + 1];
3162 };
3163
nf_tables_expr_parse(const struct nft_ctx * ctx,const struct nlattr * nla,struct nft_expr_info * info)3164 static int nf_tables_expr_parse(const struct nft_ctx *ctx,
3165 const struct nlattr *nla,
3166 struct nft_expr_info *info)
3167 {
3168 const struct nft_expr_type *type;
3169 const struct nft_expr_ops *ops;
3170 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3171 int err;
3172
3173 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3174 nft_expr_policy, NULL);
3175 if (err < 0)
3176 return err;
3177
3178 type = nft_expr_type_get(ctx->net, ctx->family, tb[NFTA_EXPR_NAME]);
3179 if (IS_ERR(type))
3180 return PTR_ERR(type);
3181
3182 if (tb[NFTA_EXPR_DATA]) {
3183 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
3184 tb[NFTA_EXPR_DATA],
3185 type->policy, NULL);
3186 if (err < 0)
3187 goto err1;
3188 } else
3189 memset(info->tb, 0, sizeof(info->tb[0]) * (type->maxattr + 1));
3190
3191 if (type->select_ops != NULL) {
3192 ops = type->select_ops(ctx,
3193 (const struct nlattr * const *)info->tb);
3194 if (IS_ERR(ops)) {
3195 err = PTR_ERR(ops);
3196 #ifdef CONFIG_MODULES
3197 if (err == -EAGAIN)
3198 if (nft_expr_type_request_module(ctx->net,
3199 ctx->family,
3200 tb[NFTA_EXPR_NAME]) != -EAGAIN)
3201 err = -ENOENT;
3202 #endif
3203 goto err1;
3204 }
3205 } else
3206 ops = type->ops;
3207
3208 info->attr = nla;
3209 info->ops = ops;
3210
3211 return 0;
3212
3213 err1:
3214 module_put(type->owner);
3215 return err;
3216 }
3217
nft_expr_inner_parse(const struct nft_ctx * ctx,const struct nlattr * nla,struct nft_expr_info * info)3218 int nft_expr_inner_parse(const struct nft_ctx *ctx, const struct nlattr *nla,
3219 struct nft_expr_info *info)
3220 {
3221 struct nlattr *tb[NFTA_EXPR_MAX + 1];
3222 const struct nft_expr_type *type;
3223 int err;
3224
3225 err = nla_parse_nested_deprecated(tb, NFTA_EXPR_MAX, nla,
3226 nft_expr_policy, NULL);
3227 if (err < 0)
3228 return err;
3229
3230 if (!tb[NFTA_EXPR_DATA] || !tb[NFTA_EXPR_NAME])
3231 return -EINVAL;
3232
3233 rcu_read_lock();
3234
3235 type = __nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
3236 if (!type) {
3237 err = -ENOENT;
3238 goto out_unlock;
3239 }
3240
3241 if (!type->inner_ops) {
3242 err = -EOPNOTSUPP;
3243 goto out_unlock;
3244 }
3245
3246 err = nla_parse_nested_deprecated(info->tb, type->maxattr,
3247 tb[NFTA_EXPR_DATA],
3248 type->policy, NULL);
3249 if (err < 0)
3250 goto out_unlock;
3251
3252 info->attr = nla;
3253 info->ops = type->inner_ops;
3254
3255 /* No module reference will be taken on type->owner.
3256 * Presence of type->inner_ops implies that the expression
3257 * is builtin, so it cannot go away.
3258 */
3259 rcu_read_unlock();
3260 return 0;
3261
3262 out_unlock:
3263 rcu_read_unlock();
3264 return err;
3265 }
3266
nf_tables_newexpr(const struct nft_ctx * ctx,const struct nft_expr_info * expr_info,struct nft_expr * expr)3267 static int nf_tables_newexpr(const struct nft_ctx *ctx,
3268 const struct nft_expr_info *expr_info,
3269 struct nft_expr *expr)
3270 {
3271 const struct nft_expr_ops *ops = expr_info->ops;
3272 int err;
3273
3274 expr->ops = ops;
3275 if (ops->init) {
3276 err = ops->init(ctx, expr, (const struct nlattr **)expr_info->tb);
3277 if (err < 0)
3278 goto err1;
3279 }
3280
3281 return 0;
3282 err1:
3283 expr->ops = NULL;
3284 return err;
3285 }
3286
nf_tables_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)3287 static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
3288 struct nft_expr *expr)
3289 {
3290 const struct nft_expr_type *type = expr->ops->type;
3291
3292 if (expr->ops->destroy)
3293 expr->ops->destroy(ctx, expr);
3294 module_put(type->owner);
3295 }
3296
nft_expr_init(const struct nft_ctx * ctx,const struct nlattr * nla)3297 static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
3298 const struct nlattr *nla)
3299 {
3300 struct nft_expr_info expr_info;
3301 struct nft_expr *expr;
3302 struct module *owner;
3303 int err;
3304
3305 err = nf_tables_expr_parse(ctx, nla, &expr_info);
3306 if (err < 0)
3307 goto err_expr_parse;
3308
3309 err = -EOPNOTSUPP;
3310 if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL))
3311 goto err_expr_stateful;
3312
3313 err = -ENOMEM;
3314 expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT);
3315 if (expr == NULL)
3316 goto err_expr_stateful;
3317
3318 err = nf_tables_newexpr(ctx, &expr_info, expr);
3319 if (err < 0)
3320 goto err_expr_new;
3321
3322 return expr;
3323 err_expr_new:
3324 kfree(expr);
3325 err_expr_stateful:
3326 owner = expr_info.ops->type->owner;
3327 if (expr_info.ops->type->release_ops)
3328 expr_info.ops->type->release_ops(expr_info.ops);
3329
3330 module_put(owner);
3331 err_expr_parse:
3332 return ERR_PTR(err);
3333 }
3334
nft_expr_clone(struct nft_expr * dst,struct nft_expr * src)3335 int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src)
3336 {
3337 int err;
3338
3339 if (src->ops->clone) {
3340 dst->ops = src->ops;
3341 err = src->ops->clone(dst, src);
3342 if (err < 0)
3343 return err;
3344 } else {
3345 memcpy(dst, src, src->ops->size);
3346 }
3347
3348 __module_get(src->ops->type->owner);
3349
3350 return 0;
3351 }
3352
nft_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)3353 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
3354 {
3355 nf_tables_expr_destroy(ctx, expr);
3356 kfree(expr);
3357 }
3358
3359 /*
3360 * Rules
3361 */
3362
__nft_rule_lookup(const struct net * net,const struct nft_chain * chain,u64 handle)3363 static struct nft_rule *__nft_rule_lookup(const struct net *net,
3364 const struct nft_chain *chain,
3365 u64 handle)
3366 {
3367 struct nft_rule *rule;
3368
3369 // FIXME: this sucks
3370 list_for_each_entry_rcu(rule, &chain->rules, list,
3371 lockdep_commit_lock_is_held(net)) {
3372 if (handle == rule->handle)
3373 return rule;
3374 }
3375
3376 return ERR_PTR(-ENOENT);
3377 }
3378
nft_rule_lookup(const struct net * net,const struct nft_chain * chain,const struct nlattr * nla)3379 static struct nft_rule *nft_rule_lookup(const struct net *net,
3380 const struct nft_chain *chain,
3381 const struct nlattr *nla)
3382 {
3383 if (nla == NULL)
3384 return ERR_PTR(-EINVAL);
3385
3386 return __nft_rule_lookup(net, chain, be64_to_cpu(nla_get_be64(nla)));
3387 }
3388
3389 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
3390 [NFTA_RULE_TABLE] = { .type = NLA_STRING,
3391 .len = NFT_TABLE_MAXNAMELEN - 1 },
3392 [NFTA_RULE_CHAIN] = { .type = NLA_STRING,
3393 .len = NFT_CHAIN_MAXNAMELEN - 1 },
3394 [NFTA_RULE_HANDLE] = { .type = NLA_U64 },
3395 [NFTA_RULE_EXPRESSIONS] = { .type = NLA_NESTED },
3396 [NFTA_RULE_COMPAT] = { .type = NLA_NESTED },
3397 [NFTA_RULE_POSITION] = { .type = NLA_U64 },
3398 [NFTA_RULE_USERDATA] = { .type = NLA_BINARY,
3399 .len = NFT_USERDATA_MAXLEN },
3400 [NFTA_RULE_ID] = { .type = NLA_U32 },
3401 [NFTA_RULE_POSITION_ID] = { .type = NLA_U32 },
3402 [NFTA_RULE_CHAIN_ID] = { .type = NLA_U32 },
3403 };
3404
nf_tables_fill_rule_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,const struct nft_chain * chain,const struct nft_rule * rule,u64 handle,bool reset)3405 static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
3406 u32 portid, u32 seq, int event,
3407 u32 flags, int family,
3408 const struct nft_table *table,
3409 const struct nft_chain *chain,
3410 const struct nft_rule *rule, u64 handle,
3411 bool reset)
3412 {
3413 struct nlmsghdr *nlh;
3414 const struct nft_expr *expr, *next;
3415 struct nlattr *list;
3416 u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
3417
3418 nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0,
3419 nft_base_seq(net));
3420 if (!nlh)
3421 goto nla_put_failure;
3422
3423 if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
3424 goto nla_put_failure;
3425 if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name))
3426 goto nla_put_failure;
3427 if (nla_put_be64(skb, NFTA_RULE_HANDLE, cpu_to_be64(rule->handle),
3428 NFTA_RULE_PAD))
3429 goto nla_put_failure;
3430
3431 if (event != NFT_MSG_DELRULE && handle) {
3432 if (nla_put_be64(skb, NFTA_RULE_POSITION, cpu_to_be64(handle),
3433 NFTA_RULE_PAD))
3434 goto nla_put_failure;
3435 }
3436
3437 if (chain->flags & NFT_CHAIN_HW_OFFLOAD)
3438 nft_flow_rule_stats(chain, rule);
3439
3440 list = nla_nest_start_noflag(skb, NFTA_RULE_EXPRESSIONS);
3441 if (list == NULL)
3442 goto nla_put_failure;
3443 nft_rule_for_each_expr(expr, next, rule) {
3444 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0)
3445 goto nla_put_failure;
3446 }
3447 nla_nest_end(skb, list);
3448
3449 if (rule->udata) {
3450 struct nft_userdata *udata = nft_userdata(rule);
3451 if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
3452 udata->data) < 0)
3453 goto nla_put_failure;
3454 }
3455
3456 nlmsg_end(skb, nlh);
3457 return 0;
3458
3459 nla_put_failure:
3460 nlmsg_trim(skb, nlh);
3461 return -1;
3462 }
3463
nf_tables_rule_notify(const struct nft_ctx * ctx,const struct nft_rule * rule,int event)3464 static void nf_tables_rule_notify(const struct nft_ctx *ctx,
3465 const struct nft_rule *rule, int event)
3466 {
3467 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
3468 const struct nft_rule *prule;
3469 struct sk_buff *skb;
3470 u64 handle = 0;
3471 u16 flags = 0;
3472 int err;
3473
3474 if (!ctx->report &&
3475 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
3476 return;
3477
3478 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
3479 if (skb == NULL)
3480 goto err;
3481
3482 if (event == NFT_MSG_NEWRULE &&
3483 !list_is_first(&rule->list, &ctx->chain->rules) &&
3484 !list_is_last(&rule->list, &ctx->chain->rules)) {
3485 prule = list_prev_entry(rule, list);
3486 handle = prule->handle;
3487 }
3488 if (ctx->flags & (NLM_F_APPEND | NLM_F_REPLACE))
3489 flags |= NLM_F_APPEND;
3490 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
3491 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
3492
3493 err = nf_tables_fill_rule_info(skb, ctx->net, ctx->portid, ctx->seq,
3494 event, flags, ctx->family, ctx->table,
3495 ctx->chain, rule, handle, false);
3496 if (err < 0) {
3497 kfree_skb(skb);
3498 goto err;
3499 }
3500
3501 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
3502 return;
3503 err:
3504 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
3505 }
3506
audit_log_rule_reset(const struct nft_table * table,unsigned int base_seq,unsigned int nentries)3507 static void audit_log_rule_reset(const struct nft_table *table,
3508 unsigned int base_seq,
3509 unsigned int nentries)
3510 {
3511 char *buf = kasprintf(GFP_ATOMIC, "%s:%u",
3512 table->name, base_seq);
3513
3514 audit_log_nfcfg(buf, table->family, nentries,
3515 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC);
3516 kfree(buf);
3517 }
3518
3519 struct nft_rule_dump_ctx {
3520 char *table;
3521 char *chain;
3522 };
3523
__nf_tables_dump_rules(struct sk_buff * skb,unsigned int * idx,struct netlink_callback * cb,const struct nft_table * table,const struct nft_chain * chain,bool reset)3524 static int __nf_tables_dump_rules(struct sk_buff *skb,
3525 unsigned int *idx,
3526 struct netlink_callback *cb,
3527 const struct nft_table *table,
3528 const struct nft_chain *chain,
3529 bool reset)
3530 {
3531 struct net *net = sock_net(skb->sk);
3532 const struct nft_rule *rule, *prule;
3533 unsigned int s_idx = cb->args[0];
3534 unsigned int entries = 0;
3535 int ret = 0;
3536 u64 handle;
3537
3538 prule = NULL;
3539 list_for_each_entry_rcu(rule, &chain->rules, list) {
3540 if (!nft_is_active(net, rule))
3541 goto cont_skip;
3542 if (*idx < s_idx)
3543 goto cont;
3544 if (prule)
3545 handle = prule->handle;
3546 else
3547 handle = 0;
3548
3549 if (nf_tables_fill_rule_info(skb, net, NETLINK_CB(cb->skb).portid,
3550 cb->nlh->nlmsg_seq,
3551 NFT_MSG_NEWRULE,
3552 NLM_F_MULTI | NLM_F_APPEND,
3553 table->family,
3554 table, chain, rule, handle, reset) < 0) {
3555 ret = 1;
3556 break;
3557 }
3558 entries++;
3559 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
3560 cont:
3561 prule = rule;
3562 cont_skip:
3563 (*idx)++;
3564 }
3565
3566 if (reset && entries)
3567 audit_log_rule_reset(table, cb->seq, entries);
3568
3569 return ret;
3570 }
3571
nf_tables_dump_rules(struct sk_buff * skb,struct netlink_callback * cb)3572 static int nf_tables_dump_rules(struct sk_buff *skb,
3573 struct netlink_callback *cb)
3574 {
3575 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
3576 const struct nft_rule_dump_ctx *ctx = cb->data;
3577 struct nft_table *table;
3578 const struct nft_chain *chain;
3579 unsigned int idx = 0;
3580 struct net *net = sock_net(skb->sk);
3581 int family = nfmsg->nfgen_family;
3582 struct nftables_pernet *nft_net;
3583 bool reset = false;
3584
3585 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETRULE_RESET)
3586 reset = true;
3587
3588 rcu_read_lock();
3589 nft_net = nft_pernet(net);
3590 cb->seq = READ_ONCE(nft_net->base_seq);
3591
3592 list_for_each_entry_rcu(table, &nft_net->tables, list) {
3593 if (family != NFPROTO_UNSPEC && family != table->family)
3594 continue;
3595
3596 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
3597 continue;
3598
3599 if (ctx && ctx->table && ctx->chain) {
3600 struct rhlist_head *list, *tmp;
3601
3602 list = rhltable_lookup(&table->chains_ht, ctx->chain,
3603 nft_chain_ht_params);
3604 if (!list)
3605 goto done;
3606
3607 rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
3608 if (!nft_is_active(net, chain))
3609 continue;
3610 __nf_tables_dump_rules(skb, &idx,
3611 cb, table, chain, reset);
3612 break;
3613 }
3614 goto done;
3615 }
3616
3617 list_for_each_entry_rcu(chain, &table->chains, list) {
3618 if (__nf_tables_dump_rules(skb, &idx,
3619 cb, table, chain, reset))
3620 goto done;
3621 }
3622
3623 if (ctx && ctx->table)
3624 break;
3625 }
3626 done:
3627 rcu_read_unlock();
3628
3629 cb->args[0] = idx;
3630 return skb->len;
3631 }
3632
nf_tables_dump_rules_start(struct netlink_callback * cb)3633 static int nf_tables_dump_rules_start(struct netlink_callback *cb)
3634 {
3635 const struct nlattr * const *nla = cb->data;
3636 struct nft_rule_dump_ctx *ctx = NULL;
3637
3638 if (nla[NFTA_RULE_TABLE] || nla[NFTA_RULE_CHAIN]) {
3639 ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
3640 if (!ctx)
3641 return -ENOMEM;
3642
3643 if (nla[NFTA_RULE_TABLE]) {
3644 ctx->table = nla_strdup(nla[NFTA_RULE_TABLE],
3645 GFP_ATOMIC);
3646 if (!ctx->table) {
3647 kfree(ctx);
3648 return -ENOMEM;
3649 }
3650 }
3651 if (nla[NFTA_RULE_CHAIN]) {
3652 ctx->chain = nla_strdup(nla[NFTA_RULE_CHAIN],
3653 GFP_ATOMIC);
3654 if (!ctx->chain) {
3655 kfree(ctx->table);
3656 kfree(ctx);
3657 return -ENOMEM;
3658 }
3659 }
3660 }
3661
3662 cb->data = ctx;
3663 return 0;
3664 }
3665
nf_tables_dump_rules_done(struct netlink_callback * cb)3666 static int nf_tables_dump_rules_done(struct netlink_callback *cb)
3667 {
3668 struct nft_rule_dump_ctx *ctx = cb->data;
3669
3670 if (ctx) {
3671 kfree(ctx->table);
3672 kfree(ctx->chain);
3673 kfree(ctx);
3674 }
3675 return 0;
3676 }
3677
3678 /* Caller must hold rcu read lock or transaction mutex */
3679 static struct sk_buff *
nf_tables_getrule_single(u32 portid,const struct nfnl_info * info,const struct nlattr * const nla[],bool reset)3680 nf_tables_getrule_single(u32 portid, const struct nfnl_info *info,
3681 const struct nlattr * const nla[], bool reset)
3682 {
3683 struct netlink_ext_ack *extack = info->extack;
3684 u8 genmask = nft_genmask_cur(info->net);
3685 u8 family = info->nfmsg->nfgen_family;
3686 const struct nft_chain *chain;
3687 const struct nft_rule *rule;
3688 struct net *net = info->net;
3689 struct nft_table *table;
3690 struct sk_buff *skb2;
3691 int err;
3692
3693 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask, 0);
3694 if (IS_ERR(table)) {
3695 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3696 return ERR_CAST(table);
3697 }
3698
3699 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN], genmask);
3700 if (IS_ERR(chain)) {
3701 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3702 return ERR_CAST(chain);
3703 }
3704
3705 rule = nft_rule_lookup(net, chain, nla[NFTA_RULE_HANDLE]);
3706 if (IS_ERR(rule)) {
3707 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3708 return ERR_CAST(rule);
3709 }
3710
3711 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
3712 if (!skb2)
3713 return ERR_PTR(-ENOMEM);
3714
3715 err = nf_tables_fill_rule_info(skb2, net, portid,
3716 info->nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3717 family, table, chain, rule, 0, reset);
3718 if (err < 0) {
3719 kfree_skb(skb2);
3720 return ERR_PTR(err);
3721 }
3722
3723 return skb2;
3724 }
3725
nf_tables_getrule(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])3726 static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info,
3727 const struct nlattr * const nla[])
3728 {
3729 struct nftables_pernet *nft_net = nft_pernet(info->net);
3730 u32 portid = NETLINK_CB(skb).portid;
3731 struct net *net = info->net;
3732 struct sk_buff *skb2;
3733 bool reset = false;
3734 char *buf;
3735
3736 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3737 struct netlink_dump_control c = {
3738 .start= nf_tables_dump_rules_start,
3739 .dump = nf_tables_dump_rules,
3740 .done = nf_tables_dump_rules_done,
3741 .module = THIS_MODULE,
3742 .data = (void *)nla,
3743 };
3744
3745 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
3746 }
3747
3748 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETRULE_RESET)
3749 reset = true;
3750
3751 skb2 = nf_tables_getrule_single(portid, info, nla, reset);
3752 if (IS_ERR(skb2))
3753 return PTR_ERR(skb2);
3754
3755 if (!reset)
3756 return nfnetlink_unicast(skb2, net, portid);
3757
3758 buf = kasprintf(GFP_ATOMIC, "%.*s:%u",
3759 nla_len(nla[NFTA_RULE_TABLE]),
3760 (char *)nla_data(nla[NFTA_RULE_TABLE]),
3761 nft_net->base_seq);
3762 audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1,
3763 AUDIT_NFT_OP_RULE_RESET, GFP_ATOMIC);
3764 kfree(buf);
3765
3766 return nfnetlink_unicast(skb2, net, portid);
3767 }
3768
nf_tables_rule_destroy(const struct nft_ctx * ctx,struct nft_rule * rule)3769 void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule)
3770 {
3771 struct nft_expr *expr, *next;
3772
3773 /*
3774 * Careful: some expressions might not be initialized in case this
3775 * is called on error from nf_tables_newrule().
3776 */
3777 expr = nft_expr_first(rule);
3778 while (nft_expr_more(rule, expr)) {
3779 next = nft_expr_next(expr);
3780 nf_tables_expr_destroy(ctx, expr);
3781 expr = next;
3782 }
3783 kfree(rule);
3784 }
3785
3786 /* can only be used if rule is no longer visible to dumps */
nf_tables_rule_release(const struct nft_ctx * ctx,struct nft_rule * rule)3787 static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
3788 {
3789 lockdep_commit_lock_is_held(ctx->net);
3790
3791 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
3792 nf_tables_rule_destroy(ctx, rule);
3793 }
3794
3795 /** nft_chain_validate - loop detection and hook validation
3796 *
3797 * @ctx: context containing call depth and base chain
3798 * @chain: chain to validate
3799 *
3800 * Walk through the rules of the given chain and chase all jumps/gotos
3801 * and set lookups until either the jump limit is hit or all reachable
3802 * chains have been validated.
3803 */
nft_chain_validate(const struct nft_ctx * ctx,const struct nft_chain * chain)3804 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
3805 {
3806 struct nft_expr *expr, *last;
3807 const struct nft_data *data;
3808 struct nft_rule *rule;
3809 int err;
3810
3811 if (ctx->level == NFT_JUMP_STACK_SIZE)
3812 return -EMLINK;
3813
3814 list_for_each_entry(rule, &chain->rules, list) {
3815 if (fatal_signal_pending(current))
3816 return -EINTR;
3817
3818 if (!nft_is_active_next(ctx->net, rule))
3819 continue;
3820
3821 nft_rule_for_each_expr(expr, last, rule) {
3822 if (!expr->ops->validate)
3823 continue;
3824
3825 /* This may call nft_chain_validate() recursively,
3826 * callers that do so must increment ctx->level.
3827 */
3828 err = expr->ops->validate(ctx, expr, &data);
3829 if (err < 0)
3830 return err;
3831 }
3832 }
3833
3834 return 0;
3835 }
3836 EXPORT_SYMBOL_GPL(nft_chain_validate);
3837
nft_table_validate(struct net * net,const struct nft_table * table)3838 static int nft_table_validate(struct net *net, const struct nft_table *table)
3839 {
3840 struct nft_chain *chain;
3841 struct nft_ctx ctx = {
3842 .net = net,
3843 .family = table->family,
3844 };
3845 int err;
3846
3847 list_for_each_entry(chain, &table->chains, list) {
3848 if (!nft_is_base_chain(chain))
3849 continue;
3850
3851 ctx.chain = chain;
3852 err = nft_chain_validate(&ctx, chain);
3853 if (err < 0)
3854 return err;
3855
3856 cond_resched();
3857 }
3858
3859 return 0;
3860 }
3861
nft_setelem_validate(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_set_elem * elem)3862 int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
3863 const struct nft_set_iter *iter,
3864 struct nft_set_elem *elem)
3865 {
3866 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
3867 struct nft_ctx *pctx = (struct nft_ctx *)ctx;
3868 const struct nft_data *data;
3869 int err;
3870
3871 if (!nft_set_elem_active(ext, iter->genmask))
3872 return 0;
3873
3874 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
3875 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
3876 return 0;
3877
3878 data = nft_set_ext_data(ext);
3879 switch (data->verdict.code) {
3880 case NFT_JUMP:
3881 case NFT_GOTO:
3882 pctx->level++;
3883 err = nft_chain_validate(ctx, data->verdict.chain);
3884 if (err < 0)
3885 return err;
3886 pctx->level--;
3887 break;
3888 default:
3889 break;
3890 }
3891
3892 return 0;
3893 }
3894
nft_set_catchall_validate(const struct nft_ctx * ctx,struct nft_set * set)3895 int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set)
3896 {
3897 struct nft_set_iter dummy_iter = {
3898 .genmask = nft_genmask_next(ctx->net),
3899 };
3900 struct nft_set_elem_catchall *catchall;
3901 struct nft_set_elem elem;
3902
3903 struct nft_set_ext *ext;
3904 int ret = 0;
3905
3906 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
3907 ext = nft_set_elem_ext(set, catchall->elem);
3908 if (!nft_set_elem_active(ext, dummy_iter.genmask))
3909 continue;
3910
3911 elem.priv = catchall->elem;
3912 ret = nft_setelem_validate(ctx, set, &dummy_iter, &elem);
3913 if (ret < 0)
3914 return ret;
3915 }
3916
3917 return ret;
3918 }
3919
3920 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
3921 const struct nft_chain *chain,
3922 const struct nlattr *nla);
3923
3924 #define NFT_RULE_MAXEXPRS 128
3925
nf_tables_newrule(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])3926 static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
3927 const struct nlattr * const nla[])
3928 {
3929 struct nftables_pernet *nft_net = nft_pernet(info->net);
3930 struct netlink_ext_ack *extack = info->extack;
3931 unsigned int size, i, n, ulen = 0, usize = 0;
3932 u8 genmask = nft_genmask_next(info->net);
3933 struct nft_rule *rule, *old_rule = NULL;
3934 struct nft_expr_info *expr_info = NULL;
3935 u8 family = info->nfmsg->nfgen_family;
3936 struct nft_flow_rule *flow = NULL;
3937 struct net *net = info->net;
3938 struct nft_userdata *udata;
3939 struct nft_table *table;
3940 struct nft_chain *chain;
3941 struct nft_trans *trans;
3942 u64 handle, pos_handle;
3943 struct nft_expr *expr;
3944 struct nft_ctx ctx;
3945 struct nlattr *tmp;
3946 int err, rem;
3947
3948 lockdep_assert_held(&nft_net->commit_mutex);
3949
3950 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
3951 NETLINK_CB(skb).portid);
3952 if (IS_ERR(table)) {
3953 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
3954 return PTR_ERR(table);
3955 }
3956
3957 if (nla[NFTA_RULE_CHAIN]) {
3958 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
3959 genmask);
3960 if (IS_ERR(chain)) {
3961 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
3962 return PTR_ERR(chain);
3963 }
3964
3965 } else if (nla[NFTA_RULE_CHAIN_ID]) {
3966 chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID],
3967 genmask);
3968 if (IS_ERR(chain)) {
3969 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
3970 return PTR_ERR(chain);
3971 }
3972 } else {
3973 return -EINVAL;
3974 }
3975
3976 if (nft_chain_is_bound(chain))
3977 return -EOPNOTSUPP;
3978
3979 if (nla[NFTA_RULE_HANDLE]) {
3980 handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
3981 rule = __nft_rule_lookup(net, chain, handle);
3982 if (IS_ERR(rule)) {
3983 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3984 return PTR_ERR(rule);
3985 }
3986
3987 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
3988 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
3989 return -EEXIST;
3990 }
3991 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
3992 old_rule = rule;
3993 else
3994 return -EOPNOTSUPP;
3995 } else {
3996 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE) ||
3997 info->nlh->nlmsg_flags & NLM_F_REPLACE)
3998 return -EINVAL;
3999 handle = nf_tables_alloc_handle(table);
4000
4001 if (nla[NFTA_RULE_POSITION]) {
4002 pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
4003 old_rule = __nft_rule_lookup(net, chain, pos_handle);
4004 if (IS_ERR(old_rule)) {
4005 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
4006 return PTR_ERR(old_rule);
4007 }
4008 } else if (nla[NFTA_RULE_POSITION_ID]) {
4009 old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]);
4010 if (IS_ERR(old_rule)) {
4011 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]);
4012 return PTR_ERR(old_rule);
4013 }
4014 }
4015 }
4016
4017 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
4018
4019 n = 0;
4020 size = 0;
4021 if (nla[NFTA_RULE_EXPRESSIONS]) {
4022 expr_info = kvmalloc_array(NFT_RULE_MAXEXPRS,
4023 sizeof(struct nft_expr_info),
4024 GFP_KERNEL);
4025 if (!expr_info)
4026 return -ENOMEM;
4027
4028 nla_for_each_nested(tmp, nla[NFTA_RULE_EXPRESSIONS], rem) {
4029 err = -EINVAL;
4030 if (nla_type(tmp) != NFTA_LIST_ELEM)
4031 goto err_release_expr;
4032 if (n == NFT_RULE_MAXEXPRS)
4033 goto err_release_expr;
4034 err = nf_tables_expr_parse(&ctx, tmp, &expr_info[n]);
4035 if (err < 0) {
4036 NL_SET_BAD_ATTR(extack, tmp);
4037 goto err_release_expr;
4038 }
4039 size += expr_info[n].ops->size;
4040 n++;
4041 }
4042 }
4043 /* Check for overflow of dlen field */
4044 err = -EFBIG;
4045 if (size >= 1 << 12)
4046 goto err_release_expr;
4047
4048 if (nla[NFTA_RULE_USERDATA]) {
4049 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
4050 if (ulen > 0)
4051 usize = sizeof(struct nft_userdata) + ulen;
4052 }
4053
4054 err = -ENOMEM;
4055 rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT);
4056 if (rule == NULL)
4057 goto err_release_expr;
4058
4059 nft_activate_next(net, rule);
4060
4061 rule->handle = handle;
4062 rule->dlen = size;
4063 rule->udata = ulen ? 1 : 0;
4064
4065 if (ulen) {
4066 udata = nft_userdata(rule);
4067 udata->len = ulen - 1;
4068 nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
4069 }
4070
4071 expr = nft_expr_first(rule);
4072 for (i = 0; i < n; i++) {
4073 err = nf_tables_newexpr(&ctx, &expr_info[i], expr);
4074 if (err < 0) {
4075 NL_SET_BAD_ATTR(extack, expr_info[i].attr);
4076 goto err_release_rule;
4077 }
4078
4079 if (expr_info[i].ops->validate)
4080 nft_validate_state_update(table, NFT_VALIDATE_NEED);
4081
4082 expr_info[i].ops = NULL;
4083 expr = nft_expr_next(expr);
4084 }
4085
4086 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
4087 flow = nft_flow_rule_create(net, rule);
4088 if (IS_ERR(flow)) {
4089 err = PTR_ERR(flow);
4090 goto err_release_rule;
4091 }
4092 }
4093
4094 if (!nft_use_inc(&chain->use)) {
4095 err = -EMFILE;
4096 goto err_release_rule;
4097 }
4098
4099 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
4100 if (nft_chain_binding(chain)) {
4101 err = -EOPNOTSUPP;
4102 goto err_destroy_flow_rule;
4103 }
4104
4105 err = nft_delrule(&ctx, old_rule);
4106 if (err < 0)
4107 goto err_destroy_flow_rule;
4108
4109 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
4110 if (trans == NULL) {
4111 err = -ENOMEM;
4112 goto err_destroy_flow_rule;
4113 }
4114 list_add_tail_rcu(&rule->list, &old_rule->list);
4115 } else {
4116 trans = nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule);
4117 if (!trans) {
4118 err = -ENOMEM;
4119 goto err_destroy_flow_rule;
4120 }
4121
4122 if (info->nlh->nlmsg_flags & NLM_F_APPEND) {
4123 if (old_rule)
4124 list_add_rcu(&rule->list, &old_rule->list);
4125 else
4126 list_add_tail_rcu(&rule->list, &chain->rules);
4127 } else {
4128 if (old_rule)
4129 list_add_tail_rcu(&rule->list, &old_rule->list);
4130 else
4131 list_add_rcu(&rule->list, &chain->rules);
4132 }
4133 }
4134 kvfree(expr_info);
4135
4136 if (flow)
4137 nft_trans_flow_rule(trans) = flow;
4138
4139 if (table->validate_state == NFT_VALIDATE_DO)
4140 return nft_table_validate(net, table);
4141
4142 return 0;
4143
4144 err_destroy_flow_rule:
4145 nft_use_dec_restore(&chain->use);
4146 if (flow)
4147 nft_flow_rule_destroy(flow);
4148 err_release_rule:
4149 nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR);
4150 nf_tables_rule_destroy(&ctx, rule);
4151 err_release_expr:
4152 for (i = 0; i < n; i++) {
4153 if (expr_info[i].ops) {
4154 module_put(expr_info[i].ops->type->owner);
4155 if (expr_info[i].ops->type->release_ops)
4156 expr_info[i].ops->type->release_ops(expr_info[i].ops);
4157 }
4158 }
4159 kvfree(expr_info);
4160
4161 return err;
4162 }
4163
nft_rule_lookup_byid(const struct net * net,const struct nft_chain * chain,const struct nlattr * nla)4164 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
4165 const struct nft_chain *chain,
4166 const struct nlattr *nla)
4167 {
4168 struct nftables_pernet *nft_net = nft_pernet(net);
4169 u32 id = ntohl(nla_get_be32(nla));
4170 struct nft_trans *trans;
4171
4172 list_for_each_entry(trans, &nft_net->commit_list, list) {
4173 if (trans->msg_type == NFT_MSG_NEWRULE &&
4174 trans->ctx.chain == chain &&
4175 id == nft_trans_rule_id(trans))
4176 return nft_trans_rule(trans);
4177 }
4178 return ERR_PTR(-ENOENT);
4179 }
4180
nf_tables_delrule(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])4181 static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
4182 const struct nlattr * const nla[])
4183 {
4184 struct netlink_ext_ack *extack = info->extack;
4185 u8 genmask = nft_genmask_next(info->net);
4186 u8 family = info->nfmsg->nfgen_family;
4187 struct nft_chain *chain = NULL;
4188 struct net *net = info->net;
4189 struct nft_table *table;
4190 struct nft_rule *rule;
4191 struct nft_ctx ctx;
4192 int err = 0;
4193
4194 table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask,
4195 NETLINK_CB(skb).portid);
4196 if (IS_ERR(table)) {
4197 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_TABLE]);
4198 return PTR_ERR(table);
4199 }
4200
4201 if (nla[NFTA_RULE_CHAIN]) {
4202 chain = nft_chain_lookup(net, table, nla[NFTA_RULE_CHAIN],
4203 genmask);
4204 if (IS_ERR(chain)) {
4205 if (PTR_ERR(chain) == -ENOENT &&
4206 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
4207 return 0;
4208
4209 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
4210 return PTR_ERR(chain);
4211 }
4212 if (nft_chain_binding(chain))
4213 return -EOPNOTSUPP;
4214 }
4215
4216 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
4217
4218 if (chain) {
4219 if (nla[NFTA_RULE_HANDLE]) {
4220 rule = nft_rule_lookup(info->net, chain, nla[NFTA_RULE_HANDLE]);
4221 if (IS_ERR(rule)) {
4222 if (PTR_ERR(rule) == -ENOENT &&
4223 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
4224 return 0;
4225
4226 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
4227 return PTR_ERR(rule);
4228 }
4229
4230 err = nft_delrule(&ctx, rule);
4231 } else if (nla[NFTA_RULE_ID]) {
4232 rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]);
4233 if (IS_ERR(rule)) {
4234 NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
4235 return PTR_ERR(rule);
4236 }
4237
4238 err = nft_delrule(&ctx, rule);
4239 } else {
4240 err = nft_delrule_by_chain(&ctx);
4241 }
4242 } else {
4243 list_for_each_entry(chain, &table->chains, list) {
4244 if (!nft_is_active_next(net, chain))
4245 continue;
4246 if (nft_chain_binding(chain))
4247 continue;
4248
4249 ctx.chain = chain;
4250 err = nft_delrule_by_chain(&ctx);
4251 if (err < 0)
4252 break;
4253 }
4254 }
4255
4256 return err;
4257 }
4258
4259 /*
4260 * Sets
4261 */
4262 static const struct nft_set_type *nft_set_types[] = {
4263 &nft_set_hash_fast_type,
4264 &nft_set_hash_type,
4265 &nft_set_rhash_type,
4266 &nft_set_bitmap_type,
4267 &nft_set_rbtree_type,
4268 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
4269 &nft_set_pipapo_avx2_type,
4270 #endif
4271 &nft_set_pipapo_type,
4272 };
4273
4274 #define NFT_SET_FEATURES (NFT_SET_INTERVAL | NFT_SET_MAP | \
4275 NFT_SET_TIMEOUT | NFT_SET_OBJECT | \
4276 NFT_SET_EVAL)
4277
nft_set_ops_candidate(const struct nft_set_type * type,u32 flags)4278 static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
4279 {
4280 return (flags & type->features) == (flags & NFT_SET_FEATURES);
4281 }
4282
4283 /*
4284 * Select a set implementation based on the data characteristics and the
4285 * given policy. The total memory use might not be known if no size is
4286 * given, in that case the amount of memory per element is used.
4287 */
4288 static const struct nft_set_ops *
nft_select_set_ops(const struct nft_ctx * ctx,const struct nlattr * const nla[],const struct nft_set_desc * desc)4289 nft_select_set_ops(const struct nft_ctx *ctx,
4290 const struct nlattr * const nla[],
4291 const struct nft_set_desc *desc)
4292 {
4293 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
4294 const struct nft_set_ops *ops, *bops;
4295 struct nft_set_estimate est, best;
4296 const struct nft_set_type *type;
4297 u32 flags = 0;
4298 int i;
4299
4300 lockdep_assert_held(&nft_net->commit_mutex);
4301 lockdep_nfnl_nft_mutex_not_held();
4302
4303 if (nla[NFTA_SET_FLAGS] != NULL)
4304 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
4305
4306 bops = NULL;
4307 best.size = ~0;
4308 best.lookup = ~0;
4309 best.space = ~0;
4310
4311 for (i = 0; i < ARRAY_SIZE(nft_set_types); i++) {
4312 type = nft_set_types[i];
4313 ops = &type->ops;
4314
4315 if (!nft_set_ops_candidate(type, flags))
4316 continue;
4317 if (!ops->estimate(desc, flags, &est))
4318 continue;
4319
4320 switch (desc->policy) {
4321 case NFT_SET_POL_PERFORMANCE:
4322 if (est.lookup < best.lookup)
4323 break;
4324 if (est.lookup == best.lookup &&
4325 est.space < best.space)
4326 break;
4327 continue;
4328 case NFT_SET_POL_MEMORY:
4329 if (!desc->size) {
4330 if (est.space < best.space)
4331 break;
4332 if (est.space == best.space &&
4333 est.lookup < best.lookup)
4334 break;
4335 } else if (est.size < best.size || !bops) {
4336 break;
4337 }
4338 continue;
4339 default:
4340 break;
4341 }
4342
4343 bops = ops;
4344 best = est;
4345 }
4346
4347 if (bops != NULL)
4348 return bops;
4349
4350 return ERR_PTR(-EOPNOTSUPP);
4351 }
4352
4353 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
4354 [NFTA_SET_TABLE] = { .type = NLA_STRING,
4355 .len = NFT_TABLE_MAXNAMELEN - 1 },
4356 [NFTA_SET_NAME] = { .type = NLA_STRING,
4357 .len = NFT_SET_MAXNAMELEN - 1 },
4358 [NFTA_SET_FLAGS] = { .type = NLA_U32 },
4359 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
4360 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
4361 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
4362 [NFTA_SET_DATA_LEN] = { .type = NLA_U32 },
4363 [NFTA_SET_POLICY] = { .type = NLA_U32 },
4364 [NFTA_SET_DESC] = { .type = NLA_NESTED },
4365 [NFTA_SET_ID] = { .type = NLA_U32 },
4366 [NFTA_SET_TIMEOUT] = { .type = NLA_U64 },
4367 [NFTA_SET_GC_INTERVAL] = { .type = NLA_U32 },
4368 [NFTA_SET_USERDATA] = { .type = NLA_BINARY,
4369 .len = NFT_USERDATA_MAXLEN },
4370 [NFTA_SET_OBJ_TYPE] = { .type = NLA_U32 },
4371 [NFTA_SET_HANDLE] = { .type = NLA_U64 },
4372 [NFTA_SET_EXPR] = { .type = NLA_NESTED },
4373 [NFTA_SET_EXPRESSIONS] = { .type = NLA_NESTED },
4374 };
4375
4376 static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
4377 [NFTA_SET_DESC_SIZE] = { .type = NLA_U32 },
4378 [NFTA_SET_DESC_CONCAT] = { .type = NLA_NESTED },
4379 };
4380
nft_set_lookup(const struct nft_table * table,const struct nlattr * nla,u8 genmask)4381 static struct nft_set *nft_set_lookup(const struct nft_table *table,
4382 const struct nlattr *nla, u8 genmask)
4383 {
4384 struct nft_set *set;
4385
4386 if (nla == NULL)
4387 return ERR_PTR(-EINVAL);
4388
4389 list_for_each_entry_rcu(set, &table->sets, list) {
4390 if (!nla_strcmp(nla, set->name) &&
4391 nft_active_genmask(set, genmask))
4392 return set;
4393 }
4394 return ERR_PTR(-ENOENT);
4395 }
4396
nft_set_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u8 genmask)4397 static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
4398 const struct nlattr *nla,
4399 u8 genmask)
4400 {
4401 struct nft_set *set;
4402
4403 list_for_each_entry(set, &table->sets, list) {
4404 if (be64_to_cpu(nla_get_be64(nla)) == set->handle &&
4405 nft_active_genmask(set, genmask))
4406 return set;
4407 }
4408 return ERR_PTR(-ENOENT);
4409 }
4410
nft_set_lookup_byid(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u8 genmask)4411 static struct nft_set *nft_set_lookup_byid(const struct net *net,
4412 const struct nft_table *table,
4413 const struct nlattr *nla, u8 genmask)
4414 {
4415 struct nftables_pernet *nft_net = nft_pernet(net);
4416 u32 id = ntohl(nla_get_be32(nla));
4417 struct nft_trans *trans;
4418
4419 list_for_each_entry(trans, &nft_net->commit_list, list) {
4420 if (trans->msg_type == NFT_MSG_NEWSET) {
4421 struct nft_set *set = nft_trans_set(trans);
4422
4423 if (id == nft_trans_set_id(trans) &&
4424 set->table == table &&
4425 nft_active_genmask(set, genmask))
4426 return set;
4427 }
4428 }
4429 return ERR_PTR(-ENOENT);
4430 }
4431
nft_set_lookup_global(const struct net * net,const struct nft_table * table,const struct nlattr * nla_set_name,const struct nlattr * nla_set_id,u8 genmask)4432 struct nft_set *nft_set_lookup_global(const struct net *net,
4433 const struct nft_table *table,
4434 const struct nlattr *nla_set_name,
4435 const struct nlattr *nla_set_id,
4436 u8 genmask)
4437 {
4438 struct nft_set *set;
4439
4440 set = nft_set_lookup(table, nla_set_name, genmask);
4441 if (IS_ERR(set)) {
4442 if (!nla_set_id)
4443 return set;
4444
4445 set = nft_set_lookup_byid(net, table, nla_set_id, genmask);
4446 }
4447 return set;
4448 }
4449 EXPORT_SYMBOL_GPL(nft_set_lookup_global);
4450
nf_tables_set_alloc_name(struct nft_ctx * ctx,struct nft_set * set,const char * name)4451 static int nf_tables_set_alloc_name(struct nft_ctx *ctx, struct nft_set *set,
4452 const char *name)
4453 {
4454 const struct nft_set *i;
4455 const char *p;
4456 unsigned long *inuse;
4457 unsigned int n = 0, min = 0;
4458
4459 p = strchr(name, '%');
4460 if (p != NULL) {
4461 if (p[1] != 'd' || strchr(p + 2, '%'))
4462 return -EINVAL;
4463
4464 if (strnlen(name, NFT_SET_MAX_ANONLEN) >= NFT_SET_MAX_ANONLEN)
4465 return -EINVAL;
4466
4467 inuse = (unsigned long *)get_zeroed_page(GFP_KERNEL);
4468 if (inuse == NULL)
4469 return -ENOMEM;
4470 cont:
4471 list_for_each_entry(i, &ctx->table->sets, list) {
4472 int tmp;
4473
4474 if (!nft_is_active_next(ctx->net, i))
4475 continue;
4476 if (!sscanf(i->name, name, &tmp))
4477 continue;
4478 if (tmp < min || tmp >= min + BITS_PER_BYTE * PAGE_SIZE)
4479 continue;
4480
4481 set_bit(tmp - min, inuse);
4482 }
4483
4484 n = find_first_zero_bit(inuse, BITS_PER_BYTE * PAGE_SIZE);
4485 if (n >= BITS_PER_BYTE * PAGE_SIZE) {
4486 min += BITS_PER_BYTE * PAGE_SIZE;
4487 memset(inuse, 0, PAGE_SIZE);
4488 goto cont;
4489 }
4490 free_page((unsigned long)inuse);
4491 }
4492
4493 set->name = kasprintf(GFP_KERNEL_ACCOUNT, name, min + n);
4494 if (!set->name)
4495 return -ENOMEM;
4496
4497 list_for_each_entry(i, &ctx->table->sets, list) {
4498 if (!nft_is_active_next(ctx->net, i))
4499 continue;
4500 if (!strcmp(set->name, i->name)) {
4501 kfree(set->name);
4502 set->name = NULL;
4503 return -ENFILE;
4504 }
4505 }
4506 return 0;
4507 }
4508
nf_msecs_to_jiffies64(const struct nlattr * nla,u64 * result)4509 int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
4510 {
4511 u64 ms = be64_to_cpu(nla_get_be64(nla));
4512 u64 max = (u64)(~((u64)0));
4513
4514 max = div_u64(max, NSEC_PER_MSEC);
4515 if (ms >= max)
4516 return -ERANGE;
4517
4518 ms *= NSEC_PER_MSEC;
4519 *result = nsecs_to_jiffies64(ms) ? : !!ms;
4520 return 0;
4521 }
4522
nf_jiffies64_to_msecs(u64 input)4523 __be64 nf_jiffies64_to_msecs(u64 input)
4524 {
4525 return cpu_to_be64(jiffies64_to_msecs(input));
4526 }
4527
nf_tables_fill_set_concat(struct sk_buff * skb,const struct nft_set * set)4528 static int nf_tables_fill_set_concat(struct sk_buff *skb,
4529 const struct nft_set *set)
4530 {
4531 struct nlattr *concat, *field;
4532 int i;
4533
4534 concat = nla_nest_start_noflag(skb, NFTA_SET_DESC_CONCAT);
4535 if (!concat)
4536 return -ENOMEM;
4537
4538 for (i = 0; i < set->field_count; i++) {
4539 field = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
4540 if (!field)
4541 return -ENOMEM;
4542
4543 if (nla_put_be32(skb, NFTA_SET_FIELD_LEN,
4544 htonl(set->field_len[i])))
4545 return -ENOMEM;
4546
4547 nla_nest_end(skb, field);
4548 }
4549
4550 nla_nest_end(skb, concat);
4551
4552 return 0;
4553 }
4554
nft_set_userspace_size(const struct nft_set_ops * ops,u32 size)4555 static u32 nft_set_userspace_size(const struct nft_set_ops *ops, u32 size)
4556 {
4557 if (ops->usize)
4558 return ops->usize(size);
4559
4560 return size;
4561 }
4562
nf_tables_fill_set(struct sk_buff * skb,const struct nft_ctx * ctx,const struct nft_set * set,u16 event,u16 flags)4563 static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
4564 const struct nft_set *set, u16 event, u16 flags)
4565 {
4566 u64 timeout = READ_ONCE(set->timeout);
4567 u32 gc_int = READ_ONCE(set->gc_int);
4568 u32 portid = ctx->portid;
4569 struct nlmsghdr *nlh;
4570 struct nlattr *nest;
4571 u32 seq = ctx->seq;
4572 int i;
4573
4574 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
4575 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
4576 NFNETLINK_V0, nft_base_seq(ctx->net));
4577 if (!nlh)
4578 goto nla_put_failure;
4579
4580 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
4581 goto nla_put_failure;
4582 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
4583 goto nla_put_failure;
4584 if (nla_put_be64(skb, NFTA_SET_HANDLE, cpu_to_be64(set->handle),
4585 NFTA_SET_PAD))
4586 goto nla_put_failure;
4587
4588 if (event == NFT_MSG_DELSET) {
4589 nlmsg_end(skb, nlh);
4590 return 0;
4591 }
4592
4593 if (set->flags != 0)
4594 if (nla_put_be32(skb, NFTA_SET_FLAGS, htonl(set->flags)))
4595 goto nla_put_failure;
4596
4597 if (nla_put_be32(skb, NFTA_SET_KEY_TYPE, htonl(set->ktype)))
4598 goto nla_put_failure;
4599 if (nla_put_be32(skb, NFTA_SET_KEY_LEN, htonl(set->klen)))
4600 goto nla_put_failure;
4601 if (set->flags & NFT_SET_MAP) {
4602 if (nla_put_be32(skb, NFTA_SET_DATA_TYPE, htonl(set->dtype)))
4603 goto nla_put_failure;
4604 if (nla_put_be32(skb, NFTA_SET_DATA_LEN, htonl(set->dlen)))
4605 goto nla_put_failure;
4606 }
4607 if (set->flags & NFT_SET_OBJECT &&
4608 nla_put_be32(skb, NFTA_SET_OBJ_TYPE, htonl(set->objtype)))
4609 goto nla_put_failure;
4610
4611 if (timeout &&
4612 nla_put_be64(skb, NFTA_SET_TIMEOUT,
4613 nf_jiffies64_to_msecs(timeout),
4614 NFTA_SET_PAD))
4615 goto nla_put_failure;
4616 if (gc_int &&
4617 nla_put_be32(skb, NFTA_SET_GC_INTERVAL, htonl(gc_int)))
4618 goto nla_put_failure;
4619
4620 if (set->policy != NFT_SET_POL_PERFORMANCE) {
4621 if (nla_put_be32(skb, NFTA_SET_POLICY, htonl(set->policy)))
4622 goto nla_put_failure;
4623 }
4624
4625 if (set->udata &&
4626 nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
4627 goto nla_put_failure;
4628
4629 nest = nla_nest_start_noflag(skb, NFTA_SET_DESC);
4630 if (!nest)
4631 goto nla_put_failure;
4632 if (set->size &&
4633 nla_put_be32(skb, NFTA_SET_DESC_SIZE,
4634 htonl(nft_set_userspace_size(set->ops, set->size))))
4635 goto nla_put_failure;
4636
4637 if (set->field_count > 1 &&
4638 nf_tables_fill_set_concat(skb, set))
4639 goto nla_put_failure;
4640
4641 nla_nest_end(skb, nest);
4642
4643 if (set->num_exprs == 1) {
4644 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPR);
4645 if (nf_tables_fill_expr_info(skb, set->exprs[0], false) < 0)
4646 goto nla_put_failure;
4647
4648 nla_nest_end(skb, nest);
4649 } else if (set->num_exprs > 1) {
4650 nest = nla_nest_start_noflag(skb, NFTA_SET_EXPRESSIONS);
4651 if (nest == NULL)
4652 goto nla_put_failure;
4653
4654 for (i = 0; i < set->num_exprs; i++) {
4655 if (nft_expr_dump(skb, NFTA_LIST_ELEM,
4656 set->exprs[i], false) < 0)
4657 goto nla_put_failure;
4658 }
4659 nla_nest_end(skb, nest);
4660 }
4661
4662 nlmsg_end(skb, nlh);
4663 return 0;
4664
4665 nla_put_failure:
4666 nlmsg_trim(skb, nlh);
4667 return -1;
4668 }
4669
nf_tables_set_notify(const struct nft_ctx * ctx,const struct nft_set * set,int event,gfp_t gfp_flags)4670 static void nf_tables_set_notify(const struct nft_ctx *ctx,
4671 const struct nft_set *set, int event,
4672 gfp_t gfp_flags)
4673 {
4674 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
4675 u32 portid = ctx->portid;
4676 struct sk_buff *skb;
4677 u16 flags = 0;
4678 int err;
4679
4680 if (!ctx->report &&
4681 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
4682 return;
4683
4684 skb = nlmsg_new(NLMSG_GOODSIZE, gfp_flags);
4685 if (skb == NULL)
4686 goto err;
4687
4688 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
4689 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
4690
4691 err = nf_tables_fill_set(skb, ctx, set, event, flags);
4692 if (err < 0) {
4693 kfree_skb(skb);
4694 goto err;
4695 }
4696
4697 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
4698 return;
4699 err:
4700 nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
4701 }
4702
nf_tables_dump_sets(struct sk_buff * skb,struct netlink_callback * cb)4703 static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb)
4704 {
4705 const struct nft_set *set;
4706 unsigned int idx, s_idx = cb->args[0];
4707 struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
4708 struct net *net = sock_net(skb->sk);
4709 struct nft_ctx *ctx = cb->data, ctx_set;
4710 struct nftables_pernet *nft_net;
4711
4712 if (cb->args[1])
4713 return skb->len;
4714
4715 rcu_read_lock();
4716 nft_net = nft_pernet(net);
4717 cb->seq = READ_ONCE(nft_net->base_seq);
4718
4719 list_for_each_entry_rcu(table, &nft_net->tables, list) {
4720 if (ctx->family != NFPROTO_UNSPEC &&
4721 ctx->family != table->family)
4722 continue;
4723
4724 if (ctx->table && ctx->table != table)
4725 continue;
4726
4727 if (cur_table) {
4728 if (cur_table != table)
4729 continue;
4730
4731 cur_table = NULL;
4732 }
4733 idx = 0;
4734 list_for_each_entry_rcu(set, &table->sets, list) {
4735 if (idx < s_idx)
4736 goto cont;
4737 if (!nft_is_active(net, set))
4738 goto cont;
4739
4740 ctx_set = *ctx;
4741 ctx_set.table = table;
4742 ctx_set.family = table->family;
4743
4744 if (nf_tables_fill_set(skb, &ctx_set, set,
4745 NFT_MSG_NEWSET,
4746 NLM_F_MULTI) < 0) {
4747 cb->args[0] = idx;
4748 cb->args[2] = (unsigned long) table;
4749 goto done;
4750 }
4751 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
4752 cont:
4753 idx++;
4754 }
4755 if (s_idx)
4756 s_idx = 0;
4757 }
4758 cb->args[1] = 1;
4759 done:
4760 rcu_read_unlock();
4761 return skb->len;
4762 }
4763
nf_tables_dump_sets_start(struct netlink_callback * cb)4764 static int nf_tables_dump_sets_start(struct netlink_callback *cb)
4765 {
4766 struct nft_ctx *ctx_dump = NULL;
4767
4768 ctx_dump = kmemdup(cb->data, sizeof(*ctx_dump), GFP_ATOMIC);
4769 if (ctx_dump == NULL)
4770 return -ENOMEM;
4771
4772 cb->data = ctx_dump;
4773 return 0;
4774 }
4775
nf_tables_dump_sets_done(struct netlink_callback * cb)4776 static int nf_tables_dump_sets_done(struct netlink_callback *cb)
4777 {
4778 kfree(cb->data);
4779 return 0;
4780 }
4781
4782 /* called with rcu_read_lock held */
nf_tables_getset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])4783 static int nf_tables_getset(struct sk_buff *skb, const struct nfnl_info *info,
4784 const struct nlattr * const nla[])
4785 {
4786 struct netlink_ext_ack *extack = info->extack;
4787 u8 genmask = nft_genmask_cur(info->net);
4788 u8 family = info->nfmsg->nfgen_family;
4789 struct nft_table *table = NULL;
4790 struct net *net = info->net;
4791 const struct nft_set *set;
4792 struct sk_buff *skb2;
4793 struct nft_ctx ctx;
4794 int err;
4795
4796 if (nla[NFTA_SET_TABLE]) {
4797 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
4798 genmask, 0);
4799 if (IS_ERR(table)) {
4800 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
4801 return PTR_ERR(table);
4802 }
4803 }
4804
4805 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
4806
4807 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
4808 struct netlink_dump_control c = {
4809 .start = nf_tables_dump_sets_start,
4810 .dump = nf_tables_dump_sets,
4811 .done = nf_tables_dump_sets_done,
4812 .data = &ctx,
4813 .module = THIS_MODULE,
4814 };
4815
4816 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
4817 }
4818
4819 /* Only accept unspec with dump */
4820 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
4821 return -EAFNOSUPPORT;
4822 if (!nla[NFTA_SET_TABLE])
4823 return -EINVAL;
4824
4825 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
4826 if (IS_ERR(set))
4827 return PTR_ERR(set);
4828
4829 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
4830 if (skb2 == NULL)
4831 return -ENOMEM;
4832
4833 err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
4834 if (err < 0)
4835 goto err_fill_set_info;
4836
4837 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4838
4839 err_fill_set_info:
4840 kfree_skb(skb2);
4841 return err;
4842 }
4843
4844 static const struct nla_policy nft_concat_policy[NFTA_SET_FIELD_MAX + 1] = {
4845 [NFTA_SET_FIELD_LEN] = { .type = NLA_U32 },
4846 };
4847
nft_set_desc_concat_parse(const struct nlattr * attr,struct nft_set_desc * desc)4848 static int nft_set_desc_concat_parse(const struct nlattr *attr,
4849 struct nft_set_desc *desc)
4850 {
4851 struct nlattr *tb[NFTA_SET_FIELD_MAX + 1];
4852 u32 len;
4853 int err;
4854
4855 if (desc->field_count >= ARRAY_SIZE(desc->field_len))
4856 return -E2BIG;
4857
4858 err = nla_parse_nested_deprecated(tb, NFTA_SET_FIELD_MAX, attr,
4859 nft_concat_policy, NULL);
4860 if (err < 0)
4861 return err;
4862
4863 if (!tb[NFTA_SET_FIELD_LEN])
4864 return -EINVAL;
4865
4866 len = ntohl(nla_get_be32(tb[NFTA_SET_FIELD_LEN]));
4867 if (!len || len > U8_MAX)
4868 return -EINVAL;
4869
4870 desc->field_len[desc->field_count++] = len;
4871
4872 return 0;
4873 }
4874
nft_set_desc_concat(struct nft_set_desc * desc,const struct nlattr * nla)4875 static int nft_set_desc_concat(struct nft_set_desc *desc,
4876 const struct nlattr *nla)
4877 {
4878 u32 len = 0, num_regs;
4879 struct nlattr *attr;
4880 int rem, err, i;
4881
4882 nla_for_each_nested(attr, nla, rem) {
4883 if (nla_type(attr) != NFTA_LIST_ELEM)
4884 return -EINVAL;
4885
4886 err = nft_set_desc_concat_parse(attr, desc);
4887 if (err < 0)
4888 return err;
4889 }
4890
4891 for (i = 0; i < desc->field_count; i++)
4892 len += round_up(desc->field_len[i], sizeof(u32));
4893
4894 if (len != desc->klen)
4895 return -EINVAL;
4896
4897 num_regs = DIV_ROUND_UP(desc->klen, sizeof(u32));
4898 if (num_regs > NFT_REG32_COUNT)
4899 return -E2BIG;
4900
4901 return 0;
4902 }
4903
nf_tables_set_desc_parse(struct nft_set_desc * desc,const struct nlattr * nla)4904 static int nf_tables_set_desc_parse(struct nft_set_desc *desc,
4905 const struct nlattr *nla)
4906 {
4907 struct nlattr *da[NFTA_SET_DESC_MAX + 1];
4908 int err;
4909
4910 err = nla_parse_nested_deprecated(da, NFTA_SET_DESC_MAX, nla,
4911 nft_set_desc_policy, NULL);
4912 if (err < 0)
4913 return err;
4914
4915 if (da[NFTA_SET_DESC_SIZE] != NULL)
4916 desc->size = ntohl(nla_get_be32(da[NFTA_SET_DESC_SIZE]));
4917 if (da[NFTA_SET_DESC_CONCAT])
4918 err = nft_set_desc_concat(desc, da[NFTA_SET_DESC_CONCAT]);
4919
4920 return err;
4921 }
4922
nft_set_expr_alloc(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * const * nla,struct nft_expr ** exprs,int * num_exprs,u32 flags)4923 static int nft_set_expr_alloc(struct nft_ctx *ctx, struct nft_set *set,
4924 const struct nlattr * const *nla,
4925 struct nft_expr **exprs, int *num_exprs,
4926 u32 flags)
4927 {
4928 struct nft_expr *expr;
4929 int err, i;
4930
4931 if (nla[NFTA_SET_EXPR]) {
4932 expr = nft_set_elem_expr_alloc(ctx, set, nla[NFTA_SET_EXPR]);
4933 if (IS_ERR(expr)) {
4934 err = PTR_ERR(expr);
4935 goto err_set_expr_alloc;
4936 }
4937 exprs[0] = expr;
4938 (*num_exprs)++;
4939 } else if (nla[NFTA_SET_EXPRESSIONS]) {
4940 struct nlattr *tmp;
4941 int left;
4942
4943 if (!(flags & NFT_SET_EXPR)) {
4944 err = -EINVAL;
4945 goto err_set_expr_alloc;
4946 }
4947 i = 0;
4948 nla_for_each_nested(tmp, nla[NFTA_SET_EXPRESSIONS], left) {
4949 if (i == NFT_SET_EXPR_MAX) {
4950 err = -E2BIG;
4951 goto err_set_expr_alloc;
4952 }
4953 if (nla_type(tmp) != NFTA_LIST_ELEM) {
4954 err = -EINVAL;
4955 goto err_set_expr_alloc;
4956 }
4957 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
4958 if (IS_ERR(expr)) {
4959 err = PTR_ERR(expr);
4960 goto err_set_expr_alloc;
4961 }
4962 exprs[i++] = expr;
4963 (*num_exprs)++;
4964 }
4965 }
4966
4967 return 0;
4968
4969 err_set_expr_alloc:
4970 for (i = 0; i < *num_exprs; i++)
4971 nft_expr_destroy(ctx, exprs[i]);
4972
4973 return err;
4974 }
4975
nft_set_is_same(const struct nft_set * set,const struct nft_set_desc * desc,struct nft_expr * exprs[],u32 num_exprs,u32 flags)4976 static bool nft_set_is_same(const struct nft_set *set,
4977 const struct nft_set_desc *desc,
4978 struct nft_expr *exprs[], u32 num_exprs, u32 flags)
4979 {
4980 int i;
4981
4982 if (set->ktype != desc->ktype ||
4983 set->dtype != desc->dtype ||
4984 set->flags != flags ||
4985 set->klen != desc->klen ||
4986 set->dlen != desc->dlen ||
4987 set->field_count != desc->field_count ||
4988 set->num_exprs != num_exprs)
4989 return false;
4990
4991 for (i = 0; i < desc->field_count; i++) {
4992 if (set->field_len[i] != desc->field_len[i])
4993 return false;
4994 }
4995
4996 for (i = 0; i < num_exprs; i++) {
4997 if (set->exprs[i]->ops != exprs[i]->ops)
4998 return false;
4999 }
5000
5001 return true;
5002 }
5003
nft_set_kernel_size(const struct nft_set_ops * ops,const struct nft_set_desc * desc)5004 static u32 nft_set_kernel_size(const struct nft_set_ops *ops,
5005 const struct nft_set_desc *desc)
5006 {
5007 if (ops->ksize)
5008 return ops->ksize(desc->size);
5009
5010 return desc->size;
5011 }
5012
nf_tables_newset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])5013 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
5014 const struct nlattr * const nla[])
5015 {
5016 struct netlink_ext_ack *extack = info->extack;
5017 u8 genmask = nft_genmask_next(info->net);
5018 u8 family = info->nfmsg->nfgen_family;
5019 const struct nft_set_ops *ops;
5020 struct net *net = info->net;
5021 struct nft_set_desc desc;
5022 struct nft_table *table;
5023 unsigned char *udata;
5024 struct nft_set *set;
5025 struct nft_ctx ctx;
5026 size_t alloc_size;
5027 int num_exprs = 0;
5028 char *name;
5029 int err, i;
5030 u16 udlen;
5031 u32 flags;
5032 u64 size;
5033
5034 if (nla[NFTA_SET_TABLE] == NULL ||
5035 nla[NFTA_SET_NAME] == NULL ||
5036 nla[NFTA_SET_KEY_LEN] == NULL ||
5037 nla[NFTA_SET_ID] == NULL)
5038 return -EINVAL;
5039
5040 memset(&desc, 0, sizeof(desc));
5041
5042 desc.ktype = NFT_DATA_VALUE;
5043 if (nla[NFTA_SET_KEY_TYPE] != NULL) {
5044 desc.ktype = ntohl(nla_get_be32(nla[NFTA_SET_KEY_TYPE]));
5045 if ((desc.ktype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK)
5046 return -EINVAL;
5047 }
5048
5049 desc.klen = ntohl(nla_get_be32(nla[NFTA_SET_KEY_LEN]));
5050 if (desc.klen == 0 || desc.klen > NFT_DATA_VALUE_MAXLEN)
5051 return -EINVAL;
5052
5053 flags = 0;
5054 if (nla[NFTA_SET_FLAGS] != NULL) {
5055 flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
5056 if (flags & ~(NFT_SET_ANONYMOUS | NFT_SET_CONSTANT |
5057 NFT_SET_INTERVAL | NFT_SET_TIMEOUT |
5058 NFT_SET_MAP | NFT_SET_EVAL |
5059 NFT_SET_OBJECT | NFT_SET_CONCAT | NFT_SET_EXPR))
5060 return -EOPNOTSUPP;
5061 /* Only one of these operations is supported */
5062 if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
5063 (NFT_SET_MAP | NFT_SET_OBJECT))
5064 return -EOPNOTSUPP;
5065 if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
5066 (NFT_SET_EVAL | NFT_SET_OBJECT))
5067 return -EOPNOTSUPP;
5068 if ((flags & (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT | NFT_SET_EVAL)) ==
5069 (NFT_SET_ANONYMOUS | NFT_SET_TIMEOUT))
5070 return -EOPNOTSUPP;
5071 if ((flags & (NFT_SET_CONSTANT | NFT_SET_TIMEOUT)) ==
5072 (NFT_SET_CONSTANT | NFT_SET_TIMEOUT))
5073 return -EOPNOTSUPP;
5074 }
5075
5076 desc.dtype = 0;
5077 if (nla[NFTA_SET_DATA_TYPE] != NULL) {
5078 if (!(flags & NFT_SET_MAP))
5079 return -EINVAL;
5080
5081 desc.dtype = ntohl(nla_get_be32(nla[NFTA_SET_DATA_TYPE]));
5082 if ((desc.dtype & NFT_DATA_RESERVED_MASK) == NFT_DATA_RESERVED_MASK &&
5083 desc.dtype != NFT_DATA_VERDICT)
5084 return -EINVAL;
5085
5086 if (desc.dtype != NFT_DATA_VERDICT) {
5087 if (nla[NFTA_SET_DATA_LEN] == NULL)
5088 return -EINVAL;
5089 desc.dlen = ntohl(nla_get_be32(nla[NFTA_SET_DATA_LEN]));
5090 if (desc.dlen == 0 || desc.dlen > NFT_DATA_VALUE_MAXLEN)
5091 return -EINVAL;
5092 } else
5093 desc.dlen = sizeof(struct nft_verdict);
5094 } else if (flags & NFT_SET_MAP)
5095 return -EINVAL;
5096
5097 if (nla[NFTA_SET_OBJ_TYPE] != NULL) {
5098 if (!(flags & NFT_SET_OBJECT))
5099 return -EINVAL;
5100
5101 desc.objtype = ntohl(nla_get_be32(nla[NFTA_SET_OBJ_TYPE]));
5102 if (desc.objtype == NFT_OBJECT_UNSPEC ||
5103 desc.objtype > NFT_OBJECT_MAX)
5104 return -EOPNOTSUPP;
5105 } else if (flags & NFT_SET_OBJECT)
5106 return -EINVAL;
5107 else
5108 desc.objtype = NFT_OBJECT_UNSPEC;
5109
5110 desc.timeout = 0;
5111 if (nla[NFTA_SET_TIMEOUT] != NULL) {
5112 if (!(flags & NFT_SET_TIMEOUT))
5113 return -EINVAL;
5114
5115 if (flags & NFT_SET_ANONYMOUS)
5116 return -EOPNOTSUPP;
5117
5118 err = nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &desc.timeout);
5119 if (err)
5120 return err;
5121 }
5122 desc.gc_int = 0;
5123 if (nla[NFTA_SET_GC_INTERVAL] != NULL) {
5124 if (!(flags & NFT_SET_TIMEOUT))
5125 return -EINVAL;
5126
5127 if (flags & NFT_SET_ANONYMOUS)
5128 return -EOPNOTSUPP;
5129
5130 desc.gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL]));
5131 }
5132
5133 desc.policy = NFT_SET_POL_PERFORMANCE;
5134 if (nla[NFTA_SET_POLICY] != NULL) {
5135 desc.policy = ntohl(nla_get_be32(nla[NFTA_SET_POLICY]));
5136 switch (desc.policy) {
5137 case NFT_SET_POL_PERFORMANCE:
5138 case NFT_SET_POL_MEMORY:
5139 break;
5140 default:
5141 return -EOPNOTSUPP;
5142 }
5143 }
5144
5145 if (nla[NFTA_SET_DESC] != NULL) {
5146 err = nf_tables_set_desc_parse(&desc, nla[NFTA_SET_DESC]);
5147 if (err < 0)
5148 return err;
5149
5150 if (desc.field_count > 1) {
5151 if (!(flags & NFT_SET_CONCAT))
5152 return -EINVAL;
5153 } else if (flags & NFT_SET_CONCAT) {
5154 return -EINVAL;
5155 }
5156 } else if (flags & NFT_SET_CONCAT) {
5157 return -EINVAL;
5158 }
5159
5160 if (nla[NFTA_SET_EXPR] || nla[NFTA_SET_EXPRESSIONS])
5161 desc.expr = true;
5162
5163 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family, genmask,
5164 NETLINK_CB(skb).portid);
5165 if (IS_ERR(table)) {
5166 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5167 return PTR_ERR(table);
5168 }
5169
5170 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5171
5172 set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
5173 if (IS_ERR(set)) {
5174 if (PTR_ERR(set) != -ENOENT) {
5175 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5176 return PTR_ERR(set);
5177 }
5178 } else {
5179 struct nft_expr *exprs[NFT_SET_EXPR_MAX] = {};
5180
5181 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
5182 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5183 return -EEXIST;
5184 }
5185 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
5186 return -EOPNOTSUPP;
5187
5188 if (nft_set_is_anonymous(set))
5189 return -EOPNOTSUPP;
5190
5191 err = nft_set_expr_alloc(&ctx, set, nla, exprs, &num_exprs, flags);
5192 if (err < 0)
5193 return err;
5194
5195 if (desc.size)
5196 desc.size = nft_set_kernel_size(set->ops, &desc);
5197
5198 err = 0;
5199 if (!nft_set_is_same(set, &desc, exprs, num_exprs, flags)) {
5200 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
5201 err = -EEXIST;
5202 }
5203
5204 for (i = 0; i < num_exprs; i++)
5205 nft_expr_destroy(&ctx, exprs[i]);
5206
5207 if (err < 0)
5208 return err;
5209
5210 return __nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set, &desc);
5211 }
5212
5213 if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
5214 return -ENOENT;
5215
5216 ops = nft_select_set_ops(&ctx, nla, &desc);
5217 if (IS_ERR(ops))
5218 return PTR_ERR(ops);
5219
5220 if (desc.size)
5221 desc.size = nft_set_kernel_size(ops, &desc);
5222
5223 udlen = 0;
5224 if (nla[NFTA_SET_USERDATA])
5225 udlen = nla_len(nla[NFTA_SET_USERDATA]);
5226
5227 size = 0;
5228 if (ops->privsize != NULL)
5229 size = ops->privsize(nla, &desc);
5230 alloc_size = sizeof(*set) + size + udlen;
5231 if (alloc_size < size || alloc_size > INT_MAX)
5232 return -ENOMEM;
5233
5234 if (!nft_use_inc(&table->use))
5235 return -EMFILE;
5236
5237 set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT);
5238 if (!set) {
5239 err = -ENOMEM;
5240 goto err_alloc;
5241 }
5242
5243 name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT);
5244 if (!name) {
5245 err = -ENOMEM;
5246 goto err_set_name;
5247 }
5248
5249 err = nf_tables_set_alloc_name(&ctx, set, name);
5250 kfree(name);
5251 if (err < 0)
5252 goto err_set_name;
5253
5254 udata = NULL;
5255 if (udlen) {
5256 udata = set->data + size;
5257 nla_memcpy(udata, nla[NFTA_SET_USERDATA], udlen);
5258 }
5259
5260 INIT_LIST_HEAD(&set->bindings);
5261 INIT_LIST_HEAD(&set->catchall_list);
5262 refcount_set(&set->refs, 1);
5263 set->table = table;
5264 write_pnet(&set->net, net);
5265 set->ops = ops;
5266 set->ktype = desc.ktype;
5267 set->klen = desc.klen;
5268 set->dtype = desc.dtype;
5269 set->objtype = desc.objtype;
5270 set->dlen = desc.dlen;
5271 set->flags = flags;
5272 set->size = desc.size;
5273 set->policy = desc.policy;
5274 set->udlen = udlen;
5275 set->udata = udata;
5276 set->timeout = desc.timeout;
5277 set->gc_int = desc.gc_int;
5278
5279 set->field_count = desc.field_count;
5280 for (i = 0; i < desc.field_count; i++)
5281 set->field_len[i] = desc.field_len[i];
5282
5283 err = ops->init(set, &desc, nla);
5284 if (err < 0)
5285 goto err_set_init;
5286
5287 err = nft_set_expr_alloc(&ctx, set, nla, set->exprs, &num_exprs, flags);
5288 if (err < 0)
5289 goto err_set_destroy;
5290
5291 set->num_exprs = num_exprs;
5292 set->handle = nf_tables_alloc_handle(table);
5293 INIT_LIST_HEAD(&set->pending_update);
5294
5295 err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
5296 if (err < 0)
5297 goto err_set_expr_alloc;
5298
5299 list_add_tail_rcu(&set->list, &table->sets);
5300
5301 return 0;
5302
5303 err_set_expr_alloc:
5304 for (i = 0; i < set->num_exprs; i++)
5305 nft_expr_destroy(&ctx, set->exprs[i]);
5306 err_set_destroy:
5307 ops->destroy(&ctx, set);
5308 err_set_init:
5309 kfree(set->name);
5310 err_set_name:
5311 kvfree(set);
5312 err_alloc:
5313 nft_use_dec_restore(&table->use);
5314
5315 return err;
5316 }
5317
nft_set_catchall_destroy(const struct nft_ctx * ctx,struct nft_set * set)5318 static void nft_set_catchall_destroy(const struct nft_ctx *ctx,
5319 struct nft_set *set)
5320 {
5321 struct nft_set_elem_catchall *next, *catchall;
5322
5323 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
5324 list_del_rcu(&catchall->list);
5325 nf_tables_set_elem_destroy(ctx, set, catchall->elem);
5326 kfree_rcu(catchall, rcu);
5327 }
5328 }
5329
nft_set_put(struct nft_set * set)5330 static void nft_set_put(struct nft_set *set)
5331 {
5332 if (refcount_dec_and_test(&set->refs)) {
5333 kfree(set->name);
5334 kvfree(set);
5335 }
5336 }
5337
nft_set_destroy(const struct nft_ctx * ctx,struct nft_set * set)5338 static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
5339 {
5340 int i;
5341
5342 if (WARN_ON(set->use > 0))
5343 return;
5344
5345 for (i = 0; i < set->num_exprs; i++)
5346 nft_expr_destroy(ctx, set->exprs[i]);
5347
5348 set->ops->destroy(ctx, set);
5349 nft_set_catchall_destroy(ctx, set);
5350 nft_set_put(set);
5351 }
5352
nf_tables_delset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])5353 static int nf_tables_delset(struct sk_buff *skb, const struct nfnl_info *info,
5354 const struct nlattr * const nla[])
5355 {
5356 struct netlink_ext_ack *extack = info->extack;
5357 u8 genmask = nft_genmask_next(info->net);
5358 u8 family = info->nfmsg->nfgen_family;
5359 struct net *net = info->net;
5360 const struct nlattr *attr;
5361 struct nft_table *table;
5362 struct nft_set *set;
5363 struct nft_ctx ctx;
5364
5365 if (info->nfmsg->nfgen_family == NFPROTO_UNSPEC)
5366 return -EAFNOSUPPORT;
5367
5368 table = nft_table_lookup(net, nla[NFTA_SET_TABLE], family,
5369 genmask, NETLINK_CB(skb).portid);
5370 if (IS_ERR(table)) {
5371 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_TABLE]);
5372 return PTR_ERR(table);
5373 }
5374
5375 if (nla[NFTA_SET_HANDLE]) {
5376 attr = nla[NFTA_SET_HANDLE];
5377 set = nft_set_lookup_byhandle(table, attr, genmask);
5378 } else {
5379 attr = nla[NFTA_SET_NAME];
5380 set = nft_set_lookup(table, attr, genmask);
5381 }
5382
5383 if (IS_ERR(set)) {
5384 if (PTR_ERR(set) == -ENOENT &&
5385 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSET)
5386 return 0;
5387
5388 NL_SET_BAD_ATTR(extack, attr);
5389 return PTR_ERR(set);
5390 }
5391 if (set->use ||
5392 (info->nlh->nlmsg_flags & NLM_F_NONREC &&
5393 atomic_read(&set->nelems) > 0)) {
5394 NL_SET_BAD_ATTR(extack, attr);
5395 return -EBUSY;
5396 }
5397
5398 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
5399
5400 return nft_delset(&ctx, set);
5401 }
5402
5403 static int nft_validate_register_store(const struct nft_ctx *ctx,
5404 enum nft_registers reg,
5405 const struct nft_data *data,
5406 enum nft_data_types type,
5407 unsigned int len);
5408
nft_setelem_data_validate(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_elem * elem)5409 static int nft_setelem_data_validate(const struct nft_ctx *ctx,
5410 struct nft_set *set,
5411 struct nft_set_elem *elem)
5412 {
5413 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5414 enum nft_registers dreg;
5415
5416 dreg = nft_type_to_reg(set->dtype);
5417 return nft_validate_register_store(ctx, dreg, nft_set_ext_data(ext),
5418 set->dtype == NFT_DATA_VERDICT ?
5419 NFT_DATA_VERDICT : NFT_DATA_VALUE,
5420 set->dlen);
5421 }
5422
nf_tables_bind_check_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_set_elem * elem)5423 static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
5424 struct nft_set *set,
5425 const struct nft_set_iter *iter,
5426 struct nft_set_elem *elem)
5427 {
5428 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5429
5430 if (!nft_set_elem_active(ext, iter->genmask))
5431 return 0;
5432
5433 return nft_setelem_data_validate(ctx, set, elem);
5434 }
5435
nft_set_catchall_bind_check(const struct nft_ctx * ctx,struct nft_set * set)5436 static int nft_set_catchall_bind_check(const struct nft_ctx *ctx,
5437 struct nft_set *set)
5438 {
5439 u8 genmask = nft_genmask_next(ctx->net);
5440 struct nft_set_elem_catchall *catchall;
5441 struct nft_set_elem elem;
5442 struct nft_set_ext *ext;
5443 int ret = 0;
5444
5445 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5446 ext = nft_set_elem_ext(set, catchall->elem);
5447 if (!nft_set_elem_active(ext, genmask))
5448 continue;
5449
5450 elem.priv = catchall->elem;
5451 ret = nft_setelem_data_validate(ctx, set, &elem);
5452 if (ret < 0)
5453 break;
5454 }
5455
5456 return ret;
5457 }
5458
nf_tables_bind_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding)5459 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
5460 struct nft_set_binding *binding)
5461 {
5462 struct nft_set_binding *i;
5463 struct nft_set_iter iter;
5464
5465 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
5466 return -EBUSY;
5467
5468 if (binding->flags & NFT_SET_MAP) {
5469 /* If the set is already bound to the same chain all
5470 * jumps are already validated for that chain.
5471 */
5472 list_for_each_entry(i, &set->bindings, list) {
5473 if (i->flags & NFT_SET_MAP &&
5474 i->chain == binding->chain)
5475 goto bind;
5476 }
5477
5478 iter.genmask = nft_genmask_next(ctx->net);
5479 iter.type = NFT_ITER_UPDATE;
5480 iter.skip = 0;
5481 iter.count = 0;
5482 iter.err = 0;
5483 iter.fn = nf_tables_bind_check_setelem;
5484
5485 set->ops->walk(ctx, set, &iter);
5486 if (!iter.err)
5487 iter.err = nft_set_catchall_bind_check(ctx, set);
5488
5489 if (iter.err < 0)
5490 return iter.err;
5491 }
5492 bind:
5493 if (!nft_use_inc(&set->use))
5494 return -EMFILE;
5495
5496 binding->chain = ctx->chain;
5497 list_add_tail_rcu(&binding->list, &set->bindings);
5498 nft_set_trans_bind(ctx, set);
5499
5500 return 0;
5501 }
5502 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
5503
nf_tables_unbind_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding,bool event)5504 static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
5505 struct nft_set_binding *binding, bool event)
5506 {
5507 list_del_rcu(&binding->list);
5508
5509 if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
5510 list_del_rcu(&set->list);
5511 set->dead = 1;
5512 if (event)
5513 nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
5514 GFP_KERNEL);
5515 }
5516 }
5517
5518 static void nft_setelem_data_activate(const struct net *net,
5519 const struct nft_set *set,
5520 struct nft_set_elem *elem);
5521
nft_mapelem_activate(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_set_elem * elem)5522 static int nft_mapelem_activate(const struct nft_ctx *ctx,
5523 struct nft_set *set,
5524 const struct nft_set_iter *iter,
5525 struct nft_set_elem *elem)
5526 {
5527 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5528
5529 /* called from abort path, reverse check to undo changes. */
5530 if (nft_set_elem_active(ext, iter->genmask))
5531 return 0;
5532
5533 nft_clear(ctx->net, ext);
5534 nft_setelem_data_activate(ctx->net, set, elem);
5535
5536 return 0;
5537 }
5538
nft_map_catchall_activate(const struct nft_ctx * ctx,struct nft_set * set)5539 static void nft_map_catchall_activate(const struct nft_ctx *ctx,
5540 struct nft_set *set)
5541 {
5542 u8 genmask = nft_genmask_next(ctx->net);
5543 struct nft_set_elem_catchall *catchall;
5544 struct nft_set_elem elem;
5545 struct nft_set_ext *ext;
5546
5547 list_for_each_entry(catchall, &set->catchall_list, list) {
5548 ext = nft_set_elem_ext(set, catchall->elem);
5549 if (!nft_set_elem_active(ext, genmask))
5550 continue;
5551
5552 nft_clear(ctx->net, ext);
5553 elem.priv = catchall->elem;
5554 nft_setelem_data_activate(ctx->net, set, &elem);
5555 break;
5556 }
5557 }
5558
nft_map_activate(const struct nft_ctx * ctx,struct nft_set * set)5559 static void nft_map_activate(const struct nft_ctx *ctx, struct nft_set *set)
5560 {
5561 struct nft_set_iter iter = {
5562 .genmask = nft_genmask_next(ctx->net),
5563 .type = NFT_ITER_UPDATE,
5564 .fn = nft_mapelem_activate,
5565 };
5566
5567 set->ops->walk(ctx, set, &iter);
5568 WARN_ON_ONCE(iter.err);
5569
5570 nft_map_catchall_activate(ctx, set);
5571 }
5572
nf_tables_activate_set(const struct nft_ctx * ctx,struct nft_set * set)5573 void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set)
5574 {
5575 if (nft_set_is_anonymous(set)) {
5576 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5577 nft_map_activate(ctx, set);
5578
5579 nft_clear(ctx->net, set);
5580 }
5581
5582 nft_use_inc_restore(&set->use);
5583 }
5584 EXPORT_SYMBOL_GPL(nf_tables_activate_set);
5585
nf_tables_deactivate_set(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_binding * binding,enum nft_trans_phase phase)5586 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
5587 struct nft_set_binding *binding,
5588 enum nft_trans_phase phase)
5589 {
5590 lockdep_commit_lock_is_held(ctx->net);
5591
5592 switch (phase) {
5593 case NFT_TRANS_PREPARE_ERROR:
5594 nft_set_trans_unbind(ctx, set);
5595 if (nft_set_is_anonymous(set))
5596 nft_deactivate_next(ctx->net, set);
5597 else
5598 list_del_rcu(&binding->list);
5599
5600 nft_use_dec(&set->use);
5601 break;
5602 case NFT_TRANS_PREPARE:
5603 if (nft_set_is_anonymous(set)) {
5604 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5605 nft_map_deactivate(ctx, set);
5606
5607 nft_deactivate_next(ctx->net, set);
5608 }
5609 nft_use_dec(&set->use);
5610 return;
5611 case NFT_TRANS_ABORT:
5612 case NFT_TRANS_RELEASE:
5613 if (nft_set_is_anonymous(set) &&
5614 set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
5615 nft_map_deactivate(ctx, set);
5616
5617 nft_use_dec(&set->use);
5618 fallthrough;
5619 default:
5620 nf_tables_unbind_set(ctx, set, binding,
5621 phase == NFT_TRANS_COMMIT);
5622 }
5623 }
5624 EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
5625
nf_tables_destroy_set(const struct nft_ctx * ctx,struct nft_set * set)5626 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
5627 {
5628 if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
5629 nft_set_destroy(ctx, set);
5630 }
5631 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
5632
5633 const struct nft_set_ext_type nft_set_ext_types[] = {
5634 [NFT_SET_EXT_KEY] = {
5635 .align = __alignof__(u32),
5636 },
5637 [NFT_SET_EXT_DATA] = {
5638 .align = __alignof__(u32),
5639 },
5640 [NFT_SET_EXT_EXPRESSIONS] = {
5641 .align = __alignof__(struct nft_set_elem_expr),
5642 },
5643 [NFT_SET_EXT_OBJREF] = {
5644 .len = sizeof(struct nft_object *),
5645 .align = __alignof__(struct nft_object *),
5646 },
5647 [NFT_SET_EXT_FLAGS] = {
5648 .len = sizeof(u8),
5649 .align = __alignof__(u8),
5650 },
5651 [NFT_SET_EXT_TIMEOUT] = {
5652 .len = sizeof(u64),
5653 .align = __alignof__(u64),
5654 },
5655 [NFT_SET_EXT_EXPIRATION] = {
5656 .len = sizeof(u64),
5657 .align = __alignof__(u64),
5658 },
5659 [NFT_SET_EXT_USERDATA] = {
5660 .len = sizeof(struct nft_userdata),
5661 .align = __alignof__(struct nft_userdata),
5662 },
5663 [NFT_SET_EXT_KEY_END] = {
5664 .align = __alignof__(u32),
5665 },
5666 };
5667
5668 /*
5669 * Set elements
5670 */
5671
5672 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
5673 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
5674 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
5675 [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
5676 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
5677 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
5678 [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
5679 .len = NFT_USERDATA_MAXLEN },
5680 [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
5681 [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
5682 .len = NFT_OBJ_MAXNAMELEN - 1 },
5683 [NFTA_SET_ELEM_KEY_END] = { .type = NLA_NESTED },
5684 [NFTA_SET_ELEM_EXPRESSIONS] = { .type = NLA_NESTED },
5685 };
5686
5687 static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
5688 [NFTA_SET_ELEM_LIST_TABLE] = { .type = NLA_STRING,
5689 .len = NFT_TABLE_MAXNAMELEN - 1 },
5690 [NFTA_SET_ELEM_LIST_SET] = { .type = NLA_STRING,
5691 .len = NFT_SET_MAXNAMELEN - 1 },
5692 [NFTA_SET_ELEM_LIST_ELEMENTS] = { .type = NLA_NESTED },
5693 [NFTA_SET_ELEM_LIST_SET_ID] = { .type = NLA_U32 },
5694 };
5695
nft_set_elem_expr_dump(struct sk_buff * skb,const struct nft_set * set,const struct nft_set_ext * ext,bool reset)5696 static int nft_set_elem_expr_dump(struct sk_buff *skb,
5697 const struct nft_set *set,
5698 const struct nft_set_ext *ext,
5699 bool reset)
5700 {
5701 struct nft_set_elem_expr *elem_expr;
5702 u32 size, num_exprs = 0;
5703 struct nft_expr *expr;
5704 struct nlattr *nest;
5705
5706 elem_expr = nft_set_ext_expr(ext);
5707 nft_setelem_expr_foreach(expr, elem_expr, size)
5708 num_exprs++;
5709
5710 if (num_exprs == 1) {
5711 expr = nft_setelem_expr_at(elem_expr, 0);
5712 if (nft_expr_dump(skb, NFTA_SET_ELEM_EXPR, expr, reset) < 0)
5713 return -1;
5714
5715 return 0;
5716 } else if (num_exprs > 1) {
5717 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_EXPRESSIONS);
5718 if (nest == NULL)
5719 goto nla_put_failure;
5720
5721 nft_setelem_expr_foreach(expr, elem_expr, size) {
5722 expr = nft_setelem_expr_at(elem_expr, size);
5723 if (nft_expr_dump(skb, NFTA_LIST_ELEM, expr, reset) < 0)
5724 goto nla_put_failure;
5725 }
5726 nla_nest_end(skb, nest);
5727 }
5728 return 0;
5729
5730 nla_put_failure:
5731 return -1;
5732 }
5733
nf_tables_fill_setelem(struct sk_buff * skb,const struct nft_set * set,const struct nft_set_elem * elem,bool reset)5734 static int nf_tables_fill_setelem(struct sk_buff *skb,
5735 const struct nft_set *set,
5736 const struct nft_set_elem *elem,
5737 bool reset)
5738 {
5739 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5740 unsigned char *b = skb_tail_pointer(skb);
5741 struct nlattr *nest;
5742
5743 nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
5744 if (nest == NULL)
5745 goto nla_put_failure;
5746
5747 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
5748 nft_data_dump(skb, NFTA_SET_ELEM_KEY, nft_set_ext_key(ext),
5749 NFT_DATA_VALUE, set->klen) < 0)
5750 goto nla_put_failure;
5751
5752 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
5753 nft_data_dump(skb, NFTA_SET_ELEM_KEY_END, nft_set_ext_key_end(ext),
5754 NFT_DATA_VALUE, set->klen) < 0)
5755 goto nla_put_failure;
5756
5757 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
5758 nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
5759 nft_set_datatype(set), set->dlen) < 0)
5760 goto nla_put_failure;
5761
5762 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) &&
5763 nft_set_elem_expr_dump(skb, set, ext, reset))
5764 goto nla_put_failure;
5765
5766 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
5767 nla_put_string(skb, NFTA_SET_ELEM_OBJREF,
5768 (*nft_set_ext_obj(ext))->key.name) < 0)
5769 goto nla_put_failure;
5770
5771 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
5772 nla_put_be32(skb, NFTA_SET_ELEM_FLAGS,
5773 htonl(*nft_set_ext_flags(ext))))
5774 goto nla_put_failure;
5775
5776 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
5777 nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
5778 nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
5779 NFTA_SET_ELEM_PAD))
5780 goto nla_put_failure;
5781
5782 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
5783 u64 expires, now = get_jiffies_64();
5784
5785 expires = *nft_set_ext_expiration(ext);
5786 if (time_before64(now, expires))
5787 expires -= now;
5788 else
5789 expires = 0;
5790
5791 if (nla_put_be64(skb, NFTA_SET_ELEM_EXPIRATION,
5792 nf_jiffies64_to_msecs(expires),
5793 NFTA_SET_ELEM_PAD))
5794 goto nla_put_failure;
5795 }
5796
5797 if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
5798 struct nft_userdata *udata;
5799
5800 udata = nft_set_ext_userdata(ext);
5801 if (nla_put(skb, NFTA_SET_ELEM_USERDATA,
5802 udata->len + 1, udata->data))
5803 goto nla_put_failure;
5804 }
5805
5806 nla_nest_end(skb, nest);
5807 return 0;
5808
5809 nla_put_failure:
5810 nlmsg_trim(skb, b);
5811 return -EMSGSIZE;
5812 }
5813
5814 struct nft_set_dump_args {
5815 const struct netlink_callback *cb;
5816 struct nft_set_iter iter;
5817 struct sk_buff *skb;
5818 bool reset;
5819 };
5820
nf_tables_dump_setelem(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_set_elem * elem)5821 static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
5822 struct nft_set *set,
5823 const struct nft_set_iter *iter,
5824 struct nft_set_elem *elem)
5825 {
5826 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
5827 struct nft_set_dump_args *args;
5828
5829 if (!nft_set_elem_active(ext, iter->genmask))
5830 return 0;
5831
5832 if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext))
5833 return 0;
5834
5835 args = container_of(iter, struct nft_set_dump_args, iter);
5836 return nf_tables_fill_setelem(args->skb, set, elem, args->reset);
5837 }
5838
audit_log_nft_set_reset(const struct nft_table * table,unsigned int base_seq,unsigned int nentries)5839 static void audit_log_nft_set_reset(const struct nft_table *table,
5840 unsigned int base_seq,
5841 unsigned int nentries)
5842 {
5843 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq);
5844
5845 audit_log_nfcfg(buf, table->family, nentries,
5846 AUDIT_NFT_OP_SETELEM_RESET, GFP_ATOMIC);
5847 kfree(buf);
5848 }
5849
5850 struct nft_set_dump_ctx {
5851 const struct nft_set *set;
5852 struct nft_ctx ctx;
5853 };
5854
nft_set_catchall_dump(struct net * net,struct sk_buff * skb,const struct nft_set * set,bool reset,unsigned int base_seq)5855 static int nft_set_catchall_dump(struct net *net, struct sk_buff *skb,
5856 const struct nft_set *set, bool reset,
5857 unsigned int base_seq)
5858 {
5859 struct nft_set_elem_catchall *catchall;
5860 u8 genmask = nft_genmask_cur(net);
5861 struct nft_set_elem elem;
5862 struct nft_set_ext *ext;
5863 int ret = 0;
5864
5865 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
5866 ext = nft_set_elem_ext(set, catchall->elem);
5867 if (!nft_set_elem_active(ext, genmask) ||
5868 nft_set_elem_expired(ext))
5869 continue;
5870
5871 elem.priv = catchall->elem;
5872 ret = nf_tables_fill_setelem(skb, set, &elem, reset);
5873 if (reset && !ret)
5874 audit_log_nft_set_reset(set->table, base_seq, 1);
5875 break;
5876 }
5877
5878 return ret;
5879 }
5880
nf_tables_dump_set(struct sk_buff * skb,struct netlink_callback * cb)5881 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
5882 {
5883 struct nft_set_dump_ctx *dump_ctx = cb->data;
5884 struct net *net = sock_net(skb->sk);
5885 struct nftables_pernet *nft_net;
5886 struct nft_table *table;
5887 struct nft_set *set;
5888 struct nft_set_dump_args args;
5889 bool set_found = false;
5890 struct nlmsghdr *nlh;
5891 struct nlattr *nest;
5892 bool reset = false;
5893 u32 portid, seq;
5894 int event;
5895
5896 rcu_read_lock();
5897 nft_net = nft_pernet(net);
5898 cb->seq = READ_ONCE(nft_net->base_seq);
5899
5900 list_for_each_entry_rcu(table, &nft_net->tables, list) {
5901 if (dump_ctx->ctx.family != NFPROTO_UNSPEC &&
5902 dump_ctx->ctx.family != table->family)
5903 continue;
5904
5905 if (table != dump_ctx->ctx.table)
5906 continue;
5907
5908 list_for_each_entry_rcu(set, &table->sets, list) {
5909 if (set == dump_ctx->set) {
5910 set_found = true;
5911 break;
5912 }
5913 }
5914 break;
5915 }
5916
5917 if (!set_found) {
5918 rcu_read_unlock();
5919 return -ENOENT;
5920 }
5921
5922 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
5923 portid = NETLINK_CB(cb->skb).portid;
5924 seq = cb->nlh->nlmsg_seq;
5925
5926 nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI,
5927 table->family, NFNETLINK_V0, nft_base_seq(net));
5928 if (!nlh)
5929 goto nla_put_failure;
5930
5931 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
5932 goto nla_put_failure;
5933 if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
5934 goto nla_put_failure;
5935
5936 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
5937 if (nest == NULL)
5938 goto nla_put_failure;
5939
5940 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == NFT_MSG_GETSETELEM_RESET)
5941 reset = true;
5942
5943 args.cb = cb;
5944 args.skb = skb;
5945 args.reset = reset;
5946 args.iter.genmask = nft_genmask_cur(net);
5947 args.iter.type = NFT_ITER_READ;
5948 args.iter.skip = cb->args[0];
5949 args.iter.count = 0;
5950 args.iter.err = 0;
5951 args.iter.fn = nf_tables_dump_setelem;
5952 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
5953
5954 if (!args.iter.err && args.iter.count == cb->args[0])
5955 args.iter.err = nft_set_catchall_dump(net, skb, set,
5956 reset, cb->seq);
5957 nla_nest_end(skb, nest);
5958 nlmsg_end(skb, nlh);
5959
5960 if (reset && args.iter.count > args.iter.skip)
5961 audit_log_nft_set_reset(table, cb->seq,
5962 args.iter.count - args.iter.skip);
5963
5964 rcu_read_unlock();
5965
5966 if (args.iter.err && args.iter.err != -EMSGSIZE)
5967 return args.iter.err;
5968 if (args.iter.count == cb->args[0])
5969 return 0;
5970
5971 cb->args[0] = args.iter.count;
5972 return skb->len;
5973
5974 nla_put_failure:
5975 rcu_read_unlock();
5976 return -ENOSPC;
5977 }
5978
nf_tables_dump_set_start(struct netlink_callback * cb)5979 static int nf_tables_dump_set_start(struct netlink_callback *cb)
5980 {
5981 struct nft_set_dump_ctx *dump_ctx = cb->data;
5982
5983 cb->data = kmemdup(dump_ctx, sizeof(*dump_ctx), GFP_ATOMIC);
5984
5985 return cb->data ? 0 : -ENOMEM;
5986 }
5987
nf_tables_dump_set_done(struct netlink_callback * cb)5988 static int nf_tables_dump_set_done(struct netlink_callback *cb)
5989 {
5990 kfree(cb->data);
5991 return 0;
5992 }
5993
nf_tables_fill_setelem_info(struct sk_buff * skb,const struct nft_ctx * ctx,u32 seq,u32 portid,int event,u16 flags,const struct nft_set * set,const struct nft_set_elem * elem,bool reset)5994 static int nf_tables_fill_setelem_info(struct sk_buff *skb,
5995 const struct nft_ctx *ctx, u32 seq,
5996 u32 portid, int event, u16 flags,
5997 const struct nft_set *set,
5998 const struct nft_set_elem *elem,
5999 bool reset)
6000 {
6001 struct nlmsghdr *nlh;
6002 struct nlattr *nest;
6003 int err;
6004
6005 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
6006 nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family,
6007 NFNETLINK_V0, nft_base_seq(ctx->net));
6008 if (!nlh)
6009 goto nla_put_failure;
6010
6011 if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
6012 goto nla_put_failure;
6013 if (nla_put_string(skb, NFTA_SET_NAME, set->name))
6014 goto nla_put_failure;
6015
6016 nest = nla_nest_start_noflag(skb, NFTA_SET_ELEM_LIST_ELEMENTS);
6017 if (nest == NULL)
6018 goto nla_put_failure;
6019
6020 err = nf_tables_fill_setelem(skb, set, elem, reset);
6021 if (err < 0)
6022 goto nla_put_failure;
6023
6024 nla_nest_end(skb, nest);
6025
6026 nlmsg_end(skb, nlh);
6027 return 0;
6028
6029 nla_put_failure:
6030 nlmsg_trim(skb, nlh);
6031 return -1;
6032 }
6033
nft_setelem_parse_flags(const struct nft_set * set,const struct nlattr * attr,u32 * flags)6034 static int nft_setelem_parse_flags(const struct nft_set *set,
6035 const struct nlattr *attr, u32 *flags)
6036 {
6037 if (attr == NULL)
6038 return 0;
6039
6040 *flags = ntohl(nla_get_be32(attr));
6041 if (*flags & ~(NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
6042 return -EOPNOTSUPP;
6043 if (!(set->flags & NFT_SET_INTERVAL) &&
6044 *flags & NFT_SET_ELEM_INTERVAL_END)
6045 return -EINVAL;
6046 if ((*flags & (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL)) ==
6047 (NFT_SET_ELEM_INTERVAL_END | NFT_SET_ELEM_CATCHALL))
6048 return -EINVAL;
6049
6050 return 0;
6051 }
6052
nft_setelem_parse_key(struct nft_ctx * ctx,struct nft_set * set,struct nft_data * key,struct nlattr * attr)6053 static int nft_setelem_parse_key(struct nft_ctx *ctx, struct nft_set *set,
6054 struct nft_data *key, struct nlattr *attr)
6055 {
6056 struct nft_data_desc desc = {
6057 .type = NFT_DATA_VALUE,
6058 .size = NFT_DATA_VALUE_MAXLEN,
6059 .len = set->klen,
6060 };
6061
6062 return nft_data_init(ctx, key, &desc, attr);
6063 }
6064
nft_setelem_parse_data(struct nft_ctx * ctx,struct nft_set * set,struct nft_data_desc * desc,struct nft_data * data,struct nlattr * attr)6065 static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
6066 struct nft_data_desc *desc,
6067 struct nft_data *data,
6068 struct nlattr *attr)
6069 {
6070 u32 dtype;
6071
6072 if (set->dtype == NFT_DATA_VERDICT)
6073 dtype = NFT_DATA_VERDICT;
6074 else
6075 dtype = NFT_DATA_VALUE;
6076
6077 desc->type = dtype;
6078 desc->size = NFT_DATA_VALUE_MAXLEN;
6079 desc->len = set->dlen;
6080 desc->flags = NFT_DATA_DESC_SETELEM;
6081
6082 return nft_data_init(ctx, data, desc, attr);
6083 }
6084
nft_setelem_catchall_get(const struct net * net,const struct nft_set * set)6085 static void *nft_setelem_catchall_get(const struct net *net,
6086 const struct nft_set *set)
6087 {
6088 struct nft_set_elem_catchall *catchall;
6089 u8 genmask = nft_genmask_cur(net);
6090 struct nft_set_ext *ext;
6091 void *priv = NULL;
6092
6093 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6094 ext = nft_set_elem_ext(set, catchall->elem);
6095 if (!nft_set_elem_active(ext, genmask) ||
6096 nft_set_elem_expired(ext))
6097 continue;
6098
6099 priv = catchall->elem;
6100 break;
6101 }
6102
6103 return priv;
6104 }
6105
nft_setelem_get(struct nft_ctx * ctx,struct nft_set * set,struct nft_set_elem * elem,u32 flags)6106 static int nft_setelem_get(struct nft_ctx *ctx, struct nft_set *set,
6107 struct nft_set_elem *elem, u32 flags)
6108 {
6109 void *priv;
6110
6111 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
6112 priv = set->ops->get(ctx->net, set, elem, flags);
6113 if (IS_ERR(priv))
6114 return PTR_ERR(priv);
6115 } else {
6116 priv = nft_setelem_catchall_get(ctx->net, set);
6117 if (!priv)
6118 return -ENOENT;
6119 }
6120 elem->priv = priv;
6121
6122 return 0;
6123 }
6124
nft_get_set_elem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr,bool reset)6125 static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
6126 const struct nlattr *attr, bool reset)
6127 {
6128 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6129 struct nft_set_elem elem;
6130 struct sk_buff *skb;
6131 uint32_t flags = 0;
6132 int err;
6133
6134 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6135 nft_set_elem_policy, NULL);
6136 if (err < 0)
6137 return err;
6138
6139 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6140 if (err < 0)
6141 return err;
6142
6143 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
6144 return -EINVAL;
6145
6146 if (nla[NFTA_SET_ELEM_KEY]) {
6147 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6148 nla[NFTA_SET_ELEM_KEY]);
6149 if (err < 0)
6150 return err;
6151 }
6152
6153 if (nla[NFTA_SET_ELEM_KEY_END]) {
6154 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6155 nla[NFTA_SET_ELEM_KEY_END]);
6156 if (err < 0)
6157 return err;
6158 }
6159
6160 err = nft_setelem_get(ctx, set, &elem, flags);
6161 if (err < 0)
6162 return err;
6163
6164 err = -ENOMEM;
6165 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
6166 if (skb == NULL)
6167 return err;
6168
6169 err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
6170 NFT_MSG_NEWSETELEM, 0, set, &elem,
6171 reset);
6172 if (err < 0)
6173 goto err_fill_setelem;
6174
6175 return nfnetlink_unicast(skb, ctx->net, ctx->portid);
6176
6177 err_fill_setelem:
6178 kfree_skb(skb);
6179 return err;
6180 }
6181
6182 /* called with rcu_read_lock held */
nf_tables_getsetelem(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])6183 static int nf_tables_getsetelem(struct sk_buff *skb,
6184 const struct nfnl_info *info,
6185 const struct nlattr * const nla[])
6186 {
6187 struct netlink_ext_ack *extack = info->extack;
6188 u8 genmask = nft_genmask_cur(info->net);
6189 u8 family = info->nfmsg->nfgen_family;
6190 int rem, err = 0, nelems = 0;
6191 struct net *net = info->net;
6192 struct nft_table *table;
6193 struct nft_set *set;
6194 struct nlattr *attr;
6195 struct nft_ctx ctx;
6196 bool reset = false;
6197
6198 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
6199 genmask, 0);
6200 if (IS_ERR(table)) {
6201 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
6202 return PTR_ERR(table);
6203 }
6204
6205 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
6206 if (IS_ERR(set))
6207 return PTR_ERR(set);
6208
6209 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
6210
6211 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
6212 struct netlink_dump_control c = {
6213 .start = nf_tables_dump_set_start,
6214 .dump = nf_tables_dump_set,
6215 .done = nf_tables_dump_set_done,
6216 .module = THIS_MODULE,
6217 };
6218 struct nft_set_dump_ctx dump_ctx = {
6219 .set = set,
6220 .ctx = ctx,
6221 };
6222
6223 c.data = &dump_ctx;
6224 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
6225 }
6226
6227 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
6228 return -EINVAL;
6229
6230 if (NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_GETSETELEM_RESET)
6231 reset = true;
6232
6233 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
6234 err = nft_get_set_elem(&ctx, set, attr, reset);
6235 if (err < 0) {
6236 NL_SET_BAD_ATTR(extack, attr);
6237 break;
6238 }
6239 nelems++;
6240 }
6241
6242 if (reset)
6243 audit_log_nft_set_reset(table, nft_pernet(net)->base_seq,
6244 nelems);
6245
6246 return err;
6247 }
6248
nf_tables_setelem_notify(const struct nft_ctx * ctx,const struct nft_set * set,const struct nft_set_elem * elem,int event)6249 static void nf_tables_setelem_notify(const struct nft_ctx *ctx,
6250 const struct nft_set *set,
6251 const struct nft_set_elem *elem,
6252 int event)
6253 {
6254 struct nftables_pernet *nft_net;
6255 struct net *net = ctx->net;
6256 u32 portid = ctx->portid;
6257 struct sk_buff *skb;
6258 u16 flags = 0;
6259 int err;
6260
6261 if (!ctx->report && !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
6262 return;
6263
6264 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
6265 if (skb == NULL)
6266 goto err;
6267
6268 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
6269 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
6270
6271 err = nf_tables_fill_setelem_info(skb, ctx, 0, portid, event, flags,
6272 set, elem, false);
6273 if (err < 0) {
6274 kfree_skb(skb);
6275 goto err;
6276 }
6277
6278 nft_net = nft_pernet(net);
6279 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
6280 return;
6281 err:
6282 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
6283 }
6284
nft_trans_elem_alloc(struct nft_ctx * ctx,int msg_type,struct nft_set * set)6285 static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
6286 int msg_type,
6287 struct nft_set *set)
6288 {
6289 struct nft_trans *trans;
6290
6291 trans = nft_trans_alloc(ctx, msg_type, sizeof(struct nft_trans_elem));
6292 if (trans == NULL)
6293 return NULL;
6294
6295 nft_trans_elem_set(trans) = set;
6296 return trans;
6297 }
6298
nft_set_elem_expr_alloc(const struct nft_ctx * ctx,const struct nft_set * set,const struct nlattr * attr)6299 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
6300 const struct nft_set *set,
6301 const struct nlattr *attr)
6302 {
6303 struct nft_expr *expr;
6304 int err;
6305
6306 expr = nft_expr_init(ctx, attr);
6307 if (IS_ERR(expr))
6308 return expr;
6309
6310 err = -EOPNOTSUPP;
6311 if (expr->ops->type->flags & NFT_EXPR_GC) {
6312 if (set->flags & NFT_SET_TIMEOUT)
6313 goto err_set_elem_expr;
6314 if (!set->ops->gc_init)
6315 goto err_set_elem_expr;
6316 set->ops->gc_init(set);
6317 }
6318
6319 return expr;
6320
6321 err_set_elem_expr:
6322 nft_expr_destroy(ctx, expr);
6323 return ERR_PTR(err);
6324 }
6325
nft_set_ext_check(const struct nft_set_ext_tmpl * tmpl,u8 id,u32 len)6326 static int nft_set_ext_check(const struct nft_set_ext_tmpl *tmpl, u8 id, u32 len)
6327 {
6328 len += nft_set_ext_types[id].len;
6329 if (len > tmpl->ext_len[id] ||
6330 len > U8_MAX)
6331 return -1;
6332
6333 return 0;
6334 }
6335
nft_set_ext_memcpy(const struct nft_set_ext_tmpl * tmpl,u8 id,void * to,const void * from,u32 len)6336 static int nft_set_ext_memcpy(const struct nft_set_ext_tmpl *tmpl, u8 id,
6337 void *to, const void *from, u32 len)
6338 {
6339 if (nft_set_ext_check(tmpl, id, len) < 0)
6340 return -1;
6341
6342 memcpy(to, from, len);
6343
6344 return 0;
6345 }
6346
nft_set_elem_init(const struct nft_set * set,const struct nft_set_ext_tmpl * tmpl,const u32 * key,const u32 * key_end,const u32 * data,u64 timeout,u64 expiration,gfp_t gfp)6347 void *nft_set_elem_init(const struct nft_set *set,
6348 const struct nft_set_ext_tmpl *tmpl,
6349 const u32 *key, const u32 *key_end,
6350 const u32 *data, u64 timeout, u64 expiration, gfp_t gfp)
6351 {
6352 struct nft_set_ext *ext;
6353 void *elem;
6354
6355 elem = kzalloc(set->ops->elemsize + tmpl->len, gfp);
6356 if (elem == NULL)
6357 return ERR_PTR(-ENOMEM);
6358
6359 ext = nft_set_elem_ext(set, elem);
6360 nft_set_ext_init(ext, tmpl);
6361
6362 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY) &&
6363 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY,
6364 nft_set_ext_key(ext), key, set->klen) < 0)
6365 goto err_ext_check;
6366
6367 if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END) &&
6368 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_KEY_END,
6369 nft_set_ext_key_end(ext), key_end, set->klen) < 0)
6370 goto err_ext_check;
6371
6372 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
6373 nft_set_ext_memcpy(tmpl, NFT_SET_EXT_DATA,
6374 nft_set_ext_data(ext), data, set->dlen) < 0)
6375 goto err_ext_check;
6376
6377 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
6378 *nft_set_ext_expiration(ext) = get_jiffies_64() + expiration;
6379 if (expiration == 0)
6380 *nft_set_ext_expiration(ext) += timeout;
6381 }
6382 if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT))
6383 *nft_set_ext_timeout(ext) = timeout;
6384
6385 return elem;
6386
6387 err_ext_check:
6388 kfree(elem);
6389
6390 return ERR_PTR(-EINVAL);
6391 }
6392
__nft_set_elem_expr_destroy(const struct nft_ctx * ctx,struct nft_expr * expr)6393 static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
6394 struct nft_expr *expr)
6395 {
6396 if (expr->ops->destroy_clone) {
6397 expr->ops->destroy_clone(ctx, expr);
6398 module_put(expr->ops->type->owner);
6399 } else {
6400 nf_tables_expr_destroy(ctx, expr);
6401 }
6402 }
6403
nft_set_elem_expr_destroy(const struct nft_ctx * ctx,struct nft_set_elem_expr * elem_expr)6404 static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
6405 struct nft_set_elem_expr *elem_expr)
6406 {
6407 struct nft_expr *expr;
6408 u32 size;
6409
6410 nft_setelem_expr_foreach(expr, elem_expr, size)
6411 __nft_set_elem_expr_destroy(ctx, expr);
6412 }
6413
6414 /* Drop references and destroy. Called from gc, dynset and abort path. */
nft_set_elem_destroy(const struct nft_set * set,void * elem,bool destroy_expr)6415 void nft_set_elem_destroy(const struct nft_set *set, void *elem,
6416 bool destroy_expr)
6417 {
6418 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
6419 struct nft_ctx ctx = {
6420 .net = read_pnet(&set->net),
6421 .family = set->table->family,
6422 };
6423
6424 nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
6425 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
6426 nft_data_release(nft_set_ext_data(ext), set->dtype);
6427 if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
6428 nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext));
6429
6430 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
6431 nft_use_dec(&(*nft_set_ext_obj(ext))->use);
6432 kfree(elem);
6433 }
6434 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
6435
6436 /* Destroy element. References have been already dropped in the preparation
6437 * path via nft_setelem_data_deactivate().
6438 */
nf_tables_set_elem_destroy(const struct nft_ctx * ctx,const struct nft_set * set,void * elem)6439 void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
6440 const struct nft_set *set, void *elem)
6441 {
6442 struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
6443
6444 if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS))
6445 nft_set_elem_expr_destroy(ctx, nft_set_ext_expr(ext));
6446
6447 kfree(elem);
6448 }
6449
nft_set_elem_expr_clone(const struct nft_ctx * ctx,struct nft_set * set,struct nft_expr * expr_array[])6450 int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
6451 struct nft_expr *expr_array[])
6452 {
6453 struct nft_expr *expr;
6454 int err, i, k;
6455
6456 for (i = 0; i < set->num_exprs; i++) {
6457 expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL_ACCOUNT);
6458 if (!expr)
6459 goto err_expr;
6460
6461 err = nft_expr_clone(expr, set->exprs[i]);
6462 if (err < 0) {
6463 kfree(expr);
6464 goto err_expr;
6465 }
6466 expr_array[i] = expr;
6467 }
6468
6469 return 0;
6470
6471 err_expr:
6472 for (k = i - 1; k >= 0; k--)
6473 nft_expr_destroy(ctx, expr_array[k]);
6474
6475 return -ENOMEM;
6476 }
6477
nft_set_elem_expr_setup(struct nft_ctx * ctx,const struct nft_set_ext_tmpl * tmpl,const struct nft_set_ext * ext,struct nft_expr * expr_array[],u32 num_exprs)6478 static int nft_set_elem_expr_setup(struct nft_ctx *ctx,
6479 const struct nft_set_ext_tmpl *tmpl,
6480 const struct nft_set_ext *ext,
6481 struct nft_expr *expr_array[],
6482 u32 num_exprs)
6483 {
6484 struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
6485 u32 len = sizeof(struct nft_set_elem_expr);
6486 struct nft_expr *expr;
6487 int i, err;
6488
6489 if (num_exprs == 0)
6490 return 0;
6491
6492 for (i = 0; i < num_exprs; i++)
6493 len += expr_array[i]->ops->size;
6494
6495 if (nft_set_ext_check(tmpl, NFT_SET_EXT_EXPRESSIONS, len) < 0)
6496 return -EINVAL;
6497
6498 for (i = 0; i < num_exprs; i++) {
6499 expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
6500 err = nft_expr_clone(expr, expr_array[i]);
6501 if (err < 0)
6502 goto err_elem_expr_setup;
6503
6504 elem_expr->size += expr_array[i]->ops->size;
6505 nft_expr_destroy(ctx, expr_array[i]);
6506 expr_array[i] = NULL;
6507 }
6508
6509 return 0;
6510
6511 err_elem_expr_setup:
6512 for (; i < num_exprs; i++) {
6513 nft_expr_destroy(ctx, expr_array[i]);
6514 expr_array[i] = NULL;
6515 }
6516
6517 return -ENOMEM;
6518 }
6519
nft_set_catchall_lookup(const struct net * net,const struct nft_set * set)6520 struct nft_set_ext *nft_set_catchall_lookup(const struct net *net,
6521 const struct nft_set *set)
6522 {
6523 struct nft_set_elem_catchall *catchall;
6524 u8 genmask = nft_genmask_cur(net);
6525 struct nft_set_ext *ext;
6526
6527 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
6528 ext = nft_set_elem_ext(set, catchall->elem);
6529 if (nft_set_elem_active(ext, genmask) &&
6530 !nft_set_elem_expired(ext) &&
6531 !nft_set_elem_is_dead(ext))
6532 return ext;
6533 }
6534
6535 return NULL;
6536 }
6537 EXPORT_SYMBOL_GPL(nft_set_catchall_lookup);
6538
nft_setelem_catchall_insert(const struct net * net,struct nft_set * set,const struct nft_set_elem * elem,struct nft_set_ext ** pext)6539 static int nft_setelem_catchall_insert(const struct net *net,
6540 struct nft_set *set,
6541 const struct nft_set_elem *elem,
6542 struct nft_set_ext **pext)
6543 {
6544 struct nft_set_elem_catchall *catchall;
6545 u8 genmask = nft_genmask_next(net);
6546 struct nft_set_ext *ext;
6547
6548 list_for_each_entry(catchall, &set->catchall_list, list) {
6549 ext = nft_set_elem_ext(set, catchall->elem);
6550 if (nft_set_elem_active(ext, genmask)) {
6551 *pext = ext;
6552 return -EEXIST;
6553 }
6554 }
6555
6556 catchall = kmalloc(sizeof(*catchall), GFP_KERNEL);
6557 if (!catchall)
6558 return -ENOMEM;
6559
6560 catchall->elem = elem->priv;
6561 list_add_tail_rcu(&catchall->list, &set->catchall_list);
6562
6563 return 0;
6564 }
6565
nft_setelem_insert(const struct net * net,struct nft_set * set,const struct nft_set_elem * elem,struct nft_set_ext ** ext,unsigned int flags)6566 static int nft_setelem_insert(const struct net *net,
6567 struct nft_set *set,
6568 const struct nft_set_elem *elem,
6569 struct nft_set_ext **ext, unsigned int flags)
6570 {
6571 int ret;
6572
6573 if (flags & NFT_SET_ELEM_CATCHALL)
6574 ret = nft_setelem_catchall_insert(net, set, elem, ext);
6575 else
6576 ret = set->ops->insert(net, set, elem, ext);
6577
6578 return ret;
6579 }
6580
nft_setelem_is_catchall(const struct nft_set * set,const struct nft_set_elem * elem)6581 static bool nft_setelem_is_catchall(const struct nft_set *set,
6582 const struct nft_set_elem *elem)
6583 {
6584 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6585
6586 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
6587 *nft_set_ext_flags(ext) & NFT_SET_ELEM_CATCHALL)
6588 return true;
6589
6590 return false;
6591 }
6592
nft_setelem_activate(struct net * net,struct nft_set * set,struct nft_set_elem * elem)6593 static void nft_setelem_activate(struct net *net, struct nft_set *set,
6594 struct nft_set_elem *elem)
6595 {
6596 struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
6597
6598 if (nft_setelem_is_catchall(set, elem)) {
6599 nft_clear(net, ext);
6600 } else {
6601 set->ops->activate(net, set, elem);
6602 }
6603 }
6604
nft_setelem_catchall_deactivate(const struct net * net,struct nft_set * set,struct nft_set_elem * elem)6605 static int nft_setelem_catchall_deactivate(const struct net *net,
6606 struct nft_set *set,
6607 struct nft_set_elem *elem)
6608 {
6609 struct nft_set_elem_catchall *catchall;
6610 struct nft_set_ext *ext;
6611
6612 list_for_each_entry(catchall, &set->catchall_list, list) {
6613 ext = nft_set_elem_ext(set, catchall->elem);
6614 if (!nft_is_active_next(net, ext))
6615 continue;
6616
6617 kfree(elem->priv);
6618 elem->priv = catchall->elem;
6619 nft_set_elem_change_active(net, set, ext);
6620 return 0;
6621 }
6622
6623 return -ENOENT;
6624 }
6625
__nft_setelem_deactivate(const struct net * net,struct nft_set * set,struct nft_set_elem * elem)6626 static int __nft_setelem_deactivate(const struct net *net,
6627 struct nft_set *set,
6628 struct nft_set_elem *elem)
6629 {
6630 void *priv;
6631
6632 priv = set->ops->deactivate(net, set, elem);
6633 if (!priv)
6634 return -ENOENT;
6635
6636 kfree(elem->priv);
6637 elem->priv = priv;
6638 set->ndeact++;
6639
6640 return 0;
6641 }
6642
nft_setelem_deactivate(const struct net * net,struct nft_set * set,struct nft_set_elem * elem,u32 flags)6643 static int nft_setelem_deactivate(const struct net *net,
6644 struct nft_set *set,
6645 struct nft_set_elem *elem, u32 flags)
6646 {
6647 int ret;
6648
6649 if (flags & NFT_SET_ELEM_CATCHALL)
6650 ret = nft_setelem_catchall_deactivate(net, set, elem);
6651 else
6652 ret = __nft_setelem_deactivate(net, set, elem);
6653
6654 return ret;
6655 }
6656
nft_setelem_catchall_destroy(struct nft_set_elem_catchall * catchall)6657 static void nft_setelem_catchall_destroy(struct nft_set_elem_catchall *catchall)
6658 {
6659 list_del_rcu(&catchall->list);
6660 kfree_rcu(catchall, rcu);
6661 }
6662
nft_setelem_catchall_remove(const struct net * net,const struct nft_set * set,const struct nft_set_elem * elem)6663 static void nft_setelem_catchall_remove(const struct net *net,
6664 const struct nft_set *set,
6665 const struct nft_set_elem *elem)
6666 {
6667 struct nft_set_elem_catchall *catchall, *next;
6668
6669 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
6670 if (catchall->elem == elem->priv) {
6671 nft_setelem_catchall_destroy(catchall);
6672 break;
6673 }
6674 }
6675 }
6676
nft_setelem_remove(const struct net * net,const struct nft_set * set,const struct nft_set_elem * elem)6677 static void nft_setelem_remove(const struct net *net,
6678 const struct nft_set *set,
6679 const struct nft_set_elem *elem)
6680 {
6681 if (nft_setelem_is_catchall(set, elem))
6682 nft_setelem_catchall_remove(net, set, elem);
6683 else
6684 set->ops->remove(net, set, elem);
6685 }
6686
nft_setelem_valid_key_end(const struct nft_set * set,struct nlattr ** nla,u32 flags)6687 static bool nft_setelem_valid_key_end(const struct nft_set *set,
6688 struct nlattr **nla, u32 flags)
6689 {
6690 if ((set->flags & (NFT_SET_CONCAT | NFT_SET_INTERVAL)) ==
6691 (NFT_SET_CONCAT | NFT_SET_INTERVAL)) {
6692 if (flags & NFT_SET_ELEM_INTERVAL_END)
6693 return false;
6694
6695 if (nla[NFTA_SET_ELEM_KEY_END] &&
6696 flags & NFT_SET_ELEM_CATCHALL)
6697 return false;
6698 } else {
6699 if (nla[NFTA_SET_ELEM_KEY_END])
6700 return false;
6701 }
6702
6703 return true;
6704 }
6705
nft_set_maxsize(const struct nft_set * set)6706 static u32 nft_set_maxsize(const struct nft_set *set)
6707 {
6708 u32 maxsize, delta;
6709
6710 if (!set->size)
6711 return UINT_MAX;
6712
6713 if (set->ops->adjust_maxsize)
6714 delta = set->ops->adjust_maxsize(set);
6715 else
6716 delta = 0;
6717
6718 if (check_add_overflow(set->size, set->ndeact, &maxsize))
6719 return UINT_MAX;
6720
6721 if (check_add_overflow(maxsize, delta, &maxsize))
6722 return UINT_MAX;
6723
6724 return maxsize;
6725 }
6726
nft_add_set_elem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr,u32 nlmsg_flags)6727 static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
6728 const struct nlattr *attr, u32 nlmsg_flags)
6729 {
6730 struct nft_expr *expr_array[NFT_SET_EXPR_MAX] = {};
6731 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
6732 u8 genmask = nft_genmask_next(ctx->net);
6733 u32 flags = 0, size = 0, num_exprs = 0;
6734 struct nft_set_ext_tmpl tmpl;
6735 struct nft_set_ext *ext, *ext2;
6736 struct nft_set_elem elem;
6737 struct nft_set_binding *binding;
6738 struct nft_object *obj = NULL;
6739 struct nft_userdata *udata;
6740 struct nft_data_desc desc;
6741 enum nft_registers dreg;
6742 struct nft_trans *trans;
6743 u64 timeout;
6744 u64 expiration;
6745 int err, i;
6746 u8 ulen;
6747
6748 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
6749 nft_set_elem_policy, NULL);
6750 if (err < 0)
6751 return err;
6752
6753 nft_set_ext_prepare(&tmpl);
6754
6755 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
6756 if (err < 0)
6757 return err;
6758
6759 if (((flags & NFT_SET_ELEM_CATCHALL) && nla[NFTA_SET_ELEM_KEY]) ||
6760 (!(flags & NFT_SET_ELEM_CATCHALL) && !nla[NFTA_SET_ELEM_KEY]))
6761 return -EINVAL;
6762
6763 if (flags != 0) {
6764 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
6765 if (err < 0)
6766 return err;
6767 }
6768
6769 if (set->flags & NFT_SET_MAP) {
6770 if (nla[NFTA_SET_ELEM_DATA] == NULL &&
6771 !(flags & NFT_SET_ELEM_INTERVAL_END))
6772 return -EINVAL;
6773 } else {
6774 if (nla[NFTA_SET_ELEM_DATA] != NULL)
6775 return -EINVAL;
6776 }
6777
6778 if (set->flags & NFT_SET_OBJECT) {
6779 if (!nla[NFTA_SET_ELEM_OBJREF] &&
6780 !(flags & NFT_SET_ELEM_INTERVAL_END))
6781 return -EINVAL;
6782 } else {
6783 if (nla[NFTA_SET_ELEM_OBJREF])
6784 return -EINVAL;
6785 }
6786
6787 if (!nft_setelem_valid_key_end(set, nla, flags))
6788 return -EINVAL;
6789
6790 if ((flags & NFT_SET_ELEM_INTERVAL_END) &&
6791 (nla[NFTA_SET_ELEM_DATA] ||
6792 nla[NFTA_SET_ELEM_OBJREF] ||
6793 nla[NFTA_SET_ELEM_TIMEOUT] ||
6794 nla[NFTA_SET_ELEM_EXPIRATION] ||
6795 nla[NFTA_SET_ELEM_USERDATA] ||
6796 nla[NFTA_SET_ELEM_EXPR] ||
6797 nla[NFTA_SET_ELEM_KEY_END] ||
6798 nla[NFTA_SET_ELEM_EXPRESSIONS]))
6799 return -EINVAL;
6800
6801 timeout = 0;
6802 if (nla[NFTA_SET_ELEM_TIMEOUT] != NULL) {
6803 if (!(set->flags & NFT_SET_TIMEOUT))
6804 return -EINVAL;
6805 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_TIMEOUT],
6806 &timeout);
6807 if (err)
6808 return err;
6809 } else if (set->flags & NFT_SET_TIMEOUT &&
6810 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
6811 timeout = set->timeout;
6812 }
6813
6814 expiration = 0;
6815 if (nla[NFTA_SET_ELEM_EXPIRATION] != NULL) {
6816 if (!(set->flags & NFT_SET_TIMEOUT))
6817 return -EINVAL;
6818 if (timeout == 0)
6819 return -EOPNOTSUPP;
6820
6821 err = nf_msecs_to_jiffies64(nla[NFTA_SET_ELEM_EXPIRATION],
6822 &expiration);
6823 if (err)
6824 return err;
6825
6826 if (expiration > timeout)
6827 return -ERANGE;
6828 }
6829
6830 if (nla[NFTA_SET_ELEM_EXPR]) {
6831 struct nft_expr *expr;
6832
6833 if (set->num_exprs && set->num_exprs != 1)
6834 return -EOPNOTSUPP;
6835
6836 expr = nft_set_elem_expr_alloc(ctx, set,
6837 nla[NFTA_SET_ELEM_EXPR]);
6838 if (IS_ERR(expr))
6839 return PTR_ERR(expr);
6840
6841 expr_array[0] = expr;
6842 num_exprs = 1;
6843
6844 if (set->num_exprs && set->exprs[0]->ops != expr->ops) {
6845 err = -EOPNOTSUPP;
6846 goto err_set_elem_expr;
6847 }
6848 } else if (nla[NFTA_SET_ELEM_EXPRESSIONS]) {
6849 struct nft_expr *expr;
6850 struct nlattr *tmp;
6851 int left;
6852
6853 i = 0;
6854 nla_for_each_nested(tmp, nla[NFTA_SET_ELEM_EXPRESSIONS], left) {
6855 if (i == NFT_SET_EXPR_MAX ||
6856 (set->num_exprs && set->num_exprs == i)) {
6857 err = -E2BIG;
6858 goto err_set_elem_expr;
6859 }
6860 if (nla_type(tmp) != NFTA_LIST_ELEM) {
6861 err = -EINVAL;
6862 goto err_set_elem_expr;
6863 }
6864 expr = nft_set_elem_expr_alloc(ctx, set, tmp);
6865 if (IS_ERR(expr)) {
6866 err = PTR_ERR(expr);
6867 goto err_set_elem_expr;
6868 }
6869 expr_array[i] = expr;
6870 num_exprs++;
6871
6872 if (set->num_exprs && expr->ops != set->exprs[i]->ops) {
6873 err = -EOPNOTSUPP;
6874 goto err_set_elem_expr;
6875 }
6876 i++;
6877 }
6878 if (set->num_exprs && set->num_exprs != i) {
6879 err = -EOPNOTSUPP;
6880 goto err_set_elem_expr;
6881 }
6882 } else if (set->num_exprs > 0 &&
6883 !(flags & NFT_SET_ELEM_INTERVAL_END)) {
6884 err = nft_set_elem_expr_clone(ctx, set, expr_array);
6885 if (err < 0)
6886 goto err_set_elem_expr_clone;
6887
6888 num_exprs = set->num_exprs;
6889 }
6890
6891 if (nla[NFTA_SET_ELEM_KEY]) {
6892 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
6893 nla[NFTA_SET_ELEM_KEY]);
6894 if (err < 0)
6895 goto err_set_elem_expr;
6896
6897 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
6898 if (err < 0)
6899 goto err_parse_key;
6900 }
6901
6902 if (nla[NFTA_SET_ELEM_KEY_END]) {
6903 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
6904 nla[NFTA_SET_ELEM_KEY_END]);
6905 if (err < 0)
6906 goto err_parse_key;
6907
6908 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
6909 if (err < 0)
6910 goto err_parse_key_end;
6911 }
6912
6913 if (timeout > 0) {
6914 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_EXPIRATION);
6915 if (err < 0)
6916 goto err_parse_key_end;
6917
6918 if (timeout != set->timeout) {
6919 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_TIMEOUT);
6920 if (err < 0)
6921 goto err_parse_key_end;
6922 }
6923 }
6924
6925 if (num_exprs) {
6926 for (i = 0; i < num_exprs; i++)
6927 size += expr_array[i]->ops->size;
6928
6929 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_EXPRESSIONS,
6930 sizeof(struct nft_set_elem_expr) + size);
6931 if (err < 0)
6932 goto err_parse_key_end;
6933 }
6934
6935 if (nla[NFTA_SET_ELEM_OBJREF] != NULL) {
6936 obj = nft_obj_lookup(ctx->net, ctx->table,
6937 nla[NFTA_SET_ELEM_OBJREF],
6938 set->objtype, genmask);
6939 if (IS_ERR(obj)) {
6940 err = PTR_ERR(obj);
6941 obj = NULL;
6942 goto err_parse_key_end;
6943 }
6944
6945 if (!nft_use_inc(&obj->use)) {
6946 err = -EMFILE;
6947 obj = NULL;
6948 goto err_parse_key_end;
6949 }
6950
6951 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF);
6952 if (err < 0)
6953 goto err_parse_key_end;
6954 }
6955
6956 if (nla[NFTA_SET_ELEM_DATA] != NULL) {
6957 err = nft_setelem_parse_data(ctx, set, &desc, &elem.data.val,
6958 nla[NFTA_SET_ELEM_DATA]);
6959 if (err < 0)
6960 goto err_parse_key_end;
6961
6962 dreg = nft_type_to_reg(set->dtype);
6963 list_for_each_entry(binding, &set->bindings, list) {
6964 struct nft_ctx bind_ctx = {
6965 .net = ctx->net,
6966 .family = ctx->family,
6967 .table = ctx->table,
6968 .chain = (struct nft_chain *)binding->chain,
6969 };
6970
6971 if (!(binding->flags & NFT_SET_MAP))
6972 continue;
6973
6974 err = nft_validate_register_store(&bind_ctx, dreg,
6975 &elem.data.val,
6976 desc.type, desc.len);
6977 if (err < 0)
6978 goto err_parse_data;
6979
6980 if (desc.type == NFT_DATA_VERDICT &&
6981 (elem.data.val.verdict.code == NFT_GOTO ||
6982 elem.data.val.verdict.code == NFT_JUMP))
6983 nft_validate_state_update(ctx->table,
6984 NFT_VALIDATE_NEED);
6985 }
6986
6987 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_DATA, desc.len);
6988 if (err < 0)
6989 goto err_parse_data;
6990 }
6991
6992 /* The full maximum length of userdata can exceed the maximum
6993 * offset value (U8_MAX) for following extensions, therefor it
6994 * must be the last extension added.
6995 */
6996 ulen = 0;
6997 if (nla[NFTA_SET_ELEM_USERDATA] != NULL) {
6998 ulen = nla_len(nla[NFTA_SET_ELEM_USERDATA]);
6999 if (ulen > 0) {
7000 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_USERDATA,
7001 ulen);
7002 if (err < 0)
7003 goto err_parse_data;
7004 }
7005 }
7006
7007 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
7008 elem.key_end.val.data, elem.data.val.data,
7009 timeout, expiration, GFP_KERNEL_ACCOUNT);
7010 if (IS_ERR(elem.priv)) {
7011 err = PTR_ERR(elem.priv);
7012 goto err_parse_data;
7013 }
7014
7015 ext = nft_set_elem_ext(set, elem.priv);
7016 if (flags)
7017 *nft_set_ext_flags(ext) = flags;
7018
7019 if (obj)
7020 *nft_set_ext_obj(ext) = obj;
7021
7022 if (ulen > 0) {
7023 if (nft_set_ext_check(&tmpl, NFT_SET_EXT_USERDATA, ulen) < 0) {
7024 err = -EINVAL;
7025 goto err_elem_free;
7026 }
7027 udata = nft_set_ext_userdata(ext);
7028 udata->len = ulen - 1;
7029 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen);
7030 }
7031 err = nft_set_elem_expr_setup(ctx, &tmpl, ext, expr_array, num_exprs);
7032 if (err < 0)
7033 goto err_elem_free;
7034
7035 trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
7036 if (trans == NULL) {
7037 err = -ENOMEM;
7038 goto err_elem_free;
7039 }
7040
7041 ext->genmask = nft_genmask_cur(ctx->net);
7042
7043 err = nft_setelem_insert(ctx->net, set, &elem, &ext2, flags);
7044 if (err) {
7045 if (err == -EEXIST) {
7046 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
7047 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
7048 nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
7049 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
7050 goto err_element_clash;
7051 if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
7052 nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
7053 memcmp(nft_set_ext_data(ext),
7054 nft_set_ext_data(ext2), set->dlen) != 0) ||
7055 (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) &&
7056 nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF) &&
7057 *nft_set_ext_obj(ext) != *nft_set_ext_obj(ext2)))
7058 goto err_element_clash;
7059 else if (!(nlmsg_flags & NLM_F_EXCL))
7060 err = 0;
7061 } else if (err == -ENOTEMPTY) {
7062 /* ENOTEMPTY reports overlapping between this element
7063 * and an existing one.
7064 */
7065 err = -EEXIST;
7066 }
7067 goto err_element_clash;
7068 }
7069
7070 if (!(flags & NFT_SET_ELEM_CATCHALL)) {
7071 unsigned int max = nft_set_maxsize(set);
7072
7073 if (!atomic_add_unless(&set->nelems, 1, max)) {
7074 err = -ENFILE;
7075 goto err_set_full;
7076 }
7077 }
7078
7079 nft_trans_elem(trans) = elem;
7080 nft_trans_commit_list_add_tail(ctx->net, trans);
7081 return 0;
7082
7083 err_set_full:
7084 nft_setelem_remove(ctx->net, set, &elem);
7085 err_element_clash:
7086 kfree(trans);
7087 err_elem_free:
7088 nf_tables_set_elem_destroy(ctx, set, elem.priv);
7089 err_parse_data:
7090 if (nla[NFTA_SET_ELEM_DATA] != NULL)
7091 nft_data_release(&elem.data.val, desc.type);
7092 err_parse_key_end:
7093 if (obj)
7094 nft_use_dec_restore(&obj->use);
7095
7096 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
7097 err_parse_key:
7098 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
7099 err_set_elem_expr:
7100 for (i = 0; i < num_exprs && expr_array[i]; i++)
7101 nft_expr_destroy(ctx, expr_array[i]);
7102 err_set_elem_expr_clone:
7103 return err;
7104 }
7105
nf_tables_newsetelem(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])7106 static int nf_tables_newsetelem(struct sk_buff *skb,
7107 const struct nfnl_info *info,
7108 const struct nlattr * const nla[])
7109 {
7110 struct netlink_ext_ack *extack = info->extack;
7111 u8 genmask = nft_genmask_next(info->net);
7112 u8 family = info->nfmsg->nfgen_family;
7113 struct net *net = info->net;
7114 const struct nlattr *attr;
7115 struct nft_table *table;
7116 struct nft_set *set;
7117 struct nft_ctx ctx;
7118 int rem, err;
7119
7120 if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
7121 return -EINVAL;
7122
7123 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
7124 genmask, NETLINK_CB(skb).portid);
7125 if (IS_ERR(table)) {
7126 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
7127 return PTR_ERR(table);
7128 }
7129
7130 set = nft_set_lookup_global(net, table, nla[NFTA_SET_ELEM_LIST_SET],
7131 nla[NFTA_SET_ELEM_LIST_SET_ID], genmask);
7132 if (IS_ERR(set))
7133 return PTR_ERR(set);
7134
7135 if (!list_empty(&set->bindings) &&
7136 (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS)))
7137 return -EBUSY;
7138
7139 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7140
7141 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
7142 err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags);
7143 if (err < 0) {
7144 NL_SET_BAD_ATTR(extack, attr);
7145 return err;
7146 }
7147 }
7148
7149 if (table->validate_state == NFT_VALIDATE_DO)
7150 return nft_table_validate(net, table);
7151
7152 return 0;
7153 }
7154
7155 /**
7156 * nft_data_hold - hold a nft_data item
7157 *
7158 * @data: struct nft_data to release
7159 * @type: type of data
7160 *
7161 * Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
7162 * NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
7163 * NFT_GOTO verdicts. This function must be called on active data objects
7164 * from the second phase of the commit protocol.
7165 */
nft_data_hold(const struct nft_data * data,enum nft_data_types type)7166 void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
7167 {
7168 struct nft_chain *chain;
7169
7170 if (type == NFT_DATA_VERDICT) {
7171 switch (data->verdict.code) {
7172 case NFT_JUMP:
7173 case NFT_GOTO:
7174 chain = data->verdict.chain;
7175 nft_use_inc_restore(&chain->use);
7176 break;
7177 }
7178 }
7179 }
7180
nft_setelem_active_next(const struct net * net,const struct nft_set * set,struct nft_set_elem * elem)7181 static int nft_setelem_active_next(const struct net *net,
7182 const struct nft_set *set,
7183 struct nft_set_elem *elem)
7184 {
7185 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
7186 u8 genmask = nft_genmask_next(net);
7187
7188 return nft_set_elem_active(ext, genmask);
7189 }
7190
nft_setelem_data_activate(const struct net * net,const struct nft_set * set,struct nft_set_elem * elem)7191 static void nft_setelem_data_activate(const struct net *net,
7192 const struct nft_set *set,
7193 struct nft_set_elem *elem)
7194 {
7195 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
7196
7197 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
7198 nft_data_hold(nft_set_ext_data(ext), set->dtype);
7199 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
7200 nft_use_inc_restore(&(*nft_set_ext_obj(ext))->use);
7201 }
7202
nft_setelem_data_deactivate(const struct net * net,const struct nft_set * set,struct nft_set_elem * elem)7203 void nft_setelem_data_deactivate(const struct net *net,
7204 const struct nft_set *set,
7205 struct nft_set_elem *elem)
7206 {
7207 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
7208
7209 if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
7210 nft_data_release(nft_set_ext_data(ext), set->dtype);
7211 if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
7212 nft_use_dec(&(*nft_set_ext_obj(ext))->use);
7213 }
7214
nft_del_setelem(struct nft_ctx * ctx,struct nft_set * set,const struct nlattr * attr)7215 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
7216 const struct nlattr *attr)
7217 {
7218 struct nlattr *nla[NFTA_SET_ELEM_MAX + 1];
7219 struct nft_set_ext_tmpl tmpl;
7220 struct nft_set_elem elem;
7221 struct nft_set_ext *ext;
7222 struct nft_trans *trans;
7223 u32 flags = 0;
7224 int err;
7225
7226 err = nla_parse_nested_deprecated(nla, NFTA_SET_ELEM_MAX, attr,
7227 nft_set_elem_policy, NULL);
7228 if (err < 0)
7229 return err;
7230
7231 err = nft_setelem_parse_flags(set, nla[NFTA_SET_ELEM_FLAGS], &flags);
7232 if (err < 0)
7233 return err;
7234
7235 if (!nla[NFTA_SET_ELEM_KEY] && !(flags & NFT_SET_ELEM_CATCHALL))
7236 return -EINVAL;
7237
7238 if (!nft_setelem_valid_key_end(set, nla, flags))
7239 return -EINVAL;
7240
7241 nft_set_ext_prepare(&tmpl);
7242
7243 if (flags != 0) {
7244 err = nft_set_ext_add(&tmpl, NFT_SET_EXT_FLAGS);
7245 if (err < 0)
7246 return err;
7247 }
7248
7249 if (nla[NFTA_SET_ELEM_KEY]) {
7250 err = nft_setelem_parse_key(ctx, set, &elem.key.val,
7251 nla[NFTA_SET_ELEM_KEY]);
7252 if (err < 0)
7253 return err;
7254
7255 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY, set->klen);
7256 if (err < 0)
7257 goto fail_elem;
7258 }
7259
7260 if (nla[NFTA_SET_ELEM_KEY_END]) {
7261 err = nft_setelem_parse_key(ctx, set, &elem.key_end.val,
7262 nla[NFTA_SET_ELEM_KEY_END]);
7263 if (err < 0)
7264 goto fail_elem;
7265
7266 err = nft_set_ext_add_length(&tmpl, NFT_SET_EXT_KEY_END, set->klen);
7267 if (err < 0)
7268 goto fail_elem_key_end;
7269 }
7270
7271 err = -ENOMEM;
7272 elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
7273 elem.key_end.val.data, NULL, 0, 0,
7274 GFP_KERNEL_ACCOUNT);
7275 if (IS_ERR(elem.priv)) {
7276 err = PTR_ERR(elem.priv);
7277 goto fail_elem_key_end;
7278 }
7279
7280 ext = nft_set_elem_ext(set, elem.priv);
7281 if (flags)
7282 *nft_set_ext_flags(ext) = flags;
7283
7284 trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
7285 if (trans == NULL)
7286 goto fail_trans;
7287
7288 err = nft_setelem_deactivate(ctx->net, set, &elem, flags);
7289 if (err < 0)
7290 goto fail_ops;
7291
7292 nft_setelem_data_deactivate(ctx->net, set, &elem);
7293
7294 nft_trans_elem(trans) = elem;
7295 nft_trans_commit_list_add_tail(ctx->net, trans);
7296 return 0;
7297
7298 fail_ops:
7299 kfree(trans);
7300 fail_trans:
7301 kfree(elem.priv);
7302 fail_elem_key_end:
7303 nft_data_release(&elem.key_end.val, NFT_DATA_VALUE);
7304 fail_elem:
7305 nft_data_release(&elem.key.val, NFT_DATA_VALUE);
7306 return err;
7307 }
7308
nft_setelem_flush(const struct nft_ctx * ctx,struct nft_set * set,const struct nft_set_iter * iter,struct nft_set_elem * elem)7309 static int nft_setelem_flush(const struct nft_ctx *ctx,
7310 struct nft_set *set,
7311 const struct nft_set_iter *iter,
7312 struct nft_set_elem *elem)
7313 {
7314 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
7315 struct nft_trans *trans;
7316 int err;
7317
7318 if (!nft_set_elem_active(ext, iter->genmask))
7319 return 0;
7320
7321 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
7322 sizeof(struct nft_trans_elem), GFP_ATOMIC);
7323 if (!trans)
7324 return -ENOMEM;
7325
7326 if (!set->ops->flush(ctx->net, set, elem->priv)) {
7327 err = -ENOENT;
7328 goto err1;
7329 }
7330 set->ndeact++;
7331
7332 nft_setelem_data_deactivate(ctx->net, set, elem);
7333 nft_trans_elem_set(trans) = set;
7334 nft_trans_elem(trans) = *elem;
7335 nft_trans_commit_list_add_tail(ctx->net, trans);
7336
7337 return 0;
7338 err1:
7339 kfree(trans);
7340 return err;
7341 }
7342
__nft_set_catchall_flush(const struct nft_ctx * ctx,struct nft_set * set,struct nft_set_elem * elem)7343 static int __nft_set_catchall_flush(const struct nft_ctx *ctx,
7344 struct nft_set *set,
7345 struct nft_set_elem *elem)
7346 {
7347 struct nft_trans *trans;
7348
7349 trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
7350 sizeof(struct nft_trans_elem), GFP_KERNEL);
7351 if (!trans)
7352 return -ENOMEM;
7353
7354 nft_setelem_data_deactivate(ctx->net, set, elem);
7355 nft_trans_elem_set(trans) = set;
7356 nft_trans_elem(trans) = *elem;
7357 nft_trans_commit_list_add_tail(ctx->net, trans);
7358
7359 return 0;
7360 }
7361
nft_set_catchall_flush(const struct nft_ctx * ctx,struct nft_set * set)7362 static int nft_set_catchall_flush(const struct nft_ctx *ctx,
7363 struct nft_set *set)
7364 {
7365 u8 genmask = nft_genmask_next(ctx->net);
7366 struct nft_set_elem_catchall *catchall;
7367 struct nft_set_elem elem;
7368 struct nft_set_ext *ext;
7369 int ret = 0;
7370
7371 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
7372 ext = nft_set_elem_ext(set, catchall->elem);
7373 if (!nft_set_elem_active(ext, genmask))
7374 continue;
7375
7376 elem.priv = catchall->elem;
7377 ret = __nft_set_catchall_flush(ctx, set, &elem);
7378 if (ret < 0)
7379 break;
7380 nft_set_elem_change_active(ctx->net, set, ext);
7381 }
7382
7383 return ret;
7384 }
7385
nft_set_flush(struct nft_ctx * ctx,struct nft_set * set,u8 genmask)7386 static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask)
7387 {
7388 struct nft_set_iter iter = {
7389 .genmask = genmask,
7390 .type = NFT_ITER_UPDATE,
7391 .fn = nft_setelem_flush,
7392 };
7393
7394 set->ops->walk(ctx, set, &iter);
7395 if (!iter.err)
7396 iter.err = nft_set_catchall_flush(ctx, set);
7397
7398 return iter.err;
7399 }
7400
nf_tables_delsetelem(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])7401 static int nf_tables_delsetelem(struct sk_buff *skb,
7402 const struct nfnl_info *info,
7403 const struct nlattr * const nla[])
7404 {
7405 struct netlink_ext_ack *extack = info->extack;
7406 u8 genmask = nft_genmask_next(info->net);
7407 u8 family = info->nfmsg->nfgen_family;
7408 struct net *net = info->net;
7409 const struct nlattr *attr;
7410 struct nft_table *table;
7411 struct nft_set *set;
7412 struct nft_ctx ctx;
7413 int rem, err = 0;
7414
7415 table = nft_table_lookup(net, nla[NFTA_SET_ELEM_LIST_TABLE], family,
7416 genmask, NETLINK_CB(skb).portid);
7417 if (IS_ERR(table)) {
7418 NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_TABLE]);
7419 return PTR_ERR(table);
7420 }
7421
7422 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
7423 if (IS_ERR(set))
7424 return PTR_ERR(set);
7425
7426 if (nft_set_is_anonymous(set))
7427 return -EOPNOTSUPP;
7428
7429 if (!list_empty(&set->bindings) && (set->flags & NFT_SET_CONSTANT))
7430 return -EBUSY;
7431
7432 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7433
7434 if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
7435 return nft_set_flush(&ctx, set, genmask);
7436
7437 nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
7438 err = nft_del_setelem(&ctx, set, attr);
7439 if (err == -ENOENT &&
7440 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYSETELEM)
7441 continue;
7442
7443 if (err < 0) {
7444 NL_SET_BAD_ATTR(extack, attr);
7445 return err;
7446 }
7447 }
7448
7449 return 0;
7450 }
7451
7452 /*
7453 * Stateful objects
7454 */
7455
7456 /**
7457 * nft_register_obj- register nf_tables stateful object type
7458 * @obj_type: object type
7459 *
7460 * Registers the object type for use with nf_tables. Returns zero on
7461 * success or a negative errno code otherwise.
7462 */
nft_register_obj(struct nft_object_type * obj_type)7463 int nft_register_obj(struct nft_object_type *obj_type)
7464 {
7465 if (obj_type->type == NFT_OBJECT_UNSPEC)
7466 return -EINVAL;
7467
7468 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7469 list_add_rcu(&obj_type->list, &nf_tables_objects);
7470 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7471 return 0;
7472 }
7473 EXPORT_SYMBOL_GPL(nft_register_obj);
7474
7475 /**
7476 * nft_unregister_obj - unregister nf_tables object type
7477 * @obj_type: object type
7478 *
7479 * Unregisters the object type for use with nf_tables.
7480 */
nft_unregister_obj(struct nft_object_type * obj_type)7481 void nft_unregister_obj(struct nft_object_type *obj_type)
7482 {
7483 nfnl_lock(NFNL_SUBSYS_NFTABLES);
7484 list_del_rcu(&obj_type->list);
7485 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
7486 }
7487 EXPORT_SYMBOL_GPL(nft_unregister_obj);
7488
nft_obj_lookup(const struct net * net,const struct nft_table * table,const struct nlattr * nla,u32 objtype,u8 genmask)7489 struct nft_object *nft_obj_lookup(const struct net *net,
7490 const struct nft_table *table,
7491 const struct nlattr *nla, u32 objtype,
7492 u8 genmask)
7493 {
7494 struct nft_object_hash_key k = { .table = table };
7495 char search[NFT_OBJ_MAXNAMELEN];
7496 struct rhlist_head *tmp, *list;
7497 struct nft_object *obj;
7498
7499 nla_strscpy(search, nla, sizeof(search));
7500 k.name = search;
7501
7502 WARN_ON_ONCE(!rcu_read_lock_held() &&
7503 !lockdep_commit_lock_is_held(net));
7504
7505 rcu_read_lock();
7506 list = rhltable_lookup(&nft_objname_ht, &k, nft_objname_ht_params);
7507 if (!list)
7508 goto out;
7509
7510 rhl_for_each_entry_rcu(obj, tmp, list, rhlhead) {
7511 if (objtype == obj->ops->type->type &&
7512 nft_active_genmask(obj, genmask)) {
7513 rcu_read_unlock();
7514 return obj;
7515 }
7516 }
7517 out:
7518 rcu_read_unlock();
7519 return ERR_PTR(-ENOENT);
7520 }
7521 EXPORT_SYMBOL_GPL(nft_obj_lookup);
7522
nft_obj_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u32 objtype,u8 genmask)7523 static struct nft_object *nft_obj_lookup_byhandle(const struct nft_table *table,
7524 const struct nlattr *nla,
7525 u32 objtype, u8 genmask)
7526 {
7527 struct nft_object *obj;
7528
7529 list_for_each_entry(obj, &table->objects, list) {
7530 if (be64_to_cpu(nla_get_be64(nla)) == obj->handle &&
7531 objtype == obj->ops->type->type &&
7532 nft_active_genmask(obj, genmask))
7533 return obj;
7534 }
7535 return ERR_PTR(-ENOENT);
7536 }
7537
7538 static const struct nla_policy nft_obj_policy[NFTA_OBJ_MAX + 1] = {
7539 [NFTA_OBJ_TABLE] = { .type = NLA_STRING,
7540 .len = NFT_TABLE_MAXNAMELEN - 1 },
7541 [NFTA_OBJ_NAME] = { .type = NLA_STRING,
7542 .len = NFT_OBJ_MAXNAMELEN - 1 },
7543 [NFTA_OBJ_TYPE] = { .type = NLA_U32 },
7544 [NFTA_OBJ_DATA] = { .type = NLA_NESTED },
7545 [NFTA_OBJ_HANDLE] = { .type = NLA_U64},
7546 [NFTA_OBJ_USERDATA] = { .type = NLA_BINARY,
7547 .len = NFT_USERDATA_MAXLEN },
7548 };
7549
nft_obj_init(const struct nft_ctx * ctx,const struct nft_object_type * type,const struct nlattr * attr)7550 static struct nft_object *nft_obj_init(const struct nft_ctx *ctx,
7551 const struct nft_object_type *type,
7552 const struct nlattr *attr)
7553 {
7554 struct nlattr **tb;
7555 const struct nft_object_ops *ops;
7556 struct nft_object *obj;
7557 int err = -ENOMEM;
7558
7559 tb = kmalloc_array(type->maxattr + 1, sizeof(*tb), GFP_KERNEL);
7560 if (!tb)
7561 goto err1;
7562
7563 if (attr) {
7564 err = nla_parse_nested_deprecated(tb, type->maxattr, attr,
7565 type->policy, NULL);
7566 if (err < 0)
7567 goto err2;
7568 } else {
7569 memset(tb, 0, sizeof(tb[0]) * (type->maxattr + 1));
7570 }
7571
7572 if (type->select_ops) {
7573 ops = type->select_ops(ctx, (const struct nlattr * const *)tb);
7574 if (IS_ERR(ops)) {
7575 err = PTR_ERR(ops);
7576 goto err2;
7577 }
7578 } else {
7579 ops = type->ops;
7580 }
7581
7582 err = -ENOMEM;
7583 obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT);
7584 if (!obj)
7585 goto err2;
7586
7587 err = ops->init(ctx, (const struct nlattr * const *)tb, obj);
7588 if (err < 0)
7589 goto err3;
7590
7591 obj->ops = ops;
7592
7593 kfree(tb);
7594 return obj;
7595 err3:
7596 kfree(obj);
7597 err2:
7598 kfree(tb);
7599 err1:
7600 return ERR_PTR(err);
7601 }
7602
nft_object_dump(struct sk_buff * skb,unsigned int attr,struct nft_object * obj,bool reset)7603 static int nft_object_dump(struct sk_buff *skb, unsigned int attr,
7604 struct nft_object *obj, bool reset)
7605 {
7606 struct nlattr *nest;
7607
7608 nest = nla_nest_start_noflag(skb, attr);
7609 if (!nest)
7610 goto nla_put_failure;
7611 if (obj->ops->dump(skb, obj, reset) < 0)
7612 goto nla_put_failure;
7613 nla_nest_end(skb, nest);
7614 return 0;
7615
7616 nla_put_failure:
7617 return -1;
7618 }
7619
__nft_obj_type_get(u32 objtype,u8 family)7620 static const struct nft_object_type *__nft_obj_type_get(u32 objtype, u8 family)
7621 {
7622 const struct nft_object_type *type;
7623
7624 list_for_each_entry_rcu(type, &nf_tables_objects, list) {
7625 if (type->family != NFPROTO_UNSPEC &&
7626 type->family != family)
7627 continue;
7628
7629 if (objtype == type->type)
7630 return type;
7631 }
7632 return NULL;
7633 }
7634
7635 static const struct nft_object_type *
nft_obj_type_get(struct net * net,u32 objtype,u8 family)7636 nft_obj_type_get(struct net *net, u32 objtype, u8 family)
7637 {
7638 const struct nft_object_type *type;
7639
7640 rcu_read_lock();
7641 type = __nft_obj_type_get(objtype, family);
7642 if (type != NULL && try_module_get(type->owner)) {
7643 rcu_read_unlock();
7644 return type;
7645 }
7646 rcu_read_unlock();
7647
7648 lockdep_nfnl_nft_mutex_not_held();
7649 #ifdef CONFIG_MODULES
7650 if (type == NULL) {
7651 if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
7652 return ERR_PTR(-EAGAIN);
7653 }
7654 #endif
7655 return ERR_PTR(-ENOENT);
7656 }
7657
nf_tables_updobj(const struct nft_ctx * ctx,const struct nft_object_type * type,const struct nlattr * attr,struct nft_object * obj)7658 static int nf_tables_updobj(const struct nft_ctx *ctx,
7659 const struct nft_object_type *type,
7660 const struct nlattr *attr,
7661 struct nft_object *obj)
7662 {
7663 struct nft_object *newobj;
7664 struct nft_trans *trans;
7665 int err = -ENOMEM;
7666
7667 /* caller must have obtained type->owner reference. */
7668 trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
7669 sizeof(struct nft_trans_obj));
7670 if (!trans)
7671 goto err_trans;
7672
7673 newobj = nft_obj_init(ctx, type, attr);
7674 if (IS_ERR(newobj)) {
7675 err = PTR_ERR(newobj);
7676 goto err_free_trans;
7677 }
7678
7679 nft_trans_obj(trans) = obj;
7680 nft_trans_obj_update(trans) = true;
7681 nft_trans_obj_newobj(trans) = newobj;
7682 nft_trans_commit_list_add_tail(ctx->net, trans);
7683
7684 return 0;
7685
7686 err_free_trans:
7687 kfree(trans);
7688 err_trans:
7689 module_put(type->owner);
7690 return err;
7691 }
7692
nf_tables_newobj(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])7693 static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
7694 const struct nlattr * const nla[])
7695 {
7696 struct netlink_ext_ack *extack = info->extack;
7697 u8 genmask = nft_genmask_next(info->net);
7698 u8 family = info->nfmsg->nfgen_family;
7699 const struct nft_object_type *type;
7700 struct net *net = info->net;
7701 struct nft_table *table;
7702 struct nft_object *obj;
7703 struct nft_ctx ctx;
7704 u32 objtype;
7705 int err;
7706
7707 if (!nla[NFTA_OBJ_TYPE] ||
7708 !nla[NFTA_OBJ_NAME] ||
7709 !nla[NFTA_OBJ_DATA])
7710 return -EINVAL;
7711
7712 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
7713 NETLINK_CB(skb).portid);
7714 if (IS_ERR(table)) {
7715 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
7716 return PTR_ERR(table);
7717 }
7718
7719 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7720 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
7721 if (IS_ERR(obj)) {
7722 err = PTR_ERR(obj);
7723 if (err != -ENOENT) {
7724 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7725 return err;
7726 }
7727 } else {
7728 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
7729 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
7730 return -EEXIST;
7731 }
7732 if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
7733 return -EOPNOTSUPP;
7734
7735 if (!obj->ops->update)
7736 return 0;
7737
7738 type = nft_obj_type_get(net, objtype, family);
7739 if (WARN_ON_ONCE(IS_ERR(type)))
7740 return PTR_ERR(type);
7741
7742 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7743
7744 /* type->owner reference is put when transaction object is released. */
7745 return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
7746 }
7747
7748 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7749
7750 if (!nft_use_inc(&table->use))
7751 return -EMFILE;
7752
7753 type = nft_obj_type_get(net, objtype, family);
7754 if (IS_ERR(type)) {
7755 err = PTR_ERR(type);
7756 goto err_type;
7757 }
7758
7759 obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]);
7760 if (IS_ERR(obj)) {
7761 err = PTR_ERR(obj);
7762 goto err_init;
7763 }
7764 obj->key.table = table;
7765 obj->handle = nf_tables_alloc_handle(table);
7766
7767 obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT);
7768 if (!obj->key.name) {
7769 err = -ENOMEM;
7770 goto err_strdup;
7771 }
7772
7773 if (nla[NFTA_OBJ_USERDATA]) {
7774 obj->udata = nla_memdup(nla[NFTA_OBJ_USERDATA], GFP_KERNEL_ACCOUNT);
7775 if (obj->udata == NULL)
7776 goto err_userdata;
7777
7778 obj->udlen = nla_len(nla[NFTA_OBJ_USERDATA]);
7779 }
7780
7781 err = nft_trans_obj_add(&ctx, NFT_MSG_NEWOBJ, obj);
7782 if (err < 0)
7783 goto err_trans;
7784
7785 err = rhltable_insert(&nft_objname_ht, &obj->rhlhead,
7786 nft_objname_ht_params);
7787 if (err < 0)
7788 goto err_obj_ht;
7789
7790 list_add_tail_rcu(&obj->list, &table->objects);
7791
7792 return 0;
7793 err_obj_ht:
7794 /* queued in transaction log */
7795 INIT_LIST_HEAD(&obj->list);
7796 return err;
7797 err_trans:
7798 kfree(obj->udata);
7799 err_userdata:
7800 kfree(obj->key.name);
7801 err_strdup:
7802 if (obj->ops->destroy)
7803 obj->ops->destroy(&ctx, obj);
7804 kfree(obj);
7805 err_init:
7806 module_put(type->owner);
7807 err_type:
7808 nft_use_dec_restore(&table->use);
7809
7810 return err;
7811 }
7812
nf_tables_fill_obj_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,const struct nft_table * table,struct nft_object * obj,bool reset)7813 static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net,
7814 u32 portid, u32 seq, int event, u32 flags,
7815 int family, const struct nft_table *table,
7816 struct nft_object *obj, bool reset)
7817 {
7818 struct nlmsghdr *nlh;
7819
7820 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
7821 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
7822 NFNETLINK_V0, nft_base_seq(net));
7823 if (!nlh)
7824 goto nla_put_failure;
7825
7826 if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
7827 nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
7828 nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle),
7829 NFTA_OBJ_PAD))
7830 goto nla_put_failure;
7831
7832 if (event == NFT_MSG_DELOBJ) {
7833 nlmsg_end(skb, nlh);
7834 return 0;
7835 }
7836
7837 if (nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) ||
7838 nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) ||
7839 nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset))
7840 goto nla_put_failure;
7841
7842 if (obj->udata &&
7843 nla_put(skb, NFTA_OBJ_USERDATA, obj->udlen, obj->udata))
7844 goto nla_put_failure;
7845
7846 nlmsg_end(skb, nlh);
7847 return 0;
7848
7849 nla_put_failure:
7850 nlmsg_trim(skb, nlh);
7851 return -1;
7852 }
7853
audit_log_obj_reset(const struct nft_table * table,unsigned int base_seq,unsigned int nentries)7854 static void audit_log_obj_reset(const struct nft_table *table,
7855 unsigned int base_seq, unsigned int nentries)
7856 {
7857 char *buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, base_seq);
7858
7859 audit_log_nfcfg(buf, table->family, nentries,
7860 AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC);
7861 kfree(buf);
7862 }
7863
7864 struct nft_obj_dump_ctx {
7865 unsigned int s_idx;
7866 char *table;
7867 u32 type;
7868 bool reset;
7869 };
7870
nf_tables_dump_obj(struct sk_buff * skb,struct netlink_callback * cb)7871 static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
7872 {
7873 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
7874 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
7875 struct net *net = sock_net(skb->sk);
7876 int family = nfmsg->nfgen_family;
7877 struct nftables_pernet *nft_net;
7878 const struct nft_table *table;
7879 unsigned int entries = 0;
7880 struct nft_object *obj;
7881 unsigned int idx = 0;
7882 int rc = 0;
7883
7884 rcu_read_lock();
7885 nft_net = nft_pernet(net);
7886 cb->seq = READ_ONCE(nft_net->base_seq);
7887
7888 list_for_each_entry_rcu(table, &nft_net->tables, list) {
7889 if (family != NFPROTO_UNSPEC && family != table->family)
7890 continue;
7891
7892 entries = 0;
7893 list_for_each_entry_rcu(obj, &table->objects, list) {
7894 if (!nft_is_active(net, obj))
7895 goto cont;
7896 if (idx < ctx->s_idx)
7897 goto cont;
7898 if (ctx->table && strcmp(ctx->table, table->name))
7899 goto cont;
7900 if (ctx->type != NFT_OBJECT_UNSPEC &&
7901 obj->ops->type->type != ctx->type)
7902 goto cont;
7903
7904 rc = nf_tables_fill_obj_info(skb, net,
7905 NETLINK_CB(cb->skb).portid,
7906 cb->nlh->nlmsg_seq,
7907 NFT_MSG_NEWOBJ,
7908 NLM_F_MULTI | NLM_F_APPEND,
7909 table->family, table,
7910 obj, ctx->reset);
7911 if (rc < 0)
7912 break;
7913
7914 entries++;
7915 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
7916 cont:
7917 idx++;
7918 }
7919 if (ctx->reset && entries)
7920 audit_log_obj_reset(table, nft_net->base_seq, entries);
7921 if (rc < 0)
7922 break;
7923 }
7924 rcu_read_unlock();
7925
7926 ctx->s_idx = idx;
7927 return skb->len;
7928 }
7929
nf_tables_dumpreset_obj(struct sk_buff * skb,struct netlink_callback * cb)7930 static int nf_tables_dumpreset_obj(struct sk_buff *skb,
7931 struct netlink_callback *cb)
7932 {
7933 struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk));
7934 int ret;
7935
7936 mutex_lock(&nft_net->commit_mutex);
7937 ret = nf_tables_dump_obj(skb, cb);
7938 mutex_unlock(&nft_net->commit_mutex);
7939
7940 return ret;
7941 }
7942
nf_tables_dump_obj_start(struct netlink_callback * cb)7943 static int nf_tables_dump_obj_start(struct netlink_callback *cb)
7944 {
7945 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
7946 const struct nlattr * const *nla = cb->data;
7947
7948 BUILD_BUG_ON(sizeof(*ctx) > sizeof(cb->ctx));
7949
7950 if (nla[NFTA_OBJ_TABLE]) {
7951 ctx->table = nla_strdup(nla[NFTA_OBJ_TABLE], GFP_ATOMIC);
7952 if (!ctx->table)
7953 return -ENOMEM;
7954 }
7955
7956 if (nla[NFTA_OBJ_TYPE])
7957 ctx->type = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
7958
7959 return 0;
7960 }
7961
nf_tables_dumpreset_obj_start(struct netlink_callback * cb)7962 static int nf_tables_dumpreset_obj_start(struct netlink_callback *cb)
7963 {
7964 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
7965
7966 ctx->reset = true;
7967
7968 return nf_tables_dump_obj_start(cb);
7969 }
7970
nf_tables_dump_obj_done(struct netlink_callback * cb)7971 static int nf_tables_dump_obj_done(struct netlink_callback *cb)
7972 {
7973 struct nft_obj_dump_ctx *ctx = (void *)cb->ctx;
7974
7975 kfree(ctx->table);
7976
7977 return 0;
7978 }
7979
7980 /* Caller must hold rcu read lock or transaction mutex */
7981 static struct sk_buff *
nf_tables_getobj_single(u32 portid,const struct nfnl_info * info,const struct nlattr * const nla[],bool reset)7982 nf_tables_getobj_single(u32 portid, const struct nfnl_info *info,
7983 const struct nlattr * const nla[], bool reset)
7984 {
7985 struct netlink_ext_ack *extack = info->extack;
7986 u8 genmask = nft_genmask_cur(info->net);
7987 u8 family = info->nfmsg->nfgen_family;
7988 const struct nft_table *table;
7989 struct net *net = info->net;
7990 struct nft_object *obj;
7991 struct sk_buff *skb2;
7992 u32 objtype;
7993 int err;
7994
7995 if (!nla[NFTA_OBJ_NAME] ||
7996 !nla[NFTA_OBJ_TYPE])
7997 return ERR_PTR(-EINVAL);
7998
7999 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask, 0);
8000 if (IS_ERR(table)) {
8001 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
8002 return ERR_CAST(table);
8003 }
8004
8005 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8006 obj = nft_obj_lookup(net, table, nla[NFTA_OBJ_NAME], objtype, genmask);
8007 if (IS_ERR(obj)) {
8008 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_NAME]);
8009 return ERR_CAST(obj);
8010 }
8011
8012 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
8013 if (!skb2)
8014 return ERR_PTR(-ENOMEM);
8015
8016 err = nf_tables_fill_obj_info(skb2, net, portid,
8017 info->nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
8018 family, table, obj, reset);
8019 if (err < 0) {
8020 kfree_skb(skb2);
8021 return ERR_PTR(err);
8022 }
8023
8024 return skb2;
8025 }
8026
nf_tables_getobj(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8027 static int nf_tables_getobj(struct sk_buff *skb, const struct nfnl_info *info,
8028 const struct nlattr * const nla[])
8029 {
8030 u32 portid = NETLINK_CB(skb).portid;
8031 struct sk_buff *skb2;
8032
8033 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
8034 struct netlink_dump_control c = {
8035 .start = nf_tables_dump_obj_start,
8036 .dump = nf_tables_dump_obj,
8037 .done = nf_tables_dump_obj_done,
8038 .module = THIS_MODULE,
8039 .data = (void *)nla,
8040 };
8041
8042 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
8043 }
8044
8045 skb2 = nf_tables_getobj_single(portid, info, nla, false);
8046 if (IS_ERR(skb2))
8047 return PTR_ERR(skb2);
8048
8049 return nfnetlink_unicast(skb2, info->net, portid);
8050 }
8051
nf_tables_getobj_reset(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8052 static int nf_tables_getobj_reset(struct sk_buff *skb,
8053 const struct nfnl_info *info,
8054 const struct nlattr * const nla[])
8055 {
8056 struct nftables_pernet *nft_net = nft_pernet(info->net);
8057 u32 portid = NETLINK_CB(skb).portid;
8058 struct net *net = info->net;
8059 struct sk_buff *skb2;
8060 char *buf;
8061
8062 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
8063 struct netlink_dump_control c = {
8064 .start = nf_tables_dumpreset_obj_start,
8065 .dump = nf_tables_dumpreset_obj,
8066 .done = nf_tables_dump_obj_done,
8067 .module = THIS_MODULE,
8068 .data = (void *)nla,
8069 };
8070
8071 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
8072 }
8073
8074 if (!try_module_get(THIS_MODULE))
8075 return -EINVAL;
8076 rcu_read_unlock();
8077 mutex_lock(&nft_net->commit_mutex);
8078 skb2 = nf_tables_getobj_single(portid, info, nla, true);
8079 mutex_unlock(&nft_net->commit_mutex);
8080 rcu_read_lock();
8081 module_put(THIS_MODULE);
8082
8083 if (IS_ERR(skb2))
8084 return PTR_ERR(skb2);
8085
8086 buf = kasprintf(GFP_ATOMIC, "%.*s:%u",
8087 nla_len(nla[NFTA_OBJ_TABLE]),
8088 (char *)nla_data(nla[NFTA_OBJ_TABLE]),
8089 nft_net->base_seq);
8090 audit_log_nfcfg(buf, info->nfmsg->nfgen_family, 1,
8091 AUDIT_NFT_OP_OBJ_RESET, GFP_ATOMIC);
8092 kfree(buf);
8093
8094 return nfnetlink_unicast(skb2, net, portid);
8095 }
8096
nft_obj_destroy(const struct nft_ctx * ctx,struct nft_object * obj)8097 static void nft_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
8098 {
8099 if (obj->ops->destroy)
8100 obj->ops->destroy(ctx, obj);
8101
8102 module_put(obj->ops->type->owner);
8103 kfree(obj->key.name);
8104 kfree(obj->udata);
8105 kfree(obj);
8106 }
8107
nf_tables_delobj(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8108 static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info,
8109 const struct nlattr * const nla[])
8110 {
8111 struct netlink_ext_ack *extack = info->extack;
8112 u8 genmask = nft_genmask_next(info->net);
8113 u8 family = info->nfmsg->nfgen_family;
8114 struct net *net = info->net;
8115 const struct nlattr *attr;
8116 struct nft_table *table;
8117 struct nft_object *obj;
8118 struct nft_ctx ctx;
8119 u32 objtype;
8120
8121 if (!nla[NFTA_OBJ_TYPE] ||
8122 (!nla[NFTA_OBJ_NAME] && !nla[NFTA_OBJ_HANDLE]))
8123 return -EINVAL;
8124
8125 table = nft_table_lookup(net, nla[NFTA_OBJ_TABLE], family, genmask,
8126 NETLINK_CB(skb).portid);
8127 if (IS_ERR(table)) {
8128 NL_SET_BAD_ATTR(extack, nla[NFTA_OBJ_TABLE]);
8129 return PTR_ERR(table);
8130 }
8131
8132 objtype = ntohl(nla_get_be32(nla[NFTA_OBJ_TYPE]));
8133 if (nla[NFTA_OBJ_HANDLE]) {
8134 attr = nla[NFTA_OBJ_HANDLE];
8135 obj = nft_obj_lookup_byhandle(table, attr, objtype, genmask);
8136 } else {
8137 attr = nla[NFTA_OBJ_NAME];
8138 obj = nft_obj_lookup(net, table, attr, objtype, genmask);
8139 }
8140
8141 if (IS_ERR(obj)) {
8142 if (PTR_ERR(obj) == -ENOENT &&
8143 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYOBJ)
8144 return 0;
8145
8146 NL_SET_BAD_ATTR(extack, attr);
8147 return PTR_ERR(obj);
8148 }
8149 if (obj->use > 0) {
8150 NL_SET_BAD_ATTR(extack, attr);
8151 return -EBUSY;
8152 }
8153
8154 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8155
8156 return nft_delobj(&ctx, obj);
8157 }
8158
8159 static void
__nft_obj_notify(struct net * net,const struct nft_table * table,struct nft_object * obj,u32 portid,u32 seq,int event,u16 flags,int family,int report,gfp_t gfp)8160 __nft_obj_notify(struct net *net, const struct nft_table *table,
8161 struct nft_object *obj, u32 portid, u32 seq, int event,
8162 u16 flags, int family, int report, gfp_t gfp)
8163 {
8164 struct nftables_pernet *nft_net = nft_pernet(net);
8165 struct sk_buff *skb;
8166 int err;
8167
8168 if (!report &&
8169 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
8170 return;
8171
8172 skb = nlmsg_new(NLMSG_GOODSIZE, gfp);
8173 if (skb == NULL)
8174 goto err;
8175
8176 err = nf_tables_fill_obj_info(skb, net, portid, seq, event,
8177 flags & (NLM_F_CREATE | NLM_F_EXCL),
8178 family, table, obj, false);
8179 if (err < 0) {
8180 kfree_skb(skb);
8181 goto err;
8182 }
8183
8184 nft_notify_enqueue(skb, report, &nft_net->notify_list);
8185 return;
8186 err:
8187 nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
8188 }
8189
nft_obj_notify(struct net * net,const struct nft_table * table,struct nft_object * obj,u32 portid,u32 seq,int event,u16 flags,int family,int report,gfp_t gfp)8190 void nft_obj_notify(struct net *net, const struct nft_table *table,
8191 struct nft_object *obj, u32 portid, u32 seq, int event,
8192 u16 flags, int family, int report, gfp_t gfp)
8193 {
8194 struct nftables_pernet *nft_net = nft_pernet(net);
8195 char *buf = kasprintf(gfp, "%s:%u",
8196 table->name, nft_net->base_seq);
8197
8198 audit_log_nfcfg(buf,
8199 family,
8200 obj->handle,
8201 event == NFT_MSG_NEWOBJ ?
8202 AUDIT_NFT_OP_OBJ_REGISTER :
8203 AUDIT_NFT_OP_OBJ_UNREGISTER,
8204 gfp);
8205 kfree(buf);
8206
8207 __nft_obj_notify(net, table, obj, portid, seq, event,
8208 flags, family, report, gfp);
8209 }
8210 EXPORT_SYMBOL_GPL(nft_obj_notify);
8211
nf_tables_obj_notify(const struct nft_ctx * ctx,struct nft_object * obj,int event)8212 static void nf_tables_obj_notify(const struct nft_ctx *ctx,
8213 struct nft_object *obj, int event)
8214 {
8215 __nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid,
8216 ctx->seq, event, ctx->flags, ctx->family,
8217 ctx->report, GFP_KERNEL);
8218 }
8219
8220 /*
8221 * Flow tables
8222 */
nft_register_flowtable_type(struct nf_flowtable_type * type)8223 void nft_register_flowtable_type(struct nf_flowtable_type *type)
8224 {
8225 nfnl_lock(NFNL_SUBSYS_NFTABLES);
8226 list_add_tail_rcu(&type->list, &nf_tables_flowtables);
8227 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
8228 }
8229 EXPORT_SYMBOL_GPL(nft_register_flowtable_type);
8230
nft_unregister_flowtable_type(struct nf_flowtable_type * type)8231 void nft_unregister_flowtable_type(struct nf_flowtable_type *type)
8232 {
8233 nfnl_lock(NFNL_SUBSYS_NFTABLES);
8234 list_del_rcu(&type->list);
8235 nfnl_unlock(NFNL_SUBSYS_NFTABLES);
8236 }
8237 EXPORT_SYMBOL_GPL(nft_unregister_flowtable_type);
8238
8239 static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
8240 [NFTA_FLOWTABLE_TABLE] = { .type = NLA_STRING,
8241 .len = NFT_NAME_MAXLEN - 1 },
8242 [NFTA_FLOWTABLE_NAME] = { .type = NLA_STRING,
8243 .len = NFT_NAME_MAXLEN - 1 },
8244 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
8245 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
8246 [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
8247 };
8248
nft_flowtable_lookup(const struct nft_table * table,const struct nlattr * nla,u8 genmask)8249 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
8250 const struct nlattr *nla, u8 genmask)
8251 {
8252 struct nft_flowtable *flowtable;
8253
8254 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
8255 if (!nla_strcmp(nla, flowtable->name) &&
8256 nft_active_genmask(flowtable, genmask))
8257 return flowtable;
8258 }
8259 return ERR_PTR(-ENOENT);
8260 }
8261 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
8262
nf_tables_deactivate_flowtable(const struct nft_ctx * ctx,struct nft_flowtable * flowtable,enum nft_trans_phase phase)8263 void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
8264 struct nft_flowtable *flowtable,
8265 enum nft_trans_phase phase)
8266 {
8267 switch (phase) {
8268 case NFT_TRANS_PREPARE_ERROR:
8269 case NFT_TRANS_PREPARE:
8270 case NFT_TRANS_ABORT:
8271 case NFT_TRANS_RELEASE:
8272 nft_use_dec(&flowtable->use);
8273 fallthrough;
8274 default:
8275 return;
8276 }
8277 }
8278 EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
8279
8280 static struct nft_flowtable *
nft_flowtable_lookup_byhandle(const struct nft_table * table,const struct nlattr * nla,u8 genmask)8281 nft_flowtable_lookup_byhandle(const struct nft_table *table,
8282 const struct nlattr *nla, u8 genmask)
8283 {
8284 struct nft_flowtable *flowtable;
8285
8286 list_for_each_entry(flowtable, &table->flowtables, list) {
8287 if (be64_to_cpu(nla_get_be64(nla)) == flowtable->handle &&
8288 nft_active_genmask(flowtable, genmask))
8289 return flowtable;
8290 }
8291 return ERR_PTR(-ENOENT);
8292 }
8293
8294 struct nft_flowtable_hook {
8295 u32 num;
8296 int priority;
8297 struct list_head list;
8298 };
8299
8300 static const struct nla_policy nft_flowtable_hook_policy[NFTA_FLOWTABLE_HOOK_MAX + 1] = {
8301 [NFTA_FLOWTABLE_HOOK_NUM] = { .type = NLA_U32 },
8302 [NFTA_FLOWTABLE_HOOK_PRIORITY] = { .type = NLA_U32 },
8303 [NFTA_FLOWTABLE_HOOK_DEVS] = { .type = NLA_NESTED },
8304 };
8305
nft_flowtable_parse_hook(const struct nft_ctx * ctx,const struct nlattr * const nla[],struct nft_flowtable_hook * flowtable_hook,struct nft_flowtable * flowtable,struct netlink_ext_ack * extack,bool add)8306 static int nft_flowtable_parse_hook(const struct nft_ctx *ctx,
8307 const struct nlattr * const nla[],
8308 struct nft_flowtable_hook *flowtable_hook,
8309 struct nft_flowtable *flowtable,
8310 struct netlink_ext_ack *extack, bool add)
8311 {
8312 struct nlattr *tb[NFTA_FLOWTABLE_HOOK_MAX + 1];
8313 struct nft_hook *hook;
8314 int hooknum, priority;
8315 int err;
8316
8317 INIT_LIST_HEAD(&flowtable_hook->list);
8318
8319 err = nla_parse_nested_deprecated(tb, NFTA_FLOWTABLE_HOOK_MAX,
8320 nla[NFTA_FLOWTABLE_HOOK],
8321 nft_flowtable_hook_policy, NULL);
8322 if (err < 0)
8323 return err;
8324
8325 if (add) {
8326 if (!tb[NFTA_FLOWTABLE_HOOK_NUM] ||
8327 !tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
8328 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8329 return -ENOENT;
8330 }
8331
8332 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
8333 if (hooknum != NF_NETDEV_INGRESS)
8334 return -EOPNOTSUPP;
8335
8336 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
8337
8338 flowtable_hook->priority = priority;
8339 flowtable_hook->num = hooknum;
8340 } else {
8341 if (tb[NFTA_FLOWTABLE_HOOK_NUM]) {
8342 hooknum = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_NUM]));
8343 if (hooknum != flowtable->hooknum)
8344 return -EOPNOTSUPP;
8345 }
8346
8347 if (tb[NFTA_FLOWTABLE_HOOK_PRIORITY]) {
8348 priority = ntohl(nla_get_be32(tb[NFTA_FLOWTABLE_HOOK_PRIORITY]));
8349 if (priority != flowtable->data.priority)
8350 return -EOPNOTSUPP;
8351 }
8352
8353 flowtable_hook->priority = flowtable->data.priority;
8354 flowtable_hook->num = flowtable->hooknum;
8355 }
8356
8357 if (tb[NFTA_FLOWTABLE_HOOK_DEVS]) {
8358 err = nf_tables_parse_netdev_hooks(ctx->net,
8359 tb[NFTA_FLOWTABLE_HOOK_DEVS],
8360 &flowtable_hook->list,
8361 extack);
8362 if (err < 0)
8363 return err;
8364 }
8365
8366 list_for_each_entry(hook, &flowtable_hook->list, list) {
8367 hook->ops.pf = NFPROTO_NETDEV;
8368 hook->ops.hooknum = flowtable_hook->num;
8369 hook->ops.priority = flowtable_hook->priority;
8370 hook->ops.priv = &flowtable->data;
8371 hook->ops.hook = flowtable->data.type->hook;
8372 }
8373
8374 return err;
8375 }
8376
8377 /* call under rcu_read_lock */
__nft_flowtable_type_get(u8 family)8378 static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
8379 {
8380 const struct nf_flowtable_type *type;
8381
8382 list_for_each_entry_rcu(type, &nf_tables_flowtables, list) {
8383 if (family == type->family)
8384 return type;
8385 }
8386 return NULL;
8387 }
8388
8389 static const struct nf_flowtable_type *
nft_flowtable_type_get(struct net * net,u8 family)8390 nft_flowtable_type_get(struct net *net, u8 family)
8391 {
8392 const struct nf_flowtable_type *type;
8393
8394 rcu_read_lock();
8395 type = __nft_flowtable_type_get(family);
8396 if (type != NULL && try_module_get(type->owner)) {
8397 rcu_read_unlock();
8398 return type;
8399 }
8400 rcu_read_unlock();
8401
8402 lockdep_nfnl_nft_mutex_not_held();
8403 #ifdef CONFIG_MODULES
8404 if (type == NULL) {
8405 if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
8406 return ERR_PTR(-EAGAIN);
8407 }
8408 #endif
8409 return ERR_PTR(-ENOENT);
8410 }
8411
8412 /* Only called from error and netdev event paths. */
nft_unregister_flowtable_hook(struct net * net,struct nft_flowtable * flowtable,struct nft_hook * hook)8413 static void nft_unregister_flowtable_hook(struct net *net,
8414 struct nft_flowtable *flowtable,
8415 struct nft_hook *hook)
8416 {
8417 nf_unregister_net_hook(net, &hook->ops);
8418 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
8419 FLOW_BLOCK_UNBIND);
8420 }
8421
__nft_unregister_flowtable_net_hooks(struct net * net,struct nft_flowtable * flowtable,struct list_head * hook_list,bool release_netdev)8422 static void __nft_unregister_flowtable_net_hooks(struct net *net,
8423 struct nft_flowtable *flowtable,
8424 struct list_head *hook_list,
8425 bool release_netdev)
8426 {
8427 struct nft_hook *hook, *next;
8428
8429 list_for_each_entry_safe(hook, next, hook_list, list) {
8430 nf_unregister_net_hook(net, &hook->ops);
8431 flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
8432 FLOW_BLOCK_UNBIND);
8433 if (release_netdev) {
8434 list_del(&hook->list);
8435 kfree_rcu(hook, rcu);
8436 }
8437 }
8438 }
8439
nft_unregister_flowtable_net_hooks(struct net * net,struct nft_flowtable * flowtable,struct list_head * hook_list)8440 static void nft_unregister_flowtable_net_hooks(struct net *net,
8441 struct nft_flowtable *flowtable,
8442 struct list_head *hook_list)
8443 {
8444 __nft_unregister_flowtable_net_hooks(net, flowtable, hook_list, false);
8445 }
8446
nft_register_flowtable_net_hooks(struct net * net,struct nft_table * table,struct list_head * hook_list,struct nft_flowtable * flowtable)8447 static int nft_register_flowtable_net_hooks(struct net *net,
8448 struct nft_table *table,
8449 struct list_head *hook_list,
8450 struct nft_flowtable *flowtable)
8451 {
8452 struct nft_hook *hook, *hook2, *next;
8453 struct nft_flowtable *ft;
8454 int err, i = 0;
8455
8456 list_for_each_entry(hook, hook_list, list) {
8457 list_for_each_entry(ft, &table->flowtables, list) {
8458 if (!nft_is_active_next(net, ft))
8459 continue;
8460
8461 list_for_each_entry(hook2, &ft->hook_list, list) {
8462 if (hook->ops.dev == hook2->ops.dev &&
8463 hook->ops.pf == hook2->ops.pf) {
8464 err = -EEXIST;
8465 goto err_unregister_net_hooks;
8466 }
8467 }
8468 }
8469
8470 err = flowtable->data.type->setup(&flowtable->data,
8471 hook->ops.dev,
8472 FLOW_BLOCK_BIND);
8473 if (err < 0)
8474 goto err_unregister_net_hooks;
8475
8476 err = nf_register_net_hook(net, &hook->ops);
8477 if (err < 0) {
8478 flowtable->data.type->setup(&flowtable->data,
8479 hook->ops.dev,
8480 FLOW_BLOCK_UNBIND);
8481 goto err_unregister_net_hooks;
8482 }
8483
8484 i++;
8485 }
8486
8487 return 0;
8488
8489 err_unregister_net_hooks:
8490 list_for_each_entry_safe(hook, next, hook_list, list) {
8491 if (i-- <= 0)
8492 break;
8493
8494 nft_unregister_flowtable_hook(net, flowtable, hook);
8495 list_del_rcu(&hook->list);
8496 kfree_rcu(hook, rcu);
8497 }
8498
8499 return err;
8500 }
8501
nft_hooks_destroy(struct list_head * hook_list)8502 static void nft_hooks_destroy(struct list_head *hook_list)
8503 {
8504 struct nft_hook *hook, *next;
8505
8506 list_for_each_entry_safe(hook, next, hook_list, list) {
8507 list_del_rcu(&hook->list);
8508 kfree_rcu(hook, rcu);
8509 }
8510 }
8511
nft_flowtable_update(struct nft_ctx * ctx,const struct nlmsghdr * nlh,struct nft_flowtable * flowtable,struct netlink_ext_ack * extack)8512 static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
8513 struct nft_flowtable *flowtable,
8514 struct netlink_ext_ack *extack)
8515 {
8516 const struct nlattr * const *nla = ctx->nla;
8517 struct nft_flowtable_hook flowtable_hook;
8518 struct nft_hook *hook, *next;
8519 struct nft_trans *trans;
8520 bool unregister = false;
8521 u32 flags;
8522 int err;
8523
8524 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
8525 extack, false);
8526 if (err < 0)
8527 return err;
8528
8529 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
8530 if (nft_hook_list_find(&flowtable->hook_list, hook)) {
8531 list_del(&hook->list);
8532 kfree(hook);
8533 }
8534 }
8535
8536 if (nla[NFTA_FLOWTABLE_FLAGS]) {
8537 flags = ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
8538 if (flags & ~NFT_FLOWTABLE_MASK) {
8539 err = -EOPNOTSUPP;
8540 goto err_flowtable_update_hook;
8541 }
8542 if ((flowtable->data.flags & NFT_FLOWTABLE_HW_OFFLOAD) ^
8543 (flags & NFT_FLOWTABLE_HW_OFFLOAD)) {
8544 err = -EOPNOTSUPP;
8545 goto err_flowtable_update_hook;
8546 }
8547 } else {
8548 flags = flowtable->data.flags;
8549 }
8550
8551 err = nft_register_flowtable_net_hooks(ctx->net, ctx->table,
8552 &flowtable_hook.list, flowtable);
8553 if (err < 0)
8554 goto err_flowtable_update_hook;
8555
8556 trans = nft_trans_alloc(ctx, NFT_MSG_NEWFLOWTABLE,
8557 sizeof(struct nft_trans_flowtable));
8558 if (!trans) {
8559 unregister = true;
8560 err = -ENOMEM;
8561 goto err_flowtable_update_hook;
8562 }
8563
8564 nft_trans_flowtable_flags(trans) = flags;
8565 nft_trans_flowtable(trans) = flowtable;
8566 nft_trans_flowtable_update(trans) = true;
8567 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
8568 list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans));
8569
8570 nft_trans_commit_list_add_tail(ctx->net, trans);
8571
8572 return 0;
8573
8574 err_flowtable_update_hook:
8575 list_for_each_entry_safe(hook, next, &flowtable_hook.list, list) {
8576 if (unregister)
8577 nft_unregister_flowtable_hook(ctx->net, flowtable, hook);
8578 list_del_rcu(&hook->list);
8579 kfree_rcu(hook, rcu);
8580 }
8581
8582 return err;
8583
8584 }
8585
nf_tables_newflowtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8586 static int nf_tables_newflowtable(struct sk_buff *skb,
8587 const struct nfnl_info *info,
8588 const struct nlattr * const nla[])
8589 {
8590 struct netlink_ext_ack *extack = info->extack;
8591 struct nft_flowtable_hook flowtable_hook;
8592 u8 genmask = nft_genmask_next(info->net);
8593 u8 family = info->nfmsg->nfgen_family;
8594 const struct nf_flowtable_type *type;
8595 struct nft_flowtable *flowtable;
8596 struct net *net = info->net;
8597 struct nft_table *table;
8598 struct nft_trans *trans;
8599 struct nft_ctx ctx;
8600 int err;
8601
8602 if (!nla[NFTA_FLOWTABLE_TABLE] ||
8603 !nla[NFTA_FLOWTABLE_NAME] ||
8604 !nla[NFTA_FLOWTABLE_HOOK])
8605 return -EINVAL;
8606
8607 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8608 genmask, NETLINK_CB(skb).portid);
8609 if (IS_ERR(table)) {
8610 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8611 return PTR_ERR(table);
8612 }
8613
8614 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
8615 genmask);
8616 if (IS_ERR(flowtable)) {
8617 err = PTR_ERR(flowtable);
8618 if (err != -ENOENT) {
8619 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8620 return err;
8621 }
8622 } else {
8623 if (info->nlh->nlmsg_flags & NLM_F_EXCL) {
8624 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);
8625 return -EEXIST;
8626 }
8627
8628 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8629
8630 return nft_flowtable_update(&ctx, info->nlh, flowtable, extack);
8631 }
8632
8633 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8634
8635 if (!nft_use_inc(&table->use))
8636 return -EMFILE;
8637
8638 flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL_ACCOUNT);
8639 if (!flowtable) {
8640 err = -ENOMEM;
8641 goto flowtable_alloc;
8642 }
8643
8644 flowtable->table = table;
8645 flowtable->handle = nf_tables_alloc_handle(table);
8646 INIT_LIST_HEAD(&flowtable->hook_list);
8647
8648 flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL_ACCOUNT);
8649 if (!flowtable->name) {
8650 err = -ENOMEM;
8651 goto err1;
8652 }
8653
8654 type = nft_flowtable_type_get(net, family);
8655 if (IS_ERR(type)) {
8656 err = PTR_ERR(type);
8657 goto err2;
8658 }
8659
8660 if (nla[NFTA_FLOWTABLE_FLAGS]) {
8661 flowtable->data.flags =
8662 ntohl(nla_get_be32(nla[NFTA_FLOWTABLE_FLAGS]));
8663 if (flowtable->data.flags & ~NFT_FLOWTABLE_MASK) {
8664 err = -EOPNOTSUPP;
8665 goto err3;
8666 }
8667 }
8668
8669 write_pnet(&flowtable->data.net, net);
8670 flowtable->data.type = type;
8671 err = type->init(&flowtable->data);
8672 if (err < 0)
8673 goto err3;
8674
8675 err = nft_flowtable_parse_hook(&ctx, nla, &flowtable_hook, flowtable,
8676 extack, true);
8677 if (err < 0)
8678 goto err_flowtable_parse_hooks;
8679
8680 list_splice(&flowtable_hook.list, &flowtable->hook_list);
8681 flowtable->data.priority = flowtable_hook.priority;
8682 flowtable->hooknum = flowtable_hook.num;
8683
8684 trans = nft_trans_flowtable_add(&ctx, NFT_MSG_NEWFLOWTABLE, flowtable);
8685 if (IS_ERR(trans)) {
8686 err = PTR_ERR(trans);
8687 goto err_flowtable_trans;
8688 }
8689
8690 /* This must be LAST to ensure no packets are walking over this flowtable. */
8691 err = nft_register_flowtable_net_hooks(ctx.net, table,
8692 &flowtable->hook_list,
8693 flowtable);
8694 if (err < 0)
8695 goto err_flowtable_hooks;
8696
8697 list_add_tail_rcu(&flowtable->list, &table->flowtables);
8698
8699 return 0;
8700
8701 err_flowtable_hooks:
8702 nft_trans_destroy(trans);
8703 err_flowtable_trans:
8704 nft_hooks_destroy(&flowtable->hook_list);
8705 err_flowtable_parse_hooks:
8706 flowtable->data.type->free(&flowtable->data);
8707 err3:
8708 module_put(type->owner);
8709 err2:
8710 kfree(flowtable->name);
8711 err1:
8712 kfree(flowtable);
8713 flowtable_alloc:
8714 nft_use_dec_restore(&table->use);
8715
8716 return err;
8717 }
8718
nft_flowtable_hook_release(struct nft_flowtable_hook * flowtable_hook)8719 static void nft_flowtable_hook_release(struct nft_flowtable_hook *flowtable_hook)
8720 {
8721 struct nft_hook *this, *next;
8722
8723 list_for_each_entry_safe(this, next, &flowtable_hook->list, list) {
8724 list_del(&this->list);
8725 kfree(this);
8726 }
8727 }
8728
nft_delflowtable_hook(struct nft_ctx * ctx,struct nft_flowtable * flowtable,struct netlink_ext_ack * extack)8729 static int nft_delflowtable_hook(struct nft_ctx *ctx,
8730 struct nft_flowtable *flowtable,
8731 struct netlink_ext_ack *extack)
8732 {
8733 const struct nlattr * const *nla = ctx->nla;
8734 struct nft_flowtable_hook flowtable_hook;
8735 LIST_HEAD(flowtable_del_list);
8736 struct nft_hook *this, *hook;
8737 struct nft_trans *trans;
8738 int err;
8739
8740 err = nft_flowtable_parse_hook(ctx, nla, &flowtable_hook, flowtable,
8741 extack, false);
8742 if (err < 0)
8743 return err;
8744
8745 list_for_each_entry(this, &flowtable_hook.list, list) {
8746 hook = nft_hook_list_find(&flowtable->hook_list, this);
8747 if (!hook) {
8748 err = -ENOENT;
8749 goto err_flowtable_del_hook;
8750 }
8751 list_move(&hook->list, &flowtable_del_list);
8752 }
8753
8754 trans = nft_trans_alloc(ctx, NFT_MSG_DELFLOWTABLE,
8755 sizeof(struct nft_trans_flowtable));
8756 if (!trans) {
8757 err = -ENOMEM;
8758 goto err_flowtable_del_hook;
8759 }
8760
8761 nft_trans_flowtable(trans) = flowtable;
8762 nft_trans_flowtable_update(trans) = true;
8763 INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans));
8764 list_splice(&flowtable_del_list, &nft_trans_flowtable_hooks(trans));
8765 nft_flowtable_hook_release(&flowtable_hook);
8766
8767 nft_trans_commit_list_add_tail(ctx->net, trans);
8768
8769 return 0;
8770
8771 err_flowtable_del_hook:
8772 list_splice(&flowtable_del_list, &flowtable->hook_list);
8773 nft_flowtable_hook_release(&flowtable_hook);
8774
8775 return err;
8776 }
8777
nf_tables_delflowtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8778 static int nf_tables_delflowtable(struct sk_buff *skb,
8779 const struct nfnl_info *info,
8780 const struct nlattr * const nla[])
8781 {
8782 struct netlink_ext_ack *extack = info->extack;
8783 u8 genmask = nft_genmask_next(info->net);
8784 u8 family = info->nfmsg->nfgen_family;
8785 struct nft_flowtable *flowtable;
8786 struct net *net = info->net;
8787 const struct nlattr *attr;
8788 struct nft_table *table;
8789 struct nft_ctx ctx;
8790
8791 if (!nla[NFTA_FLOWTABLE_TABLE] ||
8792 (!nla[NFTA_FLOWTABLE_NAME] &&
8793 !nla[NFTA_FLOWTABLE_HANDLE]))
8794 return -EINVAL;
8795
8796 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
8797 genmask, NETLINK_CB(skb).portid);
8798 if (IS_ERR(table)) {
8799 NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_TABLE]);
8800 return PTR_ERR(table);
8801 }
8802
8803 if (nla[NFTA_FLOWTABLE_HANDLE]) {
8804 attr = nla[NFTA_FLOWTABLE_HANDLE];
8805 flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
8806 } else {
8807 attr = nla[NFTA_FLOWTABLE_NAME];
8808 flowtable = nft_flowtable_lookup(table, attr, genmask);
8809 }
8810
8811 if (IS_ERR(flowtable)) {
8812 if (PTR_ERR(flowtable) == -ENOENT &&
8813 NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYFLOWTABLE)
8814 return 0;
8815
8816 NL_SET_BAD_ATTR(extack, attr);
8817 return PTR_ERR(flowtable);
8818 }
8819
8820 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
8821
8822 if (nla[NFTA_FLOWTABLE_HOOK])
8823 return nft_delflowtable_hook(&ctx, flowtable, extack);
8824
8825 if (flowtable->use > 0) {
8826 NL_SET_BAD_ATTR(extack, attr);
8827 return -EBUSY;
8828 }
8829
8830 return nft_delflowtable(&ctx, flowtable);
8831 }
8832
nf_tables_fill_flowtable_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq,int event,u32 flags,int family,struct nft_flowtable * flowtable,struct list_head * hook_list)8833 static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
8834 u32 portid, u32 seq, int event,
8835 u32 flags, int family,
8836 struct nft_flowtable *flowtable,
8837 struct list_head *hook_list)
8838 {
8839 struct nlattr *nest, *nest_devs;
8840 struct nft_hook *hook;
8841 struct nlmsghdr *nlh;
8842
8843 event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event);
8844 nlh = nfnl_msg_put(skb, portid, seq, event, flags, family,
8845 NFNETLINK_V0, nft_base_seq(net));
8846 if (!nlh)
8847 goto nla_put_failure;
8848
8849 if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
8850 nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
8851 nla_put_be64(skb, NFTA_FLOWTABLE_HANDLE, cpu_to_be64(flowtable->handle),
8852 NFTA_FLOWTABLE_PAD))
8853 goto nla_put_failure;
8854
8855 if (event == NFT_MSG_DELFLOWTABLE && !hook_list) {
8856 nlmsg_end(skb, nlh);
8857 return 0;
8858 }
8859
8860 if (nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) ||
8861 nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags)))
8862 goto nla_put_failure;
8863
8864 nest = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK);
8865 if (!nest)
8866 goto nla_put_failure;
8867 if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
8868 nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->data.priority)))
8869 goto nla_put_failure;
8870
8871 nest_devs = nla_nest_start_noflag(skb, NFTA_FLOWTABLE_HOOK_DEVS);
8872 if (!nest_devs)
8873 goto nla_put_failure;
8874
8875 if (!hook_list)
8876 hook_list = &flowtable->hook_list;
8877
8878 list_for_each_entry_rcu(hook, hook_list, list) {
8879 if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
8880 goto nla_put_failure;
8881 }
8882 nla_nest_end(skb, nest_devs);
8883 nla_nest_end(skb, nest);
8884
8885 nlmsg_end(skb, nlh);
8886 return 0;
8887
8888 nla_put_failure:
8889 nlmsg_trim(skb, nlh);
8890 return -1;
8891 }
8892
8893 struct nft_flowtable_filter {
8894 char *table;
8895 };
8896
nf_tables_dump_flowtable(struct sk_buff * skb,struct netlink_callback * cb)8897 static int nf_tables_dump_flowtable(struct sk_buff *skb,
8898 struct netlink_callback *cb)
8899 {
8900 const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
8901 struct nft_flowtable_filter *filter = cb->data;
8902 unsigned int idx = 0, s_idx = cb->args[0];
8903 struct net *net = sock_net(skb->sk);
8904 int family = nfmsg->nfgen_family;
8905 struct nft_flowtable *flowtable;
8906 struct nftables_pernet *nft_net;
8907 const struct nft_table *table;
8908
8909 rcu_read_lock();
8910 nft_net = nft_pernet(net);
8911 cb->seq = READ_ONCE(nft_net->base_seq);
8912
8913 list_for_each_entry_rcu(table, &nft_net->tables, list) {
8914 if (family != NFPROTO_UNSPEC && family != table->family)
8915 continue;
8916
8917 list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
8918 if (!nft_is_active(net, flowtable))
8919 goto cont;
8920 if (idx < s_idx)
8921 goto cont;
8922 if (idx > s_idx)
8923 memset(&cb->args[1], 0,
8924 sizeof(cb->args) - sizeof(cb->args[0]));
8925 if (filter && filter->table &&
8926 strcmp(filter->table, table->name))
8927 goto cont;
8928
8929 if (nf_tables_fill_flowtable_info(skb, net, NETLINK_CB(cb->skb).portid,
8930 cb->nlh->nlmsg_seq,
8931 NFT_MSG_NEWFLOWTABLE,
8932 NLM_F_MULTI | NLM_F_APPEND,
8933 table->family,
8934 flowtable, NULL) < 0)
8935 goto done;
8936
8937 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
8938 cont:
8939 idx++;
8940 }
8941 }
8942 done:
8943 rcu_read_unlock();
8944
8945 cb->args[0] = idx;
8946 return skb->len;
8947 }
8948
nf_tables_dump_flowtable_start(struct netlink_callback * cb)8949 static int nf_tables_dump_flowtable_start(struct netlink_callback *cb)
8950 {
8951 const struct nlattr * const *nla = cb->data;
8952 struct nft_flowtable_filter *filter = NULL;
8953
8954 if (nla[NFTA_FLOWTABLE_TABLE]) {
8955 filter = kzalloc(sizeof(*filter), GFP_ATOMIC);
8956 if (!filter)
8957 return -ENOMEM;
8958
8959 filter->table = nla_strdup(nla[NFTA_FLOWTABLE_TABLE],
8960 GFP_ATOMIC);
8961 if (!filter->table) {
8962 kfree(filter);
8963 return -ENOMEM;
8964 }
8965 }
8966
8967 cb->data = filter;
8968 return 0;
8969 }
8970
nf_tables_dump_flowtable_done(struct netlink_callback * cb)8971 static int nf_tables_dump_flowtable_done(struct netlink_callback *cb)
8972 {
8973 struct nft_flowtable_filter *filter = cb->data;
8974
8975 if (!filter)
8976 return 0;
8977
8978 kfree(filter->table);
8979 kfree(filter);
8980
8981 return 0;
8982 }
8983
8984 /* called with rcu_read_lock held */
nf_tables_getflowtable(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])8985 static int nf_tables_getflowtable(struct sk_buff *skb,
8986 const struct nfnl_info *info,
8987 const struct nlattr * const nla[])
8988 {
8989 u8 genmask = nft_genmask_cur(info->net);
8990 u8 family = info->nfmsg->nfgen_family;
8991 struct nft_flowtable *flowtable;
8992 const struct nft_table *table;
8993 struct net *net = info->net;
8994 struct sk_buff *skb2;
8995 int err;
8996
8997 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
8998 struct netlink_dump_control c = {
8999 .start = nf_tables_dump_flowtable_start,
9000 .dump = nf_tables_dump_flowtable,
9001 .done = nf_tables_dump_flowtable_done,
9002 .module = THIS_MODULE,
9003 .data = (void *)nla,
9004 };
9005
9006 return nft_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c);
9007 }
9008
9009 if (!nla[NFTA_FLOWTABLE_NAME])
9010 return -EINVAL;
9011
9012 table = nft_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE], family,
9013 genmask, 0);
9014 if (IS_ERR(table))
9015 return PTR_ERR(table);
9016
9017 flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
9018 genmask);
9019 if (IS_ERR(flowtable))
9020 return PTR_ERR(flowtable);
9021
9022 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
9023 if (!skb2)
9024 return -ENOMEM;
9025
9026 err = nf_tables_fill_flowtable_info(skb2, net, NETLINK_CB(skb).portid,
9027 info->nlh->nlmsg_seq,
9028 NFT_MSG_NEWFLOWTABLE, 0, family,
9029 flowtable, NULL);
9030 if (err < 0)
9031 goto err_fill_flowtable_info;
9032
9033 return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
9034
9035 err_fill_flowtable_info:
9036 kfree_skb(skb2);
9037 return err;
9038 }
9039
nf_tables_flowtable_notify(struct nft_ctx * ctx,struct nft_flowtable * flowtable,struct list_head * hook_list,int event)9040 static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
9041 struct nft_flowtable *flowtable,
9042 struct list_head *hook_list, int event)
9043 {
9044 struct nftables_pernet *nft_net = nft_pernet(ctx->net);
9045 struct sk_buff *skb;
9046 u16 flags = 0;
9047 int err;
9048
9049 if (!ctx->report &&
9050 !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
9051 return;
9052
9053 skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
9054 if (skb == NULL)
9055 goto err;
9056
9057 if (ctx->flags & (NLM_F_CREATE | NLM_F_EXCL))
9058 flags |= ctx->flags & (NLM_F_CREATE | NLM_F_EXCL);
9059
9060 err = nf_tables_fill_flowtable_info(skb, ctx->net, ctx->portid,
9061 ctx->seq, event, flags,
9062 ctx->family, flowtable, hook_list);
9063 if (err < 0) {
9064 kfree_skb(skb);
9065 goto err;
9066 }
9067
9068 nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list);
9069 return;
9070 err:
9071 nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS);
9072 }
9073
nf_tables_flowtable_destroy(struct nft_flowtable * flowtable)9074 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
9075 {
9076 struct nft_hook *hook, *next;
9077
9078 flowtable->data.type->free(&flowtable->data);
9079 list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
9080 list_del_rcu(&hook->list);
9081 kfree_rcu(hook, rcu);
9082 }
9083 kfree(flowtable->name);
9084 module_put(flowtable->data.type->owner);
9085 kfree(flowtable);
9086 }
9087
nf_tables_fill_gen_info(struct sk_buff * skb,struct net * net,u32 portid,u32 seq)9088 static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net,
9089 u32 portid, u32 seq)
9090 {
9091 struct nftables_pernet *nft_net = nft_pernet(net);
9092 struct nlmsghdr *nlh;
9093 char buf[TASK_COMM_LEN];
9094 int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN);
9095
9096 nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC,
9097 NFNETLINK_V0, nft_base_seq(net));
9098 if (!nlh)
9099 goto nla_put_failure;
9100
9101 if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) ||
9102 nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
9103 nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current)))
9104 goto nla_put_failure;
9105
9106 nlmsg_end(skb, nlh);
9107 return 0;
9108
9109 nla_put_failure:
9110 nlmsg_trim(skb, nlh);
9111 return -EMSGSIZE;
9112 }
9113
nft_flowtable_event(unsigned long event,struct net_device * dev,struct nft_flowtable * flowtable)9114 static void nft_flowtable_event(unsigned long event, struct net_device *dev,
9115 struct nft_flowtable *flowtable)
9116 {
9117 struct nft_hook *hook;
9118
9119 list_for_each_entry(hook, &flowtable->hook_list, list) {
9120 if (hook->ops.dev != dev)
9121 continue;
9122
9123 /* flow_offload_netdev_event() cleans up entries for us. */
9124 nft_unregister_flowtable_hook(dev_net(dev), flowtable, hook);
9125 list_del_rcu(&hook->list);
9126 kfree_rcu(hook, rcu);
9127 break;
9128 }
9129 }
9130
nf_tables_flowtable_event(struct notifier_block * this,unsigned long event,void * ptr)9131 static int nf_tables_flowtable_event(struct notifier_block *this,
9132 unsigned long event, void *ptr)
9133 {
9134 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
9135 struct nft_flowtable *flowtable;
9136 struct nftables_pernet *nft_net;
9137 struct nft_table *table;
9138 struct net *net;
9139
9140 if (event != NETDEV_UNREGISTER)
9141 return 0;
9142
9143 net = dev_net(dev);
9144 nft_net = nft_pernet(net);
9145 mutex_lock(&nft_net->commit_mutex);
9146 list_for_each_entry(table, &nft_net->tables, list) {
9147 list_for_each_entry(flowtable, &table->flowtables, list) {
9148 nft_flowtable_event(event, dev, flowtable);
9149 }
9150 }
9151 mutex_unlock(&nft_net->commit_mutex);
9152
9153 return NOTIFY_DONE;
9154 }
9155
9156 static struct notifier_block nf_tables_flowtable_notifier = {
9157 .notifier_call = nf_tables_flowtable_event,
9158 };
9159
nf_tables_gen_notify(struct net * net,struct sk_buff * skb,int event)9160 static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
9161 int event)
9162 {
9163 struct nlmsghdr *nlh = nlmsg_hdr(skb);
9164 struct sk_buff *skb2;
9165 int err;
9166
9167 if (!nlmsg_report(nlh) &&
9168 !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
9169 return;
9170
9171 skb2 = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
9172 if (skb2 == NULL)
9173 goto err;
9174
9175 err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
9176 nlh->nlmsg_seq);
9177 if (err < 0) {
9178 kfree_skb(skb2);
9179 goto err;
9180 }
9181
9182 nfnetlink_send(skb2, net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
9183 nlmsg_report(nlh), GFP_KERNEL);
9184 return;
9185 err:
9186 nfnetlink_set_err(net, NETLINK_CB(skb).portid, NFNLGRP_NFTABLES,
9187 -ENOBUFS);
9188 }
9189
nf_tables_getgen(struct sk_buff * skb,const struct nfnl_info * info,const struct nlattr * const nla[])9190 static int nf_tables_getgen(struct sk_buff *skb, const struct nfnl_info *info,
9191 const struct nlattr * const nla[])
9192 {
9193 struct sk_buff *skb2;
9194 int err;
9195
9196 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
9197 if (skb2 == NULL)
9198 return -ENOMEM;
9199
9200 err = nf_tables_fill_gen_info(skb2, info->net, NETLINK_CB(skb).portid,
9201 info->nlh->nlmsg_seq);
9202 if (err < 0)
9203 goto err_fill_gen_info;
9204
9205 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
9206
9207 err_fill_gen_info:
9208 kfree_skb(skb2);
9209 return err;
9210 }
9211
9212 static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
9213 [NFT_MSG_NEWTABLE] = {
9214 .call = nf_tables_newtable,
9215 .type = NFNL_CB_BATCH,
9216 .attr_count = NFTA_TABLE_MAX,
9217 .policy = nft_table_policy,
9218 },
9219 [NFT_MSG_GETTABLE] = {
9220 .call = nf_tables_gettable,
9221 .type = NFNL_CB_RCU,
9222 .attr_count = NFTA_TABLE_MAX,
9223 .policy = nft_table_policy,
9224 },
9225 [NFT_MSG_DELTABLE] = {
9226 .call = nf_tables_deltable,
9227 .type = NFNL_CB_BATCH,
9228 .attr_count = NFTA_TABLE_MAX,
9229 .policy = nft_table_policy,
9230 },
9231 [NFT_MSG_DESTROYTABLE] = {
9232 .call = nf_tables_deltable,
9233 .type = NFNL_CB_BATCH,
9234 .attr_count = NFTA_TABLE_MAX,
9235 .policy = nft_table_policy,
9236 },
9237 [NFT_MSG_NEWCHAIN] = {
9238 .call = nf_tables_newchain,
9239 .type = NFNL_CB_BATCH,
9240 .attr_count = NFTA_CHAIN_MAX,
9241 .policy = nft_chain_policy,
9242 },
9243 [NFT_MSG_GETCHAIN] = {
9244 .call = nf_tables_getchain,
9245 .type = NFNL_CB_RCU,
9246 .attr_count = NFTA_CHAIN_MAX,
9247 .policy = nft_chain_policy,
9248 },
9249 [NFT_MSG_DELCHAIN] = {
9250 .call = nf_tables_delchain,
9251 .type = NFNL_CB_BATCH,
9252 .attr_count = NFTA_CHAIN_MAX,
9253 .policy = nft_chain_policy,
9254 },
9255 [NFT_MSG_DESTROYCHAIN] = {
9256 .call = nf_tables_delchain,
9257 .type = NFNL_CB_BATCH,
9258 .attr_count = NFTA_CHAIN_MAX,
9259 .policy = nft_chain_policy,
9260 },
9261 [NFT_MSG_NEWRULE] = {
9262 .call = nf_tables_newrule,
9263 .type = NFNL_CB_BATCH,
9264 .attr_count = NFTA_RULE_MAX,
9265 .policy = nft_rule_policy,
9266 },
9267 [NFT_MSG_GETRULE] = {
9268 .call = nf_tables_getrule,
9269 .type = NFNL_CB_RCU,
9270 .attr_count = NFTA_RULE_MAX,
9271 .policy = nft_rule_policy,
9272 },
9273 [NFT_MSG_GETRULE_RESET] = {
9274 .call = nf_tables_getrule,
9275 .type = NFNL_CB_RCU,
9276 .attr_count = NFTA_RULE_MAX,
9277 .policy = nft_rule_policy,
9278 },
9279 [NFT_MSG_DELRULE] = {
9280 .call = nf_tables_delrule,
9281 .type = NFNL_CB_BATCH,
9282 .attr_count = NFTA_RULE_MAX,
9283 .policy = nft_rule_policy,
9284 },
9285 [NFT_MSG_DESTROYRULE] = {
9286 .call = nf_tables_delrule,
9287 .type = NFNL_CB_BATCH,
9288 .attr_count = NFTA_RULE_MAX,
9289 .policy = nft_rule_policy,
9290 },
9291 [NFT_MSG_NEWSET] = {
9292 .call = nf_tables_newset,
9293 .type = NFNL_CB_BATCH,
9294 .attr_count = NFTA_SET_MAX,
9295 .policy = nft_set_policy,
9296 },
9297 [NFT_MSG_GETSET] = {
9298 .call = nf_tables_getset,
9299 .type = NFNL_CB_RCU,
9300 .attr_count = NFTA_SET_MAX,
9301 .policy = nft_set_policy,
9302 },
9303 [NFT_MSG_DELSET] = {
9304 .call = nf_tables_delset,
9305 .type = NFNL_CB_BATCH,
9306 .attr_count = NFTA_SET_MAX,
9307 .policy = nft_set_policy,
9308 },
9309 [NFT_MSG_DESTROYSET] = {
9310 .call = nf_tables_delset,
9311 .type = NFNL_CB_BATCH,
9312 .attr_count = NFTA_SET_MAX,
9313 .policy = nft_set_policy,
9314 },
9315 [NFT_MSG_NEWSETELEM] = {
9316 .call = nf_tables_newsetelem,
9317 .type = NFNL_CB_BATCH,
9318 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9319 .policy = nft_set_elem_list_policy,
9320 },
9321 [NFT_MSG_GETSETELEM] = {
9322 .call = nf_tables_getsetelem,
9323 .type = NFNL_CB_RCU,
9324 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9325 .policy = nft_set_elem_list_policy,
9326 },
9327 [NFT_MSG_GETSETELEM_RESET] = {
9328 .call = nf_tables_getsetelem,
9329 .type = NFNL_CB_RCU,
9330 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9331 .policy = nft_set_elem_list_policy,
9332 },
9333 [NFT_MSG_DELSETELEM] = {
9334 .call = nf_tables_delsetelem,
9335 .type = NFNL_CB_BATCH,
9336 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9337 .policy = nft_set_elem_list_policy,
9338 },
9339 [NFT_MSG_DESTROYSETELEM] = {
9340 .call = nf_tables_delsetelem,
9341 .type = NFNL_CB_BATCH,
9342 .attr_count = NFTA_SET_ELEM_LIST_MAX,
9343 .policy = nft_set_elem_list_policy,
9344 },
9345 [NFT_MSG_GETGEN] = {
9346 .call = nf_tables_getgen,
9347 .type = NFNL_CB_RCU,
9348 },
9349 [NFT_MSG_NEWOBJ] = {
9350 .call = nf_tables_newobj,
9351 .type = NFNL_CB_BATCH,
9352 .attr_count = NFTA_OBJ_MAX,
9353 .policy = nft_obj_policy,
9354 },
9355 [NFT_MSG_GETOBJ] = {
9356 .call = nf_tables_getobj,
9357 .type = NFNL_CB_RCU,
9358 .attr_count = NFTA_OBJ_MAX,
9359 .policy = nft_obj_policy,
9360 },
9361 [NFT_MSG_DELOBJ] = {
9362 .call = nf_tables_delobj,
9363 .type = NFNL_CB_BATCH,
9364 .attr_count = NFTA_OBJ_MAX,
9365 .policy = nft_obj_policy,
9366 },
9367 [NFT_MSG_DESTROYOBJ] = {
9368 .call = nf_tables_delobj,
9369 .type = NFNL_CB_BATCH,
9370 .attr_count = NFTA_OBJ_MAX,
9371 .policy = nft_obj_policy,
9372 },
9373 [NFT_MSG_GETOBJ_RESET] = {
9374 .call = nf_tables_getobj_reset,
9375 .type = NFNL_CB_RCU,
9376 .attr_count = NFTA_OBJ_MAX,
9377 .policy = nft_obj_policy,
9378 },
9379 [NFT_MSG_NEWFLOWTABLE] = {
9380 .call = nf_tables_newflowtable,
9381 .type = NFNL_CB_BATCH,
9382 .attr_count = NFTA_FLOWTABLE_MAX,
9383 .policy = nft_flowtable_policy,
9384 },
9385 [NFT_MSG_GETFLOWTABLE] = {
9386 .call = nf_tables_getflowtable,
9387 .type = NFNL_CB_RCU,
9388 .attr_count = NFTA_FLOWTABLE_MAX,
9389 .policy = nft_flowtable_policy,
9390 },
9391 [NFT_MSG_DELFLOWTABLE] = {
9392 .call = nf_tables_delflowtable,
9393 .type = NFNL_CB_BATCH,
9394 .attr_count = NFTA_FLOWTABLE_MAX,
9395 .policy = nft_flowtable_policy,
9396 },
9397 [NFT_MSG_DESTROYFLOWTABLE] = {
9398 .call = nf_tables_delflowtable,
9399 .type = NFNL_CB_BATCH,
9400 .attr_count = NFTA_FLOWTABLE_MAX,
9401 .policy = nft_flowtable_policy,
9402 },
9403 };
9404
nf_tables_validate(struct net * net)9405 static int nf_tables_validate(struct net *net)
9406 {
9407 struct nftables_pernet *nft_net = nft_pernet(net);
9408 struct nft_table *table;
9409
9410 list_for_each_entry(table, &nft_net->tables, list) {
9411 switch (table->validate_state) {
9412 case NFT_VALIDATE_SKIP:
9413 continue;
9414 case NFT_VALIDATE_NEED:
9415 nft_validate_state_update(table, NFT_VALIDATE_DO);
9416 fallthrough;
9417 case NFT_VALIDATE_DO:
9418 if (nft_table_validate(net, table) < 0)
9419 return -EAGAIN;
9420
9421 nft_validate_state_update(table, NFT_VALIDATE_SKIP);
9422 break;
9423 }
9424 }
9425
9426 return 0;
9427 }
9428
9429 /* a drop policy has to be deferred until all rules have been activated,
9430 * otherwise a large ruleset that contains a drop-policy base chain will
9431 * cause all packets to get dropped until the full transaction has been
9432 * processed.
9433 *
9434 * We defer the drop policy until the transaction has been finalized.
9435 */
nft_chain_commit_drop_policy(struct nft_trans * trans)9436 static void nft_chain_commit_drop_policy(struct nft_trans *trans)
9437 {
9438 struct nft_base_chain *basechain;
9439
9440 if (nft_trans_chain_policy(trans) != NF_DROP)
9441 return;
9442
9443 if (!nft_is_base_chain(trans->ctx.chain))
9444 return;
9445
9446 basechain = nft_base_chain(trans->ctx.chain);
9447 basechain->policy = NF_DROP;
9448 }
9449
nft_chain_commit_update(struct nft_trans * trans)9450 static void nft_chain_commit_update(struct nft_trans *trans)
9451 {
9452 struct nft_base_chain *basechain;
9453
9454 if (nft_trans_chain_name(trans)) {
9455 rhltable_remove(&trans->ctx.table->chains_ht,
9456 &trans->ctx.chain->rhlhead,
9457 nft_chain_ht_params);
9458 swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
9459 rhltable_insert_key(&trans->ctx.table->chains_ht,
9460 trans->ctx.chain->name,
9461 &trans->ctx.chain->rhlhead,
9462 nft_chain_ht_params);
9463 }
9464
9465 if (!nft_is_base_chain(trans->ctx.chain))
9466 return;
9467
9468 nft_chain_stats_replace(trans);
9469
9470 basechain = nft_base_chain(trans->ctx.chain);
9471
9472 switch (nft_trans_chain_policy(trans)) {
9473 case NF_DROP:
9474 case NF_ACCEPT:
9475 basechain->policy = nft_trans_chain_policy(trans);
9476 break;
9477 }
9478 }
9479
nft_obj_commit_update(struct nft_trans * trans)9480 static void nft_obj_commit_update(struct nft_trans *trans)
9481 {
9482 struct nft_object *newobj;
9483 struct nft_object *obj;
9484
9485 obj = nft_trans_obj(trans);
9486 newobj = nft_trans_obj_newobj(trans);
9487
9488 if (WARN_ON_ONCE(!obj->ops->update))
9489 return;
9490
9491 obj->ops->update(obj, newobj);
9492 nft_obj_destroy(&trans->ctx, newobj);
9493 }
9494
nft_commit_release(struct nft_trans * trans)9495 static void nft_commit_release(struct nft_trans *trans)
9496 {
9497 switch (trans->msg_type) {
9498 case NFT_MSG_DELTABLE:
9499 case NFT_MSG_DESTROYTABLE:
9500 nf_tables_table_destroy(&trans->ctx);
9501 break;
9502 case NFT_MSG_NEWCHAIN:
9503 free_percpu(nft_trans_chain_stats(trans));
9504 kfree(nft_trans_chain_name(trans));
9505 break;
9506 case NFT_MSG_DELCHAIN:
9507 case NFT_MSG_DESTROYCHAIN:
9508 if (nft_trans_chain_update(trans))
9509 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
9510 else
9511 nf_tables_chain_destroy(nft_trans_chain(trans));
9512 break;
9513 case NFT_MSG_DELRULE:
9514 case NFT_MSG_DESTROYRULE:
9515 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
9516 break;
9517 case NFT_MSG_DELSET:
9518 case NFT_MSG_DESTROYSET:
9519 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
9520 break;
9521 case NFT_MSG_DELSETELEM:
9522 case NFT_MSG_DESTROYSETELEM:
9523 nf_tables_set_elem_destroy(&trans->ctx,
9524 nft_trans_elem_set(trans),
9525 nft_trans_elem(trans).priv);
9526 break;
9527 case NFT_MSG_DELOBJ:
9528 case NFT_MSG_DESTROYOBJ:
9529 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
9530 break;
9531 case NFT_MSG_DELFLOWTABLE:
9532 case NFT_MSG_DESTROYFLOWTABLE:
9533 if (nft_trans_flowtable_update(trans))
9534 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
9535 else
9536 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
9537 break;
9538 }
9539
9540 if (trans->put_net)
9541 put_net(trans->ctx.net);
9542
9543 kfree(trans);
9544 }
9545
nf_tables_trans_destroy_work(struct work_struct * w)9546 static void nf_tables_trans_destroy_work(struct work_struct *w)
9547 {
9548 struct nft_trans *trans, *next;
9549 LIST_HEAD(head);
9550
9551 spin_lock(&nf_tables_destroy_list_lock);
9552 list_splice_init(&nf_tables_destroy_list, &head);
9553 spin_unlock(&nf_tables_destroy_list_lock);
9554
9555 if (list_empty(&head))
9556 return;
9557
9558 synchronize_rcu();
9559
9560 list_for_each_entry_safe(trans, next, &head, list) {
9561 nft_trans_list_del(trans);
9562 nft_commit_release(trans);
9563 }
9564 }
9565
nf_tables_trans_destroy_flush_work(void)9566 void nf_tables_trans_destroy_flush_work(void)
9567 {
9568 flush_work(&trans_destroy_work);
9569 }
9570 EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
9571
nft_expr_reduce(struct nft_regs_track * track,const struct nft_expr * expr)9572 static bool nft_expr_reduce(struct nft_regs_track *track,
9573 const struct nft_expr *expr)
9574 {
9575 return false;
9576 }
9577
nf_tables_commit_chain_prepare(struct net * net,struct nft_chain * chain)9578 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
9579 {
9580 const struct nft_expr *expr, *last;
9581 struct nft_regs_track track = {};
9582 unsigned int size, data_size;
9583 void *data, *data_boundary;
9584 struct nft_rule_dp *prule;
9585 struct nft_rule *rule;
9586
9587 /* already handled or inactive chain? */
9588 if (chain->blob_next || !nft_is_active_next(net, chain))
9589 return 0;
9590
9591 data_size = 0;
9592 list_for_each_entry(rule, &chain->rules, list) {
9593 if (nft_is_active_next(net, rule)) {
9594 data_size += sizeof(*prule) + rule->dlen;
9595 if (data_size > INT_MAX)
9596 return -ENOMEM;
9597 }
9598 }
9599
9600 chain->blob_next = nf_tables_chain_alloc_rules(chain, data_size);
9601 if (!chain->blob_next)
9602 return -ENOMEM;
9603
9604 data = (void *)chain->blob_next->data;
9605 data_boundary = data + data_size;
9606 size = 0;
9607
9608 list_for_each_entry(rule, &chain->rules, list) {
9609 if (!nft_is_active_next(net, rule))
9610 continue;
9611
9612 prule = (struct nft_rule_dp *)data;
9613 data += offsetof(struct nft_rule_dp, data);
9614 if (WARN_ON_ONCE(data > data_boundary))
9615 return -ENOMEM;
9616
9617 size = 0;
9618 track.last = nft_expr_last(rule);
9619 nft_rule_for_each_expr(expr, last, rule) {
9620 track.cur = expr;
9621
9622 if (nft_expr_reduce(&track, expr)) {
9623 expr = track.cur;
9624 continue;
9625 }
9626
9627 if (WARN_ON_ONCE(data + size + expr->ops->size > data_boundary))
9628 return -ENOMEM;
9629
9630 memcpy(data + size, expr, expr->ops->size);
9631 size += expr->ops->size;
9632 }
9633 if (WARN_ON_ONCE(size >= 1 << 12))
9634 return -ENOMEM;
9635
9636 prule->handle = rule->handle;
9637 prule->dlen = size;
9638 prule->is_last = 0;
9639
9640 data += size;
9641 size = 0;
9642 chain->blob_next->size += (unsigned long)(data - (void *)prule);
9643 }
9644
9645 if (WARN_ON_ONCE(data > data_boundary))
9646 return -ENOMEM;
9647
9648 prule = (struct nft_rule_dp *)data;
9649 nft_last_rule(chain, prule);
9650
9651 return 0;
9652 }
9653
nf_tables_commit_chain_prepare_cancel(struct net * net)9654 static void nf_tables_commit_chain_prepare_cancel(struct net *net)
9655 {
9656 struct nftables_pernet *nft_net = nft_pernet(net);
9657 struct nft_trans *trans, *next;
9658
9659 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
9660 struct nft_chain *chain = trans->ctx.chain;
9661
9662 if (trans->msg_type == NFT_MSG_NEWRULE ||
9663 trans->msg_type == NFT_MSG_DELRULE) {
9664 kvfree(chain->blob_next);
9665 chain->blob_next = NULL;
9666 }
9667 }
9668 }
9669
__nf_tables_commit_chain_free_rules(struct rcu_head * h)9670 static void __nf_tables_commit_chain_free_rules(struct rcu_head *h)
9671 {
9672 struct nft_rule_dp_last *l = container_of(h, struct nft_rule_dp_last, h);
9673
9674 kvfree(l->blob);
9675 }
9676
nf_tables_commit_chain_free_rules_old(struct nft_rule_blob * blob)9677 static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob)
9678 {
9679 struct nft_rule_dp_last *last;
9680
9681 /* last rule trailer is after end marker */
9682 last = (void *)blob + sizeof(*blob) + blob->size;
9683 last->blob = blob;
9684
9685 call_rcu(&last->h, __nf_tables_commit_chain_free_rules);
9686 }
9687
nf_tables_commit_chain(struct net * net,struct nft_chain * chain)9688 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)
9689 {
9690 struct nft_rule_blob *g0, *g1;
9691 bool next_genbit;
9692
9693 next_genbit = nft_gencursor_next(net);
9694
9695 g0 = rcu_dereference_protected(chain->blob_gen_0,
9696 lockdep_commit_lock_is_held(net));
9697 g1 = rcu_dereference_protected(chain->blob_gen_1,
9698 lockdep_commit_lock_is_held(net));
9699
9700 /* No changes to this chain? */
9701 if (chain->blob_next == NULL) {
9702 /* chain had no change in last or next generation */
9703 if (g0 == g1)
9704 return;
9705 /*
9706 * chain had no change in this generation; make sure next
9707 * one uses same rules as current generation.
9708 */
9709 if (next_genbit) {
9710 rcu_assign_pointer(chain->blob_gen_1, g0);
9711 nf_tables_commit_chain_free_rules_old(g1);
9712 } else {
9713 rcu_assign_pointer(chain->blob_gen_0, g1);
9714 nf_tables_commit_chain_free_rules_old(g0);
9715 }
9716
9717 return;
9718 }
9719
9720 if (next_genbit)
9721 rcu_assign_pointer(chain->blob_gen_1, chain->blob_next);
9722 else
9723 rcu_assign_pointer(chain->blob_gen_0, chain->blob_next);
9724
9725 chain->blob_next = NULL;
9726
9727 if (g0 == g1)
9728 return;
9729
9730 if (next_genbit)
9731 nf_tables_commit_chain_free_rules_old(g1);
9732 else
9733 nf_tables_commit_chain_free_rules_old(g0);
9734 }
9735
nft_obj_del(struct nft_object * obj)9736 static void nft_obj_del(struct nft_object *obj)
9737 {
9738 rhltable_remove(&nft_objname_ht, &obj->rhlhead, nft_objname_ht_params);
9739 list_del_rcu(&obj->list);
9740 }
9741
nft_chain_del(struct nft_chain * chain)9742 void nft_chain_del(struct nft_chain *chain)
9743 {
9744 struct nft_table *table = chain->table;
9745
9746 WARN_ON_ONCE(rhltable_remove(&table->chains_ht, &chain->rhlhead,
9747 nft_chain_ht_params));
9748 list_del_rcu(&chain->list);
9749 }
9750
nft_trans_gc_setelem_remove(struct nft_ctx * ctx,struct nft_trans_gc * trans)9751 static void nft_trans_gc_setelem_remove(struct nft_ctx *ctx,
9752 struct nft_trans_gc *trans)
9753 {
9754 void **priv = trans->priv;
9755 unsigned int i;
9756
9757 for (i = 0; i < trans->count; i++) {
9758 struct nft_set_elem elem = {
9759 .priv = priv[i],
9760 };
9761
9762 nft_setelem_data_deactivate(ctx->net, trans->set, &elem);
9763 nft_setelem_remove(ctx->net, trans->set, &elem);
9764 }
9765 }
9766
nft_trans_gc_destroy(struct nft_trans_gc * trans)9767 void nft_trans_gc_destroy(struct nft_trans_gc *trans)
9768 {
9769 nft_set_put(trans->set);
9770 put_net(trans->net);
9771 kfree(trans);
9772 }
9773
nft_trans_gc_trans_free(struct rcu_head * rcu)9774 static void nft_trans_gc_trans_free(struct rcu_head *rcu)
9775 {
9776 struct nft_set_elem elem = {};
9777 struct nft_trans_gc *trans;
9778 struct nft_ctx ctx = {};
9779 unsigned int i;
9780
9781 trans = container_of(rcu, struct nft_trans_gc, rcu);
9782 ctx.net = read_pnet(&trans->set->net);
9783
9784 for (i = 0; i < trans->count; i++) {
9785 elem.priv = trans->priv[i];
9786 if (!nft_setelem_is_catchall(trans->set, &elem))
9787 atomic_dec(&trans->set->nelems);
9788
9789 nf_tables_set_elem_destroy(&ctx, trans->set, elem.priv);
9790 }
9791
9792 nft_trans_gc_destroy(trans);
9793 }
9794
nft_trans_gc_work_done(struct nft_trans_gc * trans)9795 static bool nft_trans_gc_work_done(struct nft_trans_gc *trans)
9796 {
9797 struct nftables_pernet *nft_net;
9798 struct nft_ctx ctx = {};
9799
9800 nft_net = nft_pernet(trans->net);
9801
9802 mutex_lock(&nft_net->commit_mutex);
9803
9804 /* Check for race with transaction, otherwise this batch refers to
9805 * stale objects that might not be there anymore. Skip transaction if
9806 * set has been destroyed from control plane transaction in case gc
9807 * worker loses race.
9808 */
9809 if (READ_ONCE(nft_net->gc_seq) != trans->seq || trans->set->dead) {
9810 mutex_unlock(&nft_net->commit_mutex);
9811 return false;
9812 }
9813
9814 ctx.net = trans->net;
9815 ctx.table = trans->set->table;
9816
9817 nft_trans_gc_setelem_remove(&ctx, trans);
9818 mutex_unlock(&nft_net->commit_mutex);
9819
9820 return true;
9821 }
9822
nft_trans_gc_work(struct work_struct * work)9823 static void nft_trans_gc_work(struct work_struct *work)
9824 {
9825 struct nft_trans_gc *trans, *next;
9826 LIST_HEAD(trans_gc_list);
9827
9828 spin_lock(&nf_tables_gc_list_lock);
9829 list_splice_init(&nf_tables_gc_list, &trans_gc_list);
9830 spin_unlock(&nf_tables_gc_list_lock);
9831
9832 list_for_each_entry_safe(trans, next, &trans_gc_list, list) {
9833 list_del(&trans->list);
9834 if (!nft_trans_gc_work_done(trans)) {
9835 nft_trans_gc_destroy(trans);
9836 continue;
9837 }
9838 call_rcu(&trans->rcu, nft_trans_gc_trans_free);
9839 }
9840 }
9841
nft_trans_gc_alloc(struct nft_set * set,unsigned int gc_seq,gfp_t gfp)9842 struct nft_trans_gc *nft_trans_gc_alloc(struct nft_set *set,
9843 unsigned int gc_seq, gfp_t gfp)
9844 {
9845 struct net *net = read_pnet(&set->net);
9846 struct nft_trans_gc *trans;
9847
9848 trans = kzalloc(sizeof(*trans), gfp);
9849 if (!trans)
9850 return NULL;
9851
9852 trans->net = maybe_get_net(net);
9853 if (!trans->net) {
9854 kfree(trans);
9855 return NULL;
9856 }
9857
9858 refcount_inc(&set->refs);
9859 trans->set = set;
9860 trans->seq = gc_seq;
9861
9862 return trans;
9863 }
9864
nft_trans_gc_elem_add(struct nft_trans_gc * trans,void * priv)9865 void nft_trans_gc_elem_add(struct nft_trans_gc *trans, void *priv)
9866 {
9867 trans->priv[trans->count++] = priv;
9868 }
9869
nft_trans_gc_queue_work(struct nft_trans_gc * trans)9870 static void nft_trans_gc_queue_work(struct nft_trans_gc *trans)
9871 {
9872 spin_lock(&nf_tables_gc_list_lock);
9873 list_add_tail(&trans->list, &nf_tables_gc_list);
9874 spin_unlock(&nf_tables_gc_list_lock);
9875
9876 schedule_work(&trans_gc_work);
9877 }
9878
nft_trans_gc_space(struct nft_trans_gc * trans)9879 static int nft_trans_gc_space(struct nft_trans_gc *trans)
9880 {
9881 return NFT_TRANS_GC_BATCHCOUNT - trans->count;
9882 }
9883
nft_trans_gc_queue_async(struct nft_trans_gc * gc,unsigned int gc_seq,gfp_t gfp)9884 struct nft_trans_gc *nft_trans_gc_queue_async(struct nft_trans_gc *gc,
9885 unsigned int gc_seq, gfp_t gfp)
9886 {
9887 struct nft_set *set;
9888
9889 if (nft_trans_gc_space(gc))
9890 return gc;
9891
9892 set = gc->set;
9893 nft_trans_gc_queue_work(gc);
9894
9895 return nft_trans_gc_alloc(set, gc_seq, gfp);
9896 }
9897
nft_trans_gc_queue_async_done(struct nft_trans_gc * trans)9898 void nft_trans_gc_queue_async_done(struct nft_trans_gc *trans)
9899 {
9900 if (trans->count == 0) {
9901 nft_trans_gc_destroy(trans);
9902 return;
9903 }
9904
9905 nft_trans_gc_queue_work(trans);
9906 }
9907
nft_trans_gc_queue_sync(struct nft_trans_gc * gc,gfp_t gfp)9908 struct nft_trans_gc *nft_trans_gc_queue_sync(struct nft_trans_gc *gc, gfp_t gfp)
9909 {
9910 struct nft_set *set;
9911
9912 if (WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net)))
9913 return NULL;
9914
9915 if (nft_trans_gc_space(gc))
9916 return gc;
9917
9918 set = gc->set;
9919 call_rcu(&gc->rcu, nft_trans_gc_trans_free);
9920
9921 return nft_trans_gc_alloc(set, 0, gfp);
9922 }
9923
nft_trans_gc_queue_sync_done(struct nft_trans_gc * trans)9924 void nft_trans_gc_queue_sync_done(struct nft_trans_gc *trans)
9925 {
9926 WARN_ON_ONCE(!lockdep_commit_lock_is_held(trans->net));
9927
9928 if (trans->count == 0) {
9929 nft_trans_gc_destroy(trans);
9930 return;
9931 }
9932
9933 call_rcu(&trans->rcu, nft_trans_gc_trans_free);
9934 }
9935
nft_trans_gc_catchall_async(struct nft_trans_gc * gc,unsigned int gc_seq)9936 struct nft_trans_gc *nft_trans_gc_catchall_async(struct nft_trans_gc *gc,
9937 unsigned int gc_seq)
9938 {
9939 struct nft_set_elem_catchall *catchall;
9940 const struct nft_set *set = gc->set;
9941 struct nft_set_ext *ext;
9942
9943 list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
9944 ext = nft_set_elem_ext(set, catchall->elem);
9945
9946 if (!nft_set_elem_expired(ext))
9947 continue;
9948 if (nft_set_elem_is_dead(ext))
9949 goto dead_elem;
9950
9951 nft_set_elem_dead(ext);
9952 dead_elem:
9953 gc = nft_trans_gc_queue_async(gc, gc_seq, GFP_ATOMIC);
9954 if (!gc)
9955 return NULL;
9956
9957 nft_trans_gc_elem_add(gc, catchall->elem);
9958 }
9959
9960 return gc;
9961 }
9962
nft_trans_gc_catchall_sync(struct nft_trans_gc * gc)9963 struct nft_trans_gc *nft_trans_gc_catchall_sync(struct nft_trans_gc *gc)
9964 {
9965 struct nft_set_elem_catchall *catchall, *next;
9966 const struct nft_set *set = gc->set;
9967 struct nft_set_elem elem;
9968 struct nft_set_ext *ext;
9969
9970 WARN_ON_ONCE(!lockdep_commit_lock_is_held(gc->net));
9971
9972 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
9973 ext = nft_set_elem_ext(set, catchall->elem);
9974
9975 if (!nft_set_elem_expired(ext))
9976 continue;
9977
9978 gc = nft_trans_gc_queue_sync(gc, GFP_KERNEL);
9979 if (!gc)
9980 return NULL;
9981
9982 memset(&elem, 0, sizeof(elem));
9983 elem.priv = catchall->elem;
9984
9985 nft_setelem_data_deactivate(gc->net, gc->set, &elem);
9986 nft_setelem_catchall_destroy(catchall);
9987 nft_trans_gc_elem_add(gc, elem.priv);
9988 }
9989
9990 return gc;
9991 }
9992
nf_tables_module_autoload_cleanup(struct net * net)9993 static void nf_tables_module_autoload_cleanup(struct net *net)
9994 {
9995 struct nftables_pernet *nft_net = nft_pernet(net);
9996 struct nft_module_request *req, *next;
9997
9998 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
9999 list_for_each_entry_safe(req, next, &nft_net->module_list, list) {
10000 WARN_ON_ONCE(!req->done);
10001 list_del(&req->list);
10002 kfree(req);
10003 }
10004 }
10005
nf_tables_commit_release(struct net * net)10006 static void nf_tables_commit_release(struct net *net)
10007 {
10008 struct nftables_pernet *nft_net = nft_pernet(net);
10009 struct nft_trans *trans;
10010
10011 /* all side effects have to be made visible.
10012 * For example, if a chain named 'foo' has been deleted, a
10013 * new transaction must not find it anymore.
10014 *
10015 * Memory reclaim happens asynchronously from work queue
10016 * to prevent expensive synchronize_rcu() in commit phase.
10017 */
10018 if (list_empty(&nft_net->commit_list)) {
10019 nf_tables_module_autoload_cleanup(net);
10020 mutex_unlock(&nft_net->commit_mutex);
10021 return;
10022 }
10023
10024 trans = list_last_entry(&nft_net->commit_list,
10025 struct nft_trans, list);
10026 get_net(trans->ctx.net);
10027 WARN_ON_ONCE(trans->put_net);
10028
10029 trans->put_net = true;
10030 spin_lock(&nf_tables_destroy_list_lock);
10031 list_splice_tail_init(&nft_net->commit_list, &nf_tables_destroy_list);
10032 spin_unlock(&nf_tables_destroy_list_lock);
10033
10034 nf_tables_module_autoload_cleanup(net);
10035 schedule_work(&trans_destroy_work);
10036
10037 mutex_unlock(&nft_net->commit_mutex);
10038 }
10039
nft_commit_notify(struct net * net,u32 portid)10040 static void nft_commit_notify(struct net *net, u32 portid)
10041 {
10042 struct nftables_pernet *nft_net = nft_pernet(net);
10043 struct sk_buff *batch_skb = NULL, *nskb, *skb;
10044 unsigned char *data;
10045 int len;
10046
10047 list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) {
10048 if (!batch_skb) {
10049 new_batch:
10050 batch_skb = skb;
10051 len = NLMSG_GOODSIZE - skb->len;
10052 list_del(&skb->list);
10053 continue;
10054 }
10055 len -= skb->len;
10056 if (len > 0 && NFT_CB(skb).report == NFT_CB(batch_skb).report) {
10057 data = skb_put(batch_skb, skb->len);
10058 memcpy(data, skb->data, skb->len);
10059 list_del(&skb->list);
10060 kfree_skb(skb);
10061 continue;
10062 }
10063 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
10064 NFT_CB(batch_skb).report, GFP_KERNEL);
10065 goto new_batch;
10066 }
10067
10068 if (batch_skb) {
10069 nfnetlink_send(batch_skb, net, portid, NFNLGRP_NFTABLES,
10070 NFT_CB(batch_skb).report, GFP_KERNEL);
10071 }
10072
10073 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
10074 }
10075
nf_tables_commit_audit_alloc(struct list_head * adl,struct nft_table * table)10076 static int nf_tables_commit_audit_alloc(struct list_head *adl,
10077 struct nft_table *table)
10078 {
10079 struct nft_audit_data *adp;
10080
10081 list_for_each_entry(adp, adl, list) {
10082 if (adp->table == table)
10083 return 0;
10084 }
10085 adp = kzalloc(sizeof(*adp), GFP_KERNEL);
10086 if (!adp)
10087 return -ENOMEM;
10088 adp->table = table;
10089 list_add(&adp->list, adl);
10090 return 0;
10091 }
10092
nf_tables_commit_audit_free(struct list_head * adl)10093 static void nf_tables_commit_audit_free(struct list_head *adl)
10094 {
10095 struct nft_audit_data *adp, *adn;
10096
10097 list_for_each_entry_safe(adp, adn, adl, list) {
10098 list_del(&adp->list);
10099 kfree(adp);
10100 }
10101 }
10102
nf_tables_commit_audit_collect(struct list_head * adl,struct nft_table * table,u32 op)10103 static void nf_tables_commit_audit_collect(struct list_head *adl,
10104 struct nft_table *table, u32 op)
10105 {
10106 struct nft_audit_data *adp;
10107
10108 list_for_each_entry(adp, adl, list) {
10109 if (adp->table == table)
10110 goto found;
10111 }
10112 WARN_ONCE(1, "table=%s not expected in commit list", table->name);
10113 return;
10114 found:
10115 adp->entries++;
10116 if (!adp->op || adp->op > op)
10117 adp->op = op;
10118 }
10119
10120 #define AUNFTABLENAMELEN (NFT_TABLE_MAXNAMELEN + 22)
10121
nf_tables_commit_audit_log(struct list_head * adl,u32 generation)10122 static void nf_tables_commit_audit_log(struct list_head *adl, u32 generation)
10123 {
10124 struct nft_audit_data *adp, *adn;
10125 char aubuf[AUNFTABLENAMELEN];
10126
10127 list_for_each_entry_safe(adp, adn, adl, list) {
10128 snprintf(aubuf, AUNFTABLENAMELEN, "%s:%u", adp->table->name,
10129 generation);
10130 audit_log_nfcfg(aubuf, adp->table->family, adp->entries,
10131 nft2audit_op[adp->op], GFP_KERNEL);
10132 list_del(&adp->list);
10133 kfree(adp);
10134 }
10135 }
10136
nft_set_commit_update(struct list_head * set_update_list)10137 static void nft_set_commit_update(struct list_head *set_update_list)
10138 {
10139 struct nft_set *set, *next;
10140
10141 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
10142 list_del_init(&set->pending_update);
10143
10144 if (!set->ops->commit || set->dead)
10145 continue;
10146
10147 set->ops->commit(set);
10148 }
10149 }
10150
nft_gc_seq_begin(struct nftables_pernet * nft_net)10151 static unsigned int nft_gc_seq_begin(struct nftables_pernet *nft_net)
10152 {
10153 unsigned int gc_seq;
10154
10155 /* Bump gc counter, it becomes odd, this is the busy mark. */
10156 gc_seq = READ_ONCE(nft_net->gc_seq);
10157 WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
10158
10159 return gc_seq;
10160 }
10161
nft_gc_seq_end(struct nftables_pernet * nft_net,unsigned int gc_seq)10162 static void nft_gc_seq_end(struct nftables_pernet *nft_net, unsigned int gc_seq)
10163 {
10164 WRITE_ONCE(nft_net->gc_seq, ++gc_seq);
10165 }
10166
nf_tables_commit(struct net * net,struct sk_buff * skb)10167 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
10168 {
10169 struct nftables_pernet *nft_net = nft_pernet(net);
10170 struct nft_trans *trans, *next;
10171 unsigned int base_seq, gc_seq;
10172 LIST_HEAD(set_update_list);
10173 struct nft_trans_elem *te;
10174 struct nft_chain *chain;
10175 struct nft_table *table;
10176 LIST_HEAD(adl);
10177 int err;
10178
10179 if (list_empty(&nft_net->commit_list)) {
10180 mutex_unlock(&nft_net->commit_mutex);
10181 return 0;
10182 }
10183
10184 list_for_each_entry(trans, &nft_net->binding_list, binding_list) {
10185 switch (trans->msg_type) {
10186 case NFT_MSG_NEWSET:
10187 if (!nft_trans_set_update(trans) &&
10188 nft_set_is_anonymous(nft_trans_set(trans)) &&
10189 !nft_trans_set_bound(trans)) {
10190 pr_warn_once("nftables ruleset with unbound set\n");
10191 return -EINVAL;
10192 }
10193 break;
10194 case NFT_MSG_NEWCHAIN:
10195 if (!nft_trans_chain_update(trans) &&
10196 nft_chain_binding(nft_trans_chain(trans)) &&
10197 !nft_trans_chain_bound(trans)) {
10198 pr_warn_once("nftables ruleset with unbound chain\n");
10199 return -EINVAL;
10200 }
10201 break;
10202 }
10203 }
10204
10205 /* 0. Validate ruleset, otherwise roll back for error reporting. */
10206 if (nf_tables_validate(net) < 0) {
10207 nft_net->validate_state = NFT_VALIDATE_DO;
10208 return -EAGAIN;
10209 }
10210
10211 err = nft_flow_rule_offload_commit(net);
10212 if (err < 0)
10213 return err;
10214
10215 /* 1. Allocate space for next generation rules_gen_X[] */
10216 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
10217 int ret;
10218
10219 ret = nf_tables_commit_audit_alloc(&adl, trans->ctx.table);
10220 if (ret) {
10221 nf_tables_commit_chain_prepare_cancel(net);
10222 nf_tables_commit_audit_free(&adl);
10223 return ret;
10224 }
10225 if (trans->msg_type == NFT_MSG_NEWRULE ||
10226 trans->msg_type == NFT_MSG_DELRULE) {
10227 chain = trans->ctx.chain;
10228
10229 ret = nf_tables_commit_chain_prepare(net, chain);
10230 if (ret < 0) {
10231 nf_tables_commit_chain_prepare_cancel(net);
10232 nf_tables_commit_audit_free(&adl);
10233 return ret;
10234 }
10235 }
10236 }
10237
10238 /* step 2. Make rules_gen_X visible to packet path */
10239 list_for_each_entry(table, &nft_net->tables, list) {
10240 list_for_each_entry(chain, &table->chains, list)
10241 nf_tables_commit_chain(net, chain);
10242 }
10243
10244 /*
10245 * Bump generation counter, invalidate any dump in progress.
10246 * Cannot fail after this point.
10247 */
10248 base_seq = READ_ONCE(nft_net->base_seq);
10249 while (++base_seq == 0)
10250 ;
10251
10252 WRITE_ONCE(nft_net->base_seq, base_seq);
10253
10254 gc_seq = nft_gc_seq_begin(nft_net);
10255
10256 /* step 3. Start new generation, rules_gen_X now in use. */
10257 net->nft.gencursor = nft_gencursor_next(net);
10258
10259 list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
10260 nf_tables_commit_audit_collect(&adl, trans->ctx.table,
10261 trans->msg_type);
10262 switch (trans->msg_type) {
10263 case NFT_MSG_NEWTABLE:
10264 if (nft_trans_table_update(trans)) {
10265 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {
10266 nft_trans_destroy(trans);
10267 break;
10268 }
10269 if (trans->ctx.table->flags & NFT_TABLE_F_DORMANT)
10270 nf_tables_table_disable(net, trans->ctx.table);
10271
10272 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
10273 } else {
10274 nft_clear(net, trans->ctx.table);
10275 }
10276 nf_tables_table_notify(&trans->ctx, NFT_MSG_NEWTABLE);
10277 nft_trans_destroy(trans);
10278 break;
10279 case NFT_MSG_DELTABLE:
10280 case NFT_MSG_DESTROYTABLE:
10281 list_del_rcu(&trans->ctx.table->list);
10282 nf_tables_table_notify(&trans->ctx, trans->msg_type);
10283 break;
10284 case NFT_MSG_NEWCHAIN:
10285 if (nft_trans_chain_update(trans)) {
10286 nft_chain_commit_update(trans);
10287 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN,
10288 &nft_trans_chain_hooks(trans));
10289 list_splice(&nft_trans_chain_hooks(trans),
10290 &nft_trans_basechain(trans)->hook_list);
10291 /* trans destroyed after rcu grace period */
10292 } else {
10293 nft_chain_commit_drop_policy(trans);
10294 nft_clear(net, trans->ctx.chain);
10295 nf_tables_chain_notify(&trans->ctx, NFT_MSG_NEWCHAIN, NULL);
10296 nft_trans_destroy(trans);
10297 }
10298 break;
10299 case NFT_MSG_DELCHAIN:
10300 case NFT_MSG_DESTROYCHAIN:
10301 if (nft_trans_chain_update(trans)) {
10302 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN,
10303 &nft_trans_chain_hooks(trans));
10304 if (!(trans->ctx.table->flags & NFT_TABLE_F_DORMANT)) {
10305 nft_netdev_unregister_hooks(net,
10306 &nft_trans_chain_hooks(trans),
10307 true);
10308 }
10309 } else {
10310 nft_chain_del(trans->ctx.chain);
10311 nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN,
10312 NULL);
10313 nf_tables_unregister_hook(trans->ctx.net,
10314 trans->ctx.table,
10315 trans->ctx.chain);
10316 }
10317 break;
10318 case NFT_MSG_NEWRULE:
10319 nft_clear(trans->ctx.net, nft_trans_rule(trans));
10320 nf_tables_rule_notify(&trans->ctx,
10321 nft_trans_rule(trans),
10322 NFT_MSG_NEWRULE);
10323 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
10324 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10325
10326 nft_trans_destroy(trans);
10327 break;
10328 case NFT_MSG_DELRULE:
10329 case NFT_MSG_DESTROYRULE:
10330 list_del_rcu(&nft_trans_rule(trans)->list);
10331 nf_tables_rule_notify(&trans->ctx,
10332 nft_trans_rule(trans),
10333 trans->msg_type);
10334 nft_rule_expr_deactivate(&trans->ctx,
10335 nft_trans_rule(trans),
10336 NFT_TRANS_COMMIT);
10337
10338 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
10339 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10340 break;
10341 case NFT_MSG_NEWSET:
10342 if (nft_trans_set_update(trans)) {
10343 struct nft_set *set = nft_trans_set(trans);
10344
10345 WRITE_ONCE(set->timeout, nft_trans_set_timeout(trans));
10346 WRITE_ONCE(set->gc_int, nft_trans_set_gc_int(trans));
10347
10348 if (nft_trans_set_size(trans))
10349 WRITE_ONCE(set->size, nft_trans_set_size(trans));
10350 } else {
10351 nft_clear(net, nft_trans_set(trans));
10352 /* This avoids hitting -EBUSY when deleting the table
10353 * from the transaction.
10354 */
10355 if (nft_set_is_anonymous(nft_trans_set(trans)) &&
10356 !list_empty(&nft_trans_set(trans)->bindings))
10357 nft_use_dec(&trans->ctx.table->use);
10358 }
10359 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
10360 NFT_MSG_NEWSET, GFP_KERNEL);
10361 nft_trans_destroy(trans);
10362 break;
10363 case NFT_MSG_DELSET:
10364 case NFT_MSG_DESTROYSET:
10365 nft_trans_set(trans)->dead = 1;
10366 list_del_rcu(&nft_trans_set(trans)->list);
10367 nf_tables_set_notify(&trans->ctx, nft_trans_set(trans),
10368 trans->msg_type, GFP_KERNEL);
10369 break;
10370 case NFT_MSG_NEWSETELEM:
10371 te = (struct nft_trans_elem *)trans->data;
10372
10373 nft_setelem_activate(net, te->set, &te->elem);
10374 nf_tables_setelem_notify(&trans->ctx, te->set,
10375 &te->elem,
10376 NFT_MSG_NEWSETELEM);
10377 if (te->set->ops->commit &&
10378 list_empty(&te->set->pending_update)) {
10379 list_add_tail(&te->set->pending_update,
10380 &set_update_list);
10381 }
10382 nft_trans_destroy(trans);
10383 break;
10384 case NFT_MSG_DELSETELEM:
10385 case NFT_MSG_DESTROYSETELEM:
10386 te = (struct nft_trans_elem *)trans->data;
10387
10388 nf_tables_setelem_notify(&trans->ctx, te->set,
10389 &te->elem,
10390 trans->msg_type);
10391 nft_setelem_remove(net, te->set, &te->elem);
10392 if (!nft_setelem_is_catchall(te->set, &te->elem)) {
10393 atomic_dec(&te->set->nelems);
10394 te->set->ndeact--;
10395 }
10396 if (te->set->ops->commit &&
10397 list_empty(&te->set->pending_update)) {
10398 list_add_tail(&te->set->pending_update,
10399 &set_update_list);
10400 }
10401 break;
10402 case NFT_MSG_NEWOBJ:
10403 if (nft_trans_obj_update(trans)) {
10404 nft_obj_commit_update(trans);
10405 nf_tables_obj_notify(&trans->ctx,
10406 nft_trans_obj(trans),
10407 NFT_MSG_NEWOBJ);
10408 } else {
10409 nft_clear(net, nft_trans_obj(trans));
10410 nf_tables_obj_notify(&trans->ctx,
10411 nft_trans_obj(trans),
10412 NFT_MSG_NEWOBJ);
10413 nft_trans_destroy(trans);
10414 }
10415 break;
10416 case NFT_MSG_DELOBJ:
10417 case NFT_MSG_DESTROYOBJ:
10418 nft_obj_del(nft_trans_obj(trans));
10419 nf_tables_obj_notify(&trans->ctx, nft_trans_obj(trans),
10420 trans->msg_type);
10421 break;
10422 case NFT_MSG_NEWFLOWTABLE:
10423 if (nft_trans_flowtable_update(trans)) {
10424 nft_trans_flowtable(trans)->data.flags =
10425 nft_trans_flowtable_flags(trans);
10426 nf_tables_flowtable_notify(&trans->ctx,
10427 nft_trans_flowtable(trans),
10428 &nft_trans_flowtable_hooks(trans),
10429 NFT_MSG_NEWFLOWTABLE);
10430 list_splice(&nft_trans_flowtable_hooks(trans),
10431 &nft_trans_flowtable(trans)->hook_list);
10432 } else {
10433 nft_clear(net, nft_trans_flowtable(trans));
10434 nf_tables_flowtable_notify(&trans->ctx,
10435 nft_trans_flowtable(trans),
10436 NULL,
10437 NFT_MSG_NEWFLOWTABLE);
10438 }
10439 nft_trans_destroy(trans);
10440 break;
10441 case NFT_MSG_DELFLOWTABLE:
10442 case NFT_MSG_DESTROYFLOWTABLE:
10443 if (nft_trans_flowtable_update(trans)) {
10444 nf_tables_flowtable_notify(&trans->ctx,
10445 nft_trans_flowtable(trans),
10446 &nft_trans_flowtable_hooks(trans),
10447 trans->msg_type);
10448 nft_unregister_flowtable_net_hooks(net,
10449 nft_trans_flowtable(trans),
10450 &nft_trans_flowtable_hooks(trans));
10451 } else {
10452 list_del_rcu(&nft_trans_flowtable(trans)->list);
10453 nf_tables_flowtable_notify(&trans->ctx,
10454 nft_trans_flowtable(trans),
10455 NULL,
10456 trans->msg_type);
10457 nft_unregister_flowtable_net_hooks(net,
10458 nft_trans_flowtable(trans),
10459 &nft_trans_flowtable(trans)->hook_list);
10460 }
10461 break;
10462 }
10463 }
10464
10465 nft_set_commit_update(&set_update_list);
10466
10467 nft_commit_notify(net, NETLINK_CB(skb).portid);
10468 nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
10469 nf_tables_commit_audit_log(&adl, nft_net->base_seq);
10470
10471 nft_gc_seq_end(nft_net, gc_seq);
10472 nft_net->validate_state = NFT_VALIDATE_SKIP;
10473 nf_tables_commit_release(net);
10474
10475 return 0;
10476 }
10477
nf_tables_module_autoload(struct net * net)10478 static void nf_tables_module_autoload(struct net *net)
10479 {
10480 struct nftables_pernet *nft_net = nft_pernet(net);
10481 struct nft_module_request *req, *next;
10482 LIST_HEAD(module_list);
10483
10484 list_splice_init(&nft_net->module_list, &module_list);
10485 mutex_unlock(&nft_net->commit_mutex);
10486 list_for_each_entry_safe(req, next, &module_list, list) {
10487 request_module("%s", req->module);
10488 req->done = true;
10489 }
10490 mutex_lock(&nft_net->commit_mutex);
10491 list_splice(&module_list, &nft_net->module_list);
10492 }
10493
nf_tables_abort_release(struct nft_trans * trans)10494 static void nf_tables_abort_release(struct nft_trans *trans)
10495 {
10496 switch (trans->msg_type) {
10497 case NFT_MSG_NEWTABLE:
10498 nf_tables_table_destroy(&trans->ctx);
10499 break;
10500 case NFT_MSG_NEWCHAIN:
10501 if (nft_trans_chain_update(trans))
10502 nft_hooks_destroy(&nft_trans_chain_hooks(trans));
10503 else
10504 nf_tables_chain_destroy(nft_trans_chain(trans));
10505 break;
10506 case NFT_MSG_NEWRULE:
10507 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
10508 break;
10509 case NFT_MSG_NEWSET:
10510 nft_set_destroy(&trans->ctx, nft_trans_set(trans));
10511 break;
10512 case NFT_MSG_NEWSETELEM:
10513 nft_set_elem_destroy(nft_trans_elem_set(trans),
10514 nft_trans_elem(trans).priv, true);
10515 break;
10516 case NFT_MSG_NEWOBJ:
10517 nft_obj_destroy(&trans->ctx, nft_trans_obj(trans));
10518 break;
10519 case NFT_MSG_NEWFLOWTABLE:
10520 if (nft_trans_flowtable_update(trans))
10521 nft_hooks_destroy(&nft_trans_flowtable_hooks(trans));
10522 else
10523 nf_tables_flowtable_destroy(nft_trans_flowtable(trans));
10524 break;
10525 }
10526 kfree(trans);
10527 }
10528
nft_set_abort_update(struct list_head * set_update_list)10529 static void nft_set_abort_update(struct list_head *set_update_list)
10530 {
10531 struct nft_set *set, *next;
10532
10533 list_for_each_entry_safe(set, next, set_update_list, pending_update) {
10534 list_del_init(&set->pending_update);
10535
10536 if (!set->ops->abort)
10537 continue;
10538
10539 set->ops->abort(set);
10540 }
10541 }
10542
__nf_tables_abort(struct net * net,enum nfnl_abort_action action)10543 static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
10544 {
10545 struct nftables_pernet *nft_net = nft_pernet(net);
10546 struct nft_trans *trans, *next;
10547 LIST_HEAD(set_update_list);
10548 struct nft_trans_elem *te;
10549 int err = 0;
10550
10551 if (action == NFNL_ABORT_VALIDATE &&
10552 nf_tables_validate(net) < 0)
10553 err = -EAGAIN;
10554
10555 list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list,
10556 list) {
10557 switch (trans->msg_type) {
10558 case NFT_MSG_NEWTABLE:
10559 if (nft_trans_table_update(trans)) {
10560 if (!(trans->ctx.table->flags & __NFT_TABLE_F_UPDATE)) {
10561 nft_trans_destroy(trans);
10562 break;
10563 }
10564 if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_DORMANT) {
10565 nf_tables_table_disable(net, trans->ctx.table);
10566 trans->ctx.table->flags |= NFT_TABLE_F_DORMANT;
10567 } else if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_AWAKEN) {
10568 trans->ctx.table->flags &= ~NFT_TABLE_F_DORMANT;
10569 }
10570 trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
10571 nft_trans_destroy(trans);
10572 } else {
10573 list_del_rcu(&trans->ctx.table->list);
10574 }
10575 break;
10576 case NFT_MSG_DELTABLE:
10577 case NFT_MSG_DESTROYTABLE:
10578 nft_clear(trans->ctx.net, trans->ctx.table);
10579 nft_trans_destroy(trans);
10580 break;
10581 case NFT_MSG_NEWCHAIN:
10582 if (nft_trans_chain_update(trans)) {
10583 if (!(trans->ctx.table->flags & NFT_TABLE_F_DORMANT)) {
10584 nft_netdev_unregister_hooks(net,
10585 &nft_trans_chain_hooks(trans),
10586 true);
10587 }
10588 free_percpu(nft_trans_chain_stats(trans));
10589 kfree(nft_trans_chain_name(trans));
10590 nft_trans_destroy(trans);
10591 } else {
10592 if (nft_trans_chain_bound(trans)) {
10593 nft_trans_destroy(trans);
10594 break;
10595 }
10596 nft_use_dec_restore(&trans->ctx.table->use);
10597 nft_chain_del(trans->ctx.chain);
10598 nf_tables_unregister_hook(trans->ctx.net,
10599 trans->ctx.table,
10600 trans->ctx.chain);
10601 }
10602 break;
10603 case NFT_MSG_DELCHAIN:
10604 case NFT_MSG_DESTROYCHAIN:
10605 if (nft_trans_chain_update(trans)) {
10606 list_splice(&nft_trans_chain_hooks(trans),
10607 &nft_trans_basechain(trans)->hook_list);
10608 } else {
10609 nft_use_inc_restore(&trans->ctx.table->use);
10610 nft_clear(trans->ctx.net, trans->ctx.chain);
10611 }
10612 nft_trans_destroy(trans);
10613 break;
10614 case NFT_MSG_NEWRULE:
10615 if (nft_trans_rule_bound(trans)) {
10616 nft_trans_destroy(trans);
10617 break;
10618 }
10619 nft_use_dec_restore(&trans->ctx.chain->use);
10620 list_del_rcu(&nft_trans_rule(trans)->list);
10621 nft_rule_expr_deactivate(&trans->ctx,
10622 nft_trans_rule(trans),
10623 NFT_TRANS_ABORT);
10624 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
10625 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10626 break;
10627 case NFT_MSG_DELRULE:
10628 case NFT_MSG_DESTROYRULE:
10629 nft_use_inc_restore(&trans->ctx.chain->use);
10630 nft_clear(trans->ctx.net, nft_trans_rule(trans));
10631 nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
10632 if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
10633 nft_flow_rule_destroy(nft_trans_flow_rule(trans));
10634
10635 nft_trans_destroy(trans);
10636 break;
10637 case NFT_MSG_NEWSET:
10638 if (nft_trans_set_update(trans)) {
10639 nft_trans_destroy(trans);
10640 break;
10641 }
10642 nft_use_dec_restore(&trans->ctx.table->use);
10643 if (nft_trans_set_bound(trans)) {
10644 nft_trans_destroy(trans);
10645 break;
10646 }
10647 nft_trans_set(trans)->dead = 1;
10648 list_del_rcu(&nft_trans_set(trans)->list);
10649 break;
10650 case NFT_MSG_DELSET:
10651 case NFT_MSG_DESTROYSET:
10652 nft_use_inc_restore(&trans->ctx.table->use);
10653 nft_clear(trans->ctx.net, nft_trans_set(trans));
10654 if (nft_trans_set(trans)->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
10655 nft_map_activate(&trans->ctx, nft_trans_set(trans));
10656
10657 nft_trans_destroy(trans);
10658 break;
10659 case NFT_MSG_NEWSETELEM:
10660 if (nft_trans_elem_set_bound(trans)) {
10661 nft_trans_destroy(trans);
10662 break;
10663 }
10664 te = (struct nft_trans_elem *)trans->data;
10665 nft_setelem_remove(net, te->set, &te->elem);
10666 if (!nft_setelem_is_catchall(te->set, &te->elem))
10667 atomic_dec(&te->set->nelems);
10668
10669 if (te->set->ops->abort &&
10670 list_empty(&te->set->pending_update)) {
10671 list_add_tail(&te->set->pending_update,
10672 &set_update_list);
10673 }
10674 break;
10675 case NFT_MSG_DELSETELEM:
10676 case NFT_MSG_DESTROYSETELEM:
10677 te = (struct nft_trans_elem *)trans->data;
10678
10679 if (!nft_setelem_active_next(net, te->set, &te->elem)) {
10680 nft_setelem_data_activate(net, te->set, &te->elem);
10681 nft_setelem_activate(net, te->set, &te->elem);
10682 }
10683 if (!nft_setelem_is_catchall(te->set, &te->elem))
10684 te->set->ndeact--;
10685
10686 if (te->set->ops->abort &&
10687 list_empty(&te->set->pending_update)) {
10688 list_add_tail(&te->set->pending_update,
10689 &set_update_list);
10690 }
10691 nft_trans_destroy(trans);
10692 break;
10693 case NFT_MSG_NEWOBJ:
10694 if (nft_trans_obj_update(trans)) {
10695 nft_obj_destroy(&trans->ctx, nft_trans_obj_newobj(trans));
10696 nft_trans_destroy(trans);
10697 } else {
10698 nft_use_dec_restore(&trans->ctx.table->use);
10699 nft_obj_del(nft_trans_obj(trans));
10700 }
10701 break;
10702 case NFT_MSG_DELOBJ:
10703 case NFT_MSG_DESTROYOBJ:
10704 nft_use_inc_restore(&trans->ctx.table->use);
10705 nft_clear(trans->ctx.net, nft_trans_obj(trans));
10706 nft_trans_destroy(trans);
10707 break;
10708 case NFT_MSG_NEWFLOWTABLE:
10709 if (nft_trans_flowtable_update(trans)) {
10710 nft_unregister_flowtable_net_hooks(net,
10711 nft_trans_flowtable(trans),
10712 &nft_trans_flowtable_hooks(trans));
10713 } else {
10714 nft_use_dec_restore(&trans->ctx.table->use);
10715 list_del_rcu(&nft_trans_flowtable(trans)->list);
10716 nft_unregister_flowtable_net_hooks(net,
10717 nft_trans_flowtable(trans),
10718 &nft_trans_flowtable(trans)->hook_list);
10719 }
10720 break;
10721 case NFT_MSG_DELFLOWTABLE:
10722 case NFT_MSG_DESTROYFLOWTABLE:
10723 if (nft_trans_flowtable_update(trans)) {
10724 list_splice(&nft_trans_flowtable_hooks(trans),
10725 &nft_trans_flowtable(trans)->hook_list);
10726 } else {
10727 nft_use_inc_restore(&trans->ctx.table->use);
10728 nft_clear(trans->ctx.net, nft_trans_flowtable(trans));
10729 }
10730 nft_trans_destroy(trans);
10731 break;
10732 }
10733 }
10734
10735 nft_set_abort_update(&set_update_list);
10736
10737 synchronize_rcu();
10738
10739 list_for_each_entry_safe_reverse(trans, next,
10740 &nft_net->commit_list, list) {
10741 nft_trans_list_del(trans);
10742 nf_tables_abort_release(trans);
10743 }
10744
10745 return err;
10746 }
10747
nf_tables_abort(struct net * net,struct sk_buff * skb,enum nfnl_abort_action action)10748 static int nf_tables_abort(struct net *net, struct sk_buff *skb,
10749 enum nfnl_abort_action action)
10750 {
10751 struct nftables_pernet *nft_net = nft_pernet(net);
10752 unsigned int gc_seq;
10753 int ret;
10754
10755 gc_seq = nft_gc_seq_begin(nft_net);
10756 ret = __nf_tables_abort(net, action);
10757 nft_gc_seq_end(nft_net, gc_seq);
10758
10759 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
10760
10761 /* module autoload needs to happen after GC sequence update because it
10762 * temporarily releases and grabs mutex again.
10763 */
10764 if (action == NFNL_ABORT_AUTOLOAD)
10765 nf_tables_module_autoload(net);
10766 else
10767 nf_tables_module_autoload_cleanup(net);
10768
10769 mutex_unlock(&nft_net->commit_mutex);
10770
10771 return ret;
10772 }
10773
nf_tables_valid_genid(struct net * net,u32 genid)10774 static bool nf_tables_valid_genid(struct net *net, u32 genid)
10775 {
10776 struct nftables_pernet *nft_net = nft_pernet(net);
10777 bool genid_ok;
10778
10779 mutex_lock(&nft_net->commit_mutex);
10780
10781 genid_ok = genid == 0 || nft_net->base_seq == genid;
10782 if (!genid_ok)
10783 mutex_unlock(&nft_net->commit_mutex);
10784
10785 /* else, commit mutex has to be released by commit or abort function */
10786 return genid_ok;
10787 }
10788
10789 static const struct nfnetlink_subsystem nf_tables_subsys = {
10790 .name = "nf_tables",
10791 .subsys_id = NFNL_SUBSYS_NFTABLES,
10792 .cb_count = NFT_MSG_MAX,
10793 .cb = nf_tables_cb,
10794 .commit = nf_tables_commit,
10795 .abort = nf_tables_abort,
10796 .valid_genid = nf_tables_valid_genid,
10797 .owner = THIS_MODULE,
10798 };
10799
nft_chain_validate_dependency(const struct nft_chain * chain,enum nft_chain_types type)10800 int nft_chain_validate_dependency(const struct nft_chain *chain,
10801 enum nft_chain_types type)
10802 {
10803 const struct nft_base_chain *basechain;
10804
10805 if (nft_is_base_chain(chain)) {
10806 basechain = nft_base_chain(chain);
10807 if (basechain->type->type != type)
10808 return -EOPNOTSUPP;
10809 }
10810 return 0;
10811 }
10812 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
10813
nft_chain_validate_hooks(const struct nft_chain * chain,unsigned int hook_flags)10814 int nft_chain_validate_hooks(const struct nft_chain *chain,
10815 unsigned int hook_flags)
10816 {
10817 struct nft_base_chain *basechain;
10818
10819 if (nft_is_base_chain(chain)) {
10820 basechain = nft_base_chain(chain);
10821
10822 if ((1 << basechain->ops.hooknum) & hook_flags)
10823 return 0;
10824
10825 return -EOPNOTSUPP;
10826 }
10827
10828 return 0;
10829 }
10830 EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
10831
10832 /**
10833 * nft_parse_u32_check - fetch u32 attribute and check for maximum value
10834 *
10835 * @attr: netlink attribute to fetch value from
10836 * @max: maximum value to be stored in dest
10837 * @dest: pointer to the variable
10838 *
10839 * Parse, check and store a given u32 netlink attribute into variable.
10840 * This function returns -ERANGE if the value goes over maximum value.
10841 * Otherwise a 0 is returned and the attribute value is stored in the
10842 * destination variable.
10843 */
nft_parse_u32_check(const struct nlattr * attr,int max,u32 * dest)10844 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
10845 {
10846 u32 val;
10847
10848 val = ntohl(nla_get_be32(attr));
10849 if (val > max)
10850 return -ERANGE;
10851
10852 *dest = val;
10853 return 0;
10854 }
10855 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
10856
nft_parse_register(const struct nlattr * attr,u32 * preg)10857 static int nft_parse_register(const struct nlattr *attr, u32 *preg)
10858 {
10859 unsigned int reg;
10860
10861 reg = ntohl(nla_get_be32(attr));
10862 switch (reg) {
10863 case NFT_REG_VERDICT...NFT_REG_4:
10864 *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
10865 break;
10866 case NFT_REG32_00...NFT_REG32_15:
10867 *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
10868 break;
10869 default:
10870 return -ERANGE;
10871 }
10872
10873 return 0;
10874 }
10875
10876 /**
10877 * nft_dump_register - dump a register value to a netlink attribute
10878 *
10879 * @skb: socket buffer
10880 * @attr: attribute number
10881 * @reg: register number
10882 *
10883 * Construct a netlink attribute containing the register number. For
10884 * compatibility reasons, register numbers being a multiple of 4 are
10885 * translated to the corresponding 128 bit register numbers.
10886 */
nft_dump_register(struct sk_buff * skb,unsigned int attr,unsigned int reg)10887 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg)
10888 {
10889 if (reg % (NFT_REG_SIZE / NFT_REG32_SIZE) == 0)
10890 reg = reg / (NFT_REG_SIZE / NFT_REG32_SIZE);
10891 else
10892 reg = reg - NFT_REG_SIZE / NFT_REG32_SIZE + NFT_REG32_00;
10893
10894 return nla_put_be32(skb, attr, htonl(reg));
10895 }
10896 EXPORT_SYMBOL_GPL(nft_dump_register);
10897
nft_validate_register_load(enum nft_registers reg,unsigned int len)10898 static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
10899 {
10900 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
10901 return -EINVAL;
10902 if (len == 0)
10903 return -EINVAL;
10904 if (reg * NFT_REG32_SIZE + len > sizeof_field(struct nft_regs, data))
10905 return -ERANGE;
10906
10907 return 0;
10908 }
10909
nft_parse_register_load(const struct nlattr * attr,u8 * sreg,u32 len)10910 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
10911 {
10912 u32 reg;
10913 int err;
10914
10915 err = nft_parse_register(attr, ®);
10916 if (err < 0)
10917 return err;
10918
10919 err = nft_validate_register_load(reg, len);
10920 if (err < 0)
10921 return err;
10922
10923 *sreg = reg;
10924 return 0;
10925 }
10926 EXPORT_SYMBOL_GPL(nft_parse_register_load);
10927
nft_validate_register_store(const struct nft_ctx * ctx,enum nft_registers reg,const struct nft_data * data,enum nft_data_types type,unsigned int len)10928 static int nft_validate_register_store(const struct nft_ctx *ctx,
10929 enum nft_registers reg,
10930 const struct nft_data *data,
10931 enum nft_data_types type,
10932 unsigned int len)
10933 {
10934 int err;
10935
10936 switch (reg) {
10937 case NFT_REG_VERDICT:
10938 if (type != NFT_DATA_VERDICT)
10939 return -EINVAL;
10940
10941 if (data != NULL &&
10942 (data->verdict.code == NFT_GOTO ||
10943 data->verdict.code == NFT_JUMP)) {
10944 err = nft_chain_validate(ctx, data->verdict.chain);
10945 if (err < 0)
10946 return err;
10947 }
10948
10949 return 0;
10950 default:
10951 if (type != NFT_DATA_VALUE)
10952 return -EINVAL;
10953
10954 if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
10955 return -EINVAL;
10956 if (len == 0)
10957 return -EINVAL;
10958 if (reg * NFT_REG32_SIZE + len >
10959 sizeof_field(struct nft_regs, data))
10960 return -ERANGE;
10961
10962 return 0;
10963 }
10964 }
10965
nft_parse_register_store(const struct nft_ctx * ctx,const struct nlattr * attr,u8 * dreg,const struct nft_data * data,enum nft_data_types type,unsigned int len)10966 int nft_parse_register_store(const struct nft_ctx *ctx,
10967 const struct nlattr *attr, u8 *dreg,
10968 const struct nft_data *data,
10969 enum nft_data_types type, unsigned int len)
10970 {
10971 int err;
10972 u32 reg;
10973
10974 err = nft_parse_register(attr, ®);
10975 if (err < 0)
10976 return err;
10977
10978 err = nft_validate_register_store(ctx, reg, data, type, len);
10979 if (err < 0)
10980 return err;
10981
10982 *dreg = reg;
10983 return 0;
10984 }
10985 EXPORT_SYMBOL_GPL(nft_parse_register_store);
10986
10987 static const struct nla_policy nft_verdict_policy[NFTA_VERDICT_MAX + 1] = {
10988 [NFTA_VERDICT_CODE] = { .type = NLA_U32 },
10989 [NFTA_VERDICT_CHAIN] = { .type = NLA_STRING,
10990 .len = NFT_CHAIN_MAXNAMELEN - 1 },
10991 [NFTA_VERDICT_CHAIN_ID] = { .type = NLA_U32 },
10992 };
10993
nft_verdict_init(const struct nft_ctx * ctx,struct nft_data * data,struct nft_data_desc * desc,const struct nlattr * nla)10994 static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
10995 struct nft_data_desc *desc, const struct nlattr *nla)
10996 {
10997 u8 genmask = nft_genmask_next(ctx->net);
10998 struct nlattr *tb[NFTA_VERDICT_MAX + 1];
10999 struct nft_chain *chain;
11000 int err;
11001
11002 err = nla_parse_nested_deprecated(tb, NFTA_VERDICT_MAX, nla,
11003 nft_verdict_policy, NULL);
11004 if (err < 0)
11005 return err;
11006
11007 if (!tb[NFTA_VERDICT_CODE])
11008 return -EINVAL;
11009
11010 /* zero padding hole for memcmp */
11011 memset(data, 0, sizeof(*data));
11012 data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
11013
11014 switch (data->verdict.code) {
11015 case NF_ACCEPT:
11016 case NF_DROP:
11017 case NF_QUEUE:
11018 break;
11019 case NFT_CONTINUE:
11020 case NFT_BREAK:
11021 case NFT_RETURN:
11022 break;
11023 case NFT_JUMP:
11024 case NFT_GOTO:
11025 if (tb[NFTA_VERDICT_CHAIN]) {
11026 chain = nft_chain_lookup(ctx->net, ctx->table,
11027 tb[NFTA_VERDICT_CHAIN],
11028 genmask);
11029 } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
11030 chain = nft_chain_lookup_byid(ctx->net, ctx->table,
11031 tb[NFTA_VERDICT_CHAIN_ID],
11032 genmask);
11033 if (IS_ERR(chain))
11034 return PTR_ERR(chain);
11035 } else {
11036 return -EINVAL;
11037 }
11038
11039 if (IS_ERR(chain))
11040 return PTR_ERR(chain);
11041 if (nft_is_base_chain(chain))
11042 return -EOPNOTSUPP;
11043 if (nft_chain_is_bound(chain))
11044 return -EINVAL;
11045 if (desc->flags & NFT_DATA_DESC_SETELEM &&
11046 chain->flags & NFT_CHAIN_BINDING)
11047 return -EINVAL;
11048 if (!nft_use_inc(&chain->use))
11049 return -EMFILE;
11050
11051 data->verdict.chain = chain;
11052 break;
11053 default:
11054 return -EINVAL;
11055 }
11056
11057 desc->len = sizeof(data->verdict);
11058
11059 return 0;
11060 }
11061
nft_verdict_uninit(const struct nft_data * data)11062 static void nft_verdict_uninit(const struct nft_data *data)
11063 {
11064 struct nft_chain *chain;
11065
11066 switch (data->verdict.code) {
11067 case NFT_JUMP:
11068 case NFT_GOTO:
11069 chain = data->verdict.chain;
11070 nft_use_dec(&chain->use);
11071 break;
11072 }
11073 }
11074
nft_verdict_dump(struct sk_buff * skb,int type,const struct nft_verdict * v)11075 int nft_verdict_dump(struct sk_buff *skb, int type, const struct nft_verdict *v)
11076 {
11077 struct nlattr *nest;
11078
11079 nest = nla_nest_start_noflag(skb, type);
11080 if (!nest)
11081 goto nla_put_failure;
11082
11083 if (nla_put_be32(skb, NFTA_VERDICT_CODE, htonl(v->code)))
11084 goto nla_put_failure;
11085
11086 switch (v->code) {
11087 case NFT_JUMP:
11088 case NFT_GOTO:
11089 if (nla_put_string(skb, NFTA_VERDICT_CHAIN,
11090 v->chain->name))
11091 goto nla_put_failure;
11092 }
11093 nla_nest_end(skb, nest);
11094 return 0;
11095
11096 nla_put_failure:
11097 return -1;
11098 }
11099
nft_value_init(const struct nft_ctx * ctx,struct nft_data * data,struct nft_data_desc * desc,const struct nlattr * nla)11100 static int nft_value_init(const struct nft_ctx *ctx,
11101 struct nft_data *data, struct nft_data_desc *desc,
11102 const struct nlattr *nla)
11103 {
11104 unsigned int len;
11105
11106 len = nla_len(nla);
11107 if (len == 0)
11108 return -EINVAL;
11109 if (len > desc->size)
11110 return -EOVERFLOW;
11111 if (desc->len) {
11112 if (len != desc->len)
11113 return -EINVAL;
11114 } else {
11115 desc->len = len;
11116 }
11117
11118 nla_memcpy(data->data, nla, len);
11119
11120 return 0;
11121 }
11122
nft_value_dump(struct sk_buff * skb,const struct nft_data * data,unsigned int len)11123 static int nft_value_dump(struct sk_buff *skb, const struct nft_data *data,
11124 unsigned int len)
11125 {
11126 return nla_put(skb, NFTA_DATA_VALUE, len, data->data);
11127 }
11128
11129 static const struct nla_policy nft_data_policy[NFTA_DATA_MAX + 1] = {
11130 [NFTA_DATA_VALUE] = { .type = NLA_BINARY },
11131 [NFTA_DATA_VERDICT] = { .type = NLA_NESTED },
11132 };
11133
11134 /**
11135 * nft_data_init - parse nf_tables data netlink attributes
11136 *
11137 * @ctx: context of the expression using the data
11138 * @data: destination struct nft_data
11139 * @desc: data description
11140 * @nla: netlink attribute containing data
11141 *
11142 * Parse the netlink data attributes and initialize a struct nft_data.
11143 * The type and length of data are returned in the data description.
11144 *
11145 * The caller can indicate that it only wants to accept data of type
11146 * NFT_DATA_VALUE by passing NULL for the ctx argument.
11147 */
nft_data_init(const struct nft_ctx * ctx,struct nft_data * data,struct nft_data_desc * desc,const struct nlattr * nla)11148 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
11149 struct nft_data_desc *desc, const struct nlattr *nla)
11150 {
11151 struct nlattr *tb[NFTA_DATA_MAX + 1];
11152 int err;
11153
11154 if (WARN_ON_ONCE(!desc->size))
11155 return -EINVAL;
11156
11157 err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
11158 nft_data_policy, NULL);
11159 if (err < 0)
11160 return err;
11161
11162 if (tb[NFTA_DATA_VALUE]) {
11163 if (desc->type != NFT_DATA_VALUE)
11164 return -EINVAL;
11165
11166 err = nft_value_init(ctx, data, desc, tb[NFTA_DATA_VALUE]);
11167 } else if (tb[NFTA_DATA_VERDICT] && ctx != NULL) {
11168 if (desc->type != NFT_DATA_VERDICT)
11169 return -EINVAL;
11170
11171 err = nft_verdict_init(ctx, data, desc, tb[NFTA_DATA_VERDICT]);
11172 } else {
11173 err = -EINVAL;
11174 }
11175
11176 return err;
11177 }
11178 EXPORT_SYMBOL_GPL(nft_data_init);
11179
11180 /**
11181 * nft_data_release - release a nft_data item
11182 *
11183 * @data: struct nft_data to release
11184 * @type: type of data
11185 *
11186 * Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
11187 * all others need to be released by calling this function.
11188 */
nft_data_release(const struct nft_data * data,enum nft_data_types type)11189 void nft_data_release(const struct nft_data *data, enum nft_data_types type)
11190 {
11191 if (type < NFT_DATA_VERDICT)
11192 return;
11193 switch (type) {
11194 case NFT_DATA_VERDICT:
11195 return nft_verdict_uninit(data);
11196 default:
11197 WARN_ON(1);
11198 }
11199 }
11200 EXPORT_SYMBOL_GPL(nft_data_release);
11201
nft_data_dump(struct sk_buff * skb,int attr,const struct nft_data * data,enum nft_data_types type,unsigned int len)11202 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
11203 enum nft_data_types type, unsigned int len)
11204 {
11205 struct nlattr *nest;
11206 int err;
11207
11208 nest = nla_nest_start_noflag(skb, attr);
11209 if (nest == NULL)
11210 return -1;
11211
11212 switch (type) {
11213 case NFT_DATA_VALUE:
11214 err = nft_value_dump(skb, data, len);
11215 break;
11216 case NFT_DATA_VERDICT:
11217 err = nft_verdict_dump(skb, NFTA_DATA_VERDICT, &data->verdict);
11218 break;
11219 default:
11220 err = -EINVAL;
11221 WARN_ON(1);
11222 }
11223
11224 nla_nest_end(skb, nest);
11225 return err;
11226 }
11227 EXPORT_SYMBOL_GPL(nft_data_dump);
11228
__nft_release_basechain_now(struct nft_ctx * ctx)11229 static void __nft_release_basechain_now(struct nft_ctx *ctx)
11230 {
11231 struct nft_rule *rule, *nr;
11232
11233 list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
11234 list_del(&rule->list);
11235 nf_tables_rule_release(ctx, rule);
11236 }
11237 nf_tables_chain_destroy(ctx->chain);
11238 }
11239
__nft_release_basechain(struct nft_ctx * ctx)11240 int __nft_release_basechain(struct nft_ctx *ctx)
11241 {
11242 struct nft_rule *rule;
11243
11244 if (WARN_ON_ONCE(!nft_is_base_chain(ctx->chain)))
11245 return 0;
11246
11247 nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
11248 list_for_each_entry(rule, &ctx->chain->rules, list)
11249 nft_use_dec(&ctx->chain->use);
11250
11251 nft_chain_del(ctx->chain);
11252 nft_use_dec(&ctx->table->use);
11253
11254 if (!maybe_get_net(ctx->net)) {
11255 __nft_release_basechain_now(ctx);
11256 return 0;
11257 }
11258
11259 /* wait for ruleset dumps to complete. Owning chain is no longer in
11260 * lists, so new dumps can't find any of these rules anymore.
11261 */
11262 synchronize_rcu();
11263
11264 __nft_release_basechain_now(ctx);
11265 put_net(ctx->net);
11266 return 0;
11267 }
11268 EXPORT_SYMBOL_GPL(__nft_release_basechain);
11269
__nft_release_hook(struct net * net,struct nft_table * table)11270 static void __nft_release_hook(struct net *net, struct nft_table *table)
11271 {
11272 struct nft_flowtable *flowtable;
11273 struct nft_chain *chain;
11274
11275 list_for_each_entry(chain, &table->chains, list)
11276 __nf_tables_unregister_hook(net, table, chain, true);
11277 list_for_each_entry(flowtable, &table->flowtables, list)
11278 __nft_unregister_flowtable_net_hooks(net, flowtable,
11279 &flowtable->hook_list,
11280 true);
11281 }
11282
__nft_release_hooks(struct net * net)11283 static void __nft_release_hooks(struct net *net)
11284 {
11285 struct nftables_pernet *nft_net = nft_pernet(net);
11286 struct nft_table *table;
11287
11288 list_for_each_entry(table, &nft_net->tables, list) {
11289 if (nft_table_has_owner(table))
11290 continue;
11291
11292 __nft_release_hook(net, table);
11293 }
11294 }
11295
__nft_release_table(struct net * net,struct nft_table * table)11296 static void __nft_release_table(struct net *net, struct nft_table *table)
11297 {
11298 struct nft_flowtable *flowtable, *nf;
11299 struct nft_chain *chain, *nc;
11300 struct nft_object *obj, *ne;
11301 struct nft_rule *rule, *nr;
11302 struct nft_set *set, *ns;
11303 struct nft_ctx ctx = {
11304 .net = net,
11305 .family = NFPROTO_NETDEV,
11306 };
11307
11308 ctx.family = table->family;
11309 ctx.table = table;
11310 list_for_each_entry(chain, &table->chains, list) {
11311 if (nft_chain_binding(chain))
11312 continue;
11313
11314 ctx.chain = chain;
11315 list_for_each_entry_safe(rule, nr, &chain->rules, list) {
11316 list_del(&rule->list);
11317 nft_use_dec(&chain->use);
11318 nf_tables_rule_release(&ctx, rule);
11319 }
11320 }
11321 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
11322 list_del(&flowtable->list);
11323 nft_use_dec(&table->use);
11324 nf_tables_flowtable_destroy(flowtable);
11325 }
11326 list_for_each_entry_safe(set, ns, &table->sets, list) {
11327 list_del(&set->list);
11328 nft_use_dec(&table->use);
11329 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
11330 nft_map_deactivate(&ctx, set);
11331
11332 nft_set_destroy(&ctx, set);
11333 }
11334 list_for_each_entry_safe(obj, ne, &table->objects, list) {
11335 nft_obj_del(obj);
11336 nft_use_dec(&table->use);
11337 nft_obj_destroy(&ctx, obj);
11338 }
11339 list_for_each_entry_safe(chain, nc, &table->chains, list) {
11340 nft_chain_del(chain);
11341 nft_use_dec(&table->use);
11342 nf_tables_chain_destroy(chain);
11343 }
11344 nf_tables_table_destroy(&ctx);
11345 }
11346
__nft_release_tables(struct net * net)11347 static void __nft_release_tables(struct net *net)
11348 {
11349 struct nftables_pernet *nft_net = nft_pernet(net);
11350 struct nft_table *table, *nt;
11351
11352 list_for_each_entry_safe(table, nt, &nft_net->tables, list) {
11353 if (nft_table_has_owner(table))
11354 continue;
11355
11356 list_del(&table->list);
11357
11358 __nft_release_table(net, table);
11359 }
11360 }
11361
nft_rcv_nl_event(struct notifier_block * this,unsigned long event,void * ptr)11362 static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
11363 void *ptr)
11364 {
11365 struct nft_table *table, *to_delete[8];
11366 struct nftables_pernet *nft_net;
11367 struct netlink_notify *n = ptr;
11368 struct net *net = n->net;
11369 unsigned int deleted;
11370 bool restart = false;
11371 unsigned int gc_seq;
11372
11373 if (event != NETLINK_URELEASE || n->protocol != NETLINK_NETFILTER)
11374 return NOTIFY_DONE;
11375
11376 nft_net = nft_pernet(net);
11377 deleted = 0;
11378 mutex_lock(&nft_net->commit_mutex);
11379
11380 gc_seq = nft_gc_seq_begin(nft_net);
11381
11382 nf_tables_trans_destroy_flush_work();
11383 again:
11384 list_for_each_entry(table, &nft_net->tables, list) {
11385 if (nft_table_has_owner(table) &&
11386 n->portid == table->nlpid) {
11387 __nft_release_hook(net, table);
11388 list_del_rcu(&table->list);
11389 to_delete[deleted++] = table;
11390 if (deleted >= ARRAY_SIZE(to_delete))
11391 break;
11392 }
11393 }
11394 if (deleted) {
11395 restart = deleted >= ARRAY_SIZE(to_delete);
11396 synchronize_rcu();
11397 while (deleted)
11398 __nft_release_table(net, to_delete[--deleted]);
11399
11400 if (restart)
11401 goto again;
11402 }
11403 nft_gc_seq_end(nft_net, gc_seq);
11404
11405 mutex_unlock(&nft_net->commit_mutex);
11406
11407 return NOTIFY_DONE;
11408 }
11409
11410 static struct notifier_block nft_nl_notifier = {
11411 .notifier_call = nft_rcv_nl_event,
11412 };
11413
nf_tables_init_net(struct net * net)11414 static int __net_init nf_tables_init_net(struct net *net)
11415 {
11416 struct nftables_pernet *nft_net = nft_pernet(net);
11417
11418 INIT_LIST_HEAD(&nft_net->tables);
11419 INIT_LIST_HEAD(&nft_net->commit_list);
11420 INIT_LIST_HEAD(&nft_net->binding_list);
11421 INIT_LIST_HEAD(&nft_net->module_list);
11422 INIT_LIST_HEAD(&nft_net->notify_list);
11423 mutex_init(&nft_net->commit_mutex);
11424 nft_net->base_seq = 1;
11425 nft_net->gc_seq = 0;
11426 nft_net->validate_state = NFT_VALIDATE_SKIP;
11427
11428 return 0;
11429 }
11430
nf_tables_pre_exit_net(struct net * net)11431 static void __net_exit nf_tables_pre_exit_net(struct net *net)
11432 {
11433 struct nftables_pernet *nft_net = nft_pernet(net);
11434
11435 mutex_lock(&nft_net->commit_mutex);
11436 __nft_release_hooks(net);
11437 mutex_unlock(&nft_net->commit_mutex);
11438 }
11439
nf_tables_exit_net(struct net * net)11440 static void __net_exit nf_tables_exit_net(struct net *net)
11441 {
11442 struct nftables_pernet *nft_net = nft_pernet(net);
11443 unsigned int gc_seq;
11444
11445 mutex_lock(&nft_net->commit_mutex);
11446
11447 gc_seq = nft_gc_seq_begin(nft_net);
11448
11449 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
11450
11451 if (!list_empty(&nft_net->module_list))
11452 nf_tables_module_autoload_cleanup(net);
11453
11454 __nft_release_tables(net);
11455
11456 nft_gc_seq_end(nft_net, gc_seq);
11457
11458 mutex_unlock(&nft_net->commit_mutex);
11459 WARN_ON_ONCE(!list_empty(&nft_net->tables));
11460 WARN_ON_ONCE(!list_empty(&nft_net->module_list));
11461 WARN_ON_ONCE(!list_empty(&nft_net->notify_list));
11462 }
11463
nf_tables_exit_batch(struct list_head * net_exit_list)11464 static void nf_tables_exit_batch(struct list_head *net_exit_list)
11465 {
11466 flush_work(&trans_gc_work);
11467 }
11468
11469 static struct pernet_operations nf_tables_net_ops = {
11470 .init = nf_tables_init_net,
11471 .pre_exit = nf_tables_pre_exit_net,
11472 .exit = nf_tables_exit_net,
11473 .exit_batch = nf_tables_exit_batch,
11474 .id = &nf_tables_net_id,
11475 .size = sizeof(struct nftables_pernet),
11476 };
11477
nf_tables_module_init(void)11478 static int __init nf_tables_module_init(void)
11479 {
11480 int err;
11481
11482 err = register_pernet_subsys(&nf_tables_net_ops);
11483 if (err < 0)
11484 return err;
11485
11486 err = nft_chain_filter_init();
11487 if (err < 0)
11488 goto err_chain_filter;
11489
11490 err = nf_tables_core_module_init();
11491 if (err < 0)
11492 goto err_core_module;
11493
11494 err = register_netdevice_notifier(&nf_tables_flowtable_notifier);
11495 if (err < 0)
11496 goto err_netdev_notifier;
11497
11498 err = rhltable_init(&nft_objname_ht, &nft_objname_ht_params);
11499 if (err < 0)
11500 goto err_rht_objname;
11501
11502 err = nft_offload_init();
11503 if (err < 0)
11504 goto err_offload;
11505
11506 err = netlink_register_notifier(&nft_nl_notifier);
11507 if (err < 0)
11508 goto err_netlink_notifier;
11509
11510 /* must be last */
11511 err = nfnetlink_subsys_register(&nf_tables_subsys);
11512 if (err < 0)
11513 goto err_nfnl_subsys;
11514
11515 nft_chain_route_init();
11516
11517 return err;
11518
11519 err_nfnl_subsys:
11520 netlink_unregister_notifier(&nft_nl_notifier);
11521 err_netlink_notifier:
11522 nft_offload_exit();
11523 err_offload:
11524 rhltable_destroy(&nft_objname_ht);
11525 err_rht_objname:
11526 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
11527 err_netdev_notifier:
11528 nf_tables_core_module_exit();
11529 err_core_module:
11530 nft_chain_filter_fini();
11531 err_chain_filter:
11532 unregister_pernet_subsys(&nf_tables_net_ops);
11533 return err;
11534 }
11535
nf_tables_module_exit(void)11536 static void __exit nf_tables_module_exit(void)
11537 {
11538 nfnetlink_subsys_unregister(&nf_tables_subsys);
11539 netlink_unregister_notifier(&nft_nl_notifier);
11540 nft_offload_exit();
11541 unregister_netdevice_notifier(&nf_tables_flowtable_notifier);
11542 nft_chain_filter_fini();
11543 nft_chain_route_fini();
11544 nf_tables_trans_destroy_flush_work();
11545 unregister_pernet_subsys(&nf_tables_net_ops);
11546 cancel_work_sync(&trans_gc_work);
11547 cancel_work_sync(&trans_destroy_work);
11548 rcu_barrier();
11549 rhltable_destroy(&nft_objname_ht);
11550 nf_tables_core_module_exit();
11551 }
11552
11553 module_init(nf_tables_module_init);
11554 module_exit(nf_tables_module_exit);
11555
11556 MODULE_LICENSE("GPL");
11557 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
11558 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
11559